Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Almost Everything That's Wrong With Wordpress

Christian Leo-Pernold
March 16, 2018
Technology
0
78

Almost Everything That's Wrong With Wordpress

Christian Leo-Pernold

March 16, 2018
Tweet

More Decks by Christian Leo-Pernold

See All by Christian Leo-Pernold
Alpine.js
mazedlx
0
19
An_Introduction_to_PHP_and_Laravel.pdf
mazedlx
0
7
What's new in PHP8.2
mazedlx
0
35
Don't assume, know!
mazedlx
0
30
What's new in Laravel 9
mazedlx
0
99
What's new in PHP8.1
mazedlx
0
88
GraphQL
mazedlx
0
240
How to not fuck up your day
mazedlx
0
78
Livewire. It's like Vue or React. Without the JavaScript.
mazedlx
0
210

Other Decks in Technology

See All in Technology
KARTEのAPIサーバ化
line_developers
PRO
1
220
Better PHP - Keep your code up to date
wernerkrauss
1
120
[PHPカンファレンス沖縄2023]【実践編】良いプロダクト作りのための組織育成 健全なコードは健全な組織、健全なチームから
ikezoemakoto
1
180
Designing an Incident Response Process at Scale
opeonikute
0
150
物理シミュレーションと数理最適化の知見を導入した機械学習手法
yellowshippo
1
910
組織・プロセス・技術 - フロントエンドの生産性向上への複眼的アプローチ / 20230921
bengo4com
3
580
PHPからはじめるコンピュータア ーキテクチャ / PHP Meets Silicon: A Fun Dive into Computer Structures
tomzoh
4
200
20230914_FinJAWS
takuyay0ne
2
410
YouTubeへのライブ配信機能をリリースするまで
yurihondo
0
790
2023 CSS
nishiharatsubasa
5
3.1k
How to test GraphQL API using Postman
yokawasa
0
330
JPOUG Tech Talk Night #7 ASAHI
asahihidehiko
0
190

Featured

See All Featured
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
3.9k
How to name files
jennybc
56
84k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
The Language of Interfaces
destraynor
149
22k
Designing for Performance
lara
601
66k
Three Pipe Problems
jasonvnalue
89
9.2k
4 Signs Your Business is Dying
shpigford
172
21k
Thoughts on Productivity
jonyablonski
55
3k
Designing for humans not robots
tammielis
246
24k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.2k
RailsConf 2023
tenderlove
0
230
Stop Working from a Prison Cell
hatefulcrawdad
265
18k

Transcript

  1. Almost everything
    that’s wrong with
    WordPress

    View Slide

  2. Christian Leo-Pernold
    @mazedlx
    https://github.com/mazedlx
    https://mazedlx.net

    View Slide

  3. Agenda
    State of WordPress
    Developer’s POV #
    Vulnerabilities
    Conclusion
    Lots of Memes

    View Slide

  4. State of WordPress

    View Slide

  5. View Slide

  6. WordPress Versions
    4.9 (2017-11) 4.8 (2017-06) 4.7 (2016-12) 4.6 (2016-08) Older
    Source: https://wordpress.org/about/stats

    View Slide

  7. WordPress and PHP Versions
    7.2 (2017-11) 7.1 (2016-01) 7.0 (2015-12) 5.6 (2014-08) Older
    Source: https://wordpress.org/about/stats

    View Slide


  8. Why do we support older versions?
    We strongly recommend the latest versions of PHP and
    MySQL, but we understand that this isn’t right for
    everyone, and that sometimes hosts can be slow or
    hesitant to upgrade their customers since upgrades to
    PHP and MySQL have historically broken applications.
    Note: If you are in a legacy environment where you
    only have older PHP or MySQL versions, WordPress also
    works with PHP 5.2.4+ and MySQL 5.0+, but these
    versions have reached official End Of Life and as such
    may expose your site to security vulnerabilities
    Source: https://wordpress.org/about/requirements/

    View Slide

  9. View Slide

  10. More numbers
    ~ 29% market share (of CMS)
    ~ 50.000 Plugins
    ~ 60 translations )*+,-.
    ~ 77.000.000 blogs
    ~ 16.000.000 sites
    ~ $50 developer hourly rate
    Source: https://w3techs.com, https://www.codeinwp.com and https://managewp.com

    View Slide

  11. Well-known WordPress Users
    Snoop Dogg
    NY Times Blogs
    Forbes Blogs
    Vogue
    Bloomberg
    Professional
    BBC America
    TechCrunch
    GNOME
    Mercedes-Benz
    Playstation.Blog
    Le Monde
    The Walt Disney
    Company
    Time Magazine
    Sony Music
    Source https://wordpress.org/showcase/

    View Slide

  12. View Slide

  13. Lines of Code
    WordPress Drupal Joomla Typo3

    View Slide

  14. Average Class Length
    WordPress Drupal Joomla Typo3

    View Slide

  15. Average Method Length
    WordPress Drupal Joomla Typo3

    View Slide

  16. Average Class Complexity
    WordPress Drupal Joomla Typo3

    View Slide

  17. Average Method Complexity
    WordPress Drupal Joomla Typo3

    View Slide

  18. Namespaces
    WordPress Drupal Joomla Typo3

    View Slide

  19. Developer’s POV #

    View Slide

  20. It’s not a CMS.

    View Slide

  21. View Slide

  22. wp-config.php
    Great for pushing to a repository. Not.

    View Slide

  23. Tables and Columns
    They speak for themselves. Don’t they?

    View Slide

  24. Globals FTW!
    Source https://codex.wordpress.org/Class_Reference/wpdb

    View Slide

  25. Small classes

    View Slide

  26. Even smaller classes

    View Slide

  27. Helpful comments are helpful

    View Slide

  28. Themes

    View Slide

  29. Magic Numbers 9

    View Slide

  30. Why not 3.1415?

    View Slide

  31. Vulnerabilities

    View Slide

  32. WordPress FAQ
    https://codex.wordpress.org/FAQ_My_site_was_hacked

    View Slide

  33. 78% of hacked websites in
    Q1 2016 used WordPress
    Source https://sucuri.net/infographics/

    View Slide

  34. Source: https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/

    View Slide

  35. View Slide

  36. Security Through Obscurity
    Hide the “admin” user.
    Change the default table prefix.
    Hide the login page.
    Hide the WordPress version.
    Rename the wp_ folders.
    Hide WordPress altogether.
    Source https://blogvault.net/wordpress-security-through-obscurity/

    View Slide

  37. View Slide

  38. Passwords
    WordPress relies on the Portable PHP password hashing framework
    MD5 as a fallback
    Password hashes don’t get “upgraded” after login

    View Slide

  39. Passwords

    View Slide

  40. View Slide

  41. https://wpvulndb.com

    View Slide

  42. Attack Vectors
    Hosting Theme Plugin Weak Passwords
    Source https://torquemag.io/2016/03/wordpress-sites-hacked/

    View Slide

  43. CVE (Common Vulnerabilities and Exploits)
    Code Execution SQL Injection XSS Bypass Gain Information CSRF Other
    Source http://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337

    View Slide

  44. Conclusion

    View Slide

  45. Database column’s names are a mess (e.g. post_author is an ID).
    Spaghetti code EVERYWHERE. Magic Numbers all the time.
    No separation of concerns (MVC).
    Super-long classes (4.000 LOC and up).
    Different coding styles throughout the codebase. Sometimes within the
    same class.
    Querying the database hurts your brain.
    Only MySQL/MariaDB-Support out of the box.

    View Slide

  46. View Slide

  47. No templating engine.
    Writing plugins is cumbersome.
    Writing custom templates too.
    The built-in WYSIWYG editor is a mess.
    Inconsistent function names.
    SEO is often painful.
    Absolute paths in database (mysite.com/about).

    View Slide

  48. Recommendations
    Use WordPress if you must
    Be proactive and update often. Really often
    Secure your setup
    Be careful when using 3rd party plugins for they
    may be vulnerable
    Use a real CMS (Typo3, Drupal, Joomla, OctoberCMS,
    Statamic etc.) if you can


    View Slide

  49. View Slide

  50. Thanks!
    Slides are available at https://speakerdeck.com/mazedlx/
    Done! Thanks! Questions?

    View Slide