Because you sound like you know a bit about a11y, we could really use a hand. Accessibility meetings are weekly in the Make WordPress.org Slack instance. One of the problems is that Gutenberg's technology is very different than the rest of WordPress core, so some of the a11y contributors to WordPress Core are staying away from code-contributions to Gutenberg because of that (myself included). I've been playing around with node.js a bit to try and contribute, but it's very different than what I'm used to (PHP).
How close is it to 2.0 A, currently?
There's also a very nice library that can dump all the pages from Wagtail into a static site which you can then just copy to a CDN, giving you the best of both worlds: The ease of publishing of dynamic sites and the speed/ease of deployment of static sites.
However, as software, Wordpress deserves the hate it gets. There is no real security or firewalling or permissions limiting of plugins, there is no hint of modern PHP practices like Composer integration, routing, or the use of a templating language (and no, PHP itself doesn't count) and the amount of cruft it carries with it for the sake of backwards compatibility makes it insanely complex and far more bloated than it needs to be.
Wordpress in principle is a wonderful, useful product, and anyone trying to compete with it needs to closely study what it gets right (ease of deployment, ease of extension, ease of configuration, auto-updates, plugins, etc.) as well as what it gets wrong. Wordpress in practice, though, needs to be tossed into a pit and burned.
But those are The Right __and__ The Wrong.
For example, adding Composer to the WP "stack" makes sense. But now you've eliminated 90% (?) of the WP "developers."
That is, in the Universe of WordPress Composer is more friction, not less (i.e., ease of use).
Long to short, for better or worse, WP is Justin Bieber. It will never be Radiohead.
I can't say all, but the huge bulk of security issues I've seen revolve around some exploit which ends up writing a new file, or overwriting an existing file, which is then publicly accessible. If your file system is not writable, the large majority of WP exploits go away. However, you lose the "press here to upgrade your entire site and all the plugins in one easy step!" functionality, and the "upload files via the browser" ease-of-use.
If you're truly modifying public media files on a regular basis, a non-writeable file system kinda stinks (either make the FS writeable or use an external media host, which adds complexity and cost). MOST systems I run into aren't doing this often - it's "put up the site and update some pages every few months" (or blogging, which is often just text). For these, I recommend turning off write permissions to the whole of the WP system, and periodically turning it back on to do updates, then turning it off again.
Yes, this doesn't cover 100% of exploit cases, but nothing does, and I've found this to go a moderately long way to reduce the impact of various exploit attempts.
So, to answer the question, I would say "it depends". If the .net hosted version also by default allows for writeable media that is also executable, then there would be problems. However, I don't expect a .net-based system would allow you to get a ".aspx" file in a publicly accessible URL and have it just execute when accessed (unless there's some deployment mode that would allow for that?)
WP could address some of this by requiring plugin media/js assets to be copied over to public folders during an 'init' process, while requiring the core PHP code to be outside of the document root/public area. But it would break on certain hosting platforms (I know that years ago, Plesk templates would enforce that nothing could live outside the document root - every upgrade they'd change all PHP permissions to only allow PHP execution inside the document root, perpetuating poor security practices for anyone who wanted to host on plesk-managed servers).
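The lock-for-updates routine and the written-then-served check described in the comment above, as an added shell example that is not code from the thread. It assumes a standard layout with media under wp-content/uploads and that the web server runs as a user other than the file owner, so removing write bits locks it out.

```sh
#!/bin/sh
# Added example (not from the thread): lock a WordPress tree read-only between
# update windows, unlock it for an update, and audit for the pattern described
# above, where a writable web root lets an exploit drop a PHP file that is then
# served and executed. Assumed layout: wp-content/uploads holds media; the
# web-server user is not the file owner, so removing write bits locks it out.
set -eu

UPLOADS_REL="wp-content/uploads"   # assumption: standard WP media directory

# wp_lock DIR [keep-uploads]: strip write bits from everything under DIR.
# With keep-uploads, media uploads stay owner-writable (the trade-off from the
# thread: browser uploads keep working, at the cost of one writable directory).
wp_lock() {
    dir=$1
    chmod -R a-w "$dir"
    if [ "${2:-}" = "keep-uploads" ] && [ -d "$dir/$UPLOADS_REL" ]; then
        chmod -R u+w "$dir/$UPLOADS_REL"
    fi
}

# wp_unlock DIR: give the owner write access back for an update window.
wp_unlock() {
    chmod -R u+w "$1"
}

# wp_audit DIR: print findings and return 1 if there are any. Two checks:
#  1. PHP files under uploads, which a server that executes PHP in the media
#     path would run when requested (the written-then-fetched case above);
#  2. anything outside uploads that is still writable by anyone, i.e. the lock
#     has been undone (by an update, a plugin installer, or a compromise).
wp_audit() {
    dir=$1
    findings=$( {
        find "$dir/$UPLOADS_REL" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null \
            | sed 's/^/php-in-uploads: /'
        find "$dir" -path "$dir/$UPLOADS_REL" -prune -o -perm /222 -print \
            | sed 's/^/writable: /'
    } )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Usage: sh wp-lock.sh wp_lock /var/www/html keep-uploads
#        sh wp-lock.sh wp_audit /var/www/html
case "${1:-}" in
    wp_lock|wp_unlock|wp_audit) "$@" ;;
esac
```

Run wp_audit from cron between update windows; a non-zero exit means either the lock was undone or something landed in uploads that the server might execute.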
The problems with Wordpress are mostly:
1. WP installations are often not properly configured or maintained.
2. The plugin ecosystem is a mess of vulnerable and/or malicious code, or simply dead code that isn't maintained yet still deployed in the wild.
That a POST param was even used as the path to a file to delete without sanitizing it is not usually indicative of "secure coding practices".
I’d hate to see what you think is terrible then.
Wordpress is not and I imagine never will be anywhere close to “modern design patterns”.
It’s not even close to old design patterns, unless Heinz has a namesake software design pattern.
Wordpress uses practices that were considered a bad idea a decade or more ago, and still refuses to change.
However, not to disrespect the work that has gone into Wordpress, how hard can it be to write something better for the frontend and get marketplace adoption?
I do not like the frontend 'coding standards' and mess of plugins. Starting straight from the raw wp_ MySQL tables is a less insurmountable task than hacking some theme and bloating it out with 'jQuery' plugins that should never have been plugins. It seems that it is the ecosystem of design agencies with their lorem-ipsum big-up-front-designs and allegedly 'agile' workflows that have made Wordpress into something I do not like working with. Particularly when the add-ins make the backend far removed from sensible, making it a nightmare CMS for clients.
Hasn't anyone written a decent frontend for it that is not a tacky theme with ten thousand lines of CSS of which 97% is not used and a megabyte of scripts to get the carousel and share links working?
Hard.
Very hard. Especially because you first have to pick something as well installed and supported on hosts as PHP to even get traction. Good luck there.
Then you need to be at least as good in most or all features on launch to get any mindshare. Hope you have a few years to work on this side project before you release...
There have been plenty of attempts and of them all Ghost is about the only one to be taken seriously it seems and it’s niche at best (and not yet at the same level of features or ease of use & configuration).
So yeah, the answer is hard. Harder than you think.
Changing WP to use more modern design patterns (whatever that would entail) probably means breaking all themes and plugins, which isn't acceptable (and even if that wasn't an issue, I doubt the WP maintainers would just accept a PR that completely rewrites everything). This isn't really a thing random contributors can help with.
But, in response to your general theory: I can criticise a car as being fucking terrible without someone suggesting I “go build my own then”.
How's Linux for .NET hosting? Because Linux hosts are generally cheaper than Windows hosts.
For .NET Core there are binary packages [1] for Debian/Ubuntu, Fedora, Red Hat and SUSE, so you can apt-get/rpm/yum a hosting environment in a matter of minutes. I'd say it's easier to set up and run an ASP.NET Core app with Apache or nginx as a reverse proxy than with IIS. For "old" .NET you are stuck with Mono [2], which works okay-ish if you don't use Windows-only dependencies.
[1] https://www.microsoft.com/net/download/linux-package-manager...
If it is so awful, why is it on over 25% of sites?
It has helped a lot of people make a lot of money, and continues to do so.
If McDonald's is so bad for you, why do they serve 550 million Big Macs every year?
WP is 'free', has a low barrier to entry, and for many years non-developers were able to relatively easily add custom functionality (sometimes done well, but often security and performance nightmares).
A lot of people make a lot of money from selling illegal drugs, or fatty foods, or bad investment/insurance products.
WP has its place, and in the right skilled hands, for the right projects, addresses many business needs decently well. Until it doesn't.
But this "right tool for the right job" argument has been beaten to death when it comes to WP. The biggest 'meta' issue I see with WP is that it doesn't do much to encourage most people "developing" on it to ever consider other tools; they just learn to fit more and more jobs into the same ecosystem, whether it's a good fit or not. And due to the size of the ecosystem, it has enough gravity to keep attracting people to it.
Spot on. I do a fair amount of WP work. I'm a member of a number of WP groups on FB. I see this all the time. For most people WP is a hammer and everything is a nail.
Unfortunately, that's the Kool Aid served by Matt M all the way down. WP isn't an OSS application. It's a cult.
To the majority of the cult members there's nothing else. They know nothing other than WP. Truth be told, most of them don't even know WP.
This is an amazingly good comparison because in both cases the initial assumption is wrong.
Just like WP, McDonald's is not bad for you intrinsically. It's poor discipline and usage that causes problems.
People who've been raised on fast/processed foods, and may never have actually done any cooking themselves, honestly may not even understand the problems with the food they're eating, or what the alternatives are. Yeah, 'home cooking' is initially more expensive (need some basic tools, a place to store ingredients, keep them fresh, etc), and certainly more time up front learning how to cook certain things. But... you know what's in the food you've prepared. And you have knowledge and skills that can serve you for a long time.
If you're not big into development, you're reliant on a plethora of plugins, and you need to hope that the dozens of plugins you tie together know how to play nicely together. I'd run into multiple situations where poorly built plugins for plugins were hacked on and then conflicted with other plugins - everyone pointed the finger at someone else. And then the standard support line from a couple of vendors (these were plugins with paid support, btw) - "disable 100% of all your plugins, then enable them one by one to see where the problem is". Sweet.
And when I tell people I inherited a WP site with just shy of 60 plugins, few people actually believe me. "I would never do that! I would never build anything with more than 4 (substitute with various numbers representing experience levels of people) plugins - that's all anyone ever needs!"
When it works well, it works well. When it doesn't, it's a bloody nightmare.
Think of any modern development best practice that you like (e.g. version control, or automated tests): Wordpress will make it harder, and if you take over an existing Wordpress site, there's a non-zero chance that the previous developer wasn't doing it, making the hairball of code underneath the shiny interface even harder to work with.
I raise you another:
God help us; we're in the hands of engineers.
However, Peachpie seems like an awesome showcase of what is possible in modern environments and apps.