Slide 1

Slide 1 text

Almost everything that’s wrong with WordPress

Slide 2

Christian Leo-Pernold @mazedlx https://github.com/mazedlx https://mazedlx.net

Slide 3

Agenda
State of WordPress
Developer’s POV #
Vulnerabilities
Conclusion
Lots of Memes

Slide 4

State of WordPress

Slide 5

No content

Slide 6

WordPress Versions (chart of installed-version share; the percentages are in the image only)
4.9 (2017-11)
4.8 (2017-06)
4.7 (2016-12)
4.6 (2016-08)
Older
Source: https://wordpress.org/about/stats

Slide 7

WordPress and PHP Versions (chart of the PHP version WordPress sites run on; the percentages are in the image only)
7.2 (2017-11)
7.1 (2016-12)
7.0 (2015-12)
5.6 (2014-08)
Older
Source: https://wordpress.org/about/stats

Slide 8

“Why do we support older versions? We strongly recommend the latest versions of PHP and MySQL, but we understand that this isn’t right for everyone, and that sometimes hosts can be slow or hesitant to upgrade their customers since upgrades to PHP and MySQL have historically broken applications.

Note: If you are in a legacy environment where you only have older PHP or MySQL versions, WordPress also works with PHP 5.2.4+ and MySQL 5.0+, but these versions have reached official End Of Life and as such may expose your site to security vulnerabilities.”
Source: https://wordpress.org/about/requirements/

Slide 9

No content

Slide 10

More numbers
~ 29% market share (of CMS)
~ 50,000 plugins
~ 60 translations
~ 77,000,000 blogs
~ 16,000,000 sites
~ $50 developer hourly rate
Sources: https://w3techs.com, https://www.codeinwp.com and https://managewp.com

Slide 11

Well-known WordPress Users: Snoop Dogg, NY Times Blogs, Forbes Blogs, Vogue, Bloomberg Professional, BBC America, TechCrunch, GNOME, Mercedes-Benz, Playstation.Blog, Le Monde, The Walt Disney Company, Time Magazine, Sony Music
Source: https://wordpress.org/showcase/

Slide 12

No content

Slide 13

Lines of Code (chart comparing WordPress, Drupal, Joomla and Typo3; values are in the image only)

Slide 14

Average Class Length (chart comparing WordPress, Drupal, Joomla and Typo3; values are in the image only)

Slide 15

Average Method Length (chart comparing WordPress, Drupal, Joomla and Typo3; values are in the image only)

Slide 16

Average Class Complexity (chart comparing WordPress, Drupal, Joomla and Typo3; values are in the image only)

Slide 17

Average Method Complexity (chart comparing WordPress, Drupal, Joomla and Typo3; values are in the image only)

Slide 18

Namespaces (chart comparing WordPress, Drupal, Joomla and Typo3; values are in the image only)

Slide 19

Developer’s POV #

Slide 20

It’s not a CMS.

Slide 21

No content

Slide 22

wp-config.php: great for pushing to a repository. Not. (It holds the database credentials and the authentication keys and salts in plaintext, so a committed copy leaks everything needed to log in to the database and to forge login cookies.)
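As an added example (not code from the talk or from WordPress), here is the kind of check a pre-commit hook would run over a wp-config.php before it reaches a repository. It parses the define() calls, flags the constants that hold credentials or key material in a stock wp-config.php, flags the 'put your unique phrase here' placeholder that wp-config-sample.php ships with, and flags WP_DEBUG left on. The sample config is constructed, not taken from any real site.

```python
import re

# Constructed sample of a wp-config.php as it tends to look when it gets
# committed (not from any real site).
SAMPLE_WP_CONFIG = r"""<?php
define( 'DB_NAME', 'wp_prod' );
define( 'DB_USER', 'wp_prod' );
define( 'DB_PASSWORD', 'Hunter2!prod' );
define( 'DB_HOST', 'db.internal' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'x7#!d4LqR9vP2wN8bT5yK0mHjZ3cF6gA' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
"""

# Constants in a stock wp-config.php that hold credentials or key material.
SECRET_CONSTANTS = {
    'DB_PASSWORD',
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
}
# Placeholder shipped in wp-config-sample.php; seeing it means the keys were never generated.
DEFAULT_PLACEHOLDER = 'put your unique phrase here'

# define( 'NAME', 'value' ) with a single-quoted PHP string (backslash escapes allowed).
STRING_DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")
DEBUG_ON_RE = re.compile(r"define\(\s*'WP_DEBUG'\s*,\s*true\s*\)", re.IGNORECASE)


def parse_string_defines(php_source: str) -> dict:
    """Return {CONSTANT: value} for every single-quoted string define()."""
    return {m.group(1): m.group(2) for m in STRING_DEFINE_RE.finditer(php_source)}


def audit_wp_config(php_source: str) -> list:
    """Return sorted (constant, problem) pairs for what should not be in a repo."""
    findings = []
    for name, value in parse_string_defines(php_source).items():
        if name not in SECRET_CONSTANTS:
            continue
        if value == DEFAULT_PLACEHOLDER:
            findings.append((name, 'still the wp-config-sample.php placeholder'))
        elif value:
            findings.append((name, 'hard-coded secret would be committed'))
    if DEBUG_ON_RE.search(php_source):
        findings.append(('WP_DEBUG', 'enabled; PHP errors would be shown to visitors'))
    return sorted(findings)


if __name__ == '__main__':
    for name, problem in audit_wp_config(SAMPLE_WP_CONFIG):
        print(f'{name}: {problem}')
```

The fix the check points at is to keep wp-config.php in .gitignore and have it read the values with getenv(), so the file that is committed contains no secrets at all.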

Slide 23

Tables and Columns They speak for themselves. Don’t they?

Slide 24

Globals FTW! (The database handle is reached with global $wpdb from wherever you happen to be.)
Source: https://codex.wordpress.org/Class_Reference/wpdb

Slide 25

Small classes

Slide 26

Even smaller classes

Slide 27

Helpful comments are helpful

Slide 28

Themes

Slide 29

Magic Numbers 9

Slide 30

Why not 3.1415?

Slide 31

Vulnerabilities

Slide 32

WordPress FAQ https://codex.wordpress.org/FAQ_My_site_was_hacked

Slide 33

78% of the hacked websites Sucuri cleaned in Q1 2016 ran WordPress (a share of Sucuri's own cleanup cases, not of all hacked sites).
Source: https://sucuri.net/infographics/

Slide 34

Mossack Fonseca breach (Panama Papers): the firm's site ran a vulnerable version of the Revolution Slider plugin.
Source: https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/

Slide 35

No content

Slide 36

Security Through Obscurity
Hide the “admin” user.
Change the default table prefix.
Hide the login page.
Hide the WordPress version.
Rename the wp_ folders.
Hide WordPress altogether.
None of these fixes a vulnerability; at best they make untargeted scanning slightly harder.
Source: https://blogvault.net/wordpress-security-through-obscurity/

Slide 37

No content

Slide 38

Passwords
WordPress (4.x) relies on the Portable PHP password hashing framework (phpass) in its “portable” mode: a $P$B hash is 8192 rounds of salted MD5.
Plain MD5 hashes from old installs are still accepted as a fallback.
A plain MD5 hash is rehashed with phpass on the next successful login, but a phpass hash is never rehashed with anything stronger, so the MD5-based scheme stays.
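As an added example (not code from WordPress or from the talk), the following Python port of the phpass “portable” hash that WordPress 4.x stores in wp_users.user_pass, together with a check function that mirrors the decision wp_check_password() makes: a legacy plain-MD5 hash that verifies is rehashed, a phpass hash that verifies is left as it is. The sample user rows are constructed; hash_kind() and the (ok, replacement) return shape are this example's own, not WordPress API.

```python
import hashlib
import hmac
import os

# phpass alphabet, as in wp-includes/class-phpass.php.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
# WordPress creates PasswordHash(8, true); phpass adds 5 to the cost on
# PHP >= 5, so stored hashes carry ITOA64[13] == 'B': 2**13 = 8192 MD5 rounds.
WP_COUNT_LOG2 = 8 + 5


def _encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant (not RFC 4648), 6 bits per output char."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return ''.join(out)


def _crypt_private(password: str, setting: str) -> str:
    """phpass crypt_private(): '$P$' + cost char + 8-char salt + 22-char hash."""
    output = '*1' if setting.startswith('*0') else '*0'   # never equals a stored hash
    if len(setting) < 12 or setting[:3] not in ('$P$', '$H$'):
        return output
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return output
    salt = setting[4:12].encode('ascii')
    pw = password.encode('utf-8')
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):          # do { md5(hash . password) } while (--count)
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def hash_password(password: str, salt: bytes = None) -> str:
    """wp_hash_password() equivalent: portable phpass hash with a 6-byte random salt."""
    if salt is None:
        salt = os.urandom(6)
    setting = '$P$' + ITOA64[WP_COUNT_LOG2] + _encode64(salt, 6)
    return _crypt_private(password, setting)


def hash_kind(stored: str) -> str:
    """Classifier for what sits in wp_users.user_pass (this example's own helper)."""
    if stored.startswith(('$P$', '$H$')):
        return 'phpass-md5'
    if len(stored) == 32 and all(c in '0123456789abcdef' for c in stored):
        return 'plain-md5'
    return 'unknown'


def check_password(password: str, stored: str):
    """Mirror of wp_check_password(): returns (ok, replacement_hash).

    A stored value of 32 chars or less is treated as legacy plain MD5; if it
    verifies, WordPress calls wp_set_password() and stores a phpass hash, which
    the returned replacement stands for. A phpass hash that verifies is never
    rehashed, so the 8192-round MD5 scheme is never upgraded.
    """
    if len(stored) <= 32:
        ok = hmac.compare_digest(hashlib.md5(password.encode('utf-8')).hexdigest(), stored)
        return ok, (hash_password(password) if ok else None)
    ok = hmac.compare_digest(_crypt_private(password, stored), stored)
    return ok, None


# Constructed sample rows (not from any real database): a pre-2.5 MD5 hash
# and a current phpass hash with a fixed salt so the output is reproducible.
SAMPLE_USERS = {
    'legacy_admin': hashlib.md5(b'password').hexdigest(),
    'editor': hash_password('correct horse battery staple', b'\x01\x02\x03\x04\x05\x06'),
}

if __name__ == '__main__':
    for user, pw in (('legacy_admin', 'password'), ('editor', 'correct horse battery staple')):
        ok, replacement = check_password(pw, SAMPLE_USERS[user])
        print(user, hash_kind(SAMPLE_USERS[user]), ok, replacement)
```

Running it shows the legacy row getting a $P$B replacement and the editor row verifying with no replacement at all; a dump of wp_users.user_pass run through hash_kind() tells you how many pre-2.5 MD5 hashes are still waiting for their owners to log in.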

Slide 39

Passwords

Slide 40

No content

Slide 41

https://wpvulndb.com

Slide 42

Attack Vectors
Hosting
Theme
Plugin
Weak Passwords
Source: https://torquemag.io/2016/03/wordpress-sites-hacked/

Slide 43

CVE (Common Vulnerabilities and Exposures) categories for WordPress core
Code Execution
SQL Injection
XSS
Bypass
Gain Information
CSRF
Other
Source: http://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337

Slide 44

Conclusion

Slide 45

Database column names are a mess (e.g. post_author is an ID).
Spaghetti code EVERYWHERE.
Magic numbers all the time.
No separation of concerns (MVC).
Super-long classes (4,000 LOC and up).
Different coding styles throughout the codebase. Sometimes within the same class.
Querying the database hurts your brain.
Only MySQL/MariaDB support out of the box.

Slide 46

No content

Slide 47

No templating engine.
Writing plugins is cumbersome. Writing custom templates too.
The built-in WYSIWYG editor is a mess.
Inconsistent function names.
SEO is often painful.
Absolute paths in the database (mysite.com/about).

Slide 48

Recommendations
Use WordPress if you must.
Be proactive and update often. Really often.
Secure your setup.
Be careful when using 3rd-party plugins, for they may be vulnerable.
Use a real CMS (Typo3, Drupal, Joomla, OctoberCMS, Statamic etc.) if you can.


Slide 49

No content

Slide 50

Thanks! Slides are available at https://speakerdeck.com/mazedlx/
Questions?