Why Wordpress?

What are the alternatives? Is there any other free, self-hosted, open source CMS that out-of-the-box allows an average non-tech person to publish content, images, etc. with such ease and nicely designed admin GUI? Easy to install, can be installed on any cheap shared hosting and will work fine, has automatic updates, content is searchable, has tones of themes free or cheap to choose from, it&#x27;s fairly easy to customize and reasonably safe, as long as developer doesn&#x27;t get crazy with plugins and has a basic idea of web security it&#x27;s just fine. Code is ugly as hell and I hate it as much as everyone else, but site owners don&#x27;t care about it, as long as the interface is nice and easy and cheap to use. And also there&#x27;s a ton of helpful videos and tutorials to give to your clients to learn how to use it (so they don&#x27;t bug you at all on &quot;how do I do this&quot;). Developers are cheap and readily available if you don&#x27;t want to provide support which is a huge benefit for the customer, not being stuck with a custom solution and having to pay a new site each time he changes the developer.<p>I&#x27;d be very happy to use something else, more secure and better written, but what comes even close?

Wordpress is a great platform if you use well rounded plugins, actively manage it, have it behind a Firewall, and run a security suite (like Wordfence.) But really, you should have any CMS install behind a Firewall.<p>I really like Wordpress, it gets a lot of hate; but it&#x27;s easy to develop on allowing for fast turn around, has the best editor of any CMS around for client happiness, and has a robust ecosystem. I&#x27;m in charge of around ~150 websites that run Wordpress, and I moved them all under an active management platform with always up to date plugins, themes and core. I inherited a lot of them with my new job, but I am slowly putting them all behind Cloudflare&#x27;s firewall and setting up the appropriate page rules to keep them safe. I often scan them and compare them against the core to make sure there have been no changing of core files by a hack. I also have them on scheduled back-ups to private Azure blobs and have alerts set up with Azure&#x27;s monitoring tools.<p>It takes a while to set all of that up, but once it is set up your install is pretty safe against any sort of attack relative to other CMSs. Another great thing about WP is if it IS hacked, it&#x27;s pretty easy to fix. Other CMSs getting hacked is quite the chore to hunt down, especially the other major PHP based CMSs. I&#x27;m looking at your Magento &amp; Drupal.<p>I think about what is best for turn around, has the best cost&#x2F;benefit, and what makes clients happiest, and so far that is Wordpress is the answer 90% of the time. Until that changes, Wordpress will continue to run a huge chunk of the web. I do grant you that a lot of lazy developers and unmanaged&#x2F;out-of-date installs from agencies, small businesses and individuals are hacked very often and are often turned into zombie sites. There&#x27;s no doubt about that. But just taking some basic common sense security measures can do wonders and keep you and your clients safe(r) from attack.

I see WP Engine touted as a solution. My limited experience with a client several months ago was &quot;hey, we&#x27;re getting really big, we need better security and better performance&quot;, they shop around, and get sold (in a literal sense) on WP Engine. Signed up, and my friend started to try to migrate things over. Oh... yeah, they don&#x27;t actually support many custom plugins - you could select from some blessed ones, but the client&#x27;s traffic was all using a custom theme and set of plugins. Those wouldn&#x27;t run on WP Engine.<p>I too (and many others) could make most WP hosting really secure if I got to say &quot;you can only use these 9 plugins (or whatever the number was) and no, you can&#x27;t put any custom code on the server at all&quot;.<p>EDIT: Indeed... every moderately-sized WP project I&#x27;ve worked on ends up being dozens of plugins (more than 15 being average, and one recent one having about 45 active plugins). Every time I mention that to anyone I know who &#x27;does&#x27; WP they all recoil in horror and say &quot;I&#x27;d never even work on that - that&#x27;s impossible! Why would you need that many plugins ever?!&quot; And then I think... they don&#x27;t really understand WP, or they don&#x27;t understand clients. Or... yeah, it must be my problem, because I&#x27;m somehow not good enough to deliver everything a client asks for <i>in wordpress</i> (requirement) in the mythological &quot;3-5 plugins&quot; everyone tells me is their max.<p>EDIT2: The client project referenced above was getting tens of millions visits per month, and as such the WPengine number I was told was somewhere in the region of $1500&#x2F;month.

Dismissed Wordpress for many years, then I found WPEngine (I know, mentioned below, but I have some points to make). Edit: Not affiliated with them in any way. Just a really big fan.<p>My number one reason for WPEngine is their excellent support, both in terms of response times and general knowledge. They have never let me or a client down.<p>My time is money (or the client&#x27;s money). Yes it&#x27;s much more expensive than self-hosting, but my hourly rates are much more than their professional plan costs each month. One unfortunate issue and they&#x27;ll spend more on paying me than they&#x27;ll save on hosting elsewhere for a year. This is also how I &quot;sell&quot; WPEngine to new leads. It&#x27;s not a hard sell.<p>I now have 12+ client sites there. Some several years and none have suffered a single issue of a compromised site. I&#x27;ve actually used WPE&#x27;s (free) service to migrate compromised sites to their platform and get them cleaned as a feature to garner new clients.<p>The WPE interface allows me to switch between them in an instant. Add to that general performance&#x2F;caching, security&#x2F;firewall, automatic updates, daily snapshots and reverting to a previous version with one click, on-demand backups, the staging site functionality, free automated SSL certs, CDN (pro plans), etc etc<p>It has come to the point that I don&#x27;t accept any projects that don&#x27;t agree on hosting there.<p>PS Fought battles with many different CMSs --e.g. don&#x27;t even get me started on Joomla or even Drupal-- and don&#x27;t believe that wordpress is any more vulnerable than other CMS sites. Moreover, there are so many WordPress developers out there, that I can safely promise that me getting hit by a truck is really not a problem.<p>Edit 2: I limit plugins to the absolute minimum. I avoid free plugins whenever possible. Buying highly rated plugins with support from places like ThemeForest is really really useful and well worth the money.

I love wordpress, but I don&#x27;t love PHP, updates, security flaws, or hosting. I haven&#x27;t done it yet, but I&#x27;m considering using the Simply Static plugin[0] to migrate to generated static pages from my wordpress instance, which sidesteps all of those problems.<p>[0]: <a href="https:&#x2F;&#x2F;wordpress.org&#x2F;plugins&#x2F;simply-static&#x2F;" rel="nofollow">https:&#x2F;&#x2F;wordpress.org&#x2F;plugins&#x2F;simply-static&#x2F;</a>

Because people who don&#x27;t actually know how to build websites are fooled into thinking they have a tool that will fill that knowledge gap, despite the security implications that they are oblivious to.

People keep saying wp is bad. Ye it is from your point of view. But there are maybe billions who have no clue how internet works but they want a site&#x2F;blog&#x2F;shop whatever. Many of them don&#x27;t even think about paying someone to make a website, or pay for tools.<p>So they pick wordpress: 1 click install in cpanel, no html, css, js, php knowledge whatsoever, pick a free theme from millions of themes, pick plugins from millions free ones, done. Maybe a bit of google to personalize it but that&#x27;s it.<p>What do you offer devs who can make a quick 50 bucks in afternoon installing a plugin&#x2F;theme, or even 100 for a quick website with admin panel and all that easy stuff?<p>There is a market for everyone and cms&#x27;s will live one way or another. The simple &amp; free stuff will always be more successful.

I used to have a WordPress-based blog. It was indeed a nightmare to keep up to date, unless a bit after version 2, where they included the option of automatic updates, and the whole thing was a bit more manageable. Not because it was too much of a problem before (download the compressed file, uncompress, move to the correct folder), but because sometimes an update came out and I didn&#x27;t notice. Had malware installed once, was a nightmare to get rid of.<p>For a variety of reasons, the blog crashed and when I started a new one, I chose Pelican[1]. Haven&#x27;t looked back.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;getpelican&#x2F;pelican" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;getpelican&#x2F;pelican</a> (linking to the github repository because the main site happens to be down <a href="https:&#x2F;&#x2F;github.com&#x2F;getpelican&#x2F;pelican&#x2F;issues&#x2F;2079" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;getpelican&#x2F;pelican&#x2F;issues&#x2F;2079</a>).

WordPress is fantastic for what it was meant to be: a blog. When people try shoehorning it into e-commerce and other things it turns into a real mess. There&#x27;s no real structure to the application itself, which leads to promoting a procedural, &quot;dump everything in a functions.php file&quot; type of programming.

Wordpress (with auto-updates enabled) + modsecurity with the owasp ruleset = I&#x27;ve never had a problem. I&#x27;m sure if someone targeted me specifically that statement wouldn&#x27;t be true, but I don&#x27;t fear having a Wordpress site on the Internet at the moment.

I never got into WP, but had multiple good experiences with Drupal. The problem for me is that WP gives you a good foundation, but if you don&#x27;t know how to develop on that foundation, write your own plugins, or control your own security, you end up doing what 99.5% of the people do that use WP:<p>1 - use a C panel &quot;one click&quot; install of the CMS from your web host<p>2 - start looking for plugins to give you the functionality you want<p>3 - install said plugins without sand boxing them or even testing them for vulnerabilities.<p>4 - end up getting hacked and then wonder what happened<p>It&#x27;s true that for the most part the WP <i>core</i> is pretty solid, but its the billions of sketchy plugins that people use that create vulnerabilities and allows their sited to get hacked.

One of the great things about WordPress is the plugin ecosystem. This is also a something of an achilles heel, especially when it comes to security. WordPress seems to attract a lot of lowest-common-denominator coders who create plugins. So while the WordPress core is now pretty solid when it comes to security, the various plugins are almost never coded to the same standard.<p>I have to wonder if WordPress added a small cost and verification system at front, similar to the app store, if third-party code would be of higher quality.

The question should be &quot;what&quot;.<p>Static HTML will often fit the bill

WP felt like a good default &#x27;go to&#x27; choice 10 years ago. Certainly, in the last 5, it does not feel that way to me, even though I still do use it for some projects (myself and my clients) but it&#x27;s not a default, nor is it by any means the only tech stack I work in (&lt; 10% of my work is in wordpress - various PHP and Java&#x2F;Groovy make up most of the rest of my work).<p>There are a few things which don&#x27;t get called out very much, but which were&#x2F;are some of the underlying motivating factors for people defaulting to wordpress (perhaps as a more root underlying reason behind some of the &#x27;large ecosystem&#x27; reasons people typically default to).<p>A primary one which gets overlooked is that fact that WP is about the only &#x27;framework&#x27; of any sorts in any tech stack which allows people to simply move files up to a server. There are no command line incantations to run, no npm&#x2F;build stuff to use, no compiling, etc. It&#x27;s about the only platform I can point someone to where they can do an install themselves, and still make modifications later (days&#x2F;months&#x2F;years later). Many do &#x27;one click&#x27; installs via cpanel or whatever, but even outside of that, the process to install and make changes later is about as basic as you can get - editing and moving files - nothing else needed.<p>Secondly, in the realm of web frameworks (whether we describe it as one or not, wordpress is indeed a framework, albeit possibly reluctantly for a while), it&#x27;s one of the few that comes with a username&#x2F;password&#x2F;registration process ready to use, out of the box. Anyone looking to build any extension&#x2F;plugin can count on a standard user&#x2F;pass&#x2F;registration&#x2F;recovery process being there. Most other web platforms shun this most basic aspect, comparing their routing options and ms-oriented benchmarks. I think ASP.NET MVC v4 came bundled with a standard user&#x2F;reg system?, and one might throw Drupal&#x2F;Joomla in that camp too. Outside of that - certainly all the major PHP platforms for years - symfony, zend, kohana, code igniter, ez, etc - all gave you parts, then told you to build it youself. Typical rationale was &quot;everyone&#x27;s needs are different&quot;.<p>So... people &#x27;build it themselves&#x27;, thinking their own needs were &#x27;different&#x27; from everyone else&#x27;s (hint - vast majority of times, they&#x27;re not), then we wonder why things get hacked, and point the finger at the devs themselves who... shouldn&#x27;t have to be reinventing that wheel every other month. Devise in Rails seemed to have been a go-to for a while, and many other languages tend to coalesce around 1-2 frameworks and 1-2 user&#x2F;auth libraries, but the PHP world is just too damn big for much consensus...<p>Except in Wordpress. Whether it&#x27;s good or not, it provided enough of the basics in a standard way to become the basis for people to build on. And... build they did - often extremely poorly (no, really, not <i>everything</i> should necessarily go in to &#x27;wp_options&#x27; - session data? really? and I have to run my own stuff to clean it up?)<p>These low barrier to entries have been at the root of why WP has gained so much popularity and control.<p>I certainly know there are &#x27;good&#x27; ways to develop with WP as a basis, if you wanted to. And some people really want to. But doing things too &#x27;correctly&#x27; from a dev standpoint (migrations, testing, dev&#x2F;staging&#x2F;prod setups, etc) means you&#x27;re now fighting against the WP core principles of &#x27;move files up and execute&#x27;. The core of WP doesn&#x27;t support these concepts, and tacking them on feels... tacked on. You&#x27;re also alienating yourself from the 99% of wordpress developers (in every sense of that word) who do not even understand those concepts in the first place - they will never be able to use or contribute to your code&#x2F;project&#x2F;tool. At some point, doing things the &#x27;developer&#x27; way conflicts so much with the core ethos of WP, that you&#x27;re fighting the base, and there&#x27;s probably not much benefit (outside of latching on to the name recognition) and you&#x27;re probably better off in another tech stack.<p>WP itself providing some &#x27;blessed&#x27; approaches for creating plugins with testing processes, standard&#x2F;defined way of importing&#x2F;exporting plugin data, and other attendant issues around plugins would solve problems for larger-scale developers&#x2F;users, but might very well alienate many of the folks who were earlier adopters. But... at this point, where else would those folks go?

If you have an existing web application (i.e. Rails or Django) and need to add in CMS, Wordpress becomes suboptimal very quickly. If you&#x27;re doing work for a client website, they want you to spend as few hours ($$$) as possible launching a CMS. For that there are modern API-first CMS like <a href="https:&#x2F;&#x2F;buttercms.com" rel="nofollow">https:&#x2F;&#x2F;buttercms.com</a> that were built to quickly integrate into any tech stack. Which means you remain very productive working in technology you&#x27;re comfortable with instead of learning PHP (in the event you&#x27;re well versed in Ruby or Python, for example).

I hate wordpress. Always having to be updated, plugins that fall behind or also need to be updated, duplication of images instead of using original and styling or scripting it instead - same image creates 30 images in some templates. Change a template and things break. I&#x27;ve never understood why people keep touting it.

can we talk about the action&#x2F;filter hell, the mess that is wp_query and the hackish way to get structured data integrated in wp (see acf for example)? digital agencies loves wp, and you will always get to use it in a non blog way with messy plugins and themes, and this is a pain.

Or you can dump it on medium, which looks better on mobile devices and looks cooler in general.

I&#x27;d love WordPress to be on GitHub rather than squirreled away on... Actually I have no idea, I&#x27;ve never actually found it. I bet you can&#x27;t find it within 2 minutes from reading this, go on, give it a go...<p>Told you. Get it on GitHub and watch how much better it becomes.<p>Also sorting out the versioning would make it more usable.

Because you want to get hacked.

Umm, wordpress is a useful widely supported lowest common denominator

I&#x27;m looking at the &quot;dead&quot; comment by PravlageTiem. I understand that PravlageTiem was being sarcastic, and some people feel that sarcasm undermines the tone that is supposed to prevail on Hacker News. But still, PravlageTiem raises an important point:<p>WordPress has historically been a security nightmare.<p>Possibly there was a tone of anger in the way PravlageTiem expressed themselves, but the security flaws in WordPress are worth discussing any time that WordPress is discussed.<p>Certainly, when I have a freelance client, and they ask me &quot;Should we use WordPress?&quot; I typically answer with some long version of &quot;It has a good admin section for non-technical users, and also designers love it, but it also has a lot of security flaws.&quot;

<a href="https:&#x2F;&#x2F;roots.io&#x2F;" rel="nofollow">https:&#x2F;&#x2F;roots.io&#x2F;</a><p>Problem(s) solved.<p>Disclaimer: not affiliated in any way.