WHY NOT WORDPRESS?

It’s a testament to the efforts of Matt Mullenweg of Automattic, and the enthusiasm of its user community, that WordPress is the most popular content management system (CMS) worldwide. Favoured by solo bloggers and large businesses alike, its huge market penetration is unquestionably a success story.

But the ZDNet article headlined above makes for sobering reading, as does the more detailed Sucuri report which the article condenses. None of this comes as a great surprise to me, however, as WordPress has a rather sketchy security history — CVE Details lists 294 known vulnerabilities on the date I’m writing, 29 November 2019. I see several reasons for this:

• To some extent, WordPress is a victim of its own success. Being the most widely used CMS makes it a major target for hackers: they get more bang for their buck by finding and exploiting vulnerabilities in software with millions of installations rather than hundreds or thousands. For the same reason, there are more viruses and other malware targeting Windows than other operating systems.
• Its plugin architecture makes WordPress susceptible to harm. Users may see the ability to extend the WordPress feature set with plugins as a boon. But plugins can be written by anyone, which means that:
  • bad actors could deliberately write plugins with security exploits built in;
  • plugins can be written by people who simply don’t have the programming nous to write secure software — cock-up rather than conspiracy, you might say.
• The codebase is pretty huge. WordPress began as a simpler blogging program, b2/cafelog, which Matt Mullenweg “forked” to create WordPress, which has grown and grown ever since. The last time I looked at the code, the word that popped into my mind was tangle, and perhaps it had reached a point where it would be better torn down and started over. The more code, the greater the opportunities for errors and vulnerabilities.
• WordPress uses a database — typically MySQL — to store website content. That opens another attack vector, as the database may be compromised by SQL injections. The database problem is one of the reasons for the growing popularity, especially among the technorati, of static site generators like Jekyll, which doesn’t use a database.

“It only takes five minutes” (to begin with…)

The easy, “five minute installation” (and the fact that it is free) makes WordPress attractive to many people, including some who, to be blunt, shouldn’t be let anywhere near a web server due to their slim grasp of the technicalities. Which might lead you to suspect that the reason for so many hacked installations is because a lot of the people running WordPress simply aren’t assiduous enough in keeping their installations current with the latest security updates. But as Sucuri found and ZDNet reported, most of the hacked sites were actually running up-to-date versions. The majority of the problems were associated with plugins and themes, misconfiguration and “a lack of knowledge around security best practices”.

WordPress doesn’t sit well with my general pursuit of simplicity. Notwithstanding all the above, it is an extremely capable, full-featured CMS. That’s great, if you need all those features. Which you might, if you’re running a large, complex site. But I find clients don’t usually need all of that capability, and can do without having to learn how to use it all. WordPress affords site owners a great degree of control — perhaps too much, because unless you really know what you’re doing, you can inadvertently mess up your site. (I should say that WordPress isn’t alone among CMSs in these respects; it’s just the best known. Most major packages are more capable or complex than a lot of clients need.)

Because (again, like many other CMSs) WordPress uses a database:

• the data — your website content — isn’t very portable, because it is stored in blobs of binary code, rather than something like plain text that can be read outside of the CMS or transferred to other applications easily;
• it’s a little slower to deliver pages than static websites, because the content has to be pulled out of the database first.

File-based CMSs don’t have these disadvantages, and offer a viable alternative. Even in cases where a database CMS is the right way to go, there are others with better security than WordPress.

I would rather not put my clients (or my servers) at potential risk from WordPress. But that doesn’t mean I can’t equip you with a content management system!

→  Notes & miscellany  →  Why not WordPress?