Listen:

Patchstack Weekly #61: Should you use WordPress As a Headless CMS?

Published 28 February 2023
Updated 23 November 2023
Robert Rowley
Author at Patchstack
Table of Contents

Welcome to the Patchstack Weekly Security Update, Episode 61. This is update is for week 9 of 2023.

In last week's knowledge share, I talked about static sites, I mentioned headless CMS being different and a topic for another week. Well, that week has come, and this week's knowledge share is an introduction to headless CMSs and WordPress. I will dive into what a headless CMS is, how WordPress can be used as one, who needs headless, who doesn't, and the security concerns that go along with headless WordPress.

This week's vulnerability roundup includes 4 security bugs with a critical severity score. Two of the four bugs received no patch, but they affected the same plugin. Stay tuned for the vulnerability roundup to find out if you need to update or migrate to protect your sites.

What is a headless CMS?

A headless CMS is a content management system that manages all of its stored data in the back-end, but does not provide any front-end (design) aspects. Headless WordPress, just means a WordPress installation that uses another technology stack to create the front end (but all data is still managed by the WordPress admin panel.)

Headless is Ideal for businesses that want to have one data set (such as products, customers, or content) but display it on multiple applications or different platforms. Such as a website that is also accessible via a mobile application. There could even be a desktop or command line tool built to work with the same back end. The power of headless CMSs is in its ability to have multiple front-ends all managed through a single back end.

Who needs a headless WordPress?

If you are a site owner currently using WordPress for your business, and you do not want to change your workflow or migrate your data to a new back-end. But if you do want to offer the same service using another platform, then headless WordPress may be for you. You could even consider keeping the existing website's front end (generated by WordPress) but using the same back-end data on another platform (like a mobile app.)

For front-end application developers (web, mobile, desktop, etc..) if you know how to work with the WordPress API endpoints then you can provide your services to WordPress site owners. Offer them a mobile app, maybe a CLI tool for efficiency, or offer an awesome unique website design that pulls data from their existing WordPress back end.

Who doesn't need headless WordPress?

If you do not already use WordPress for your website, then there are many back-end options out there to work with for headless design. They are simpler and designed to work with existing frameworks. So, if you're starting from scratch, it is probably best to build your headless app without the WordPress part.

WordPress itself already includes a front-end constructor, the themes. If you are happy with how your site looks with existing themes AND there is no need for the same data to be accessible on other platforms. Then headless WordPress is not for you, just stick with stock WordPress (or consider a static WordPress site if that is an option.)

The big hurdle with headless WordPress

There is one big caveat before you can migrate to a headless WordPress site. Not all WordPress plugins expose their functionality via an API. Since the front-end developer needs to use API endpoints to interact with the back-end, features without API endpoints will not work. This can be worked around by looking for a replacement plugin (that has API endpoints the front-end developer can use) or a code refactor of the plugin (adding APIs) or simply deciding what is more important: the feature the plugin offers or going headless.

Headless WordPress still requires security

While many people say headless WordPress is more secure, there is only a sliver of truth in that statement. It is true headless is more resilient against some attacks, it is superbly effective at confusing botnets and helps avoid performance issues. But, the back end for the WordPress website will still be web accessible and discoverable, therefore it needs to be secured.

All of the same security practices still apply Backups, Updates, vPatches, Secure Passwords (2FA on admin accounts), etc… and so on. I'll say it again, Headless WordPress still needs security.

Vulnerability roundup

videowhisper-live-streaming-integration - Unauthenticated RCE

The developers for the VideoWhisper Live Streaming integration plugin released a patch for a critical security bug found in their plugin. This bug could have led to arbitrary code execution by attackers, but it has been patched, so site owners need to make sure they have updated their installation.

houzez-login-register - Privilege Escalation

The developers of the premium plugin/theme houzez login register (available on ThemeForest) have released a patch to address a bug that could allow attackers to create high privilege accounts. Site owners should double check that they have updated this plugin as it is a premium plugin, and updates sometimes need to be manually applied.

[UPDATE 2023-02-27: Patchstack has detected this vulnerability in houzez theme as being actively exploited. Site owners are encouraged to update immediately.]

zendrop-dropshipping-and-fulfillment - Unauthenticated File Upload

zendrop-dropshipping-and-fulfillment - Unauthenticated SQLi

Finally, the two unpatched vulnerabilities with details released this week affected the same plugin: ZenDrop Global Drop Shipping. This plugin was closed on February 24th likely due to these issues.

The vendor for zendrop dropshipping and fulfillment plugin was notified on October 5th, 2022 regarding these two critical security bugs in their code. It has been over 4 months, almost 5 now, and we have to disclose these vulnerabilities exist publicly. We do not include any details which attackers could use to weaponize an attack, but this notification will help site owners be notified about the risk so they can take action to secure their sites as soon as possible.

Thanks and appreciation

This week's thanks goes out to the developers of VideoWhisper Live Streaming Integration (VideoWhisper) and Houzez Login Register (favethemes). Thank you both for providing a timely patch for the security bugs found in your projects. Your users can be assured you are supporting them and protecting their sites.

A special thank you to all the headless and front-end developers out there. Bringing interoperability to a single back-end is complicated work, but when done right it makes for a seamless user experience across platforms.

I will be back next week with more security tips, tricks, opinions and news on the Patchstack Weekly Security Update!

The latest in Patchstack Weekly

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu