wordpress-develop VS Platform

The problem is architectural.

Wordpress at its core execute most of its user-facing code trough an un-parallelizable, self-modifying single threaded queue, which has to be run at every page reload[1] and everything and anything will have to inject stuff in it. From handling your pictures in your media library, to checking your server can actually send mails, to managing your page and posts content and layout, everything goes trough it. It's also a system that doesn't really play ball very easily with most PHP accelerators outside of baseline PHP opcache. You may have better luck using a static cache or memcached. Depending on the theme you're using (90% of what's available from envato themeforest, for example) the improvement will be negligible.

All of the data you're accessing is also for the most part queried from two tables of a single database instance[2] which again handles everything from your mail configuration, page routing and redirection, page layout, contents, stored forms, etc. No sharding, load balancing is natively available. Heck, most WP hosted solutions run MySQL on the same instance running Apache and PHP. Also the data is usually stored as serialized php values, which have to be parsed and reformatted, again, at every page load using the system described beforehand.

[1]https://github.com/WordPress/wordpress-develop/blob/6.2/src/...

[2]https://codex.wordpress.org/Database_Description

Yup, it would helped with autoloading the core classes.

[!] 18 vulnerabilities identified: | | [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery | Fixed in: 5.8.4 | References: | - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09 | - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/ | | [!] Title: WordPress < 5.9.2 / Gutenberg < 12.7.2 - Prototype Pollution via Gutenberg’s wordpress/url package | Fixed in: 5.8.4 | References: | - https://wpscan.com/vulnerability/6e61b246-5af1-4a4f-9ca8-a8c87eb2e499 | - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/ | - https://github.com/WordPress/gutenberg/pull/39365/files | | [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting | Fixed in: 5.8.5 | References: | - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be | - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/ | | [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting | Fixed in: 5.8.5 | References: | - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0 | - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/ | | [!] Title: WP < 6.0.2 - SQLi via Link API | Fixed in: 5.8.5 | References: | - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f | - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/ | | [!] Title: WP < 6.0.3 - Stored XSS via wp-mail.php | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/713bdc8b-ab7c-46d7-9847-305344a579c4 | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/wordpress-develop/commit/abf236fdaf94455e7bc6e30980cf70401003e283 | | [!] Title: WP < 6.0.3 - Open Redirect via wp_nonce_ays | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/926cd097-b36f-4d26-9c51-0dfab11c301b | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/wordpress-develop/commit/506eee125953deb658307bb3005417cb83f32095 | | [!] Title: WP < 6.0.3 - Email Address Disclosure via wp-mail.php | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/c5675b59-4b1d-4f64-9876-068e05145431 | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/wordpress-develop/commit/5fcdee1b4d72f1150b7b762ef5fb39ab288c8d44 | | [!] Title: WP < 6.0.3 - Reflected XSS via SQLi in Media Library | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/cfd8b50d-16aa-4319-9c2d-b227365c2156 | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/wordpress-develop/commit/8836d4682264e8030067e07f2f953a0f66cb76cc | | [!] Title: WP < 6.0.3 - CSRF in wp-trackback.php | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/b60a6557-ae78-465c-95bc-a78cf74a6dd0 | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/wordpress-develop/commit/a4f9ca17fae0b7d97ff807a3c234cf219810fae0 | | [!] Title: WP < 6.0.3 - Stored XSS via the Customizer | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/2787684c-aaef-4171-95b4-ee5048c74218 | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/wordpress-develop/commit/2ca28e49fc489a9bb3c9c9c0d8907a033fe056ef | | [!] Title: WP < 6.0.3 - Stored XSS via Comment Editing | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/02d76d8e-9558-41a5-bdb6-3957dc31563b | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/wordpress-develop/commit/89c8f7919460c31c0f259453b4ffb63fde9fa955 | | [!] Title: WP < 6.0.3 - Content from Multipart Emails Leaked | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/3f707e05-25f0-4566-88ed-d8d0aff3a872 | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/wordpress-develop/commit/3765886b4903b319764490d4ad5905bc5c310ef8 | | [!] Title: WP < 6.0.3 - SQLi in WP_Date_Query | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/1da03338-557f-4cb6-9a65-3379df4cce47 | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f | | [!] Title: WP < 6.0.3 - Stored XSS via RSS Widget | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/58d131f5-f376-4679-b604-2b888de71c5b | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/wordpress-develop/commit/929cf3cb9580636f1ae3fe944b8faf8cca420492 | | [!] Title: WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/b27a8711-a0c0-4996-bd6a-01734702913e | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/wordpress-develop/commit/ebaac57a9ac0174485c65de3d32ea56de2330d8e | | [!] Title: WP < 6.0.3 - Multiple Stored XSS via Gutenberg | Fixed in: 5.8.6 | References: | - https://wpscan.com/vulnerability/f513c8f6-2e1c-45ae-8a58-36b6518e2aa9 | - https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/ | - https://github.com/WordPress/gutenberg/pull/45045/files | | [!] Title: WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding | References: | - https://wpscan.com/vulnerability/c8814e6e-78b3-4f63-a1d3-6906a84c1f11 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3590 | - https://blog.sonarsource.com/wordpress-core-unauthenticated-blind-ssrf/

It is the wp dev repo from some years ago, so it is the node modules that were used by wp core: https://github.com/WordPress/wordpress-develop

Wordpress is open source. Anyone can submit code suggestions https://github.com/WordPress/wordpress-develop

Addendum to my previous comment(as an in-depth technical review):

Check out the source code of wp_insert_post() [0] on line 4407, you'll see three hooks that trigger: "edit_post_{$post->post_type}", 'edit_post' and 'post_updated').

Then after that, these other ones trigger unconditionally: "save_post_{$post->post_type}", 'save_post' and 'wp_insert_post'.

For the cherry on top: wp_after_insert_post() is called, with several other hooks on their own.

Try to evaluate each configured workflow whenever every one of these hooks triggers. Your WordPress installation will get slow in no time.

Somebody designed this function this way, and that design is inhibiting effective WordPress automation.

--

[0]: https://github.com/WordPress/wordpress-develop/blob/5.8.1/sr...

I was planning to include something I call "WP Fix - Unified Core Kit" (aka WPF-UCK); but, I believe the fixes are coming to WordPress real soon already: https://github.com/WordPress/wordpress-develop/pull/1806.

Open, permissionless networks beat closed, proprietary ones once they are good enough.

I spent 10 years and over $1 million from my company’s revenues to build an open source social operating system to power pretty much all the applications you’d want:

https://qbix.com

Hope it helps! About to release v2.0 on GitHub

https://github.com/Qbix/Platform

(And 5 years ago spun off https://intercoin.org/applications — we are still in the development stage on that one).

You might also like our platform that we’ve been building for 12 years and are preparing to launch:

https://github.com/Qbix/Platform

We have been doing it! Join us!

It isn’t perfect but we are ahead of most others (Mastodon, Matrix). We have spent TWELVE YEARS building the free, permissionless open source platform for anyone to assemble and host their own community software with all the features of Facebook/Twitter/TikTok for their own community:

https://github.com/Qbix/Platform

We are about to roll out version 2.0 — I have never done this before but I would like to invite whoever wants to learn about it or build on it, to a Zoom webinar where I will demo anything and answer any questions. The next Webinar will take place on our own platform — no Calendly, no Zoom, no Google, just the free open Web.

Anyway, sign up here if you want. Will do it every Sunday August:

https://calendly.com/qbix/qbix-2-0-platform-demo

This is true not just for analytics but pretty much all features.

Imagine you are a great speaker and instructir and have an audience. Right now you GIFT it to YouTube, Twitter, etc. and they monetize it for you, give you a ting percentage, and even constantly direct your audience to competitors and other distractions. In fact YouTube even sells an option to advertise your videos on your competitor’s videos!

I say — opt out. Run your own everything! It’s hard to build an open-source alternative that is good enough (no, Mastodon and Bluesky aren’t — yet).

Which is why (shameless plug warning) I spent 12 years and $1 million dollars with my team to build it. https://github.com/Qbix/Platform

Use it — as 1 of hundreds of features, you can have your own analytics on your own database on your own community site. The other features are here: https://qbix.com/features.pdf

I hope they don't do it.

I've had a similar situation with PHP, where we had written quite a large engine (https://github.com/Qbix/Platform) with many features (https://qbix.com/features.pdf) . It took advantage of the fact that PHP isolated each script and gave it its own global variables, etc. In fact, much of the request handling did stuff like this:

  Q_Request::requireFields(['a', 'b', 'c']);

I am the king of this. It has been 12 years and we had 6 million users — and we still have yet to ship Groups for Android for example.

Oh wait I have you one better — it has been 12 years and https://github.com/Qbix/Platform is only now almost ready to be released, as v2.0

Sure we “ship” it all the time, on github. We even released v1.0 but we didn’t announce it

People who discover https://qbix.com are shocked that there is a decentralized open source alternative platform to Facebook and Twitter that is far more full-featured than Mastodon, Bluesky or even Matrix and they never heard of it.

Well… the problem is that I picked a very complex space, one where no one got this far except for billion-dollar companies. People kept expecting everything to be real-time and rock-solid, and even when we finally got that done after many years, they still complain it “doesn’t look as good as Twitter”.

Every time I shipped half-baked stuff, it didn’t actually take off. Now, I believe it WOULD have taken off if it had a low demand surface area (eg Bitcoin just stores value and transfers it, period). But I tend to build stuff that is similar to what people use EVERY DAY, and that kind of stuff accrued lots of features.

Oh yeah my other project https://intercoin.org blockchain platform took 5 years to create. During that time we went from a crypto winter to a super bull market in crypto to another winter with super bear skepticism on HN.

On HN we knee-jerk get lumped in with stuff that isn’t even blockchain, like FTX or Binance, or ridiculous shitcoins that have no utility at all.

Our stuff is FREE AND OPEN SOURCE and you use it if you want, or don’t. Before complaining that it even exists to help people for free, or calling it a scam, at least click the link to https://github.com/Intercoin

A word about regulations, because you shouldn’t “just ship” in violation of laws (unless you’re Uber or AirBNB lol). Even though we raised money in an ICO pursuant to Reg D and Reg S exemotions, filed Form D with the SEC, got people who worked at the SEC as active advisors, complied with laws in multiple other jurisdictions, innovated in many areas of securities law, and carefully developed tokens to fit the No-Action letters grantsd to projects like PocketFullOfQuarters, people on HN just assume that we are like most of the others who didn’t treat their tokens as securities. Which is understandable. (I am not admitting the token ARE securities, this is a matter of opinion that a judge would determine, merely that we didn’t want to take the chance that the original transactions weren’t securities transactions.)

Btw besides securities there is also this FATCA, FINCEN and other stuff that many startups here should read even if they aren’t making web3 or crypto projects, but ARE dealing with money and payouts to people on their platform: https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20...

https://github.com/Qbix/Platform/commit/704ee677a6937f0b20a26d6a3c56f6aff812ab47

2. Implemented stream.ephemeral(payload) that can be sent to any stream now, and whole system of ephemeral is now working parallel to messages. Unlike messages, ephemeral isn't saved to the database, doesn't trigger notifications for subscribers, and the order doesn't matter. It's for things like "Typing..." indicators and other temporary things. Ephemeral is like UDP while Messages is like TCP.

For a framework that is radically different but also PHP-native (since PHP 5), would you like to spend an hour playing with https://github.com/Qbix/Platform ?

If you do, please share your experience in a comment. I’d love to hear it. I architected this framework over the last decade :)

Author here. Happy to see this went viral.

I have spent 12 years and 1 million dollars to date (no exaggeration) on a project to hopefully help people get a viable alternative to the Big Tech, and have choice where to host the infrastructure they typically expect from Facebook, Twitter, Telegram etc. It’s open source and it’s the only way you can make it expensive to backdoor everyone in bulk, or shut down a platform altogether:

https://github.com/Qbix/Platform

If you spend an afternoon playing with, I think you’ll feel like you’re discovering superpowers (like Batman or Iron man or something). It’s free to use. We’re launching https://qbix.com/ecosystem soon, with courses and certification so anyone who wants to learn, click on my profile and email me.

And if you like what we do and you’re thinking of supporting us with $100 or more, feel free to do it here… November 5 we are launching, until then you can voluntarily put a “no-obligation” contribution: https://wefunder.com/Qbix