WordPress is easily the world’s most popular content management system. It is used by more than 75 million websites, with 22% of new U.S. registered domains installing WordPress. That’s why it comes as a surprise to many that WordPress is not considered a well-coded application by some programmers.
WordPress is often criticised for using outdated coding practices, mixing coding styles, and being open to vulnerabilities from both themes are plugins. It is also criticised because it uses PHP — a coding language that has its own set of issues. But are these criticisms valid? In this article, we’ll take a closer look at the risks associated with poor coding and see if WordPress is actually safe to use.
What is considered poor coding?
Most programmers adhere to certain standards when they code software applications. These standards are designed to ensure the application is easy to maintain, secure and performs well.
Unfortunately, some programmers are less skilled, lazy, inattentive, or working to a tight deadline — which leads to mistakes in their code. Some of these mistakes increase the risk of a vulnerability which can be exploited by hackers. The most common poor coding practices include:
Not formatting code well
Good programmers will format their code in a way that is easy to read. They also maintain a widely-used formatting standard throughout their work, so other programmers can understand it easily and write code in the same style. The poor use of formatting is considered poor coding because it makes code harder to maintain.
Typos in code
Programmers are only human and sometimes misspell variable or function names. This simple error can completely stop an application working or create a vulnerability which can be exploited.
Not using modularising code
Modularised code separates the logic of the program into classes and functions. It makes it easier to understand the application’s logic and shortens individual files. Poor coding would be large sections of code containing loops, numerous “if” statements and confusing sections of code. Non-modularised code becomes more difficult to maintain, which leads to more vulnerabilities.
Poor handling of user input
Good programmers will be very careful about how they process and store the data given to the application by users. That’s because user data is often a source of cyber attacks including SQL injections and Cross-site Scripting (XSS). Poor coding practices won’t handle user data appropriately, adding vulnerabilities to the application.
Insufficient data protection
Poor coding includes practices like hard-coding passwords into files and not using encryption correctly. These practices make the application’s data more vulnerable to hacking.
Ideally, applications will log significant events that occur, including users logging in and database transactions. Poor coding practices do not include logging, making it much more difficult to track hacking attempts or vulnerabilities.
Poor error handling
Poor coding practices will reveal error information that is useful to hackers. Errors should be handled gracefully and in a way that minimises application exposure.
How is poor coding dangerous?
According to the Software Engineering Institute, 90 percent of all reported security incidents occur as a result of exploits and defects in the design or code of the software. Many of these defects have occurred as a result of poor coding practices.
According to HP Security Research’s 2015 Cyber Risk Report 2015: “The primary causes of commonly exploited software vulnerabilities are consistently defects, bugs, and logic flaws. Security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors.”
It is clear that poor coding practices can create vulnerabilities in your website that can be exploited by cyber criminals — but what about WordPress?
How is WordPress poorly coded?
WordPress’s naming conventions are strange
One of the most common criticisms of WordPress is its unusual and irregular variable and function names. For example, there is a
get_the_content() function that returns blog post data and the_content() function that prints blog post data. But strangely, the
get_permalink() returns data — when you would expect that function to be called
get_the_permalink() if naming was consistent. It highlights the lack of attention and legacy mistakes present in the WordPress core.
WordPress is missing some very basic features
WordPress is a very flexible CMS that can be used for everything from powerful eCommerce stores through to simple blogs. However, the most useful features found in WordPress applications are typically achieved through the use of plugins and customised themes. The core application is also missing some basic functionality compared to other apps.
One piece of functionality that is missing is advanced caching. Users are forced to install third-party plugins to obtain memory caching, disk caching, and file minification.
Requiring users to install third-party software for what is a core feature in other content management systems is unusual. It also increases the risk of vulnerabilities because most plugins are coded by people not employed by WordPress and tend to have less oversight compared to the WordPress core.
WordPress uses some old coding techniques
Third party plugins and themes are a source of concern
Because WordPress users are often forced to install third-party plugins to obtain certain functionality, they are more likely to be exposed to poor coding. The low coding standards in some user-submitted code clearly demonstrated by the high number of vulnerabilities found in plugins.
There are reports saying that of 3,972 known WordPress vulnerabilities, 52% we from WordPress plugins, 37% from the WordPress core, and 11% from WordPress themes. Many plugins are vulnerable to file inclusion exploits and SQL injections. Unfortunately, some plugins stay in an insecure state for months or years before being patched.
Should you still use WordPress?
Despite the issues with the WordPress core, third-party plugins, and third-party themes, WordPress remains one of the safest content management systems around. Because it is an open source project, there are thousands of developers and contributors around the world looking for bugs and vulnerabilities in the code base.
The WordPress development team is very proactive when it comes to identifying and repairing bugs and vulnerabilities in the WordPress core. They have also written extensively about their approach to securing WordPress and are very fast when it comes to patching security issues.
They are continually hardening the application to address common security concerns, including the ones listed by the Open Web Application Security Project (OWASP). These issues include brute force attacks, file injection, and SQL injection.
WordPress users can also harden their own installation by:
- Installing 2-factor authentication
- Limiting the number of plugins they use
- Only using plugins from trusted sources
- Picking strong passwords
- Installing security plugins and malware scanning plugins
- Keeping the application updated
- Setting correct file and folder permissions
- Removing unused files like inactive plugins and themes
- Disabling trackbacks
- Securing the website at the server level
For more WordPress security articles, subscribe to the blog or follow us on social media.