WordPress Now Powers 25% of the Web

An anonymous reader writes: According to data from W3Techs one in four websites is now powered by WordPress. According to the report: "WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.” Venturebeat reports: "Today is a big day for the free and open-source content management system (CMS). To be perfectly clear, the milestone figure doesn't represent a fraction of all websites that have a CMS: WordPress now powers 25 percent of the Web.

In other news, the web is at least 24% unsecured

[xxxJonBoyxxx]

About 95% of the WordPress sites I've run across have allowed user enumeration, exposed internal paths, or had old software that could be exploited. So...I'd probably say that "25% of all websites are WordPress" really means "at least 24% of all websites are insecure".

The End of Days

[Luthair]

is nigh. This is a sign

Re:In other news, the web is at least 24% unsecure

[MyFirstNameIsPaul]

Is this a problem of WordPress, or just a popular CMS? If the admins aren't doing their job for WordPress, why would they start doing it for some other package?

We're Number Two! We're Number Two!

[93+Escort+Wagon]

According to the linked report, 57.4% of websites aren't using a CMS at all. So Wordpress is a distant second to "None".

Re:We're Number Two! We're Number Two!

[Tablizer]

If you sell a few products or services that don't change very often, you don't really need a CMS. It's cheaper to pay somebody to change static HTML pages every few months than to rent a CMS and pay to keep it patched.

Re:We're Number Two! We're Number Two!

[Bert64]

No, that's 57.4% where they don't know what the site is using. It could be none, or it could just be something they don't recognise.

User enumeration, seriously?

[tepples]

What is the actual risk from user enumeration, especially on a site not about a medical condition?

And how can it be prevented? Do you really want to allow two users to have the same username? If a user sends a private message to a nonexistent user, what error message strikes the best balance between security and usability?

Re:User enumeration, seriously?

[xxxJonBoyxxx]

>> What is the actual risk from user enumeration, especially on a site not about a medical condition?

It can tell you whether or not the default admin user is still present. It can also suggest what some of the other admin accounts are, since they are often the lowest numbered accounts on WordPress. (e.g., if you delete default admin - user #1 - your new admin is often the name of user #2). It's also a lot of fun for social engineering, particularly if you can crack or create a "mere contributor account" and then convince one of the admins (ferreted out through user enumeration) to promote you to an editor.

(Remember that WordPress user enumeration isn't classic user enumeration, where you can simply tell if a username is in user or not - it's literally the ability to say "give me user #1, 2, 3....100".)

>> And how can it be prevented? Do you really want to allow two users to have the same username?

On a system like WordPress, you always tell the user "yep, I just created that account" during user registration but you use the email address already on file for the existing to send an alert to the first registered user saying "hey, someone just tried to recreate your account - was that you"?

>> If a user sends a private message to a nonexistent user, what error message strikes the best balance between security and usability?

Most WordPress systems I've seen don't use comments or PMs or any of that overhead - they're mostly single-user (or all admin) systems for "read only" content. In those cases (most cases?) the dial should be set to "no one needs to know the list of usernames on these systems."

Re:User enumeration, seriously?

the problem lies in wordpress having a default page built in called /author/usernumber/

for instance, if I try loading /author/1/, wordpress will redirect to /author/username/. An attacker can then issue brute force attacks on said username.

I put a stop to this in apache with the following (note: I don't run any sites that need to make use of /author/, which displays posts written by an author)

RewriteEngine On
RewriteCond %{REQUEST_URI} !/wp-admin.*
RewriteCond %{QUERY_STRING} ^author=.*$
RewriteRule (.*) /? [L,R=302]

RewriteCond %{THE_REQUEST} wp.config.php [NC]
RewriteRule .* - [F,L]

Another rule in this prevents attackers from trying to get plugins to reveal the contents of wp-config.php. Badly written plugins can be told to print almost any file.

Plugins are wordpress's greatest strength and weakness. The vast majority of plugins are truly terrible. Either badly written, insecure, or use a ton of resources. We run into countless numbers of web site owners complaining of site speed and it always comes down to plugins and badly written themes.

The other biggest problem with wordpress is that /wp-admin/ and /wp-login.php are known and get completely hammered by bots. They are impossible to stop as bots attack from behind proxies and don't issue attacks from the same ip more than 3 or 4 times. These brute force attempts issue 3 to 4 db queries each and can really put a lot of strain on a server extremely quickly.

I've tried and failed to raise this issue with the wordpress team. I get shut down with people saying it's a plugins job to secure the install which is a load of BS. WP needs a builtin feature that lets us change the wp-login an wp-admin paths so that bots can't just randomly attack our sites. WP has had the ability to change the table prefix for the db tables since FOREVER ago. Why on earth would we not get the same security measure against admin and login system?

Re:User enumeration, seriously?

[tepples]

WP needs a builtin feature that lets us change the wp-login an wp-admin paths so that bots can't just randomly attack our sites.

Admin I can understand. But if a WP site has a comment section, wouldn't members of the public need to hit the login page in order to list past comments that they have posted?

Dreamweaver isn't a CMS, and neither is Frontpage

[h33t+l4x0r]

I know those made it in there because they were picked up in in the generator meta tag at the site root. That doesn't feel like a great methodology to me, honestly.

Shame

[Dracos]

It's a shame that ignorant designers and pseudo-developers have tricked so many hapless clients into running WordPress because it's easy. "Easy" here actually means that through a celestial confluence of bad architecture, poor development practice, and sly marketing, a third party market for themes sprang into being, with an horde of add-ons written by neophytes who aspire to writing code only as bad as the WP core, their sole source of PHP practices.

But that's not all. The majority of that monumental-seeming 25% wasn't set up by Joe Hipster for his easily enamored "e-commerce" clients. No, they're deployed via script by phishers and other scammers.

Re:Shame

[Tablizer]

What's the alternative? Our org tried roll-your-own CMS's, and there's just too many features to re-invent to do it well.

I'd like to see a roll-your-own-cms kit with API's and sample templates to deal with common web needs, but leave the data structuring to the org.

In other words, we need ready-made features like auto-image scaling (actual, not width=x), non-screwy browser based text editors (like CKEditor done right), user login UI kit, file upload manager, search/index engine, etc. but don't want a certain organizational or content data schema imposed on the org. The database design should be in our control.

Re:Shame

[Wraithlyn]

Check out Silverstripe. It's literally exactly what you just described.

You define your data structures in nice OOP classes using simple arrays (like $db for simple fields, $has_many, $many_many for relationships, etc), then just hit the URL /dev/build and Silverstripe will make the database reflect the code. (Talk about a deployment/staging dream)

Then you define your CMS editing widgets by overriding a getCMSFields() function, and away you go.

Image scaling & manipulation API, check. Beautiful, focused, intuitive admin interface (seriously clients love it) with CKEditor out of the box, check. File manager, search engine, check. Just a really well-written MVC framework with easy DB scaffolding and a polished CMS interface on top. Brilliant lazy-loading ORM syntax. Super clean and infinitely flexible template system. A preview system that actually works. Solid ecosystem of modules.

Drupal used to be our go-to but Silverstripe has been a real breath of fresh air. Check it out.

Re:Shame

[Tablizer]

Make the database reflect the code? ORM and MVC? Hell no. Count me out. Those are discredited from last decade.

Re:Shame

[Herve5]

The majority of the monumental-etc. wasn't set for e-commerces nor phisers.
It was set by people like me for very simple associative sites, for people only having access to simple servers with only php/mysql, and with just no plugin, only the baseline setup, sometimes with, oh, the second one of the standard appearence templates instead of the first.
And there is a simple, nonagressive, neutral reason for that: nothing else was available within this minimal requirements.

Re: Shame

[slazzy]

Concrete5 is pretty good.

Re:Shame

[Wraithlyn]

Um ok... stick with Wordpress then?

I thought you were asking for alternatives. I gave you one based on what you described. GIGO.

It would also be great if you gave reasons for your objections instead of just stating "discredited" like that actually explains anything at all. What's wrong with having the DB reflect the structures you define in code? Works great. Stages great. No downsides. Wonderful solution.

It makes sense to me

[Laconique]

Its ease of use is second to none and that does matter. It also makes sense, sadly, that its plugin repo is now full of freemium. There's clearly a large market but I hope that the genuinely free and quality plugins will remain. Without them, this number wouldn't be.

Re:In other news, the web is at least 24% unsecure

[xxxJonBoyxxx]

>> Is this a problem of WordPress, or just a popular CMS?

User enumeration is ON by default in WordPress and it's baked into the design. (There are plug-ins to disable it but most people don't use them.) This is pretty unique among LMSs. WordPress's architecture (which allows the use of old plug-ins) also frequently seems to lead to the reintroduction of helper files that have old vulnerabilities, two of which happen to frequently be "directory browsing" or "internal path disclosure". As for keeping old software up-to-date, that's a problem that all LMS's have to deal with, but there's usually enough on these other WordPress-specific issues on a target site to give your average security person a place to dig in.

Re:Greasy Yoda Anal Grease Drippings are 25% of We

Plus, it's a better love story than Twilight!

No way

[JustAnotherOldGuy]

"WordPress Now Powers 25% of the Web"

Sorry, I ain't buying it. Yes, there are a lot of WordPress sites out there, but 1 in every 4 is a WordPress site?

I call bullshit.

Re:No way

[Crashmarik]

If you parse the post closely you can see it's weasel worded

"WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.”

Re:No way

[tlambert]

"WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.”

58.7% of the 25% the know the CMS on is 14.675% of all web sites.

Re:No way

[NaCh0]

What that sentence means is that 41.3% of all website are not using a content management system or they have one that the bot couldn't recognize as a CMS.

This doesn't change the point of WordPress being used on 25% of all websites.

Re:No way

[gawdonblue]

60% of the time, it works every time

Re:No way

[drinkypoo]

The Wordpress codebase is an absolute steaming pile of dingos kidneys. It maintains it's popularity by virtue of the huge library of plugins and themes available for it. A fair proportion of those are steaming piles as well, but even those that are well written are still a problem because all those plugins rely on the WP core not changing significantly

And this is why Drupal is better than WordPress. Drupal is not afraid to break modules with every major revision. Yes, that is a PITA in its own way; it leads to people waiting a long time to upgrade because they have to wait for some modules to get updated for the new core, or to having to redesign parts of their website in order to transition to using a different module for the same functionality. But it's also an obvious benefit; security releases still come out for the prior major version, so you can limp it along until you get your site updated, and the upgrade to the new core is actually meaningful.

Re:No way

[tomhath]

This doesn't change the point of WordPress being used on 25% of all websites.

WordPress is used on 25% of the 59% of sites that the bot could detect. You cannot extrapolate anything beyond that.

Re:No way

[SumDog]

It's really obvious it's misleading. 25% of the web? Wrodpress? Umm...no. No way in hell. That doesn't even sound marginally accurate, or even a good estimate.

Re:No way

[laffer1]

of the first 10 million websites. Their source uses alexa data.

Re:No way

it appears to be a reasonable reaction

No, it isn't.

First, it is redundant with GP.

Second, commenters who feel the need to use "fucking" in every post mark themselves as annoying brats who should be down modded and ignored.

Re:No way

[amicusNYCL]

Then do your own study and show your own data, no one cares about your personal opinion.

Here's something fun to do: block all requests to wordpress.com and wordpress.org and then go around to news sites and wherever you can think of and notice how many things are broken - images won't load, CSS won't load, etc. A lot more sites are running on Wordpress than you think, regardless of what your "gut" is telling you. It's hard to see it because of how the sites look, but a lot of sites host a lot of resources on Wordpress servers. And, thankfully, reality doesn't depend on whether or not you want to "buy" it.

Re:No way

[JustAnotherOldGuy]

Then do your own study and show your own data

Errr, no. Thanks for the suggestion, but I have much better ways to spend my time. :)

And no, I don't buy that "study".

Sorry if that offends your deeply held beliefs that are mostly based on slashdot posts. lol

Re:No way

[amicusNYCL]

It doesn't offend me, I just notice when some armchair statistician throws out his heavy opinion of some study being "bullshit" based on literally nothing other than the feeling in his gut. Why even bother to post your opinion if you're just going to discount a study and show literally no evidence to the contrary?

Re:No way

[JustAnotherOldGuy]

Why even bother to post your opinion if you're just going to discount a study and show literally no evidence to the contrary?

Because I feel like it, that's why.

Re:In other news, the web is at least 24% unsecure

[phantomfive]

And I would rephrase it.......25% of websites are absolutely insecure, and 24% are trivially insecure.* Let's be honest, a fully patched and configured WordPress site just means an attacker has to work a little harder to find a vulnerability.


*Not exclusive....a good portion of the other 75% of websites likely have problems, too.

good news or really bad news?

[bloodhawk]

considering how many wordpress sites are insecure, unpatched and poorly configured I find this news scary not exciting, especially with how readily available exploits for it are.

Re:In other news, the web is at least 24% unsecure

[DNS-and-BIND]

Because other CMS are complete. Wordpress relies on everything to be a plugin. Upgrade your wordpress, break the plugins your site depends on. Even if they don't break right away, there are lots of small problems that can happen later, or only under certain circumstances. Been there, done that.

Wordpress isn't a CMS for actual people to use. It's a pre-hacked system for people who like tinkering with systems. You want an actual CMS, go elsewhere, and I'm not talking about rival free software platforms.

Re:Dreamweaver isn't a CMS, and neither is Frontpa

[Tablizer]

One could arguably call Dreamweaver a "static CMS". It has templates and other do-dads for formatting reuse, and has FTP sync-up management.

Wow...

[ZorkZero]

I had no idea there were that many blogs that nobody reads.

Re:PHP SUCKS IT IS STUPID AND LAME

[Tablizer]

Yes, but then you won't get all the "cool" hipsters to work on it. NodeJS has a rocket science mystique about it that attracts pioneers and fools alike. I won't comment on what I really think of the technology, but rather address it as a social phenomenon. Getting work done and being "where it's at" may not be the same thing.

Re:In other news, the web is at least 24% unsecure

[thegarbz]

Wordpress is incredibly easy to set up. I know someone who's computer skills extend to word, excel and a tiny bit of Photoshop who has a domain and wordpress based blog.

With that kind of low barrier to entry it stands to reason that people will have no idea about security. Some people will say the fault is with wordpress but the reality is wordpress can be setup securly and I'm willing to bet that if it were any other CMS we were talking about the results would be the same.

Re:PHP SUCKS IT IS STUPID AND LAME

[phantomfive]

Yes, but then you won't get all the "cool" hipsters to work on it. NodeJS has a rocket science mystique about it that attracts pioneers and fools alike. I won't comment on what I really think of the technology, but rather address it as a social phenomenon

Web programming (maybe more than any other area of programming?) goes through trends where one technology then another is hip and cool. It's like butterflies on crack or something.

I think the reason it happens in web programming especially is because there is no good answer. If you want to do embedded programming, then C/C++ are a good answers. If you want to do corporate software, then Java and C# work decently. But for the web, there's not really a good way to build web pages. HTML/CSS are kind of a pain, with incompatibilities abounding. For Javascript, you have to look for the good parts before you see them. Because they are poor tools, it's easy to create a system that appears to be better (not so easy to build one that is actually better, of course).

So big and yet...

[Jezral]

So popular, and yet they still haven't fixed the hugely annoying core issue of emulating magic quotes, even years after PHP itself completely threw out the feature.

Re:So big and yet...

[olau]

So popular, and yet they still haven't fixed the hugely annoying core issue of emulating magic quotes, even years after PHP itself completely threw out the feature.

Well, if you think about it, probably there's no contradiction here - in fact, there may be correlation.

There's probably tonnes of weird Wordpress PHP out there made by people who aren't expert programmers.

no celebration

[Tom]

Every time something becomes too dominant, we should not celebrate, we should worry. Doesn't matter if it's Windows, or IE or Oracle or the iPhone or Apache - we need competition to move and innovate.

In the CMS world, there is fierce competition, fortunately, but there are also high barriers already. A new CMS system will not be used in many commercial projects, no matter the merits, because the customers know a few big ones and if you don't drop their names, your pitch is out.

Almost 60% is quite terrible, especially with a project that has always had serious security issues.

WordPress is good. (I am not joking)

[Qbertino]

WordPress is good.

Ok, stop laughing and hear me out.

We all know that with all the shitty web-cmses out there, the ones built on LAMP (PHP) are the oldest that actually have a finished and working feature set.
Show me one non-PHP CMS with the featureset of WP, Joomla, Drupal, EZ Publish or Typo 3, closed source or FOSS. You won't find any.
PHP and the CMSes built with it are at least ten years ahead of the game in the market they were built for - that's a simple fact that no one can deny.
And of those, the mess called WP is actually the best that fits every mold.

- It's primarly a blogging engine - which is what most people want and need anyway.
- It takes about 3 clicks and ten seconds to move it away from the blogging perspective to a regular web CMS.
- It's dead simple to install.
- It uses the hook model (also found in Drupal) to implement features that can be applied flexibly. And while that principle is questionable at best - especially from a performance standpoint - there is no doubt that it is *very* easy to use to implement custom features and setups.
- The documentation actually exisits and is pretty good.
- The community is massive. It's basically an army of tinkerers fiddling away at extensions and plugins.
- It has an official full blown mobile management app downloadable for free.
- It has a large, semi-post-capitalistic hip company baking it and it's development. (They all work remote, from around the planet and put their money where their mouths are.)
- There are popular WP plugins built by people who can't programm - but they work (sort of) and are installed/activated/deactivated/uninstalled within seconds.
- The architecture is a bizar convoluted shoddy mess. But you can start tinkering with it within minutes and won't feel bad about it - because, hey, guess what, it's a mess already.
- Modifying templates and themes in a non-destuctive update-safe manner is dead simple. ... and so forth ...

In an nutshell:
WordPress is PHPs philosophy carried 1on1 into the application/CMS layer.
That is why it's so successful.
And rightfully so.

Re:WordPress is good. (I am not joking)

[astro]

Show me one non-PHP CMS with the featureset of WP, Joomla, Drupal, EZ Publish or Typo 3, closed source or FOSS. You won't find any.

Plone.

Re:WordPress is good. (I am not joking)

[Tablizer]

piles of...terrible code

C- tools are the enemy of D tools. Almost all non-trivial software sucks. Quality software is a lucky rare accident. Idealists never get anything done.

The world changes too fast for up-front requirements to get everything right and still be relevant 15 years down the road. For example, nobody anticipated mobile versions of pages/content when CMS's were being designed, but now they have to deal with them. The future will continue to surprise such than an organic mindset is a better fit than get-requirements-right-up-front.

Maybe the future has 3D holographic interfaces or direct-to-brain-uploads, or formatted so The Grays can read them, and all the CMS's will have to evolve to handle that.

Re:Because its non-brain-dead software...

[stridebird]

I have scraped my knuckles badly on drupal versions 6 and 7. I won't ever go near it again, ever. I basically agree with every (comprehensible) thing in your post. Fanboys, facades, false promises and vapourware along wih a bunch of seriously obnoxious contributors and deluded neophytes.

Yeah, it will run a web site. No, it will not run your website.

Wordpress on the other hand is a great money maker for a dev and can be hollowed out and used in any way you like. Highly flexible once understood, just roll your own theme and plugins.

Re:In other news, the web is at least 24% unsecure

[drinkypoo]

Is this a problem of WordPress, or just a popular CMS?

Drupal is also hugely popular, to the extent that it's actually a government favorite, and yet it doesn't have the same kind of holes as WordPress. That's not to say that it's wholly secure; there's advisories for Drupal all the time. But I think also that a different kind of user installs Drupal, one who actually knows their way around a line of code here and there, and one who will keep up with their updates. Even though WP has automatic updates and Drupal doesn't, WP gets exploited far more... even per capita, AFAICT.

If the admins aren't doing their job for WordPress, why would they start doing it for some other package?

WP is worse by design so the holes are bigger.

Re:Because its non-brain-dead software...

[drinkypoo]

Yeah, it will run a web site. No, it will not run your website.

Having seen all manner of site implemented with Drupal, from 100% flash interfaces for bands and albums and the like backed by its excellent XML-RPC functionality to government websites handling more hits than your mom, I suspect the problem is that it will not run your website. If you're involved, you'll fuck it up.

Re:In other news, the web is at least 24% unsecure

[keko]

As someone who had to dig deep into WordPress codebase at some low point in life... there's little admins can do about it.

Besides, one of the strong selling points of WordPress is its engine for supporting plugins, which is itself a vast ecosystem. In other words, it allows you to run the most terrible pile of code you could ever encounter on the Internet.

Re:Dreamweaver isn't a CMS, and neither is Frontpa

[jafiwam]

sure they are content management systems. they're used to manage content for millions of websites, even for the governments. the content is created, edited and generated from them and in some cases automatically uploaded.. just because they suck doesn't mean that they're not content management systems.

\\"A content management system (CMS)[1][2][3] is a computer application that allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface.[4] Such systems of content management provide procedures to manage workflow in a collaborative environment.[5] These procedures can be manual steps or an automated cascade. CMSs have been available since the late 1990s."

I'd call them CMMS's. Content Mis-Management Systems.

They lack the fundamental feature of the subject matter though, a database back end with a front end script letting the editors or others make changes with a browser. Regardless of whatever website's definition of it, the core of what people mean by "CMS" is a database and a scripting language running things, and a browser to edit.

In that sense, only SharePoint counts and that's a many generations later offshoot used with FrontPage sometimes. DreamWeaver doesn't count. IF those tools are used they are to manage the template on top of the script, and not the scripting, and not the database.

Re:In other news, the web is at least 24% unsecure

[dotancohen]

Is this a problem of WordPress, or just a popular CMS? If the admins aren't doing their job for WordPress, why would they start doing it for some other package?

Because for most websites, I've got to pentest from tens of IP addresses to find your vulnerabilities. There is a minimum bar for cracking your site. But if you're running Wordpress I can look at your meta tags and know wxactly which exploits will work and what I will get out of them. Even better, I can use DuckDuckGo to find your site and tens of thousands like it, all with doors wide open.

The difference between Wordpress and a well-built site is the difference between the corner prostitute and Melinda Gates. Somebody will be fucking both of them, but one is available for all to come and do as they please, while the other requires just the right special touch and quite a bit of luck and patience.

Re:In other news, the web is at least 24% unsecure

[drinkypoo]

Well, not to leave Drupal out too much, it did have https://www.drupal.org/SA-CORE....

Oh yeah, it's deeply embarrassing when your framework intended to stop SQL injection has a SQL injection hole in it. But it's not quite as embarrassing as being a constant source of infection to the rest of the interwebs because you're so supremely easy to exploit as WP. It also got fixed quite promptly...

Re:Read TFS!

[tomhath]

You cannot assume that web sites which don't tell you what CMS they use are either not using one or that 25% of them are using WordPress. All you can conclude is that 25% of Web Sites reporting a CMS use WordPress.

Furthermore, the statistic is meaningless since it doesn't say how much web traffic reaches those sites. It wouldn't surprise me a bit to learn that the vast majority of them are one or two page vanity sites that don't get any traffic at all (other than the occasional bot)

Re:In other news, the web is at least 24% unsecure

[Ice+Station+Zebra]

Yes, it is better that your plugins contain the sql-injection attacks so the core doesn't have to deal with them.

Re:Read TFS!

[kristianbrigman]

The point about the traffic is valid.

But the actually path to the statistic is:

- 57.4% of sites reported no CMS
- 25% of sites reported WordPress
- From the first, 42.6% of sites reported some CMS
- WordPress is 25/42.6 = ~58% of all sites that did report

Bollocks

[The123king]

Total bollocks

Mobile friendly

[ZeroWaiteState]

Just my opinion, but I think the reason for it has a lot to do with the fact that Google changed PageRank to increase visibility of sites that recognize mobile browsers and render accordingly. Getting that to work well is non-trivial, and WordPress makes it easy for the non-technical. For the part of the web where you just want to throw something up and have it render correctly in all browsers and don't want to spend a lot of time on it, you're going to use a CMS like WordPress. I think WordPress is probably going to end up being a vital part of web infrastructure a lot quicker than anyone really expected.

Re:PHP SUCKS IT IS STUPID AND LAME

Node.js is about one thing, getting cheap front end developers to do backend programming. It doesn't teach them about databases, algorithms, security or design though. JavaScript is a pain to debug so pushing it into the backend was utter stupidity.

If you look at the code quality of many node modules, you'll cry. JavaScript developers don't understand backward compatibility. Try using a yeoman install sometime and see what I mean.

Re:PHP SUCKS IT IS STUPID AND LAME

[ProzacPatient]

I am an experienced web developer who has worked with both PHP, ASP, ASP.NET and ASP.NET MVC.

In my opinion PHP is very powerful and I enjoy working with it because of how flexible it is but it has a lot of legacy baggage it must carry for the forseeable future but I don't believe PHP in itself is bad as people paint it but rather it's the inexperienced and the incompetent that give PHP its bad name because they don't write or setup their scripts with security in mind so you end up with all these PHP sites with security holes big enough to fly a 747 jumbo jet through.

Re:PHP SUCKS IT IS STUPID AND LAME

[phantomfive]

Well, I don't consider ASP.NET to be particularly great for web programming either lol

Same username, different e-mails

[tepples]

give me user #1

Then we've found the real WTF: sequential assignment of user IDs. Instead of relying on MySQL AUTO_INCREMENT, it should be using random_int(0, 999999999) or the like.

On a system like WordPress, you always tell the user "yep, I just created that account" during user registration but you use the email address already on file for the existing to send an alert to the first registered user saying "hey, someone just tried to recreate your account - was that you"?

Consider the following cases:

1. Someone signs up for a comment account with the username staisy and the e-mail address staisy2p@example.com. This results in the creation of an account.
2. Someone else signs up for a comment account with the username staisy and the e-mail address ltd@attacker.com. This results in no account being created.
3. Someone directs 200 people on some image board to sign up for a comment account with the username staisy and different e-mail addresses.

In each case, what should be displayed, and what mail should be sent? In the second case, sending mail only to Staisy and not to the attacker would indicate to the attacker that the name staisy is in use. And in the third case, sending mail only to Staisy and not to the image board members would flood her inbox.

Or would it be a better idea to shun usernames entirely, instead relying on the e-mail address as the sole primary key to uniquely identify an author of an article or comment? As far as I can tell, that would imply displaying that e-mail address to the world, including spambots that scrape web sites.

Most WordPress systems I've seen don't use comments

If that's true, that might be what I'm missing. I tend to associate the WordPress brand with blogs that have comment sections.

Re:Same username, different e-mails

[amicusNYCL]

Then we've found the real WTF: sequential assignment of user IDs. Instead of relying on MySQL AUTO_INCREMENT, it should be using random_int(0, 999999999) or the like.

Right, security through obscurity is the obvious solution. If you fix the symptom then it's like the problem isn't even there.

dont tell the black hats or the NSA

[TeddyR]

The problem is that black hats and the NSA also know this and will be concentrating on wordpress vulnerabilities. Any 0-day vulnerability in wordpress would be devastating.

Re:In other news, the web is at least 24% unsecure

[Actually,+I+do+RTFA]

If the admins aren't doing their job for WordPress, why would they start doing it for some other package?

If your CMS requires a competent admin to be secure, it has no business marketing itself as a turnkey solution.

A million hits to get one user

[tepples]

If you have a billion possible user IDs, but only a thousand correspond to users with commenting privileges and only ten correspond to accounts with anything near administrator-level access, an automated online process will have a heck of a time getting through whatever throttling you've already put in place.

Re: Dreamweaver isn't a CMS, and neither is Frontp

You could call Dreamweaver a polished turd and you'd also be correct.

Re: Dreamweaver isn't a CMS, and neither is Frontp

[Tablizer]

Well, being a PT and being a static-file CMS are not necessarily mutually exclusive, especially since the CMS field is full of PT's, and Un-PT's.

Re:In other news, the web is at least 24% unsecure

[dotancohen]

So how was she? All the time and patience worth it?

Ask Bill. He always gets the girl!

Re:Dreamweaver isn't a CMS, and neither is Frontpa

[AK+Marc]

Everywhere I've seen use WordPress use it like frontpage. If FP isn't a CMS, then neither is WordPress for most uses.

It'd be like buying salesforce.com to use as a shared calendar. It's not bad as a shared calendar. But it's too hard to set up and too expensive for that, so most people who bother to get it would also use the (assumed) CRM functions. But if someone didn't use a single CRM in a CRM, is it still a CRM?

The same thing applies to WP. The smaller company sites I see using it use it because that's what their web admin requires for content generation because it's easier to adminstrate (often farming out the actual web site admin to a 3rd party, while generating content in-house - the old analogy being the in-house would use Front Page, and email the page to the web admin, who would admin the server and upload pages to it).

Stupid, I'd agree. But common, from what I've seen.

In Related News

[wisnoskij]

WordPress has just released that they are changing their name to Skynet.