66 comments

  • sshine 13 hours ago

    My boss asked me to set up a WordPress for a product landing page.

    I naturally won't do this; it's no more than a couple of weeks ago that some SQL injection landed in the search query function of this monstrosity.

    WordPress always was and always will be terrible.

    So I set up the landing page with a Hugo static site, and I've been vibe-coding a WordPress-like dashboard that operates on git repositories containing Hugo sites.

    I call it WorbPress (not released yet), and I'm sure that's what my boss told me to install, or I might've misheard.

    And yes, it's written in Rust (with Axum and Alpine.js), because why not?

    • techscruggs 11 hours ago

      Let me make sure I am hearing you right. 1) The person you report to asked you to accomplish a discrete task 2) of standing up one of the most common websites on the planet 3) and your response was to begin building your own custom CMS?

      I know I am removing the train of thought that led you down this path, but is there anything I just said that is factually false?

      • igetspam 10 hours ago

        AI has helped us all lose the plot because now we don’t just know better than everyone else, we can prove it by project managing our better versions of the same things.

        What I find really great is that we’re only a prompt or two away from proper docs for these novel solutions but we still don’t make them and if we do, we definitely don’t read them first.

        • sshine 8 hours ago

          I’ll say “proper docs” has shifted for me for two reasons:

          I used to insist on commenting code richly, so I could better read it. But comments lie, while code is truth. Read the code, that’s what it does.

          With AI, the cognitive overhead of getting a human-worded explanation of what’s true, is one prompt away and is never a stale leftover.

          So the purpose of docs: Specs for implementing and getting an architectural overview, and API documentation for exploring the interface of something new.

          What I find great is that people still don’t test their code when it became practically free to do so.

      • sshine 8 hours ago

        I’ll try to tell the story in a more responsible way: My boss asked me to install a WordPress, to which I advised against it; while it’s easy to set up, it doesn’t align with our tech stack (his main team won’t be able to support it easily, woohoo army of juniors!), and the convenience of a quick start is outweighed by having a thing that needs CVE patching when, guess what never got hacked: pure, static HTML.

        Since my wife had asked me twice the same week to set up a website with a design mock she’d sent me, I thought: what’s holding me back in both cases from giving them a Claude Design’ed Hugo theme is that they need to edit Markdown on their filesystem and run terminal commands.

        So I picked an item out of my infinite backlog, which was very well-defined: a web dashboard that acts as the equivalent of the WordPress admin page that lets you manage a Hugo static site, use a rich editor on top of Markdown, and commit to git instead of a database. I spent the better part of a weekend making this, with my wife as the customer, and when it got good enough, I presented it to my boss. He was happy with the choice, but mostly because of the vibed design, he ultimately didn’t care about the technology.

        When someone wants “a WordPress” they’re asking for convenience of an easily updated website.

        You don’t have to actually give them a WordPress.

      • asp_hornet 11 hours ago

        Is this the “taste” I keep hearing people say they bring?

    • kmoser 12 hours ago

      Just to clarify: you think your vibecoded dashboard is more secure than WordPress? Not saying you're wrong, just wondering why you think you're right. Are you auditing the generated code, or is it a giant yolo?

      • lopatin 11 hours ago

        Auditing the generated code would defeat the purpose of reckless insubordination.

      • fastily 11 hours ago

        I’m reasonably certain GP is (humorously) trolling us

        • sshine 7 hours ago

          Thank you.

      • sshine 7 hours ago

        How do you hack a static HTML page?

        The point is that most WordPress pages don’t warrant the dynamic code execution on every page load.

        When you use a static site generator and make content creation convenient behind the scenes, you move the entire attack surface to, in my case, nginx, the load balancer, and OpenSSL.

    • sureglymop 13 hours ago

      I feel like not choosing WordPress was a great choice but I'm not sure about the rest of the comment. A simple html file might make for a good landing page though.

    • is_true 13 hours ago

      Why not use headless WordPress?

    • brailsafe 12 hours ago

      > because why not?

      I'm not certain, but it seems like you're not being entirely serious here, however..

      If you aren't joking, or for other people in this position, I'd first wonder if the landing page required a search function that would hypothetically be subject to the vulnerability, then I'd wonder about what the normal nature of your business is and how much latitude you personally have in the allocation of billable hours to arbitrary technology choices and whether those do actually align with the deliverable, then if I was the boss I might wonder why you created a bunch of (potentially) out-of-scope random liability using unusual lesser-known tools based on a personal vendetta against WordPress.

      I've been in this position, conceptually if not literally, and I've probably been (in a way, rightfully) fired for it, but my country's labor protections are likely not quite as good as Denmark's.

      If there's a question about why money was spent on implementing a bunch of stuff nobody knows for a reason nobody cares about, especially for a very short-lived thing like a landing page, then it's a sticky situation if the answer is basically novelty. Something like this, if it does serve a purpose, should be planned for and a case made for it, but that also doesn't really seem like agency work.

      If I was asked for WordPress, which I have, and I delivered Rust, I don't think I'd keep that job, but mileage may vary.

      Most work is about solving problems as they are, not what we wish them to be, and if a 5 min job becomes a month long job that the customer didn't ask for, it's an extreme case of yak-shaving.

      • sshine 7 hours ago

        I get what you’re saying, and if I couldn’t justify making the best alternative I can imagine in my free time, because I’ve wanted it for a long time, I’d install “a CMS” (not WordPress).

        > If there's a question about why money was spent on implementing a bunch of stuff nobody knows for a reason nobody cares about, especially for a very short-lived thing like a landing page, then it's a sticky situation if the answer is basically novelty.

        The economy behind a decision like this is: alternative SaaS website builders are $20-60/mo./seat. We’ve historically paid $720/mo. for the ability to edit a single website that doesn’t look great but is dead simple to modify.

        So if I can make something that scales up to any amount of sites and any amount of editors with ~10 hours on landing the design (which isn’t included in “a WordPress” either way), at ~$700, then I can justify making ten sites per year at the cost of our first.

        Or more realistically: The total operating cost of the current website gives me 125 hours in a year to make something better.

        Then the question is not “Can I make something better?” (Yes.) Or “Is it affordable to make something from scratch?” (It is.) But rather: Could I make more money doing something else? (I could halve the Azure budget in less than a month by optimizing and cleaning up.)

    • librasteve 6 hours ago

      what, no HTMX?

  • lawrenceduk 13 hours ago

    Is it astonishing you got to 17% with some vibe code? Sure.

    But most of the stuff I’ve vibe coded this year has been astonishing by 2025’s standards.

    If you got 100% I’d be genuinely blown away.

    • sdesol 13 hours ago

      The article doesn't go into how they managed the AI context when implementing things but I would not be surprised if it was done in a methodical way, 80% - 90% of the tests could have passed.

    • general_reveal 12 hours ago

      Standards vary.

    • pylua 13 hours ago

      Does anyone know why we write code anymore? Why not pass through to an llm that generates the page on the fly (ssr)?

      Is it cost?

      • Jabrov 13 hours ago

        Yes: cost, speed, and reliability.

        But all of those things are improving at shocking speeds, so I think we’re on a path where code is losing value quickly.

        • pylua 13 hours ago

          Yeah, I agree. It will be like serverless but for code: codeless.

          It’s a disconcerting future.

    • UncleEntity 10 hours ago

      What I suspect is this 17% is the exact sub-set it needed to hack together to make the goal (running some example website) a reality as this is what those dodgy weasels do if you let them. Then you get to spend 200x the time to fill in the rest of the "speculative features deferred due to no real consumer" on top of whatever dodgy system they made up, which is usually whatever is easiest/closest to the literature instead of the actual intended design. Lots and lots of fun to be had doing the full-pipeline refactors to add that last 2% which need support from tip to tail.

      It's all in good fun, though... probably?

  • mgaunard 12 hours ago

    Why is the AI only able to reach 17%?

    Surely it can just keep iterating until it implements the full test suite?

    • ekinertac 6 hours ago

      its still iterating, 17% is just where the counter is today. three weeks ago it was at 10%, two weeks ago 13.8%. i didnt post this as a final result, i posted because wp-admin rendering surprised me.

      but no, it cant reach 100%. around 55-60% of the suite tests C extensions, gd, curl, soap, intl, mysqli, ffi, sockets etc. passing those would mean writing all those extensions from scratch too (libcurl, ICU, an image library...) which is a completely different project. the realistic ceiling for a from scratch engine is around 40-45% and thats the number im climbing towards.

    • hoppp 12 hours ago

      Money probably. This is a cash burn project.

      • ekinertac 6 hours ago

        it's not that expensive actually. been working on this about a month with my 20x Max Claude subscription while I'm working on other projects as well.

      • dzhiurgis 7 hours ago

        I suspect it cost less than $100 using chinese models.

  • AmazingEveryDay 15 hours ago

    Interesting read. Given what the process is producing it's probably quite cost-effective?

    • Chaosvex 11 hours ago

      What do you mean? What's cost effective about this?

  • rbbydotdev 11 hours ago

    I’d be curious for a similar experiment converting frankenphp to rust.

    https://frankenphp.dev/

  • fuckinpuppers 13 hours ago

    Use AI to make Wordpress secure and not suck as much

    • lioeters 13 hours ago

      Even an AGI can't accomplish the impossible.

  • tensegrist 11 hours ago

    > Here’s the part I need you to sit with

    no, i don't think i will

  • MichaelMoser123 11 hours ago

    Wow. Now did you try to check the setup with something like Claude Fable? Will it find issues, what kind of issues? Another question: how many tokens did this effort cost? Did you learn new prompting tricks?

    • ekinertac 5 hours ago

      [flagged]

  • wsor4035 13 hours ago

    I'll preface my comment with saying: this might not be the best solution given the goal of your project to iteratively loop through and improve on the tests each round, and using deps would make that process longer/more complicated having to work potentially with another project.

    .....however.....

    mago, a static analyzer for php is written in rust and might be useful for gaining some "free" performance uplift: https://github.com/carthage-software/mago. iirc it splits out a fair bit of its internals so they can be used by other projects (citation needed)

    • ekinertac 6 hours ago

      thanks, mago is a cool project. probably not as a dep tho, the parser isnt where the time goes (the 55x gap is all in evaluation, thats what the bytecode vm is for) and our parser is deliberately tuned to match php's exact parse error messages, which is itself worth tests in the corpus. but using it as a second oracle to cross check my parser against theirs is actually a neat idea, same trick as the phpt suite but at the syntax layer.

  • gamblor956 13 hours ago

    Maybe the takeaway is that 20% is about all the LLM can muster.

    • malisper 13 hours ago

      > Maybe the takeaway is that 20% is about all the LLM can muster

      At this point there's a long list of projects that have used LLMs to rewrite a system in Rust including:

        - Bun (https://github.com/oven-sh/bun/pull/30412)
        - Valkey (https://github.com/ianm199/valdr)
        - Git (https://github.com/gitbutlerapp/grit)
        - Postgres (https://github.com/malisper/pgrust)
      
      With the exception of Bun, these projects were done pre-fable too, so I bet Fable will make these types of rewrites even easier.

      • verandaguy 13 hours ago

        I'm not sure about the other three, but Bun's rewrite from Zig to Rust was a bit of a joke. `unsafe`s in the thousands, a quarter-million lines of diff, and merged inside a week with no significant public discourse (at least, not much that was responded to by the author).

        • solid_fuel 12 hours ago

          Still waiting on that blog post from Jarred that will supposedly answer all the questions and concerns about the rust port.

      • gamblor956 11 hours ago

        I think the standard should be rewrites that are at least as good as the original, not buggy piles of unfinished unmaintainable crap.

      • ekinertac 5 hours ago

        [dead]

    • UncleEntity 10 hours ago

      I mean, I got them to 100% using the official conformance suite on my copy-and-patch jit compiler/interpreter WASM VM...

      Saw that Salt Language article a day or two ago on how they do the static verification as part of the compilation process (or whatever they really get up to) and that's next on the agenda, tried that with a JavaCard VM I was poking at as its 'computation space' is much smaller but that was too much for my poor little laptop to handle but, apparently, this Salt thing is much different and actually tractable so, we'll see, still working out the details.

  • ekinertac 16 hours ago

    Author here.

    To be upfront about what this is: I'm not a Rust developer or a PHP internals person. This is an experiment in whether the "point the AI at the original project's test suite" methodology (the way Bun was driven against real-world suites) holds up when the human can't review the code. The oracle is php-src's own .phpt corpus, ~22k tests I didn't write. Current honest score: 3,844 passing (17.4%), with a realistic ceiling around 40-45% since the rest tests C extensions (GD, curl, intl, etc.) that are out of scope.

    "Renders WordPress" means: fresh install completes into SQLite, the front page renders with real posts, a real theme and /wp-admin/ renders without issues. The REST API is untested, and it's currently ~55x slower than PHP on the front page (a bytecode VM is in progress, micro-benchmarks are already at 1-3x of PHP 8.5).

    The scoreboard auto-generates into the repo after every run, whether the number went up or down.

    Happy to answer anything.

    • adamtaylor_13 13 hours ago

      This is a pretty cool experiment. Thanks for sharing!

      • ekinertac 5 hours ago

        thanks! the devlog in the repo has the longer war stories if you enjoy this kind of thing.

    • pluc 13 hours ago

      Compare with FrankenPHP?

      • ekinertac 6 hours ago

        I'm not there yet but I'll run the benchmarks against FrankenPHP and include it in the project when we get at least 60% test parity.

    • bbg2401 13 hours ago

      Will you answer questions yourself, or will you simply pass on what your LLM of choice writes for you?

      Edit: On further inspection, the blog design, the blog build, the blog articles and even the anecdotes used in the articles are entirely Claude generated.

      Stop being so lazy. Get Claude to do something interesting and use your own intellect to assess and challenge the work in your write up. Or the other way around. Inject some amount of human work, at least. Otherwise, what's the point in sharing?

      • cataphract 11 hours ago

        The "honest score" is the most annoying claudism of the comment, with the short disjoint sentences a close second.

        • superdisk 11 hours ago

          It was "I need you to sit with:" that immediately made me close the article. I like LLM programming, but I really don't understand why so many people just post LLM-generated articles. What did the human even do at that point, press the start button?

      • ekinertac 6 hours ago

        well, thanks for the tips on how to run my own blog :) but the post already tells you this, the last paragraph literally says an LLM drafted it and i edited it. the whole project is an experiment in what a non rust/php guy plus AI can ship, so hiding the AI in the writing while disclosing it in every commit would be a weird place to draw the line.

      • ShinyLeftPad 13 hours ago

        > will you simply pass on what your LLM of choice writes for you?

        But it will be at least 17% correct!

  • Ozzie-D 12 hours ago

    [flagged]

  • keepupnow 13 hours ago

    Why stop at 17%, come back when you are at 100% otherwise it's just another project.

  • t1234s 11 hours ago

    I feel like the future will be a git repository with text files and a markdown file describing how the site should look and how any endpoints needed for functionality should work and the AI will be the runtime for your site instead of wordpress.