Justin is not the only person who’s asked me this one, and it boils down to “How do I run my own wp.com?”
I wouldn’t. It’s insane, and if you want just an inkling as to how frustrating it is, spend 8 hours a day, for 2 days, doing free support in the WordPress.com forums. That’s going to be your life. If you hate it, don’t do it. And more to the point … I don’t feel we need more generic ‘Anyone can host here.’ sites. The most successful modern one is Medium, which doesn’t give you a site like ‘ipstenu.medium.com’ but instead just share-posts everything. I’m personally not sold on the efficacy of it, but my point is I feel these gateway blogs are less and less necessary, the better we make WordPress software. We’re lowering the bar for people to own their own sites.
If, IF, I was going to consider it, I’d be looking at it from the aspect of a small group of people. For example “A network for small town newspapers.” I take care of the servers and code, they just write. That’s a smaller, niche, market, but also one that probably can’t afford VIP WordPress.com. You can always expand, after all.
But Justin actually has a security concern. Let me share in his own words:
I want to build a service like wp.com, blogger.com but with free and commercial themes and plugins. Drag and Drop themes (Headway, Ultimatum), plugins (Visual Composer). If my site is feature-loaded, people will come, isn’t that right? But I wonder why people don’t use all those nice software to build better than those companies. I want to ask, is it because people can insert malicious codes in css and javascript code editors?
Yes and no.
It’s not the malicious codes in CSS and JS, though that is a concern. WordPress.com has a CSS editor that you can pay extra for, and the question many people ask is “Why isn’t that free?” The issue isn’t with security, it’s support. Frankly, people who need (note the word ‘need’) a managed site like that generally haven’t a clue what they’re doing in CSS for design. They need those baked and locked themes because they’re not ready for the rest without a conscious choice and a monetary investment. You’re paying more for something, ergo it’s worth more.
But JavaScript? Well that would be security but also support. I certainly don’t want people messing with JS because it’s easier than CSS to break your site with it. Don’t believe me? Go look at everyone whose visual editors broke after upgrading to WordPress 3.9 because of plugins that don’t work well with the new JS settings in TinyMCE. Those are plugins, written presumably by people who know what they’re doing. And they broke.
Is there a security risk to letting people edit CSS? No.
Is there a security risk to letting people edit JS? Yes. And worse on Multisite (which is what WordPress.com is running) as that could break the entire network, not just one site. A bad CSS call will only break your own site on the network, after all.
But I think the question may be “What’s so dangerous about JS anyway?” and the answer there is “Cross Site Scripting” (aka XSS). XSS is a vulnerability that will allow hackers to inject scripts from their computer into your site, which is normally (in WP land) used to bypass the requirement to be logged in, dump garbage into the database, and then log in and create merry havoc on your site. I’ve been told up to 84% of all vulnerabilities in the web are XSS related. This may or may not include CSRF (Cross Site Request Forgery). The XSS article on Wikipedia is pretty good.
Based on that alone, I would not allow users to make their own javascript edits. I would perhaps provide plugins to allow them to make certain adjustments, but not anything they wanted, any time they wanted. If they need that, then they need to get their own hosting on their own server, so they only blow up themselves.
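One way to offer "certain adjustments" without a JavaScript editor, as an added example (not code from this post or from WordPress.com): a small plugin where each site admin picks from validated options and the network operator ships the script. Everything prefixed `tws_`, the `widget.js` file, and the settings form that posts to the `tws_group` group are hypothetical.

```php
<?php
/**
 * Plugin Name: Tenant Widget Settings (added example, hypothetical)
 *
 * Site admins on the network choose from fixed, validated options; they never
 * supply JavaScript. widget.js is written and shipped by the network operator.
 */

// Validate every field against a strict allowlist before it is stored.
function tws_sanitize_settings( $input ) {
    $input     = is_array( $input ) ? $input : array();
    $positions = array( 'left', 'right' );

    $position = isset( $input['position'] ) ? (string) $input['position'] : '';
    $color    = isset( $input['color'] ) ? sanitize_hex_color( $input['color'] ) : null;
    $delay    = isset( $input['delay'] ) ? absint( $input['delay'] ) : 0;

    return array(
        'position' => in_array( $position, $positions, true ) ? $position : 'right',
        'color'    => $color ? $color : '#333333', // fallback for invalid or empty input
        'delay'    => min( $delay, 30 ),           // seconds, capped
    );
}

add_action( 'admin_init', function () {
    register_setting( 'tws_group', 'tws_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'tws_sanitize_settings',
        'default'           => array(),
    ) );
} );

// Emit the operator's script plus a JSON-encoded config object. Tenant values
// reach the page only as data, never as executable code.
add_action( 'wp_enqueue_scripts', function () {
    // Re-validate on output in case the stored option was changed out of band.
    $settings = tws_sanitize_settings( get_option( 'tws_settings', array() ) );

    wp_enqueue_script( 'tws-widget', plugins_url( 'widget.js', __FILE__ ), array(), '1.0', true );
    wp_add_inline_script(
        'tws-widget',
        'window.twsConfig = ' . wp_json_encode( $settings, JSON_HEX_TAG | JSON_HEX_AMP ) . ';',
        'before'
    );
} );
```

A value such as `</script><script>...` submitted as the color fails `sanitize_hex_color()` and is replaced by the default, so it never reaches the page.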
Oh and whatever you do, don’t try to become ‘the next…’ anything on your own. That way lies madness. Get some help.
Comments
4 responses to “Mailbag: I want to make WordPress.com”
I have done this and would also not recommend it. It takes over your life, for sure.
Also, even if you have paid options the opt in rate is around 2%. Or less.
@Andrea_R: I think that depends on the add-ons. I mean, like Pippin’s EDD is awesome as is and totally free, but the add-ons make sense and are a reasonable fee for what they are. It’s a clever way to make a product that works 100% but that extra bit is more.
WordPress.com makes its moolah on mapped domains and CSS mods (and paid themes) I’d bet.
So would you say that all the above also applies to membership sites? After all WP.com could be considered one large membership site couldn’t it?
@chris odell: Yes and no. I think it entirely depends on what you’re doing WITH the site, and how much time you want to spend managing your users. Saying “A membership site” is like saying “I’m going to have a party and invite people over.” It’s a start, but it’s got none of the information anyone actually NEEDS to tell you what you might want.
What is the membership for? Do you need to track people for legal reasons? Convenience?
I don’t require (or allow) membership on my store because it’s not needed. WPCOM needs members to be able to selectively grant permissions for the sites, and segregate data. It makes sense for them. But if you make me sign up to your site just to comment, I’m going to walk away. It’s not needed, and I don’t WANT another place to have to remember a password :developer: