The right Content Management System is critical for success or defeat of a website. The most popular CMS today is, of course, WordPress. It’s not only free and flexible, but also easy to install. Therefore, so many websites’ developers and owners use it most often. That is all good. However, does the fact that WordPress is now powering about 41% of the web makes it the best platform to choose for your business?
Read the article to find out:
- If WordPress is really that bad as sometimes claimed to be?
- If you could use WordPress to meet your business needs?
- What is the true potential of libraries in the WordPress core?
- What are actions, filters, hooks, and Child themes?
- How to deal with WordPress security issues?
Many developers claim WordPress to be the best way to manage a website, although making necessary custom changes can sometimes be a good solution, in some cases they are a recipe for disaster. By means of code modifications one can add all needed features, but they can also open a Pandora’s box full of bugs, problems, and hacks. A skilled developer will certainly help you manage your website without any problems for a long time. The idea here is to find the right support for your custom WordPress project, otherwise you will end up with a customized website that might become a real torture for the user and the owner.
Does this mean that WordPress is bad?
No, absolutely not! WordPress, due to its flexibility, is a great option for many developers, users, and business owners to build any type of a website. So, where is the rub you might ask. The problem isn’t in WordPress itself. It is about the people who claim to know WordPress. They say that simply because it is “free” and “flexible”, and it has a huge community built around it, almost everybody can handle this platform on a professional level. I want to show you that WordPress is more than a blog and can give you almost endless possibilities. You need to use it right, look at the big picture and don’t go beyond its capabilities.
There are many companies that sell WordPress products and services. Depending on your business needs, you might choose from a variety of plugins and add-ons, to make it an excellent tool to sell your product, present your company or create a booking platform. As long as we talk about personal and professional blogs or small websites with basic needs, which do not require knowledge of HTML code or PHP programming skills, all is good. WordPress, with its very low barrier to entry, allows thousands of people without programming skills to create such websites. These websites might be used by their happy owners and internet users for years …at least up to a point, when everything works properly.
However, WordPress is more than a blog or a simple website. Since it is an open-source platform, plugin developers continue adding new solutions to the CMS. That is why WordPress is a great and very powerful tool for all those who know much more than plain, vanilla WordPress. For developers, who have spent years on developing their experience, and gained uncommon skills to craft a website that integrates with other software, brings necessary automation, gives you the unique features that your business needs.
What WordPress really is?
WordPress has evolved towards being a fully-fledged, very powerful platform. Using its full potential requires a lot of experience. Even the best PHP developers, who just occasionally use WordPress, often try to reinvent the wheel, as their knowledge of the WordPress engine and possible use cases isn’t broad enough. WordPress has even more features that you can find in its official datasheet. It has become an excellent tool that, when used by a conscious and skilled developer, will perform magic. Don’t’ have to believe me, test that out and share your experience with me.
Let’s take WooCommerce for instance. It has a lot of very useful functionalities hidden deeply in the code, not always well documented. Using them allows us to highly customize the e-commerce platform, and maintain the ability to easily update the WordPress/WooCommerce core and plugins at the same time. But to know them and to understand how to use them correctly, one needs to spend years on developing solutions based on that “framework” and also learning and exploring their functionalities. This is why, I think, the specialization of a programmer must go further than a good knowledge of PHP, OOP, or general good programming practices.
A person having a good understanding of the platform internals (and obviously understanding its limitations as well) can build complex, reliable and cost-effective solutions. There are much more complex e-commerce platforms nowadays, based on WooCommerce, that deny the widely spread bad fame of WordPress, which unfortunately comes with its popularity and the fact that many people use it without deeper knowledge.
The same already happened, for example, in the Magento world. You can rarely find a developer, who is just an occasional Magento specialist. There are devs who love it, and others who hate it. But not much in between. It simply takes years of practice to become a professional. And I believe the same concerns WordPress and WooCommerce.
So, is the poor reputation of WordPress really deserved?
There are many stereotypical, negative opinions about WordPress, such as poor architecture or security risks. But most of them come from people, who are not familiar with the “framework” insides. For example, WordPress offers a huge amount of ready-to-use, proven tools like libraries. Libraries in the WordPress engine or email sending functions, allow developers to build effective solutions by connecting appropriate actions and hooks without having to write sophisticated lines of code. These solutions are simply there, at your hand, they are good and tested. All you need to know is where to look for them. This kind of knowledge comes with years of experience with different projects.
The true potential of libraries in the WordPress core
WordPress comes with a bunch of regularly updated libraries that can be used in plugins and themes. And many not-so-experienced devs use WordPress themes/plugins with doubled files that are already written in the WordPress core (e.g., jQuery or Color Picker). These third-party libraries not only make the page bigger and extend its load time, but also need regular updates, what is one of most often claimed WordPress “flaws”. Placing redundant libraries is a straightforward path to conflicts and hence project disaster.
Being aware of libraries and functions that are already included in WordPress standard installation helps to build websites smaller and easier to maintain.
Regular updates make the website more secure in case of any vulnerabilities. Moreover, WordPress core, plugins, themes, and Dashboard are consistently improved and offer additional features.
Actions, filters, hooks, and Child themes
We might say that making custom modifications in the core of a plugin or theme is a really bad idea, since all the changes will be lost in the case of any automatic update. And they have to be made again. And again. But this is what an inexperienced programmer would say, and that is not the right reference. WordPress, having the hook mechanism, allows you to get out of this situation. Experienced development teams create plug-ins by embedding hooks in them for future modifications. It is a proven and very effective programming method that has been started by the WordPress community. This gives WordPress the largest marketplace of add-ons and modifications from all available CMS platforms.
The right and most effective approaches to a theme modification are: actions, filters, and creating a Child theme extending the parent one. They allow making changes to existing functionalities without editing the parent theme.
Use Version Control System!
All custom coded files, such as a custom plugin or child theme, should be under version control. That’s why you should use Git. It not only records all changes, but also allows developers to work together on the same WordPress project. It also enables us to revert to a previous version whenever something goes really bad. Moreover, Git can keep track of all the work history of all the developers working on a particular website. Keeping track is really useful in the case of large, long-term WordPress projects.
Too many HTTP requests
And the cherry on the top: the Security
Many novice developers focus on results and functionalities the client wants. That’s why they often put security aside during the WordPress website development. But what if the client’s website gets hacked or a plugin published on WordPress.org has a vulnerability affecting thousands of websites developers and users?
These things happen more and more often, although WordPress development team has identified and removed a fair number of security vulnerabilities so far. That’s why the devs are responsible for the security of their projects. But knowing how to keep the website really secure requires some skills and knowledge. That’s why it’s usually the last thing that upsets a newbie, who prefers easier paths.
A common mistake of inexperienced developers and architects is to “leave the safety issue until the end of the work”. This logic, followed by people who suggest using a WordPress “security” plugin, which should magically take care of the security of the entire project. What about the code that you write exclusively for the client? Remember that plug-ins are not always the answer to all problems. They can even give you a false sense of security. Nothing can replace an experienced development team that will take care of security from the very first line of the code.
Depending on the context, data, and the developer level of expertise there are several methods to avoid the XSS vulnerabilities. They represent the zero-trust approach to any input data and any data that is going to be printed. For example, sanitize_text_field() function for input data. It looks for invalid UTF-8 characters, converts single < characters into HTML entities, removes line breaks, tabs and extra white space, and also strips all tags and octets. To display URLs use the esc_url() function. It keeps the URLs safe, removes invalid or dangerous characters. There are more functions that ensure the safety of our website users, and each of them corresponds to a specific data type (e.g. esc_textarea (), esc_js (), or esc_html ()). Escaping content is generally a very good practice.
Prevent direct access to files
Most hosts allow direct access to files, but it can result in printing data valuable for potential attackers. Especially when the code is poor and can’t deal with this problem. Solution is, for example, a common snippet often added to plugins and themes:
// Exit if accessed directly
if ( ! defined( ‘ABSPATH’ ) ) exit;
Properly embedded code causes the script to exit and print nothing, when the ABSPATH constant is not defined.
Nonce is a “number used once”. It protects URLs from certain types of malicious, misuse, or otherwise. This is one of the most important functions already present the WordPress engine. Nonce can effectively increase the security of your project by generating one-time tokens.
For instance, the below URL can trash a post 140:
When accessing this URL, WordPress validates an authentication cookie. If you are, for example, an administrator with all necessary access rights , it deletes the post 140.
But a cracker can make a browser access that URL without your knowledge with, for example, a link on a third-party page:
<img src=”http://example.com/wp-admin/post.php?post=140&action=trash” />
Nicely crafted request and knowledge of the WordPress engine architecture will allow the cracker to prepare a theoretically effective attack scenario, which triggers your browser to request a WordPress and to automatically attach your authentication cookie. Then WordPress considers the request valid.
But adding nonce would prevent the attacker from getting a valid request, since the new URL request would be as follows:
Without a nonce, the browser receives a “403 Forbidden response” with a common error message: “You don’t have permission to access.
But, although, majority of people, especially novice developers, don’t take WordPress’ websites security seriously, the experienced devs always make penetration tests to identify vulnerabilities before any attacker would be able to identify and use them.
What business purpose does WordPress serve in the end?
It is worth noticing here that WordPress fits a certain purpose. So, if you want a simple and cheap website do it yourself or hire one of the many not-so-experienced devs available on the market. But, if you want to build a business and compete with other business grate solutions, you should probably look for a real WordPress stager, somebody with experience and knowledge of WordPress internals and potential.