WordPress.com ditches PHP for Calypso's JavaScript admin UI

Blog hosting provider WordPress.com is embracing JavaScript and open-sourcing its code base, in what the platform’s chief reckons is a big, risky and controversial bet. Automattic, the creator of WordPress.com, has revealed the existence of Calypso, a 20-month-old project that rewrites and open sources the code behind the …

  1. FF22

    You realize...

    .. that the only thing they reworked was the admin UI, and that the new version is still using server-side calls to an unknown backend (which is most likely still written in PHP), don't you?

    1. localzuk Silver badge

      Re: You realize...

      The backend is written in Node.js according to Wordpress.

      1. FF22

        Re: You realize...

        They're only talking about the admin UI render backend, not the actual blog backend. The blogs themselves are also most likely still served using PHP, otherwise all their WP plugins, themes and such would stop working.

  2. Your alien overlord - fear me

    “A lot of people thought we should keep this proprietary, but throughout my life I’ve learned that the more you give away, the more you get back,” Mullenweg wrote. “Thousands more PHP developers will need to become fluent with JavaScript to recreate their admin interfaces in this fashion.”

    So you give it away, thousands of PHP developers will need to (re)learn modern Javascript. So what are you getting back from that?

    1. Midnight

      "So you give it away, thousands of PHP developers will need to (re)learn modern Javascript. So what are you getting back from that?"

      Some of them might actually learn something about programming.

      Then again, maybe the horse might sing.

  3. No Quarter

    Wordpress. Meh.

  4. AMBxx Silver badge

    PHP to Javascript

    Out of the frying pan into the fire.

    1. a_yank_lurker

      Re: PHP to Javascript

      From one turd to another. Both are badly designed languages at best.

      1. Anonymous Coward

        Re: PHP to Javascript

        A poor workman blames his tools

      2. sabroni Silver badge

        Re: Both are badly designed languages at best.

        No, both are badly designed languages but at best javascript is elegant, compact and very powerful. You just need to avoid the shit bits, because the good bits are really very good indeed.

        1. Vic

          Re: Both are badly designed languages at best.

          at best javascript is elegant, compact and very powerful. You just need to avoid the shit bits

          I always liked this photo

          Vic.

  5. Hans Neeson-Bumpsadese Silver badge

    In my experience...

    "The challenge is that WordPress’ venerable PHP code base, which started in the early 2000s, has become one of legacy and change."

    The challenge is that WordPress’ vulnerable PHP code base, which started in the early 2000s, has become a massive attack vector.

    FTFY

    1. Captain Scarlet

      Re: In my experience...

      The challenge for me is every design agency marketing uses: they seem to use WordPress for everything, make a pretty site, slap it up and then never bother to update (as usual, every time I ask why this is out of date, I end up managing the bleeding things because of typical answers of "oh, it's up to the hosting provider to secure it" (FUME!)).

      1. AMBxx Silver badge

        Re: In my experience...

        Moved my site to Wordpress 12 months ago (self-hosted). Still amazes me how they let you directly access the underlying tables through php - no proper integration layer to speak of. No wonder it's so vulnerable to daft script-kiddies.

    2. Anonymous Coward

      Re: In my experience...

      To be honest, Wordpress itself is pretty secure, it's the plugins you need to worry about. By "worry about" I mean use sparingly, update often and stick with ones that are maintained and popular. With such a large portion of the Internet using Wordpress, it's a target for sure, however, it's only an "attack vector" if there is an unpatched vulnerability.

      1. AMBxx Silver badge

        Re: In my experience...

        No, it's not. The fact that a plugin can directly access the underlying database is the problem.

        If I want to check a user's group membership, they provide a nice method to call. However, there's nothing to stop me just querying the database directly. Same goes for adding a new user. There is no reason to give the plugins rights to write to a database without going through some form of integration layer.

        1. Ian 55

          Re: In my experience...

          How would you stop arbitrary PHP code doing that?

      2. Ian 55

        Re: In my experience...

        The problem with the WordPress software is that the authors prioritise convenience over security.

        So, you install it and... you have a default spam magnet post that anyone can comment on, and those comments will be instantly published. Why not have comments off by default? 'People like comments'. Even having moderation on by default would be better.

        You're also left with a login form that allows attackers infinite attempts to bruteforce their way in as fast as your server will allow, with no blocking of repeated failures, no delays on failure, no warning emails. I can't remember what they said about that one.

        If you block that one, then there's still the way that the xmlrpc interface will allow attackers to try hundreds of username/password attempts per request, again as fast as your server will allow, with no blocking of repeated failures, no delays on failure, and no warning emails. Turning the whole interface off by default would block Automattic's apps and Jetpack plugin, but there is simply no legitimate software using the multicall method that amplifies bruteforce attacks against you. Will they disable it by default? Nope.

        There is more...
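        As an added example for Ian 55's two points above (my code, not Ian's and not WordPress core), a must-use plugin that removes system.multicall from the XML-RPC method table and locks out a client address after repeated failed logins, with the warning email the comment asks for. The hooks (xmlrpc_methods, authenticate, wp_login_failed, wp_login) and the functions called are WordPress core; the LH_ constants and lh_client_key() are my own names.

```php
<?php
/**
 * Plugin Name: Login hardening (added example, not WordPress core code)
 * Place in wp-content/mu-plugins/ so it loads before any ordinary plugin.
 */

// Failures allowed from one client before it is locked out, and for how long.
const LH_MAX_FAILURES    = 5;
const LH_LOCKOUT_SECONDS = 900;

// 1. Drop system.multicall from the XML-RPC method table. Every other method
//    (what Jetpack and the mobile apps use) stays, but one request can no
//    longer carry hundreds of wp.getUsersBlogs login attempts.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['system.multicall']);
    return $methods;
});

// Transient key for the calling client. Assumes REMOTE_ADDR is the real client
// address; behind a reverse proxy, have the web server restore it from the
// proxy's forwarded header rather than trusting that header here.
function lh_client_key(): string {
    return 'lh_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

// 2. Count failures. wp_login_failed fires from wp_authenticate(), which the
//    login form and the XML-RPC server share, so XML-RPC attempts count too.
add_action('wp_login_failed', function (string $username): void {
    $key   = lh_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LH_LOCKOUT_SECONDS);
    if ($count === LH_MAX_FAILURES) {
        // The warning email the comment asks for, sent once per lockout.
        wp_mail(
            get_option('admin_email'),
            'Login lockout on ' . home_url(),
            sprintf("%d failed logins for '%s' from %s", $count, $username,
                $_SERVER['REMOTE_ADDR'] ?? 'unknown')
        );
    }
});

// 3. Refuse authentication while locked out. Priority 30 runs after core's
//    password check at 20, which would otherwise replace an earlier WP_Error
//    with a WP_User whenever the guessed password happens to be right.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ((int) get_transient(lh_client_key()) >= LH_MAX_FAILURES) {
        return new WP_Error('lh_locked_out',
            'Too many failed logins from this address; try again later.');
    }
    return $user;
}, 30, 3);

// 4. A successful login clears the counter.
add_action('wp_login', function (): void {
    delete_transient(lh_client_key());
});
```

        Because the lockout check runs after core's password check, each refused attempt still costs one password hash; it stops the guessing, not the CPU cost of a single request.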

  6. Spudley

    Wordpress.com !== Wordpress

    The first thing to note is that Wordpress.com is not the same thing as Wordpress.

    Wordpress.com is a hosted solution allowing you to run a blog without installing any software.

    Wordpress is a PHP-based blogging/CMS platform which you can download from Wordpress.org (not .com), and install on your own server.

    This article is about Wordpress.com, not the downloadable CMS.

    Wordpress.com can get away with replacing their core platform software because they control the platform. You don't get to tinker with it, and you don't get to install plugins. The users don't care; all they care about is that their blog works. They don't know the software behind it; they might make an assumption based on the name that it's the same software as they could download from Wordpress.org, but the fact that apparently it isn't really won't make any difference to any of them.

    Wordpress.org cannot do the same thing nearly as easily. The downloadable CMS product is used in millions of sites, and has a library of thousands of plugins and templates, none of which will work if the underlying platform is changed. The size of that community means that the current PHP-based Wordpress product is not going anywhere.

    Trying anything radical that breaks all those plugins (heck, even just cleaning up the existing code, never mind switching language!) would likely just lead to a project fork where the original code is kept alive and most of the users switch to that.

    1. Anonymous Coward

      Re: Wordpress.com !== Wordpress

      Wordpress.org has been cleaning up code incrementally for quite a while and yes, plugins that don't get updated do break quite a lot. WP as a system is far better than just five years ago, and it didn't require any big forks. Any sites that don't want plugins breaking (and don't allow user input to the db) can usually forego any updates at all. The others (mostly personal blogs) must update to be safe and presumably have been doing that all along.

      This "update and fix" cycle is par for the WP course, at least among those who do it themselves and don't settle back into the loving arms of Wordpress.com, oy.

    2. foxyshadis

      Re: Wordpress.com !== Wordpress

      Most of the users wouldn't even switch, because they wouldn't even know an update was available, let alone that it was a new platform. Self-hosted Wordpress blogs are among the most abandoned and full of long-patched holes, which is why they're so heavily exploited. It's like running a Windows 2000 server today.

      1. Ian 55

        Re: Wordpress.com !== Wordpress

        To be fair, since 3.7 minor updates have been automatic... assuming your system setup allows them.

        You're still left to do major updates yourself unless you set a variable, and if you ever visit your site's dashboard, you're told about those.

        But yes, there are an awful lot of old sites that need updating / deleting.

  7. alain williams Silver badge

    Arrrgh!

    I went to https://cloudup.com/ with my standard browser setup and all that I saw was 5 links to JavaScript that the NoScript plugin had blocked. Come on guys, at least show a basic page without me having to enable JavaScript - if you do not then I will probably just go elsewhere rather than try to work out what I should enable, indeed what I want to enable.

    1. Anonymous Coward

      Re: Arrrgh!

      It's nearly 2016, time to enable JavaScript. Bloody paranoid Luddites.

      1. User McUser

        Re: Arrrgh!

        I use the Firefox plugin "QuickJS" to enable or disable JS with a shortcut key so I can turn it back on when a site requires it (like Google Maps or my webmail interface.)

        When I turn Javascript OFF, my web browsing experience improves considerably; fewer ads (ZERO animated ads), WAY faster loading times, considerably lower exposure to malware, lower CPU usage (leading to lower battery drain), no crazy pop-up windows, no sudden hijacking of my pointer when I accidentally mouse-over something, no full-screen lightbox-style offers to subscribe to their newsletter or take a survey or whatever, nothing that stops me from right-clicking on the page, or using my keyboard to move the page around, no blocks on copy-paste...

        Boy, now that I think about it what exactly is the downside to disabling Javascript?

        1. VinceH

          Re: Arrrgh!

          "Boy, now that I think about it what exactly is the downside to disabling Javascript?"

          One of the downsides is that you get called a bloody paranoid Luddite by an anonymous coward. I've learnt my lesson as a result of that comment. From now on, no more NoScript for me, I'll be browsing with every script running, malware or no malware. In fact, I might even install Flash as well.

          Or maybe not.

          1. Lusty

            Re: Arrrgh!

            The whole Internet uses JavaScript these days, must be a pretty poor experience with it off. Do you guys really think removing JavaScript improves your protection somehow? Can't tell if you're joking :/

            1. Anonymous Coward

              Re: Arrrgh!

              "The whole Internet uses JavaScript these days"

              See that other article "100 million users have updated to Windows 10" - aka "Eat shit, 10 billion flies can't be wrong"

              1. Lusty

                Re: Arrrgh!

                Your irrational hatred of Windows 10 doesn't make it a poor product. If 100 million people are happy with it then it's doing what most customers want. Perhaps you're not the target market for Windows 10 - did you participate in the customer experience improvement program on Windows 7/8 which was used to shape Windows 10? If not, then perhaps next time you should be less surprised when the product does what other people wanted...

            2. Fibbles

              Re: Arrrgh!

              NoScript allows you to selectively turn on JavaScript for sites you trust. Considering that the majority of scripts seem to be for advertising/tracking/social media purposes even on sites you trust, you can still leave 99% of the js disabled and still get the 'proper' browsing experience.

            3. User McUser

              Re: Arrrgh!

              The whole Internet uses JavaScript these days, must be a pretty poor experience with it off. Do you guys really think remving [sic] JavaScript improves your protection somehow? Can't tell if you're joking :/

              OK, first off some pedantry: The Web != The Internet. The Web is merely a protocol running on top of The Internet.

              Second, most websites work remarkably well with Javascript disabled. The main difference is that I see fewer ads but all of the actual content I was looking for, since most ads these days are served from 3rd party advertising services and are deployed using Javascript (to read my cookies or whatever so they can "personalize" my advertisement-viewing experience.) Sure, some sites don't work very well without Javascript, and some like Google Maps don't work at all, but A) I can easily and quickly re-enable Javascript and then the site works just fine and B) there aren't as many of these as you might think.

              Finally, a lot of malware these days is being delivered by 3rd party advertising providers. If my browser doesn't execute the Javascript that would fetch those malware-laden ads, I don't get them. Sure there are other attack vectors in the browser, but without the ability to automatically execute they must rely on more obscure passive methods, like malformed JPEGs or something like that. It is far less likely that a specific website will be hacked to include such things versus using a 3rd party advertising service, mainly as a matter of scale. If a group hacks a site like The Register, they can affect/infect its readers only; if they push malware out via ad networks, they can affect/infect *way* more people on many different sites without having to hack into anything. So yes, running w/o Javascript does lower my exposure to malware on the web even if it does not fully eliminate it.

              As they say, don't knock it until you try it:

              Firefox: QuickJS

              Chrome: Quick Javascript Switcher

            4. VinceH

              @Lusty Re: Arrrgh!

              "Do you guys really think remving JavaScript improves your protection somehow?"

              User McUser has already explained that, yes, disabling Javascript does indeed improve protection, and provided a link.

              Here's another - a new one: Hackers spray Reader's Digest stinky feet with exploit kit. And the Malwarebytes post on the same subject, containing more detail: Reader’s Digest and other WordPress Sites Compromised, Push Angler EK.

              The coffee's over there... ready for the smellin'

  8. g e

    And..?

    Am I the only one that (3-4 years ago, admittedly, when I last had to deal with it) has seen the downloaded install-yourself WP core code and thought it was written by a 12-year-old?

    A serious question, I promise.

    1. theOtherJT Silver badge

      Re: And..?

      It's not just you.

    2. Anonymous Coward

      Re: And..?

      I'm pretty sure the guy was fourteen at the time.

      1. Third Electric

        Re: And..?

        And he outsourced it to a couple of 8 year olds.

  9. adnim

    Adapt...

    If one can code, one can code.

    The language/syntax is just an abstraction.

  10. Mage Silver badge

    The new WordPress is ditching its PHP code base for JavaScript,

    But Javascript usually is Client side.

    PHP is ONLY server side. Could be replaced by Java, which is NOT javascript.

    Explain?

    1. Graham Dawson Silver badge

      Re: The new WordPress is ditching its PHP code base for JavaScript,

      type node.js into your search engine of choice

    2. Vic

      Re: The new WordPress is ditching its PHP code base for JavaScript,

      But Javascript usually is Client side.

      Oh that that were still true...

      Vic.

  11. bollos

    wordpress is bloatware

    i had to do a simple blog page for someone a few years ago and i did it with one table and 6 fields and a simple admin script with a login for the site owner to add and edit blog posts and a simple blog page to read the blog table and display them on the page. the site owner decided to go with wordpress and after it was installed i checked the database and it had installed FIFTEEN TABLES!! incredible.

    if you want a fat bloated slow website with a large footprint, use wordpress :P

    1. Ammaross Danan

      Re: wordpress is bloatware

      Fifteen tables is certainly reasonable. I take it you didn't actually pay attention to what those tables were used for?

      I'd also assume your website design template (if you actually abstracted it from your display script) was terrible in-line styling or poor CSS at best? Perhaps you were not even escape-checking your input fields or base64-encoding enabled? Compared to a quick whip-it-out setup, it may feel bloated, but it's versatile enough to be used by more than the one person you wrote for.

      1. bollos

        pay attention.

        you're missing the point, it was just a simple blog. one table with one page to read it and one admin page to logon and add/edit blog entries. you don't need fifteen tables to do that.

        the CSS was loaded from an external style sheet, like it should be, stop guessing.

        it didn't need to be "versatile", it just needed to show the entries in the blog table.

        small code, just doing what needs to be done creates lightweight and fast sites. loading sites up with bloatware slows them down and creates pointless large footprints. imo this is a massive problem on the net.

    2. foxyshadis

      Re: wordpress is bloatware

      Of all the many reasons to loathe Wordpress, the fact that it uses a few more tables is the dumbest I've ever heard. Oh no, my database uses 5KB more of my 150GB disk now! Oh no, my queries are faster and more manageable after I've written a few hundred posts and started using tags and comments! Whatever shall I do!

      Face it, you didn't deliver what your client wanted because you thought you could fob off a half-ass project and convince them that was all they wanted.

      1. bollos

        less is more.

        the point here is one of philosophy or ideology. i like writing code that is as small as possible, using the least amount of code to get the job done. imo this creates lightweight and fast sites. some people load up sites with so much additional code that it slows them right down and they are over weight.

        to that end, decrying the use of fifteen tables when one does the job perfectly well is a perfectly valid criticism, not "dumb"; it's perfectly logical and sensible. if you approach development from the point of view that less is more, you create nimble and fast sites. the actual differences in speed might not be noticeable in reality, but it also makes the site easier to administer and port and obviously uses a smaller footprint, so needs less server resources. again, this might not seem like a big deal, but once adopted as a development philosophy it can add up.

        for the record, this was a simple blog without "tags and comments". ID, utime, title, bodycopy and image were the fields, that's all that was needed.

        the client chose to do what they wanted, as was their right, they probably thought it was what they needed but it wasn't. the designer that was in charge of the project agreed with me and thought it was ridiculous that fifteen tables were used just to run a small blog, understandably.

        i'm amazed that you can't see that less code and smaller footprints make for smaller and faster and easier to administer websites?

      2. bollos

        "half-ass"..

        for the record i didn't build the website, the designer did, i just did some work on a dynamic page elsewhere on the site (products loaded from a products table etc) and this was going to be an add on at a later stage but in the meantime they foolishly went with WP.

        you couldn't really make a comment like that unless you were involved in the project, certainly not without being accused of making foolish, hasty and ignorant judgements of people!

    3. bollos

      9 dislikes, really?

      i can't believe 9 WP fanbots disliked my message, aw diddums.

  12. Pomgolian

    Had to read that twice

    >The challenge is that WordPress’ venerable PHP code base

    Was I the only one that read that as "vulnerable" the first time round?

  13. Anonymous Coward

    Javascript = Client Side Hell

    Some popular Javascript sites are getting so overloaded with cooperative data mining and intrusive advertisements I avoid them like the plague and contrary to the implied meme, the mobile versions are worse.

  14. TopBlogs

    Right, and they have explained it further on developer.wordpress.org site.
