In Defence Of WordPress



Mattias Geniar, May 07, 2015


The internet is verbally attacking WordPress again. I read a lot of hate towards WordPress for its latest security vulnerabilities that have become public.

[Image: leave_wordpress_alone_meme]

What I don’t see is praise in how those updates are handled and distributed to its millions of users.

Cross-Site Scripting Vulnerabilities

In the last 2 weeks, 3 major security releases have been announced by the WordPress team.

Oh my, WordPress must pose a security risk, right?!

The Magical Release: WordPress 3.7

I was skeptical when they first announced this, but automatic background updates as featured in the 3.7 release are amazing.

Automatic background updates were introduced in WordPress 3.7 in an effort to promote better security, and to streamline the update experience overall. By default, only minor releases – such as for maintenance and security purposes – and translation file updates are enabled on most sites. In special cases, plugins and themes may be updated.
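To make that default concrete: the behaviour described above is controlled by a constant in wp-config.php and a few filters. The block below is an added example, not code from this post or from the WordPress project; the constant and filter names are the real ones WordPress has used since 3.7, the comments and the choice of an mu-plugins file for the filters are my own.

```php
<?php
// --- wp-config.php -------------------------------------------------------
// (added example; only one of the WP_AUTO_UPDATE_CORE lines should be active)

// Default since WordPress 3.7: minor (maintenance and security) releases are
// installed in the background; major releases wait for an administrator.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Weak setting: no background core updates at all. A site configured like
// this stays on the vulnerable version until somebody logs in and clicks
// "Update Now", which is exactly the gap the post argues auto-updates close.
// define( 'WP_AUTO_UPDATE_CORE', false );

// Stronger setting for sites nobody actively maintains: also install
// major releases automatically.
// define( 'WP_AUTO_UPDATE_CORE', true );

// Turns the whole updater off (core, plugins, themes, translations).
// Leave it unset unless updates are handled by another deployment pipeline.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// --- wp-content/mu-plugins/auto-updates.php -------------------------------
// (added example; mu-plugins load on every request without activation)

// Plugins and themes are NOT updated automatically by default; the two
// filters below opt all of them in, mirroring what core already does.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Keep the notification e-mail the post shows; set this to
// '__return_false' only if the notices are collected elsewhere.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

With WP-CLI installed, `wp core version` and `wp core check-update` on each host show whether the background updater actually ran after a security release, which is the check worth scripting across a fleet of sites.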

If you read the comments on Twitter, security blogs and even major news sites, you would expect the internet to have crashed and burned by now, with all the WordPress security vulnerabilities.

But that magical feature saved the internet from a lot of problems. That feature, that most WordPress users take for granted, is the single best thing ever to happen to WordPress.

And to think I questioned it at launch. What happens when your auto-update breaks all sites? What happens if an update is pushed that introduces more vulnerabilities or backdoors? What if WordPress.org is ever compromised and attackers can influence that update?

None of those scenarios happened. At least, not yet. But WordPress’ track record is solid.

Patching several million websites

WordPress is popular. It powers millions of sites. Small & big. This puts it in a position where it’s bound to attract some unwanted attention. Once a critical WordPress vulnerability comes out, the update is pushed to those millions of sites within hours.

Hours.

Let that sink in for a while. After a few hours, WordPress administrators who left the auto-update enabled (which it is, by default) receive an e-mail like this.

[Image: wordpress_auto_updated]

Just to put that into perspective, the steps to update Drupal core contain 13 instructions, among which:

  1. Delete all the files & folders inside your original Drupal instance except for /sites folder and any custom files you added elsewhere.

  2. Copy all the folders and files except /sites from inside the extracted Drupal package [tar ball or zip package] into your original Drupal instance.

WordPress users get that automatically.

Disabled auto-updates? Just log in and click a single button.

[Image: wordpress_update_now]

Does the update need a database schema change or upgrade? A single button.

[Image: wordpress_database_upgrade]

Want to update your installed plugins to the latest version? A single button.

[Image: wordpress_update_plugins]

Your themes? A single button.

[Image: wordpress_update_themes]

Let that sink in for a while.

The Punching Bag

At PHP conferences, WordPress often serves as a punching bag.

Nearly every talk that discusses code quality brings in WordPress and compares it to other frameworks. WordPress always ends up at the bottom.

Yet here it is, powering the internet. Patching millions of sites in less than 24 hours.

As much as I appreciate the other frameworks, WordPress is by far the best at handling security incidents. Magento? Don’t get me started. Drupal? Your average user has no idea how to apply patches. I’m certain Drupalgeddon did far more damage than the recent 3 WordPress vulnerabilities, combined.

Joomla? Typo3? Each and every one can learn from WordPress.

Thanks, WordPress

I for one would like to thank WordPress. Besides powering this blog, it powers thousands of our clients. And thanks to this auto-update feature, each and every one of those is safer.

For all the hate the internet redirects to WordPress and for all the punches it has to take, I think there’s far too little appreciation for everything WordPress does.

Thanks guys, keep it up.
