Ask HN: WordPress vs. Django/Flask?

WordPress is totally fine and used by many agencies in the real world. It gets a bad rep because it is extremely popular and has low barrier to entry which also attracts more eyeballs and script kiddies trying to break in due to vulnerability in some low quality plugins.

But you need to choose based on what your objectives are. WP is quick and give you decent bang for buck especially if you don't need to create something from scratch and needs to be used by non developers. It is not really comparable to Django/Flask which are actual frameworks to build web applications. WordPress is more of a Content Management System (CMS) that has been extended over the years to technically create flexible Applications but mostly for non tech users.

Use WordPRess if you want to build websites with some dynamic functionality like contact forms etc (plenty of well vetted plugins for those). Use Django/Flask if you are building a full web application with tons of user interactions.

WordPress = Web Site

Django/Flask = Web App

Django has a CMS called Wagtail, which has some really nice features including custom content blocks which allow you to easily create unique looking pages.

Wagtail has over 15,000 stars on GitHub, is heavily supported and was created in 2014. It has since been adopted by organizations such as NASA, Google, and the National Health Service.

Below is a comparison between Wagtail and Wordpress.

https://wagtail.org/wagtail-vs-wordpress/

1) If you just need a website, not any custom functionality but just the basics (i.e. a glorified blog), then Wordpress is fine. Pick a good WP hosting company and they will take care of a lot of the security stuff. WP is secure if kept up to date, and you're not using third-party plugins.

2) If you need what is called a CRUD (Create-Read-Update-Delete) website, doing something more like a spreadsheet, but with more complexity than a spreadsheet can handle, then Django makes this as easy as it is possible to be. However, you will have to do a lot more programming than with WP, where really you shouldn't have to do much programming at all.

3) If you need even more customized functionality than CRUD, then Flask is easier to customize. For example, you need to make a real-time auction site, or connect to a machine learning library to train up new models every week, or some other really non-standard thing. There, Django's features that make CRUD easier, will just get in your way. Flask is more lightweight, meaning it provides less but is also much more flexible to do non-CRUD websites.

If you are doing what a typical small company needs, then you should go with Wordpress. It can do everything you need, there is an abundant ecosystem of companies to host and maintain it for you, and all of the extra power that Django or Flask would give you, are not going to be utilized. Wordpress is fine security-wise, if you keep it up to date.

Your business requirements:

> build a website for them plus a bit of marketing stuff, and maybe a remote desktop and a platform for invoicing for their personnel.

This is a shoe-in for Django, especially the invoicing part.

Wordpress is a blog engine. It's great for letting a bunch of people log in and submit news but every feature you implement beyond that is going to be through plugins, and those are routinely compromised. All sites I've deployed that used only the major plugins (Yoast, Jetpack, WooCommerce, etc.) are still running. All third-party ones have since been compromised, which is embarrassing for me. I wouldn't deploy Wordpress for a business again unless the alternative was Magento.

Django isn't bulletproof, but it will stop you from making amateur mistakes as you build it out. There is no convenient plugin architecture with a friendly UI, which makes it harder for yourself (and the client) to change themes/plugins every week and introduce code that can be exploited.

"I am self-teaching myself web-design and the related stuff (Python mainly for everything, but HTML/CSS, C++, SQL and databases also) and a few years ago I also administered a Wordpress site for a while, so am a bit familiar with themes/addons etc."

Sounds like you trying to learn to many things at once. And you for sure do not need to learn C++ for web development. PHP is and JS/TS is missing from your list. That would be the languages to learn for WordPress. But there there are already plugins for invoicing and things you need out there, sounds like there is nothing too obscure that can not be solved with already existing plugins. So do you really need to be a programmer? Probably not.

There is a reason WordPress is used to much, I am biased because I am a self taught WP dev but WP and PHP and evolving constantly, there is a plugin for everything ...

You supposed to build a website, remote desktop, invoicing for an agency and their hired you for what exactly? What skills did you tell them you have?

Sorry but you sound very naive and I could not find what your actually skilled in. You look for "keywords"??? And you read one article about someone WP site getting hacked that makes you think WP is insecure?

Even if I try to be unbiased this sounds like a clear case for WordPress to me.

Flask (or fastAPI more recently) will give you a basic webserver... and that's about it. You'll have to do everything yourself basically. I would not go this route, unless you have no deadlines and want to learn a lot on the way.

WP will be easy to set up, but adding custom functionality can be a real pain, and lots of plugins are of ... questionable quality, especially regarding security. I personally strongly dislike WP, but it does the job so long as you keep things simple and lock down your plugins.

Django will give you a good structure and some core functionality like login out of the box, and the built-in admin site is great, but you'll need to code your functionality. It looks like you're doing some custom code so this approach could work. You could also use something like django-cms or wagtail if want some of the WP functionality.

https://www.django-cms.org/en/

https://wagtail.org/

Wordpress: Least learning curve, hard to customise down the line.

Flask: Deceivingly simple at first, but you'll spend full-time debugging it soon. It is NOT a framework for beginner.

Django: A bit more learning curve than WP, but will take you far, if you read its docs properly.

Hey there!

Using Django or Flask might be overkill for what you're trying to do. I suggest you to stick with WordPress, but check out the Sage/root style over at https://roots.io/sage.

It's not the classic WordPress; it's a modern, more secure version (not more secure but less prone to some common automatic attacks).

Also only use plugins when you absolutely have to, and if you do, stick with the pros (i.e. Gravityforms).

I've used WP alot (more than 1000s of websites) and I'm also using Python with Flask and FastAPI (but never used Django).

They are totally different axis.

WP is mostly small business workhorse, nearly all included in package (admin, editor, lot of third party addons), which is good enough for small scale, cheap and simple (most things could be done without developers), but not scales well.

So if business grow, at some moment it will be very hard to use WP, and/or business will be slow down if continue use WP.

Django is better when have developers team, it is full featured framework, have many things included into one officially supported package (but not as complete as WP), optimal for medium business, and with good developer/ops, could serve any scale, but it have too steep learning curve for start small.

Flask, could be considered as simplified Django, also good, but to make same things as Django, you need to create modular design from many separate packages, which are not orchestrated/supported by one official source.

So with Flask you probably will start faster than with Django, (I myself spent ~half of year to learn Django, with Flask I started in weekend), but you may encounter problems, when some dependency will be changed too much, so you will need to recreate interface for it.

Unfortunately, Django does not offer standard way to transit between major releases, but within one major release you could expect minimal efforts to transit, if use standard components. Many things, possible to recreate on other version, just by change config and/or database scheme, so many works could be done by ops (Admin/Database administrator).

WP also does not offer standard transition way, but in many cases it is just very simple to recreate all from scratch, many works could be done by just user and some things need ops.

With Flask, when you need to transit to other version, you probably, will recreate all interfaces between components, need programmer to do this, also ops.

Go with the one you know. "WP got hacked" is (~99% of the time, when on a competently-run web host) a case of (1) Webmaster used an iffy WP Plugin* or few (the plugin was obscure/orphaned, and not getting timely security updates), (2) Webmaster didn't bother installing Plugin security updates, (3) Webmaster disabled WordPress' own automatic security updates, or (4) Webmaster wasn't smart about his admin password.

*or Theme, or other 3rd-party code

If you don't have a developer, you need WordPress or an alternative.

The description isn't enough to know if it's something wordpress could handle out of the box.

There are places that host and manage WordPress. If you don't install any plugins, WP is secure enough.

The difference in a Django hello world and a fresh WordPress install is like a million lines of code.

Use Wordpress (or Wagtail) as a headless CMS to let your client add and edit content, and hit the endpoints to hydrate your templates in your front-end framework of choice.

My workplace has multiple WP sites and Shopify stores, and I'm thinking of trying to consolidate all of these under a single presentation layer, probably with Gatsby.

I think you are smart to be nervous. There is risk when you don't know very much but are getting paid by a company to do technical things to enable their business.

Consider what is commercially available. Selecting, configuring, integrating, and supporting software services is still something you can charge for. Small companies pay for efficient results, they don't typically care how much code you personally write.

You could build their marketing site on a fully hosted solution like Squarespace, Wix, Weblow, etc. Or if you want to use Wordpress, stick to something like Wordpress.com or WP Engine with a commercial template and all auto-updating turned on. Make it easy on yourself and outsource security to folks who know what they are doing.

Remote desktop and invoicing also sound like needs that can be met more efficiently and securely by available commercial solutions.

As a Django fanboy, I recommend you choose WordPress everytime.

It takes care of 99% of the things a marketing website needs to have. For the 0.999% other stuff it doesn't include, the plugins can take care of it.

"But what I'm building falls under those 0.0001% cases not covered :/"

Oh, then use Django.

1) Lots of Wordpress (WP) sites. This makes it quite easy to find devs (to maintain the website in the future). There are also lots of plugins making it easy to add functionality/features.

But easy availability of plugins leads to high probability of hacking. Put another way, a WP site needs constant monitoring/upgrades of the plugins to avoid being hacked. This means $$ out of pocket for website owners but money for developers.

2) Personally, I don’t recommend WP. I prefer Python/Flask (I’m more familiar with it) or Django. You can build the site and essentially forget about it.

In addition, I prefer separating front end code from back end code (for WP, you use PHP which combines both html and server side code in same file)

WordPress for any content-focused site - especially where non-technical users will need the ability to modify content.

Django for any functionality-focused site or web application.

Flask for quick APIs of limited functionality that just need to "get done now".

I'd recommend for your use case Wordpress (or static site generator like MkDocs).

You can use the one hosted in wordpress and change the domain, so you don't have to worry about hackers or anything. This one is a plug a play, so unless you want to do a custom template/plugin you don't need to learn to code.

* Django is like a wordpress but less popular and less SEO friendly (or less popular for them).

* Flask will require you to learn a lot of html, python, etc.. it will consume you a lot of time to get to the same point to the other 2. Flask can get better results than the previous two but for your use case I don't think it really matters.

You had also mentioned you were looking to create a platform for invoicing. There are several Django apps that offer invoicing functionality. I do not have experience with any of them, but below is a good feature matrix which should allow you to drive decisions as you prototype and test them out.

https://djangopackages.org/grids/g/invoicing/

Wordpress with as few plugins as you can manage; and then only use super popular plugins.

Minimize customization, and keep it updated.

Then someone else can always work on it.

Wordpress is the perennial hacking target because of its popularity.

The core is fine but the attraction of WP is not so much the core but the huge number plugins and many plugins are not fine (but they dont say so on the label).

You cannot go wrong with Wagtail, but its learning curve is steeper. It doesnt come much out of the box.

Where are all these HN posts you're talking about Wordpress installs being hacked? Not saying it doesn't have some risks / for a very long time, but there aren't posts on here about it regularly.

Or here's a follow-up question: can Django/Flask provide the same functionality/user experience as Wordpress?

Given you're willing to learn some code, I'd go with Flask — it's fairly easy to get started with IMO. It might be a better fit for more complex apps, but should be fine for marketing stuff as well. You do have to implement pretty much everything from scratch though (or, more realistically, use plugins).

WordPress is incredibly bloated and has a terrible security history, mainly due to insecure plugins but not only.

I can't imagine ever choosing it over Django with Wagtail. It's a little bit more work to implement and maybe maintain, but the payoffs are well worth the investment.