The horrifying state of Wordpress (Plugins)

A story of Wordpress and Wordpress plugins in 2021

Lately I have been helping my significant other to get her personal blog up and running. She initially decided to go for a pragmatic approach by using a hosted offering first, Wix, and then gradually move to a self hosted Wordpress instance once the limitations and costs of Wix were known and understood. As a backend engineer I told her it should be a piece of cake and it shouldn't take long to get everything working with her own domain, SSL certificate and clean Wordpress installation for very very cheap.

Wordpress was the perfect candidate in this case, easy to use, lots of documentation and lots of help out there in case something doesn't exactly work out. Or so I thought... I haven't touched Wordpress in years and I only heard good things about it lately so yeah, let's give it a shot.

Managed Wordpress instances are quickly outdated

After renting a 5€/Month server with a pre-built Wordpress image running, I whipped up a small test instance so that she can try it out and get acquainted with the interface and the tools.

The setup was working quite alright and things like Elementor and others worked great. I was proud to see the progress and how things took shape. Overall, after a couple of weeks everything was working great and the first articles were there.

The experiment was a success and my girlfriend was convinced that Wordpress would be the way to go.

However, after having a quick look at the Wordpress instance it was clear that it needed some Ansible love and care. There were many warning messages: "update necessary", "php version outdated" and other things that needed to be taken care of. As a responsible part time sysadmin I know that these things are essential to take care of immediately, otherwise it's an open door to trouble and eventually GDPR issues. No good.

Since these things require hand in the dirt kind of action I ssh'd into the machine and ran the first commands to get all the issues fixed.

Bad luck. The managed image was (very) badly configured: there was no configured firewall, no fail2ban or similar tooling, and no documentation about where to find the tools or their configurations. It was basically a falsches Sicherheitsgefühl (false sense of security) to trust that image and build on top of it. I won't mention the provider but they should either do it well or remove the image. Make your customers look good ;)

Since this was a test instance, we thought, okay let's /32 restrict it and wrap the action up as quickly as possible.  

Moving to a Devops CI/CD Wordpress installation is straightforward

It was quickly decided that the test instance would be sent into early retirement and a more solid setup would be necessary.

So again, let's quickly spin up a server and get it configured. Luckily I have these steps automated so it was just a terraform init && terraform apply and an instance was created with latest patches, latest versions, configured keys, firewalls, nginx, Let's Encrypt and co. It helps to have things like that already configured.

That being done, the only step was to get wordpress, mysql and umami (analytics) running in docker containers and have an ansible script update them and the server periodically. That was done relatively quickly and https://domainname was giving the right stuff back.

The last step is then to move the content from the test instance into the main installation. In other terms, the main installation is the productive instance and the initial setup is the dev instance; even if they drift in configuration, let's continue with that definition.

Should be a piece of cake right?

Wordpress backups and migrations are the Dark Souls of blogging

For some context, it has been years since I played or worked with Wordpress. I was more busy screwing around with static website generators and even spent some time trying to evaluate the benefits of creating my blog using emacs org-mode (I have a prototype lol!).

Let me cut to the chase by saying that backing up a website using Wordpress is an absolute nightmare if you haven't done it before. Moving a Wordpress website to another domain (or to another stage for the connaisseurs amongst us) is a Dark Souls kind of endeavor.

Now don't get me wrong, I know how difficult backing shit up can be but we're talking about a blog here and not kafka clusters! I wasted hours of my life getting this working and yet it did not work perfectly but let me elaborate.

Let's try it out!

A huge majority of Wordpress Plugins are straight out scams and suck big time

First thing I turned to were Wordpress Plugins since they seem to be the universal answer to every possible Wordpress vs the world argument. "Wordpress has plugins, you don't need to code!", "There is a plugin for everything".

Next time you hear that argument tell them Funnybretzel said "MY ASS". If I have to weed through 40 plugins to get some basic shit working it doesn't count as helpful. It is absolutely horrendous. Imagine a devops beginner getting hit with a "CrashLoopBackOff" error if they wanted to play around with Kubernetes or a Python beginner getting hit with "module not found" right after having done a "pip install pandas"? What kind of world would we be in?

So to elaborate, there are currently 4 "top" plugins to achieve the backup and migration functionality from a dev stage to a productive stage. Most of them let you create the "backup" but once you want to import the backup in the new server this is what you get:

Don't worry, it being in German is not what is wrong with it

When you import the file (spoiler alert: it's larger than 2MB) it will display a popup that you will need to pay a certain amount of money to be able to import the backup.

But for the attentive people amongst us, clicking the link on the bottom and screwing around a bit with the .htaccess file you can increase the max upload filesize to get your backup uploaded.

Doing that will let you upload but what happens next is very interesting.

Wordpress plugins are Dark Souls mimics

A loading popup appears.

And guess what? Nothing is happening. The loading popup keeps resetting and restarting, and logging the server and the network traffic shows: NOTHING is happening.

That made me rofl. I was like "Here I am, installing some random plugin claiming to be a good one, that actually does nothing without auditing wtf they are doing or how they implemented it". After the fact, I checked the plugin reviews and they were total shit except the 80% that were generated by bots.

Doing the same experiment with other plugins you'll see how they bait and switch and low quality rug pull unknowing people into buying into their crap.

Crypto version of a Wordpress Plugin

In a sense, these plugins remind me a little bit of the mimics in Dark Souls which are kind of traps that look like normal objects but when you approach them they yeet you and your weak hands back to the previous bonfire.

Some plugins may be alright, I bet, but I couldn't care less anymore the trust is completely lost.

Is this the environment we are pushing beginners and people who just start their online experience towards? No wonder managed services like Wix and Squarespace gain traction. They just werk! An argument can be made about the hosted version of Wordpress, but come on, how much better can it really be? Don't tell me about those fancy plugins now will you. :)

Being a black belt backend developer and team lead I couldn't let this be and just write another user story. I had to make this work.

My girlfriend was already looking at me with despair in her eyes. During this whole ordeal, which played out over the course of a Saturday afternoon, she witnessed me talking to myself and cursing PHP and the word Plugin again and again. But this was not a programming language issue. The issue was that a huge majority of the Wordpress content out there is made by shills that want you to fucking click their shitty affiliate link pretending that "this plugin will solve your issue" but only if "you click on the link and type in my coupon code otherwise it won't work" and still won't solve the problem. I have no problem donating money to people who solve my issues but clicking on your link just so that you get a commission? Merde. Installing your plugin packed with Dark Patterns? Merde encore!

Some time later. Credit Spongebob

Getting my hands dirty and messing with databases

So to cool off I thought it would be a good idea to check out some database backup tool. That turned out to be funnier than expected.

The procedure to get the backup migrated manually is really from a clown world. You have to zip the wordpress content folder, make a dump of the database, move the stuff to the new installation, replace some strings from the old dump with some new strings (mainly absolute paths in the Wordpress installation lmao), play around with the wp-config.php. That was quite fun to get everything working and move the stuff around. But here and there there were glitches and it still did not work perfectly. (and nope, wp-cli did NOT WORK).
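One well-known pitfall of the "replace some strings" step, shown as an added example that is not part of the original post: WordPress stores many option values as PHP-serialized data in which every string carries a byte-length prefix, so a plain search-and-replace leaves stale lengths whenever the new URL differs in length. The sketch works on raw column values (not SQL-escaped dump text); the domain names and the sample value are constructed.

```python
import re

STR_HEAD = re.compile(rb's:(\d+):"')   # header of a PHP-serialized string

def php_str(b: bytes) -> bytes:
    """Serialize one string the way PHP does: s:<byte length>:"<bytes>";"""
    return b's:%d:"%s";' % (len(b), b)

def lengths_ok(value: bytes) -> bool:
    """True if every top-level s:N:" header is followed by N bytes and '";'."""
    pos = 0
    while (m := STR_HEAD.search(value, pos)):
        end = m.end() + int(m.group(1))
        if value[end:end + 2] != b'";':
            return False
        pos = end + 2
    return True

def migrate_value(value: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new and recompute every string length prefix."""
    out, pos = bytearray(), 0
    while (m := STR_HEAD.search(value, pos)):
        end = m.end() + int(m.group(1))
        if value[end:end + 2] != b'";':
            # Looks like a header but the length does not fit: treat as text.
            out += value[pos:m.end()].replace(old, new)
            pos = m.end()
            continue
        out += value[pos:m.start()].replace(old, new)
        # Recurse so values serialized inside a string are fixed as well.
        out += php_str(migrate_value(value[m.end():end], old, new))
        pos = end + 2
    out += value[pos:].replace(old, new)
    return bytes(out)

# Constructed sample: old (dev) and new (productive) site URLs and one option.
OLD, NEW = b"http://dev.example.test", b"https://blog.example.test"
SAMPLE = (b"a:2:{" + php_str(b"home") + php_str(OLD)
          + php_str(b"logo") + php_str(OLD + b"/wp-content/l.png") + b"}")

if __name__ == "__main__":
    naive = SAMPLE.replace(OLD, NEW)
    print("naive replace keeps valid lengths:", lengths_ok(naive))
    fixed = migrate_value(SAMPLE, OLD, NEW)
    print("length-aware replace keeps valid lengths:", lengths_ok(fixed))
    print(fixed.decode())
```

PHP's unserialize() rejects a value whose length prefixes no longer match, which is why the naive variant makes settings stored this way unreadable.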

Many guides I checked online were inserting random stuff in the files that were diabolical: making clueless people shoot themselves in the foot. Others were using PHPMyAdmin or cPanel kind of tools that did not work in my case for idk what reason (maybe because they didn't have dark mode?). But I was getting tired.


It's refreshing to see that JS is not the only space where you'd call the development a shit show. Everywhere there's stuff not working and we're all working in bubbles. And I think that's okay, just be careful that there are a lot of people trying to take advantage of you once you step outside of your comfort zone.

And believe me if you plan to work with Wordpress while being a developer that is used to other tools, you are a minority. Most of the people playing with Wordpress don't know what a command line is. Keep that in mind when you're back against the wall without any solutions from Stackoverflow.

Bottomline? Use managed hosting: you're screwed, unmanaged hosting: you're also screwed and on your own. Just find solutions that work for YOU and don't compromise until you tried everything yourself.

The backups are now full VM backups with the MySQL database hosted on the same VM (it's okay, don't worry too much). They cost zilch and are one click deploy.

Focus on solutions