The future of online communities

danielunited

What do you think is the future of online communities? Do you think Flarum will be the next WordPress? Share your thoughts 🙂

tankerkiller125

danielunited In some senses yes, I want to see Flarum succeed like WordPress. I do not however want to see it get the bloat and the horrible security reputation that WordPress has.

Zeokat

tankerkiller125 Comparing the reputation of security between Wordpress and Flarum is totally unfair. WordPress was born in 2003, it has been on the web for 17 years and in its beginnings, there was not even the computer security awareness that exists today.

Also you can't compare software such as WordPress that serves 32% of Internet websites with Flarum, a software that does not even reach 1%.

danielunited At the current Flarum stage, I think that WordPress maybe will be the next Flarum 😅

jordanjay29

Zeokat Comparing the reputation of security between Wordpress and Flarum is totally unfair. WordPress was born in 2003, it has been on the web for 17 years and in its beginnings, there was not even the computer security awareness that exists today.

Dunno about that. SMF launched around the same time, and it's been very diligent at tackling security problems when it becomes aware of them. I haven't obsessively followed them for a few years now, but last I checked they were still keeping on top of new issues as they happened. Culturally, too, SMF's security reputation is better by miles than Wordpress'.

It's not about the time period, it's just about the attitude. Taking security seriously is what makes it count.

[deleted]

jordanjay29 Taking security seriously is what makes it count.

Couldn't have put that better myself.

tankerkiller125

Something else Ill add to the security standpoint is that WordPress almost weekly has some news article about an extension that has a security flaw that allows a attacked to wipe out your entire site, modify the site, etc. Further WordPress ships insecure by default with the API files that that are not needed by any modern extension but pose huge security threats. And if want to put the nail in the coffin on security I can just finalize this paragraph by saying that WordPress still insist on using MD5 hashing even on brand new installs, a hash algorithm that security experts and developers as a whole have abandoned for years.

So far from what I've seen from the Flarum community is that extension developers start working to fix problems sometimes hours after it's been discovered, the Flarum team itself publishes bug fixes to core within days to correct issues and I might also add that Flarum is built on top of PHP libraries that are battle tested by huge applications and companies instead of building its own.

The culture around security is critical, so far Flarum has taken security very seriously and so have the extension developers. WordPress has a history that when put in the limelight just doesn't look good.

[deleted]

tankerkiller125 👏 a great response and completely true. WordPress has a habit of holding onto old standards. Just look at BuddyPress.

rob006

tankerkiller125 Although you're right, the main problem with WordPress security is not hashing algorithm or API, but extensions ecosystem. And in that matter Flarum is in a pretty similar position than WordPress - extensions are mostly free and created by hobbyists and amateurs. It is just a matter of time when some serious issues pop up in popular 3rd party extension (there was already a leakage of private discussions) and the "insecure" label will stick to Flarum because of that.

luceos

rob006 wow you just labeled me as a hobbyist and amateur. Thanks 😘

askvortsov

rob006 I disagree with this. Right now, the main goal of the core team is to build an extender API that lets extension developers develop quickly and efficiently without significantly endangering security. Of course, it's possible to make an extension that breaks security, otherwise extensibility would be extremely limited. And larger extensions, naturally, will be more complex, but that holds for any software product. But the reason why software like Wordpress gets bad reputations for security is because their extension API is clunky and poorly designed. As a contributor, my goal is to minimize accidental security issues through helping build a robust API.

Additionally, as luceos mentioned, some of the most widely-used extensions are created by, or adopted by, organizations like Friends of Flarum that have robust, professional development teams.

rob006

luceos "mostly". But you will see what you want to see. 😉

luceos

askvortsov wow, you just labeled me as professional. Thanks 😘

The day is going well ❤️

rob006

askvortsov But the reason why software like Wordpress gets bad reputations for security is because their extension API is clunky and poorly designed. As a contributor, my goal is to minimize accidental security issues through helping build a robust API.

I wish you the best with designing this API, but there is no such API that will prevent mistakes. Even core extensions forgets to check visibility rules before displaying some data. Same for FoF extensions. If professional development teams made such mistakes, how could you expect more from amateurs that want to write the first plugin for their forum?

This is not a discussion "whether Flarum is better at security than WordPress". You will always have security issues at some point, it is just matter of time. It is important how you deal with them. Flarum should copy good solutions from WordPress and learn from its mistakes. Pretending that "Flarum is better than WordPress and it will never have such problems with security" is just naive.

danielunited

You're talking about the whole security/development aspect of it (typical developers 😃), but what do you think about the future of online communities in general? Will they become more and more common? Do you see Flarum become as popular as WordPress?

rob006

danielunited Do you see Flarum become as popular as WordPress?

Not a chance. 😃 It is just much easier to create your own blog and write some posts on it, than create forum with active community. Unless Flarum will explore other use cases (Flarum as blog, issue tracker, wiki, etc.), it will be limited by its own niche.

askvortsov

rob006 I don't think (or at least I hope not) that anyone assumes that Flarum is immune to security issues. I think there are certain factors in Flarum's design that improve security, but as with any software, issues sometimes creep through. We try to do our best to respond quickly and prioritize security. And of course it's absurd to say that the extender API will completely prevent mistakes, but what it CAN do is make security best practices easier.