Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Almost Everything That's Wrong With Wordpress

E157a71a8b1585e6a33e2c6da01d4cac?s=47 Christian Leo-Pernold
March 16, 2018
Technology
0
38

Almost Everything That's Wrong With Wordpress

E157a71a8b1585e6a33e2c6da01d4cac?s=128

Christian Leo-Pernold

March 16, 2018
Tweet

More Decks by Christian Leo-Pernold

See All by Christian Leo-Pernold
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
27
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
80
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
17
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
140
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
39
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
3
550
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
1
62

Other Decks in Technology

See All in Technology
36bb9dcd778d2a9621d44e92425d0907?s=48 hhiroshell
1
450
1dceaa2dcea41c16004f430c1723b20e?s=48 miso
0
210
8d0803aa4572615f7bce5f5288e6b716?s=48 mochan_tk
0
440
140494d272a4d89883a94fdfdb29dea2?s=48 oracle4engineer
PRO
1
130
29fc9602e0ed9cca544d677266dadd68?s=48 hikarut
1
21k
3fa91dc187588e13e827810d2f30d8c7?s=48 moepy_stats
2
2.1k
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
PRO
0
190
532348a1aba5a909e283624c3d2a9a95?s=48 shift_evolve
0
1.8k
4b2f3a64637b51e81813accbe8a98083?s=48 miura55
0
460
1b031ccbf968811f157cf7a892dddfed?s=48 geshan
1
290
Af02fa0e7eab6a7ca9da85052536e8c3?s=48 aar_nobu
0
2.9k
58ed7368f1de80df0b380087b19a4ac1?s=48 sugarcrm
PRO
0
110

Featured

See All Featured
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
106
5.5k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
122
16k
0438ae60cde4c7add6f9da48f28c15cc?s=48 chrisshort
7
30k
245cee81a9c424266e5e401d844ea881?s=48 lara
27
3.7k
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
25
990
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
484
150k
Aff5641764408271f7bc398f2097edd0?s=48 denniskardys
224
120k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
100
15k
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
PRO
333
37k
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
60
9.7k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1352
200k
5f50f94346fbcb23706f0707169317a4?s=48 aarron
262
37k

Transcript

  1. Almost everything that’s wrong with WordPress

  2. Christian Leo-Pernold @mazedlx https://github.com/mazedlx https://mazedlx.net

  3. Agenda State of WordPress Developer’s POV # Vulnerabilities Conclusion Lots

    of Memes

  4. State of WordPress

  5. None

  6. WordPress Versions 4.9 (2017-11) 4.8 (2017-06) 4.7 (2016-12) 4.6 (2016-08)

    Older Source: https://wordpress.org/about/stats

  7. WordPress and PHP Versions 7.2 (2017-11) 7.1 (2016-01) 7.0 (2015-12)

    5.6 (2014-08) Older Source: https://wordpress.org/about/stats

  8. “ Why do we support older versions? We strongly recommend

    the latest versions of PHP and MySQL, but we understand that this isn’t right for everyone, and that sometimes hosts can be slow or hesitant to upgrade their customers since upgrades to PHP and MySQL have historically broken applications. Note: If you are in a legacy environment where you only have older PHP or MySQL versions, WordPress also works with PHP 5.2.4+ and MySQL 5.0+, but these versions have reached official End Of Life and as such may expose your site to security vulnerabilities Source: https://wordpress.org/about/requirements/
  9. None

  10. More numbers ~ 29% market share (of CMS) ~ 50.000

    Plugins ~ 60 translations )*+,-. ~ 77.000.000 blogs ~ 16.000.000 sites ~ $50 developer hourly rate Source: https://w3techs.com, https://www.codeinwp.com and https://managewp.com

  11. Well-known WordPress Users Snoop Dogg NY Times Blogs Forbes Blogs

    Vogue Bloomberg Professional BBC America TechCrunch GNOME Mercedes-Benz Playstation.Blog Le Monde The Walt Disney Company Time Magazine Sony Music Source https://wordpress.org/showcase/
  12. None

  13. Lines of Code WordPress Drupal Joomla Typo3

  14. Average Class Length WordPress Drupal Joomla Typo3

  15. Average Method Length WordPress Drupal Joomla Typo3

  16. Average Class Complexity WordPress Drupal Joomla Typo3

  17. Average Method Complexity WordPress Drupal Joomla Typo3

  18. Namespaces WordPress Drupal Joomla Typo3

  19. Developer’s POV #

  20. It’s not a CMS.

  21. None

  22. wp-config.php Great for pushing to a repository. Not.

  23. Tables and Columns They speak for themselves. Don’t they?

  24. Globals FTW! Source https://codex.wordpress.org/Class_Reference/wpdb

  25. Small classes

  26. Even smaller classes

  27. Helpful comments are helpful

  28. Themes

  29. Magic Numbers 9

  30. Why not 3.1415?

  31. Vulnerabilities

  32. WordPress FAQ https://codex.wordpress.org/FAQ_My_site_was_hacked

  33. 78% of hacked websites in Q1 2016 used WordPress Source

    https://sucuri.net/infographics/

  34. Source: https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/

  35. None

  36. Security Through Obscurity Hide the “admin” user. Change the default

    table prefix. Hide the login page. Hide the WordPress version. Rename the wp_ folders. Hide WordPress altogether. Source https://blogvault.net/wordpress-security-through-obscurity/
  37. None

  38. Passwords WordPress relies on the Portable PHP password hashing framework

    MD5 as a fallback Password hashes don’t get “upgraded” after login

  39. Passwords

  40. None

  41. https://wpvulndb.com

  42. Attack Vectors Hosting Theme Plugin Weak Passwords Source https://torquemag.io/2016/03/wordpress-sites-hacked/

  43. CVE (Common Vulnerabilities and Exploits) Code Execution SQL Injection XSS

    Bypass Gain Information CSRF Other Source http://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337

  44. Conclusion

  45. Database column’s names are a mess (e.g. post_author is an

    ID). Spaghetti code EVERYWHERE. Magic Numbers all the time. No separation of concerns (MVC). Super-long classes (4.000 LOC and up). Different coding styles throughout the codebase. Sometimes within the same class. Querying the database hurts your brain. Only MySQL/MariaDB-Support out of the box.
  46. None

  47. No templating engine. Writing plugins is cumbersome. Writing custom templates

    too. The built-in WYSIWYG editor is a mess. Inconsistent function names. SEO is often painful. Absolute paths in database (mysite.com/about).

  48. Recommendations Use WordPress if you must Be proactive and update

    often. Really often Secure your setup Be careful when using 3rd party plugins for they may be vulnerable Use a real CMS (Typo3, Drupal, Joomla, OctoberCMS, Statamic etc.) if you can

  49. None

  50. Thanks! Slides are available at https://speakerdeck.com/mazedlx/ Done! Thanks! Questions?