In Defence Of WordPress

Mattias Geniar, Thursday, May 7, 2015 - last modified: Sunday, August 2, 2015

The internet is verbally attacking WordPress again. I read a lot of hate towards WordPress for its latest security vulnerabilities that have become public.


What I don't see is praise in how those updates are handled and distributed to its millions of users.

Cross-Site Scripting Vulnerabilities

The last 2 weeks, 3 major security releases have been announced by the WordPress team;

Oh my, WordPress must pose a security risk, right?!

The Magical Release: WordPress 3.7

I was skeptical when they first announced this, but automatic background updates as featured in the 3.7 release are amazing.

Automatic background updates were introduced in WordPress 3.7 in an effort to promote better security, and to streamline the update experience overall. By default, only minor releases – such as for maintenance and security purposes – and translation file updates are enabled on most sites. In special cases, plugins and themes may be updated.

If you read the comments on Twitter, security blogs and even major news sites, you would expect the internet to have crashed and burned by now, with all the WordPress security vulnerabilities.

But that magical feature saved the internet from a lot of problems. That feature, that most WordPress users take for granted, is the single best thing ever to happen to WordPress.

And to think I questioned it at launch. What happens when your auto-update breaks all sites? What happens if an update is pushed, that introduces more vulnerabilities or backdoors? What if is every compromised and attackers can influence that update?

None of those scenarios happened. At least, not yet. But WordPress' trackrecord is solid.

Patching several million websites

WordPress is popular. It powers millions of sites. Small & big. This puts it in a position where it's bound to attract some unwanted attention. Once a critical WordPress vulnerabilty comes out, the update is pushed to those millions of sites within hours.


Let that sink in for a while. After a few hours, WordPress administrators that left the auto-update enabled (which it is, by default), receive an e-mail like this.


Just to put that into perspective, the steps to update Drupal core contain 13 instructions, among which;

5. Delete all the files & folders inside your original Drupal instance except for /sites folder and any custom files you added elsewhere.

6. Copy all the folders and files except /sites from inside the extracted Drupal package [tar ball or zip package] into your original Drupal instance.

WordPress users get that automatically.

Disabled auto-updates? Just log in and click a single button.


Does the update need a database schema change or upgrade? A single button.


Want to updates your installed plugins, to the latest version? A single button.


Your themes? A single button.


Let that sink in for a while.

The Punching Bag

At PHP conferences, WordPress often serves as a punching bag.

Nearly every talk that discusses code quality brings in WordPress and compares it to other frameworks. WordPress always ends up at the bottom.

Yet here it is, powering the internet. Patching millions of sites in less than 24 hours.

As much as I appreciate the other frameworks, WordPress is by far the best at handling security incidents. Magento? Don't get me started. Drupal? Your average user has no idea how to apply patches. I'm certain Drupalgeddon did far more damage than the recent 3 WordPress vulnerabilities, combined.

Joomla? Typo3? Each and every one can learn from WordPress.

Thanks, WordPress

I for one would like to thank WordPress. Besides powering this blog, it powers thousands of our clients. And thanks to this auto-update feature, each and every one of those is safer.

For all the hate the internet redirects to WordPress and for all the punches it has to take, I think there's far too little appreciation for everything WordPress does.

Thanks guys, keep it up.

Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.

Share this post

Did you like this post? Will you help me share it on social media? Thanks!


Jorge Daniel Sampayo Vargas Friday, May 8, 2015 at 01:44 - Reply

“The internet is verbally attacking WordPress” Can you put some references? I haven’t read anything about it.

Matthias Friday, May 8, 2015 at 16:04 - Reply

*scratch rant about comparing frameworks* ;-)

The interesting question: Why can’t Drupal get it right and why does WordPress’ codebase suck?

I think it all boils to UX vs. DX. In short: WordPress has awesome UX but it made a trade of regarding its’ “code quality”. Drupal evolved in another way: it tried to become this abstract box of easy to use building blocks for “site builders”

However, Drupal 8 tries to bridge the gap between DX and UX. Drupal wants to break out of this perception as this developer-tool-with-a-high-learning-curve and become a framework that is as useful and easy to learn for non technical users as for non-Drupal PHP developers.

But on certain functional points, DX and UX come into conflict. See this – currently hot – discussion about updating modules from within Drupal 8: (Short story: should we impose/inflict CLI tools on non-tech users for the sake of DX and code maintainability or not?)

Interesting discussion indeed!

    Mattias Geniar Friday, May 8, 2015 at 16:10 - Reply

    I couldn’t agree more.

    Thanks for the comment!

    Mario Peshev Sunday, May 10, 2015 at 20:55 - Reply

    I used to explain how WordPress’ codebase suck for over a year when I started (coming from Java and then PHP MVC frameworks or Django) and now I love most of it. Sure, it has some quirks, but I can totally export a list of idiocies from each framework out there.

    I’m not going to argue about it since it is personal, but the fact that a platform doesn’t obey the most popular architectural design pattern doesn’t make the code stupid. After a few larger projects, you may very well appreciate tons of goodies and thousands of hooks that would solve a lot of problems.

    Mike Schinkel Friday, May 15, 2015 at 04:02 - Reply

    I gotta agree with Mario. WordPress does not follow OOP code patterns but that does not mean it has code is bad. Yes, some of the older code is bad but much of WordPress is newer code and it is quite good, good in that it does an excellent job of achieving the goals that the WordPress team values.

    And yes WordPress focused on UX, but they also focused on DX, for lesser skilled developers. WordPress is far easier to extend for a person who has just learned PHP than Drupal, and I’ve worked on both.

    The WordPress architecture is also less fragile than a finely crafted OOP hierarchy; people can do almost anything with WordPress if they need to; no fragile base class to worry about, and the non-fully relational database structure adds to that resiliency.

    That said, it is very easy to build a house of cards with WordPress because of its architecture. So much so that our team has released an MV* library for WordPress to make it easier to scale up complexity of a WordPress app by using OOP for structure. That said, I’m not going to name the library because I don’t want people to think I am posted to promote it.

Will Friday, May 8, 2015 at 16:56 - Reply

Thanks for the well-rationed argument. I’ve seen plenty of WP bashing, both online and from people I’ve worked with, and it always comes down to this:

Anyone who bashes WordPress for its security failures doesn’t know what the hell they are talking about.

craigcdw Tuesday, May 12, 2015 at 21:56 - Reply

Thanks for putting my mind at ease Mattias, and for restoring the faith in WP.

Patrick Coombe Friday, May 15, 2015 at 04:37 - Reply

well said, and you just happen to be using one of my favorite WordPress themes as well :)

Dwayne Charrington Friday, May 15, 2015 at 05:29 - Reply

I will keep this short. I wrote a comment over at HN here:

While WordPress has had its fair share of vulnerabilities and issues over the years, it doesn’t make it a bad framework. We shouldn’t judge people (or in this case WordPress) on the things it has done wrong, but rather how it goes about addressing and learning from those mistakes. I can’t ever recall a severe vulnerability that didn’t get patched in a short amount of time in WordPress. No waiting weeks for a fix like Windows and Mac OS have been known for from time-to-time.

As I said in my HN comment, developers need to start taking responsibility. Obviously protecting yourself against core exploits is going to be hard, but a lot of the most common attacks I have seen on WordPress installations were avoidable. In a lot of cases they were either because the client didn’t keep their site updated or because WordPress and/or server was improperly setup.

I love it when people go out of their way to tell you how bad WordPress is because its code-base isn’t 100% pure OOP. My answer is: who the heck cares? Since when do most users of WordPress ever need to work with anything outside of the wp-content folder anyway? In the 8 or so years I have been using WordPress, I mostly work in the theme directory or if I am building a plugin, in the plugins directory. Unless you’re working with the WordPress core everyday, this isn’t even a valid argument in my opinion. It’s like some developers think that by going OOP WordPress is all of a sudden going to become faster and better, when it wouldn’t make any noticeable difference at all.

If you’re going to make your username admin: you deserve to be attacked and it is not WordPress’ fault.
If you set 0777 permissions on all of your files and folders: you deserve to be attacked and it is not WordPress’ fault.
If you keep your wp-config.php file in the root directory instead of one level back: you deserve to be attacked and it is not WordPress’ fault.
Do you upload and modify files via FTP instead of SSH keys and managed permissions via user groups? You deserve to be attacked and it is not WordPress’ fault.

I am pretty passionate about WordPress. I haven’t had an attack that did anything in years because unlike a lot of people who do get hacked, I am not an idiot and I make sure I put the effort into securing my sites. Auto updating is great, it doesn’t always work in my opinion, but it is great nonetheless. Our web browsers automatically update, so too should our CMS’s.

Patrick Friday, May 15, 2015 at 09:13 - Reply

I work for a huge web host that hosts about 10% of the internet. And I’m also a developer on side projects Laravel being my framework of choice. WordPress is great and probably the best thing going for people with low-to-no tech skills, I out-grew it as I started building custom apps, and that’s the way to go for security in general. Hackers love going for the easy apples — hack one plugin and you’ve hacked 100,000+ sites. Rather than try to break into 1 custom non-wordpress site.

That’s what makes wordpress so vulnerable. Another issue I see is that there’s really no policing of plugins. I’d LOVE to see some sort of at least open-source code-review and integrity test of EVERY plugin that ever enters the plugins repository and is installable through wordpress itself. That would be a huge endeavor, but in all honesty — anyone can upload a plugin and put their own backdoor into the app without you ever knowing what you’re installing.

    Mattias Geniar Friday, May 15, 2015 at 21:31 - Reply

    anyone can upload a plugin and put their own backdoor into the app without you ever knowing what you’re installing.

    I think, with that, you’ve nailed the success and dangers of WordPress.

    The ecosystem of plugins and themes is probably among the biggest reasons WordPress got the marketshare it has today. And it got that marketshare, by creating an easy-to-extend framework. In some cases, that means abandoning best practices in exchange for more easy to read and extend code.

    Long term, you can question the benefits of that approach. But looking back at WordPress’ history, there’s no denying that such a decision got it where it is today: the leader in the CMS & blog space.

    Stefanie Friday, May 22, 2015 at 01:14 - Reply

    Another issue I see is that there’s really no policing of plugins.

    As a clarification, every plugin in the repository is manually reviewed before being approved. While that’s not a guarantee, it’s also not a free-for-all “anyone can upload a plugin” either.

Jackson Friday, May 15, 2015 at 09:34 - Reply

Hi guys,

Default Twenty Fifteen WordPress Theme Vulnerable Reported Netsparker Team.

Details :

Ryan Jarrett Friday, May 15, 2015 at 09:35 - Reply

As Patrick pointed out, WordPress’ Achilles heel is its huge user base and the relative pay-off for the hackers and script kiddies trying to find exploits. Economies of scale you see. No easy answer to that, but certainly establishing best practices around hosting and maintaining a WordPress site would certainly help.

I think an independent code review of plugins is a great idea – dxw do something like this at and there are others. There seems to be plenty of code review services out there, but most do not publicly release the results. It would be great if, as a community, these reviews could be pooled and used to iterate the plugins to improve future releases. An aggregator for these would be extremely useful…

    Mattias Geniar Friday, May 15, 2015 at 21:28 - Reply

    Those kind of public code reviews (preferably automated end-to-end) would be an amazing idea.

    It has the primary benefit of preventing bad code in the Plugin space and would at the same time educate the developers. I bet a lot of plugin developers simply don’t know why some of the code they write is considered dangerous. If no one tells them, how should they?

    I’m sure there must be open source PHP-code scanners (performing static analysis), fuzzers, … that can be used for this. If I were Ops/DevOps at, I’d make this my side project. ;-)

Paul Friday, May 15, 2015 at 21:11 - Reply

You mean “defense”?

Tom Harrison Saturday, May 16, 2015 at 06:27 - Reply

I am a software engineer focused on high volume and secure sites. I have been blogging on WP since 2005 because it mostly works. I am not in love with WP, but it is a solid tool. But knowing what I know about the nature of computers, software, security and people I know that concern about WP is valid.

It’s really about scale. In the same way that massive adoption of Windows and some poor choices by Internet Explorer (ability to execute machine code with a single click) opened the world to viruses, WP has a similar issue. It is the ease of use that has made WP the choice of website software for many companies, even some very large ones — the same ease of use that makes me use and recommend WP.

But there’s a dark side. While the auto-update feature helps a lot, many sites still don’t use it. In one case, an e-commerce site I advised had written custom plugins that didn’t play well with updates. Others were still running versions where you had to do Unix and MySQL operations to get to a new version. There are undoubtedly millions of such sites still around. Add to this a framework that allows fully privileged plugins to be installed with a Simple UI and you have a ticking time bomb. Not because WP is worse (it’s better) but because its a big, juicy target. Just like Windows and IE.

WP should work with Google to identify vulnerable sites and notify them in some way. And WP folks should certify plugins.

Lynn Smythe Saturday, May 16, 2015 at 11:54 - Reply

Interesting article. All I know if that the majority of my clients use for both their website and blog. And after many years of using Typepad for my personal blogs (I have a free journalists account) I decided a couple of months ago to do most of my blogging on a WordPress site.

Ataul Ghani Sunday, May 17, 2015 at 00:34 - Reply

Nice post. I like your writing. Anyway, can you help me to improve my own blog If you give me some help and suggestion then i will be really happy.

Chadrack Monday, May 18, 2015 at 12:50 - Reply

Never really tried any of the other CMS resources. WordPress has been a darling to me since I started using it. Yes, I have had some concern about these vulnerability issues but never cared. Your post is really a bigger reassurance to me.

Marc Brooks Friday, May 22, 2015 at 07:34 - Reply

Any CMS that can have its Admin UI completely killed by a bad theme (especially one that becomes “bad” just because WordPress automatically upgraded itself) deserves to be mocked.

Laurence Cope Friday, May 22, 2015 at 13:46 - Reply

To be fair, WordPress is GOOD for people who want to install plugins and add tonnes of functionality easily with a few clicks, but apart from that it is no better than any other CMS. In fact, it is a complex system to use compared to others. So the only reason we use WordPress is for low budget sites we can install a theme, or when people need a load of functionality added and don’t have the budget to develop it bespoke. We would not use WordPress for bespoke websites, as its far to complex, bloated, and low compared to other CMSs.

Chris Howard Saturday, May 23, 2015 at 05:08 - Reply

I think most devs using WP have a love-hate relationship with it. One day you can be swooning over something and the next day tearing your hair out in frustration over another.

But security, greatly helped by those auto updates, is definitely in the first category.

WP is not perfect; however, for a software that powers more than 23% of the web, major security breaches of WP sites are rare. When was the last time you read of “20% of the web brought to its knees by hackers!”?

Also, I find it sad and ironic that “At PHP conferences, WordPress often serves as a punching bag”, given PHP cops more than its fair share of flak from the wider developer community for poor code practices. The bullied becomes the bully.

Derek Monday, April 25, 2016 at 01:14 - Reply

I’ll keep using Jekyll and enjoy my lightning-fast site speed and bulletproof security, while never ever deal with any of these problems :)

Leave a Reply

Your email address will not be published. Required fields are marked *

Inbound links