Sin #3 users are assumed to be software developers

Wait what? didn’t you just say the exact opposite about users being assumed to be technical idiots?

This probably goes back into the days WordPress was created when it was far from being a complete software even if blogging is all you cared about, and you were mostly expected to be able to tweak the CSS, HTML, or add some PHP code. The days before commercial themes, plugins, or even a repository of them.

Those days are in the distant past, but WordPress did not succeed in finding a new balance between removing obsolete features which actually hurt security, and keeping a “hacking” culture. This is why you see the theme and plugin editor as part of WordPress, although just the ability to edit code files in the browser should be a big no-no from security point of view.

Worse, it is being made as an excuse for WordPress not solving security issues. To paraphrase WordPress’s security czar – “It is not our fault it is the fault of the user that didn’t configure his server properly” https://wptavern.com/wordpress-security-issue-in-password-reset-emails-to-be-fixed-in-future-release#comment-219662

It is not just the security aspect, more important is the software development aspect. If you are join to change the code you better save revision in a place from which you can extract them and reinstall them if something bad happens, but WordPress do not offer any such tool. So on the one hand you are encouraged to hack the PHP/CSS/HTML/JS with the most primitive tools around, but there is no support for basic development practices when using those tools.

Software development is not something magical, and to some degree everyone can learn to do it, but as you are unlikely to service your car by yourself all the time, servicing your site should be left to the minority of people who actually know enough to avoid doing stupid things instead of letting people the impression that they can just copy and paste some codes they found on the net.
Changing something is easy, making sure the change is scalable, will not hurt your UX, will not hurt your SEO and social sharing, and most importantly, will be documented so you will remember in two weeks why you have done it in the first place, is not that trivial.

It is as if there is not enough bad software developers that write code for wordpress, from time to time you run into sites which were hacked by their owners, and when they ask you how they can upgrade to the latest wordpress/theme/plugin, the only logical response is to run away.

Leave a Reply

Your email address will not be published. Required fields are marked *