Does anyone have experience embedding Phoenix LiveView into a wordpress site? Perhaps as a plugin with shortcodes?
I need to replace an 11-year-old website written in Rails 2.1; it’d be a complete forklift to get it running on a current Rails platform, and if I’m going to have to forklift it anyway, I could get a huge boost by using Wordpress for the core framework and Elixir/Phoenix for some interactive parts for which there is no existing Wordpress plugin. I’ve already got the Rails database models set up in Ecto so I can play with the existing database.
But I’m not keen to learn enough PHP to be able to write fancy interactive UX. There’s not, to my knowledge, anything in PHP that’s like LiveView. So I’d like to use Wordpress for the CMS parts, and LiveView for some low-level interactive parts.
I want to start by saying that I started as a PHP developer, and now I am a Developer Advocate for Security.
Wordpress is a nightmare when it comes to security; just check here the amount of CVEs it has every year, and this isn’t the full picture.
In all my years as a PHP developer I saw at first hand servers with Wordpress being compromised to be used for DDoS attacks or hijacking the Google search index.
One big domain registrar and host provider that I was using some years ago had the majority of their clients’ Wordpress installations hijacked to be used in an attack against US. Note that the blame was not on the host provider, just on Wordpress and how the clients deployed and secured it.
A few days ago, Caleb Porzio demonstrated some work he’s been doing to replicate Phoenix LiveView in Laravel. I’ve been building PHP preprocessor stuff for a long time, and this really inspired me to try the same thing.
Yikes. That certainly paints an ugly picture, security-wise.
This site has a primitive homemade content management system that I wrote in 2006. I was hoping to replace it with Wordpress, so that the client can edit it more easily and we can take advantage of a mostly-off-the-shelf responsive template. However, for whatever reason, the site (which has about 16,000 customers annually) has withstood dozens of attempts to hack it, the most recent attempt of which lasted about 4 days.
Given that I have a decent understanding of security, I think I will be able to install it in a relatively secured fashion, but you do give me cause for concern, so I’ll rethink the plan.
Even given that, I still think that the Wordpress community could benefit from a way to have pages talk to an Elixir backend, so I’m investigating what would be required to embed LiveView into a page.
Many thanks for the heads up re: security weaknesses!
It’s very hard to secure, because when the code is flawed, even the best DevSecOps cannot work miracles.
You need to remember that the code base of Wordpress comes from the PHP 4 days, and while they have improved it enormously, it still has huge potential for security issues, simply because of its architecture and design choices, which may have made sense at the time but don’t anymore.
Anyway, the most dangerous part is when you start installing plugins made by non-Wordpress developers, because a lot of them don’t have a clue about security, and some plugins are just available with bad intentions, like acting as malware or backdoors.
Once things settle down in my life I was thinking of tackling a first release of an Elixir sqlite3 library and then an Elixir WordPress read-only frontend (no CMS, just the WP page-rendering part). Stay tuned for announcements on this forum, but it’s likely going to be in at least 6 months, if not 9-12.
I believe you should evaluate other options. There are many good CMS-es out there nowadays, like TinaCMS. There are headless ones like Contentful and DatoCMS (although you’ll have to write your own UI for those).
I am not denying the obvious ubiquity of the WordPress CMS but IMO it has been allowed to coast on past glory for way too long. I can dig some more links if you are willing to look into alternative CMS-es (this is an interest of mine as well but currently it’s a low priority, sadly).