What's wrong with WordPress? - Page 2
Comments

  • Bloatware. Greedy for resources, insecure by concept. Too many poorly coded plugins; an API where security and simplicity were the last things developers thought about. Also, one cannot rely on a plugin remaining up to date, so always be ready to replace the obsolete one and find an alternative.

    If I really need a really powerful, extendable CMS, I'll take Drupal.

    If I need a really light and yet useful blog engine, I'll take TextPattern.

    If I need to create a quick and secure site, I'll use a static site generator.

    Of course, WordPress's success resulted in the appearance of myriads of parasite services: those setting that damned thing up securely, those developing plugins for it, etc. etc. etc. So everyone is happy, everyone is busy. Long live WordPress!

    Thanked by 1Blazing
  • FHR Member, Host Rep

    @Master_Bo said:
    Bloatware. Greedy for resources, insecure by concept. Too many poorly coded plugins; an API where security and simplicity were the last things developers thought about. Also, one cannot rely on a plugin remaining up to date, so always be ready to replace the obsolete one and find an alternative.

    If I really need a really powerful, extendable CMS, I'll take Drupal.

    If I need a really light and yet useful blog engine, I'll take TextPattern.

    If I need to create a quick and secure site, I'll use a static site generator.

    Of course, WordPress's success resulted in the appearance of myriads of parasite services: those setting that damned thing up securely, those developing plugins for it, etc. etc. etc. So everyone is happy, everyone is busy. Long live WordPress!

    I hate the Drupal update mechanism, or lack thereof. When something like this happens it's much easier to fix WordPress - just press a single button to update.

  • On some WordPress installations I've managed in the past, I had to get my client to set up a development WordPress site, and once they were done with it, I literally cleared all PHP FastCGI handlers in directories where WordPress shouldn't be executing any code.

    That trick worked out pretty well until somebody exploited an insecure plugin and started to infect the site again for spam and hosting malware on it.

  • @MikeA said:
    I run a few Wordpress installs (Nginx, PHP 7.2 + CloudFlare). Obviously secured, they're fast and I've never had a problem. Most of the problem is probably people installing a shit load of random plugins or never updating them.

    Two of my WP sites were hacked into and both were pretty up to date. So it's not always outdated WP sites that get hit. I did some hardening after that and no issues since.

    I also looked at other CMSes: Drupal, Joomla, Bolt, and some others. Nothing really beats WP in terms of convenience and ease of use. I do like Bolt.cm though, but only for sites I rarely change.

    Thanked by 1Claverhouse
  • joepie91 Member, Patron Provider

    YokedEgg said: I know people say it's insecure, but that seems to only be so without the right configuration (which could happen to any script, really), and insecure plugins being installed.

    No. It still uses MD5 for password hashing. It blindly installs automated updates without verifying their authenticity, meaning that you can pwn a quarter of the web by compromising the update server. Security issues in Wordpress absolutely are not limited to plugins. Not to mention that something that's only secure "with the right configuration" counts as insecure full stop.

    The entire codebase is a mess structurally, making it easy to introduce bugs, including security-critical ones.

    From a quality perspective, Wordpress is an absolute trashfire. Its popularity has nothing to do with technical quality, and everything with optimizing for short-term benefits in exchange for long-term costs, like so many bad technologies do.

  • YokedEgg Member
    edited April 2018

    @joepie91 said:

    YokedEgg said: I know people say it's insecure, but that seems to only be so without the right configuration (which could happen to any script, really), and insecure plugins being installed.

    No. It still uses MD5 for password hashing. It blindly installs automated updates without verifying their authenticity, meaning that you can pwn a quarter of the web by compromising the update server. Security issues in Wordpress absolutely are not limited to plugins. Not to mention that something that's only secure "with the right configuration" counts as insecure full stop.

    The entire codebase is a mess structurally, making it easy to introduce bugs, including security-critical ones.

    From a quality perspective, Wordpress is an absolute trashfire. Its popularity has nothing to do with technical quality, and everything with optimizing for short-term benefits in exchange for long-term costs, like so many bad technologies do.

    I know more than one person making millions through WordPress.

    Example:

    https://www.digitalmarketer.com/

    I'm sorry, but really, these baseless accusations don't really hold ground. If it's so insecure, I challenge you to hack them. But it won't be possible. WP is fine in terms of security and just fine in terms of loading speeds. Pros outweigh the cons.

  • Master_Bo Member
    edited April 2018

    @FHR said:
    I hate the Drupal update mechanism, or lack thereof. When something like this happens it's much easier to fix WordPress - just press a single button to update.

    Inconvenient update scheme isn't an excuse to use WP instead.

    Also, when dealing with Drupal, I usually use automation tools like drush. Oh yes, and backup everything prior to any update/change, to avoid crying over corrupt data.

    @YokedEgg said:

    I'm sorry, but really, these baseless accusations don't really hold ground. If it's so insecure, I challenge you to hack them. But it won't be possible. WP is fine in terms of security and just fine in terms of loading speeds. Pros outweigh the cons.

    Your right to deem them baseless. I also get my part of income off WordPress - repairing broken/hacked installations, applying those security measures that do not come with bare bone CMS.

    As for "challenge you to hack" - sorry, I do not respond to sandbox-level taunts.

  • Hxxx Member

    I disagree with a lot of the content here in this thread and, without offending anyone, I must respectfully say there are a lot of clueless people throwing shit here.

    Saying Drupal in here, I mean, you lost the argument already with that card.

    I agree about the MD5 stuff; there are remedies to that. As always, @joepie91 is knowledgeable; from dev to dev I can see his point of view.

    You should not run WordPress vanilla. Wordfence, even the free version, is so effective, especially verifying the update sources, file versions, modifications, bruteforce, real-time protection to prevent SQL injections. I mean... shit, if you are going to install plugins without reviewing their code, you better have some sort of security installed. In my books Wordfence is top, and if anyone disagrees I invite you to take a look at what the product does; these guys are pioneers in the area.

    If you are going to use ANY CMS, all of them have vulnerabilities, all of them have shit plugins, etc. In the case of WordPress, since it is very popular, the community is huge; this is like Microsoft users vs Linux users.

    Even if you code your own CMS, chances are you are going to do worse than WP in terms of security.

    Thanked by 1YokedEgg
  • YokedEgg said: I'm sorry, but really, these baseless accusations don't really hold ground. If it's so insecure, I challenge you to hack them. But it won't be possible. WP is fine in terms of security and just fine in terms of loading speeds. Pros outweigh the cons.

    It's @joepie91's opinion; challenging him to hack WordPress is useless. If you want to counter, prove his claim is wrong, for example show him that the password is hashed using SHA-512. Otherwise this discussion becomes destructive (WordPress vs the world?).

  • YokedEgg Member
    edited April 2018

    @kassle said:

    YokedEgg said: I'm sorry, but really, these baseless accusations don't really hold ground. If it's so insecure, I challenge you to hack them. But it won't be possible. WP is fine in terms of security and just fine in terms of loading speeds. Pros outweigh the cons.

    It's @joepie91's opinion; challenging him to hack WordPress is useless. If you want to counter, prove his claim is wrong, for example show him that the password is hashed using SHA-512. Otherwise this discussion becomes destructive (WordPress vs the world?).

    Well, for example, he's right about MD5 being the default hash but what he left out is the fact you can change the hash itself.

    I'm not in the slightest expecting the site to be hacked, but you can't say you've looked into the code and seen exploits without understanding how to actually use the exploit yourself.

    "If you can't explain it simply, you don't understand it well enough."

    -Albert Einstein

    The same fundamental principle could be applied here, if you cannot execute the exploit yourself, you don't understand it or it doesn't exist.

    P.S. I'm not really interested in arguing why everyone should use WordPress but you can't throw out something with no actual basis or facts behind it.

    Thanked by 2Hxxx kassle
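The "you can change the hash itself" point above refers to WordPress's pluggable functions: wp_hash_password() and wp_check_password() are only defined by core if no plugin has defined them first. The following is an added example (not code from the thread or from WordPress itself) of a must-use plugin that replaces the default hasher with bcrypt and migrates legacy phpass/MD5 hashes on the next successful login; the cost factor and file placement are assumptions.

```php
<?php
/**
 * Plugin Name: bcrypt password hashing (example, not part of WordPress)
 *
 * Assumed placement: wp-content/mu-plugins/bcrypt-hashing.php, so it loads
 * before wp-includes/pluggable.php. Core guards its own definitions with
 * function_exists(), which is what makes this override possible.
 */

// Cost 12 is an assumed value; tune it to your hardware (~100-250 ms/hash).
define( 'EXAMPLE_BCRYPT_COST', 12 );

if ( ! function_exists( 'wp_hash_password' ) ) {
    // Replaces the default phpass-based hasher with PHP's native bcrypt.
    function wp_hash_password( $password ) {
        return password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => EXAMPLE_BCRYPT_COST ) );
    }
}

if ( ! function_exists( 'wp_check_password' ) ) {
    // Verifies against bcrypt, but still accepts the two legacy formats a
    // long-lived install may hold, then rehashes them in place.
    function wp_check_password( $password, $hash, $user_id = '' ) {
        if ( strlen( $hash ) <= 32 ) {
            // Bare MD5 from very old (pre-2.5) installs.
            $check = hash_equals( $hash, md5( $password ) );
        } elseif ( 0 === strpos( $hash, '$P$' ) ) {
            // Salted, iterated MD5 from the phpass hasher WordPress ships.
            require_once ABSPATH . WPINC . '/class-phpass.php';
            $hasher = new PasswordHash( 8, true );
            $check  = $hasher->CheckPassword( $password, $hash );
        } else {
            // Hashes produced by wp_hash_password() above.
            $check = password_verify( $password, $hash );
        }

        // Transparent upgrade: any non-bcrypt (or under-cost) hash is rewritten
        // once the user has proven the password. password_needs_rehash() returns
        // true for formats it does not recognise, which covers both legacy cases.
        if ( $check && $user_id
             && password_needs_rehash( $hash, PASSWORD_BCRYPT, array( 'cost' => EXAMPLE_BCRYPT_COST ) ) ) {
            wp_set_password( $password, $user_id ); // stores wp_hash_password() output
            $hash = wp_hash_password( $password );
        }

        // Keep core's filter so login-hardening plugins still see the result.
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }
}
```

After activation, `SELECT user_pass FROM wp_users` should show `$2y$12$...` values for every account that has logged in since, and `$P$...` only for accounts that have not.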
  • alright then, back to topic

    Honestly, I have a question about securing WordPress: some or most say to rename the wp-admin folder. Yeah, it will obscure things from a hacker, but will this method break the (auto) update mechanism?

    Thanked by 1Claverhouse
  • YokedEgg Member
    edited April 2018

    @Master_Bo said:

    @FHR said:
    I hate the Drupal update mechanism, or lack thereof. When something like this happens it's much easier to fix WordPress - just press a single button to update.

    Inconvenient update scheme isn't an excuse to use WP instead.

    Also, when dealing with Drupal, I usually use automation tools like drush. Oh yes, and backup everything prior to any update/change, to avoid crying over corrupt data.

    @YokedEgg said:

    I'm sorry, but really, these baseless accusations don't really hold ground. If it's so insecure, I challenge you to hack them. But it won't be possible. WP is fine in terms of security and just fine in terms of loading speeds. Pros outweigh the cons.

    Your right to deem them baseless. I also get my part of income off WordPress - repairing broken/hacked installations, applying those security measures that do not come with bare bone CMS.

    As for "challenge you to hack" - sorry, I do not respond to sandbox-level taunts.

    It wasn't directed at you.

    But it applies to anyone saying "I've reviewed the code, it's terrible, and has exploits". They will just look stupid unless they've already proved authority in the security field, or they can demonstrate it themselves.

  • Hxxx Member

    Take a look at wordfence, the free version at least.

    You don't need to rename anything, that will break a few things.

    @kassle said:
    alright then, back to topic

    Honestly, I have a question about securing WordPress: some or most say to rename the wp-admin folder. Yeah, it will obscure things from a hacker, but will this method break the (auto) update mechanism?

    Thanked by 1kassle
  • YokedEgg Member
    edited April 2018

    @kassle said:
    alright then, back to topic

    Honestly, I have a question about securing WordPress: some or most say to rename the wp-admin folder. Yeah, it will obscure things from a hacker, but will this method break the (auto) update mechanism?

    By default, yes, you should rename it, but that won't in the slightest really do anything for actual security; it's pseudo-security by hiding. It's just for bots, etc.

    There are so many things you can do that it's hard to give any advice really; start by renaming the admin folder and installing Wordfence.

    If you want an easy way to lock down WordPress (such as double auth for login pages with nginx), try Centminmods autoinstaller with the default settings enabled.

    Thanked by 1kassle
  • FHR said: I hate the Drupal update mechanism, or lack thereof. When something like this happens it's much easier to fix WordPress - just press a single button to update.

    ..yeah, if convenience is a main factor to you, you might have to stick with WordPress. From a developer's perspective, Drupal as a CMS solution is a gazillion times better than WordPress.

  • @ZiriusPH said:

    FHR said: I hate the Drupal update mechanism, or lack thereof. When something like this happens it's much easier to fix WordPress - just press a single button to update.

    ..yeah, if convenience is a main factor to you, you might have to stick with WordPress. From a developer's perspective, Drupal as a CMS solution is a gazillion times better than WordPress.

    You really should say "In my opinion as a developer, Drupal as a CMS solution is a gazillion times better than Wordpress".

  • jetchirag Member
    edited April 2018

    Many peeps using WordPress have no idea about security and they would install any random plugin or theme. Many of those use nulled ones (because it's, well, free) but they have no clue that their site is compromised until the host suspends them for sending out large chunks of spam. They would then blame the host with threats, pointing out that their servers are insecure.

    /my 2c

    Thanked by 1DataPacket
  • @jetchirag said:

    Many peeps using WordPress have no idea about security and they would install any random plugin or theme. Many of those use nulled ones (because it's, well, free) but they have no clue that their site is compromised until the host suspends them for sending out large chunks of spam. They would then blame the host with threats, pointing out that their servers are insecure.

    /my 2c

    /me TL;DR: It's users not WordPress which makes it insecure

    True, true.

  • YokedEgg said: /me TL;DR: It's users not WordPress which makes it insecure

    I thought it'd work with content :?

    Thanked by 1YokedEgg
  • FHR Member, Host Rep

    @ZiriusPH said:

    FHR said: I hate the Drupal update mechanism, or lack thereof. When something like this happens it's much easier to fix WordPress - just press a single button to update.

    ..yeah, if convenience is a main factor to you, you might have to stick with WordPress. From a developer's perspective, Drupal as a CMS solution is a gazillion times better than WordPress.

    From my perspective as a developer I don't particularly like WordPress or Drupal - however I use WordPress because that's what clients want.

    Most people using the CMS won't know much about the system; they just want a working website. With a built-in updater, they will either update with a single button press or the CMS will update itself automatically (I always turn on auto update for my clients). If something like this doesn't exist, try telling people who have no idea what FTP is to replace a bunch of files. I don't even mention Drush because that thing obviously doesn't work without SSH, a thing unknown on most shared hosting.

  • (I always turn on auto update for my clients)

    Just reading this tells me we are serving WordPress SaaS very differently. But hey, if our clients are happy, cheers!

  • WordPress is unquestionably the world's most well-liked CMS. The script is at its roots more of a weblog than a typical CMS. For a while now it has been modernized and has got thousands of plugins, which have made it a lot more CMS-like.

    Thanked by 1YokedEgg
  • @YokedEgg said:
    You really should say "In my opinion as a developer, Drupal as a CMS solution is a gazillion times better than Wordpress".

    From viewpoint of a developer, Wordpress has an interesting CVE history. That somewhat contradicts the statement that WP security issues are users' fault.

    In fact, WP is liked by almost everyone.

    Users like it since "you know, everyone uses it", also "it's shiny and cool with all those themes".

    Hosters like it since WP, especially with myriads of plugins, is a resource hog. Selling WP-specific hosting is profitable.

    Security experts like WP, since it provides endless earning opportunities off those idiots valued users, who just don't bother configuring it until the site is either 100% busy mining crypto, or defaced by a would-be hacker.

    WP plugins developers are especially happy, since with its current CMS share WP will most probably live forever. The demand for yet another plugin will also stay forever.

    So the opinion of developers seeing all that chaos and spaghetti in WP code has nothing to do with reality. In reality, see above, everyone likes WP.

  • My perspective: What makes WP most alluring is the breadth of themes.

  • Jarry Member

    @Blazing said:
    My perspective: What makes WP most alluring is the breadth of themes.

    Never did some serious research, but when it comes to web-design, all those WP-sites look the same to me. I'd guess 90% of WP-sites use one of 10 most popular themes...

  • ramesh_vish said: A good chunk of plugins were coded for earlier releases and haven't been given a second look.

    I've created a few plugins and I can tell you this doesn't matter at all. One of the main reasons WP is so popular is that it maintains backwards compatibility with old plugins and themes. The plugin and theme API rarely changes. So it doesn't matter if the "tested up to" thing is not current. It'll work.

    Thanked by 2YokedEgg FHR
  • joepie91 Member, Patron Provider
    edited April 2018

    YokedEgg said: If it's so insecure, I challenge you to hack them.

    That attitude is an excellent way to ensure that anybody who remotely has a clue about security will stop taking you seriously. And an excellent way to end up making really poor choices about what to run on your infrastructure.

    And well, to put it simply: it will get you hacked. Sooner or later. By somebody with a lot more malicious intent than the guy you were taunting to 'hack it to prove it'.

    (Of course, I will gladly try to find vulnerabilities for you in WordPress at my usual hourly rate, under contract.)

  • @joepie91 said:

    YokedEgg said: If it's so insecure, I challenge you to hack them.

    That attitude is an excellent way to ensure that anybody who remotely has a clue about security will stop taking you seriously. And an excellent way to end up making really poor choices about what to run on your infrastructure.

    And well, to put it simply: it will get you hacked. Sooner or later. By somebody with a lot more malicious intent than the guy you were taunting to 'hack it to prove it'.

    (Of course, I will gladly try to find vulnerabilities for you in WordPress at my usual hourly rate, under contract.)

    You are the literal definition of the r/iamverysmart subreddit.

  • joepie91 Member, Patron Provider

    @YokedEgg said:

    @joepie91 said:

    YokedEgg said: If it's so insecure, I challenge you to hack them.

    That attitude is an excellent way to ensure that anybody who remotely has a clue about security will stop taking you seriously. And an excellent way to end up making really poor choices about what to run on your infrastructure.

    And well, to put it simply: it will get you hacked. Sooner or later. By somebody with a lot more malicious intent than the guy you were taunting to 'hack it to prove it'.

    (Of course, I will gladly try to find vulnerabilities for you in WordPress at my usual hourly rate, under contract.)

    You are the literal definition of the r/iamverysmart subreddit.

    Not at all. I'm just pointing out that your attitude to security is completely misguided.

    Feel free to ask any reputable security professional for a second opinion on whether challenging somebody to "hack it to prove it" is a reasonable thing to do. You're going to get the same answer.

  • @joepie91 said:

    @YokedEgg said:

    @joepie91 said:

    YokedEgg said: If it's so insecure, I challenge you to hack them.

    That attitude is an excellent way to ensure that anybody who remotely has a clue about security will stop taking you seriously. And an excellent way to end up making really poor choices about what to run on your infrastructure.

    And well, to put it simply: it will get you hacked. Sooner or later. By somebody with a lot more malicious intent than the guy you were taunting to 'hack it to prove it'.

    (Of course, I will gladly try to find vulnerabilities for you in WordPress at my usual hourly rate, under contract.)

    You are the literal definition of the r/iamverysmart subreddit.

    Not at all. I'm just pointing out that your attitude to security is completely misguided.

    Feel free to ask any reputable security professional for a second opinion on whether challenging somebody to "hack it to prove it" is a reasonable thing to do. You're going to get the same answer.

    Yes, because it cannot be done.

    Prove me wrong, otherwise anything you could say is moot.
