WordPress is often used to create CMS systems, but it has a bad reputation when it comes to cybersecurity. It’s one of the reasons why big corporations tend to avoid it. However, is this really an issue? And if so, are there ways to solve the problem and use this technology to create enterprise-level CMS solutions?
WordPress (WP for short) is an immensely popular technology that can be used to build various kinds of software, and Content Management Systems are one of the typical use cases for it. The solution’s market share in that area is over 65%, has been that high for quite some time, and is expected to grow even more in the upcoming years.
On the other hand, there are also some possible issues with WordPress CMSs, and one of the most prevalent is cybersecurity. In fact, it’s the main reason why corporations often avoid it. Is the bad reputation of WordPress deserved?
To a certain extent – yes. However, there are ways to make it secure and usable in enterprise CMS – we’ve successfully implemented it in a couple of custom software projects for market leaders (we also have some experience with DXP platforms).
Before we get to the topic of security, let’s quickly go through the biggest advantages WordPress has to offer – the reasons for its popularity. We’ll need that context to understand some of the problems WP faces. There are several main benefits of choosing this technology:
- Ease of use – WordPress is relatively easy to set up and configure, so you don’t have to worry about a steep learning curve. It also offers a well-made, intuitive website builder with drag and drop functionality that makes it very easy to use, even for people without advanced tech skills. Nicely looking, functional websites and landing pages are just a few clicks away
- The flexibility offered by plugins – one of WP’s main characteristics is that it’s built from two main components: the core system made by WordPress’s developers, and the plugins that can be created by pretty much anyone. There are nearly 60 000 of them. They offer a tremendous amount of flexibility and freedom, and can often be used to shorten development time
- SEO friendliness – WP is built with Search Engine Optimization in mind, and due to the technology’s popularity, as well as its clean code and structure, many search engines work with it very well. Ensuring good visibility in Google through improving organic SEO for your custom domain shouldn’t be a problem
- Availability of WordPress developers – since WP is very popular, it’s relatively easy to find experts who know it well
- Cost-effectiveness – WP typically isn’t very expensive to set up and maintain, though, of course, that’ll depend on the particulars
- Mobile readiness – WordPress can be used on many types of devices, including mobile phones and tablets
- Managing websites from anywhere – you can access WP’s admin and manage your web pages from any computer connected to the Internet
- Control over your content and design – you don’t need the help of software developers to control the content of your WordPress site. You can change it by yourself, and thanks to powerful content management features, and WYSIWYG (What You See Is What You Get) editors will let you see how it’ll look on the site. You can also customize the website’s design in many ways
- Built-in blog – WP was initially a blogging platform, which is why it offers this functionality from the get-go
- Well-known brand – WordPress is a giant brand, with a big and active community. It’s also constantly supported and upgraded by its creators
According to WP Manage Ninja, in 2020 there were 3 972 WP vulnerabilities, and websites built on this technology were attacked around 90 000 times. This isn’t limited to CMS systems, but on that front statistics don’t look all that great either – in 2019, 94% of successfully hacked CMSs were based on WordPress. Sure, market share is a factor here, but still… this doesn’t look good.
What’s more, a report from 2021 shows that in 81% of cases WP vulnerabilities have either Medium or High severity.
Considering all of this, it’s no wonder that so many businesses – especially big corporations – are worried if it’s the right choice for them. So what exactly makes it so vulnerable?
At a first glance, it looks like choosing WordPress for your enterprise CMS solution is a short road to a disaster in terms of security. But is it, really? To give an answer, we first need to identify WordPress security weaknesses.
The biggest question here isn’t “Is WordPress safe?” but rather “Why is it so vulnerable to hackers?”. The problem isn’t the core system, which is regularly updated by its creators. New versions offer additional features and answers to security problems, and there aren’t even that many of those to begin with – for example, in the first half of last year, only three vulnerabilities were discovered, and they were patched quite quickly. So, in general, the core WordPress can be considered very secure.
However, the same can’t be said of plugins and themes. Some of them are well-maintained, others aren’t. In the time period outlined above – the first half of 2021 – 552 plugin vulnerabilities and 47 theme vulnerabilities were cataloged in the WordPress vulnerability database. It’s easy to see that plugins are WP’s biggest security concern. Themes are a problem too, but they offer more limited functionality and there are fewer of them.
At the same time, the level of customization and flexibility offered by plugins is one of the reasons WordPress is so popular, so no one wants to give them up. So what to do?
The first two things are quite obvious: try to always keep your core WordPress up to date, and don’t use plugins or themes created by entities you can’t verify and trust.
So, that’s it? Done? Sadly, not quite. In reality, even these two things can be problematic. The simple truth is that, if you want to use WP to the fullest, you’ll likely install at least several different plugins, which means your cybersecurity will depend on several different teams of plugin creators. And statistically, with each such team, you get more vulnerable to a hack.
For these reasons, it’s a good idea to take at least a few of these additional steps – especially if you want to use WordPress for enterprise-grade software:
- Improve security of your login process – there’s a couple of simple things that’ll be easy to add and will affect your cybersecurity positively. For example, enable two-factor authentication to offer an additional layer of security, install plugins that limit log in attempts or captchas, and advocate the use of strong passwords
- Getting a security plugin that scans your website for malware – performing regular scans will help keep your system free of malware
- Secure your admin panel using an personal SSL certificate – you can protect your admin panel with additional SSL certificates such as X.509 so that it’s much harder to access for people from outside the organization
- Enabling ACL (Access Control List) – access to objects and resources should be granted selectively, based on the needs of specific people
- Separating front-end user accounts from WP – you can deliver the user account functionality using another solution (Okta, Keycloak, and so on), which helps you avoid some of the potential problems
- Hiding your admin panel – you can desing your admin panel in such a way that it isn’t easily accessible to users who don’t know where to look for it
At Pretius, we’ve successfully made WordPress secure and incorporated it into large, enterprise-grade systems by using two different approaches. We’ll now outline both of them using our projects as examples
Secure WordPress-based loyalty platform for a large FMCG company
The first case is somewhat straightforward. A huge company in the FMCG industry wanted to create a loyalty platform that would be responsive, fast, and easily editable. They also needed the system to use data segmentation, so that it could display different data depending on customers’ parameters.
The platform had to be editable for non-technical employees of the client, and had to be developed fast – as the client was launching a new product on a local market and this loyalty platform was key to building brand awareness. That’s why we have decided to use the battle-tested WordPress CMS. It would be partially visible to the users, so we needed to make it very secure.
One important thing we did was separate the users and application resources from the core WP functionality. Besides articles and the content on the websites which are WP-based, everything else is served via different mechanisms/API. We’ve also hidden the WP admin panel – you can’t access it from the platform’s front end because it’s behind AWS’s Web Application Firewall (WAF). We’ve made sure that WordPress is updated regularly, and we didn’t install any shady plugins.
Headless CMS for a big entertainment company
In the second example, we’ve used a different approach. Our client was a big company from the media sector. They weren’t happy with the software they’ve used to manage content on the e-commerce part of their VOD service, and so they’ve hired us to create a full-fleged CMS platform for them.
We’ve decided to use WordPress because of its powerful content edition features. We’ve created a so-called headless CMS – a Content Management System that works in the backend only. It’s completely hidden from regular users because it’s only available in the client’s safe, corporate network. This makes it a very secure solution.
How does it work? Client’s employees use the CMS to modify the content on their platform. Our system then issues data about their changes and the current state of the content via GraphQL, which is then used by Gatsby to create a frontend app in React – the so-called “head”. This is the part of the system that users will interact with. That application is then automatically copied onto the production servers, so that regular people can access it.
This system allows the customer’s employees to create content using all the awesome WordPress features, offering the company great flexibility and scalability. And since WP isn’t connected to the front-end at all, it isn’t a security liability.
Contrary to popular opinion, WordPress can be a pretty good choice for an enterprise content management system. You just need to make sure it’s secured properly, and you don’t need a full-time, dedicated security team to do that. You can achieve that by using the latest version of WP, avoiding unreliable plugins, employing top-grade encryption, and hiding your admin panel. All of these things have to be performed regularly.
You can also separate some of the functionalities from WP, and use other technologies where it’s applicable – or even by severing the entire WordPress back-end from the front-end, so that people from outside have no way to access it. What you get in return is a solution that can be developed fast and will be easily editable for your non-technical employees.
Do you want a WordPress-based CSM system?
As you can see, Pretius has experience with adapting WP-based systems to the needs of big corporations. We know how to make such solutions secure without compromising their flexibility and functionality. If you’re interested, write us at email@example.com or use the contact form below. We’ll see what we can do and get back to you in 48 hours.