WordPress just lost its default status for publishers
The battle between Automattic and WP Engine has exposed an unexpected vulnerability of the WordPress ecosystem — and it's one publishers should be wary of.
For years now, whenever anyone has asked me which content management system a site should be using, my answer was pretty much always “WordPress”. Even when my site was running on Movable Type, or years later when I moved to Ghost, my answer would be the same.
Why?
Well, there’s such a vast ecosystem around the product that any non-technical publisher has multiple firms of varying sizes and prices that it can choose from to support them. The array of commercial themes and plugins means you can build pretty much any type of site you like. There’s a reason about 40% of the web is powered by WordPress.
The problems with WordPress
Sure, there were downsides. The sheer fact that so much of the web is running on WordPress means that it’s a giant target. And every single one of those plugins and themes is a potential vector for attack. You need to keep everything on your site ruthlessly up-to-date to be safe.
Happily, years ago, the WordPress team made that much easier, by tying the plugin and theme management to the WordPress.org directories — allowing you to automatically update your dependencies from within that app.
And that’s why I can no longer recommend WordPress as much as I once did.
Matt pulls the plug
Last week, I wrote about the conflict between Automattic and its founder Matt Mullenweg, and WP Engine. That’s heading to court, with suit and counter-suit. And, frankly, I’m not here to litigate who’s right and wrong in that discussion. No, what has made me suddenly uneasy about WordPress is a unilateral action from Matt’s side of the equation which has put numerous WordPress users at risk.
He severed WP Engine’s connection to the wordpress.org directories. All of a sudden, WP Engine users could no longer automatically update their plugins and themes from within WordPress. And so, with every single day that passes, each of those sites grows potentially more vulnerable to being hacked.
This is a terrible situation for commercial businesses, especially smaller ones, which probably don’t have full-time WordPress experts in house. While that block was temporarily lifted, it’s back on again now. And WP Engine had little or no time to build out an alternative system for its users.
The problem with plugins
I learnt long ago that plugin dependency was a real vulnerability of the CMS ecosystem. Years ago, when I was working as head of blogging for a publisher, we had one site that was stuck on an outdated version of Movable Type because a critical plugin used to build its functionality was never updated for Movable Type 4. (We eventually solved the problem by selling the site, and the new owners moved it to… WordPress.)
If you can no longer be assured that your site can get swift and easy updates because Automattic and your host have fallen into dispute, WordPress becomes a much less compelling proposition. Ghost might be harder to update (you need the command line to do it), but if that’s beyond you and your tech team, you can use managed hosting to do it — as I do. And Ghost’s complete lack of a plugin infrastructure, while frustrating to some who have come from WordPress, means that massive vulnerability just isn’t there.
WordPress is no longer the default
So, I’m not saying that everybody should flee WordPress. But we have just had a taste of how the whole WordPress ecosystem is exposed to the whims of one man. Traditionally, wordpress.org was where the open-source version of WordPress lived, and wordpress.com was Automattic’s commercial hosting operation. But now we find that the walls between the two are more like, well, doors. Large ones. And one man has the key. And if Automattic — or Matt — has a beef with your host, keeping your site safe and updated will be tough.
That brings a load more nuance to the hosting conversation. And with publishers like Mill Media happily using Substack and Ghost to build successful sites, there are plenty of good alternatives to look at.
WordPress is no longer the default. And the longer this battle drags on, the more trust in the product will erode.