
It's worth underlining that the only people in the world that give a fuck if a codebase is a tangled mess are developers. Everyone else is solely interested in ease of use and budget concerns.


It's true, but it's indirectly connected to budget concerns. Long term, a good code base will be easy to fix, saving a ton of time, effort and frustration. That's why we usually do give a fuck. Technical debt is a pretty accurate metaphor.


That is certainly the orthodoxy of our times, and yet I am strongly skeptical in this instance. If you adopt an open source CMS the expectation is that the core and plugin dev teams will handle the overwhelming majority of code maintenance work. This leaves your team to focus on maintaining whatever customizations were coded for a particular project. Ergo code cleanliness outside of your own repo should be largely irrelevant to the project budget.


> This leaves your team to focus on maintaining whatever customizations were coded for a particular project

And if the API with which you must interact is poorly structured and documented, then this becomes harder. Furthermore, a messy core codebase makes projects harder to complete (as was my experience building custom auth for WordPress).


That is correct, but it's an unknown unknown for most of the people using WordPress. They're not even aware that it might be a problem.


What about not having to patch a security bug every five minutes? I very much doubt the messy codebase has no impact on WP's poor security track record.


WordPress doesn't have a poor security track record.

WordPress users have a poor security track record.


Sorry, but the facts speak for themselves. WordPress itself (excluding plugins) has had more than 10 CVEs this year alone. That's more than one per month!

As an ex-user myself, who built the site and only installed a couple of plugins, I moved my organization to another platform because I was sick and tired of having to babysit what should be a solved problem by now.


I am curious what is this great platform that you've moved to which is apparently bug free?

If it's something like Squarespace then what's really happening is you're paying someone else to babysit it for you.


"apparently bug free" - not at all! By solved problem, I mean like we've solved bridges; they fall occasionally, but I don't feel the need to call my loved ones before each crossing.

My preferred solution would probably be Movable Type, but since my org can't afford it and we don't need fancy formatting, it's Nikola + Coil CMS. Easily editable by non-techies and yet there's no code to attack on the site - it's all statically served by Nginx.


We've decided that remote code execution bugs should be a solved problem class now? Fascinating. I'm sure the sendmail dev team will be delighted by this news.


Considering that the last RCE bug in Sendmail seems to have been a decade ago, I'm really struggling to understand your point. If anything, it seems to reinforce mine.


Or I've simply dated myself. :/


I hear you, and yet WordPress usage numbers speak a lot louder than our grumbling about messy codebases.


For anything non-trivial, a poorly written code base and/or poorly implemented database schema/layer becomes a liability, both in time and money.


It's a spectrum, where that liability is only a net negative past a certain point. Most WordPress users don't reach that point.


99% of the small business on the web is trivial. They never get to the point of worrying about code liability.


That's true, but even though there are plenty of tangles in the WP codebase it's not hard to do some pretty advanced customizations via plugins/themes.



