The thing I enjoy the most about being an online business owner is this: Nobody can take away what I have built with SBI! - John Shank, SBI! member since 2003

The Latest Rumors About WordPress Are Wrong

wordpress-blog-post

Calypso has been the hottest topic in the WordPress community over the past week, following this announcement from Matt Mullenweg. While many have praised the development as genius, and a long time in coming, others have been less generous in their comments. In fact, there are some rumors and ideas being fervently discussed in various WordPress groups that are flat out wrong.

It all stems from confusion about what Calypso really is, and how it’s changing WordPress and the future development of that platform. Developers who have invested incredible amounts of time to create themes and plugins that are based on the traditional WordPress platform are understandably concerned that all of that work, and the basis for their businesses, could be going up in smoke.

We’re going to review how WordPress works today, how Calypso changes the platform, and what that really means to developers and site owners alike.

The Players

To understand how WordPress works in the background, let’s think about what happens when you go to a fast food restaurant. You order a burger and a few moments later you’re walking to your table with a tray filled with food. Is it magic? Nope. Behind the scenes, several employees were working hard to get your burger assembled to the chain’s standards. In the same fashion, when you load a web page, several things go on behind the scenes until a few moments later you see the page you requested.

HTTP Requests

There are 2 main actors in play when you access a web page. The first one, considered the front end, is the browser. When you type in the URL or click a link, the browser calls the second actor – the web server – requesting that page. The server identifies the type of file being requested and reads it into memory. Depending on the type of file, it will execute a set of instructions and then spit out the result for the browser to display. Simple enough, right? But where do PHP, MySQL, and JavaScript come into play?

PHP is considered a server-side language. It’s just one of many, but like any server-side language, it has no say whatsoever in what the browser does. The same goes for MySQL, one of many database systems. The web server calls the PHP script, which in turn calls the database, before generating the HTML code that gets sent back to the browser. That’s pretty much all that the browser reads.

However, a basic HTML page is dull and isn’t very useful by today’s standards. So browsers also have the ability to style the HTML output using CSS (Cascading Style Sheets), as well as execute predefined instructions that it gets from JavaScript blocks or linked external files.

For example, here’s what the wordpress.org site looks like with- and without CSS styling.

image01image00

Bottom line – JavaScript is for browsers, PHP and MySQL are for servers (with the exception of Node.js which is a mini web-server that runs JavaScript in the back end. Calypso runs on a thin layer of Node.js to generate the initial page, but has not dropped PHP/MySQL altogether). More on this in a moment.

REST API

REST means Representational State Transfer. It is an architecture style that relies on regular HTTP requests from the front-end to the back-end. In short, it’s basically a one page load that calls several other mini page loads during the same run. Each mini call loads a piece of information.

WordPress

WordPress is a Content Management System; system being the operative word. Its strength comes from the ability to extend it with plugins and themes. All WordPress plugins and themes are written in PHP and use MySQL to fetch and store data. In WordPress.com, the number of plugins and themes are limited and users do not have the power to install new ones – only to turn on those already vetted by WP.com. Self-hosted WordPress.org users have over 10,000 plugins to choose from, again, all of which are built in PHP/MySQL.

The Problem

Now, let’s get back to Calypso. I saw a slew of incorrect reports and conclusions because of this statement on Calypso’s home page:

“The new WordPress.com codebase, codenamed “Calypso,” moves WordPress.com away from MySQL and PHP. It’s built entirely in JavaScript, and communicates with WordPress.com only using our REST API.

This statement led people to believe that WordPress.com no longer uses any PHP and MySQL. If that were true, it would mean that either they broke hundreds of plugins and themes that relied on the database, or modified them all to work with the new technology. Neither are likely. Especially since they say they use REST API.

It’s also a very confusing statement. The new WordPress.com codebase communicates with itself using their REST API? If you’re running from inside a single codebase, there’s really no reason to make an external HTTP request to yourself.

The fact is that Calypso, WordPress.com’s new Admin Interface is mostly just that – an Interface – a Client Side interface. Using our fast food analogy, to suggest that WordPress.com would no longer use PHP/MySQL is like you asking yourself for a burger, not using any bread or meat, and still expecting to get a tray filled with the same exact food as a result.

The PHP server language, and the MySQL database structure, is still a very necessary element to WordPress’s ability to deliver filling content.

This has been confirmed by WordPress:

The old WordPress.com page (or any web page, for that matter) never had any PHP and MySQL to begin with – just a ton of HTML, CSS, and lots of JavaScript. Is Calypso better than the original admin interface? Sure, it looks better and runs faster, but the announcement had misleading statements that essentially blows it out of proportions.

WP.org and Security Concerns

Calypso is the new Admin interface for WordPress.com. It can, however, work for self-hosted WordPress sites. (We recommend self-hosted WordPress, where you can use the SBI! for WP plugin. If you’ve installed WordPress from cPanel or downloaded it directly from WordPress.org, you have self-hosted WordPress.) If you have Jetpack installed and its Manage module enabled, you can use the new Calypso admin interface. However, if you follow the basics of WordPress security, then you’ll find that it won’t work at all. This is because it relies on the XML-RPC API, which many WordPress professionals agree should be turned off at all times as it has been the target of extensive attacks. WordPress 4.4 will be releasing an improved REST API, and hopefully Calypso will adopt that for communicating with self-hosted WordPress sites.

Alternatives to Calypso

So, you saw that you can manage multiple sites with Calypso and you really want to be able to do that without putting your self-hosted site at risk by enabling XML-RPC? ManageWP, InfiniteWP, and WPDash, just to name a few, provide good alternatives.

WordPress User Impact

What does Calypso mean to the average self-hosted WordPress user? Absolutely nothing. Maybe in the future, but not now. So there’s no need for alarm or action. But you should be aware of it, because it may create some changes for self-hosted WordPress in the future. And we don’t want you to be caught off guard. Trust us to give you up-to-date, ACCURATE information, without hype.

SBI! for WP
Vinny Alves

Vinny Alves

Vinny has nearly 20 years of training experience, and 15 developing web sites and applications. Lately he’s fallen in love with developing plugins for WordPress. Vinny finds innovative solutions for complex problems – whether it be debugging legacy code or developing shiny new Object Oriented applications, setting up blogs and e-commerce sites, or envisioning new products.
Vinny Alves

Latest posts by Vinny Alves (see all)

  • However, it’s the beginning of a complete rift between the .ORG and .COM versions of WordPress: http://answerguy.com/2015/12/01/wordpress-calypso-market-dominance/

  • Excellent article, but I have to know one more thing, please. Should I deactivate Jetpack for security reasons, or not?
    I recently start using it again, after a few years of pause. It was much too “heavy” for my hosting plan. After moving my content on cloudflare, I thought of using it again, just for traffic stats’ reasons.

    • Vinny Alves

      Hi Daniel, thanks for reaching out. The culprit isn’t Jetpack itself, but XML RPC (which Jetpack uses lots of). What you can try doing is allowing XML RPC to be accessed only by Automattic’s IPs if you don’t have the need to access your WP site via mobile device apps.

      You can achieve this by adding this to the .htaccess file in the root of your WP install:

      Order deny,allow
      deny from all
      allow from 76.74.254.0/25
      allow from 216.151.209.64/26
      allow from 66.135.48.128/25
      allow from 69.174.248.128/25
      allow from 209.15.21.0/24
      allow from 64.34.206.0/24
      allow from 76.74.255.0/25
      allow from 216.151.210.0/25
      allow from 76.74.248.128/25
      allow from 207.198.112.0/23
      allow from 207.198.101.0/25
      allow from 198.181.116.0/22
      allow from 192.0.64.0/18
      allow from 66.155.38.0/24
      allow from 185.64.140.0/22

      It’s a pretty big range of IPs, but it’s what’s recommended by one of the Jetpack maintainers at https://wordpress.org/support/topic/whitelist-ips-1?replies=5&view=all. Props to our helpful sysadmins who condensed the suggested range into the list above.

      Cheers,
      Vinny.

  • Calypso will be one of hundreds of admin interfaces which will popup. I am looking forward to being able to give my clients some nicely cleaned up admin area. 🙂

  • skeeterz71

    Will Calypso break my site? Will Calypso break my plugin I have hosted in the WordPress repository? That is all I want to know and can’t seem to find an answer.

    • Vinny Alves

      No, Calypso will not break your site. It’s not something you install on your site to begin with. If you’re using the Calypso App for Mac OS X, consider it as a new browser just for WordPress.

Join The Solo Build It! Community

Get the latest in best-practices and advice for your online business. Let each new article be delivered to your Inbox for free.