Many people know about WordPress as “that blog site.” Those who recognize that it’s open source know it primarily as “blog” software. However, more accurately put, WordPress software is a full “publishing platform.”
According to W3Techs, over 20 percent of all websites use the WordPress content management system. There are several good reasons for this:
- It is a mature platform. It’s been around since 2003.
- At its core it’s simple to use. Its target audience is primarily content publishers, not developers. At the same time, developers aren’t a forgotten audience. WordPress seems to have hit the sweet spot in balancing the needs of users and developers.
- It’s very flexible. It has a well-designed and well-documented plugin and theme system.
- It’s free and open source software, licensed under GPL.
WordPress as an Application Framework
As WordPress continues to grow in popularity, it’s moving beyond being simply a publishing platform: It’s becoming an application development framework. Indeed, WordPress says:
If you want to build an application, WordPress can help with that too. Under the hood WordPress provides a lot of the features that your app will need, things like translations, user management, HTTP requests, databases, URL routing…
Website developer Jake Goldman discusses this at length in a recent blog post. After reading it and having a few discussions in community groups, I’ve concluded that WordPress is still primarily a publishing system and is not, nor ever will be, all things to all programmers. It is, however, a powerful tool if you’re developing an app that retrieves and/or generates data from any variety of sources (internal calculations, external business processes, Web services and so forth) and publishes that on the Web (either on the Internet or an intranet).
Of course, there are many times, especially in a Web app, when publishing programmatic output is exactly what you want to do. That is when WordPress may be an excellent platform for developing cloud-based SaaS Web applications.
WordPress Application Security
In light of the recent series of high-profile website security problems, it’s clear that a Web application developer should plan application security from the beginning. The very features that make WordPress attractive to publishers and developers also make it an attractive target for attackers.
According to a recent Information Week article, “70 percent of WordPress sites are running outdated software and are vulnerable to hackers launching DDoS attacks. Recent examples hit MIT, NEA and Penn State servers.”
These numbers are disturbing. In May 2012, Netcraft estimated that there were over 660 million websites. If 20 percent of the Web is running WordPress and 70 percent of those are vulnerable, that means 14 percent of the Web, or nearly 100 million sites, have known vulnerabilities.
Clearly we don’t want our applications to be in that number. What follows are some tips to help make your WordPress application more secure.
1. Don’t Modify the Core Code
When vulnerabilities are detected in WordPress, you can count on two things:
1. The developers will quickly respond with an update.
2. Attackers will quickly develop and deploy an exploit.
If you modify the core WordPress code, you can be sure that these security updates will break your application. So instead of modifying the core code, design your application as one or more plugins and/or themes. This gives you several potential advantages beyond simple update protection.
- Productivity: By defining your app as (“WordPress Core” + Existing Plugins + New Plugins + a Theme), you gain two productivity advantages: First, you have the opportunity to reuse open source code and, second, the advantage of creating only the new code your app needs.
- Quality: WordPress has some well-defined coding standards, integration rules and implementation techniques for both themes and plugins. These make it easier for community developed plugins and themes to interact. Even though you are creating custom code for your own app, following these standards will help you design quality into your app from the beginning.
- Staffing: Because WordPress is the most popular Web development platform, there are a large number of developers that understand it. WordPress plugin development and WordPress theme creation are common skills among website programmers and designers.
One caveat: avoid the temptation to put too much functionality into the theme. If you can, start with a stock theme and build your app strictly as a set of plugins and filters.
If you believe that you can’t create your app without modifying the core WordPress code, you may want to reexamine the idea that WordPress is the best framework for your application.
2. Harden Your Site as Soon as You Install WordPress
At the very least you should:
1. Use the salt generator to create unique security keys within your wp-config.php file.
2. Remove the ‘Admin’ user. In April, the BBC reported that the user name “Admin” was used in an attack targeting WordPress coming from about 90,000 IP addresses.
3. Use SFTP, rather than FTP, to upload files.
4. Use a Strong Password. Most WordPress sites are most vulnerable to old-fashioned brute force attacks, and a strong password is the best way to defeat them.
5. Put a blank index.php file into your plugin directory. This will hide which plugins you are using — or not using — from a potential attacker.
6. Automatically back up your site’s code and database to an offsite location at least daily. Retain each day’s backup for at least 30 days, though a year is probably better.
You may also want to consider changing the database table prefix. This could protect your app from certain SQL injection attacks.
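Two of the steps above (unique keys in wp-config.php and a non-default table prefix) can be checked mechanically. The following read-only script is an added example, not code from the article or from WordPress; it assumes the standard `define('AUTH_KEY', '...')` and `$table_prefix = '...'` layout of wp-config.php, and the sample placeholder string shipped in wp-config-sample.php.

```php
<?php
// Added example (not from the article): a read-only check of wp-config.php
// for two of the steps above: unique keys/salts and a non-default table
// prefix. Run from the site root: php check-config.php [path/to/wp-config.php]
const CFG_KEY_NAMES = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);
const CFG_SAMPLE_VALUE = 'put your unique phrase here'; // placeholder shipped in wp-config-sample.php
// Returns a list of problems found in the given wp-config.php source text.
function check_wp_config( $source ) {
    $problems = array();
    $seen     = array();
    foreach ( CFG_KEY_NAMES as $name ) {
        // Matches define('AUTH_KEY', '...'); with either quote style.
        if ( ! preg_match( "/define\(\s*['\"]{$name}['\"]\s*,\s*(['\"])(.*?)\\1\s*\)/s", $source, $m ) ) {
            $problems[] = "$name is not defined";
            continue;
        }
        $value = $m[2];
        if ( CFG_SAMPLE_VALUE === $value || strlen( $value ) < 32 ) {
            $problems[] = "$name is still the sample placeholder or is too short";
        } elseif ( isset( $seen[ $value ] ) ) {
            $problems[] = "$name reuses the value of {$seen[$value]}";
        }
        $seen[ $value ] = $name;
    }
    if ( preg_match( '/\$table_prefix\s*=\s*[\'"]([^\'"]*)[\'"]/', $source, $m ) ) {
        if ( 'wp_' === $m[1] ) {
            $problems[] = 'table prefix is the default "wp_"';
        }
    } else {
        $problems[] = '$table_prefix is not set';
    }
    return $problems;
}
if ( PHP_SAPI === 'cli' && isset( $argv ) && realpath( $argv[0] ) === __FILE__ ) {
    $path   = $argv[1] ?? 'wp-config.php';
    $source = file_get_contents( $path );
    if ( false === $source ) {
        fwrite( STDERR, "cannot read $path\n" );
        exit( 2 );
    }
    $problems = check_wp_config( $source );
    foreach ( $problems as $p ) {
        echo "WARNING: $p\n";
    }
    exit( $problems ? 1 : 0 );
}
```

The script exits non-zero when any key is missing, still the sample placeholder, shorter than 32 characters, or duplicated, or when the prefix is still wp_, so it can run as a step in a deployment pipeline.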
3. Take Advantage of Built-In Data Validation and Sanitation
WordPress provides a variety of functions to validate input and sanitize output. Become familiar with these functions and use them to protect your application against injection-style attacks.
A special type of validation is a “nonce” field. A nonce is a “Number Used Once.” It’s provided by WordPress to protect your forms from misuse.
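The following minimal plugin is an added example (not from the article) showing the three pieces together: a nonce on the form, WordPress sanitizers on the way in, and escaping on the way out. The plugin slug `ffe`, the option name and the field names are assumptions.

```php
<?php
// Added example (not from the article): a minimal plugin that uses a nonce
// plus WordPress sanitizers and escapers on a public feedback form.
// The plugin slug, option name and field names are assumptions.
const FFE_ACTION = 'ffe_submit_feedback';
const FFE_OPTION = 'ffe_last_feedback';

// Render the form. wp_nonce_field() binds the submission to this action and
// the visitor's session, so a forged cross-site request fails verification.
function ffe_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="' . esc_attr( FFE_ACTION ) . '">';
    wp_nonce_field( FFE_ACTION, 'ffe_nonce' );
    echo '<input type="text" name="ffe_name" maxlength="80">';
    echo '<input type="email" name="ffe_email">';
    echo '<textarea name="ffe_message"></textarea>';
    echo '<button type="submit">Send</button></form>';
}
add_shortcode( 'feedback_form', function () { ob_start(); ffe_render_form(); return ob_get_clean(); } );

// Handle the POST: verify the nonce first, then sanitize every field on the way in.
function ffe_handle_submit() {
    if ( ! isset( $_POST['ffe_nonce'] ) || ! wp_verify_nonce( $_POST['ffe_nonce'], FFE_ACTION ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }
    $email = sanitize_email( wp_unslash( $_POST['ffe_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address.', 'Bad Request', array( 'response' => 400 ) );
    }
    update_option( FFE_OPTION, array(
        'name'    => sanitize_text_field( wp_unslash( $_POST['ffe_name'] ?? '' ) ),
        'email'   => $email,
        // Keeps line breaks, strips tags and control characters.
        'message' => sanitize_textarea_field( wp_unslash( $_POST['ffe_message'] ?? '' ) ),
    ) );
    wp_safe_redirect( wp_get_referer() ?: home_url( '/' ) );
    exit;
}
// admin_post_nopriv_* runs for logged-out visitors, admin_post_* for logged-in users.
add_action( 'admin_post_nopriv_' . FFE_ACTION, 'ffe_handle_submit' );
add_action( 'admin_post_' . FFE_ACTION, 'ffe_handle_submit' );
// Sanitizing on input is not enough: escape again for the output context.
function ffe_show_last() {
    $f = get_option( FFE_OPTION );
    if ( ! $f ) { return ''; }
    return '<p>' . esc_html( $f['name'] ) . ' (' . esc_html( $f['email'] ) . ')</p>'
         . '<p>' . nl2br( esc_html( $f['message'] ) ) . '</p>';
}
add_shortcode( 'last_feedback', 'ffe_show_last' );
```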
4. Use the HTTP API to Access Web Services
WordPress provides an HTTP abstraction layer that you can use to allow your app to access Web services. This API makes it relatively trivial, for example, to verify that an SSL certificate is valid.
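As an added example (not from the article), here is a fetch through that layer with certificate verification kept on and every failure path handled; the service URL and the transient name are placeholders.

```php
<?php
// Added example (not from the article). Fetches a JSON document from a
// hypothetical Web service with the WordPress HTTP API; the URL and the
// transient name are placeholders.
function example_fetch_rates( $url = 'https://api.example.com/rates' ) {
    $cached = get_transient( 'example_rates' );
    if ( false !== $cached ) {
        return $cached;
    }
    $response = wp_remote_get( $url, array(
        'timeout'   => 10,
        // true is already the default; it is written out so that nobody
        // "fixes" a certificate error by silently setting it to false.
        'sslverify' => true,
        'headers'   => array( 'Accept' => 'application/json' ),
    ) );
    // A certificate that fails validation, a DNS failure or a timeout all
    // come back as WP_Error rather than as a body you might parse by accident.
    if ( is_wp_error( $response ) ) {
        error_log( 'rates fetch failed: ' . $response->get_error_message() );
        return null;
    }
    $status = (int) wp_remote_retrieve_response_code( $response );
    if ( 200 !== $status ) {
        error_log( 'rates fetch: unexpected HTTP status ' . $status );
        return null;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        return null;
    }
    // Cache the parsed result so a slow or flaky upstream cannot stall every page load.
    set_transient( 'example_rates', $data, 15 * MINUTE_IN_SECONDS );
    return $data;
}
```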
5. Plan Your User Roles and Capabilities
Security is not only about keeping attackers out. It’s also about limiting access to specific resources to the users authorized for them. WordPress uses the concepts of “Roles and Capabilities” to let an application developer implement such access control.
Since WordPress is primarily a publishing platform, most of the built-in roles and capabilities are about publishing and editing. However, your app isn’t limited to the built-in access control. WordPress allows you to customize access. The user and author functions include the ability to add both roles and capabilities. Some of these functions are:
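As an added example (not from the article), a hypothetical “sales reports” plugin that defines its own role and capability and gates every entry point on the capability; the role, capability and slug names are assumptions.

```php
<?php
// Added example (not from the article): a hypothetical "sales reports" plugin
// that defines its own role and capability and gates every entry point on
// the capability. Role, capability and slug names are assumptions.
const REPORTS_CAP = 'view_sales_reports';

// Roles are stored in the database, so create them once at activation
// rather than on every request, and remove them again at deactivation.
function reports_activate() {
    add_role( 'report_viewer', 'Report Viewer', array(
        'read'      => true,   // may log in and see the dashboard
        REPORTS_CAP => true,
    ) );
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        $admin->add_cap( REPORTS_CAP );   // administrators see everything the app offers
    }
}
register_activation_hook( __FILE__, 'reports_activate' );

function reports_deactivate() {
    remove_role( 'report_viewer' );
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        $admin->remove_cap( REPORTS_CAP );
    }
}
register_deactivation_hook( __FILE__, 'reports_deactivate' );

// Check the capability, never the role name: an editor who is later granted
// the capability gets in, and a role that loses it is locked out.
function reports_shortcode() {
    if ( ! current_user_can( REPORTS_CAP ) ) {
        return '<p>You are not authorized to view this report.</p>';
    }
    return '<p>Sales report placeholder (real data would be rendered here).</p>';
}
add_shortcode( 'sales_report', 'reports_shortcode' );

// Admin pages take the required capability as an argument, so the same
// capability protects both the menu entry and the page itself.
function reports_admin_page() {
    echo '<div class="wrap"><h1>Sales Reports</h1></div>';
}
function reports_admin_menu() {
    add_menu_page( 'Sales Reports', 'Sales Reports', REPORTS_CAP, 'sales-reports', 'reports_admin_page' );
}
add_action( 'admin_menu', 'reports_admin_menu' );
```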
6. Take Advantage of WordPress Security Plugins
These existing plugins are a good place to start when considering your WordPress app’s security needs.
- Maintenance Mode: This plugin will let you put up a “front” that keeps the “public” face of your app private until you’re ready to publish.
- Better WP Security: This plugin automates many WordPress security best practices.
- WP Login Security 2: This is especially useful in making sure only authorized users can access your app. It enforces whitelisting of all IP addresses used to access the app.
- Wordfence is an application firewall and anti-virus plugin that’s also capable of providing two-factor authentication.
You will, of course, want to review the WordPress plugin directory for the security plugins most applicable to your application.
Although WordPress’s popularity makes it a regular target for attackers, the most common exploits can be mitigated by using secure programming techniques and practices. With proper design, planning and implementation, WordPress can be a secure, productive, high quality application framework for apps that want to publish programmatic data across the Web.