WordPress is a popular, easy-to-use, PHP-based content management system and blogging platform. Many enterprise organizations believe that WordPress is simply a platform used by smaller companies, entrepreneurs, freelancers and companies who don’t have a robust or sophisticated infrastructure. But what if this simply isn’t the case?
This article will discuss five strategies that can help you take advantage of the easy-to-use functionality of WordPress. We’ll also leverage the enormous community support to develop an enterprise-ready site. But first we’ll talk a bit about the reasons enterprises are hesitant to use this platform for their next enterprise project and why those reasons are unfounded.
Enterprise Hesitancy
WordPress originally started as a blogging platform but quickly adapted to general website use. Today, it’s estimated that WordPress may power as much as 35–40% of the websites on the Internet, and nearly 28% of all ecommerce goes through WooCommerce (a WordPress plugin and system). However, many IT professionals and experienced developers still see the platform as only for blogging, and consider that it’s not suited to handling the larger needs of enterprises, which may need to integrate with their services. Many organizations see their systems as proprietary systems that are “too unique” for WordPress, and believe that it just won’t fit into their infrastructure.
Another fear that IT/development staff have about WordPress is that, to get the site up and running, and working with their system, they have to start from scratch. This is simply not the case. WordPress has done a very nice job of getting the main platform installed in as little as five minutes. In addition, through the use of sophisticated plugins, WordPress can tap into standardized systems, work with cloud services, provide SAML or OAuth2 functionality, and more. Even if you don’t find a plugin that does everything you need, it’s easy to build plugins and extend the platform to connect to your own proprietary system. We’ll look into some of that in this article.
Lastly, there’s a belief that WordPress is just not secure enough. Why do they think this? Well, perhaps it’s because they see a lot of security updates. But shouldn’t that tell you that WordPress is so active on the security front that it’s finding and fixing problems before your IT department even wakes up in the morning? With such a large footprint in the online world, and with so many companies using it, there are thousands and thousands of developers looking at every inch of core. Plugins, it’s true, can be written by anyone, but a bit of basic discipline lets you pick only the best and vet every plugin you allow. Everything is open source, so all plugins are an open book, and you can have your devs crawl through them and look for anything that may impact the organization.
The Strategies
Now that we’ve addressed some of the hesitancy and myths lurking about WordPress in the enterprise context, we can talk about some strategies for making WordPress something that could work for a company of any size. While these strategies will cover many topics, there’s always more that you can do. Be sure to look for more information on sitepoint.com as you explore these strategies.
Strategy 1: Identify what you need and lock it down
This is your standard security strategy for WordPress.
1. First make sure that you set up the platform using the famous five minute install guide. One thing to pay attention to is generating your secure salts. This is super easy to do and will give you that extra layer of protection.
2. Set up SSL. Pretty standard really.
3. Protect your `wp-config.php` file. This file is a great place to put your secrets, passwords, API keys and links to the platform and also your enterprise services. I’d recommend not committing this file to your repositories and instead just keeping a backup of it somewhere. Then you can give it to new developers who may need it. You can even move this file to a different location that’s not accessible by the public and then reference the file. If you do a search about moving `wp-config.php`, you can find tons of information on the topic. In addition to moving it, you can also add a configuration to your web server configs or `.htaccess` file to simply deny direct access to the file.
4. Move the login page for your admin panel. Typically, this page is found at `https://<yoursite.com>/wp-admin`. You can also change this URL to be some other location. There are plugins that can assist you with this.
5. Put the site behind a CDN or service like CloudFlare or CloudFront for even more security.
6. Remove any labeling that mentions the WordPress version.
To complete point 6 above, add the two short snippets below to your theme’s `functions.php` file. The version string leaks in two spots: the generator tag in the HTML head and RSS feeds, and the `ver=` query string appended to enqueued scripts and stylesheets.
Do the following to remove the version number in the header and RSS:
```php
// The 'the_generator' filter produces the <meta name="generator"> tag and the
// <generator> element in feeds; returning an empty string suppresses both.
function remove_wp_head_version() {
    return '';
}
add_filter( 'the_generator', 'remove_wp_head_version' );
```
And to remove the version details from scripts and CSS files, do this:
```php
// Strip the 'ver=<WordPress version>' query string that WordPress appends to
// core script and style URLs. strpos() returns 0 for a match at offset 0, so
// compare against false rather than relying on truthiness.
function remove_wp_styles_scripts( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'remove_wp_styles_scripts' );
add_filter( 'script_loader_src', 'remove_wp_styles_scripts' );
```
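Points 1 and 3 above can be combined into one file. The following is an added example, not code from the SitePoint article or from WordPress itself: a stub `wp-config.php` that stays in the repository but holds no secrets, pulling them from a file outside the web root and refusing to boot if that file is missing, too permissive, or still carries the sample salts. The directory layout, the `wp-secrets.php` file name and the `enterprise_config_fail` helper are assumptions; the constant names, the `put your unique phrase here` placeholder and `wp-settings.php` are WordPress’s own.

```php
<?php
/**
 * Added example (not from the article or WordPress core): a wp-config.php stub that
 * loads secrets from outside the document root.
 *
 * Assumed (hypothetical) layout:
 *   /var/www/example.com/public/wp-config.php   this file, safe to commit
 *   /var/www/example.com/wp-secrets.php         outside the web root, never committed
 *
 * wp-secrets.php is assumed to `return` an array mapping constant names to values, e.g.
 *   return [ 'DB_NAME' => 'wp_prod', 'AUTH_KEY' => '...', 'ENTERPRISE_API_KEY' => '...' ];
 */

$secrets_file = dirname( __DIR__ ) . '/wp-secrets.php';

// Hypothetical helper: log the detail server-side, show the client nothing useful.
function enterprise_config_fail( string $message ): void {
    http_response_code( 500 );
    error_log( 'wp-config: ' . $message );
    exit( 'Site configuration error.' );
}

if ( ! is_readable( $secrets_file ) ) {
    enterprise_config_fail( 'secrets file is missing or unreadable' );
}

// Refuse to boot if the secrets file is group- or world-readable (mode bits 0044).
if ( ( fileperms( $secrets_file ) & 0044 ) !== 0 ) {
    enterprise_config_fail( 'secrets file must not be readable by group/others (chmod 0400)' );
}

// Refuse to boot if the secrets file has been moved back under the document root.
if ( isset( $_SERVER['DOCUMENT_ROOT'] ) ) {
    $doc_root = realpath( $_SERVER['DOCUMENT_ROOT'] );
    $real     = realpath( $secrets_file );
    if ( $doc_root !== false && $real !== false
        && strpos( $real, $doc_root . DIRECTORY_SEPARATOR ) === 0 ) {
        enterprise_config_fail( 'secrets file sits inside the document root' );
    }
}

$secrets = require $secrets_file;
if ( ! is_array( $secrets ) ) {
    enterprise_config_fail( 'secrets file did not return an array' );
}

// Database settings plus the eight salts from point 1. The placeholder string is the
// one shipped in wp-config-sample.php; booting with it still in place is a bug.
$required = [
    'DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST',
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
foreach ( $required as $name ) {
    $value = $secrets[ $name ] ?? '';
    if ( $value === '' || $value === 'put your unique phrase here' ) {
        enterprise_config_fail( "$name is missing or still set to the sample placeholder" );
    }
    define( $name, $value );
}

// Anything else in the file (API keys for your enterprise services, for example) becomes
// a constant too, so plugins read constant('ENTERPRISE_API_KEY') instead of hard-coding it.
foreach ( $secrets as $name => $value ) {
    if ( ! defined( $name ) ) {
        define( $name, $value );
    }
}

$table_prefix = 'wp_';

define( 'FORCE_SSL_ADMIN', true );    // point 2: login and admin over HTTPS only
define( 'DISALLOW_FILE_EDIT', true ); // no theme/plugin editor inside wp-admin
define( 'WP_DEBUG', false );          // never surface stack traces in production

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

Provision `wp-secrets.php` from your secret store at deploy time, owned by the PHP user with mode 0400, and hand new developers a copy of that file rather than the stub. WordPress itself will also look for `wp-config.php` one directory above the install when the file is absent from the web root, but the stub approach above keeps the check explicit and lets you fail closed on bad permissions or unreplaced salts.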
If you’d like to take things even further, check out the official WordPress hardening guide for more tips! Again, the WordPress development community has thought a lot about security. So be sure to follow this guide to the extent your organization wishes to go.
Continue reading 5 Easy Strategies to Make WordPress Enterprise-ready in 2021 on SitePoint.