If more PHP "frameworks" had come with a standard registration/login/password reset system, and a semblance of an administration system that could be customized, Wordpress likely would not have achieved such dominance in the period it did. The PHPNuke family almost had it, but focused too much on copying slashdot vs being a bit more open-ended or content-focused.
The alternatives have been "build-your-own" frameworks with hundreds of libraries but nothing out of the box. When I bring this up, I typically get "but everyone's security needs are different". With WP powering 20%+ of the web right now, that's clearly not true. The dominance of a few oauth systems tied to walled-gardens proves that false even moreso; you, mr senior-enterprise-developer might have extremely-specific use cases (CAS tied to legacy Novell supporting IE5, maybe), but the majority of starter apps need self-registration, email, password, maybe cell token or Facebook registration to get started.
Instead, every single person trying to use almost any major PHP framework has to roll their own security from scratch, which is precisely what we also tell people not to do. I can't tell you how many bizarre hand-rolled security systems I've seen over the years in various PHP frameworks. But hey, they all came bundled with top-of-the-line URL routers and templating libraries...
I completely agree, but the "serious" developers who create the frameworks don't seem to see it this way. I had exactly this discussion with the Symfony community when Symfony2 was released, but got no traction or support for a RAD-framework on top of the Symfony 'framework'.
If you ever see one, in any language, please let me know!
The alternatives have been "build-your-own" frameworks with hundreds of libraries but nothing out of the box. When I bring this up, I typically get "but everyone's security needs are different". With WP powering 20%+ of the web right now, that's clearly not true. The dominance of a few oauth systems tied to walled-gardens proves that false even moreso; you, mr senior-enterprise-developer might have extremely-specific use cases (CAS tied to legacy Novell supporting IE5, maybe), but the majority of starter apps need self-registration, email, password, maybe cell token or Facebook registration to get started.
Instead, every single person trying to use almost any major PHP framework has to roll their own security from scratch, which is precisely what we also tell people not to do. I can't tell you how many bizarre hand-rolled security systems I've seen over the years in various PHP frameworks. But hey, they all came bundled with top-of-the-line URL routers and templating libraries...