BuddyPress, Peepso and Others Are Not Viable WordPress Social Network Plugins

I would like to mention that Peepso have since taken action to remedy this and they seem like a cool bunch of people who know what they are doing.

I was asked today to install Peepso for someone who wanted a private social network.

Aside from the obvious points of how this is a terrible idea, there is an even bigger problem.

I pointed out that these WordPress installs are awful and should never be used in production.

After, he asked “Why?”, to which I replied “It uses only Ajax for everything”. As you can guess, he then replied “Ajax?”

My final statement was: “Yes, Ajax. It allows for the notifications and chat you see, however, all of these plugins means a page opens about 3 concurrent Ajax connections and many browsers, including Chrome, limit the number of concurrent Ajax connections in a single browser session to 6 which means someone can only have your page open on two browser tabs…”

More than one WordPress developer obviously did not know that to create a set of plugins that cannot get around that problem, this is why WordPress developers are rarely web developers.


41 thoughts on “BuddyPress, Peepso and Others Are Not Viable WordPress Social Network Plugins”

    1. Yes, 100% true. It is very scary to think of how many actually pay for this sub-standard coding. If they cannot even get a basic concept like this then what else do they not understand? This is why I hate people who say “I learnt WordPress so I am a web developer” because you really are not.

  1. Hello. I am a kind of mediocre to web development and was trying to create a small social networking forum kinda thing for my college just for fun. It won’t have much traffic or won’t occupy large volume. So I just wanted to know whether buddypress would be an option for me?

      1. Well I, a student will be starting it, and if everything goes on well, I can expect around 500 users. Still a no?

    1. Hmm, I am leaning towards no, but it could be a yes under the right circumstances. It all depends on usage etc etc. But if the site were to ever get even a little bigger then it would be a no.

    1. Definitely, and, if done right, it would be very complex and expensive. If someone offers to build a cheap one then I would suggest you run because they clearly are not telling you the truth.

  2. So in your opinion there are no viable options for WordPress to create a social network? If not WordPress, can you recommend any other platforms that might do the trick for someone with no programming knowledge? Looking to get an MVP up and running for proof of concept and I don’t want to invest a ton of money until that point.

    1. I cannot think of any off the top of my head, I only really looked at those since the client wanted them. However, a social network that is done right will not be easy to install and configure, you are looking for one with multiple parts, for example: at the very least a node.js integration.

      Not only that but considering how much code must go into one I would be surprised if it is free.

  3. I agree with you. A WordPress developer is not automatically a web developer, since most of the code is written by other developers, if you stick to the WP-Api.

    I find it interesting that you clarify this situation here. However, it would be nice if you could explain in more detail what a solution might look like.

    In WordPress the use of “admin-ajax.php” is quite slow, because many parts are loaded, which are often not needed at all. Originally, this interface was probably not intended for the use that is carried out with it today. But meanwhile the REST-API is pretty well implemented and so you can run much more efficient AJAX requests against REST.

    But you still need AJAX to retrieve dynamic content from the server. Google also relies on AJAX in many applications, so it doesn’t seem to be the worst technology.

    So back to my question: What do you think is a sensible alternative? How do you think a social network plugin should be built to avoid these disadvantages? So what technology do you think should be implemented?

    1. I should really expand on a decent solution, I wrote this a bit quickly since my time for writing blog posts is quite limited these days.

      Oh yes, AJAX is still very valid, just not for notifications and chat, one good example is using PJAX (which is what Google uses to load page fragments), but AJAX is, of course, only used for one time items or slow recurring tasks that release their locks for extended periods of time, like more than 6 minutes as you will see if you open dev tools on Facebook.

      Any notification or chat system should be implemented in node.js, preferably using socket.io, don’t use the PHP websocket servers since PHP really is not designed for this and the PHP team will not fix fundamental problems since their answer is the same as mine “PHP was not designed for this”.

      So, what you should have is a node.js server sitting on port 3000 or something running a socket.io server with the frontend using the socket.io browser JS library to communicate websocket frames (this allows you to communicate different types of data down a single socket) to the node.js which then implements the functions required or routes them to PHP, but routing to PHP is normally a bad idea since it is slow and loses some of node.js’s abilities and node.js could easily do what you need. Be careful of exposing sessions in node.js, the way I do it is to send an encrypted key (AES 256) down to the node.js server on page load which identifies the user.
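One way to build the page-load key described in the comment above, as an added example (not the commenter's code or any plugin's): a short-lived AES-256-GCM token carrying the user ID, verified on the node.js side before a socket is accepted. GCM mode, the token layout, the names `issueToken`/`verifyToken` and the demo key are assumptions; in a real deployment the PHP side would issue the token with the same shared key.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed demo key (32 bytes). In practice PHP and node.js would both
// load the same random secret from configuration, never from source code.
const KEY = nodeCrypto.createHash('sha256').update('constructed-demo-secret').digest();

const IV_LEN = 12;   // recommended nonce size for GCM
const TAG_LEN = 16;  // GCM authentication tag

// Issue side (stands in for the PHP page render): encrypt {uid, exp}.
// Token layout (assumed): base64url( iv || tag || ciphertext ).
function issueToken(userId, ttlSeconds, key, now = Date.now()) {
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh nonce per token
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const payload = JSON.stringify({
    uid: userId,
    exp: Math.floor(now / 1000) + ttlSeconds, // short lifetime limits replay
  });
  const ct = Buffer.concat([cipher.update(payload, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Verify side (node.js socket server): returns the user ID, or null if the
// token is malformed, tampered with, encrypted under another key, or expired.
function verifyToken(token, key, now = Date.now()) {
  try {
    const raw = Buffer.from(String(token), 'base64url');
    if (raw.length <= IV_LEN + TAG_LEN) return null;
    const iv = raw.subarray(0, IV_LEN);
    const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
    const ct = raw.subarray(IV_LEN + TAG_LEN);
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    // final() throws if the tag does not match, so nothing unauthenticated
    // is ever parsed.
    const plain = Buffer.concat([decipher.update(ct), decipher.final()]);
    const { uid, exp } = JSON.parse(plain.toString('utf8'));
    if (!Number.isInteger(uid) || !Number.isInteger(exp)) return null;
    if (exp <= Math.floor(now / 1000)) return null;
    return uid;
  } catch {
    return null; // fail closed on any decoding or authentication error
  }
}

// With socket.io (v3+) the check would sit in a connection middleware:
//   io.use((socket, next) => {
//     const uid = verifyToken(socket.handshake.auth.token, KEY);
//     if (uid === null) return next(new Error('unauthorized'));
//     socket.data.uid = uid;
//     next();
//   });
```

Because the token is authenticated as well as encrypted, the socket server never needs access to the PHP session store, and a token copied from one page load stops working once its lifetime ends.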

    2. Basically any task that might need long polling or extended locks on connections needs to go over websockets really since the browser has limitations and will lock you out per browser session for that user (in the case of Chrome users).

    3. Though on the case of “real web developers”, using a pre-built API is not bad, I am personally a Yii2/CakePHP developer these days and I would never imagine coding a site from scratch, that gives me shudders.

      One problem with WordPress is its coding standards which were out of date maybe in PHP4 and I have even seen a few places where they use certain globals and stuff they really shouldn’t and could be open to abuse if not properly locked down.

      I looked through woocommerce and found maybe 4 security holes I could abuse if not installed right, which many are not.

      Another problem with WordPress is that they only understand PHP4 coding, so 90% of the PHP features other developers will know a WordPress dev won’t.

      The API for WordPress is so complete that the user has no understanding of what they are actually coding, the WordPress documentation almost rewrites the PHP documentation at times.

      The list does go on, but yeah, basically it isn’t about code written by others but the code that is written and the scale of it, the scale of it is also a plus though, WordPress is insanely easy to build quick disposable sites in.

  4. Thank you for your effort to illuminate this. I also think node.js is a very good choice for tasks like this. I will also check PJAX and socket.io. Thanks for pointing that out.

    Do you have experience in combining node.js with PHP Frameworks, especially Laravel? Does this work well?

    What do you think of ReactPHP and pusher.com?

    I am planning a larger network and would like to start at the beginning with the right way. I don’t care about the learning curve. Rather learn more at the beginning than later on rebuild complicated stuff. I prefer the MVC/MVP pattern.

    In any case, I agree with you that WordPress is based on outdated standards. I’ve written some plugins for it in the last few months and it’s terrible to get a neat structure inside.

    I also find the community behind it very sobering. Many people believe because they can upload some pictures and style them they are the heroes of the world. And every time you start to dig deeper, there is a recommendation for a plugin, because they don’t know anything about programming. When you say that certain tasks are much easier to solve yourself, you only get a frown. Very strange.

    1. I have combined Yii2 and node.js a few times and it is fairly easy.

      As for react, I would strongly suggest no, as I said PHP is not designed for this stuff and some of the core problems with PHP the PHP team refuse to fix.

      Pusher.com is good but expensive, as are all these push services, if you can afford it that’s the best option.

      Yeah, I see that too: “I am a WordPress teacher because I know how to click “install” on the plugin page and fill in some text fields” and then they go on to lecture me about the use cases of WordPress and the internals/speed etc etc…

  5. hey sammaye,

    I was going to build a social site using buddypress but now I’m glad I found your post.

    However, I don’t have the resources to create a site from scratch. What if I create a MVP using buddypress then transfer over to a custom made site later? Is a seamless transition to a new server/site realistic and possible with existing users? How much labor time do you estimate this would take? If you can think of any other precautions I should think of, please let me know. Thanks

    1. Considering that 90% of all your fields will be stored in the meta table, and on a new site you will need to bring those out into index-able fields (WordPress does not index that table properly since MySQL cannot do key-value indexes, plus the only indexes on these tables are two: one of meta_key and other on item ID, so these tables use a slow intersect query), it will very quickly become a very large project if you have a proper set of users, and you will probably easily lose data, maybe in posts or photos, but you will lose data somewhere, there is just an infinite amount of fiddling required to migrate to a non-WordPress install.

      You could just migrate only users and delete all other data. That’d be moderately painless.

      I’m sure there are more, I have only just thought of this as you mention migrating data in the database, I guess one thing to bear in mind as well, is that you will need maybe a different server, you would run WordPress on a relatively low powered server (even though you shouldn’t) and an actual social network on a far more powerful server. And now that I mention that I think of something else, this is definitely not seamless due to the way DNS works, it can take weeks for it to fully update and in that time you could even be taking writes to your old database, the only way is to force a refresh of your DNS in browsers by completely removing the old server and giving the user errors.

      I’m sure there are more, this is just how my mind works

      1. Yeah, I actually have this already, hopefully it will open WordPress developers to more technologies and better standards than the core PHP ones they are used to, some won’t like it but then… Well, why are they in programming?

  6. So your recommendation for someone that wants a low cost private social network is to custom build the entire thing because “WordPress uses AJAX”? If you’re running a really low end web server, using stock Apache2 or hosting on a shared server, Ajax calls can bog the site down or make it unusable but if you’re operating an optimized dedicated server, neither Ajax calls nor hundreds of simultaneous users are issues. I personally have PeepSo running on a private social network with 1,200 users. Peak usage has been 500 simultaneous. Using a custom NGINX configuration I don’t have any issues maxing out connections. I’ve never even come close. My average CPU usage over 30 days has been less than 5% and out of 8GB of system ram, I have 3 free at any given time. Not quite sure why you believe data will go “missing” either. The queries are optimized to only pull as someone is ready to view them so the system isn’t bogged down even with hundreds of thousands of records. People don’t want to build the next Facebook, they just want something where their user base can discuss and interact, personally I think PeepSo is a fine addition, Ajax & all 🙂

    1. AJAX calls do not tend to bog the server down, especially if you have correctly configured the server (unless you have some really terrible coding server side), nginx has the ability to run AJAX calls very efficiently simply due to how it, fundamentally, processes a request (unlike Apache which can actually get problems from AJAX calls, though again the amount of AJAX calls you are making is irrelevant to that limit) your configuration is doing very little (read nothing) to defend against AJAX problems, but more just handling the weight of your user base in general – nginx is designed to process these kinds of requests very well.

      AJAX calls actually tend to bog the client down, they also hit limits within the browser. While you can guarantee the device/server you will use you cannot say the same for the user who visits your site, this is where better technologies actually take over, such as websockets.

      Though, I will say here that AJAX JS is very easy to abuse to DDOS a site that has bad server configuration, but again, for something like nginx that would need to be one serious DDOS, you will hit CPU limit before you hit nginx connection limit.

      I think I did actually say somewhere in the comments thread about private social networks with very few users, however, most people I see who use peepso actually want to “run a Facebook” and this particular user in question did as well.

      RAM should be irrelevant to the processing of an AJAX or even normal call (in PHP), CPU is what’s used by the threads. RAM becomes relevant when you do high data processing cronjobs that require huge amounts of data to be loaded into the mysqlnd (which takes up the memory) or something similar that cannot be gced by PHP itself. With 500 connections I am not surprised that you are only using 5% CPU, though that is actually quite a lot and shows something of a potential problem, but then I am unsure as to the specifications of your server. Using websockets I wouldn’t even register a CPU usage higher than that for at least 5x that count, but that could be down to bad coding on part of peepso etc etc etc (basically I don’t have a clue). In this case the usage would not be generated by the connection overhead produced from the AJAX calls but rather processing overhead due to the use of bad coding in PHP.

      Sorry, where did I say stuff would go missing? It has been a while since I last commented on this so you might need to refresh my memory.

      I find, from freelancing, that actually people want to use peepso commonly to build their own network where they expect more than 20,000 users at times. But there are also people who run peepso privately and I think I remember saying something about that.

  7. Hi there, I am a co-founder and CTO of PeepSo. Thank you for this article, it’s one of the things that pushed us forward into redesigning our architecture. Unfortunately, building a WordPress plugin we are pretty limited with the fact most people use inexpensive hosting with not so many customization options.

    That being said, we are nowadays implementing PHP based SSE into our plugin and I would love your opinion about that. In essence, there will be one keep-alive connection per browser (shared between tabs) listening to events sent from the server. If an event is sent, it triggers the legacy AJAX to pull the data. We are hoping to cut the amount of connections and general overhead by a lot. The SSE script works completely outside of WordPress (pure PHP) and uses no database.

    We are about to release a pre-alpha version of it in PeepSo 2.0.1 – it will be dormant and users won’t see it, but by using a special define() it becomes available – so that we can test it in a few select environments.

    I would love to hear your opinion about our ideas since you seem pretty experienced and knowledgeable about this. let me know if you’d be interested in reviewing our ideas.

    1. The problem with a PHP based script is that PHP was not really designed for this kind of work (especially daemon work), it is the same reason why I find it a bad idea to use web socket PHP servers, because they are attempting to make PHP do something which it was not designed to, and from what the PHP team says, never will; this is why many turn to node.js on this front, even if all it does is fork a PHP process which handles the incoming data in that environment (which is not a great idea but it isn’t a terrible one if being pushed).

      Disconnecting it from WordPress could introduce a lot of problems with having to maintain your own security (for one). Personally (from my experience), WordPress security in code, by standard, is not that great and you will find better in most frameworks, but that’s simply because WordPress cannot update many of its core mechanics, so disconnecting it from WordPress, while applying more pressure to you, as a company to develop good code, could also be a chance to implement something better than what WordPress could offer.

      I find myself with very little time these days, but I could review the core functionality and ideals of the script if you want me to.

      1. node.js is our next step, but it will be obviously a solution only for the power users, great majority of WordPress is hosted on machines incapable of such feats. We are “stuck” with PHP (and worse of all, still 5.6) because that’s what the WordPress reality is. The Gutenberg is a shift towards JavaScript, but it’s safe to assume it will be moving slowly.

      2. Agreed, and this is the big problem with WordPress, unlike Google and others who took an active approach to disabling out of date and insecure code WordPress has instead tried to code around the problems, they should take a step out of Google’s, Facebook’s etc book and just say “upgrade or die”, there is no excuse, most hosters, if not 95% offer free PHP 7.1 upgrades, it is literally just useless webmasters who would get caught out and I say “meh”; if the internet is ever to move on from insecure code then they need to get some tough love.

      3. But WordPress is scared of doing such things, they get such huge market share from being the people who never fix or change, since PHP4, if they update then they will be forced to compete with others on equal level and, if it goes anything like their battle with Tumblr, they will lose miserably, I mean you can imagine about 70% of WordPress’ ecosystem being rendered useless overnight, people would actually look at WordPress the same way they do any CMS and WordPress are scared they will lose massive amounts of market share if that ever happens, so while Facebook said to 3b people on the planet, 50% of whom are like my parents and dunno what a web browser is: “stop using IE9” WordPress will never say to a bunch of sysadmins, “upgrade so we can secure our code and use modern standards and tools”

  8. After a few weeks of playing with the PHP approach, we decided to abandon it. We will go into a JavaScript serverside technology actually designed to do this. With people running PHP-FPM, FastCGI, servers messing with buffering, Apache limitations (max connections etc) it’s hard to even define system requirements needed to run it.

    We will most likely go the node.js way completely – database-less approach lets us do it pretty easily.

    As for PHP, I have been repeatedly bashing the topic and reminding our customers to upgrade. Right now we have a “your site might be in danger” wp-admin notice if the site is below 7.1

    1. I’ve also noticed quite a few WP plugins (like WP Chat) are starting to use node.js as well, so it seems plugin users are going to either have to learn to use node.js or… Well, no other alternative.

      Ah, that’s good, should hopefully make quite a few migrate to PHP 7.x, any move like that is a positive one, then the sysadmin has to explain to the client why they are still using an old PHP runtime, and the question won’t go away when worded like that.
