Why all the hate for WordPress?

Seriously, what’s with all the hate with WordPress? I understand that plugins can be problematic and introduce security vulnerabilities, but is that it? From my research, it seems to have tons and tons of helpful features.

1 Like

It’s not so much that it’s a bad tool. It’s more that it’s a poorly designed tool with massive vulnerabilities.


Isn’t it frequently updated with the vulnerabilities getting quickly patched?

What would be a suitable alternative?

So was adobe flash.

Static HTML pages.


The vulns come out as frequently as the patches, nearly. Wordpress being vulnerable to at least one cve is as reliable as the sun coming up in the morning.

Even still, some features are inherently vulnerable.

1 Like

The architecture is prone to allowing developers to make fatal mistakes. The attitude from command is mostly that’s a feature not a bug.

As a result low skill people use wordpress which increases my suffering and misery when I’m asked to make something more durable.

The frustration is building a house on sand when you know the foundation will wash away


Valid point

I don’t think that’s realistic anymore, with most webpages on the web working only properly with javascript. Static HTML pages mostly feel “dated”.

Haven’t heard of this point. Any examples? (This may sound rude, but I don’t mean to ask this in a rude way, but instead in a way to learn about what legitmatiely makes WordPress bad).


In the past, and idk if this is still an issue, but I used the file upload feature to get shell access.

Now that is behind a login page, but the site was also vulnerable to sql injection so…
Maybe 2 years ago?


Couldn’t the same be said with, for example, Windows Active Directory, in which many GPO’s and other settings are enabled by default, introducing major security vulnerabilities?

1 Like

I don’t think so. Hard to recall the last time GPO misconfig resulted in loss of domain admin credentials.


It’s mistakes in plugin design, not so much security policy implementation.

Policy can be corrected by the admin. Plugins, usually, cannot.


Yeah pretty much what Wendell said. If you know what real engineering is, then using wordpress just rubs you the wrong way, because you know too much about the concessions made in order to make it so widely used.

The signal to noise ratio is pretty bad when doing pretty much any kind of research around it also, because there’s 87 people rambling about something completely unrelated for every person who has identified a real problem and just wants to know what they can do about it.


I was thinking more along the lines of how many default Active Directory settings can lead to fairly easy privledge esculation by a bad actor. That’s how I was relating the comparison between WordPress and Active Directory; both require hardening to prevent bad actor attacks.

1 Like

Right, but those are default settings, which by definition can be changed. Should they not be default? Probably, it really depends on what the trade off is. I’d have to evaluate them on a case by case basis.

The bigger issue is that these encouragements by the wordpress api encourages developers to make terrible design decisions which result in wordpress being a pentesters wet dream.

I very specifically remember in my first devops position, we had to use wordpress. My manager put me in charge of setting it up. He told me the requirements were “it doesn’t have access to any of our stuff, it’s hosted in another data center with no routing to our stuff, and none of the credentials should have any overlap at all. Assume this is a honeypot.”


Ohhhh ok, that makes sense and is a good distinction between the two.


Yeah, poor configuration can be repaired. Poor design cannot.

Think of it as leaving the door unlocked on a house, vs building a house and not putting locks on any of the doors.


Alright, so I’m starting to understand the hate for Wordpress. However, what alternatives really are there for self-hosted? I know of MediaWiki and Discourse, but both of those softwares target different use-cases.

1 Like

Wendell is a big proponent of drupal, to my knowledge. I’ve used Ghost in the past and liked it. There’s also static sites, or static site generators, like hugo


I’ve used both of those in the past. Drupal seems fine. A bit heavy maybe for some uses, but it works. Hugo I didn’t care for that much, but that was a few years ago when Go wasn’t really a thing yet, so maybe it’s better now.

There’s also Jekyll, which is another static site generator. Shopify is based mostly on Jekyll templates.


I haven’t heard of either of these two in the past. I assume they provide similar functionality to WordPress, while also being more hardened against attacks, with minimal/no web-programming knowledge required?