What's wrong with WordPress? - Page 4
What's wrong with WordPress?

Comments

  • deankdeank Member, Troll

    Rotten egg is more toxic than anything else.

  • jsgjsg Member, Resident Benchmarker

    I'd like to add to @Master_Bo and @joepie91, with whom I largely agree, two more factors.

    Wordpress started in a wave that still is rolling. "Conquer as much of the target market and as fast as possible". Which usually comes down to architectural and engineering problems, choice of a poor language which however is in wide use, usually an en vogue scripting language, and probably most dangerously, pushing the release and the developers hard. If a small detour is tolerated it is for features, not for security.

    The other factor is that frankly almost all users/customers no matter how much noise they make do not really care much about security.

    To make it worse those two factors also mutually amplify.

    Finally add psychology. If the "conquer much and fast" approach worked as it did with Wordpress, there are many with some kind of investment/stakes. The Wordpress company's investment is evident, but millions of users also have an investment in the path they chose. Time, resources, "a working solution" like some sites with lots of visitors and so on. This, together with the fact that they can't do a lot themselves to improve the whole situation of and around the product, usually leads to a soft compromise like what many said here. Something like "If one takes care and always updates and wisely chooses but a few good quality plugins then WordPress is OK". A compromise echo chamber.

  • donlidonli Member

    @angstrom said:
    Wow, that escalated quickly in the end.

    It's all fun and games until someone cracks an egg.

  • JanevskiJanevski Member
    edited April 2018

    @YokedEgg Getting yourself banned with the help of a wordpress related thread takes a special kind of skill.

  • LeeLee Veteran

    TotallyNotCrandolph said: Actually won't be back this time. Srs.

    No, seriously, you will. And you will revert back to the same old shit again which will get spotted. You can change your name, not your writing style.

  • ClouviderClouvider Member, Patron Provider

    Crandolph who ?

  • Was a good read

  • If I remember correctly this particular idiot was also a millennial. Just stating for the record.

  • Shame the thread descended into a pile of guff, some good points already made and it's the kind of bread and butter topic I'd like to see more of here.

  • @emg said:
    WordPress suffers from frequent security issues. Keeping up with patches adds to the workload. Automated exploits for script kiddies appear quickly, so you don't get a lot of time to patch, and let's not ignore the occasional zero day exploits.

    How often do we see headlines where "thousands of WordPress sites" were infected or taken over by bots? That says it all to me.

    I beg to disagree! WordPress is quite secure and updated regularly. Security issues are introduced to WordPress through user plugins, shared hosting environment or just lack of common sense by some site owners.

    A few years back, a client referred a friend of his because "she was constantly getting hacked". We asked her to send us login info to the site and ftp. Surprisingly, her login was her domain name, her password was her domain name plus 123123. The same was used on her site, web hosting login and ftp.

  • @ricardo said:
    Shame the thread descended into a pile of guff, some good points already made and it's the kind of bread and butter topic I'd like to see more of here.

    That's the fate of many topics that can easily devolve into a flame war.

    It would be interesting to see stats on many live WP installations (not just default post and theme) - to support the statements already posted in the thread. But I doubt such a resource exists.

  • WordPress is not abstract enough for me. Everything is a post or a post with hacky bits. I prefer a CMS where you can design your own object models and relationships. A page, a post is just too view oriented. Also it's slower than other offers.

  • atomiatomi Member

    I have a feeling that my blogs are not abstract enough since I can live with Grav

  • For individuals or agencies like IMPACT who manage several different websites for clients, it can be frustrating to have to learn how each specific WordPress account is set up in order to make simple website changes.

  • emgemg Veteran

    Sorry to resurrect this old thread, but I could not resist.

    An attacker exploited a WordPress vulnerability to exfiltrate 26 million Ticketfly customer records and publish them on the internet. See: https://arstechnica.com/information-technology/2018/06/how-to-protect-yourself-from-megabreaches-like-the-one-that-hit-ticketfly/

    Here is a quote from Ticketfly's blog, also quoted in the article:

    “We’re rolling out a secure website solution as an alternative to your Ticketfly-powered site to meet your immediate needs. We’ve built a secure, non-WordPress-based website solution ..."

    I will leave it as an exercise for our readers to guess for themselves what Ticketfly thinks of WordPress now.

  • LeeLee Veteran

    Was WP at fault here? It does not say, perhaps it could have been something in their code that caused the issue.

  • raindog308raindog308 Administrator, Veteran
    edited June 2018

    I have used wordpress...for ages. I remember the events that lead to its meteoric rise in popularity.

    Some of the usual criticisms:

    It's Bloated: I sometimes find it too simple and would like a lot more configuration options exposed. I'm not really sure why people make this claim (we'll get to attack surface in a minute) because it's effortless to turn things off or move widgets off the page, etc.

    Is it speed? No, it won't scale to run Facebook. Yes, with your hand-crafted golang HTTP engines, you can serve more pages per MHz. But that's not the point. If you're writing HTML or code, you're not really in Wordpress's target market. There is always a leaner, more resource-friendly way to do something...there are also places where it's appropriate to use more horsepower in favor of an easier interface for the non-technical.

    It's Too Limiting/Straight-jacketing: Fair enough but that's kind of the point. If you want complete freedom, fire up vim and rock the net. There are definitely limitations on what WP can do. You're buying a family sedan, not a Ferrari or an SUV.

    Plugins Are the Problem: The core has grown to include the most popular functionality but plugins are still kind of the point with WP. For most users, Theme + Plugins = Site. If people wanted to write their own PHP they wouldn't be using WP.

    People complain that plugins are poorly coded or insecure...and the fix for that is...what exactly? A central board that reviews all code? I'm thinking Automattic nets a bit less than either Apple or Google and can't afford to run an app store.

    The current system essentially is "share code, talk amongst yourselves". The main-traveled roads are safer than the byways. You're never going to have rigorous security analysis of tens of thousands of security packages.

    You don't have to use plugins. The base theme and functionality will take you pretty far...I sometimes peek at sites' HTML to figure out their theme and it's surprising how often the basic WP 2016 or 2017 theme is in use with a lot of custom CSS. But most people do want plugins and now you're into how that ecosystem should be governed.

    It's Insecure: @joepie91's point on update servers is a very valid one. I'd like to see WP amp up its security but that probably won't happen (I have no inside knowledge, pure speculation) until there's a Heartbleed-style event with WP that affects 30% of the Internet.

    However, when I look at cvedetails, I see...

    • Wordpress: 57 products, 325 vulnerabilities
    • Joomla: 162 products, 350 vulnerabilities
    • Drupal: 139 products, 325 vulnerabilities

    Really, with drupalgeddon and drupalgeddon2, I don't think Drupalians are in a place to talk about security...

    Now, if you look at the numbers, WP was still worse overall, though that's on a vastly more attacked codebase due to its popularity. I know, some people hate that argument so we'll just move on.

    One thing the above may suggest is that security issues are prevalent in all CMSes. Amusingly, Joomla's security problems trail off...because really, is anyone still using Joomla? I think WP's security grade is a mix of weak security history and fronting 30% of all web sites.

    Now, for my personal complaints...

    The Theme Ecosystem Sucks: It's very easy to get locked into a theme if you use its most powerful parts...which is probably why you bought it. Which also means you'll be paying that theme subscription forever because you'll need security updates. And if you ever switch, your web site will turn into proprietary tag soup.

    Implementing Things as Tags Sucks: e.g., I'll try PluginX which makes me put a tag ("[pluginx=14]") on pages I want to use it. But then later I decide I don't want to use that plugin and now...I have to hand-edit each page. Which sometimes could mean looking at EVERY page/post because there's no report to identify where that tag is in use, etc. Or you were using blue tables but now want to switch to red and every tag has a color= you have to change. Etc. Tags suck.

    Bulk Editing Is Painful: How many times have I written SQL to hack the DB because I didn't want to hand-edit a hundred pages...

    No Caching By Default: Seriously, why not? Just turn it on by default. 99% of users won't turn it off and suddenly every shared hosting company in the world will have tons of headroom on their servers. Which means big deals for us. @Francisco's BuyShared for a penny a year probably because he can serve it so effortlessly.

    No Support for Non-MySQL DBs: COME ON ALREADY. So lame. Even lamer excuses.

    Still No Support for Tables: GOOD FREAKING GRIEF. Websites have had tables since the 90s.
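The "no report to identify where that tag is in use" and bulk-edit complaints above can be handled with a small scan-and-rewrite script. This is an added example, not code from the thread or from WordPress: the `$posts` array is constructed sample data standing in for rows of the posts table, and the `$wpdb` query and `wp_update_post()` call mentioned in the comments are the real WordPress APIs a theme or plugin would use to load and store the bodies.

```php
<?php
// Added example, not code from the thread or from WordPress. It scans post
// bodies for one shortcode tag, reports which posts use it, and rewrites one
// attribute in every occurrence. $posts is constructed sample data; in a real
// install the rows would come from
//   $wpdb->get_results("SELECT ID, post_content FROM {$wpdb->posts} WHERE post_status = 'publish'")
// and each rewritten body would be written back with wp_update_post().

// Match one tag and capture its attribute string, covering both the value form
// "[pluginx=14]" and the named form "[pluginx id=14 color=blue]".
function shortcode_pattern(string $tag): string {
    return '/\[' . preg_quote($tag, '/') . '(?:=|\s)([^\]]*)\]/';
}

// Report: post ID => number of occurrences, listing only posts that use the tag.
function find_shortcode_uses(array $posts, string $tag): array {
    $uses = [];
    foreach ($posts as $id => $content) {
        $n = preg_match_all(shortcode_pattern($tag), $content);
        if ($n > 0) {
            $uses[$id] = $n;
        }
    }
    return $uses;
}

// Rewrite one named attribute (e.g. color=blue -> color=red) in every
// occurrence of the tag; other attributes and surrounding text are untouched.
function rewrite_shortcode_attr(string $content, string $tag, string $attr, string $new): string {
    return preg_replace_callback(
        shortcode_pattern($tag),
        function (array $m) use ($attr, $new) {
            $attrs = preg_replace(
                '/\b' . preg_quote($attr, '/') . '=("[^"]*"|\S+)/',
                $attr . '=' . $new,
                $m[1]
            );
            // Rebuild "[tag<sep>" + new attributes + "]" from the original match.
            $prefix = substr($m[0], 0, strlen($m[0]) - strlen($m[1]) - 1);
            return $prefix . $attrs . ']';
        },
        $content
    );
}

// Constructed sample rows: post ID => post_content.
$posts = [
    12 => 'Intro text [pluginx=14] more text [pluginx id=2 color=blue]',
    15 => 'No shortcode here.',
    19 => 'Table: [pluginx id=7 color="blue"] and [other=3]',
];

// Report first, so the scope of a bulk edit is known before anything is changed.
print_r(find_shortcode_uses($posts, 'pluginx'));

// Then rewrite on a copy of the bodies; the originals stay untouched until
// the result has been reviewed.
$rewritten = [];
foreach ($posts as $id => $content) {
    $rewritten[$id] = rewrite_shortcode_attr($content, 'pluginx', 'color', 'red');
}
echo $rewritten[12], PHP_EOL, $rewritten[19], PHP_EOL;
```

Running the report before the rewrite, and rewriting into a separate array rather than in place, keeps the change reviewable; the same two-step shape applies when the rows come from the database and are written back per post instead of with one `UPDATE ... REPLACE()` statement.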

  • WebProjectWebProject Host Rep, Veteran

    WP on its own without any module is very simple, but using something like the Gantry framework plus a few modules, it changes completely and the possibilities are endless.

  • KuJoeKuJoe Member, Host Rep

    I set up WordPress for people who are new to websites; when they ask "can it do this?" and it isn't a native feature I either write them a solution for it or tell them to find an alternative. I used to joke about how insecure WordPress was, but now when I have to clean up hacked systems because the client installed a new theme, WordPress itself has become the punchline. Seriously, in what universe does a custom theme (HTML/CSS) introduce a security exploit?

  • joepie91joepie91 Member, Patron Provider

    raindog308 said: However, when I look at cvedetails, I see...

    • Wordpress: 57 products, 325 vulnerabilities
    • Joomla: 162 products, 350 vulnerabilities
    • Drupal: 139 products, 325 vulnerabilities

    Really, with drupalgeddon and drupalgeddon2, I don't think Drupalians are in a place to talk about security...

    Now, if you look at the numbers, WP was still worse overall, though that's on a vastly more attacked codebase due to its popularity. I know, some people hate that argument so we'll just move on.

    One thing the above may suggest is that security issues are prevalent in all CMSes. Amusingly, Joomla's security problems trail off...because really, is anyone still using Joomla? I think WP's security grade is a mix of weak security history and fronting 30% of all web sites.

    You should really completely ignore CVE counts; they don't give a useful indication of how secure or insecure something is, and CVEs were never meant to be used that way.

    This has a number of reasons, ranging from it being largely a self-reporting system, to projects having different policies on reporting issues, to different amounts of attention being cast towards different projects, to different standards on what constitutes a reportable issue.

    If you want to compare the security between projects, you're much better off looking at how they handle security issues, whether there is a dedicated security team, whether issues are handled proactively rather than reactively, whether core infrastructure is secure, whether the team understands the impact of API design on ecosystem security, and so on.

    (Those, incidentally, are metrics that WP scores rather poorly on, and where Drupal does a lot better - even if it's far from perfect.)

  • emgemg Veteran

    @Lee said:
    Was WP at fault here? It does not say, perhaps it could have been something in their code that caused the issue.

    If I recall correctly, the attacker exploited a WordPress flaw in a blog that was not part of the Ticketfly main website, but that server was the toehold that enabled further exploitation.

    There was no mention of whether WordPress was fully patched at the time, nor which plug-ins were installed and in use, etc. etc. etc. There are lots of open questions, I'm sure.

    It was not fair of me to rekindle this thread based on the flimsy information currently available, but the quote, "We’ve built a secure, non-WordPress-based website solution ..." was too delicious for me to pass up. My bad. :-)

  • jcalebjcaleb Member

    Before, there were really truly free WordPress themes at wordpress.org. Now, everything is a basic version of a commercial one.

  • @jcaleb said:
    Before, there were really truly free WordPress themes at wordpress.org. Now, everything is a basic version of a commercial one.

    I only use free themes, but recently I installed GeneratePress and I totally fell in love with it. Clean design and really fast loading.

    The only thing that prevents me now from buying the commercial one is that I really don't know what benefits it brings. I mean, how much happier than totally happy can one get?

    https://generatepress.com

  • ForwardWebForwardWeb Member, Host Rep

    @YokedEgg said:
    In all seriousness, what's wrong with WordPress?

    Seems to be generally disliked here, although it's powering upwards of 25% of sites according to WordPress themselves, which is believable from me.

    I know people say it's insecure, but that seems to only be so without the right configuration (which could happen to any script, really), and insecure plugins being installed.

    People say it's slow because of php + database (not static), but when you cache it (both php and the actual site), it can work just fine.

    So convince me here, why not just use WordPress?

    There's just too big of a plugin ecosystem and too much functionality to leave, and nearly every business needs a blog.

    P.S. I understand every use may not fit WordPress.

    As an open source platform and someone that works extensively in web development, I think WP is a great platform. Not just for website management, but also for empowering end users with the ability to maintain and create new content for their websites.

    With that being said, WP is definitely not for everyone and in my opinion is only viable if there is some form of management. So if you have a user that knows next to nothing about site development and is looking for a do-it-yourself option, solutions like Squarespace, Weebly, etc. are probably more viable.

  • raindog308raindog308 Administrator, Veteran

    KuJoe said: Seriously, in what universe does a custom theme (HTML/CSS) introduce a security exploit?

    Themes are not just HTML/CSS, as I'm sure you know.

    Is that good or bad? If only HTML and CSS were allowed in themes, 30% of the Internet would look very very similar. If you're going to introduce new functionality in a theme, you need more than HTML/CSS.

  • @raindog308 said:

    KuJoe said: Seriously, in what universe does a custom theme (HTML/CSS) introduce a security exploit?

    Themes are not just HTML/CSS, as I'm sure you know.

    Is that good or bad? If only HTML and CSS were allowed in themes, 30% of the Internet would look very very similar. If you're going to introduce new functionality in a theme, you need more than HTML/CSS.

    Agreed. For example, vulnerabilities such as XSS and privilege escalation can be introduced through a theme. Most of WordPress is exposed through APIs/functions which can be accessed through PHP files in the theme (i.e. functions.php).
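The two defect classes named in that reply, as an added example that is not code from the thread or from WordPress itself: a theme's functions.php registering a shortcode that echoes its attribute unescaped (XSS) and a settings handler that any caller can reach (privilege escalation), each beside its hardened form. `esc_html()`, `current_user_can()`, `wp_verify_nonce()` and `sanitize_text_field()` are real WordPress functions; the guarded stand-ins at the top are mine and exist only so the file runs under plain `php` outside WordPress. The `$request` and `$options` array parameters are likewise stand-ins for `$_POST` and `update_option()`.

```php
<?php
// Added example, not code from the thread or from WordPress itself. It shows
// the two defect classes named in the post (XSS and privilege escalation)
// arising in a theme's functions.php, each beside its hardened form.
// esc_html(), current_user_can(), wp_verify_nonce() and sanitize_text_field()
// are real WordPress functions; the guarded stand-ins below exist only so the
// file runs under plain `php` outside WordPress and are skipped inside it.

if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('current_user_can')) {
    // Stand-in: behave as a logged-in subscriber, who can read but not manage options.
    function current_user_can($cap) { return $cap === 'read'; }
}
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, $action) { return $nonce === 'demo-valid-nonce'; }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}

/* 1. Cross-site scripting through a shortcode handler.
   Shortcode attributes come from post content, which contributors can write. */

// Vulnerable: the attribute is concatenated into HTML without escaping.
function theme_greeting_vulnerable(array $atts): string {
    return '<p class="greet">Hello, ' . ($atts['name'] ?? 'guest') . '</p>';
}

// Hardened: untrusted text is escaped for the HTML body context it lands in.
function theme_greeting_safe(array $atts): string {
    return '<p class="greet">Hello, ' . esc_html($atts['name'] ?? 'guest') . '</p>';
}
// In a theme either would be registered with add_shortcode('greet', ...).

/* 2. Privilege escalation through an unguarded settings handler.
   $request stands in for $_POST and $options for the options table so the
   logic can be exercised here; a theme would read $_POST and call
   update_option() from an admin_post_* or wp_ajax_* hook. */

// Vulnerable: anything that reaches the hook can change a site-wide option.
function theme_save_footer_vulnerable(array $request, array &$options): bool {
    $options['footer_html'] = $request['footer_html'] ?? '';
    return true;
}

// Hardened: capability check, CSRF nonce check, then input sanitisation.
function theme_save_footer_safe(array $request, array &$options): bool {
    if (!current_user_can('manage_options')) {
        return false;   // the caller lacks the administrator capability
    }
    if (!wp_verify_nonce($request['_wpnonce'] ?? '', 'theme_save_footer')) {
        return false;   // the request did not come from our own form
    }
    $options['footer_html'] = sanitize_text_field($request['footer_html'] ?? '');
    return true;
}

// Constructed sample input driving both paths.
$hostile = '<script>alert(1)</script>';
echo theme_greeting_vulnerable(['name' => $hostile]), PHP_EOL;
echo theme_greeting_safe(['name' => $hostile]), PHP_EOL;

$options = ['footer_html' => 'original'];
theme_save_footer_vulnerable(['footer_html' => 'replaced'], $options);
echo 'unguarded handler: footer_html=', $options['footer_html'], PHP_EOL;

$options = ['footer_html' => 'original'];
$accepted = theme_save_footer_safe(['footer_html' => 'replaced'], $options);
echo 'guarded handler: accepted=', var_export($accepted, true),
     ' footer_html=', $options['footer_html'], PHP_EOL;
```

The order of checks in the hardened handler matters: the capability test rejects low-privilege accounts before the nonce is even consulted, the nonce ties the request to a form the site itself rendered, and sanitisation runs last on input that has already been authorised. Output escaping belongs at the point of output, which is why the shortcode handler escapes inside the return statement rather than trusting whatever was stored.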

  • nductivnductiv Member
    edited June 2018

    A different perspective here...

    I get a lot of new clients who come to me because their WP sites have been hacked. Here's the #1 scenario that leads to their sites' downfall.

    1.) Original developer was hired on the cheap and installed a paid theme.

    2.) Client thought they were done with the developer after the site launched.

    3.) Nobody thought to pick up the paid maintenance plan for that theme.

    4.) A year or two passes and while the paid theme company has issued many (security) updates, the client hasn't received any of them.

    5.) Client gets calls from their customers that their site is flagging customers' anti-virus.

    6.) I get called, clean up the sh*t, make sure they're paid up on theme support and install Wordfence.

    7.) Put their site on my InfiniteWP manager which I use to update all the clients' sites every day (takes about 5 min.)

    8.) I get weekly emails from each Wordfence install which tells me about blocked IPs and their geolocation. If things look bad, I'll get the client to go with a paid Wordfence subscription which lets me block IPs by country (I'm looking at you - China, Turkey, Ukraine!). Doesn't stop everything, but helps.

    I'd say this one scenario covers about 80% of the WP repair work I do. Been about 5 years now and I've never had a "repaired" client who stayed with the plan hacked (fingers crossed!!)

    I charge for the repairs, maybe a little for the InfiniteWP management... but usually there's plenty of new business that comes out of these clients.

    I generally don't deal much with clients' hosting. It's usually some of the usual big-box hosts or a managed VPS. Really not interested in doing battle with Hostgator, 1&1, etc. and there's just not enough money in the deal to be a re-seller or affiliate.

    As to WP efficiency, once caching is set up, most sites which don't do constant updates are essentially serving HTML with very little load on PHP or the DB.

  • ricardoricardo Member
    edited June 2018

    raindog308 said: Themes are not just HTML/CSS, as I'm sure you know.

    Indeed, it's theme.css?arg=withoutlube

    The fact that there's PHP by arbitrary authors who can run arbitrary PHP means tits up all round, but, with all software there is a degree of trust. Just look at the most paranoid privacy aficionados who came on here, lording it about privacy rights... exploit after exploit just showed how much they were walking around with their pants down.
