This was written in response to a software engineer’s comments about the weaknesses of WordPress. He is not wrong. WordPress has those weaknesses. But it became the dominant small website software because of how it satisfies website owners and visitors, not engineers.

“It’s not written for programmers, Tom. It’s written for the general public. If you want a script that is open source and written for programmers and the logical, you use Drupal.

Yes, WordPress was the most hacked script in existence, but, to be fair, the real vulnerabilities were in PHP and SQL (MySQL), and in the bad code practices of plugin and theme makers.

Most of that has been corrected, and the hacker pressure on WordPress forced PHP and MySQL to improve. As the new languages have emerged, they were created in an environment that was aware of malware and exploits, something barely imagined back when WordPress was first conceived and built. The new languages and database models assume a hostile environment.

And so does WordPress now. I hated the insecurity of old WordPress. Nowadays, however, I see more problems with overly aggressive security than with insufficient security.

If I want hackerproof, I might choose to use HTML. Or, a WordPress install with no plugins and the basic theme.

But whatever site I build that way will NOT be competitive if I am trying to sell something or undertake some kind of activism or cause, or do almost any of the kinds of things one builds a website for these days.

When deployed the way it should be, WordPress wins the competition for traffic, search positions, and visitor actions and bonding every time, in the class of small to medium-large websites.

That’s why it has become the backbone of the private citizen internet. Not logic. Not ease of use. Not security. But because it wins the cutthroat competition for internet results at an acceptable ROI.