Because you sound like you know a bit about a11y, we could really use a hand. Accessibility meetings are weekly in the Make WordPress.org Slack instance. One of the problems is that Gutenberg's technology is very different than the rest of WordPress core, so some of the a11y contributors to WordPress Core are staying away from code-contributions to Gutenberg because of that (myself included). I've been playing around with node.js a bit to try and contribute, but it's very different than what I'm used to (PHP).
There's also a very nice library that can dump all the pages from Wagtail into a static site which you can then just copy to a CDN, giving you the best of both worlds: The ease of publishing of dynamic sites and the speed/ease of deployment of static sites.
However, as software, Wordpress deserves the hate it gets. There is no real security or firewalling or permissions limiting of plugins, there is no hint of modern PHP practices like Composer integration, routing, or the use of a templating language (and no, PHP itself doesn't count) and the amount of cruft it carries with it for the sake of backwards compatibility makes it insanely complex and far more bloated than it needs to be.
Wordpress in principle is a wonderful, useful product, and anyone trying to compete with it needs to closely study what it gets right (ease of deployment, ease of extension, ease of configuration, auto-updates, plugins, etc.) as well as what it gets wrong. Wordpress in practice, though, needs to be tossed into a pit and burned.
I can't say all, but the huge bulk of security issues I've seen revolve around some exploit which ends up writing a new file, or overwriting an existing file, which is then publicly accessible. If your file system is not writable, the large majority of WP exploits go away. However, you lose the "press here to upgrade your entire site and all the plugins in one easy step!" functionality, and the "upload files via the browser" ease-of-use.
If you're truly modifying public media files on regular basis, a non-writeable file system kinda stinks (either make the FS writeable or use an external media host, which adds complexity and cost). MOST systems I run in to aren't doing this often - it's "put up the site and updates some pages every few months" (or, blogging, which is often just text). For these, I recommend turning off write permissions to the whole of the WP system, and periodically turning it back on to do updates, then turning it off again.
Yes, this doesn't cover 100% of exploit cases, but nothing does, and I've found this to go a moderately long way to reduce the impact of various exploit attempts.
So, to answer the question, I would say "it depends". If the .net hosted version also by default allows for writeable media that is also executable, then there would be problems. However, I don't expect a .net-based system would allow you to get a ".aspx" file in a publicly accessible URL and have it just execute when accessed (unless there's some deployment mode that would allow for that?)
The problems with Wordpress are mostly:
1. WP installations are often not properly configured or maintained.
2. The plugin ecosystem is a mess of vulnerable and/or malicious code, or simply dead code that isn't maintained yet still deployed in the wild.
That a POST param even was used to as the path to a file to delete without sanitizing it is not usually indicative of "secure coding practices".
I’d hate to see what you think is terrible then.
Wordpress is not and I imagine never will be anywhere close to “modern design patterns”.
It’s not even close to old design patterns, unless Heinz has a namesake software design pattern.
Wordpress uses practices that were considered a bad idea a decade or more ago, and still refuses to change.
However, not to disrespect the work that has gone into Wordpress, how hard can it be to write something better for the frontend and get marketplace adoption?
I do not like the frontend 'coding standards' and mess of plugins. Starting straight from the raw wp_ mySQL tables is a less insurmountable task than hacking some theme and bloating it out with 'jQuery' plugins that should never have been plugins. It seems that it is the ecosystem of design agencies with their lorem-ipsum big-up-front-designs and allegedly 'agile' workflows that have made Wordpress into something I do not like working with. Particularly when the add-ins make the backend far removed from sensible, making it a nightmare CMS for clients.
Hasn't anyone written a decent frontend for it that is not a tacky theme with ten thousand lines of CSS of which 97% is not used and a megabyte of scripts to get the carousel and share links working?
How's Linux for .NET hosting? Because Linux hosts are generally cheaper than Windows hosts.
For .NET Core there are binary packages [1] for Debian/Ubuntu, Fedora, Red Hat and SUSE, so you can apt-get/rpm/yum hosting environment in a matter of minutes. I'd say it's easier to set up and run ASP.NET Core app with Apache or nginx as reverse proxy than with IIS. For "old" .NET you are stuck with Mono [2] which works okay-ish if you don't use Windows-only dependencies.
[1] https://www.microsoft.com/net/download/linux-package-manager...
If it is so awful, why is it on over 25% of sites?
It has helped alot of people make alot of money, and continues to do so.
If McDonalds is so bad for you, why do they serve 550 million Big Macs every year?
WP is 'free', has a low barrier to entry, and for many years non-developers were able to relatively easily add custom functionality (sometimes done well, but often security and performance nightmares).
A lot of people make a lot of money from selling illegal drugs, or fatty foods, or bad investment/insurance products.
WP has its place, and in the right skilled hands, for the right projects, addresses many business needs decently well. Until it doesn't.
But this "right tool for the right job" argument has been beaten to death when it comes to WP. Biggest 'meta' issue I see with WP is that it doesn't do much to encourage most people "developing" on it to ever consider other tools; they just learn to fit more and more jobs in to the same ecosystem, whether it's a good fit or not. And due to the size of the ecosystem, it has enough gravity to keep attracting people to it.
Spot on. I do a fair amount of WP work. I'm a member of a number of WP groups on FB. I see this all the time. For most people WP is a hammer and everything is a nail.
Unfortunately, that's the Kool Aid served by Matt M all the way down. WP isn't an OSS application. It's a cult.
To the majority of the cult members there's nothing else. They know nothing other than WP. Truth be told, most of them don't even know WP.
This is an amazingly good comparison because in both cases the initial assumption is wrong.
Just like WP, McDonalds is not bad for you intrinsically. It’s poor discipline and usage that causes problems.
Think of any modern development best practice that you like (e.g. version control, or automated tests): Wordpress will make it harder, and if you take over an existing Wordpress site, there's a non-zero chance that the previous developer wasn't doing it, making the hairball of code underneath the shiny interface even harder to work with.
I raise you another:
God help us; we're in the hands of engineers.However, Peachpie seems like an awesome showcase what is possible in modern environments and apps.