Why WordPress Sucks

I'm writing this because I just realized it's not obvious why WordPress sucks.

I realized it's not obvious because I was explaining this to someone trained as a computer science engineer (but without much experience in PHP, the language that WordPress is written in), and even he didn't easily understand.

Here are the "highlights" for why:

  • VERY easily hacked, since plugins have the same execution privileges as the WordPress framework.
  • VERY slow (benchmarked 10 requests/second for a 2GB RAM server???)
  • VERY resource heavy (RAM + CPU)
    • Each page load usually does 50 MySQL queries. With WooCommerce: 300-500 queries.
  • AND CONSEQUENTLY: very expensive!! ($5/month for a basic blog??)

There's no reason why a basic, low-traffic website should cost $5/month.

If all you have is 50-100 MB of content, it should be free.

If you do need capacity for more traffic, it should be at most $12/year.

These prices are exactly what we plan to offer in the managed hosting offering of PageZest. We've recently released the open source code of PageZest.

Please subscribe to the email list (at the bottom of page) if you are interested in using PageZest managed hosting! This is the main way we gauge interest in our project.

Why WordPress is so easily hacked

This requires some technical explanation.

The WordPress framework is written in PHP. Execution starts from index.php.

WordPress plugins are written in PHP. The host framework calls the plugin. There is no sandboxing. The plugin has the same execution privileges as the host framework.

If you're an engineer, you should now immediately understand why WordPress is so easily hacked. There really only needs to be one insecure plugin, and your entire virtual machine is screwed.
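The shared-privilege model described above, as an added example (not WordPress code and not from the original post): a single-file PHP sketch in which a hypothetical mini hook registry (`add_hook`/`run_hook`, modelled on WordPress-style hooks) calls a plugin callback that reports what it inherits from the host process. `DB_PASSWORD` mirrors the constant WordPress defines in wp-config.php; its value here is constructed.

```php
<?php
// Added illustration; not WordPress source code.
// Constructed stand-in for the host: WordPress defines DB_PASSWORD in
// wp-config.php. The value below is a constructed sample.
define('DB_PASSWORD', 'constructed-sample-secret');

// Hypothetical mini hook registry, modelled on WordPress-style hooks.
$hooks = [];

function add_hook(string $name, callable $callback): void
{
    global $hooks;
    $hooks[$name][] = $callback;
}

function run_hook(string $name): array
{
    global $hooks;
    $results = [];
    foreach ($hooks[$name] ?? [] as $callback) {
        $results[] = $callback(); // plain in-process call, no boundary
    }
    return $results;
}

// "Plugin": in WordPress this is a separate PHP file that the host includes.
// It is a closure here so the example stays in one file. It only reports
// what it inherits from the host process.
add_hook('init', function (): array {
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return [
        'sees_host_db_password'   => defined('DB_PASSWORD'),
        'can_write_host_code_dir' => is_writable(__DIR__),
        // Checked both ways: older PHP keeps disabled functions defined.
        'can_spawn_processes'     => function_exists('proc_open')
                                     && !in_array('proc_open', $disabled, true),
    ];
});

// Host side: fire the hook and print what the plugin was able to observe.
foreach (run_hook('init') as $report) {
    foreach ($report as $check => $value) {
        printf("%-24s %s\n", $check, var_export($value, true));
    }
}
```

Each `true` in the output is authority the plugin received without asking for it, simply by being called inside the host's PHP process.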

What is proper sandboxing?

A good example is Chrome and Chrome extensions. These are properly sandboxed. Chrome engineers work hard to make sure installed Chrome extensions cannot corrupt the user's computer.

Chrome is written in C++. Chrome extensions are written in JavaScript.

Chrome extensions do not run with the same execution privileges as Chrome itself. Concretely, this means: Chrome extensions cannot download other new extensions. They can write to only part of the filesystem, not the entire filesystem. They can only have 1 process on the computer, not 100-200 processes.

This is sandboxed!

C++ compiles down to machine code. Imagine if Chrome extensions were simply machine code, executed with the same privileges as Chrome. Seems crazy, doesn't it? Yet that is the exact situation happening in WordPress and WordPress plugins!!!

How PageZest Fixes Problems in WordPress

  • plugins using WebAssembly. SANDBOXED. NO MORE HACKS.
  • written in Rust, not PHP. Significantly faster execution!
  • plugins are by default static+cacheable. Easily generate 100% static sites! Much faster and cheaper to host!