Why WordPress Falls Short in Enterprise CMS

I'm writing this because I just realized it's not obvious why WordPress is inadequate for Enterprise CMS, or any high traffic website (100,000+ monthly traffic).

I realized it's not obvious because I was explaining this to someone trained as a computer science engineer (but without much experience in PHP, the language that WordPress is written in), and even he didn't easily understand.

Here are the "highlights" for why:

  • VERY easily hacked, chiefly because of plugins – they are not sandboxed. The plugins have exactly the same execution privileges as the hosting WordPress framework. If you're an engineer, you should immediately understand how insane that is from a security standpoint!
  • VERY slow (benchmarked at 10 requests/second on a server with 2 GB of RAM???)
  • VERY high latency (benchmarked average latency of 1439 ms (!!))
  • VERY resource heavy (RAM + CPU)
    • Each page load typically issues around 50 MySQL queries. With WooCommerce: 300-500 queries.

Why WordPress is so easily hacked

This requires some technical explanation.

The WordPress framework is written in PHP. The PHP VM executes from index.php.

WordPress plugins are also written in PHP. The host framework, in PHP, calls the plugin code, also in PHP.

Which means: the underlying PHP VM treats the WordPress code and the unknown WordPress plugin code exactly the same. The PHP VM does not know they are different.

So the WordPress plugins get the same execution privileges as the host WordPress framework. Anything the WordPress framework can do, so can the plugins.

If you're an engineer, you should now immediately understand how WordPress is so easily hacked. It only takes one insecure plugin, and your entire virtual machine is screwed.

Every year, around 4.7 million WordPress sites get hacked. Around 1% of all WordPress installations.

I can speak from experience. I myself got hacked. I honestly couldn't believe it. That virus was very sophisticated. Very, very sophisticated.

What is proper sandboxing?

A good example is Chrome and Chrome extensions. These are properly sandboxed. Chrome engineers work hard to make sure installed Chrome extensions cannot corrupt the user's computer, even if an extension is as malicious as possible.

Chrome is written in C++. Chrome extensions are written in JavaScript.

Chrome extensions do not run with the same execution privileges as Chrome itself. Concretely, this means: Chrome extensions cannot download other new extensions. They can write to only part of the filesystem, not the entire filesystem. An extension gets only 1 process on the computer, not 100-200 processes.

This is sandboxed!

C++ compiles down to machine code. Imagine if Chrome extensions were simply machine code, executed with the same privileges as Chrome. Seems crazy, doesn't it? Yet that is exactly the situation with WordPress and WordPress plugins!!!

How PageZest Fixes Problems in WordPress

Security

  • Plugins run in a WebAssembly VM. SANDBOXED. NO MORE HACKS. Enterprise-grade.

Performance

  • Written in Rust, not PHP. This one change alone gives 40x faster execution!
  • Plugins are static and cacheable by default. Easily generate 100% static sites! Much faster response times, lower latency!
Requests per second

                    wordpress    ghost     pagezest (dynamic)   pagezest (static)
  Requests/second   8.8 req/s    25 RPS    2000 RPS             3800 RPS

Time per request

                    wordpress          ghost         pagezest (static)
  Time per request  1439.441 ms (!!)   566.587 ms    225.075 ms

Time per request (mean, across all concurrent requests)

                    wordpress         ghost        pagezest (static)
  Time per request  89.965 ms (!!)    9.127 ms     0.275 ms

Visit the pricing page to start using PageZest!