I was on a forum the other day and a guy asked about the best platform to build an E-Commerce website on.
All the answers echoed one another, “WordPress!”.
Now I’m in shock … I mean how can you say WordPress when it’s the most hacked platform in the world?
Just having a WordPress website makes you a target.
And keep in mind, getting hacked can put you out of business.
1.) If they inject malware into your site, Google and Firefox will block anyone from seeing it, and you will not even know it.
2.) All of a sudden your site stops getting traffic and the phone stops ringing.
3.) You start to disappear from all the search engines.
I read somewhere that the president of Home Depot was losing sleep worrying about getting hacked right before they got hacked. Target never recovered after they got hacked and neither has Home Depot.
After a bit of watching I decided to chime in.
So with graphs and stats I pointed out that WordPress isn’t the best choice for anyone, much less a guy trying to start an E-Commerce business.
WordPress isn’t just the most hacked platform in the world; 3 out of 4 websites that get hacked are WordPress websites.
So I showed tests that have been run and how 70% of the WordPress websites online are vulnerable to an attack.
And he responds with ...
“You are free to your opinion on this. But any site is hackable. The knowledge of the person behind it is what makes the difference.”
So I say, “Those aren’t my opinion. Those are stats, graphs and facts.”
A bit of time goes by and he responds with …
The reason WordPress gets hacked is because of plugins, and the reason plugins are a problem is because they use plugins that are poorly designed.
Okay, so what he is saying here is that other people have the problem but not him. As a matter of fact, the only people with the problem are people that don’t understand coding.
So I respond, “But WordPress is pushed as a one-button quick install and you’re up and running.
However, the truth of the matter is that once you’ve installed it you can’t do much of anything without plug-ins. And their best, top-ranked security plug-in has been hacked and used to hack sites, and their best, top-ranked SEO plug-in has prevented sites from getting ranked.
And none of those were caught by the PHP experts that were being paid to check their code.
In other words, you can’t use WordPress without plugins, and no one knows how good or secure those plugins are, as even their most popular plugins have been hacked.
You’ve also got the additional problem of not being able to tell the difference between the guys that really know the platform and the ones that are just faking it until they make it. Or for that matter the ones that know the platform but are willing to take shortcuts that could cause you problems later.
Now I don’t blame the programmers for the hacks, as both WordPress and PHP find vulnerabilities in their code 3 to 4 times per month, which means they have to go in and patch code, and anyone who’s got a plugin or template will need to check and rewrite their code accordingly.
So this means you’ll need a full time programmer on staff to keep your WordPress website up to date.
But even then it will not be enough as most problems have been found after the hacks and not before.
And really … who’s got the time to keep track of all that code?”
And he responds …
WordPress isn’t the problem, it’s entry-level web developers and business owners building sites that are the problem.
And the reason WordPress gets hacked more is because it’s more popular.
So I write back with 9 undeniable problems with WordPress that should leave anyone running from it …
Are you saying your idea of security is obscurity???
Because what I’m saying is that if you have plans for the future and need a sustainable, highly customizable solution WordPress isn’t it and heres why ...
1.) WordPress is a mess in terms of both code and basic common sense of how to develop a CMS, but they can’t improve the code because it breaks compatibility with PHP 5.2!
WordPress' minimum PHP version requirement is PHP 5.2, a branch first released in November 2006, more than a decade ago, which has been unsupported by the PHP Group and has not received any security patches since its final release (5.2.17) in January 2011.
Just think about it: more than six years (!!!!) without any security patches.
By supporting insecure versions they support security holes.
They've gone out of their way to keep PHP 5.2 support, making the codebase a complete mess in doing so, and not taking advantage of things that would make WordPress on PHP 7 not only much nicer for developers, but faster for site users.
In their defense they probably can’t change the architecture because they don't want to break it.
2.) Something like 70% of WordPress sites are insecure, and for this reason they’ve got a ton of bots gunning for them. As a matter of fact, WordPress is the largest malware/hacking target in the world, so just by using WordPress you also become a target.
3 out of every 4 websites that get hacked are WordPress sites.
3.) The developer community is large but consists mostly of wannabe developers and consultants who can't tell if they're using MAMP or XAMPP or whether they should install a plugin to change an image.
4.) For a developer WordPress is a maze that has 25% of its walls constantly changing, three or four times per month.
WordPress finds bad code that could be used by hackers, so they have to change the code, which means you have to update WordPress, which means your theme or plugins could break and need to be recoded.
5.) Code bloat is a big problem. All the patches make the site slower than necessary. I make it a point to use GTmetrix to test my sites and I always try to keep load time under 2 seconds.
However, I've seen WordPress sites through GTmetrix that have taken in excess of 30 seconds to load.
In my opinion that is criminal to have a clients site take that long to load.
6.) The code sucks. Everything about it is horrible: globals everywhere, inconsistencies, a weird mix between functional and OOP styles, absolutely horrible coding style. It's like we're back in the 90's.
If it was an unknown project and its author posted it here for review, they'd be laughed off any coding forum.
7.) As a PHP programmer, you understand that global variables are to be avoided at all costs and have no reason to be used. Yet, WordPress is full of them, and that alone is reason to dismiss its code as utter shit.
Anyone who doesn't admit that WP's code sucks has absolutely no idea how decent code is written.
No experienced developer would look into WordPress and call it good code.
8.) Plugins - WordPress does not actually ship with a lot of features out of the box. If you need to start building a site, you have two choices:
1. turn to third party plugins,
2. write your own plugins.
Both of these can be budget busters.
Third-party plugins may have crucial limitations or bugs that you might not discover until you've invested time into using them. You still have to do a lot of research and due diligence to select the right plugin.
I once spent 3 days just trying to find a plugin that would do what the client wanted.
I could have coded it myself in a day. It's a mistake to believe that 3rd party plugins are a time saver.
But then you have to dive deep into the guts of WP and all of its substandard features.
It's crap compared to modern frameworks. Its "hooks" system is a poor man's event system. Its "templates" are a joke. Its "router" sucks, and its database layer is horrible.
So basically, unless your application can be mostly built using the small set of features WP ships with out of the box, then you're going to be wading into a potential minefield of 3rd party plugin dead-ends, or a swamp of sluggish feature development using WP's substandard "framework" tools.
Even moderately complex applications can be built faster, more securely, more stably, and more easily maintainable using a proper framework instead of WP.
The problem is most plugins are written by the worst developers. You have to code review anything you use.
And if they are not maintained and updated 3 or 4 times per month then you either:
A) lose your customization
B) or have to manually crawl through the new version to find out what's changed
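The practical takeaway from points 4 and 8 is that you need to know exactly which plugins are installed and which version each one is at, before you can tell what a new WordPress release or plugin advisory breaks or fixes. Here is an added example of that inventory check; it is not code from the forum thread or from WordPress itself. It parses the standard WordPress plugin header (the `Plugin Name:` / `Version:` comment block at the top of a plugin's main file) from a plugins directory and flags anything below a minimum version you supply. The plugin tree, the plugin names and the `MINIMUM_SAFE` versions are all constructed for the demo, so they can be compared offline; in real use you would point `inventory()` at `wp-content/plugins` and fill `MINIMUM_SAFE` from the changelogs or advisories of the plugins you actually run.

```python
"""Inventory WordPress plugins and flag those below a known-fixed version.

Added example for this post, not code from WordPress or the forum thread.
The plugin files and the minimum-version table below are constructed
fixtures, not real plugins or real advisories.
"""
import re
import tempfile
from pathlib import Path

# Fields WordPress itself reads from the header comment of a plugin's main file.
HEADER_FIELDS = ("Plugin Name", "Version", "Requires PHP")


def parse_plugin_header(source):
    """Return the header fields found in the first 8 KB of a plugin file.

    WordPress matches '^[ \\t/*#@]*Field:' at the start of a line inside the
    leading comment block, which is what the regex below mirrors.
    """
    header = {}
    for field in HEADER_FIELDS:
        pattern = r"^[ \t/*#@]*" + re.escape(field) + r":\s*(.+?)\s*$"
        match = re.search(pattern, source[:8192], re.MULTILINE | re.IGNORECASE)
        if match:
            header[field] = match.group(1)
    return header


def version_tuple(version):
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def inventory(plugins_dir):
    """List every plugin under plugins_dir (one subfolder or one .php per plugin)."""
    plugins_dir = Path(plugins_dir)
    found = []
    for entry in sorted(plugins_dir.iterdir()):
        if entry.is_dir():
            candidates = sorted(entry.glob("*.php"))
        elif entry.suffix == ".php":
            candidates = [entry]
        else:
            continue
        for php in candidates:
            header = parse_plugin_header(php.read_text(errors="replace"))
            if "Plugin Name" in header:  # the first file with a header is the main file
                header["slug"] = entry.name if entry.is_dir() else entry.stem
                header["file"] = str(php.relative_to(plugins_dir))
                found.append(header)
                break
    return found


def flag_outdated(plugins, minimum_safe):
    """Return (slug, installed_version, reason) for anything needing attention.

    A plugin missing from minimum_safe is reported too: if nobody has reviewed
    it, it is exactly the unknown code the post warns about.
    """
    findings = []
    for plugin in plugins:
        slug = plugin["slug"]
        have = plugin.get("Version")
        if slug not in minimum_safe:
            findings.append((slug, have or "?", "unknown plugin: review it"))
            continue
        need = minimum_safe[slug]
        if have is None or version_tuple(have) < version_tuple(need):
            findings.append((slug, have or "?", "below " + need))
    return findings


# Constructed fixture: three fake plugins laid out like wp-content/plugins.
SAMPLE_PLUGINS = {
    "shop-cart/shop-cart.php": "<?php\n/*\nPlugin Name: Shop Cart\nVersion: 1.4.2\nRequires PHP: 5.6\n*/\n",
    "seo-tools/seo-tools.php": "<?php\n/**\n * Plugin Name: SEO Tools\n * Version: 3.0.0\n */\n",
    "hello.php": "<?php\n/*\nPlugin Name: Hello\nVersion: 1.7.2\n*/\n",
}
# Constructed "fixed in" versions; fill this from real changelogs in practice.
MINIMUM_SAFE = {"shop-cart": "1.5.0", "seo-tools": "2.9.0"}


def build_fixture():
    """Write SAMPLE_PLUGINS into a temp dir and return the plugins path."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    for rel, src in SAMPLE_PLUGINS.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(src)
    return root


def run_demo():
    """Inventory the fixture and return the findings list."""
    return flag_outdated(inventory(build_fixture()), MINIMUM_SAFE)


if __name__ == "__main__":
    for slug, version, reason in run_demo():
        print(slug, version, reason)
```

On the fixture this reports `shop-cart 1.4.2` as below the 1.5.0 floor and `hello` as a plugin nobody has put on the reviewed list, while `seo-tools` at 3.0.0 passes. Run against a real install it gives you the list you need before every one of those 3-or-4-times-a-month update rounds.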
9.) They have a ton of concurrent, incompatible APIs.
WP is written in such a way that an internal refactor isn't possible because the ecosystem is dependent on internals instead of a well defined API surface.
What more evidence do you need that WP sucks?
That's what happens when the target audience is broad enough to include people who aren't actually web developers, and might only know a little HTML.
But this is his career we are talking about, possibly the only platform the guy knows how to work on, so common sense, statistics, and proof mean nothing.
So he responds …
Let me make this really simple for you.
You have 100 WordPress sites with mostly amateur developers; that makes a great target for hackers, a big school of fish. 10 get hacked.
That’s the 10% you’re hearing about.
Now you have 10 Python sites, mostly millennial but more advanced developers; 2 get hacked, 20%.
Its easy to say WordPress is the bad guy.
Also, as sites like Shopify that were created in Python become more popular, we will begin hearing more about Python sites getting hacked.
Remember PHP has been more popular than Python for ages; there just aren’t enough targets in Python yet.
Hackers are for the most part looking for abundance in potential targets, python hasn’t achieved a big enough share to be that.
I would never be so naive as to say one language is better than another, as everything has its assets.
Sure, Python is great, but it cannot offer what PHP does in one aspect: fast turnaround times and ease of use for users.
I very much agree that Python is a higher-level language; I wouldn't down it for a second.
It's just that they shouldn't really be compared.
I think they are aimed at different needs.
WordPress is a simple CMS that is easy to install and deploy, and you can get started with it very quickly.
It is not, however, suitable for more demanding applications as Python would be.
Now I can tell he’s starting to see the light and realizes that there is no defending WordPress at this moment, but he’s still said some things that were not true, so I felt those things should be addressed.
So I responded again ...
The reason WordPress gets hacked more is because it is an easy target.
And we are not talking about 10% of WordPress sites being hackable; we are talking about 83% of the WordPress sites currently online being hackable.
And Shopify launched in 2006, which makes it more than ten years old, and it’s getting more and more popular every day, and you’re saying that as soon as they get popular enough and old enough people will start hacking them.
Ten years on the Internet is like a lifetime in the real world; in about ten more years they’ll be dead and gone. What you’re saying isn’t adding up.
Mainly because WordPress was created in 2003 and isn’t that much older than Shopify.
Also, when you say that Python is a millennial thing, I have to ask if you consider
just to name a few, to have all been created in the last couple of years by millennials?
And are you saying that at this moment in time none of those sites are as popular as WordPress?
Also, you say that PHP is more popular than Python, but according to Google Trends this has never been the case.
Now, while the forum has quieted down and the WordPress developers are licking their wounds, there was one question that I was unable to answer and would like to answer now …
How long does it take to build a website in Python?