WordPress (WP for short) is an immensely popular platform that can be used to build many kinds of software, but content management remains its typical use case. Its share of the CMS market is over 65%, has been that high for quite some time, and is expected to grow further in the coming years.
On the other hand, WordPress has its problems, and the one raised most often is security. In fact, it's the main reason corporations often avoid it. Is WordPress's bad reputation deserved?
To a certain extent – yes. However, there are ways to make it secure and usable in enterprise CMS – we’ve successfully implemented it in a couple of custom software projects for market leaders (we also have some experience with DXP platforms).
Before we get to the topic of security, let’s quickly go through the biggest advantages WordPress has to offer – the reasons for its popularity. We’ll need that context to understand some of the problems WP faces. There are several main benefits of choosing this technology:
According to WP Manage Ninja, in 2020 there were 3 972 WP vulnerabilities, and websites built on this technology were attacked around 90 000 times. This isn't limited to CMS deployments, but the CMS statistics don't look great either: in 2019, 94% of successfully hacked CMSs were based on WordPress. Sure, market share is a factor here, but still… this doesn't look good.
What’s more, a report from 2021 shows that in 81% of cases WP vulnerabilities have either Medium or High severity.
Considering all of this, it's no wonder that so many businesses, especially big corporations, are worried whether it's the right choice for them. So what exactly makes it so vulnerable?
At a first glance, it looks like choosing WordPress for your enterprise CMS solution is a short road to a disaster in terms of security. But is it, really? To give an answer, we first need to identify WordPress security weaknesses.
The biggest question here isn't "Is WordPress safe?" but rather "Why is it so vulnerable to hackers?". The problem isn't the core system, which is regularly updated by its maintainers. New versions bring additional features and fixes for security problems, and there aren't that many of those to begin with: in the first half of 2021, only three core vulnerabilities were discovered, and they were patched quickly. So, as long as it is kept up to date, the WordPress core can be considered well maintained and reasonably secure.
However, the same can’t be said of plugins and themes. Some of them are well-maintained, others aren’t. In the time period outlined above – the first half of 2021 – 552 plugin vulnerabilities and 47 theme vulnerabilities were cataloged in the WordPress vulnerability database. It’s easy to see that plugins are WP’s biggest security concern. Themes are a problem too, but they offer more limited functionality and there are fewer of them.
At the same time, the level of customization and flexibility offered by plugins is one of the reasons WordPress is so popular, so no one wants to give them up. So what to do?
The first three things are quite obvious: always keep your WordPress core up to date, avoid plugins or themes created by unverified or untrusted entities, and last but not least, follow basic secure coding practices when customizing WordPress.
So, that's it? Done? Sadly, not quite. In reality, even these three things can be problematic. The simple truth is that, if you want to use WP to the fullest, you'll likely install at least several different plugins, which means your security will depend on several different teams of plugin creators. Each additional plugin adds code you didn't write and a release schedule you don't control, so statistically your exposure grows with every one of them.
For these reasons, it’s a good idea to take at least a few of these additional steps – especially if you want to use WordPress for enterprise-grade software:
At Pretius, we've successfully made WordPress secure and incorporated it into large, enterprise-grade systems using two different approaches. We'll now outline both of them using our projects as examples.
The first case is somewhat straightforward. A huge company in the FMCG industry wanted to create a loyalty platform that would be responsive, fast, and easily editable. They also needed the system to use data segmentation, so that it could display different data depending on customers’ parameters.
The platform had to be editable for non-technical employees of the client, and had to be developed fast – as the client was launching a new product on a local market and this loyalty platform was key to building brand awareness. That’s why we have decided to use the battle-tested WordPress CMS. It would be partially visible to the users, so we needed to make it very secure.
One important thing we did was separate the users and application resources from the core WP functionality. Apart from articles and the WP-based content pages, everything else is served via separate mechanisms and APIs. We've also hidden the WP admin panel: you can't reach it from the platform's front end because it sits behind AWS's Web Application Firewall (WAF). We've made sure that WordPress is updated regularly, and we didn't install any shady plugins.
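To make the "admin panel behind a WAF" point concrete, here is an added example of the kind of rule such a firewall enforces, written as a small Python policy check. It is not Pretius's configuration and not an AWS WAF rule export: the protected paths, the assumption that the admin surface is restricted by source address, and the allowlisted range (an RFC 5737 documentation network) are all assumptions. The part a practitioner should take from it is the normalisation step: a rule that matches the raw URI is sidestepped by percent-encoding, doubled slashes or dot segments, which is why AWS WAF offers text transformations such as URL_DECODE and NORMALIZE_PATH to apply before matching.

```python
"""Allowlist policy for the WordPress admin surface (added example, not
Pretius's WAF configuration). Paths, IP ranges and the IP-based restriction
are assumptions made for illustration."""
import ipaddress
import posixpath
from urllib.parse import unquote

# Paths that must not be reachable from the public internet (assumed list).
PROTECTED_PREFIXES = ("/wp-admin", "/wp-login.php", "/xmlrpc.php")

# Office/VPN range allowed to reach the admin surface (assumed; RFC 5737 range).
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path before matching it against the policy.

    Steps mirror WAF text transformations: strip the query string, percent-
    decode twice (defeats double encoding), collapse '//' and resolve '..',
    then lowercase so a case-insensitive host cannot be used to dodge the match.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    path = "/" + path.lstrip("/")          # single leading slash; normpath keeps '//'
    path = posixpath.normpath(path)        # '/blog/../wp-admin/' -> '/wp-admin'
    return path.lower()


def is_protected(raw_path: str) -> bool:
    """True if the normalised path is part of the admin surface."""
    path = normalize_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def admin_request_allowed(raw_path: str, source_ip: str) -> bool:
    """Public content always passes; protected paths pass only from the allowlist."""
    if not is_protected(raw_path):
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def naive_blocked(raw_path: str) -> bool:
    """What a rule on the raw URI does: misses every encoded or unnormalised variant."""
    return any(raw_path.startswith(p) for p in PROTECTED_PREFIXES)


# Constructed requests: (path as sent, source address, should it be allowed?)
CONSTRUCTED_REQUESTS = [
    ("/wp-admin/", "198.51.100.7", False),                    # outsider, plain
    ("/wp-admin/", "203.0.113.10", True),                     # allowlisted office
    ("/wp-%61dmin/edit.php", "198.51.100.7", False),          # percent-encoded 'a'
    ("//wp-admin/", "198.51.100.7", False),                   # doubled slash
    ("/blog/../wp-login.php?redirect_to=/", "198.51.100.7", False),  # dot segment
    ("/WP-ADMIN/", "198.51.100.7", False),                    # case variant
    ("/xmlrpc.php", "198.51.100.7", False),
    ("/2024/05/product-launch/", "198.51.100.7", True),       # public content
    ("/wp-content/uploads/logo.png", "198.51.100.7", True),   # public asset
]


def run_checks() -> list:
    """One boolean per constructed request: did the policy decide as expected?"""
    return [admin_request_allowed(p, ip) == want for p, ip, want in CONSTRUCTED_REQUESTS]


if __name__ == "__main__":
    for (p, ip, want), ok in zip(CONSTRUCTED_REQUESTS, run_checks()):
        print(f"{'ok ' if ok else 'BAD'} {ip:<14} {p:<40} naive_blocked={naive_blocked(p)}")
```

Run it and compare the last column with the policy decision: the naive raw-URI match only catches the first two `/wp-admin/` requests, while the normalised check catches every variant. Whatever product enforces the rule, verify it with encoded and unnormalised requests rather than only the obvious path.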
In the second example, we used a different approach. Our client was a big company from the media sector. They weren't happy with the software they had been using to manage content on the e-commerce part of their VOD service, so they hired us to create a full-fledged CMS platform for them.
We decided to use WordPress because of its powerful content editing features. We created a so-called headless CMS, a Content Management System that works in the backend only. It's completely hidden from regular users because it's reachable only from the client's corporate network. That removes it from the public attack surface, although it still has to be patched like any other internal system, since everyone on that network can reach it.
How does it work? The client's employees use the CMS to edit the content of their platform. Our system exposes the current state of the content via GraphQL, which Gatsby consumes at build time to generate a static React frontend app, the so-called "head". This is the part of the system that users interact with. The generated application is then automatically deployed to the production servers, so that the public can access it.
This setup lets the customer's employees create content using all the WordPress features they like, giving the company great flexibility and scalability. And since the front-end is a static build that never talks to WP at run time, WordPress is not exposed to the public at all.
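The separation above only holds if the generated site really contains no references back to the CMS. Here is an added example (not Pretius's code) of the check we would run on the build output before deploying it: it scans the generated HTML for the internal CMS hostname, the GraphQL and REST endpoints, WordPress path fragments and the WordPress generator tag. The hostname `cms.internal.example` and the sample pages are constructed for illustration; a real run would read the files from the build directory.

```python
"""Scan a static front-end build for references back to a headless WordPress
instance (added example, not Pretius's code). CMS_HOST and the sample pages
are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Hostname of the internal WordPress/GraphQL origin (assumption).
CMS_HOST = "cms.internal.example"

# Anything matching these in a shipped page tells an outsider where the CMS
# lives, or at least that it is WordPress.
LEAK_PATTERNS = {
    "cms-host": re.compile(re.escape(CMS_HOST), re.I),
    "graphql-endpoint": re.compile(r"/graphql\b", re.I),
    "wp-rest-api": re.compile(r"/wp-json/", re.I),
    "wp-path": re.compile(r"/wp-(?:content|includes|admin)/", re.I),
    "wp-generator": re.compile(r'<meta[^>]+name=["\']generator["\'][^>]*wordpress', re.I),
}

Finding = Tuple[str, str, str]  # (page, pattern label, matched text)


def scan_page(name: str, html: str) -> List[Finding]:
    """Return one finding per pattern hit in a single page."""
    return [
        (name, label, match.group(0))
        for label, pattern in LEAK_PATTERNS.items()
        for match in pattern.finditer(html)
    ]


def scan_build(pages: Dict[str, str]) -> List[Finding]:
    """Scan every page of a build; pages maps relative path -> HTML source."""
    findings: List[Finding] = []
    for name, html in pages.items():
        findings.extend(scan_page(name, html))
    return findings


def build_is_clean(pages: Dict[str, str]) -> bool:
    """Gate for the deployment step: True only when nothing leaks."""
    return not scan_build(pages)


# Constructed build outputs. The clean one only references its own static assets.
CLEAN_BUILD = {
    "index.html": '<!doctype html><html><head><title>Catalogue</title></head>'
                  '<body><img src="/static/hero-1a2b.jpg" alt="">'
                  '<a href="/movies/">Movies</a></body></html>',
    "movies/index.html": '<html><body><a href="/movies/alpha/">Alpha</a></body></html>',
}

# The leaky one ships a WP-hosted image URL and the WordPress generator tag,
# which is what happens when media is not copied into the static build.
LEAKY_BUILD = {
    "index.html": '<html><head><meta name="generator" content="WordPress 5.8"></head>'
                  '<body><img src="https://cms.internal.example/wp-content/uploads/2021/hero.jpg">'
                  '</body></html>',
    "movies/index.html": '<html><body><a href="/movies/alpha/">Alpha</a></body></html>',
}


if __name__ == "__main__":
    for label, build in (("clean", CLEAN_BUILD), ("leaky", LEAKY_BUILD)):
        print(f"{label}: clean={build_is_clean(build)}")
        for page, kind, text in scan_build(build):
            print(f"  {page}: {kind}: {text}")
```

The leaky sample shows the most common way this architecture quietly breaks: images and attachments left pointing at the WordPress origin instead of being copied into the build. Wire `build_is_clean` into the deployment pipeline as a hard gate, and extend `LEAK_PATTERNS` with whatever else identifies your internal environment.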
Contrary to popular opinion, WordPress can be a pretty good choice for an enterprise content management system. You just need to make sure it's secured properly, and you don't need a full-time, dedicated security team to do that. You can achieve it by running the latest version of WP, avoiding unreliable plugins, encrypting all traffic, and hiding your admin panel. None of these is a one-off task; they all have to be repeated regularly.
You can also move some functionality out of WP and use other technologies where they fit better, or go further and sever the entire WordPress back-end from the front-end, so that nobody outside your network can reach it. What you get in return is a solution that can be developed fast and will be easily editable by your non-technical employees.
As you can see, Pretius has experience with adapting WP-based systems to the needs of big corporations. We know how to make such solutions secure without compromising their flexibility and functionality. If you're interested, write to us at hello@pretius.com or use the contact form below. We'll see what we can do and get back to you within 48 hours.