WordPress: Victim or Maligned?

We often get questioned about WordPress security and whether or not WordPress is a true enterprise-level content management system. We believe it is; that’s why WordPress is our go-to platform of choice when building many of the web applications we deliver for our customers.

WordPress is by some distance the most popular open-source platform on the Internet, and it does therefore have security issues; but that’s no different from many other systems. What sets WordPress apart is simply the scale of the opportunity it presents to an attacker.

All installs are not created equal

With many millions of installs, WordPress presents a huge number of opportunities for things to go wrong. The sheer weight of statistics means that there are bound to be many WordPress installs that have fallen behind the patch curve and are running with older versions of WordPress itself or one of the many thousands of plugins that are available. If you were wanting to find web servers to ‘attack’ then those running WordPress would seem to present you with the most opportunities for success.

All hosts are not created equal

As we are often told, security is a many-layered thing, and it’s not just the application platform (WordPress) that can be vulnerable. The host web server runs an operating system and lives in a network; both present further opportunities for vulnerabilities to creep in and for consequent compromise.

Oh The Plugins

One of WordPress’s many strengths is the huge number of plugins that can be used to extend the functionality of the system. However, many of the highest-profile attacks on WordPress servers have been the result of vulnerabilities in one or more of these plugins. Most recently, WooCommerce, the most popular ecommerce plugin, was found to be vulnerable to a SQL injection attack. Woo Themes fixed the plugin within a matter of hours of the vulnerability being discovered.

Them Developers!

Developers will be developers: they just want the thing to work and may not be aware of the security implications they introduce by coding only for the expected inputs. They should know how to prevent what are now well-understood standard risks such as SQL injection, by using PDO, WPDB’s prepared statements or some other data-access layer that parameterises or escapes SQL values itself. Beyond that, they should also adopt a truly defensive approach to code, so that unexpected inputs and results are handled safely.
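To make the WPDB point concrete, here is an added illustration (not code from the article, from WooCommerce or from WordPress core) of the same lookup written twice against a hypothetical plugin table `{prefix}demo_orders`: once with the request value concatenated into the SQL, and once with an allow-list check plus `$wpdb->prepare()`.

```php
<?php
// Added illustration for a hypothetical plugin table `{prefix}demo_orders`.
// The status value is assumed to arrive from a request parameter.

// BEFORE: the value is dropped straight into the SQL string. A quote character
// in $status ends the string literal, and whatever follows it is parsed as SQL.
// This is the pattern that turns a request parameter into a SQL injection.
function demo_orders_by_status_unsafe( $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_orders';
    return $wpdb->get_results(
        "SELECT id, total FROM {$table} WHERE status = '{$status}' LIMIT 50"
    );
}

// AFTER: the value is bound through $wpdb->prepare(), so the database driver
// treats it as data rather than as part of the statement. Identifiers (the
// table name) never come from the request, only the placeholder values do.
function demo_orders_by_status_safe( $status, $limit = 50 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_orders';

    // Validate against an allow-list first: reject anything that is not a
    // known status instead of trying to "clean" arbitrary input.
    $allowed = array( 'pending', 'processing', 'completed', 'refunded' );
    if ( ! in_array( $status, $allowed, true ) ) {
        return new WP_Error( 'invalid_status', 'Unknown order status.' );
    }

    $sql = $wpdb->prepare(
        "SELECT id, total FROM {$table} WHERE status = %s ORDER BY id DESC LIMIT %d",
        $status,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// Typical call site: unslash and sanitise the raw request value before it
// reaches the query function. Only the safe variant should ever be wired up.
function demo_orders_handler() {
    $status = isset( $_GET['status'] )
        ? sanitize_text_field( wp_unslash( $_GET['status'] ) )
        : '';
    return demo_orders_by_status_safe( $status );
}
```

Note that `sanitize_text_field()` on its own is not a SQL defence; the protection comes from the allow-list and the prepared statement, and the sanitising is just good hygiene for the value before it is used anywhere else.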

Then There’s YOU!

With the best infrastructure things can still go wrong. Weak passwords, careless configurations and unmanaged changes to any system will inevitably lead to weaknesses and vulnerabilities creeping into the system that you run. It may seem a trivial change at the time, or it may start out as a temporary change to overcome an urgent need from a fellow developer, but one day that unmanaged change may combine with something else to create a vulnerability which can be exploited.

Reducing The Opportunity For Compromise

  • Platform As A Service: Use a specialist hosting provider that can provide WordPress as a fully managed platform. We have teamed up with WP Engine to provide what we believe to be the most cost-effective, highly secure and performant WordPress hosting service available.
  • Manage Installs: Managing installs means monitoring and patching everything very regularly. This overhead is significantly reduced by using WP Engine, as all of the core WordPress infrastructure is automatically patched and the support systems such as staging, snapshot creation and backups make the whole process easy, safe and secure.
  • Manage Change: Manage all changes to your install, no matter how small. The change management process need not be complicated and, if integrated with your code development and staging processes, it can be automated.
  • Code in Defence: Code defensive strategies in and control the behaviour of the system and its users. Most importantly, test for the unexpected. There’s little use in testing for all of the expected answers if you forget that real users are unpredictable.
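As an added illustration of the "Code in Defence" point (not code from the article or from any named project), the following registers a REST endpoint for a hypothetical plugin in which authorisation is decided up front, every parameter is validated against what is expected before the callback runs, and the callback still fails closed when the record it is handed is not what it should be. The `demo/v1` namespace, the `demo_order` post type and the `edit_posts` capability are assumptions for the example.

```php
<?php
// Added illustration for a hypothetical plugin; the route name, post type
// and capability are assumed for the example.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/orders/(?P<id>\d+)/note', array(
        'methods'  => 'POST',
        'callback' => 'demo_add_order_note',
        // Authorisation lives here, not inside the callback. Logged-in
        // browser callers must also send a valid X-WP-Nonce header, which
        // WordPress checks before this endpoint is reached.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
            'note' => array(
                'required'          => true,
                // Reject the unexpected: non-strings, blank notes, over-long notes.
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && '' !== trim( $value )
                        && strlen( $value ) <= 500;
                },
                'sanitize_callback' => 'sanitize_textarea_field',
            ),
        ),
    ) );
} );

function demo_add_order_note( WP_REST_Request $request ) {
    $id   = $request->get_param( 'id' );   // already an int via absint()
    $note = $request->get_param( 'note' ); // already sanitised

    // Even after validation, check the state the request depends on: the
    // record must exist and be the type we expect, otherwise fail closed.
    $order = get_post( $id );
    if ( ! $order || 'demo_order' !== $order->post_type ) {
        return new WP_Error( 'not_found', 'No such order.', array( 'status' => 404 ) );
    }

    // Store the note only against this order's own metadata.
    add_post_meta( $id, '_demo_note', $note );
    return rest_ensure_response( array( 'ok' => true, 'id' => $id ) );
}
```

A request with a negative id, a non-numeric id, an empty note or a 2 KB note is rejected by WordPress with a 400 before the callback runs, which is exactly the "test for the unexpected" behaviour the list item asks for.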

Your Next Web Project

Come and talk to us about your next web project and about secure, enterprise quality WordPress hosting from WP Engine.
