April has been a troubling time, security-wise, for a couple of well-known web hosts. Ipstenu wrote a post on the various hacks that took place this month, and I thought it was a well-written piece that explains the variables that needed to line up for those events to occur. I’m not sure if she coined the phrase, but I like her idea that security is a tripod.
* The web host is responsible for making sure the server itself is up to date with the latest patches, and that the server is configured in a safe way.
* Web apps are responsible for not unleashing needless insecurities on the system.
* The end-user: we pray to the Flying Spaghetti Monster that they haven’t done something out of ignorance that violates security.
We’ve also been chatting in the WordPress Tavern forum on whether WordPress should ship with a built-in set of security tools. Based on feedback within the thread, the majority don’t feel that is necessary. When thinking about this topic, it’s important that we try to figure out how far the responsibility of the WordPress codebase goes in terms of security. Should WordPress make sure that the code is secure out of the box, and that’s it? Or should it have built-in mechanisms to protect users in certain use cases? Security only goes so far at the application level and, as has been discussed on the forum, if the server that is hosting a WordPress-powered site becomes compromised, then it’s all over. The one glaring security issue I’d like to see tackled in WordPress is a built-in login lockout system, so that password crackers can’t sit on the WP-Admin login page and try out as many passwords as they want.
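To make the login lockout idea concrete, here is an added example of the mechanism (not code from this post, from Ipstenu, or from WordPress itself): a small policy object that counts failed logins per username and source address inside a sliding window and refuses further attempts for a lockout period once the limit is hit. The threshold and durations are assumed values, the keying on username plus source address is a design choice of this example, and the user table, password hashing and clock are constructed purely so the example runs offline.

```python
"""Minimal failed-login lockout policy. Added illustration, not WordPress code.

Thresholds below are assumptions chosen for the example, not recommendations
drawn from the post."""
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed: failures tolerated inside one window
WINDOW_SECONDS = 600    # assumed: sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # assumed: how long the principal stays locked out


class LoginLockout:
    """Tracks failed attempts and lockouts per (username, source address)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock              # injectable so tests can move time forward
        self._failures = defaultdict(list)  # key -> timestamps of recent failures
        self._locked_until = {}             # key -> time at which the lock expires

    @staticmethod
    def _key(username, source_ip):
        # Keying on both fields means one noisy source cannot lock a legitimate
        # user out from every other address (a denial-of-service trade-off).
        return (username.lower(), source_ip)

    def is_locked(self, username, source_ip):
        key = self._key(username, source_ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:       # lock has expired: clear state and allow
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, username, source_ip):
        """Record one failure; returns True if this failure triggered a lockout."""
        key = self._key(username, source_ip)
        now = self.clock()
        recent = [t for t in self._failures[key] if now - t < self.window]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, username, source_ip):
        # A successful login resets the failure counter for that principal.
        self._failures.pop(self._key(username, source_ip), None)


def hash_password(password):
    # Constructed stand-in so the example is self-contained; a real system uses a
    # salted, slow password hash, not a bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def attempt_login(lockout, users, username, password, source_ip):
    """Return 'locked', 'ok' or 'bad'. The lockout check runs before the password
    is verified, so a locked-out caller learns nothing about the credential."""
    if lockout.is_locked(username, source_ip):
        return "locked"
    stored = users.get(username, "")
    if hmac.compare_digest(stored, hash_password(password)):
        lockout.record_success(username, source_ip)
        return "ok"
    lockout.record_failure(username, source_ip)
    return "bad"


def demo():
    """Walk through the policy with a fake clock; returns the sequence of outcomes."""
    clock = [0.0]
    lockout = LoginLockout(max_failures=3, window=60, lockout=120,
                           clock=lambda: clock[0])
    users = {"admin": hash_password("correct horse")}   # constructed user table
    results = []
    for _ in range(3):                                  # three bad guesses -> lock
        results.append(attempt_login(lockout, users, "admin", "wrong", "10.0.0.1"))
    # Even the right password is refused while locked, from that source only.
    results.append(attempt_login(lockout, users, "admin", "correct horse", "10.0.0.1"))
    results.append(attempt_login(lockout, users, "admin", "correct horse", "10.0.0.2"))
    clock[0] = 121.0                                    # lockout period elapses
    results.append(attempt_login(lockout, users, "admin", "correct horse", "10.0.0.1"))
    return results


if __name__ == "__main__":
    print(demo())
```

Because each PHP request is independent, a real WordPress implementation would have to persist this state server-side (in the database or an object cache) rather than in process memory, and a per-address key only helps when the server sees the real client address rather than a proxy's. The point the example makes is the one from the post: without some counter like this, nothing stops an attacker from trying passwords indefinitely against the login page.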
I think the biggest part of security as it relates to WordPress is using a competent host, especially if it’s shared hosting, because as a customer you can’t configure anything on that server as it relates to security. Therefore, when hosting with them, you are putting your eggs in their basket and hoping they don’t break. What I’ll do is try to put together a guide or questionnaire, with the help of the Tavern community, that you can use on potential web hosts you’re interested in to see if they meet certain requirements for secure hosting.
Keep an eye on the following thread as the responses come in.
Ipstenu’s a she ;) But thank you so much for the link-back :) (and may I say again how invaluable your site is?)
I’ve been using the phrase ‘Tripod of Security’ ever since I was a lowly pimply-faced intern, saddled with the job of cleaning viruses off people’s PCs. If I got it from anyone, it was from the curmudgeon security guru whom I revered as my idol.
And if you’ve read the thread on security, I’m one of those arguing that WP doesn’t need a built-in security feature. I just don’t like the idea of WP taking on more responsibility like that (and I feel it’ll be a detriment, in the end, to what WP is – a good blogging/CMS utility).