Yes. Keep the real application on a subdomain, and make your marketing website a simple wordpress install. Minimal effort, and works great if you don't care about authorization / integration between the two.
Yes.
Put the Wordpress on a completely separate server so the WordPress instance is properly firewalled from your main application/database. But don't leave it on a subdomain -- set up a reverse proxy so you can route to a subdirectory on your main domain. Better SEO. I'm not an SEO hawk, but if the point of Wordpress is marketing, then it's important.
Edit: All good replies regarding cookies. Thank you for the correction. It is not "properly firewalled". The server side code is on a different machine, but this doesn't get you "proper firewall".
Worked at a company that combined the two, which eventually led to half the dev team working for... the marketing dept.
It was a horrible mess.
Nope, I do not recommend this.
This is not really a safe and scalable solution for startups anymore.
In your scenario, the app developers create something that gains traction. But they have not spent any time writing guides, docs, or any sort of marketing content. They are only worried about their app code, and someone else will fix the tech debt eventually when they set up the WordPress blog site on a sub domain.
If the devs ever reach that point in success, they have now created a silo between the main app, and the WordPress instance. The two apps usually run out of sync in consistency and feel, and factioned teams form around who works within the app, and who works within WP on the content.
The two teams eventually get out of sync, and the users never get the basic info they need to use your app.
Then when nobody is paying attention, someone takes advantage of a vulnerability in a dumb WP plugin, and they spam your blog site with porn links and offensive content. Now you have to handle damage control, and closing the hole and erasing the content.
The only successful YC company in recent history I have seen pull this off is OpenSea, but I'm not even sure what they are up to today.
To the contrary, launching a startup is: 20% writing code. 80% writing docs, guides, and marketing content.
Further to the contrary, I have found that the most successful YC companies and products all started their code products with documentation.
Stripe and Shopify both launched, and immediately started building out user guides and marketing content.
The common denominator between Stripe and Laravel at launch was users commenting how easy their product was to use, and how complete and simple their documentation was to understand.
These companies didn't wait to find a content solution, they started writing their content alongside their code since day 1.
I beg of you, if you use Wordpress, and don’t have some reason you can’t do this:
Use a static site generator plugin for Wordpress, host it completely behind IP restrictions or firewall rules, for only whoever needs to actually update it. The static site plugin will regenerate/update plain HTML files out of your WP instance whenever you tell it to; then it transfers those to your location of choice where they’ll just be hosted statically.
Wordpress is a pile of garbage from a security standpoint and having it exposed to the internet is basically asking to be hacked constantly by spammers and script kiddies. But it is useful as an easy content generation tool anyone can use, and at the cadence most people actually update it, the regeneration compute time is trivial.
Alternate viewpoint: I keep several WordPress sites online, mostly for testing & experimentation.
They are all configured to auto-update. They have a mix of a small number of plugins - mostly high reputation ones.
They sit there and work and require next to zero maintenance.
Yep, they are regular hack targets. The biggest risk is brute force attempts overwhelming the server (until recently, I ran them on a 256MB VPS, because I like suffering, I guess), but with some decent protection there (e.g., fail2ban) it reduces risk significantly.
I would say if your plugin mix is simple and you have auto-updates, there is almost nothing to worry about for the vast majority of people.
>Wordpress is a pile of garbage from a security standpoint and having it exposed to the internet is basically asking to be hacked constantly by spammers and script kiddies.
Deleting (or renaming) wp_admin.php is so important I don't know why it hasn't become a standard part of the install. It's incredible how much your attack surface decreases with just that.
Not sure why this is the top comment. Set the permissions to read only and update via composer
Everyone is posting to defend “raw Wordpress exposed to the Internet” and pointing out the ways to convince yourself it’s secure, but no one has pointed out even one advantage to doing that, vs simply using it as a site generator and never having to worry about any of that.
> Wordpress is a pile of garbage from a security standpoint
WordPress is fine from a security standpoint.
It's all the random plug-ins that are a security hazard. And letting non-technical, non-security-minded people install them.
WordPress, when updated consistently and used responsibly, has no worse security than most other PHP CMSs and frameworks.
WordPress has developed a bad reputation because of bad plugin authorship and bad theme authorship. If you are installing reputable plugins, keeping core up to date, and maintaining the standard best practices for hosting a PHP app, you're going to be fine.
Source: Industry experience working for enterprise clients in healthcare.
> Still, pretty impressive market penetration in a world that now has reliable generative AI and serverless lambda functions with 2 min deploys like Vercel and Netlify.
Huh? What’s the link between generative ai and the need for a wp like tool? Or indeed lambda functions? Does the author think that _everyone_ is using aws?
SEO keyword stuffing strikes again.
At one point The New Yorker, with its 90 year archive, was on WordPress.
It only moved off that because Conde Nast (parent company) had their own CMS and wanted to unify what all their brands used.
Many publishers (large and small) use it quite reliably at an enterprise level.
> Many publishers (large and small) use it quite reliably at an enterprise level.
Not out of the box, and the things they have to do to make it scale would make most devs cry.
I've seen it up close and personal.
WordPress out of the box is good for a low traffic blog. Even then it's not well designed software.
Recently tried Wordpress again, thinking maybe it has matured.
Terrible idea, terrible platform. For example, you want metadata on posts, you install ACF. You want to filter on that metadata, good luck if it's over a couple filters simultaneously, the SQL queries will time out. You're guaranteed to need different tweaks that get dumped into a scripts file, feels like patterns from 20 years ago. There are some people trying to untangle the Wordpress trash pile by refactoring and bolting Laravel onto it[1], but every layer is just a nightmare; the authors of different parts can barely assess why things randomly break.
You might find WP appealing for the plugin ecosystem, but the plugins are completely random in implementation, so you're likely to get a bloated scramble of CSS and JS pushed to your users.
I moved to Directus and Astro, but I would probably use a Laravel-based CMS like October or Statamic for more generalized PHP deployment.
[1]: https://roots.io/
This seems like a bit of the perennially-linked "Choose Boring Technology" bit. Your corporate landing page/blog is unlikely to need anything fancy. This is true especially if you aren't in tech, while the article focuses on YC startups, so a tech subset of (or subset of tech) startups. The categories listed do seem most likely to be cases where there isn't much need for anything fancy on the website front.
I chose YC startups bc they tend to be locked into early technology trends specifically bc 1. everyone tries them out on each other and 2. they need to leverage every advantage to make great product, being a tech early adopter is one of them.
It's true, choosing boring tech works. I analyzed some data to show that most YC companies in the last few years prefer Webflow by far. They seem to prefer it for their marketing sites. But I do think that it's impressive that some people in this tech-obsessed niche chose WP still.
If the simple marketing landing page of a project is slow because it runs a huge substack of PHP for literally nothing I wouldn't qualify that as boring tech but just lazy.
You don't need a dynamic CMS for a boring landing page.
The only reason I still use Wordpress is e-commerce where plenty of overhead is the standard anyway
I'm certain there are still endless amounts of little lifestyle businesses out there doing a few million in revenue on the same WP installation they've been configuring since 2011. I know because I built them back then and literally nothing has actually changed. I honestly can't say I'd recommend anything else to someone intent on self hosting even today.
It's hard to argue against the technology that's been around forever. Have you tried new tech recently ie. Vercel?
Yep. Mine does. Works fine.
I don't. I dropped Wordpress years ago, because I got tired of dealing with all of the security problems.
Self-hosting WordPress is usually a bad idea. I guarantee you have more important things to do than worry about WordPress security!
But it's comparatively very inexpensive to host on wp.com with your own domain.
I am guessing the issues were mostly plugin related, that's the main vector and where people get sloppy by installing unvetted code.
I found Wordpress worked best when it wasn’t publicly available. I always cached/proxied the content via a CDN and then restricted access to the backend via an internal network. Helped a lot, if anyone is going through something similar
Can you list the main ones?
I know they exist, I just need the info so we can assess our own platform
Did any of your WP websites get compromised?
Yes we do in (both) my startups. And I know a friend who does too. Interestingly we’re actually coming back to WP after a time w/o it!
Interesting! What kind of products are you building and what were the tradeoffs that you made with other similar tools?
Wordpress has value in its ability to get a site up very quickly. If I, one person, want to, I can get a pretty professional site up in a day. That's powerful. I can then come back to it later and improve it given my needs. Startups are all about limited resources and Wordpress is a good tool to use. What's a better alternative?
That's no real reason. If I use a bootstrap template and some rails magic I have the same professional site up just as fast but I don't hinder my future success through a security nightmare, an overly complicated framework and super slow rendering times.
How do you feel about this? https://www.elegantframework.com/
It's literally a React based alternative to WordPress, built with Next.js and Tailwind CSS. An official launch here and SHOW HN is coming soon :)
I'm able to create and launch a professional website in only just a few minutes, complete with users docs and a blog.
It has a near perfect Lighthouse score, and already crushes wordpress.com in all the SEO areas.
I used WordPress at my last job. We don't at my new job and I miss it terribly.
We were looking at this the other day while trying to assess what the standard tools are for ecommerce these days. We were using google trends.
There is still a lot of interest in wordpress, compared to say joomla which had its day in the sun but is now on the way out. However there seems to be a big move towards people using more SAAS (e.g. your brochure site being instagram) and less maintaining your own kit.
Also anecdote: my sax repair guy is moving off woocommerce onto an offering provided by his PoS vendor. PoS integration is also quite common - a local non profit I'm involved in also does this.
If you want, you can email me with a few ecommerce domains. I can generate some data and send you a report with the custom tech I used for this article.
Does anyone use Headless Wordpress here?
It's been quiet since they launched that, and I've never used it but it sounds like a good option for those who never really learned PHP
I did some consulting work for a name-brand online retailer who uses headless WordPress for managing at least some of their content. I didn't work on it to the level where I know all the places it touched, though.
Any tech that lasts this long has some serious mojo.
Was checking out the SSG scene and with the exception of a couple of gems it's a loud, confused buzzword cacophony screaming for attention.
WordPress is great for finding site and hosting/config vulnerabilities, which you can fix and then delete WordPress. It's like outsourcing for free a bug bounty.
Could you link me some info about this? I'd like to update the article with this ^
Hah! I laughed too hard at this.
Why wouldn’t you? Great platform to get a site up and running quickly.
MVP.
Yes, it's usually a one-click install and comes with an easy way to switch between themes, can give access to others to write content (editors) and you can easily get extra goodies on the same installation like contact forms, newsletters, reservation systems, e-commerce, etc.
WordPress is dominant because it's the Lingua Franca of the web design world. Despite PHP sucking, WordPress is well known by everyone in the industry and competitors - even with far superior technology - have an impossible task disrupting something with such platform dominance.
For comparison, Microsoft Windows still holds about 75% market share, a figure that has barely budged in the last five years, despite Apple making major inroads.
https://www.statista.com/statistics/218089/global-market-sha...
Quite a few do - here is databricks https://www.databricks.com/
It's a good honeypot.
I don't mind WordPress. My company doesn't use it for its marketing sites though, prefers larger more monolithic enterprise options. But it's not a startup either. From what I heard WordPress was not favored because maintenance was difficult (plugins, vulnerabilities, upgrades) and also there was uncertainty about gpl. A while ago some startups I worked were using webflow and instapage for their marketing sites.
I've noticed some which only offer an app use WP for their basic web presence/brand landing page.
No, not since around 2017. I personally use Jekyll now for all my startup-y websites.
Anybody use ghost? How do you find that?
The article misspells the product
WordPress? That's too simple. We use a static webpage, served up through kubernetes.
Coming soon, running Kubernetes as a Wordpress plugin.
WordPress is a CMS, but it doesn't have to also be your site runtime. Many people use WordPress as an SSG using tools like Simply Static.
For my company we still see it in use after all these years and countless security incidents because it's just left there. I could not personally ever imagine wanting to install that and thinking it's a good thing.
Recently I have had to help restore one that was completely infected, before we acquired the business. The amount of BS that still is exactly the same as it was the last time I was forced to manage WP in the early 2000's is insane. I get the draw, I just don't agree with it and would never openly advocate for it to be considered.
Every reason to not use it can be excused if you want to make an excuse for it or do something different with it, but at the end of the day it's dated and offers more headache and pain than any usefulness of it as a tool in hosting a site.
Here's some of my bugaboos...
- Doesn't scale
- Wants open permissions on files
- Wants you to use plugins
- Exposes services it doesn't need to expose
- Hardcodes FQDN in links and resources, and everything it can
- Defaults to be the dumbest install settings to make it "easy" for everyone
- Debugging is still a nightmare
- Logging is not consistent
- Maintains state on a machine, preventing you from scaling or high availability
- Codebase has no real framework to extend and use, preference on adding your own bad code to it in order to make it work.
- Does not work well with CI/CD automations
- Is a huge target of vulnerability scanners
- Page updates use a huge post size that is expensive to inspect w/firewall
- Making changes can and will take your site down
- Lets you modify a template file from the gui, but only the first directory level, making you still need to push changes to underlying files in a template.
- Performance is a joke
- Problem with a plugin can crash the full site
- SQL injection is still a significant problem
Again, I know someone can rationalize them all away; you are putting in a ton of work that you could have done otherwise with a better solution and not have the ongoing limitations and nightmare associated with it. If you run it, you should consider it to already be hacked and move accordingly.
Oftentimes I hear the argument, well there's nothing I need on there so it's not a security risk... I think your customers would disagree when they start getting infected with crypto miners, clicking affiliate links that aren't yours, linking to malware, viewing content you didn't add, downloading files that are dangerous, using your hacked system to attack others, and on and on.
edit: format
The thing is, your real app doesn’t need any SEO. just your marketing site. That’s what they need to find (and if they’re customers they go for that Login button that takes them to the app).
Marketing site on www
Real app on app.example.com or similar
Unless your real app generates pages that are indexable and optimized for search engines.
Warning, that's NOT "firewalled" from your main application/database.
If it's just part of the path on the same domain, then almost any Wordpress security vulnerability can leak over into your main application (i.e., cookies, credential stuffing, xss, etc)
Client side web attacks don't affect how the two servers are firewalled from each other. I agree it isn't properly secure, but "firewall" refers to a specific type of security.
And then a malicious/compromised plugin has access to your primary site's cookies. I think that’d be worse for SEO.
Couldn't one set the path of cookies to be for your app? Then a malicious plugin shouldn't be able to read your app's cookies, since they won't be sent to Wordpress.
Most web frameworks use encrypted cookie storage by now, right? Without the server key those cookies are useless.
You can get your reverse proxy to hide /wp-admin/ from the outside world but still allow access from your trusted IPs or whatever. That will close off a few potential snags.
You might also consider a full web application firewall (WAF) - there are plenty including WP internal solutions, commercial and open source. Me? I slap HA Proxy on the front.
As you imply, I wouldn't bother fiddling with domain names - that is not a security solution and will bugger up the "message".
This is dangerous because then a rogue piece of content in your wordpress instance can exfiltrate user cookies. Subdomains are much safer, if worse for SEO.
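The cookie-scoping question in the comments above (subdirectory behind a reverse proxy versus a subdomain, and whether a cookie Path helps), as an added example that is not part of the thread: a small model of the RFC 6265 matching rules applied to the layouts being debated. The hosts, cookie records, layout names and function names are constructed for illustration.

```javascript
// Added example, not from the thread. Hosts, cookie records and function
// names are constructed placeholders. Matching follows RFC 6265 sections
// 5.1.3 (domain-match) and 5.1.4 (path-match); public-suffix and IP-literal
// checks are omitted to keep the model small.

function domainMatches(cookie, host) {
  host = host.toLowerCase();
  if (!cookie.domain) {
    // No Domain attribute: host-only cookie, matches only the host that set it.
    return host === cookie.setBy.toLowerCase();
  }
  const d = cookie.domain.toLowerCase().replace(/^\./, "");
  return host === d || host.endsWith("." + d);
}

function pathMatches(cookie, requestPath) {
  const p = cookie.path || "/";
  if (requestPath === p) return true;
  if (!requestPath.startsWith(p)) return false;
  // "/app" must match "/app/x" but not "/application".
  return p.endsWith("/") || requestPath[p.length] === "/";
}

// Would the browser attach this cookie to a request for `url`?
// If so, the server behind that URL (here: WordPress) receives it.
function sentWithRequest(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(cookie, u.hostname) && pathMatches(cookie, u.pathname);
}

// Is the cookie within reach of script running on the page at `pageUrl`?
// HttpOnly cookies never are. Otherwise only the domain scope counts:
// documents of one origin can script each other, so Path gives no
// isolation from same-origin script (RFC 6265 section 8.5).
function reachableByScript(cookie, pageUrl) {
  if (cookie.httpOnly) return false;
  const u = new URL(pageUrl);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(cookie, u.hostname);
}

// Constructed layouts: where WordPress is served, and how the main
// application scopes its session cookie.
const LAYOUTS = [
  { name: "subdirectory, Path=/app",
    wordpress: "https://example.com/blog/post",
    cookie: { setBy: "example.com", path: "/app", secure: true, httpOnly: false } },
  { name: "subdirectory, Path=/app, HttpOnly",
    wordpress: "https://example.com/blog/post",
    cookie: { setBy: "example.com", path: "/app", secure: true, httpOnly: true } },
  { name: "subdirectory, Path=/, HttpOnly",
    wordpress: "https://example.com/blog/post",
    cookie: { setBy: "example.com", path: "/", secure: true, httpOnly: true } },
  { name: "subdomain, host-only cookie",
    wordpress: "https://www.example.com/post",
    cookie: { setBy: "app.example.com", path: "/", secure: true, httpOnly: false } },
  { name: "subdomain, Domain=example.com",
    wordpress: "https://www.example.com/post",
    cookie: { setBy: "app.example.com", domain: "example.com", path: "/",
              secure: true, httpOnly: false } },
];

function assess(layout) {
  return {
    name: layout.name,
    sentToWordPress: sentWithRequest(layout.cookie, layout.wordpress),
    scriptReachable: reachableByScript(layout.cookie, layout.wordpress),
  };
}

function assessAll() {
  return LAYOUTS.map(assess);
}

for (const r of assessAll()) {
  console.log(
    `${r.name}: sent to WordPress server=${r.sentToWordPress}, ` +
    `reachable by script on WordPress pages=${r.scriptReachable}`
  );
}
```

In this model the host-only cookie on a separate subdomain is the only layout where the session cookie without HttpOnly stays away from both the WordPress server and script on its pages. HttpOnly removes script access in the subdirectory layouts, but a Path=/ cookie is still delivered to the WordPress server on every request.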
Thank you for validating my comment above Kerblang!
I have experienced this myself personally, and have contracted with numerous companies who ran into the same issue.
The biggest issue I ran into was when the dev department started to not care about the WP instance because they don't work for marketing, and the marketing department failed to report one of their accounts was hacked, and a plugin was taken over :(
Reminds me of when IT reported to Supply Chain in a company I was at. For some strange reason supporting supply chain systems and initiatives made up 60% of our work…
To be fair, Supply Chain is 60% of a lot of companies' value.
This is poor business management and has nothing to do with the technologies at hand. If a company has a software product but the devs can be pulled into 'let's fix this button on our contact form' anytime, then it's simply mismanaged.
Yup, I've seen that. Catastrophic.
It’s pretty easy to point <hostname>/docs to an appropriate server. This is literally what Stripe does. There is no need to merge the marketing site with the API or docs.
I don't think that is how Stripe is doing it. The React app code is baked into their docs seamlessly, it's not two different things.
I have researched this to get the definitive, but it's difficult to find out what Stripe is using exactly. They are 100% generating their content statically though, and their user docs are dynamic with data.
I'm getting downvoted, implying that I'm off my rocker lol.
I promise to all of you that I'm somewhat correct, and I have all the data to prove it.
I spent over a year doing R&D on this issue, and I found that the most successful startups were actually rolling a detached Docusaurus instance hosted on Vercel or Netlify, as opposed to running WordPress.
Hacking and brute force attempts, and the risks they pose to uptime are big reasons I advocate for this. And yes, plug-ins matter but a lot of sites tend to have them installed. My point is, there’s rarely any reason to have to deal with any of that stuff. Plain old Apache or Nginx or S3, serving HTML behind cloudfront, is impossible to hack and basically can’t even be DDOSed. There’s little reason not to. It’s not like anybody even uses the features of WP that need to be dynamic, like the commenting feature which can’t be turned on without a flood of bot spam.
Yep as long as you remain up-to-date I've never had a WP install hacked. Not saying the security is good - but there are a lot of vulnerabilities reported with other similar software too. Don't know if I'd say WP is worse. Given its market penetration, it is going to be targeted more often.
I've noticed a lot of big companies are using WP for their blog as well... companies that could easily pay for something fully custom (such as Sony/Playstation), so they are arguably doing something right.
That's what many of those hacked sites thought. And yet Google is full of hacked wordpress sites of any caliber.
This is just confirmation bias though - what matters is the percentage of hacked WordPress sites. It's probably not as high as you think.
The fact that WP hasn’t done that demonstrates how serious they aren’t about making security a priority.
Agreed, Wordpress is one of the leading CMSs, and with proper security it's fine. Any half-baked cache app will do what this commenter recommends anyway. Some people still irrationally hate PHP and WP.
In my experience the vast majority of security attacks to WP sites are plugin related.
But blaming WP and php for that is like bashing linux for users installing random binary files with sudo.
Seems like a lot of work to still have a slow site, wasting tons of CPU to dynamically generate a site when most such sites stay static for days to months.
Yes, you can probably install cache plugins to work around this but everyone is pointing out how you have to be super careful with plugins.
If you don’t need a super dynamic site, Wordpress exposed to the Internet is an unnecessary choice. And it does have 0-days sometimes, so just “being perfect about updating, and knowing what plugins are trash and avoiding them” isn’t 100% adequate to keep your WP site secure.
If the devs set up a static generator then they have to support it. Better to give your marketing department crummy software that they think they have to use without help.
Sure, and many sites use plugins.
Going to 100% disagree with you there.
My team did the migration and build-out of The New Yorker and its relaunch on WordPress. I launched Quartz (qz.com) originally on WordPress (acquired and moved to in-house CMS then at G/O Media), and other media orgs since then.
Sure, not "out of the box" but not the way you mean. There was a design to be put in place, but no more than any other CMS...
If your devs are being made to cry then you are doing it wrong?
> Sure, not "out of the box" but not the way you mean. There was a design to be put in place, but no more than any other CMS...
That's pretty much what I mean. Most CMS platforms on high traffic sites need caching, but not to the extent WordPress needs to be buffered. I've seen some ugly stuff that was solved very quickly by using a more robust CMS. I suspect you have too.
There are advantages to it for a newsroom but not enough to make me ever consider reaching for it in 2023.
> If your devs are being made to cry then you are doing it wrong?
I disagree with this. If I make people use the wrong tool then I'm doing it wrong.
Big media companies use hosted WordPress with high traffic and to great success.
You can even use WordPress as the backend to a static website (via Jekyll, Hugo, etc) with extremely minimal effort. I did this nearly a decade ago for a webpage with tens of thousands of content pages and a million uniques/day.
I then served it from a trio of $10 AWS boxes serving a very vanilla nginx configuration and a cloud loadbalancer. We didn't even bother paying for a CDN because it was never necessary. WordPress backend was on Pantheon and only accessible by employees via SSO.
The entire migration (from just serving WordPress), redesign, pipelining, setting up Solr for site search, etc was all done by one developer in about 3 months...including training the content writers to use Markdown.
So WordPress is just for internal usage (i.e. adding, editing content)? And then Hugo generates its content from the WP site? And then public internet access the web version from Hugo?
Unless we’re talking about real-time data, it’s fairly easy to add a caching plugin + CDN and have it scale infinitely.
It's not that hard to install a caching plugin that essentially serves your entire site from static files. Nor is it that hard to put it behind a load balancer.
Never heard of Webflow before.
My god 11 years old. 335M$ funding. 600+ employees.
Not public.
How on earth would you make a call to rely on something like this? All the runway they might have had last summer will end soon…
> Never heard of Webflow before.
Have you been living under a rock?
Not trying to be cheeky but it's been the only tool brought up in the conversation of "what should we use for our marketing website" for the better part of 5 years.
edit: Their pricing can become outrageous, I've heard of some companies paying five figures a year for their Webflow CMS, for multiple years. So I don't think their last raise is the only money in that bank account
Docusaurus on Netlify with the Netlify CMS panel is the more popular method for agile and scrappy startups currently.
Plausible is doing this: https://plausible.io/
Also Algolia: https://docsearch.algolia.com/docs/what-is-docsearch
> But it's comparatively very inexpensive to host on wp.com with your own domain.
True, but I'm not interested in anything other than a self-hosting solution. Pricing doesn't enter into it.
I resolved my issue and lightened my workload (not to mention gained performance) by ceasing to use Wordpress. That's not to say I don't think people should use WP -- it's just not for me.
Unfortunately eventually everyone gives in to the marketing team installing plugins. And to be fair, they’re just trying to do their job and you get sick of saying no. We all know how it ends though…it’s a sea of issues waiting to happen.
Not everyone :)
Yes, but Wordpress is substantially less useful if you avoid using plugins. I dropped wordpress because it was more effort than it was worth to deal with the issue.
I wouldn't avoid plugins, I'd just be very careful about which ones you allow.
There are several ones that are good-to-go and I'd use in any standard instance. Beyond that, code review!
It’s both mobile apps; we use WP for the marketing website. The other tool we used was Django but we do not have anybody left in the company who knows how it works, the software is outdated: it was easier to simply remake the website using WP (we also re-designed it).
Makes sense! Let me know if you ever need someone who knows (and loves!) Django.
> super slow rendering times
If you enable caching, the website will load as fast as a static website on most devices and connections.
You're missing some key pieces. What databases are supported? What does the schema look like? Is there an api? Why can't I try it out?
Yes! Thank you for the feedback.
This was just a simple idea and concept that dang encouraged me to prototype an MVP for.
The concept has been receiving really great feedback, and the project is progressing way faster than I had imagined.
The project is still in its infancy, but the market is helping to drive the rapid development.
Everything you mentioned above is in discussion or active development: https://github.com/orgs/elegantframework/discussions/49#disc...
Not really relevant to our problem tbh. At our scale (b2b) the answer seems to be there's a big trend away from places owning their own IP and using partnerships instead. Which is a problem when your competitive advantage is closely linked to owning your own IP, as it's hard to get external partners to advise you well in a way that's going to get the dev team and the execs aligned. However there have been many attempts to kill our code over the years, all of which have been unsuccessful to date because someone's got to route around the horrors of the ERP and the rest of the enterprise stack.
Be wary of ERP solutions and vendors selling one stop silver bullet integrations for B2B. We've had clients get badly burnt that way. The setup fees are often large, and doing any kind of customization can require going through the provider's reps. Implementing Klaviyo on an ERP storefront site cost the client somewhere around $5,000, which, on any number of other e-commerce platforms we could have done for them in an hour at our hourly rate (which is less than $5,000). Let me know if you want to talk B2B e-commerce as I have plenty of war stories.
Agh we're facing the same problem at my job, build vs buy conversation a long time ago that resulted in a buy decision that we're suffering from. Even worse is no one involved in that decision is around today
Could I spare a minute of your time and ask you to check out the side project that I have been working on?
We're ironing out the wrinkles and building content, but I am planning an official SHOW HN very soon to get the community's feedback.
I contacted dang and Hacker News last year because I noticed how fragmented the content space was, despite there being so much frontend innovation the last few years. WordPress is still the leading CMS platform, and I have validated this a few different ways this year myself with different data sources.
I did a deep dive quantitative analysis last year on what popular startups were using for content, and the results were surprising. They either were using a WordPress instance on a subdomain, separated from their core code base; or they had rolled their own code, and had a funky setup.
From the top of my head:
- stripe.com had a crazy good static powered website. 100% not WordPress lol
- opensea.io had a core Next.js application, but had an older WordPress instance for blogging on a sub-domain.
- paulgraham.com has a super dated custom setup.. Even though he writes the best essays, I can't read them easily on my phone :(
- patrickcollison.com is something simple and basic as PG's, just not as dated.
- ycombinator.com has some janky "React on Rails" setup.
From that point, the quick and rapid startups who were gaining traction either figured out how to create content alongside their app.. Or they used Webflow and didn't create any sort of seamless and simple docs, users guides, blogs, etc.
I ended up eventually emailing YC directly to ask them why things were so wonky in the content space like this. I asked them why they would spend the resources to use Ruby to talk to a webserver and database to get basic static text. I also asked why PG's website was in the state that it was in, and if he would consider an upgrade if it existed.
To my surprise, I actually got a speedy response back from Daniel himself. He gave me a ton of feedback and told me that Paul probably wouldn't be interested.
He then said that if I was able to put together something impressive, I should do a SHOW HN because this is a large problem space.
I'd love to connect with you and get your feedback, and share any ideas or data.
My email address is in my bio if you want to connect :)
https://github.com/elegantframework/elegant-cli
Live Demo: https://www.elegantframework.com/
Nice branding. Any relations to Elegant Themes/Divi?
- to help you ship faster!
Ah, good point, I'm probably biased toward the kind of "app" which users would need to be logged into like a SaaS product, but that's not universal.
Actually, network firewalls have nothing to do with website paths at all, but that is how the parent was using the term, so clearly they were thinking in terms of a more ambiguous term like sandboxing or isolation. Not looking to be pedantic, but by conflating the two terms, the parent was confusing both themselves and others -- and giving dangerously insecure advice.
Not if someone takes the cookie and just passes it back to the app from their own browser to steal someone's authentication.
This was retail so we also had all the POS store systems, finance systems of course, payroll, collaboration (email, SharePoint and so on..)
I figured it was retail from the capital letters. ;)
And not diminishing the other components, but my understanding of retail at scale from working corporate for a moment shifted to "Supply Chain is where profit is made or lost: everything else is follow-through."
I worked at Stripe for over five years. It’s a monorepo with multiple services. The marketing site, docs site, and API are separate services.
Nice! Thank you for the insight!
It's clear that it's a monorepo that they are packaging up at build time to create a seamless website.
Any ideas on what they are using to accomplish this?
Regarding the original topic of this post, I'm 99% confident that Stripe is not using WordPress to write their docs and content either way.
P.S. On another note, I've been leaning on BDC to provide me with insight and feedback on my current project.
I really doubled down on this modern content system idea after I interviewed with Increase for a senior frontend role under Ben. They asked me to critique the frontend and tell them what I would improve. The only improvements I could find were the lack of user docs and marketing content to promote all their development efforts. It's @bdc of course, how am I going to improve his work when he is setting the bar?
Increase lacked content at the time because they hadn't yet found a seamless method of content management with their existing Vue.js codebase.
My current project solves all of this with a simple Next.js app that comes baked with everything a startup could need for content.
P.S. Yes! Developers want to package up their blog content, user docs, API docs, and app code into separate repositories, but pack them up together into a single website during build time.
Coming soon to Elegant: Split your docs, React code, and blog content into separate repos, and pack them back up into one app during build time : )
Can WordPress or Ghost do that?
Precisely my point as well. Everything is bad when done poorly. :D
I was trying to indicate that most of the work is implementing a frontend design - as with any website.
> Most CMS platforms on high traffic sites need caching, but not to the extent WordPress needs to be buffered
I continue to disagree with you on the WP side. Setting up with a CDN was not difficult. First with Akamai and later moved to Fastly for the ESIs. No more effort required of any other CMS - that's not WP specific.
In terms of WP specific work that was required, again, not a big effort. Caching was not an issue for us on that side. We made use of Transients API here and there for some larger queries (curated homepage) but no big hurdles.
> If I make people use the wrong tool then I'm doing it wrong
I'll stick with my original meaning. The tool is fine if you know how to use it. I'm able to demonstrate that WP is fine for several high-traffic sites. Some of which were getting ~30M unique visitors (not pageviews) a month without being on fire.
It's very possible your editorial workflow requirements, or other site needs were very different from ours, and we did not need to contend with those pain points. We were fairly ruthless about what plugins we'd allow and they'd been mostly pre-vetted or semi supported by WP/Automattic.
> I'm able to demonstrate that WP is fine for several high-traffic sites. Some of which were getting ~30M unique visitors (not pageviews) a month without being on fire.
So was I. But when I realized that commercial and even bespoke CMS' often blew WP out of the water I really changed my tune. And amazingly they ended up being cheaper, more performant and more secure.
Can you make it work? Yes. Should you? Very tough question. I can't see too many cases where I would reach for it.
The public access the web version via nginx, technically. Jekyll or Hugo just spits out files.
You set up your WordPress with custom post types and I wrote a Jekyll Generator plugin that builds content from a SQL query to WordPress' database. The whole pipeline to build and publish an update to the static site was around 5 minutes...with most of the build-time being eaten up by webpack to do its thing. Probably could have shaved off more time but at that point who cares.
There are also WordPress plugins that can do this now, but understanding how WordPress stores data in its database is dead-simple.
For a static site, a lot of tricks were pulled off to serve dynamic content and the site was still pretty tight and speedy. You can still get reliable Date stamps and CSRF tokens for formfills and stuff like that using nginx SSI.
Thanks
I've never heard of it either. Might be more popular in the UK.
Also never heard of it before now.
> I'd just be very careful about which ones you allow.
I did my best to do that, but it still required far more maintenance than I was willing to put into it.
> Beyond that, code review!
Yeah, no, that would take even more of my resources!
Really, I'm not saying "WP sucks" or anything. It just required a lot more time and attention than it was worth to me, personally.
yeah pretty much ... it's rare to see decent architecture in those systems. Masses of spaghetti curated by spreadsheets are popular though.
The fact that our competitors don't own their IP makes writing the occasional price scraping bot much easier, and has the knock-on effect that there is likely a lack of people that care what I'm doing inside the competitors. The link between business process and customer activity is quite tricky to codify in our case, and it's a substantial source of value because it creates high availability in a less-than-robust system and gives a single point of entry to how the management of business processes links to outcomes.
Currently we're pushing the org to avoid complete rebuild and go for targeted rebuild where the old and new systems can share common functionality / features can get backported. It's not the standard type of work that partners do though, so that's tricky.
Hey thank you for the kind words!
Nope, no relation at all :)
Taylor Otwell’s coding style has been very influential on me, and I’ve used a number of his concepts to get this project rolling in just a few months.
His code is “expressive, elegant syntax.”
You can learn more about the current system at https://stripe.com/blog/markdoc. It was never WordPress.
You may be over-indexing on “packaging”. It’s been a while since I’ve worked on docs, but much of what you’re calling “packaging” is simply routing to another app.
I know many orgs dropping custom CMSs and proprietary ones and moving to WP :)
I've seen this, too (I think we've crossed circles before)
Generally it's because there are few commercial CMS companies left and media orgs are not software development companies.
So neither solution is ideal and most media companies operate in a 5-10 year loop of dissatisfaction and change.
133 Comments: