2015 Predictions for WordPress and Beyond

So 2014 has been a pretty awesome year for WordPress, PHP and all the stuff I talk about here on this blog. 2015 is looking to be even more interesting, so here are a few of my predictions for major talking points in 2015.

Let’s start with the negative one, which is security. 2014 has seen numerous plugin vulnerabilities and an incredibly serious one in WordPress core. It’s important for everyone to remember that nothing can ever be 100% secure without also being non-functional, so everyone should be taking pragmatic steps when it comes to security, not just with WordPress but with anything they do online. Anyway, on to the prediction:

"At least 1 major commercial plugin will suffer a catastrophic security bug, forcing the closure of the plugin/company behind it.
WordPress Core will have at least 1 security update next year."

To be honest this is probably the safest prediction. While WordPress core is reviewed regularly and, as the most popular CMS out there, is often reviewed by security teams and expert individuals, it’s inevitable that at least one serious vulnerability is hiding somewhere in its codebase. While w.org hosted themes are not security checked on a regular basis, an initial review is conducted, and the plugins team have far greater control over proactively managing security issues in plugins hosted on w.org. Likewise, functional and unit testing is starting to creep into the WordPress ecosystem, and while only a fraction of plugins are unit tested, such tests should help reduce the edge cases that vulnerabilities so often rely on.

In the commercial WordPress world it’s pretty much the same old story. Too often people simply assume that because they are paying they are getting a superior product, but (certainly from a code standpoint) that is rarely the case. While there are some great commercial WordPress products out there, most are truly terrible from a code perspective, and a project with a closed source mentality (regardless of its actual licence) has to rely on the developers within the organisation. Not such a problem for IBM, Google and Microsoft, but at your average theme shop, where the number of devs is 0, it’s more of an issue. Without external collaboration you are relying on the skill sets and knowledge within the organisation, which means every so often you will find a gem, but most of the time you will not.

So what has this got to do with a major security issue? Well, many commercial products are built on dodgy foundations and the code often has limited opportunity for review. This means a project which becomes popular can suddenly be deployed on a large number of sites without any form of security review. It’s certainly not inconceivable that a plugin (say, from a shop focused on its sales and marketing rather than its code) might have a vulnerability not dissimilar to the recent XSS exploit in core.

With that in mind, how would you expect such an organisation to react, versus how would you want them to react?
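To make the class of bug concrete, here is an added example (my code, not code from the post or from any named plugin) of the pattern behind most plugin XSS reports: attacker-influenced strings concatenated straight into HTML, beside the same feature with output escaped per context. The plugin, shortcode and option names are made up for illustration; the escaping and sanitising functions are WordPress core’s own. It uses closures, so it needs PHP 5.3 or later.

```php
<?php
/**
 * Plugin Name: Escaping Demo (hypothetical example plugin, not a real one)
 *
 * Two versions of the same shortcode. [greet_unsafe] shows the pattern
 * behind most plugin XSS reports: attacker-influenced strings concatenated
 * straight into HTML. [greet] is the same feature with every value escaped
 * for the context it lands in. Shortcode and option names are made up.
 */

// VULNERABLE: attribute and option values are returned verbatim.
// Anyone who can place the shortcode, or write to the option, can inject
// markup, e.g. name='"><script>alert(1)</script>' or link="javascript:...".
add_shortcode( 'greet_unsafe', function ( $atts ) {
    $atts   = shortcode_atts( array( 'name' => 'world', 'link' => '#' ), $atts );
    $banner = get_option( 'demo_banner_html', '' ); // stored HTML, never sanitised
    return '<div class="greet">'
        . '<p>Hello ' . $atts['name'] . '</p>'
        . '<a href="' . $atts['link'] . '" title="' . $atts['name'] . '">more</a>'
        . $banner
        . '</div>';
} );

// HARDENED: escape on output, one escaper per context.
add_shortcode( 'greet', function ( $atts ) {
    $atts   = shortcode_atts( array( 'name' => 'world', 'link' => '#' ), $atts );
    $banner = get_option( 'demo_banner_html', '' );
    return '<div class="greet">'
        // Text node: esc_html() encodes < > & " ' so the value cannot open a tag.
        . '<p>Hello ' . esc_html( $atts['name'] ) . '</p>'
        // href: esc_url() encodes the value and rejects javascript:, data: and
        // any other scheme not in wp_allowed_protocols(), returning '' instead.
        . '<a href="' . esc_url( $atts['link'] ) . '"'
        // Attribute value: esc_attr() (quotes included).
        . ' title="' . esc_attr( $atts['name'] ) . '">more</a>'
        // Rich text that must keep some markup: wp_kses_post() strips everything
        // outside the post allow-list (script tags, event handlers, bad URLs).
        . wp_kses_post( $banner )
        . '</div>';
} );

// Sanitise on the way in as well, so the stored value is clean before it is
// ever output. Output escaping stays regardless: data can reach wp_options
// by other routes (imports, WP-CLI, other plugins).
add_action( 'admin_init', function () {
    register_setting( 'demo_options', 'demo_banner_html', 'wp_kses_post' );
} );
```

The review check is mechanical: every `echo` or `return` that builds HTML should have each variable wrapped in the escaper matching its context (text, attribute, URL), with `wp_kses_post()` or a stricter `wp_kses()` allow-list wherever markup has to survive. Stored XSS is exactly the `$banner` case: sanitising on save is defence in depth, but output escaping is what actually stops it.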

Let’s move on to something a tad happier….

WordPress will continue to grow! Will it hit 25% by an independently verifiable source? Possibly not. Will its growth be hit by the Drupal 8 release? Probably not. But while I predict growth, I don’t see an increase in the rate of growth; rather, 2015 will see only modest growth.

WordPress is starting to make large inroads within enterprise environments, and walking into a scoping meeting for a new brand site it’s not uncommon for WordPress to be the central proposal. What has changed is that many IT departments are no longer putting in the number of blockers they used to.

This year has seen significant growth in WordPress sites within UK central and local government, hosting everything from transport to the Ministry of Justice. This looks set to continue.

While w.org officially doesn’t support anyone (rather, it is made up of volunteer-led support forums etc.), the recent release of backported security patches for many 3.x versions is a very positive step when it comes to enterprise. You would think that with all their resources enterprises should have an easier time with upgrades, but they often have business processes in place that make upgrading a site problematic. The separation of security patches from feature upgrades is an important one for greater reach into enterprise.

The second thing enterprise needs is viable consulting partners, and WordPress is starting to have those, assuming Automattic (the company behind WordPress.com) doesn’t keep buying them up. Through the wp.com VIP program, and with a few larger branding agencies embracing WordPress, we now have a top tier of 5-10 agencies in a position to provide support/management services to enterprise-level clients.

I mentioned Drupal; let’s also throw Magento into the mix. Both have their next major releases scheduled for 2015. Both projects have adopted more traditional product cycles, and both have had massive delays with their respective new versions.
That said…

Drupal 8 is sweet. Seriously, if you are a developer, go play with the beta; it might almost convince you to build your next project in Drupal. However, it’s still got its wacky terminology and its overcluttered interface, and it needs a lot of setting up. While it’s more user friendly, it still leaves you bewildered after setting up. Under the hood, however, it’s built on Composer and Symfony2 components, following the PSR specs. It has a highly intuitive web services API baked into core, with a lot of emphasis on extending from that API rather than its other publicly exposed APIs. For themes it uses Twig as a templating language, which really does mean your theme designer never needs to see PHP code again.

So how has Drupal managed this metamorphosis?
First off, it’s taken a long time. It seems like a decade has passed since Drupal 8 was announced, and while it’s not quite been that long, this has been a major project.

It’s not entirely backwards compatible, and while there is an upgrade path from older versions of Drupal, it’s not as simple as overwriting the files and hitting "update database". This controversial approach has allowed them to do wholesale rewrites, using the latest (or, when they started, latest) version of PHP and the myriad features it brings. Something as simple as namespaces totally transforms the project.

The cost: existing users. With <10% market share and a historical reputation for complexity along with a higher barrier to entry, this is a cost the people behind Drupal believed was worthwhile.

Magento 2 is also scheduled for release, and this is the first really big release since Magento Inc was bought by eBay. The story is very similar to Drupal: a more or less complete rewrite introducing new technologies, and again Composer is at its heart. Why refer to Magento in a post predicting stuff for WordPress? Well, because some people reading this will continue to build e-commerce solutions on WordPress using plugins like WooCommerce, so it's important that they see developments in, for want of a better term, real e-commerce systems. Magento 2 is a massive step for Magento, and if you run an e-commerce site I strongly suggest you check out the developer preview at https://github.com/magento/magento2

So, two major competitors of sorts, both with major rewrites on the way. How does this affect WordPress? Initially I don't think we will see much influence, but increasingly over time the drum beat to modernise the WordPress codebase is growing louder. Pretty much every week another voice questions the choice to remain outside PHP-FIG (though informal representation does happen) and the choice to remain on PHP 5.2.

The arguments for and against jumping PHP versions are well documented. Drupal's userbase has had to overcome many obstacles to get their CMS up and running, so finding a host with the correct PHP version is not seen as an issue; WordPress users, on the other hand, are seen as incapable of selecting a host with PHP 5.4/5.5 or higher. There may be some truth to the argument, especially as the figures presented by the WordPress core team do seem to show a significant percentage of WordPress installs on PHP 5.2. Of course it's a catch-22: hosts haven't bothered to upgrade because WordPress still supports PHP 5.2, and WordPress won't upgrade because hosts haven't upgraded.
Worth bearing in mind: PHP 5.2 is no longer supported by PHP.net, nor by any major Linux distro, which means it gets no security fixes. If you run 5.2 for anything but testing, get your host to update.

So will 2015 be the year WordPress bumps its minimum PHP version? I think maybe. The problem is it's become a bit of a political hot potato; several arbitrary lines have been drawn in the sand, and if they are maintained stubbornly then no, we will be looking to 2016 or beyond. If there is a shift in view on the point at which something should no longer be supported, and in the face of increasing pressure from being the last remaining project supporting PHP 5.2 (it is certainly starting to feel that way), then maybe.

It may seem really minor, but increasingly the WordPress world and the rest of the PHP community are drifting apart. Two years ago I gave a talk on how, if we didn't do something drastic, we would have a shortage of WordPress developers as they literally start dying out. My argument was that as the next generation of PHP developers leave school and head for jobs, they will be working on projects where WordPress seems alien and backward to them; as the rest of the community gets closer code-wise through projects like Composer, WordPress is drifting further away. If we continue along this track WordPress is likely to become a specialism, and not in a good way, but in a COBOL developer way. While this doom scenario hasn't quite happened, the gap is there, and it is widening. Thankfully people are taking steps to address it at the community level, with props going to Jenny Wong who will be keynoting PHPUK on this subject.

So if we can bring everyone back together at a community level, maybe it's time to do it at a code level as well?

One final thought. I don't release plugins on w.org, mainly because I don't by default write plugins using the WordPress coding standards.
I make heavy use of namespaces, and half the time they are written in Hack, or at least target 5.4. Sure I can backport all of that, and at times I do. But this is me, pillar of the community (haha, laughs at own weight joke), and if I'm doing that think how many others must be doing the same? Perhaps it's not as bleak as it first appears, we just don't have a way to show it?

Wow... I think I got a little carried away with the political stuff, important but not really interesting. I did mention Hack, so let's move on to my next prediction:

"HHVM will become a standard or at least an option on most major WordPress hosts, and you will see a lot more Hack plugins around."

This year's big news in PHP has been the rise of virtual machines and just-in-time compilers. HHVM is leading the way, though several others have popped up, and the official PHPNG will be arriving, well, probably some time never, but there is real enthusiasm about it at the moment and if nothing else HHVM has stirred up the PHP world. For those who live under a rock, HHVM is a project by Facebook with the goal of speeding up PHP, though with the introduction of Hack (the second worst named programming language after Google's Go) this goal has been expanded. Hack is one of the big changes in my workflow in 2014, and I think its adoption will increase in 2015 now that large parts of xdebug are implemented, meaning it's actually possible to debug your Hack applications. Because it interoperates with PHP, themes and plugins can make use of Hack as they see fit. In my last two projects 90% of the PHP code was written in Hack, and I can see this growing. The big news is that the HHVM project has introduced a backwards compiler to allow portability to non-HHVM setups.
This means we may well see more Hack-based plugins or dual plugins, though they are unlikely to be in the official w.org repo, at least not for a while. So in 2015 expect more hosts offering HHVM as standard, and more people writing about how they use HHVM and Hack. Meanwhile keep an eye on the other virtual machines for PHP... it won't take much to knock HHVM off its perch.

We haven't really touched WordPress yet, so let's get into some WordPress-specific stuff.

The WordPress JSON REST API will be in core by the end of the year. Not sure if this is a prediction or just a huge wish; it seems every major release of WordPress we hear the WP-API will be in the next one. However, in 2014 momentum has been building, with the core team talking about the WP-API not just within the WordPress community but externally at conferences. That being said, there is still a lot of work to do, and however much I want the API it needs to be implemented properly or it's just going to be a mess. Regardless, I can't wait for the API to land, and with rumours that the Twenty Sixteen or Twenty Seventeen theme may make heavy use of the new API they will need to get a move on!

One thing the WP-API project has shown is the success of features as plugins. The idea is that rather than building a new feature into core, it's built initially as a plugin, tested etc., and then merged into core. The idea has been a raging success and means features are developed by small teams, then easily tested before being merged into core, or sometimes left as plugins to be developed separately when they are deemed not appropriate for core. This methodology really shows off one of the core tenets of WordPress: its modularity.
Which introduces another prediction, and probably the furthest one out there so far: serious discussions about restarting the BackPress project will occur.

BackPress was/is a project to strip WordPress core right back to a core set of common features and make everything else optional, the idea being that if you wanted to run, let's say, a forum, you would run bbPress, which would be BackPress with bbPress on top. The BackPress idea was a brilliant one, but suffered as WordPress core development outpaced that of BackPress. The new features just couldn't get backported quickly or easily, the two projects diverged, and BackPress more or less died. The final nail in the coffin was when bbPress became a WordPress plugin rather than a BackPress project.

However, just imagine if on the jump to PHP 5.3 a radical idea was proposed: a stripped-down core, with a default set of plugins for additional features. So your default WordPress install consisted of:

- BackPress
- WordPress Admin Area
- Post/Page plugin

If you wanted to add a forum you would add:

- BackPress
- WordPress Admin Area
- bbPress Admin
- bbPress Post Types
- bbPress Functions

For e-commerce, you simply load the e-commerce plugin and associated plugins of choice. Suddenly WordPress, or rather BackPress, becomes the "platform" everyone talks about. We get a nice stable core, and everything else becomes a plugin. Sure it's going to take some work, and dependency management will be a bitch, but what a wonderful dream it would be. Still, a dream is all it will be, so the prediction is it will become a conversation piece, a brief revitalisation before BackPress truly dies.

Wow...
that went depressing quickly, let's get back on track with another prediction: Elasticsearch is going to be the next new cool thing. I mean it already is, but with 3 or 4 major Elasticsearch plugins available now, and with Automattic relying on it so heavily for things like Related Posts, expect to hear a lot more about how to integrate Elasticsearch with WordPress, and not just for search. Next year I expect to see a lot of sites offloading all front-end queries from MySQL to Elasticsearch. Some really interesting ideas are already starting to bubble to the surface with Elasticsearch, faceting and the new WP-API.

Moving on, anyone who follows me will know I am a strong supporter of everyone using SSL on their sites regardless of what they do. Well, 2015 is the year SSL becomes the norm. There are two separate projects to offer free SSL certificates to everyone on the web, and with SPDY in widespread adoption there is no reason not to run SSL as standard on your sites. I mean, now that SSL (TLS) is a broken, mangled mess it's about time we all adopted it, after all.

I think those are my tech predictions. Now let's move on to some community thoughts, again a mixed bag. At least here in the North of England we have a healthy WordPress user group scene, with Sheffield, Manchester, Leeds, Newcastle, York, Preston, Oldham & Kendal all having local WordPress groups, and a Huddersfield user group is also coming online in 2015. The rest of the country doesn't look quite so good, however my prediction is this: we will see another 6-8 UK meetup groups start within the year. I look forward to going to them all. I also think we will see 5 WordCamps within the UK. Three are already announced (London, Birmingham and Manchester), and something is also afoot for Yorkshire as well.

Online, the WordPress community will continue to grow in all directions. I have yet to work out if I think this is a good or bad thing.
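Back to the SSL-everywhere point above before the personal stuff: the part that trips people up is not getting a certificate but making sure the site actually uses it on every request. Here is an added example (my code, not the post's) of a small must-use plugin that redirects plain HTTP to HTTPS and sends an HSTS header. The reverse-proxy handling and the max-age value are assumptions to adapt to your setup; the WordPress functions used are core's own.

```php
<?php
/**
 * Plugin Name: Force TLS (example; drop into wp-content/mu-plugins/)
 *
 * Assumes the 'home' and 'siteurl' options already use https:// and that
 * wp-config.php defines FORCE_SSL_ADMIN as true (covers wp-login.php and
 * wp-admin). This file handles the public front end plus HSTS.
 */

// Behind a TLS-terminating proxy or load balancer PHP never sees HTTPS, so
// is_ssl() is false and the redirect below would loop forever. Trust the
// forwarded scheme only if your proxy strips client-supplied copies of it.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Send every plain-HTTP front-end request to its https:// twin.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    // Take the host from the configured home URL, not from the Host header,
    // so a forged Host cannot point the redirect at an attacker's domain.
    $host   = parse_url( home_url(), PHP_URL_HOST );
    $path   = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    $target = 'https://' . $host . $path;
    // wp_safe_redirect() additionally refuses hosts outside WordPress's allowed list.
    wp_safe_redirect( $target, 301 );
    exit;
}, 0 );

// Once a browser has loaded the site over TLS, HSTS tells it never to try
// plain HTTP for this host again. max-age is an example value: start low
// while you hunt for mixed-content breakage, then raise it.
add_action( 'send_headers', function () {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=300' );
    }
} );
```

Two things to check after enabling it: browsers ignore an HSTS header delivered over plain HTTP, so the redirect has to work first, and any hard-coded http:// asset URLs in themes or content will now show as mixed content rather than silently loading.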
Which leads me on to my own world, which is going to be rocked by the arrival of my daughter in March, all being well. This means I'm cramming lots of work into the next two months so I can have a month off, except for WordCamp London... oh, and speaking at another major conference. However, 2015 will be an interesting year, and my personal goals are:

Getting along to every meetup in the UK just once. I have visited most of them, but a couple of southern ones are missing, so I aim to get down and meet folks at those meetups.

Talk at more conferences. Last year I only spoke a couple of times for various reasons, but I will make more of an effort to get out and speak at conferences. I'm currently down to speak at 3 within the first quarter, and I have a few more yet to be confirmed.

We will also be doing more video content. While the opening batch hasn't gone down as well as we hoped, with a huge amount recorded, in editing or planned it feels a bit late to change tack. Still, I'm making changes in the order and way we release content, so hopefully people will find the content useful and consider helping speed up video production via Patreon.

Other than that I will be doing more training workshops, in person but also looking at online as well, though I haven't entirely worked out the practicalities yet. There are also rumours of a book... they are true, though currently no other details are available, even to me!

Finally, I'm always available for training and consultancy, so feel free to drop me a note if you have an interesting project.

So those are my 2015 predictions, thoughts and worries. 2014 has been a blast, and I hope everyone is looking forward to 2015! What are your predictions? Agree with mine, strongly disagree? Let me know in the comments.
