What do Flickr, TechCrunch, eBay and Best Buy all have in common?
They all use WordPress. Initially developed as a blogging platform, WordPress has evolved in the last 11 years to a full-fledged popular content management system (CMS), capable of hosting static and dynamic content, e-commerce and event calendars, audio and video podcasts, and more, thanks largely to an expansive plugin system and a supportive community.
Of the top 10 million Alexa-ranked websites, 23% use WordPress; of those sites that use a CMS, WordPress accounts for 61% of the market. WordPress dwarfs the competition, with Joomla and Drupal holding only 8% and 5% of the CMS market, respectively.
The latest version of WordPress is 4.0, released this week. WordPress 4.0 does not represent as significant an upgrade as WordPress 3.0 did. Released in June 2010, WordPress 3.0 merged the previously separate WordPress and WordPress MU (Multi-User) variations, bringing with it the ability for a single installation of WordPress to host multiple sites.
WordPress 4.0 offers no such groundbreaking new features; it could just as easily have been dubbed WordPress 3.10. But it does offer an improvement over its predecessor, with little reason not to upgrade.
There have been intermediate updates, of course. For example, WordPress 3.7 introduced automatic background updates, but only for minor versions of WordPress, such as 3.7 to 3.7.1. Major updates, including to 4.0, will still need to be manually applied (unless you've configured your site to automatically grab these updates, too).
(Note: This review is based on the WordPress 4.0-beta4-20140823 beta, which came out a few days before version 4.0; as far as I know, there are no significant differences.)
Media and plugins
WordPress 4.0 focuses on making it easier for site admins to write content, install plugins and manage media. If you spend any time at all in your site's back end (as opposed to using a client like WordPress for iOS or Android or MarsEdit 3 for Mac), these changes will be apparent and appreciated.
There are now more options for adding rich content to your posts. Have an image, video or tweet to share with your readers? Since WordPress 2.9, authors have been able to paste the link directly into the WYSYWIG editor (or by clicking "Add Media > Insert from URL") and WordPress would automatically embed the referenced media at a width appropriate to their theme -- for example, so that a YouTube video would play within a site. There's been no need to obtain separate embed code or use the HTML editor.
With WordPress 4.0, that automatically embedded media can now come from any of 26 supported sites. Joining essential platforms such as YouTube, Flickr, Twitter and Instagram are others such as CollegeHumor, Issuu, Mixcloud and TED Talks.
Also new in 4.0 is the ability to see the embedded media in the WYSYWIG editor, offering a more accurate preview of the published post. But this feature works only when pasting in URLs from the aforementioned 26 hosts. If you prefer to manually obtain, configure and insert a site's embed code in order to, say, start a video at a certain time or add captions, WordPress will not show a preview of media embedded in this fashion.
WordPress 4.0 also makes it easier to browse local media. Previously, when writing a post, local media could be viewed in a grid of thumbnails, making it easy to see what art was available for embedding. But outside this context, the standalone Media Library lacked this grid layout, instead opting for a text-heavy, reverse-chronology list that could be filtered only by date. WordPress 4.0 corrects this inconsistency, adding a visual grid option that focuses on thumbnails and allows filtering by media type, such as audio, photo or video.
A grid display has also been added to the plugin installation process. Line items with incomplete plugin descriptions have been replaced with cards that neatly summarize a plugin's title, purpose, author, rating and last update, as well as whether it works with your current version of WordPress. "Featured" plugins are broken down into categories, such as "Performance," "Social" and "Tools."
(During the WordPress 4.0 beta period, I noticed that almost all the "Featured" plugins were developed by Automattic -- the same team that runs the WordPress.com hosting service -- or its affiliates, crowding out third-party competitors. Which makes one wonder if some curating is involved.)
Although not officially a part of WordPress 4.0, it's hard to review the CMS without mentioning Jetpack. Ostensibly an optional plugin, Jetpack is meant to bridge the feature gap between the hosting service WordPress.com (which has all those modules already packed in) and self-hosted WordPress.org sites. Jetpack (which is also developed by Automattic) is a single plugin that has ballooned to include 33 modules that can be individually enabled or disabled.
Some of those modules benefit webmasters, such as Monitor, which emails an administrator should the site go down. Others are aimed at end users, such as Mobile Theme, which is handy for sites whose themes aren't designed to be responsive (in other words, optimized for display across multiple platforms). Yet others are aimed at developers, including the JSON API, which lets you build links between Wordpress and JSON-based applications, or are even more esoteric, like LaTeX, which adds support for math symbols.
The Jetpack method of delivering everything in one package is not perfect. New users may find it convenient to install only one plugin and get 33 modules at one shot, but they may also discover that the multitude of options can be intimidating. Likewise, webmasters who want just a single Jetpack feature will still get all 33.
In fact, some of these features would be better served integrated into the WordPress core. For example, allowing visitors to use their Facebook profiles to leave comments would seem to belong in the discussion settings, not in a separate page called Jetpack Comments. But this disconnect is actually part of WordPress' philosophy that core functionality should accommodate 80% of users, leaving the other 20% to be served by plugins -- even though Automattic itself insists that every site should run Jetpack.
I use 16 of the 33 modules -- and if I were building a site from scratch and hadn't already developed workarounds for some of the problems Jetpack solves, I'd likely use even more. On the whole, Jetpack is still essential and useful.
Whether coming to WordPress 4.0 anew or upgrading from a previous version, any and all webmasters should think about the security of their sites. With such a large installed user base, WordPress is a prime target for hackers. My own WordPress sites have been hacked, most recently under version 3.5, though I never did find out if the vulnerability was in WordPress itself or in one of the dozens of plugins or themes I use. (All plugins in the WordPress repository are examined for malicious code, though this task can be Sisyphean: The archive, which numbered fewer than 10,000 plugins when WordPress 3.0 was released, now contains nearly 33,000 plugins.)
But even though WordPress 4.0 doesn't offer any significant new security features, it is probably no more inherently insecure than any other open-source, PHP-based CMS, and with some best practices, the likelihood of being hacked significantly diminishes (though never completely disappears).
To avoid problems, I always run the latest version of WordPress and I never install any free plugins or themes that didn't come from WordPress.org. In addition, I always install the two plugins iThemes Security Pro and BruteProtect. (The latter was recently purchased by Automattic, making its once-premium level of service free to all WordPress users; it will likely soon be rolled into Jetpack.) Once properly configured, these security plugins are invisible to both administrators and visitors, silently doing their job of hardening WordPress against attacks.
I've been using WordPress since version 2.0.5. In the eight years since, none of the incremental changes to the platform may have been substantial by themselves, but taken as a whole, it's remarkable how far WordPress has come. Through extensive use of plugins and custom themes, it has handled every need I've ever had for it, all while remaining fun and innovative.
As more features are added, WordPress' challenge is to remain accessible to the novice. WordPress 4.0 accomplishes this with an improved rich content editor and plugin discoverability. The learning curve for a new webmaster can be a bit steep, but WordPress' user friendliness beats that of more developer-oriented Drupal, and webmasters can easily craft limited access for content creators, making a perfect platform for service providers to hand off to clients with limited support.
One note of caution: WordPress 4.0 will surely introduce some minor bugs. Cautious admins may want to wait for the next minor release (4.0.1), which often comes a month or two after a major release.