Website security can be scary business. Regardless if you have a small marketing site or a large ecommerce platform, security should always be taken seriously. The primary goal of website and application security should focus on reducing risk. Completely eliminating risk is impossible: new vulnerabilities are discovered (or exploited/created) frequently.
WordPress is a technology that can sometimes get a bad rap for not being secure enough. There’s unfortunately some misconception that software that’s Open Source is inherently insecure. However, there’s a lot more to it than that.
When it comes to hacking for nefarious purposes, most bad guys want to be efficient. Many years ago, Macs were considered virus-proof compared with PCs in large part because PCs had a higher market share. While Macs have other reasons that give them better security, the abundance of PCs made those machines a greater target for attacks.
WordPress is currently powering almost 30% of the web. This unfortunately gives bad guys a wide platform for spreading spam and malware, the primary reason WordPress sites are targeted. Malware and viruses will always be an issue for popular software and devices specifically because of their widespread usage. Having a team of responsible developers to track and resolve vulnerabilities helps immensely, which brings up the next point...
“This works, don’t touch it” is a sentence I dread hearing. It suggests someone at some point experimented until they could get the exact functionality they wanted and now refuses to have to go back to make changes, come hell or high water.
By ignoring or refusing to update your core software, plugins, or functionality over time, you’re increasing your risk of security issues. This is true of any technology platform as evidenced by Equifax’s failure to update Apache Struts web-application software, which led to a hack that is currently affecting millions of people’s most personal data.
Although it’s open source, WordPress still has a core team that plans, reviews and deploys minor and major updates to the core code, including security updates. They even introduced Automatic Updates in version 3.7 of WordPress to increase the collective security of WordPress sites. If you or someone else has done a lot of custom development, it’s still a good idea to test locally first. However, patches for security generally have a low chance of affecting your site (unless you tinkered with Core WordPress files, which is bad anyway).
I love Bob from Accounting. We’re good friends. But does he really need to have an administrator role in the WordPress admin? With the principle of least privilege, you make a system more secure by only granting access to those who need it.
Let’s go back to Bob. His role on our website is adding articles and scheduling them. Should he be able to add new plugins with his account, or upload to a directory on the server instead of through the WordPress Media Manager? Nope. By restricting Bob’s access to only what he needs to do his job, we prevent possible security issues that could arise if Bob’s user account was compromised. This is even more important if Bob’s the type to use a bad password.
The principle of least privilege can apply to programs and functions as well. If a developer is building a template that displays all of the available entries of a specific post type, all it should do is get those posts and display them. If it’s also able to add or delete them, it just adds to the possible risks.
Knowledge is one of the best preventative measures for security. What version is the site’s software? Who has access? When did the last deployment of custom code occur? The better the documentation for changes and functionality to your system, the faster a developer or customer service rep can assist if a security issue does arise.
In general, if you choose a content management system that has robust documentation and an active community of contributors, concerns regarding security tend to be found, patched, and released in a timely manner. Solid documentation that warns of coding methods that could create a security risk also give responsible developers a heads-up while building. WordPress’s Codex contains numerous examples and details to the functions built for it, makes a point to detail which methods are best and which to avoid, and includes an overall security hardening section.
Documentation and organization from developers that built a site’s custom functionality or plugin is also a major factor for site security. Maybe it’s an explanation of what a function’s purpose is, where to find a specific file template, or simply organizing the site’s file directories in a manner that makes sense. Any method that reduces the amount of time to find and correct security concerns when they arise is a blessing for the person working to patch the issue.
This is just a small sample of considerations when it comes to security. Whatever your web presence, correcting security issues before they cause harm to your customers, or the web in general, should be a high priority.
Are you looking for a secure website for your business, but need a little help getting there? Contact us today for help from our experienced WordPress developers!
Ed Morrissey, Partner and Chief Creative Officer of Integrity, will lead a breakout session at the upcoming ScalePoint on AI Conference hosted by TechSTL.
Integrity is excited to welcome Evan Kelly as our newest Technical SEO Consultant.