Wordpress is marketed as a “free, open-source” CMS that empowers anyone to build a website in five minutes. In reality, it’s a carefully engineered funnel into a paid ecosystem.
Core features missing
The very core features (that effectively boil down to one, or are at least very similar) – backups, cloning, and migrations – are not built into the core. None of those are made simple – and that’s not in the pipeline for any future updates!
So, Wordpress is designed as a nice “preview” that urges users (in more or less subtle ways) to pay money to various plugin creators and hosting providers (which are sometimes the same company).
The main players (largest companies) are all in it and are all doing fine. Users get hooked into “free” and “five minute install” but then need to spend a lot of time to learn how to do stuff on their own, and still end up paying for at least some plugin(s) – on top of “just” hosting expenses.
To be more blunt, I see no reasonable explanation for not making the following features a part of the core:
- Backups to an FTP location or similar off-site backup.
- Local backups.
- Cloning.
- Migration.
- SMTP email sending.
These are not “nice to have.” They’re fundamental to running and maintaining a website safely. Yet Wordpress still doesn’t include them after two decades – and, as I said, there’s no sign they’re even being considered!
I don’t believe this to be an accident or just pure incompetence (let us not play naive). The moment you go looking for these features, you’re pushed into the “ecosystem.” There, you find dozens of paid solutions – most owned, endorsed, or cross-promoted by the same few companies (who owns who).
Automattic (the company behind wordpress.com – and wordpress.org as it turns out – and Jetpack) monetizes “backup,” “security,” and “migration” features through Jetpack add-ons. WP Engine – one of the biggest hosting providers – sells similar tools baked into its premium hosting. GoDaddy, Bluehost, and SiteGround advertise their WordPress plans as “fully managed,” meaning they charge extra to cover what WordPress deliberately leaves out.
Even many “independent” plugin authors eventually sell to the large players – turning the marketplace into a self-reinforcing web of interlinked profit centres.
The result is a system that looks open and free but functions like a walled garden with optional toll booths. You can run your own instance, but you’ll still end up paying: in money for plugins, or in time wrestling with things that should have been one-click features (don’t get me started on the plugin system that supports only the biggest “players”).
There’s no technical reason Wordpress couldn’t include built-in backup, migration, and SMTP tools. Even basic control panels like cPanel or Plesk already handle those jobs out of the box. But if WordPress did that, it would cut off a massive stream of ecosystem revenue — and that’s why it won’t happen.
Gaping security flaws
In Wordpress, “prepared” statements are merely sanitization functions and not true prepared statements that separate code from data! This article discusses it in more detail (see the section titled “Ultimate Member SQL Injection”):
https://hackaday.com/2024/03/01/this-week-in-security-forksquatting-rustdesk-and-mms/
This well-known weakness is not getting fixed AFAIK.
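Added example (not from the original post, and not WordPress code): a minimal Python/sqlite3 model of the difference described above, comparing an escape-then-interpolate helper with a truly bound parameter. The helper names, the table, and the sample inputs are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def escape(value):
    """Sanitization only: double single quotes so a value cannot end a string literal."""
    return str(value).replace("'", "''")

def format_query(template, *values):
    """Hypothetical escape-then-interpolate helper; the result is one finished SQL string."""
    return template % tuple(escape(v) for v in values)

def by_name_interpolated(db, name):
    # Quoted context: the escaping matches the context, so the input stays a literal.
    sql = format_query("SELECT name FROM users WHERE name = '%s' ORDER BY id", name)
    return [row[0] for row in db.execute(sql)]

def by_id_interpolated(db, user_id):
    # Unquoted numeric context: there is no quote to escape, so the input is parsed as SQL.
    sql = format_query("SELECT name FROM users WHERE id = %s ORDER BY id", user_id)
    return [row[0] for row in db.execute(sql)]

def by_id_bound(db, user_id):
    # Bound parameter: SQL text and value reach the engine separately;
    # the value is compared as data and never parsed as SQL.
    cur = db.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,))
    return [row[0] for row in cur]

if __name__ == "__main__":
    db = make_db()
    crafted = "0 OR 1=1"  # constructed input with no quote characters
    print(by_name_interpolated(db, "x' OR '1'='1"))  # escaping holds here
    print(by_id_interpolated(db, crafted))           # predicate rewritten by the input
    print(by_id_bound(db, crafted))                  # treated as one value
```

With interpolation, safety depends on the escaping matching the exact context the value lands in; with binding, that dependency disappears because the value is never part of the SQL text.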
On the other hand, Wordpress core has a “capital_P_dangit” function that turns every instance of the word “Wordpress” without a capital “P” into a capital-P “WordPress.”
Additional bonus for bloody altering text on my own website without even asking me – I must go out of my way to custom-code it to stop!
My fix for this nonsense – a tiny plugin:
https://files.bikegremlin.com/wordpress/plugins/bg-capital-shit.zip
Wordpress Trac is a spamfest
I don’t often report problems I notice to Wordpress Trac, but sometimes I do. My last problem report resulted in a spamfest page – see this Wayback Machine capture:
https://web.archive.org/web/20251110113740/https://core.trac.wordpress.org/ticket/62680
This looks far from good anti-bot / anti-spam protection. I had to unsubscribe from Trac emails altogether to try and stop this annoying flood of spam emails:
https://lists.wordpress.org/mailman/options/wp-trac
Conclusion
Wordpress could have been the ultimate independent publishing tool. Instead, it became a storefront disguised as open source. A system that thrives not by empowering users, but by keeping them dependent: perpetually stuck between a free “preview” and a paid solution.
