Custom code / Code hacks

Protection Requirement:



>Review use of custom code / code hacks on your website.

Custom coding can introduce multiple security concerns.

Be aware of the security concerns and review your current site for any custom coding or hacks.

There are times when there is just nothing out there that does exactly what we need, and this is when custom coding or code hacks can provide a solution or a workaround.

Custom coding is fine as long as it's done in accordance with the following:

  • you need to find a coder you can trust
  • the code must be well written
  • the code should be responsive
  • the code must be well documented
  • the code must not interfere with the upgrade path for WordPress or any plugins

You need to find a coder you can trust

The person writing your custom code or hack will have full access to your system and the opportunity to create any number of back doors or insert malicious code.

An unethical coder may get the job by quoting a lower price but then create code that makes you reliant on them for any future maintenance, creating a situation where they may charge exorbitant fees, effectively holding your website to ransom.

You need to work with highly ethical professionals. The best way to find one is by public reputation (forums and other places with genuine reviews) or word of mouth referral.

The code must be well written

Finding a coder you can trust is only the first step. You also need to find a competent programmer that understands and follows best practices for writing code.

Badly written code will not work efficiently, may crash the website and can cause data corruption. In addition to this, badly written code can introduce serious security vulnerabilities.

Again, the best way to find one is by public reputation (forums and other places with genuine reviews) or word of mouth referral.

The code needs to be responsive

Your website needs to be responsive (mobile friendly). If it's not, then this is something you need to address from an online visibility perspective.

Assuming your website is responsive, any modified code introduces the possibility of breaking the responsive functionality. Coders tend to work with larger screens where everything may look fine to them, but they might not be aware of the impact of changes on smaller screens.

Discuss the need for changes to be responsive with your coder, and check the website on a mobile device or online mobile emulator. I have a free mobile emulator on my website here:

The code must be well documented

Many coders are happy to produce the code but getting them to document what the code does can be like trying to extract teeth.

There are two types of documentation you should have for your custom code. At the code level, commenting explains to any maintenance programmer what each piece of code does.

At a higher level, the custom coding needs to be documented with a description of what it does, where it is located and any dependencies, along with any other important information.

The extent of documentation will depend on the size and type of custom coding job. For larger projects I will create a private wiki for the website. Smaller size jobs require less documentation.

The custom code should not interfere with upgrade path for WordPress or any plugins

When WordPress system files or plugins are directly modified this will impact on the upgrade path. Any future updates will overwrite the code modifications. This is another situation where documentation is critical.

If the custom coding is substantial (more than a few lines here and there) then the best approach is to place the code in a separate file and include or call it as a function, rather than radically modifying the original code.

Many theme providers now use the parent / child model which allows you to place any modified files into the child theme allowing you to upgrade the parent. If the upgrade has made changes to the file you modified, then you may need to apply the code modifications to the new version of the file and replace the old modified file. I love the parent / child model and it is something I consider when looking for a theme.
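One way to review a site for direct modifications that an upgrade would overwrite, shown as an added example that is not part of the original article: compare an installed plugin, theme or core directory against a pristine copy of the same release. The function name `audit_tree` and the sample plugin files are hypothetical, and the script assumes you have unpacked the matching release from its official source into a separate directory.

```shell
#!/bin/sh
# Added example (not from the original article): report files in an installed
# plugin, theme or core tree that differ from a pristine copy of the same release.
# Paths containing newlines are not supported.

# audit_tree PRISTINE_DIR INSTALLED_DIR
#   MODIFIED <path>  content differs from the pristine copy (lost on upgrade)
#   ADDED    <path>  file exists only in the installed tree
#   MISSING  <path>  file exists only in the pristine tree
audit_tree() {
    pristine=${1%/}
    installed=${2%/}
    if [ ! -d "$pristine" ] || [ ! -d "$installed" ]; then
        echo "usage: audit_tree PRISTINE_DIR INSTALLED_DIR" >&2
        return 2
    fi
    # Walk the installed tree; cmp -s compares bytes without printing anything.
    (cd "$installed" && find . -type f | LC_ALL=C sort) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$pristine/$rel" ]; then
            echo "ADDED $rel"
        elif ! cmp -s "$pristine/$rel" "$installed/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
    # Walk the pristine tree to catch files deleted from the installed copy.
    (cd "$pristine" && find . -type f | LC_ALL=C sort) | while IFS= read -r rel; do
        rel=${rel#./}
        [ -f "$installed/$rel" ] || echo "MISSING $rel"
    done
}

# Constructed sample: a made-up plugin with one edited file and one extra file.
audit_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/pristine/includes" "$tmp/installed/includes"
    printf '<?php // release code\n' > "$tmp/pristine/example-plugin.php"
    printf '<?php // release code\n// quick fix\n' > "$tmp/installed/example-plugin.php"
    printf '<?php // helper\n' > "$tmp/pristine/includes/helper.php"
    cp "$tmp/pristine/includes/helper.php" "$tmp/installed/includes/helper.php"
    printf '<?php // custom\n' > "$tmp/installed/includes/custom-report.php"
    audit_tree "$tmp/pristine" "$tmp/installed"
    rm -rf "$tmp"
}

audit_demo
```

Every MODIFIED or ADDED line is a change that needs to be documented and, where possible, moved into a separate file or child theme. For releases hosted on WordPress.org, WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums` perform a similar comparison against published checksums.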

My own experience

I actually have lots of experience with all of the above but at the time of writing this I am working on a site where almost all the above rules were broken. The only exception being responsive design as the site was old. An associate of mine was contracted to design a new responsive theme for them. I was called in when they discovered the website was an absolute mess. In addition to many other issues there was a major custom coded plugin the site owner had contracted a developer to create. Getting this to work with the new theme proved challenging.

They had no contact with the developer who they said had ripped them off. The plugin was not documented and after many hours I had determined that part of the code was a plugin, part of the code was in custom templates and the remainder was in its own file system along with its own database. The code used absolute URL addressing (the links were all hard coded) instead of relative, meaning I had to make about 100 individual edits over multiple files to change URLs.

From the website owner's perspective it was just a simple job to change the theme of his site, but doing so opened a can of worms that was waiting like a ticking time bomb.

Following the above five guidelines will help ensure you do not have to face this type of nightmare scenario.


If you need help implementing this and other security measures then Virtual Webmaster Services can help. Visit Virtual Webmaster Services