[wp-hackers] Wordpress as a CMS with user authentication

Trevor Turk trevorturk at yahoo.com
Wed Sep 14 18:24:03 GMT 2005


I have been using Wordpress as a CMS for a couple of
projects lately, and I would like to share some
feedback with the developers. This is in an effort to
see if there are better/different ways to do the
things I've been doing, and also in the hopes that the
problems I've run into might be brought to attention
for future development. I plan on making this into a
Codex entry, or adding my insights into an existing
entry that could be helpful for people trying to do
something like this.

Basically, I've been using the new Pages feature (is
that considered new anymore?) rather extensively. I'm
using the Posts as a means of keeping the sites fresh,
and they have been mainly little items that the users
are sharing with each other. I’ve also had to restrict
access to the site (it’s being used for bank
documentation) by using some (awesome) plugins.

In order to set up a Wordpress install as a CMS with
access control, I’ve installed the following plugins:

Cookie Timeout (http://www.freemoby.com/)
This shouldn’t be necessary with the new login
checkbox in 1.6

Fold Page List (http://webspaceworks.com/)
This is a great plugin, and I would LOVE to see the
“folding” feature added to wp_list_pages. Once you get
into using a lot of pages on a site, requests to do
this “folding” come pretty quickly.

Force SSL
(http://codex.wordpress.org/Administration_Over_SSL)
This is a little plugin I made and posted on the Codex
that forces an SSL connection. If you have an SSL
certificate, then this ensures it is being used on the
front-end, and on the admin side. The plugins_loaded
hook is super-sweet. In order to do this properly,
I’ve changed the Wordpress and Site URIs to “https”.
However, this change does not appear to be reflected
when uploading images, which means that the image link
generated after the upload is complete needs to have
the “s” added to the “http” in the link. If you have
non-https images in an https page, IE throws up these
lame error messages.

Include Page (http://beetle.cbtlsl.com)
This is something I use almost every time I make a
Wordpress site. It allows you to include the contents
of a certain page on the front page (or any page, for
that matter). This lets the user edit the contents via
the admin interface like any other page (as opposed to
getting into the theme editor). Although this isn’t
the place to do it, I’d like to suggest that this sort
of thing be made easier. What I envision would be a
new kind of “post” type, called a “piece” or something
like that. These chunks of content would be held aside
from regular Posts/Pages, and could be included
anywhere in a template with some user-friendly tag.
This would be nice for “about” text chunks, home page
content, etc. It would also be used for keeping
“notes”, like Chris J Davis’ CJD Notes plugin. Anyway,
I know this isn’t the spot for such a big item, but I
think it’s worth mentioning.

Last Modified (http://mtdewvirus.com/)
With Pages, I believe that the last modification date
is much more commonly used than a creation date. This
might be a nice function to add to the core.

Registered Only (http://blog.carthik.net/)
This is the starting point for restricting access to your
site. Basically, it checks to see if you're logged in,
and then redirects you to the login page if you
aren’t. Along with installing this plugin, I have
disabled the ability for users to register themselves.
Quick feature request, the text on top of the Add User
section should clarify whether or not you have
self-registration enabled. Right now, it always says
that users can register themselves, which is throwing
people off. Also, having a link to the relevant option
would be nice. I have also set the number of feed
items to be syndicated to 0, which seems to “disable”
the feeds, and increases security. Additionally, I’ve
made some changes to the wp-login page. I’ll get back
to this separately, because I think this is worth
addressing on its own.

Search Pages
(http://randomfrequency.net/wordpress/search-pages/)
This plugin adds Pages to the search. This is
important when you’re mainly using Pages, instead of
Posts.

Wordpress Database Backup (http://www.skippy.net/)
What can I say? Sweet plugin.

x-Dashboard (http://wp-plugins.net/index.php?id=225)
Users at the bank using Wordpress as a CMS just don’t
need to see the standard Dashboard content and feeds.
I would love to see some way to customize the
Dashboard built into the core, but this serves the
purpose for now.

That’s it for plugins. I ALMOST made it without
modifying any core files, due to the plugin and theme
systems being so amazingly amazing. However, there was
one core file I can’t see how to get around modifying
directly – wp-login.php.

The wp-login page probably wasn’t added to the theme
system for security reasons, I’m guessing. Anyway,
there are two things that I needed to modify, and I
would like to see a way to change these things via an
option in the admin menu, or a plugin. The first thing
is the redirection. Now, when a user logs in, they are
redirected to the wp-admin interface. This makes sense
generally, but not when you are requiring users to be
logged in via the Wordpress users system in order to
access the site.

So, the first option I would like to see is a choice
of where to redirect on login, between wp-admin, and
your blog home page. Secondly, and this is more clear,
I would like to see a way to change the logo from the
Wordpress logo to something else. Ah, and another one
was removing the “back to blog” link. All of this
makes sense when you consider that the wp-login page
is the first thing a user sees, and (in this case) the
“back to blog” link just redirects you back to the
login page (also, I’m trying to push Wordpress as more
of a CMS than a blog).

The easiest (?) solution here would be to add wp-login
to the theme system, but if that isn’t possible,
allowing some configurability would avoid the need to
modify core files, which, I believe, is a worthy aim.
I would love to see the Registered Only plugin added
as a core feature, and I believe that (in conjunction
with these improvements to the wp-login page) we would
see a real increase in the number of people using
Wordpress as a CMS for sites that require user
authentication.

Finally (and this is a smaller issue), I’m confused
with the Add New User area on the users.php page. Why
is the first field “nickname” rather than “username”,
and how does the username get generated (if nickname
and username aren’t the same thing)?

I apologize for the REALLY long message here. I think
that a lot of the issues I’m dealing with here seem
small, but they do add up. And I might be a little
ahead of the game in trying to use Wordpress as a CMS
with authentication, but you’d be amazed at the
positive responses I have been getting. I can’t wait
to drop in the 1.6 upgrade and suddenly have WYSIWYG
included by default!

I don’t know if I should try to report these issues as
feature requests or something else, but I’m hoping to
spark a discussion of the ways in which Wordpress can
be used as a rather full-featured CMS, and to make
using it as such even easier and more natural than it
is already.

Thanks so much to the developers and hackers in the
Wordpress community.

- Trevor
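
An added example, not part of the original message or of any plugin it mentions: a check for the mixed-content problem described under Force SSL, where uploaded images get "http" links on a site served over "https". The host name, paths and sample post body are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tags whose URL attribute is fetched while rendering the page.
# Hyperlinks in <a href> are navigation, not mixed content.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src",
                     "iframe": "src", "embed": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (tag, url, suggested https URL or None)

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        url = (dict(attrs).get(attr) or "").strip()
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            return  # https, relative and protocol-relative URLs are fine
        if (parts.hostname or "").lower() == self.site_host:
            # Same site: the "s" can simply be added, as the message describes.
            fix = urlunsplit(("https",) + tuple(parts[1:]))
        else:
            fix = None  # other host: confirm it serves HTTPS before rewriting
        self.findings.append((tag, url, fix))

def find_mixed_content(html, site_host):
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed post body for a site assumed to be served at https://cms.example.test
SAMPLE = """
<p>Updated procedure:</p>
<img src="http://cms.example.test/wp-content/procedure.png" alt="flow">
<img src="https://cms.example.test/wp-content/logo.png">
<img src="/wp-content/relative.png">
<a href="http://cms.example.test/about/">About</a>
<script src="http://cdn.example.net/lib.js"></script>
"""

if __name__ == "__main__":
    for tag, url, fix in find_mixed_content(SAMPLE, "cms.example.test"):
        print(f"<{tag}> {url} -> {fix or 'review manually'}")
```

Run over exported post and page content, this lists every insecure subresource that would trigger the browser warning, with a ready rewrite for same-site uploads.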

