Almost Everything That's Wrong With Wordpress

Christian Leo-Pernold

March 16, 2018
Transcript

  1. Almost everything
    that’s wrong with
    WordPress

  2. Christian Leo-Pernold
    @mazedlx
    https://github.com/mazedlx
    https://mazedlx.net

  3. Agenda
    State of WordPress
    Developer’s POV
    Vulnerabilities
    Conclusion
    Lots of Memes

  4. State of WordPress

  5. [image-only slide, no text]

  6. WordPress Versions
    Chart of version share: 4.9 (2017-11), 4.8 (2017-06), 4.7 (2016-12), 4.6 (2016-08), Older (values in image)
    Source: https://wordpress.org/about/stats

  7. WordPress and PHP Versions
    Chart of PHP version share among WordPress sites: 7.2 (2017-11), 7.1 (2016-01), 7.0 (2015-12), 5.6 (2014-08), Older (values in image)
    Source: https://wordpress.org/about/stats

  8. Why do we support older versions?
    We strongly recommend the latest versions of PHP and
    MySQL, but we understand that this isn’t right for
    everyone, and that sometimes hosts can be slow or
    hesitant to upgrade their customers since upgrades to
    PHP and MySQL have historically broken applications.
    Note: If you are in a legacy environment where you
    only have older PHP or MySQL versions, WordPress also
    works with PHP 5.2.4+ and MySQL 5.0+, but these
    versions have reached official End Of Life and as such
    may expose your site to security vulnerabilities.
    Source: https://wordpress.org/about/requirements/

  9. [image-only slide, no text]

  10. More numbers
    ~ 29% market share (of CMS)
    ~ 50,000 plugins
    ~ 60 translations
    ~ 77,000,000 blogs
    ~ 16,000,000 sites
    ~ $50 developer hourly rate
    Source: https://w3techs.com, https://www.codeinwp.com and https://managewp.com

  11. Well-known WordPress Users
    Snoop Dogg
    NY Times Blogs
    Forbes Blogs
    Vogue
    Bloomberg
    Professional
    BBC America
    TechCrunch
    GNOME
    Mercedes-Benz
    Playstation.Blog
    Le Monde
    The Walt Disney Company
    Time Magazine
    Sony Music
    Source https://wordpress.org/showcase/

  12. [image-only slide, no text]

  13. Lines of Code
    Bar chart comparing WordPress, Drupal, Joomla and Typo3 (values in image)

  14. Average Class Length
    Bar chart comparing WordPress, Drupal, Joomla and Typo3 (values in image)

  15. Average Method Length
    Bar chart comparing WordPress, Drupal, Joomla and Typo3 (values in image)

  16. Average Class Complexity
    Bar chart comparing WordPress, Drupal, Joomla and Typo3 (values in image)

  17. Average Method Complexity
    Bar chart comparing WordPress, Drupal, Joomla and Typo3 (values in image)

  18. Namespaces
    Bar chart comparing WordPress, Drupal, Joomla and Typo3 (values in image)

  19. Developer’s POV

  20. It’s not a CMS.

  21. [image-only slide, no text]

  22. wp-config.php
    Great for pushing to a repository. Not.

  23. Tables and Columns
    They speak for themselves. Don’t they?

  24. Globals FTW!
    Source https://codex.wordpress.org/Class_Reference/wpdb

  25. Small classes

  26. Even smaller classes

  27. Helpful comments are helpful

  28. Themes

  29. Magic Numbers 9

  30. Why not 3.1415?

  31. Vulnerabilities

  32. WordPress FAQ
    https://codex.wordpress.org/FAQ_My_site_was_hacked

  33. 78% of hacked websites in Q1 2016 used WordPress
    Source https://sucuri.net/infographics/

  34. Source: https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/

  35. [image-only slide, no text]

  36. Security Through Obscurity
    Hide the “admin” user.
    Change the default table prefix.
    Hide the login page.
    Hide the WordPress version.
    Rename the wp_ folders.
    Hide WordPress altogether.
    Source https://blogvault.net/wordpress-security-through-obscurity/

  37. [image-only slide, no text]

  38. Passwords
    WordPress relies on the Portable PHP password hashing framework
    MD5 as a fallback
    Password hashes don’t get “upgraded” after login
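    The slide lists three things about stored passwords: phpass portable hashes, unsalted MD5 as a legacy fallback, and no upgrade of old hashes at login. The following is an added example (not WordPress code, and not the project's API) of the missing piece: a login routine that recognises all three formats found in a WordPress-style users table and rehashes anything weaker than PHP's current default the moment a user proves their password. phpass verification is re-implemented from the published portable-hash algorithm so the file runs stand-alone; the format names ("md5", "phpass", "modern") and the upgrade policy are this example's own assumptions, and the demo rows are constructed.

```php
<?php
// Added example, not WordPress code: classify the hash formats a WordPress-style
// users table may contain and transparently upgrade weak ones at login.
// phpass is re-implemented from its published algorithm so this runs stand-alone.

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass' own base64 variant (not RFC 4648): emits 6 bits per output character.
function phpass_encode64(string $input, int $count): string
{
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= ITOA64[$value & 0x3f];
        if ($i < $count) $value |= ord($input[$i]) << 8;
        $output .= ITOA64[($value >> 6) & 0x3f];
        if ($i++ >= $count) break;
        if ($i < $count) $value |= ord($input[$i]) << 16;
        $output .= ITOA64[($value >> 12) & 0x3f];
        if ($i++ >= $count) break;
        $output .= ITOA64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Portable phpass hash: "$P$" + cost char + 8-char salt + 22 chars of iterated MD5.
function phpass_crypt(string $password, string $setting): ?string
{
    if (strlen($setting) < 12 || !in_array(substr($setting, 0, 3), ['$P$', '$H$'], true)) {
        return null; // malformed setting: never compare against garbage
    }
    $countLog2 = strpos(ITOA64, $setting[3]);
    if ($countLog2 === false || $countLog2 < 7 || $countLog2 > 30) {
        return null;
    }
    $count = 1 << $countLog2;
    $hash = md5(substr($setting, 4, 8) . $password, true);
    do {
        $hash = md5($hash . $password, true);
    } while (--$count);
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// "$P$B..." (2^13 rounds) is the prefix a stock WordPress install writes.
function phpass_hash(string $password, int $countLog2 = 13): string
{
    $setting = '$P$' . ITOA64[$countLog2] . phpass_encode64(random_bytes(6), 6);
    return (string) phpass_crypt($password, $setting);
}

function hash_kind(string $stored): string
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) return 'md5';    // unsalted legacy fallback
    if (preg_match('/^\$[PH]\$/', $stored)) return 'phpass';
    return password_get_info($stored)['algoName'] === 'unknown' ? 'unknown' : 'modern';
}

// Verify $password against $stored. On success returns the hash to persist from
// now on (unchanged if already strong, else a fresh PASSWORD_DEFAULT hash);
// on failure or an unrecognised format returns null.
function login(string $password, string $stored): ?string
{
    $kind = hash_kind($stored);
    if ($kind === 'md5') {
        $ok = hash_equals($stored, md5($password));
    } elseif ($kind === 'phpass') {
        $ok = hash_equals($stored, (string) phpass_crypt($password, $stored));
    } else {
        $ok = $kind === 'modern' && password_verify($password, $stored);
    }
    if (!$ok) {
        return null;
    }
    // Upgrade-on-login: the plaintext is only in hand right now, so rehash
    // anything weaker than the current default before the request ends.
    if ($kind !== 'modern' || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return password_hash($password, PASSWORD_DEFAULT);
    }
    return $stored;
}

// Constructed demo rows (not real data): [plaintext, stored hash], one per format.
$rows = [
    'alice' => ['correct horse', md5('correct horse')],
    'bob'   => ['battery staple', phpass_hash('battery staple')],
    'carol' => ['xkcd 936', password_hash('xkcd 936', PASSWORD_DEFAULT)],
];
foreach ($rows as $user => [$plain, $stored]) {
    $next = login($plain, $stored);
    $verdict = $next === null ? 'FAILED' : ($next === $stored ? 'kept' : 'upgraded to ' . hash_kind($next));
    printf("%-5s %-7s -> %s\n", $user, hash_kind($stored), $verdict);
}
var_dump(login('wrong password', $rows['bob'][1])); // NULL: failure never yields a hash
```

    Run it with `php upgrade_on_login.php`: alice (MD5) and bob (phpass) come back "upgraded to modern", carol is kept, and the wrong password returns NULL. The persisted hash should only ever be replaced with `login()`'s non-null return value, so a failed attempt can never downgrade or alter a row.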

  39. Passwords

  40. [image-only slide, no text]

  41. https://wpvulndb.com

  42. Attack Vectors
    Chart of attack vectors: Hosting, Theme, Plugin, Weak Passwords (shares in image)
    Source https://torquemag.io/2016/03/wordpress-sites-hacked/

  43. CVE (Common Vulnerabilities and Exposures)
    Chart of WordPress CVEs by type: Code Execution, SQL Injection, XSS, Bypass, Gain Information, CSRF, Other (counts in image)
    Source http://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337

  44. Conclusion

  45. Database column names are a mess (e.g. post_author is an ID).
    Spaghetti code EVERYWHERE. Magic numbers all the time.
    No separation of concerns (MVC).
    Super-long classes (4,000 LOC and up).
    Different coding styles throughout the codebase, sometimes within the
    same class.
    Querying the database hurts your brain.
    Only MySQL/MariaDB support out of the box.

  46. [image-only slide, no text]

  47. No templating engine.
    Writing plugins is cumbersome.
    Writing custom templates too.
    The built-in WYSIWYG editor is a mess.
    Inconsistent function names.
    SEO is often painful.
    Absolute paths in database (mysite.com/about).

  48. Recommendations
    Use WordPress if you must
    Be proactive and update often. Really often
    Secure your setup
    Be careful when using 3rd party plugins for they
    may be vulnerable
    Use a real CMS (Typo3, Drupal, Joomla, OctoberCMS,
    Statamic etc.) if you can

  49. [image-only slide, no text]

  50. Thanks!
    Slides are available at https://speakerdeck.com/mazedlx/
    Done! Thanks! Questions?