Password Compat VS WordPress

> Same for WordPress.

Not as much - WP favours backwards compatibility (or is it laziness?) even when doing so impacts security.

Another problem is that the environments Wordpress targets are inherently vulnerable - while it's not WP's fault directly, they do nothing to warn people against using them nor outright stop supporting broken, insecure configurations.

> There are multitudes of comments that specifically single out WP in the post's comment thread. Including this very thread that you are on.

I was talking about publicized data breaches in general. But if we specifically talk about CMSes, I'm not sure anything else beats Wordpress and similar PHP-based CMSes of that era when it comes to not just the amount of vulnerabilities, but especially the nature of them - the same, dumb, basic problems resolved in every other language (including modern PHP with a framework such as Laravel) repeated over and over again.

> WHERE is that objective study that compares WordPress with other software in regard to vulnerabilities

Someone posted the following excerpt of the Wordpress codebase, which appears to be some custom attempt at simulating SQL query parameterization instead of using the actual, database-driver-provided function. If this is indeed the purpose of that function and it is indeed used, then I'm not sure there is any valid excuse for this in today's day and age.

Someone else mentioned password hashing still relying on MD5 - if that is actually true, I'm not sure that is excusable either? I haven't done PHP for many years now, but surely even if the native functions aren't available, couldn't they use a "polyfill" such as https://github.com/ircmaxell/password_compat ?

I'm sure there are many other issues but frankly the first one should be enough for any competent developer to run away.

> No it doesnt. Dont make up falsities. PHP executes files how you configure it to.

I was with you until this, but now I think you're arguing in bad faith.

Yes, if you want to be pedantic, PHP and your web server execute files like how you configure them to. In practice, the environment where the vast majority of Wordpress sites are deployed (your typical shared hosting environment) will execute anything that ends with .php and is in the web root.

This is inherently a legacy PHP problem (which WP encourages by supporting it) - no other language that I know of does this by default. If I accidentally store a malicious file in Python, Ruby, Node.js, etc applications, the worst that will happen is that I serve it back. At no point what so ever the server itself will execute that file.

Yet in the PHP environments Wordpress targets, this is a massive issue which means every single feature handling file uploads (both in WP core and any plugins) should anticipate your server's misconfiguration (maybe it's not limited to .php files, but .html files too?) and try to protect against it, eventually failing and then you get yet another Wordpress vulnerability.

Creating a high-performance website is essential in today’s digital age. Speed, efficiency, and a seamless user experience are the cornerstones of successful web development. This article explores how combining Next.js with WordPress can achieve these goals, providing a robust solution for developers looking to elevate their web projects.

WordPress as the backend headless CMS, offering a versatile content management foundation.

Open source CMS WordPress and Drupal introduced WYSIWYG editors and template customization to empower independent publishing but page building was still largely code-driven.

While specific CMS platforms were not directly listed in the sources as explicitly supporting Behat, it’s widely known in the development community that Behat can be integrated with several PHP-based CMS platforms. Drupal and _WordPress _are notable examples of PHP CMSs that support Behat testing, thanks to their flexible architecture and the availability of various plugins or modules that facilitate integration with Behat. For instance:

WordPress is the most popular CMS(Content Management System) among bloggers. The same fact has made WordPress more vulnerable to attacks by hackers. Especially for authentication vulnerabilities such as brute-force attacks.

I recent WordFence scan identified the plugin reCaptcha by BestWebSoft as a "critical" vulnerability adding that it has been removed from wordpress.org. Where can I find information as to why it was removed from wordpress.org or why it is a critical security vulnerability?

The Genshine Impact database site looks pretty custom, can't tell if there is any CMS involved. You could start with the tried and tested WordPress. I built my gaming site on WordPress, it's not as fancy as the site you linked but it has plenty of options and flexibility to build all sorts of sites.

Almost every host has one-click WordPress installs these days using either cPanel's WP Toolkit or Softaculous, so that should be a non-issue. You never have to visit wordpress.org if you go that route; the host is handling that for you. Watch Ferdy Korpershoek's videos on YouTube for tutorials on getting started with WordPress. Personally, I would not go with his hosting recommendations, however. I like iWebFusion, but there are other good recommendations over at /r/webhosting

I am on wordpress (commerce plan ) £55pm. wordpress.com is what I am using, however I have heard of wordpress.org also which requires more technical knolwedge which I am willing to invest in over the next 12 months.

wordpress.org requires that user input should be sanitized and validated, and output should be escaped, to prevent mischief by bad actors. This mantra is embedded in current wordpress.org plugin guidelines. Unfortunately older plugins may not comply, leaving them vulnerable. They always were vulnerable, but what's changed is the light has been shone on the issue by Patchman and others. Publicly available code can be scanned by both good and bad actors to detect where malware can be injected.