But for a few recent months it seems I've seen news on HN about once per month that someone's Wordpress site was hacked.
Which web framework may be better for a small agency (or in a general business case): Wordpress or Django/Flask?
Can you describe a typical workflow and which other tools/frameworks/keywords/etc (like REST) I need to use for this?
I am a bit nervous, as I am self-taught in this field, though I have tons of materials on that; but this job may provide some resources for my main projects.
But you need to choose based on what your objectives are. WP is quick and gives you decent bang for buck, especially if you don't need to create something from scratch and it needs to be used by non-developers. It is not really comparable to Django/Flask, which are actual frameworks to build web applications. WordPress is more of a Content Management System (CMS) that has been extended over the years to technically create flexible applications, but mostly for non-tech users.
Use WordPress if you want to build websites with some dynamic functionality like contact forms etc. (plenty of well-vetted plugins for those). Use Django/Flask if you are building a full web application with tons of user interactions.
WordPress = Web Site
Django/Flask = Web App
If you want to install a theme and not adjust anything it’s ok-ish. For anything more complicated I’ve found Wordpress unworkable.
I feel lucky to have discovered craftcms, a well-architected CMS with flexible content modeling. Free for a single user.
Wagtail has over 15,000 stars on GitHub, is heavily supported and was created in 2014. It has since been adopted by organizations such as NASA, Google, and the National Health Service.
Below is a comparison between Wagtail and Wordpress.
2) If you need what is called a CRUD (Create-Read-Update-Delete) website, doing something more like a spreadsheet, but with more complexity than a spreadsheet can handle, then Django makes this as easy as it is possible to be. However, you will have to do a lot more programming than with WP, where really you shouldn't have to do much programming at all.
3) If you need even more customized functionality than CRUD, then Flask is easier to customize. For example, you need to make a real-time auction site, or connect to a machine learning library to train up new models every week, or some other really non-standard thing. There, Django's features that make CRUD easier will just get in your way. Flask is more lightweight, meaning it provides less but is also much more flexible for non-CRUD websites.
If you are doing what a typical small company needs, then you should go with Wordpress. It can do everything you need, there is an abundant ecosystem of companies to host and maintain it for you, and all of the extra power that Django or Flask would give you is not going to be utilized. Wordpress is fine security-wise, if you keep it up to date.
No? You can import whatever you want into the view and do whatever logic you need to. The Django stuff doesn't get in the way at all.
> build a website for them plus a bit of marketing stuff, and maybe a remote desktop and a platform for invoicing for their personnel.
This is a shoo-in for Django, especially the invoicing part.
Wordpress is a blog engine. It's great for letting a bunch of people log in and submit news but every feature you implement beyond that is going to be through plugins, and those are routinely compromised. All sites I've deployed that used only the major plugins (Yoast, Jetpack, WooCommerce, etc.) are still running. All third-party ones have since been compromised, which is embarrassing for me. I wouldn't deploy Wordpress for a business again unless the alternative was Magento.
Django isn't bulletproof, but it will stop you from making amateur mistakes as you build it out. There is no convenient plugin architecture with a friendly UI, which makes it harder for yourself (and the client) to change themes/plugins every week and introduce code that can be exploited.
Sounds like you're trying to learn too many things at once. And you for sure do not need to learn C++ for web development. PHP and JS/TS are missing from your list. Those would be the languages to learn for WordPress. But there are already plugins for invoicing and the things you need out there; sounds like there is nothing too obscure that can't be solved with already existing plugins. So do you really need to be a programmer? Probably not.
There is a reason WordPress is used so much. I am biased because I am a self-taught WP dev, but WP and PHP are evolving constantly, there is a plugin for everything ...
You are supposed to build a website, remote desktop, invoicing for an agency, and they hired you for what exactly? What skills did you tell them you have?
Sorry, but you sound very naive and I could not find what you're actually skilled in. You look for "keywords"??? And you read one article about someone's WP site getting hacked and that makes you think WP is insecure?
Even if I try to be unbiased this sounds like a clear case for WordPress to me.
By "keywords" I mean just the names of the tools/frameworks/concepts.
I posted a few links about WP being hacked below. It may be that's all I've seen on HN.
WP will be easy to set up, but adding custom functionality can be a real pain, and lots of plugins are of ... questionable quality, especially regarding security. I personally strongly dislike WP, but it does the job so long as you keep things simple and lock down your plugins.
Django will give you a good structure and some core functionality like login out of the box, and the built-in admin site is great, but you'll need to code your functionality. It looks like you're doing some custom code, so this approach could work. You could also use something like django-cms or wagtail if you want some of the WP functionality.
Flask: Deceivingly simple at first, but you'll spend full-time debugging it soon. It is NOT a framework for beginners.
Django: A bit more learning curve than WP, but will take you far, if you read its docs properly.
Using Django or Flask might be overkill for what you're trying to do. I suggest you stick with WordPress, but check out the Sage/root style over at https://roots.io/sage.
It's not the classic WordPress; it's a modern, more secure version (not more secure but less prone to some common automatic attacks).
Also only use plugins when you absolutely have to, and if you do, stick with the pros (i.e. Gravityforms).
I've used WP a lot (more than 1000s of websites) and I'm also using Python with Flask and FastAPI (but never used Django).
WP is mostly a small-business workhorse, with nearly everything included in the package (admin, editor, lots of third-party addons), which is good enough for small scale, cheap and simple (most things can be done without developers), but it does not scale well.
So if the business grows, at some moment it will be very hard to use WP, and/or the business will slow down if it continues to use WP.
Django is better when you have a developer team; it is a full-featured framework, has many things included in one officially supported package (but not as complete as WP), is optimal for a medium business, and with good developers/ops could serve any scale, but it has too steep a learning curve to start small.
Flask could be considered a simplified Django, also good, but to do the same things as Django you need to create a modular design from many separate packages, which are not orchestrated/supported by one official source.
So with Flask you will probably start faster than with Django (I myself spent ~half a year learning Django; with Flask I started in a weekend), but you may encounter problems when some dependency changes too much, so you will need to recreate the interface for it.
Unfortunately, Django does not offer a standard way to transition between major releases, but within one major release you can expect minimal effort to transition if you use standard components. Many things can be recreated on another version just by changing config and/or database schema, so much of the work can be done by ops (admin/database administrator).
WP also does not offer a standard transition path, but in many cases it is just very simple to recreate everything from scratch; much of the work can be done by the user and some things need ops.
With Flask, when you need to transition to another version, you will probably recreate all interfaces between components; you need a programmer to do this, and also ops.
But when a weakness is found in some part of the software you used with Flask, this could be a big problem, because parts are supported by different people, some may become unsupported or may be supported worse than others, and you will not have one party to call, unlike the case of pure Django.
The same problem could happen with WP, because many custom plugins are practically just another separate big system, also not supported by the main WP team. But in many cases, SEO and lead tracker could come from the official package.
But, from what I have seen myself, with WP you will typically end up with a few sites, each serving part of the business, each consisting of 2-4 big chunks which work well together, so you will depend on a limited number of parties (with Flask, the number of parts will be more than 5, because there nearly everything is separate).
With Django it is possible to do everything in one site, and to not use anything from separate sources except the frontend framework and markup (for example, in an ideal world it could be Django+React+Bootstrap and nothing else; sure, in reality there will additionally be some SEO addon, lead tracker addon).
*or Theme, or other 3rd-party code
The description isn't enough to know if it's something wordpress could handle out of the box.
There are places that host and manage WordPress. If you don't install any plugins, WP is secure enough.
The difference in a Django hello world and a fresh WordPress install is like a million lines of code.
Those that did their website with other tech did not get the same results, and thought about how to compete or survive.
For security, I use the Sandstorm (https://sandstorm.io) fork of WordPress that generates static websites. But that does not work with some interactive plugins.
My workplace has multiple WP sites and Shopify stores, and I'm thinking of trying to consolidate all of these under a single presentation layer, probably with Gatsby.
Consider what is commercially available. Selecting, configuring, integrating, and supporting software services is still something you can charge for. Small companies pay for efficient results, they don't typically care how much code you personally write.
You could build their marketing site on a fully hosted solution like Squarespace, Wix, Webflow, etc. Or if you want to use Wordpress, stick to something like Wordpress.com or WP Engine with a commercial template and all auto-updating turned on. Make it easy on yourself and outsource security to folks who know what they are doing.
Remote desktop and invoicing also sound like needs that can be met more efficiently and securely by available commercial solutions.
It takes care of 99% of the things a marketing website needs to have. For the 0.999% other stuff it doesn't include, the plugins can take care of it.
"But what I'm building falls under those 0.0001% cases not covered :/"
Oh, then use Django.
But easy availability of plugins leads to high probability of hacking. Put another way, a WP site needs constant monitoring/upgrades of the plugins to avoid being hacked. This means $$ out of pocket for website owners but money for developers.
2) Personally, I don’t recommend WP. I prefer Python/Flask (I’m more familiar with it) or Django. You can build the site and essentially forget about it.
In addition, I prefer separating front-end code from back-end code (for WP, you use PHP, which combines both HTML and server-side code in the same file).
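On the point above that a WP site needs constant monitoring of its plugins: an added example, not from any commenter, of a small Python check that reads the JSON from WP-CLI's `wp plugin list --format=json` and flags plugins with a pending update or that are installed but inactive (still on disk, so still attack surface). The `name`/`status`/`update` field names are assumed from WP-CLI's output, and the sample input is constructed.

```python
import json
import sys

# Constructed sample in the shape of `wp plugin list --format=json` output
# (field names "name", "status", "update", "version" assumed from WP-CLI).
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "contact-form-x", "status": "active", "update": "available", "version": "1.2.0"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "0.9"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
])


def plugin_findings(wp_cli_json: str) -> list:
    """Return (plugin, issue) pairs that a periodic hygiene check should raise.

    Two conditions are flagged: a pending update (the site is running code
    with a known newer release) and an inactive plugin that is still installed
    (its files stay on disk and reachable, so deactivating is not removing).
    A plugin can trigger both, so both checks run independently.
    """
    findings = []
    for plugin in json.loads(wp_cli_json):
        name = plugin["name"]
        if plugin.get("update") == "available":
            findings.append((name, "update available"))
        if plugin.get("status") == "inactive":
            findings.append((name, "installed but inactive; remove it"))
    return findings


def format_report(findings: list) -> str:
    """Render findings as a short text report for a cron mail or CI log."""
    if not findings:
        return "OK: no plugin findings"
    lines = [f"ATTENTION: {len(findings)} plugin finding(s)"]
    lines += [f"  {name}: {issue}" for name, issue in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: wp plugin list --format=json | python3 plugin_check.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_JSON
    findings = plugin_findings(data)
    print(format_report(findings))
    sys.exit(1 if findings else 0)  # non-zero exit so a scheduler can alert
```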
Laravel fixed this with Blade templates, and this repo[0] brings it to Wordpress.
Django for any functionality-focused site or web application.
Flask for quick APIs of limited functionality that just need to "get done now".
You can use the one hosted on wordpress and change the domain, so you don't have to worry about hackers or anything. This one is plug and play, so unless you want to do a custom template/plugin you don't need to learn to code.
* Django is like a wordpress but less popular and less SEO friendly (or less popular for them).
* Flask will require you to learn a lot of html, python, etc.; it will consume a lot of your time to get to the same point as the other 2. Flask can get better results than the previous two, but for your use case I don't think it really matters.
Minimize customization, and keep it updated.
Then someone else can always work on it.
The core is fine, but the attraction of WP is not so much the core but the huge number of plugins, and many plugins are not fine (but they don't say so on the label).
You cannot go wrong with Wagtail, but its learning curve is steeper. It doesn't come with much out of the box.
[1] https://news.ycombinator.com/item?id=31584788 Researcher goes public with WordPress CSP bypass hack
[2] https://news.ycombinator.com/item?id=32561198 Hacked WordPress – over 17,000 spam links injected post compromise
[3] https://news.ycombinator.com/item?id=5702570 Tell HN: Bots are Constantly trying to hack your Wordpress Sites
There are more dating from 5 and more years ago, but I didn't link them here. It seems I saw at least twice as many similar news items for WP in recent years, but maybe these links were in the HN server cache or something and with no comments, so they are not shown in search.
I can't imagine ever choosing it over Django with Wagtail. It's a little bit more work to implement and maybe maintain, but the payoffs are well worth the investment.
Yes, it does[0]. Crappy plugins just made it much worse.
[0] https://www.cvedetails.com/product/4096/Wordpress-Wordpress....