I agree that WordPress shouldn't be written off, but we have to consider its plugin architecture, and the ecosystem and culture whereby plugins and themes get installed and used.
WordPress core is kept up to date by a responsive team. However, while some WordPress users may be content with a vanilla installation, there are many who are not.
A traditional way to add functionality and style to a WordPress installation is to add plugins and themes. These plugins and themes are not sandboxed, and operate with full privileges.
Unfortunately, there are many plugins and themes which do not uphold the standards of core WordPress with regards to security. And the people who determine which plugins get added to a WordPress install are often non-technical users who are not in a position to evaluate the security implications.
The outcome is that while the WordPress core is hardened, typical WordPress installations which use themes and plugins are still a security shitshow.
The only way I can see to solve this architectural/ecosystem problem would be to somehow nerf plugins, or at least themes, analogous to how browsers discontinued support for the old-style fully-privileged browser extensions. For example, themes could be restricted to inert HTML and CSS. But considering how WordPress gets used, this would be so disruptive that I can't ever see it happening.
And therefore, static site generators like Hugo will continue to enjoy a huge comparative advantage over WordPress in terms of security, even if WordPress core has all the positive traits that you lay out.
> However, while some WordPress users may be content with a vanilla installation, there are many who are not.
Very true. But it is clear that WP's broad trajectory is towards GUI-configurable, block layout themes that do satisfy more users. They are doing more on this than any other CMS project.
> A traditional way to add functionality and style to a WordPress installation is to add plugins and themes. These plugins and themes are not sandboxed, and operate with full privileges.
This is true, as is the risk with third-party plugins. (Though ultimately end users will just install some other bodgy CMS if they can't get what they want from plugins. The tradeoff with WP is that those plugins receive some scrutiny through vulnerability databases, better educated WP developers etc.)
Sandboxing themes is always going to be a little tricky, but it is plausible (and indeed it's not out of the question to project WP moving in that direction, given the way its internals are being reconsidered around the REST API).
But do you know of any widely-installable, user-friendly CMS that sandboxes its plugins? That is a huge undertaking. It's something I've thought of many times before, but I can't think of a way to make that practical on the sheer range of hosting options that WP makes possible.
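As an added illustration of the "inert HTML and CSS" restriction proposed in the first comment and the sandboxing question raised in the reply, here is a small policy check in Python that decides whether a theme carries executable code. This is example code written for this discussion, not code from either commenter or from WordPress; the allow-list of file types, the code-detection patterns and the two sample themes are assumptions constructed for the example.

```python
"""Policy check: is a theme 'inert' (static HTML/CSS/assets only)?

Added illustration for the thread above; not WordPress code. A theme is
modelled as a mapping of relative path -> file bytes so the check runs
offline; scan_directory() applies the same check to a real directory.
"""
import os
import re
from typing import Dict, List

# Assumed allow-list for an "inert" theme: markup, styles, images, fonts, text.
INERT_EXTENSIONS = {
    ".html", ".htm", ".css", ".svg", ".png", ".jpg", ".jpeg", ".gif",
    ".webp", ".ico", ".woff", ".woff2", ".ttf", ".txt", ".md", ".json",
}

# Patterns that mean "this file carries executable code". The PHP open tag
# is checked in every file regardless of extension, because a PHP tag inside
# style.css is still PHP if the file is ever include()d.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
INLINE_HANDLER = re.compile(rb"\son[a-z]+\s*=", re.IGNORECASE)


def check_inert_theme(files: Dict[str, bytes]) -> List[str]:
    """Return a list of policy violations; an empty list means the theme
    is inert under this policy."""
    violations: List[str] = []
    for path in sorted(files):
        content = files[path]
        ext = os.path.splitext(path)[1].lower()
        if ext not in INERT_EXTENSIONS:
            violations.append(f"{path}: disallowed file type '{ext or '(none)'}'")
        if PHP_OPEN_TAG.search(content):
            violations.append(f"{path}: contains a PHP open tag")
        if ext in {".html", ".htm", ".svg"}:
            if SCRIPT_TAG.search(content):
                violations.append(f"{path}: contains a <script> element")
            if INLINE_HANDLER.search(content):
                violations.append(f"{path}: contains an inline event handler")
    return violations


def scan_directory(root: str) -> List[str]:
    """Load a theme directory from disk and run the same check."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return check_inert_theme(files)


# Constructed sample themes (not real WordPress themes).
INERT_THEME = {
    "index.html": b"<html><body><h1>Hello</h1></body></html>",
    "style.css": b"body { font-family: sans-serif; }",
    "assets/logo.svg": b"<svg xmlns='http://www.w3.org/2000/svg'></svg>",
}

PRIVILEGED_THEME = {
    "index.html": b"<html><body onload='init()'><script src='x.js'></script></body></html>",
    "style.css": b"/* Theme Name: Demo */ <?php echo 'hi'; ?>",
    "functions.php": b"<?php add_action('init', 'demo_setup');",
}

if __name__ == "__main__":
    for name, theme in (("inert", INERT_THEME), ("privileged", PRIVILEGED_THEME)):
        problems = check_inert_theme(theme)
        print(f"{name}: {'OK' if not problems else 'violations'}")
        for problem in problems:
            print("  -", problem)
```

The check is deliberately an allow-list, not a block-list: anything that is not a known static asset type is rejected, which is the only shape of rule that holds up against new file types. Running it against the constructed `PRIVILEGED_THEME` reports five violations (the `.php` file, three PHP open tags/script constructs in the other files, and the inline handler), while `INERT_THEME` passes clean.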