payload
wordpress-develop
| | payload | wordpress-develop |
|---|---|---|
| | 160 | 10 |
| Stars | 19,608 | 2,283 |
| Growth | 9.4% | 2.6% |
| Activity | 9.9 | 9.9 |
| Latest commit | 1 day ago | 3 days ago |
| Language | TypeScript | PHP |
| License | MIT License | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
payload
- Best way to build a modern back end and admin UI. No black magic
- Headless CMS: Directus vs Payload vs Strapi in 2024
Despite being a relatively newer player, Payload's GitHub repository has accumulated 18.8k stars and 1.1K forks as of April 2024, reflecting its growing community. The project has also secured $5.6 million in funding, positioning it for continued growth and innovation.
- Ask HN: Freelance website builders/maintainers, what's in your 2024 toolkit?
My most recent project launched in January. NextJS 14 client integrated with PayloadCMS (http://payloadcms.com) for the back-end. I love both technologies in theory, but they're both going through a renaissance period and "bleeding edge" doesn't even begin to describe it.
If I'm just building a client app, create-react-app is still my go to.
Before now, I'd been building on WordPress for 10+ years for anything client-administered. Planning on using Payload from here on out.
- Open-Source Headless CMS in 2024
Payload CMS: The Customization Insurgent
- Prismic.io is increasing our price by *1900%* over Christmas
Payload is free, you can self host it without paying a one time fee or a SaaS fee for its use, it even says so at the bottom of the homepage
- Next.js 14: No New APIs & Breaking Changes
James, the co-founder of Payload, a headless CMS with MongoDB support, shared his insights on the drawbacks and limitations of using a headless CMS in the context of web development. He challenged the promises often made about headless CMS, such as separation of concerns and ease of content migration, revealing that these claims often don't align with the reality faced by developers and clients. James is considering integrating Payload directly with Next.js to overcome these limitations and offer a better developer experience, including out-of-the-box features and simpler deployments. Should Payload move to Next.js?
- Ask HN: Why aren't Django Admin style dashboards popular in other frameworks?
- Payload (app framework + CMS in TypeScript) releases 2.0
- Payload 2.0: Postgres, Live Preview, Lexical RTE, and More
- Payload 2.0 released, TypeScript headless CMS and app framework
Hey HN, Dan here from Payload (YC S22), an open-source headless CMS that closes the gap between CMS and traditional app frameworks. We’re excited to announce Payload 2.0!
https://github.com/payloadcms/payload
If you’ve not heard of Payload you’re probably wondering why the world needs another CMS. Payload connects to your database and runs without the vendor lock-in and black box of SaaS based CMS solutions, and it’s far more extensible than off-the-shelf SaaS options. Enterprises in specific have been finding value in this control, and they’re using Payload to power content infrastructure that simply isn’t possible through integrating with SaaS webhooks alone.
Today’s announcement is all about features that strike at two neglected areas in the world of CMS. The first is application framework level control over your database that you’d expect with tools like Ruby on Rails or Laravel and the second area is making content editors effective by seeing their edits in realtime.
Here are the highlights on what we’ve been working on:
*Postgres Support*—in the same week we launched about two years ago, people asked for Postgres support. It brings me pure cathartic joy to finally give this to our community. To be fair, MongoDB has been a perfect solution for our architecture and it’s still recommended. But with a new adapter pattern for databases, you can stand your Payload project up on Postgres and run the same functionality as you can with MongoDB now. The crazy part is that we didn’t compromise on how nesting complex fields works. We could have taken the “easy” road and written things to JSON, but we leaned fully into the relational way and built the right tables and native column types for fields all the way throughout.
*Database Migrations*—maintaining a production app while deploying schema changes is something you come to expect from ORMs and backend frameworks, but rarely CMS. Payload 2.0 delivers full, first-party migration support all in TypeScript. We took a lot of care on the developer experience here so that when working with Postgres, thanks to our friends at Drizzle, we generate the migration files in TS that add the tables and fields for you. If you have to manipulate data before or after, you have a clear way forward now.
*Database Transactions*—when a request involves multiple inserts, updates or deletes to the database, you need control to rollback all changes when one part fails. The built-in Payload CRUD operations do this now for you and your custom hooks and other code can too.
*Live Preview*—the ability to quickly draft content and see it in context of a website is a literal game changer. We have taken the best dev experience of any headless CMS and given the editors a reason to demand Payload over the others.
*Lexical Richtext Editor*—our original Slate based editor has seen some great features added, like storing related documents directly in the JSON, uploads and any customizations. Unfortunately Slate leaves a lot to be desired on how to extend it, especially compared to Lexical. In a few short weeks we’ve built up a new editor experience inspired by Medium and Notion. Now type “/” and have embedded relationships, uploads, and custom blocks popping right up to be dropped in. Then drag and drop them to reorder your content. If you still want Slate, we continue to support that too.
We’re not compromising on editor experience. This is how we’re bringing the “head” to the headless CMS.
Building critical applications on top of a CMS may sound like blasphemy but it doesn’t have to be that way.
Thanks for reading! I look forward to hearing what you think.
wordpress-develop
- WordPress Playground: A WordPress that runs in the browser
The problem is architectural.
Wordpress at its core executes most of its user-facing code through an un-parallelizable, self-modifying single threaded queue, which has to be run at every page reload[1] and everything and anything will have to inject stuff in it. From handling your pictures in your media library, to checking your server can actually send mails, to managing your page and posts content and layout, everything goes through it. It's also a system that doesn't really play ball very easily with most PHP accelerators outside of baseline PHP opcache. You may have better luck using a static cache or memcached. Depending on the theme you're using (90% of what's available from envato themeforest, for example) the improvement will be negligible.
All of the data you're accessing is also for the most part queried from two tables of a single database instance[2] which again handles everything from your mail configuration, page routing and redirection, page layout, contents, stored forms, etc. No sharding or load balancing is natively available. Heck, most WP hosted solutions run MySQL on the same instance running Apache and PHP. Also the data is usually stored as serialized php values, which have to be parsed and reformatted, again, at every page load using the system described beforehand.
[1]https://github.com/WordPress/wordpress-develop/blob/6.2/src/...
[2]https://codex.wordpress.org/Database_Description
- Dropping support for PHP 5 - wordpress.org
Yup, it would have helped with autoloading the core classes.
- Exploiting admin_ajax.php
[!] 18 vulnerabilities identified:
 |
 | [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
 |     Fixed in: 5.8.4
 |     References:
 |      - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09
 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
 |
 | [!] Title: WordPress < 5.9.2 / Gutenberg < 12.7.2 - Prototype Pollution via Gutenberg’s wordpress/url package
 |     Fixed in: 5.8.4
 |     References:
 |      - https://wpscan.com/vulnerability/6e61b246-5af1-4a4f-9ca8-a8c87eb2e499
 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
 |      - https://github.com/WordPress/gutenberg/pull/39365/files
 |
 | [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting
 |     Fixed in: 5.8.5
 |     References:
 |      - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
 |     Fixed in: 5.8.5
 |     References:
 |      - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - SQLi via Link API
 |     Fixed in: 5.8.5
 |     References:
 |      - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via wp-mail.php
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/713bdc8b-ab7c-46d7-9847-305344a579c4
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/abf236fdaf94455e7bc6e30980cf70401003e283
 |
 | [!] Title: WP < 6.0.3 - Open Redirect via wp_nonce_ays
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/926cd097-b36f-4d26-9c51-0dfab11c301b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/506eee125953deb658307bb3005417cb83f32095
 |
 | [!] Title: WP < 6.0.3 - Email Address Disclosure via wp-mail.php
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/c5675b59-4b1d-4f64-9876-068e05145431
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44
 |
 | [!] Title: WP < 6.0.3 - Reflected XSS via SQLi in Media Library
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/cfd8b50d-16aa-4319-9c2d-b227365c2156
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/8836d4682264e8030067e07f2f953a0f66cb76cc
 |
 | [!] Title: WP < 6.0.3 - CSRF in wp-trackback.php
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/b60a6557-ae78-465c-95bc-a78cf74a6dd0
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/a4f9ca17fae0b7d97ff807a3c234cf219810fae0
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via the Customizer
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/2787684c-aaef-4171-95b4-ee5048c74218
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via Comment Editing
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/02d76d8e-9558-41a5-bdb6-3957dc31563b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/89c8f7919460c31c0f259453b4ffb63fde9fa955
 |
 | [!] Title: WP < 6.0.3 - Content from Multipart Emails Leaked
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/3f707e05-25f0-4566-88ed-d8d0aff3a872
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/3765886b4903b319764490d4ad5905bc5c310ef8
 |
 | [!] Title: WP < 6.0.3 - SQLi in WP_Date_Query
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/1da03338-557f-4cb6-9a65-3379df4cce47
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f
 |
 | [!] Title: WP < 6.0.3 - Stored XSS via RSS Widget
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/58d131f5-f376-4679-b604-2b888de71c5b
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/929cf3cb9580636f1ae3fe944b8faf8cca420492
 |
 | [!] Title: WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/b27a8711-a0c0-4996-bd6a-01734702913e
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/ebaac57a9ac0174485c65de3d32ea56de2330d8e
 |
 | [!] Title: WP < 6.0.3 - Multiple Stored XSS via Gutenberg
 |     Fixed in: 5.8.6
 |     References:
 |      - https://wpscan.com/vulnerability/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9
 |      - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
 |      - https://github.com/WordPress/gutenberg/pull/45045/files
 |
 | [!] Title: WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding
 |     References:
 |      - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590
 |      - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/
- Cleaning up some old backups and found this beauty
It is the wp dev repo from some years ago, so it is the node modules that were used by wp core: https://github.com/WordPress/wordpress-develop
- Slow search
Wordpress is open source. Anyone can submit code suggestions https://github.com/WordPress/wordpress-develop
- The Complicated Futility of WordPress
Addendum to my previous comment (as an in-depth technical review):
Check out the source code of wp_insert_post() [0] on line 4407, you'll see three hooks that trigger: "edit_post_{$post->post_type}", 'edit_post' and 'post_updated'.
Then after that, these other ones trigger unconditionally: "save_post_{$post->post_type}", 'save_post' and 'wp_insert_post'.
For the cherry on top: wp_after_insert_post() is called, with several other hooks on their own.
Try to evaluate each configured workflow whenever every one of these hooks triggers. Your WordPress installation will get slow in no time.
Somebody designed this function this way, and that design is inhibiting effective WordPress automation.
--
[0]: https://github.com/WordPress/wordpress-develop/blob/5.8.1/sr...
- SQL Injection in WordPress Core: CVE-2022-21661
- MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in WordPress Could Allow for SQL Injection - PATCH: NOW
- Any SEO framework users?
I was planning to include something I call "WP Fix - Unified Core Kit" (aka WPF-UCK); but, I believe the fixes are coming to WordPress real soon already: https://github.com/WordPress/wordpress-develop/pull/1806.
What are some alternatives?
Strapi - 🚀 Strapi is the leading open-source headless CMS. It’s 100% JavaScript/TypeScript, fully customizable and developer-first.
plasmic - Visual builder for React. Build apps, websites, and content. Integrate with your codebase.
Directus - The Modern Data Stack 🐰 — Directus is an instant REST+GraphQL API and intuitive no-code data collaboration app for any SQL database.
Grav - Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS powered by PHP, Markdown, Twig, and Symfony
Nest - A progressive Node.js framework for building efficient, scalable, and enterprise-grade server-side applications with TypeScript/JavaScript 🚀
caja - Caja is a tool for safely embedding third party HTML, CSS and JavaScript in your website.
bulletproof-react - 🛡️ ⚛️ A simple, scalable, and powerful architecture for building production ready React applications.
webiny-js - Open-source serverless enterprise CMS. Includes a headless CMS, page builder, form builder, and file manager. Easy to customize and expand. Deploys to AWS.
Ghost - Independent technology for modern publishing, memberships, subscriptions and newsletters.
wordpress-playground - Run WordPress in the browser via WebAssembly PHP