On Fri, Sep 29, 2017 at 9:11 AM, Rick Moen <rick@linuxmafia.com> wrote:

Quoting Todd Hawley (celticdm@gmail.com):

> I used to maintain a site that ran WordPress, we migrated it to DH and they
> insisted they could only run WP if our URL included the Dreamhost name in
> the URL.

How funny.

Yes. Looking back, I highly suspect they didn't want to have to do the work involved in setting up WP
for the site and then said, "Oh. You want this? Well then you have to do this for us." Free
advertising for them. What a concept. <sigh> Why didn't I realize this at the time? Ah well.

> Aha! I wondered why WP had so many security issues. Although from what
> I'd heard PHP was a nice scripting language and easy to learn. I had no idea
> it was prone to security issues.

Just for fun, here's a cranky rant giving a full rundown on the problems
with PHP:  https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

Interesting piece.

I suspect it's difficult verging on impossible to write good and
reasonably secure public-facing PHP code if it does anything
significant.  In any event, for whatever reason, there are continual,
repeating security breakdowns in WordPress itself.  Troublingly, these
tend to keep occurring over and over in the same areas, suggesting that
there are deep architectural flaws that give rise to the recurring
implementation flaws, i.e., the underlying problems don't ever get truly
fixed, only this week's manifestation of the problem.

If you've been around software for a while, you learn to recognise that
pattern.  Fixed, this time for sure!  Oh darn, here's another one that's
technically different, and we've fixed that.  Wait, here's another one
and a fix for it....

Or you have programming teams on tight deadlines who aren't allowed time to fix
a fundamental problem. Instead, they're told to find a patch for a bug and then "when
time allows," they'll go back and fix the fundamental problem. Which of course
never happens. Or they say, "that's not a bug, that's a new feature." :p

-th