WordPress as a Secure Application Framework

Many people know about WordPress as “that blog site.” Those who recognize that it’s open source know it primarily as “blog” software. However, more accurately put, WordPress software is a full “publishing platform.”

According to W3Techs, over 20 percent of all websites use the WordPress content management system. There are several good reasons for this:

  • It is a mature platform. It’s been around since 2003.
  • At its core it’s simple to use. Its target audience is primarily content publishers, not developers. At the same time, developers aren’t a forgotten audience. WordPress seems to have hit the sweet spot in balancing the needs of users and developers.
  • It’s very flexible. It has a well-designed and well-documented plugin and theme system.
  • It’s free and open source software, licensed under GPL.

WordPress as an Application Framework

As WordPress continues to grow in popularity, it’s moving beyond being simply a publishing platform: It’s becoming an application development framework. Indeed, WordPress says:

If you want to build an application, WordPress can help with that too. Under the hood WordPress provides a lot of the features that your app will need, things like translations, user management, HTTP requests, databases, URL routing…

WordPress LogoWebsite developer Jake Goldman discusses this at length in a recent blog post. After reading it and having a few discussions in community groups, I’ve concluded that WordPress is still primarily a publishing system and is not, nor ever will be, all things to all programmers. It is, however, a powerful tool if you’re developing an app that retrieves and/or generates data from any variety of sources (internal calculations, external business processes, Web services and so forth) and publishes that on the Web (either on the Internet or an intranet).

Of course, there are many times, especially in a Web app, that publishing programmatic output is exactly what you want to do. That is when WordPress may be an excellent platform for developing cloud based SaaS Web applications.

WordPress Application Security

In light of the recent series of high profile website security problems, it’s clear that a Web application developer should plan application security from the beginning. The very features that make WordPress attractive to publishers and developers also make it an attractive target for attackers.

According to a recent Information Week article, “70 percent of WordPress sites are running outdated software and are vulnerable to hackers launching DDoS attacks. Recent examples hit MIT, NEA and Penn State servers.”

These numbers are disturbing. In May 2012, Netcraft estimated that there were over 660 million websites. If 20 percent of the Web is running WordPress and 70 percent of those are vulnerable, that means 14 percent of the Web, or nearly 100 million sites, have known vulnerabilities.

Clearly we don’t want our applications to be in that number. What follows are some tips to help make your WordPress application more secure.

1. Don’t Modify the Core Code

When vulnerabilities are detected in WordPress, you can count on two things:

1. The developers will quickly respond with an update.
2. Attackers will quickly develop and deploy an exploit.

If you modify the core WordPress code, you can be sure that these security updates will break your application. So instead of modifying the core code, design your application as one or more plugins and/or themes. This gives you several potential advantages beyond simple update protection.

  • Productivity: By defining your app as (“WordPress Core” + Existing Plugins + New Plugins + a Theme), you gain two productivity advantages: First, you have the opportunity to reuse open source code and, second, the advantage of creating only the new code your app needs.
  • Quality: WordPress has some well-defined coding standards, integration rules and implementation techniques for both themes and plugins. These make it easier for community developed plugins and themes to interact. Even though you are creating custom code for your own app, following these standards will help you design quality into your app from the beginning.
  • Staffing: Because WordPress is the most popular Web development platform, there are a large number of developers that understand it. WordPress plugin development and WordPress theme creation are common skills among website programmers and designers.

One caveat: You should avoid the temptation of putting too much functionality into the theme.  If you can, start with a stock theme and build your app strictly as set of plugins and filters.

If you believe that you can’t create your app without modifying the core WordPress code, you may want to reexamine the idea that WordPress is the best framework for your application.

2. Harden Your Site as Soon as You Install WordPress

At the very least you should:

1. Use the salt generator to create unique security keys within your wp-config.php file.
2. Remove the ‘Admin’ user. In April, the BBC reported that the user name “Admin” was used in an attack targeting WordPress coming from about 90,000 IP addresses.
3. Use SFTP, rather than FTP, to upload files.
4. Use a Strong Password. Most WordPress sites are most vulnerable to old-fashioned brute force attacks, and a strong password is the best way to defeat them.
5. Put a blank index.php file into your plugin directory. This will hide which plugins you are using — or not using — from a potential attacker.
6. Automatically back up your site’s code and database to an offsite location at least daily.  Retain each day’s back up for at least 30 days, though a year is probably better.

You may also want to consider changing the database table prefix. This could protect your app from certain SQL injection attacks.

3. Take Advantage of Built-In Data Validation and Sanitation

WordPress provides a variety of functions to validate input and sanitize output. Be familiar with, and use these functions to protect your application against injection-style attacks.

A special type of validation is a “nonce” field. A nonce is a “Number Used Once.” It’s provided by WordPress to protect your forms from misuse.

4. Use the HTTP API to Access Web Services

WordPress provides an HTTP abstraction layer that you can use to allow your app to access Web services. This API makes it relatively trivial, for example, to verify than an SSL certificate is valid.

5. Plan Your User Roles and Capabilities

Security is not only about keeping attackers out. It’s also about limiting specific access to specific authorized users. WordPress uses the concepts of “Roles and Capabilities” to allow an application developer to implement such access control.

Since WordPress is primarily a publishing platform, most of the built-in roles and capabilities are about publishing and editing. However, your app isn’t limited to the built in access control. WordPress allows you to customize access. The user and author functions include the ability to add both roles and responsibilities. Some of these functions are:

  • add_role()
  • remove_role()
  • get_role()
  • add_cap()
  • remove_cap()
  • user_can()
  • current_user_can()

6. Take Advantage of WordPress Security Plugins

These existing plugins are a good place to start when considering your WordPress app’s security needs.

  • Maintenance Mode: This plugin will let you put up a “front” that keeps the “public” face of your app private until you’re ready to publish.
  • Better WP Security: This plugin automates many WordPress security best Practices.
  • WP Login Security 2: This is especially useful in making sure only authorized users can access your app. It enforces white listing of all IP addresses used to access the app.
  • Word Fence is an application firewall and anti-virus plugin that’s also capable of providing two-factor authentication.

You will, of course, want to review the WordPress plugin directory for the security plugins most applicable to your application.


Although WordPress’s popularity makes it a regular target for attackers, the most common exploits can be mitigated by using secure programming techniques and practices. With proper design, planning and implementation, WordPress can be a secure, productive, high quality application framework for apps that want to publish programmatic data across the Web.

2 Responses to “WordPress as a Secure Application Framework”

  1. Michelle Greenlee

    Hi David. This is a great post about WordPress. Some recommend using child themes instead of customizing core theme files but even that can be troublesome once a parent theme updates. I like to use a custom.css file and a customized home.php file. I don’t like to touch the theme files if I can avoid it!

    Core WP files are now self-updating as of version 3.7 which will help cut down on aging vulnerable sites as long as they get updated to 3.7. If you’re not keen on keeping up with security you can also opt for managed WordPress hosting from a company like WP Engine. They do a good job keeping sites updated and secure.

  2. David,

    Great post about using WordPress as a development platform. Just knowing php and sql is not enough when it comes to developing for wordpress directly. And you are absolutely right that wordpress security should be a concern from the get go. Many plugins and themes are too often behind the root causes of many wordpress hacks and intrusions. Great suggestions on the security plugins but I think more could be done as part of the WP core engine. The recent auto-updates are a step in that direction if they work as planned. Thanks again for the great post.