Starting in mid September (2024) there has been plenty of WordPress drama (maybe there was drama before this?). I have often recommended WordPress to anyone who wanted to have a simple website done quickly and I had used it for my own Contrary Code LLC website until recently. I had been planning on migrating away before, but with the recent explosion of drama, I decided to move more quickly.
WordPress only for simple sites
For years I have been getting the At Risk summary email which lists recent important security vulnerabilities and WordPress does show up in there frequently. All of the notices that I recall are for WordPress plugins, but if you want to do anything sophisticated in WordPress you need to use plugins. It is discouraging to read how many issues there are with WordPress plugins and the number of the issues which are sql injection vulnerabilities.
Here is a quick comparison between the frameworks I work with (on Nov 15 2024):
I'm not a security researcher so an in-depth analysis by a researcher would be good to fully understand if WordPress really is that terrible. It doesn't look good.
Abandon WordPress
WordPress, like many other opensource web frameworks, has a community. Like a lot of opensource software that I use, I rely on the communities of developers to work on the projects that form the foundation of my work and hobbies. I do not know what it is like in the WordPress community but it is not good news when there is a single gatekeeper to the project that can and is messing with people that depend on the project. It isn't a good sign for the community.
There are alternatives. There is Drupal and in the Django world, there is Wagtail. I will no longer recommend WordPress even for simple sites because it is just better to invest in something that doesn't create so much anxiety for the community that supports the project.