As the CMS software used by over a quarter of the web and growing, and with an open source development legacy reaching back well over a decade, it’s no wonder WordPress application and data security is a topic we’re often asked about.
Any platform, open source or proprietary, becomes a potential vulnerability when not managed responsibly. Thanks to its transparency and the strength of its ecosystem, WordPress as an application is itself reliable, secure, and supported. Running it safely within an enterprise IT environment involves the discipline that keeps any enterprise software secure and performant – things like user access safety, application maintenance, and coding standards. Part of our value as a managed platform is in taking care of so many of those elements on behalf of our customers.
We’re happy to pass along some of the key security tenets and related approaches we employ in safeguarding enterprise WordPress applications for our clients.
- Staying up to date
- Managing your customizations
- User account safety
- External audits
Always run the latest version of WordPress
The easiest way to keep your WordPress install up to date is to enable automatic updates. Depending on your needs, automatic updates can be configured to cover all major and minor (security and maintenance) updates, or just minor updates.
If you prefer to manage your own updates to the core platform you can stay up to date on new releases by following the WordPress core announcement lists. For those major and minor WordPress releases, read the release notes and develop a testing plan to make sure everything is working as expected in a test environment before you deploy to your production environments.
Be sure to give your development and editorial teams a set window for testing, and then commit to deploying the release as soon as possible. Major WordPress releases will come with weeks of lead time (including betas and release candidates) for testing prior to release. Minor WordPress releases are typically much smaller in scope and address specific concerns, and should not be delayed in their release.
VIP handles all of this on behalf of our clients, including testing recommendations, staging environment support, and testing windows with required cutover dates. Read about all of our platform support services.
Manage your customization of WordPress
One of WordPress’ strengths is in the freedom it provides users to customize their applications specifically to their needs. This customization typically comes via existing community Plugins and Themes or through your own custom Plugins and Themes.
With this freedom comes the need to tailor its use to your organization’s needs. By default, WordPress supports management of Plugins and Themes via the WordPress administration. There are scenarios where this is incredibly helpful for WordPress users, but we also realize that this is incongruent with the development workflows and policies of other users. As a result, VIP has adopted processes to help ensure the security and stability of the applications we manage.
- By default, disable the ability to install and modify themes and plugins via the WordPress administration.
- Store all of a site’s customizations via Themes and Plugins in a source repository which is separate from the core WordPress installation. Code changes should only be possible via that repository.
- Only allow the authorized developers who are empowered to ship code to have write access to that repository and also keep a limit on read access to those who need it.
- Enforce coding standards on your customizations to ensure the upgrade path for WordPress is protected and your applications remain secure and performant.
On the VIP platform, the only way to deploy code is through a managed flow within GitHub that’s only accessible by authorized developers, and all changes go through our timely expert review prior to their deployment. Read more on our GitHub-based code review.
Keep your users secure
A key component to managing the security of your WordPress applications is managing the security of the users with access to WordPress’ administration. We have a comprehensive list of things we recommend for individual users, but some highlights include:
- WordPress’ user system includes the concept of Roles and Capabilities. This gives you as the site owner control over what users can and cannot do within your application. A key consideration is who belongs to the Administrator role as this role can change key settings. For even more finely tuned control of permissions, there is great flexibility and granularity through use of custom roles and capabilities.
- Enable Two-Factor Authentication. For VIP, we require that users on our platform have this enabled in order to access admin functionality.
- In addition to Two-Factor authentication, be sure to use strong, unique passwords for logins.
- Ensure that at a minimum your WordPress admin traffic is over SSL and ideally, the entire application.
- Leverage a corporate SSO. We support SAML-based SSO for access to the WordPress administration, which streamlines access control and typically comes with the additional features such as Two-Factor Authentication directly from that organization.
- Monitor for suspicious login activity. Our security tools at VIP automatically block malicious IP addresses and other attacks before they reach your site.
While more a best practice than a must-have, independent verification of the security of applications is something we consistently engage in for applications we support. A common approach we see is through bug bounty programs such as HackerOne and Bugcrowd. These programs provide a method for individuals to securely disclose security issues with applications as well as a way to reward those who identify these issues.
Specifically at Automattic, we operate a bug bounty program via HackerOne in addition to our work with a number of independent auditors and certifications.