WordPress as a CMS – Part 1

As WordPress approaches the big 3.0, more and more people are recognising that WordPress can be a very powerful CMS (Content Management System).
Clients approach Point and Stare because we are recognised as prolific WordPress developers, having created many bespoke WordPress-as-a-CMS projects.

In this short series we will explain our approach, feature tips and tricks and, finally, release our own, stripped down, free WordPress theme enabling anyone to set up WordPress as a CMS in one tidy package.

Although you will be taken through some easy to follow steps, this guide is far from the final word and in quite a few cases there are many ways to do what is outlined below. These are simply either the way we choose to carry out the task or just a simple solution.

We advise against editing core files if possible and of course cannot take any responsibility for any damage, problems or loss caused by the use of any details within this article.
BEFORE YOU MAKE ANY CHANGES TO ANY FILE – BACK-UP
It’s your website and therefore your responsibility.

Step 1, Security:
It’s very easy to spot a WordPress-based website. A lot of installs stick with the default Kubrick theme, but even when free, premium or bespoke WordPress themes are used there are still tell-tale signs.

Instantly this gives the game away to would-be hackers but there are ways to reduce the possibilities.

4 tips to secure your WordPress install
1, Check the footer – does it say “Powered by WordPress”?
Using one of the literally thousands of free WordPress themes available is one of the many advantages of choosing WordPress, but check the license – can you remove the ‘Powered by’ line? Probably not.
If you purchase a Premium WordPress theme, again, check the license.
Better still, if you can, create your own bespoke WordPress theme.

2, View source and check for wp-content in the code
Everyone who knows WordPress knows that the essential elements are housed in the wp-content folder. The easy thing to do is simply to rename the folder, but be aware that some plugins reference the wp-content folder, so you might have to edit those as well.

If you do choose to rename the wp-content folder, make sure you update the wp-settings.php file:
– Open wp-settings.php in a text editor
– Search/replace wp-content with the new folder name
– Upload the changed file

3, Does the header code contain 'meta name="generator" content="WordPress …'?
Assuming you have the latest version, this isn’t such a bad thing to announce, but if you haven’t upgraded for a while this can leave you open to many attacks, especially if you are stuck on WordPress 2.8.3.

Some things that we suggest that you can do:
– Depending on your theme you can either edit the line out of header.php or, if it’s included as part of the wp_head() hook, edit general-template.php (a core file)

– Add the following to your theme’s functions.php
// Stop WordPress printing the generator meta tag through the wp_head hook
if (function_exists('wp_generator')) {
    remove_action('wp_head', 'wp_generator');
}

– Install and activate the JR Remove Generator Metatag plugin

4, Who’s the Admin?
Easiest way to hack into the admin is … well … log in as admin.
As soon as the install is set up:
– Login as admin
– Add a new user with a unique password and make this user ‘administrator’
– Log out
– Log in as the new user
– Delete the original ‘admin’
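
To confirm that the changes in tips 1 to 3 have taken effect, the rendered source of your own pages can be checked for the same three signs. The script below is an added example, not code from Point and Stare or from WordPress; the audit_html function and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class _FingerprintParser(HTMLParser):
    """Collects the tell-tale signs from tips 1-3 out of rendered page HTML."""
    def __init__(self):
        super().__init__()
        self.generator = None      # content of <meta name="generator">
        self.wp_content_urls = []  # href/src values that expose wp-content
        self.text = []             # visible text, for the footer credit check

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        for attr in ("href", "src"):
            if "/wp-content/" in a.get(attr, ""):
                self.wp_content_urls.append(a[attr])

    def handle_data(self, data):
        self.text.append(data)

def audit_html(html):
    """Return a dict of findings for one saved page of your own site."""
    p = _FingerprintParser()
    p.feed(html)
    p.close()
    text = " ".join(" ".join(p.text).split())  # collapse whitespace across tags
    version = None
    if p.generator:
        m = re.match(r"WordPress\s+([\d.]+)", p.generator, re.I)
        version = m.group(1) if m else None
    return {
        "powered_by_footer": bool(re.search(r"powered by\s+wordpress", text, re.I)),
        "wp_content_urls": p.wp_content_urls,
        "generator": p.generator,
        "generator_version": version,
    }

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<meta name="generator" content="WordPress 2.8.3" />
<link rel="stylesheet" href="/wp-content/themes/default/style.css" />
</head><body><img src='/wp-content/uploads/logo.png'>
<div id="footer">Proudly powered by <a href="http://wordpress.org/">WordPress</a></div>
</body></html>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE))
```

An empty result for all four keys on a saved copy of your home page means none of the three signs is still visible in that page.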

That’s all for part 1. Now onto WordPress as a CMS – Part 2
