Bringing security to CMS

Tips for web developers faced with securing pre-existing WordPress sites

Andrej Kovačević

WordPress is the most widely-used content management system in the world, powering over 35% of all websites. However, many pre-existing WordPress sites have a number of security flaws. Find out how web developers can overhaul an existing WordPress site into tip-top shape and how to handle potential security concerns.

For web developers, the topic of content management systems can be quite divisive. Some see them as a hindrance to building customized solutions for clients, while others believe them to be flexible architectures that speed up site construction by providing support for common functions. Like them or not, however, they’re a fixture of the modern internet.

Take, for example, WordPress. It’s by far the most widely-used CMS in the world, powering over 35% of all websites. That means there are few web developers that won’t encounter it in their work, and most will have some experience developing for the platform. Unfortunately, many of those encounters will be with pre-existing WordPress sites, the majority of which were initially built by amateurs.

That’s an issue because the majority of WordPress site owners spend more of their time agonizing about choosing the perfect domain name than they do on making sure their site’s competently constructed. That reality often leaves the follow-up developer with a confusing mess on their hands – and the first casualty is the site’s overall security. To help developers dealing with that kind of issue, here’s a rundown of how to whip an existing WordPress site into shape from a security perspective.


Modify the default database prefix

More often than not, the first place an attacker will hit on a WordPress site is its database. That’s because WordPress creates its tables with a standard, well-known prefix (`wp_` by default) on install, so table names are predictable. The first modification a web developer should make on an existing site is therefore to rename the site’s database tables under a different prefix to make them harder to guess. It’s a process that takes only a few minutes and provides an instant security upgrade for the site.
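The rename is more than a `RENAME TABLE` loop, because WordPress also stores the prefix inside row data (the `user_roles` option and the capability keys in `usermeta`). The script below is an added example, not code from the article; it generates the full migration SQL from a list of table names and shows the WP-CLI steps around it. It assumes MySQL/MariaDB and that the `wp` command is installed on the host.

```shell
#!/bin/sh
# Added example (not from the article). Generates the SQL that moves a
# WordPress install from one table prefix to another. Table names are read
# from stdin, one per line, e.g. the output of `wp db tables`.

# valid_prefix NEW : succeed only if NEW is letters, digits and underscores,
# the only characters WordPress accepts in $table_prefix.
valid_prefix() {
    case "$1" in
        "" | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# prefix_sql OLD NEW : print migration SQL; tables not starting with OLD
# (e.g. tables of another application sharing the database) are left alone.
prefix_sql() {
    old=$1
    new=$2
    valid_prefix "$new" || { echo "refusing unsafe prefix: $new" >&2; return 1; }
    while IFS= read -r tbl; do
        case "$tbl" in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$tbl" "$new" "${tbl#"$old"}" ;;
        esac
    done
    # Rows that embed the prefix: wp_user_roles in options, wp_capabilities
    # and wp_user_level in usermeta. '_' is a LIKE wildcard, so escape it.
    like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    skip=$((${#old} + 1))
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$skip" "$like"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$skip" "$like"
}

# Full procedure; only runs when RUN_PREFIX_MIGRATION=1 and NEW_PREFIX are set.
if [ -n "${RUN_PREFIX_MIGRATION:-}" ]; then
    OLD=$(wp config get table_prefix)          # current value from wp-config.php
    NEW=${NEW_PREFIX:?set NEW_PREFIX, e.g. k7q_}
    wp db export "before-prefix-change.sql"    # restore point before touching tables
    wp db tables --all-tables-with-prefix | prefix_sql "$OLD" "$NEW" | wp db query
    wp config set table_prefix "$NEW" --type=variable
fi
```

Changing the prefix only defeats injection payloads that hardcode `wp_`; the underlying injection bug in a plugin still has to be patched.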

Update to the latest PHP version

Many of the common exploits that affect WordPress sites stem from the PHP code the site and its plugins run on. To defend against attacks on that code, first make sure the site is running the most recent PHP version available. According to WordPress itself, 59.3% of active sites are using PHP versions that no longer receive security updates. That means there’s a pretty good chance that any pre-existing site a developer encounters is going to need a PHP upgrade ASAP.

Remove unused or redundant plugins

One of the best features of WordPress (and CMS platforms in general) is that it’s easy to find plugins that provide needed functionality at a fraction of the cost it would take to build from scratch. In the hands of a developer, that’s a powerful tool. In the hands of an amateur, it’s an invitation to disaster.

That’s because first-time WordPress users have a tendency to install plugins just to try out functions while deciding how to build the site they want. On top of that, it’s common to find installed plugins with duplicate functionality that went unnoticed. So the next step is to remove any unnecessary plugins to reduce the site’s overall attack surface. Then limit the remaining plugins to those that are still under active development and maintenance.
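The plugin audit is easy to make repeatable. The script below is an added example, not code from the article: it reads a `wp plugin list` CSV export and flags inactive plugins and plugins with a pending update, and it includes a helper that looks up a plugin's last release year on wordpress.org (the public plugin info API, which is assumed here and returns nothing for premium plugins). Plugin names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the article). Input on stdin is CSV with the
# columns name,status,update,version, as produced by
#   wp plugin list --fields=name,status,update,version --format=csv
# status is one of active|inactive|must-use|dropin; update is none|available.

# plugin_audit : print "<name> <ACTION> <reason>" for every plugin needing work.
# Inactive plugins are still on disk and their PHP files are still reachable;
# plugins with a pending update are the first ones mass-exploitation tools try.
plugin_audit() {
    while IFS=, read -r name status update version; do
        case "$name" in name | "") continue ;; esac   # header row or blank line
        case "$status" in
            inactive) printf '%s REMOVE inactive but still on disk\n' "$name" ;;
        esac
        case "$update" in
            available) printf '%s UPDATE newer version than %s available\n' "$name" "$version" ;;
        esac
    done
}

# last_update_year SLUG : year of the plugin's last release on wordpress.org.
# Assumes the plugin info API at api.wordpress.org and its "last_updated" field
# (format "YYYY-MM-DD ..."); a plugin not updated for years is a removal candidate.
last_update_year() {
    curl -fsS "https://api.wordpress.org/plugins/info/1.0/$1.json" \
        | sed -n 's/.*"last_updated":"\([0-9]\{4\}\)-.*/\1/p'
}

# Usage on a live install (WP-CLI):
#   wp plugin list --fields=name,status,update,version --format=csv | plugin_audit
#   wp plugin delete <name>     # for each REMOVE line, once nothing depends on it
#   wp plugin update <name>     # for each UPDATE line
#   for p in $(wp plugin list --field=name); do echo "$p $(last_update_year "$p")"; done
```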


Suggest using 3rd-party defenses

Part of the lure of WordPress is that it lets a site’s owner take over as updater and caretaker once the developer’s work is done. As a developer, that means accepting that you likely won’t be there to keep the site safe from attackers in the future. For that reason, it’s a good idea to suggest that the site owner use a 3rd-party site security provider to protect the site. Several companies offer both free and paid versions of their security platforms, so there’s a solution for every budget. That also means there’s no excuse for the site owner not to take the developer’s sage advice on the subject.

Locked down and ready for anything

For web developers, it’s a given that security should be at the heart of everything we do. The consequences of failure are too severe for that not to be the case. When it comes to CMSs like WordPress, though, much of the ongoing security burden is out of the developer’s hands and falls squarely on the shoulders of site owners and operators. Still, by making sure a site’s as secure as possible from the beginning, so much of the ongoing risk can be eliminated. If we all do our part, the internet will be a safer place for everyone – even amateur WordPress site owners.

Andrej Kovačević
Andrej is a digital marketing expert, editor at TechLoot, and a contributing writer for a variety of other technology-focused online publications. He has covered the intersection of marketing and technology for several years and is pursuing an ongoing mission to share his expertise with business leaders and marketing professionals everywhere.
