Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Almost Everything That's Wrong With Wordpress

E157a71a8b1585e6a33e2c6da01d4cac?s=47 Christian Leo-Pernold
March 16, 2018
Technology
0
45

Almost Everything That's Wrong With Wordpress

E157a71a8b1585e6a33e2c6da01d4cac?s=128

Christian Leo-Pernold

March 16, 2018
Tweet

More Decks by Christian Leo-Pernold

See All by Christian Leo-Pernold
Don't assume, know!
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
2
What's new in Laravel 9
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
35
What's new in PHP8.1
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
47
GraphQL
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
110
How to not fuck up your day
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
24
Livewire. It's like Vue or React. Without the JavaScript.
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
160
PHP73.pdf
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
0
42
PHP 7.3 && Laravel 5.7
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
3
590
What's new in Laravel 5.5
E157a71a8b1585e6a33e2c6da01d4cac?s=48 mazedlx
1
65

Other Decks in Technology

See All in Technology
ロボットの実行すらメンドクサイ!?
3a06a93a8db01666fd2b822484930594?s=48 kou12092
0
220
AWS Step Functions を用いた非同期学習処理の例
227382dbd5e033db211c159edf32853c?s=48 hacarus
0
110
cobra は便利になっている
6ed12627fec46a135f1bce5d56f3568e?s=48 nwiizo
0
150
AWS CLI でやってみる ~ AWS Hands-on for Beginners ECS ハンズオン ~
8785139c395ce2345ce535822b522dde?s=48 kentosuzuki
1
550
ログラスを支える技術的投資の仕組み / loglass-technical-investment
F109e64829df9d89239079d68689c938?s=48 urmot
9
2k
マルチテナントSaaSのカスタム要件に、 Auth0テナントを分割せず向き合う! / Multi tenant SaaS with Auth0
8e8410eb785755ae2cb485f85dbab6e8?s=48 hiroga
0
170
金融スタートアップの上場準備で大事にしたマインドセット / 2022-08-04-the-mindset-in-preparing-for-ipo
0251532f4fb413ea1a026efe6eb16b87?s=48 stajima
0
330
Power BI のうらがわ
0cc2ebc5781bcb2cae5f9ab7efa40ff2?s=48 hanaseleb
1
170
CloudWatchアラームによるサービス継続のための監視入門 / Introduction to Monitoring for Service Continuity with CloudWatch Alarms
107ea34bd4da51e40f1c30b9ca0c459e?s=48 inomasosan
1
450
セキュキャンを卒業してその後
1f745ff900e1be51aedae18cae76593c?s=48 kurochan
0
600
ぼくらが選んだ次のMySQL 8.0 / MySQL80 Which We Choose
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
7
3.2k
今 SLI/SLO の監視をするなら Sloth が良さそうという話
Cb17938137021ead2656d0fe58b7c7b1?s=48 shotakitazawa
1
290

Featured

See All Featured
Side Projects
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
450
37k
It's Worth the Effort
Ba530e786553390f3fb271848485681c?s=48 3n
172
26k
Atom: Resistance is Futile
7fa6101cd43067653cf4ac6c7ca54305?s=48 akmur
255
20k
Helping Users Find Their Own Way: Creating Modern Search Experiences
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
7
1.1k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
212
20k
Automating Front-end Workflow
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1351
200k
GitHub's CSS Performance
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1020
420k
YesSQL, Process and Tooling at Scale
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
157
12k
XXLCSS - How to scale CSS and keep your sanity
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
236
1.1M
The Mythical Team-Month
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
210
39k
Learning to Love Humans: Emotional Interface Design
5f50f94346fbcb23706f0707169317a4?s=48 aarron
261
37k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
15
980

Transcript

  1. Almost everything that’s wrong with WordPress

  2. Christian Leo-Pernold @mazedlx https://github.com/mazedlx https://mazedlx.net

  3. Agenda State of WordPress Developer’s POV # Vulnerabilities Conclusion Lots

    of Memes

  4. State of WordPress

  5. None

  6. WordPress Versions 4.9 (2017-11) 4.8 (2017-06) 4.7 (2016-12) 4.6 (2016-08)

    Older Source: https://wordpress.org/about/stats

  7. WordPress and PHP Versions 7.2 (2017-11) 7.1 (2016-01) 7.0 (2015-12)

    5.6 (2014-08) Older Source: https://wordpress.org/about/stats

  8. “ Why do we support older versions? We strongly recommend

    the latest versions of PHP and MySQL, but we understand that this isn’t right for everyone, and that sometimes hosts can be slow or hesitant to upgrade their customers since upgrades to PHP and MySQL have historically broken applications. Note: If you are in a legacy environment where you only have older PHP or MySQL versions, WordPress also works with PHP 5.2.4+ and MySQL 5.0+, but these versions have reached official End Of Life and as such may expose your site to security vulnerabilities Source: https://wordpress.org/about/requirements/
  9. None

  10. More numbers ~ 29% market share (of CMS) ~ 50.000

    Plugins ~ 60 translations )*+,-. ~ 77.000.000 blogs ~ 16.000.000 sites ~ $50 developer hourly rate Source: https://w3techs.com, https://www.codeinwp.com and https://managewp.com

  11. Well-known WordPress Users Snoop Dogg NY Times Blogs Forbes Blogs

    Vogue Bloomberg Professional BBC America TechCrunch GNOME Mercedes-Benz Playstation.Blog Le Monde The Walt Disney Company Time Magazine Sony Music Source https://wordpress.org/showcase/
  12. None

  13. Lines of Code WordPress Drupal Joomla Typo3

  14. Average Class Length WordPress Drupal Joomla Typo3

  15. Average Method Length WordPress Drupal Joomla Typo3

  16. Average Class Complexity WordPress Drupal Joomla Typo3

  17. Average Method Complexity WordPress Drupal Joomla Typo3

  18. Namespaces WordPress Drupal Joomla Typo3

  19. Developer’s POV #

  20. It’s not a CMS.

  21. None

  22. wp-config.php Great for pushing to a repository. Not.

  23. Tables and Columns They speak for themselves. Don’t they?

  24. Globals FTW! Source https://codex.wordpress.org/Class_Reference/wpdb

  25. Small classes

  26. Even smaller classes

  27. Helpful comments are helpful

  28. Themes

  29. Magic Numbers 9

  30. Why not 3.1415?

  31. Vulnerabilities

  32. WordPress FAQ https://codex.wordpress.org/FAQ_My_site_was_hacked

  33. 78% of hacked websites in Q1 2016 used WordPress Source

    https://sucuri.net/infographics/

  34. Source: https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/

  35. None

  36. Security Through Obscurity Hide the “admin” user. Change the default

    table prefix. Hide the login page. Hide the WordPress version. Rename the wp_ folders. Hide WordPress altogether. Source https://blogvault.net/wordpress-security-through-obscurity/
  37. None

  38. Passwords WordPress relies on the Portable PHP password hashing framework

    MD5 as a fallback Password hashes don’t get “upgraded” after login

  39. Passwords

  40. None

  41. https://wpvulndb.com

  42. Attack Vectors Hosting Theme Plugin Weak Passwords Source https://torquemag.io/2016/03/wordpress-sites-hacked/

  43. CVE (Common Vulnerabilities and Exploits) Code Execution SQL Injection XSS

    Bypass Gain Information CSRF Other Source http://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337

  44. Conclusion

  45. Database column’s names are a mess (e.g. post_author is an

    ID). Spaghetti code EVERYWHERE. Magic Numbers all the time. No separation of concerns (MVC). Super-long classes (4.000 LOC and up). Different coding styles throughout the codebase. Sometimes within the same class. Querying the database hurts your brain. Only MySQL/MariaDB-Support out of the box.
  46. None

  47. No templating engine. Writing plugins is cumbersome. Writing custom templates

    too. The built-in WYSIWYG editor is a mess. Inconsistent function names. SEO is often painful. Absolute paths in database (mysite.com/about).

  48. Recommendations Use WordPress if you must Be proactive and update

    often. Really often Secure your setup Be careful when using 3rd party plugins for they may be vulnerable Use a real CMS (Typo3, Drupal, Joomla, OctoberCMS, Statamic etc.) if you can

  49. None

  50. Thanks! Slides are available at https://speakerdeck.com/mazedlx/ Done! Thanks! Questions?