Slashdot Mirror
WordPress Now Powers 25% of the Web
An anonymous reader writes: According to data from W3Techs one in four websites is now powered by WordPress. According to the report: "WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.” Venturebeat reports: "Today is a big day for the free and open-source content management system (CMS). To be perfectly clear, the milestone figure doesn't represent a fraction of all websites that have a CMS: WordPress now powers 25 percent of the Web.
About 95% of the WordPress sites I've run across have allowed user enumeration, exposed internal paths, or had old software that could be exploited. So...I'd probably say that "25% of all websites are WordPress" really means "at least 24% of all websites are insecure".
is nigh. This is a sign
Is this a problem of WordPress, or just a popular CMS? If the admins aren't doing their job for WordPress, why would they start doing it for some other package?
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
What is the actual risk from user enumeration, especially on a site not about a medical condition?
And how can it be prevented? Do you really want to allow two users to have the same username? If a user sends a private message to a nonexistent user, what error message strikes the best balance between security and usability?
Its ease of use is second to none and that does matter. It also makes sense, sadly, that its plugin repo is now full of freemium. There's clearly a large market but I hope that the genuinely free and quality plugins will remain. Without them, this number wouldn't be.
>> Is this a problem of WordPress, or just a popular CMS?
User enumeration is ON by default in WordPress and it's baked into the design. (There are plug-ins to disable it but most people don't use them.) This is pretty unique among LMSs. WordPress's architecture (which allows the use of old plug-ins) also frequently seems to lead to the reintroduction of helper files that have old vulnerabilities, two of which happen to frequently be "directory browsing" or "internal path disclosure". As for keeping old software up-to-date, that's a problem that all LMS's have to deal with, but there's usually enough on these other WordPress-specific issues on a target site to give your average security person a place to dig in.
"WordPress Now Powers 25% of the Web"
Sorry, I ain't buying it. Yes, there are a lot of WordPress sites out there, but 1 in every 4 is a WordPress site?
I call bullshit.
Just cruising through this digital world at 33 1/3 rpm...
Because other CMS are complete. Wordpress relies on everything to be a plugin. Upgrade your wordpress, break the plugins your site depends on. Even if they don't break right away, there are lots of small problems that can happen later, or only under certain circumstances. Been there, done that.
Wordpress isn't a CMS for actual people to use. It's a pre-hacked system for people who like tinkering with systems. You want an actual CMS, go elsewhere, and I'm not talking about rival free software platforms.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
I had no idea there were that many blogs that nobody reads.
Yes, but then you won't get all the "cool" hipsters to work on it. NodeJS has a rocket science mystique about it that attracts pioneers and fools alike. I won't comment on what I really think of the technology, but rather address it as a social phenomenon
Web programming (maybe more than any other area of programming?) goes through trends where one technology then another is hip and cool. It's like butterflies on crack or something.
I think the reason it happens in web programming especially is because there is no good answer. If you want to do embedded programming, then C/C++ are a good answers. If you want to do corporate software, then Java and C# work decently. But for the web, there's not really a good way to build web pages. HTML/CSS are kind of a pain, with incompatibilities abounding. For Javascript, you have to look for the good parts before you see them. Because they are poor tools, it's easy to create a system that appears to be better (not so easy to build one that is actually better, of course).
"First they came for the slanderers and i said nothing."
So popular, and yet they still haven't fixed the hugely annoying core issue of emulating magic quotes, even years after PHP itself completely threw out the feature.
Make the database reflect the code? ORM and MVC? Hell no. Count me out. Those are discredited from last decade.
Table-ized A.I.
WordPress is good.
Ok, stop laughing and hear me out.
We all know that with all the shitty web-cmses out there, the ones built on LAMP (PHP) are the oldest that actually have a finished and working feature set.
Show me one non-PHP CMS with the featureset of WP, Joomla, Drupal, EZ Publish or Typo 3, closed source or FOSS. You won't find any.
PHP and the CMSes built with it are at least ten years ahead of the game in the market they were built for - that's a simple fact that no one can deny.
And of those, the mess called WP is actually the best that fits every mold.
- It's primarly a blogging engine - which is what most people want and need anyway. ... and so forth ...
- It takes about 3 clicks and ten seconds to move it away from the blogging perspective to a regular web CMS.
- It's dead simple to install.
- It uses the hook model (also found in Drupal) to implement features that can be applied flexibly. And while that principle is questionable at best - especially from a performance standpoint - there is no doubt that it is *very* easy to use to implement custom features and setups.
- The documentation actually exisits and is pretty good.
- The community is massive. It's basically an army of tinkerers fiddling away at extensions and plugins.
- It has an official full blown mobile management app downloadable for free.
- It has a large, semi-post-capitalistic hip company baking it and it's development. (They all work remote, from around the planet and put their money where their mouths are.)
- There are popular WP plugins built by people who can't programm - but they work (sort of) and are installed/activated/deactivated/uninstalled within seconds.
- The architecture is a bizar convoluted shoddy mess. But you can start tinkering with it within minutes and won't feel bad about it - because, hey, guess what, it's a mess already.
- Modifying templates and themes in a non-destuctive update-safe manner is dead simple.
In an nutshell:
WordPress is PHPs philosophy carried 1on1 into the application/CMS layer.
That is why it's so successful.
And rightfully so.
We suffer more in our imagination than in reality. - Seneca
Is this a problem of WordPress, or just a popular CMS?
Drupal is also hugely popular, to the extent that it's actually a government favorite, and yet it doesn't have the same kind of holes as WordPress. That's not to say that it's wholly secure; there's advisories for Drupal all the time. But I think also that a different kind of user installs Drupal, one who actually knows their way around a line of code here and there, and one who will keep up with their updates. Even though WP has automatic updates and Drupal doesn't, WP gets exploited far more... even per capita, AFAICT.
If the admins aren't doing their job for WordPress, why would they start doing it for some other package?
WP is worse by design so the holes are bigger.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
As someone who had to dig deep into WordPress codebase at some low point in life... there's little admins can do about it.
Besides, one of the strong selling points of WordPress is its engine for supporting plugins, which is itself a vast ecosystem. In other words, it allows you to run the most terrible pile of code you could ever encounter on the Internet.
sure they are content management systems. they're used to manage content for millions of websites, even for the governments. the content is created, edited and generated from them and in some cases automatically uploaded.. just because they suck doesn't mean that they're not content management systems.
\\"A content management system (CMS)[1][2][3] is a computer application that allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface.[4] Such systems of content management provide procedures to manage workflow in a collaborative environment.[5] These procedures can be manual steps or an automated cascade. CMSs have been available since the late 1990s."
I'd call them CMMS's. Content Mis-Management Systems.
They lack the fundamental feature of the subject matter though, a database back end with a front end script letting the editors or others make changes with a browser. Regardless of whatever website's definition of it, the core of what people mean by "CMS" is a database and a scripting language running things, and a browser to edit.
In that sense, only SharePoint counts and that's a many generations later offshoot used with FrontPage sometimes. DreamWeaver doesn't count. IF those tools are used they are to manage the template on top of the script, and not the scripting, and not the database.
Just my opinion, but I think the reason for it has a lot to do with the fact that Google changed PageRank to increase visibility of sites that recognize mobile browsers and render accordingly. Getting that to work well is non-trivial, and WordPress makes it easy for the non-technical. For the part of the web where you just want to throw something up and have it render correctly in all browsers and don't want to spend a lot of time on it, you're going to use a CMS like WordPress. I think WordPress is probably going to end up being a vital part of web infrastructure a lot quicker than anyone really expected.