What's wrong with WordPress?

YokedEgg Member
edited April 2018 in General

In all seriousness, what's wrong with WordPress?

Seems to be generally disliked here, although it's powering upwards of 25% of sites according to WordPress themselves, which is believable from me.

I know people say it's insecure, but that seems to only be so without the right configuration (which could happen to any script, really), and insecure plugins being installed.

People say it's slow because of php + database (not static), but when you cache it (both php and the actual site), it can work just fine.

So convince me here, why not just use WordPress?

There's just too big of a plugin ecosystem and too much functionality to leave, and nearly every business needs a blog.

P.S. I understand every use may not fit WordPress.


Comments

  • WordPress is a good platform to work with if you keep it updated, well managed and well secured, a lot of people use poorly coded plugins/themes which are easily exploited and that's where a lot of bad blood comes from when it comes to wordpress.

    It is definitely one of the most popular platforms to use and it's that way for a reason.

    Thanked by 1YokedEgg
  • Maybe it's not WordPress that's the actual problem for most things. Perhaps just some of the people using it. It can be secure, if you use it right, don't add dumb themes and add-ons etc, but not everyone knows/cares about that.

    Thanked by 1YokedEgg
  • @WSCallum said:
    WordPress is a good platform to work with if you keep it updated, well managed and well secured, a lot of people use poorly coded plugins/themes which are easily exploited and that's where a lot of bad blood comes from when it comes to wordpress.

    It is definitely one of the most popular platforms to use and it's that way for a reason.

    I pay for my major plugins & my only (customizable & brandable) theme I use.

    Which are beaver builder theme & page building plugin. I love it, it was cheap enough for me, and since I'm actually paying for it, I receive updates on both.

    Thanked by 1WSCallum
  • deank Member, Troll
    edited April 2018

    The issue with WP is that it got too popular. Every single script kiddie finds it the easiest target to hack into.

    Bundled with a common trend of "install and forget" and downloading pirated themes cuz it's free, it creates a nice recipe for disaster.

    Of course, when actually hacked, WP users blame the host first always.

  • @deank said:
    The issue with WP is that it got too popular. Every single script kiddie finds it the easiest target to hack into.

    Bundled with a common trend of "install and forget" and downloading pirated themes cuz it's free, it creates a nice recipe for disaster.

    Of course, when actually hacked, bloggers blame the host first. I don't think I've seen any bloggers voluntarily admitting that it was their fault.

    Anyone that doesn't know what they're doing should use Centminmod, it secures it down by default if you let it use it by default settings.

    Vast majority of hacked WordPress sites are a sys admin error in configuration, or an insecure plugin install.

  • jh Member
    edited April 2018

    I don't hate Wordpress but it does encourage idiots to do stupid things..

    Plugin store be like "here's a list of packages written by random people on the internet - click here to download and run them!"

    Wordpress owner be like "Ooooh a plugin that lets me edit my robots.txt file!"

  • deank Member, Troll

    I generally avoid using WP. Using something even slightly less popular reduces general risk by shit ton.

  • raindog308 Administrator, Veteran

    I think the chief problems are:

    (1) The base platform is so widely used that it's a huge attack surface. Then again, one could argue that any problems are swiftly exposed, so...

    (2) There are a billion plugins for it, and with any given plugin, you're trusting that one developer with your site.

    I use WP but stick with well-known theme vendors and plug-in providers.

    jh said: Wordpress owner be like "Ooooh a plugin that lets me edit my robots.txt file!"

    Yeah, the best attitude with WP is "don't use a plugin if you can avoid it".

    Thanked by 1Clouvider
  • @deank said:
    I generally avoid using WP. Using something even slightly less popular reduces general risk by shit ton.

    Idk, that's another change the SSH port = secure argument. It's just hiding really, I think it's better to use software you can rely on the team existing in a year from now. For example HTMLY is pretty much dead now already.

    Thanked by 1Abdussamad
  • deank Member, Troll

    @raindog308 said:
    Yeah, the best attitude with WP is "don't use a plugin if you can avoid it".

    That's true to any CMS. The opposite usually happens though.

  • As you pointed out, the plugin ecosystem is quite out of control. A good chunk of plugins were coded for earlier releases and haven't been given a second look. Why? For one, the world is always looking for something newer and with a slightly different functionality. I have seen so many forks and versions of the Site statistics plugin (don't remember the actual name now). So plugin X gives you 5 options, plugin X+ gives you 10 options, Plugin Ultimate X gives you a different set of 10 options and so on.. You never know which is the "good" one out of the bunch.

    Because plugin & theme development is often lucrative and the fact that a lot of code is GPL licensed, half-assed developers can put together something that looks amazing. (Though in reality opens a lot of vulnerabilities and slows down the website).

    Many years ago when I was on shared hosting, a bad neighbor would cause my site to also be vulnerable. I have seen email sending php scripts on my home directory even though I don't have any thing running other than a default Twenty Fourteen/Fifteen theme.

    While I don't think I can convince you that you should move away from Wordpress (I run 90% of my sites on it), I think it takes a lot of tending to, like a garden.

    Thanked by 1Claverhouse
  • For siteowners that are going to use Wordpress for business use, it's wrong to do it without professional help, I'm pretty sure 90% of those "hacked", "broken" wordpress sites seeking help are because they don't have the right knowledge to use it.

    On developer perspective when I discuss it with my colleagues, it's always mixed, some just hate PHP so they hate Wordpress; some are turned off because it's not fully OOP; some hate using a "blogging" software for a fully content management system.

  • deank Member, Troll
    edited April 2018

    Another issue is that, until one's hacked, they don't feel being hacked is their reality.

    It's the same as making backups. One doesn't usually have a habit of backing up things until he loses his data catastrophically.
    Even then, there are those who don't learn from their own mistakes.

    Thanked by 1Aidan
  • Static sites FTW

  • Wordpress is a good way to consume my Idle vps.

    Thanked by 1ariq01
  • emg Veteran

    WordPress suffers from frequent security issues. Keeping up with patches adds to the workload. Automated exploits for script kiddies appear quickly, so you don't get a lot of time to patch, and let's not ignore the occasional zero day exploits.

    How often do we see headlines where "thousands of WordPress sites" were infected or taken over by bots? That says it all to me.

  • @emg said:
    WordPress suffers from frequent security issues. Keeping up with patches adds to the workload. Automated exploits for script kiddies appear quickly, so you don't get a lot of time to patch, and let's not ignore the occasional zero day exploits.

    How often do we see headlines where "thousands of WordPress sites" were infected or taken over by bots? That says it all to me.

    Being a bit dramatic, also use WP-CLI for automatic updates.

  • @jh said:
    I don't hate Wordpress but it does encourage idiots to do stupid things..

    Plugin store be like "here's a list of packages written by random people on the internet - click here to download and run them!"

    Wordpress owner be like "Ooooh a plugin that lets me edit my robots.txt file!"

    lol

  • because we're anti-mainstream ?

    the only acceptable mainstream product is whmcs and cpanel

    for me, the biggest obstacle to use wordpress is no postgresql support. yes there is pg4wp, but unofficial and abandoned.

  • @kassle said:
    because we're anti-mainstream ?

    the only acceptable mainstream product is whmcs and cpanel

    for me, the biggest obstacle to use wordpress is no postgresql support. yes there is pg4wp, but unofficial and abandoned.

    I dislike both whmcs and cpanel, to be honest with you.

    Thanked by 1kassle
  • Hxxx Member
    edited April 2018

    As long as you use the right plugins and keep everything on auto-update, assuming you did things correctly, maintenance job is next to none. WP Security is very decent as long as you use Wordfence free or paid. This is just like cPanel, after install, **harden** it then you are good to go.

  • @Hxxx said:
    As long as you use the right plugins and keep everything on auto-update, assuming you did things correctly, maintenance job is next to none. WP Security is very decent as long as you use Wordfence free or paid. This is just like cPanel, after install, **harden** it then you are good to go.

    Sucuri or WordFence both work good.

  • Hxxx Member

    IMO the wordfence company has a lot more to show when it comes to experience. Sucuri is pretty nice especially to change those salt keys after being compromised.

    @YokedEgg said:

    @Hxxx said:
    As long as you use the right plugins and keep everything on auto-update, assuming you did things correctly, maintenance job is next to none. WP Security is very decent as long as you use Wordfence free or paid. This is just like cPanel, after install, **harden** it then you are good to go.

    Sucuri or WordFence both work good.

  • PUSHR_Victor Member, Host Rep
    edited April 2018

    There is absolutely zero need to use any plug-in for security purposes with WP. Same with using caching plugins. Just throw Nginx, fail2ban and Varnish in, come up with a few fail2ban rules for the most probable attacks (xmlrpc, admin-ajax, search dos, a default catch-all for non-existing URLs, etc.) and call it a day. And make sure WP auto-updates itself.

    WP is a brilliant CMS.
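
The fail2ban approach in the post above, prototyped as an added example (not part of the original thread, and not any poster's configuration): an anchored pattern in the style of a fail2ban `failregex`, plus the `maxretry`/`findtime` counting, run over constructed nginx access-log lines. It narrows the post's list to POSTs against `xmlrpc.php` and `wp-login.php`; the thresholds, names and log lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed nginx "combined" log lines; addresses are documentation ranges.
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Apr/2018:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.58"
203.0.113.7 - - [12/Apr/2018:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.58"
198.51.100.20 - - [12/Apr/2018:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2018:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1800 "-" "curl/7.58"
192.0.2.15 - - [12/Apr/2018:10:00:10 +0000] "GET /?s=x HTTP/1.1" 200 512 "-" "POST /xmlrpc.php x"
192.0.2.15 - - [12/Apr/2018:10:00:11 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2018:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2018:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
'''

# Anchored at line start and tied to the request field, so text a client puts
# in its User-Agent or Referer cannot make an unrelated line count as a hit.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /(?:xmlrpc\.php|wp-login\.php)[ ?]'
)
MAXRETRY = 3    # assumed threshold: hits inside the window that trigger a ban
FINDTIME = 60   # assumed window length in seconds

def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return hosts reaching maxretry matching requests within findtime seconds."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["host"]]
        hits.append(ts)
        # Drop hits that have aged out of the sliding window.
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

The occasional logins from 198.51.100.20 stay under the threshold, which is the tuning question for any such rule: a window that is too long or a `maxretry` that is too low bans ordinary editors.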

  • @PUSHR_Victor said:
    There is absolutely zero need to use any plug-in for security purposes with WP. Same with using caching plugins. Just throw Nginx, fail2ban and Varnish in, come up with a few fail2ban rules for the most probable attacks (xmlrpc, admin-ajax, etc) and call it a day. And make sure WP auto-updates itself.

    WP is a brilliant CMS.

    Disagree on the first part, I always suggest using WordFence personally.

  • PUSHR_Victor Member, Host Rep
    edited April 2018

    @YokedEgg said:

    @PUSHR_Victor said:
    There is absolutely zero need to use any plug-in for security purposes with WP. Same with using caching plugins. Just throw Nginx, fail2ban and Varnish in, come up with a few fail2ban rules for the most probable attacks (xmlrpc, admin-ajax, etc) and call it a day. And make sure WP auto-updates itself.

    WP is a brilliant CMS.

    Disagree on the first part, I always suggest using WordFence personally.

    I am probably a bit too much an anti-plugins guy, but what is it the WordFence does for you that my no-plugins approach does not? I have seen what a mess WordFence does to the DB which is the main reason why I dislike it, and not how effective it is (if it really is, because I have not had a need for it on a few very high-profile WP sites).

  • @PUSHR_Victor said:

    @YokedEgg said:

    @PUSHR_Victor said:
    There is absolutely zero need to use any plug-in for security purposes with WP. Same with using caching plugins. Just throw Nginx, fail2ban and Varnish in, come up with a few fail2ban rules for the most probable attacks (xmlrpc, admin-ajax, etc) and call it a day. And make sure WP auto-updates itself.

    WP is a brilliant CMS.

    Disagree on the first part, I always suggest using WordFence personally.

    I am probably a bit too much an anti-plugins guy, but what is it the WordFence does for you that my no-plugins approach does not? I have seen what a mess WordFence does to the DB which is the main reason why I dislike it, and not how effective it is (if it really is, because I have not had a need for it on a few very high-profile WP sites).

    Well for one, brute force blocking unless you plan on creating access restriction with nginx.

    It does a lot of things other than that obviously.

  • As most people have stated. It's not WordPress itself, it's things like not updating plugins regularly that creates security breaches.

    Occasionally there are issues with WordPress itself that are normally resolved within 24 hours by updating WordPress.

    I have tried ManageWP to update plugins daily + backups etc. and it has worked well. If there is anything better that people have used please let me know :)

  • From a host standpoint WordPress has become an abuse problem. The WordPress core itself is secure, but when you add in free third party plugins and themes it can become a hassle to deal with. Sites get hacked and send spam, or host phishing content.

  • MikeA Member, Patron Provider

    I run a few Wordpress installs (Nginx, PHP 7.2 + CloudFlare). Obviously secured, they're fast and I've never had a problem. Most of the problem is probably people installing a shit load of random plugins or never updating them.
