I want to start a little website, for my ideas and other stuff but I can't convince myself to use WordPress and I'm kind of lazy to code my website because I'm afraid of security problems... Do you have any advice to make a choice ?

@Letmecode why ?

@Orionss because wordpress is bad. It's probably the worst architecture on any widely used web platform out there. It's the epitome of spaghetti code and there are facepalms literally everywhere.

Because it's spaghetti code, it's decentralized, and securing it meant changing stuff in a ton of places for every single discovered vulnerability. What that meant is that it's very easy to miss something.

I don't follow WP news in the last couple of years, but before that, news of WP vulnerabilities were posted regularly. You could literally follow these news then go hack a few Wordpress sites. It's just that bad.

Come on, there is a file called 'functions.php', which contains random functions. It's the second biggest file in Wordpress, and has over 5000 lines of code. If that doesn't say 'shit', I don't know what does.

So in order to ensure security, all you need to do is:

1. NEVER trust user input. That means that you should NEVER output the input of one user to any other user. And NEVER use the user's input when forming any sort of code (like SQL, or JSON queries to APIs, etc) without making sure that it can't possibly break your query. Always treat user input like someone is trying to fuck with you. Because they always do.

2. Never trust the network. If it's not HTTPS, then 100000 shady 40 year old virgins from China are watching every exchange of information. Every GET you take, every POST you make, they'll be watching you.

3. Never store passwords. Store only something that will let you validate the password (a hash), but it's also good to make the computer work for a bit in order to validate it, so that some dude can't buy the entire stock of new AMD Polaris graphics cards and start cracking them. Just use bcrypt.

@Letmecode it depends how you set WordPress up and how well you maintain it

@apisarenco I would add that to avoid a rainbow attack you should implement and use SALT values before and after the password before it's hashed.

EG:
$password = bcrypt('rjsktn836!4' . $userSubmittedPassword . 'hrjek847!');

Where rjsktn836!4 and hrjek847! are salt values. It helps protect against someone matching the hash value to a dictionary of hashed values.

Of course there are then very thin creepy vulnerabilities that take time to learn. A good practice is second-guessing yourself in every crucial coding decision. In order to get any work done, you need to make these crucial decisions only once, in a single place, and not on every page or module that you make.

You need a solid core, and then extend it in ways that don't do the things that the core is supposed to do.

You can either make that core yourself (only if you're experienced enough and are a masochist who likes people blaming you for inventing yet another framework - like I am), or use existing ones.

If you're on PHP, just use Symfony. It's bad, I hate it, but at least its community isn't full of fuckwits who parse HTML with regex in order to retrieve a list of image URLs linked to a page by first outputting the image list as HTML, then intercepting that output and parsing it for URLs. That's a thing I actually saw in a popular plugin for Wordpress. Yiiihhh!

@Letmecode I admit it has its faults but it is continuously updated and improved upon due to its mass use. I agree that there should be a code review team before plugins are available on the open repos but that is a pipe dream that I hope comes true but I fear it won't.

@laceytech version 3.7 had wp-includes/functions.php with "only" 4000 lines of code. Current version has more than 5000 lines of code in that file.

I wouldn't call that "improvement" one small bit.

And it's just something that I don't get. Why pop out a major version if it's just as shit as the old version and no meaningful improvements?
Is it for backwards compatibility? No! Most plugins break on minor version changes, because they're just THAT poorly written. The more popular plugins are updated in time, so if the API changes, they can quickly adapt.

So in all of that time, WP didn't even bother making the code base robust and readable. Up until this day, WP is probably the biggest source of bad PHP developers in the dev community, second maybe only to w3schools, who up until last year was still teaching php+mysql with mysql_* functions.

@apisarenco You either use what is there or you build something that is better. The only problem is that new system then gets popular and more heavily utilised and then sooner or later it will be plagued with similar issues. Open source is great, but when you have thousands of developers maintaining the core and possibly the same number writing plugins then you are asking for problems. At the very least we feel WordPress should have a code review process for themes and plugins. They have best practice documentation on developing themes and plugins but nothing to check this before a project is approved - it's mad!

@Orionss, you could look into GitHub Pages (https://pages.github.com) and a static site generator like Jekyll (https://jekyllrb.com).

It's free and you don't have to worry as much about security.

If you want/need a back-end, consider a "serverless" architecture (i.e. using AWS Lambda functions to act as your back-end).

@cGF0 Thanks for the infos but I need a real backend !

@Orionss That's what she said! ;-)