So drupal is more barebones and has a higher learning curve, but seems to push developers in a better direction.
Ghost is a bit more… It’s the apple of publishing platforms. It does it’s thing, is very opinionated about how it does, and that’s about it.
They both require security as a mindset.
Hugo is my recommendation frankly, because what the end user sees is just a static site. No vulns to take advantage of, except apache or nginx.
@wendell confirm?
I used version 7 many years ago and was underwhelmed.
I kinda try to avoid PHP in general if I can although maybe that bias is unfounded (compared to RoR or the various javascript platforms).
big-ish. it is a 90% solution. Out of the box it is very underhwhelming. It’s like a prefab house… some assembly required… its not approaching the problem the same as wordpres.s… different answers
Hmm alright, I’ll take a look into HUGO more in the future, and stop paying attention to WordPress.
Thanks for all of the information everyone!
Yeah, I’ve heard this too many times. Pushed me away from it.
I always find it kind of amusing that there’s probably a lot of people around these days who don’t know that PHP was originally designed to be embedded in HTML, and not the other way around. 
I host several hundred WordPress websites for various small businesses. Something around 300 at my last count. Boy let me tell you, its a walking security disaster. I have the pleasure of “fixing” everything from SEO-hacked to outright crypto mining sites about once a week if not more.
WordPress is easy to use and attracts bad developers who write bad code. WordPress refuses to break backwards compatibility, it was only a few years ago that they made the minimum PHP version for new installations 7.0 - which at the time of the announcement was already EOL. Now you have bad code working with bad practices running on known insecure platforms all dynamically typed because WordPress devs don’t understand static typing.
It is also used in the wrong applications. For something like a blog where someone is logging in frequently to fuss with things, its great. Keep updates installed and its fine. Half the problem is that people use WordPress as an “install then forget” platform, where over time things lose forward compatibility because nobody has been installing updates. When I switched my minimum PHP version from 7.1 to 7.2 a while back, I had several dozen unhappy customers complaining that their site was broken. This is a huge disincentive for hosts to ever change anything because the non-tech-savvy customers simply don’t know better. This is a recipe, and as we can see in the wild, for an entire ecosystem that is behind the times and insecure.
The core devs themselves are pretty worthless and petty beyond belief. They will only allow something into core if it was their own idea. Take - these - examples - of - the - same - issue - all - closed - because - “I don’t find this very useful”. Heck, they still refuse to integrate with composer, and they don’t even have to do the work! Several pull requests have been submitted to accomplish this, but since its not their idea its a no-go.
The whole thing just stinks of bad developers holding onto bad choices and refusing to iterate because the “known bad” is preferred over the “better and new.”
Dang, so you’re a masochist? Am I reading this right?
That’s a fair assessment. Not by choice mind you, I hate it, but maybe that is what a masochist would say?
Who knows. As long as it pays the bills, right?
I look after a couple wordpress sites where someone hired a “web developer” to make a site for them and they customized a wordpress template, threw it onto whatever hosting, got paid and disappeared forever.
I set everything to auto-update and backup aggressively as possible and so far, I have never had to think about it again…
I have a local website which I have to frequent. They’ve put the site under an account registration so that any posted personal info would not leak. I could register and I would be eligible to register but I dont because the site admin didnt really lock down the site contents.
It is literally a door with a lock but no walls. How could I trust them with my personal info?
+1 golden cermudgen award
From dealing with WordPress issues over the years of other clients, beyond the fact it has become popular for bug hunting which leads to exploits there are also 3rd party add-ons that can have unfixable flaws that weaken WordPress security. If I recall from a few years ago there was a flaw in backwards compatibility of older WordPress themes/addons.
As long as a WP installation receives regular updates(last few versions have automated updates), it can be a stable platform with a custom template that uses the least amount of exploitable features/widgets.
Arsetechnica is Wordpress iirc… so it can’t be that bad.
More like TurdPress
You’re talking about Ars.
Been using Ghost for a while. It’s been awesome. Very clean both front end and back. I wrote about it bit here, but more recently setup https://anothersupersite.com/ which was a bit more of an undertaking. Used a pre-made theme, but man… the designer made A LOT of typos and it took @HardwareTracker a few passes to iron them all out. Still, me being a complete novice, it wasn’t a large learning curve at all.
Whatever you might think of them, people who work there do understand what Wordpress is and are capable of using an alternative.
Or more substantially, their site isn’t hacked every other week (or ever?). I’m sure people try.
That was kinda my point. They’re a big outfit who can afford to hire people who know what they’re doing to maintain their tech debt full time.