I think there are a lot of valid points here, but sometimes in reality it’s not as simple as “banning WordPress from my server” or similar, as the end users maintaining the sites or updating the content are non-techie, and even with WordPress often struggle to understand some concepts. I’ve converted my own website to static content to move away from WordPress, but that’s not easy or possible for everyone. 


I suggested using WordPress as an editor and using a plugin to export to static files, and was met with blank responses. They also couldn't understand that their editor would be on a different URL to their website, and that changes may take a short while to be reflected. 


Fundamentally, WordPress is the Windows of CMSes: their large install base makes them a target and to some extent no matter how secure WordPress is, there are so many people targeting it that vulnerabilities will be found. WordPress accounts for 43% of all websites on the internet; MODX is 0.1%. So it's largely security by obscurity.


My approach is simply that I can't (easily) eliminate WordPress from my life, so I'll take every precaution to minimise the impact IF it gets compromised. For me, that's running it in containers and keeping it up to date as best possible. 



Kind regards,
Paul

+44 (0) 773 996 2121


From: Peter Collins via BitFolk Users <users@mailman.bitfolk.com>
Sent: Sunday, November 26, 2023 11:08:11 AM
To: iain <iain@hairydog.co.uk>
Cc: Peter Collins via BitFolk Users <users@mailman.bitfolk.com>; Peter Collins <bitfolkvps@3720.co.uk>
Subject: [bitfolk] Re: Docker on VPS
 


On Sun, 26 Nov 2023 at 10:52, iain <iain@hairydog.co.uk> wrote:
> The reality is that users do not update addons. So the admin has to do it, which is a pain and good luck with getting paid!

Again that’s not the fault of WordPress as a platform.

> Yes, the core of WordPress is pretty secure (though way too slow).

That’s subjective.

> But that's like saying that guns don't kill people: the bullets that users put in them are the problem.

Actually what you’re describing is guns don’t kill, it’s the person pulling the trigger.

My point remains, whatever your issues with WordPress are, to say it shouldn’t be as it’s just not safe is wrong.