
What is the WordPress Team Doing to Keep Your Website Secure?

By: Chris LaFay on April 16, 2018

Some 30.5% of websites use WordPress.  Let that sink in.  Almost one in every three sites you visit on a daily basis is built on WordPress.  That’s a ton.  And WordPress is 100% open source, run by a community of WordPress developers (plus some people from Automattic on company time).  For each release of WordPress, hundreds of Core Contributors (volunteers, for the most part) commit patches and fixes to WordPress core.

With that said, this team has an intense job to do.  They need to make sure that all the Core Contributors are submitting code that actually works.  Once code has been submitted, they run it through tests to validate its quality and to check that it doesn’t open WordPress up to any new vulnerabilities.  They also wrangle their volunteer force and keep them excited about continuing to help, because without the volunteers, WordPress wouldn’t be anywhere near where it is today.

So, how does a cooperative team mixing paid and volunteer workers keep WordPress safe for 30.5% of websites on the web?

What WordPress Does To Keep Your Website Secure

Daily Code Reviews

Every day, the WordPress security team reviews code going into WordPress core.  A team of volunteers internal to the project, backed by automated checks, reviews both the code as it is committed and the current release, so that what ships is as secure as they can make it.

Bug Bounty Program

Who better to tell the WordPress team about bugs than the millions of people who use WordPress every day?  The WordPress security team partnered with HackerOne to run a bug bounty program.  If you find a security vulnerability in WordPress, report it privately through their HackerOne program rather than announcing it publicly.  If it’s a valid security bug, you’ll receive a cash reward from WordPress!

Talking to Other CMS Providers

WordPress is by far the most used content management system out there – however, there are other large CMSs: Drupal and Joomla are the biggest competitors in the space.  The WordPress security team maintains an active conversation with the developers of those platforms so that they can coordinate security releases.

Think about this: say there’s a big hole in PHP (the foundation of most of the popular CMSs).  The issue isn’t WordPress- or Drupal-specific.  In the early stages, the chances of attackers knowing about the hole are relatively slim.  But if one of the major CMS providers releases a patch before the others, the vulnerability is now effectively public: the patch itself shows where the hole is, and attackers will turn on the CMSs that haven’t shipped a fix yet.

Rather than working against one another, the security teams at the major open-source CMSs cooperate when they find an issue in underlying code that affects everyone.  They patch the holes in their own systems, and they time a simultaneous release of the fixes.  This ensures that:

  • Holes in the code aren’t publicly disclosed until a fix is available everywhere
  • Problems are solved more quickly, and fewer sites across the web are affected

Automatic Updates

Before automatic background updates arrived (WordPress 3.7, October 2013), in order to upgrade your WordPress website you had to:

  • Download the new version of WordPress
  • Manually install it on your site, or
  • Push the button to update within WordPress

With WordPress 3.7, that process improved.  The core team added automatic background updates, which push core security and minor releases to your site rather than relying on each site’s developer to pull them down by hand.  This gets the fix onto your site before attackers can take advantage of the vulnerability it closes.  By default only minor and security releases are installed automatically; major releases, plugins and themes still need to be updated deliberately (or opted in to).  Since its introduction, the automatic updater has boasted excellent results for WordPress users:

  • 99.9% clean success: 999,000 out of every 1,000,000 sites upgraded perfectly, without issue
  • 0.001% hard fail: 10 sites in every million where the upgrade didn’t work and broke the site
  • 0.099% soft fail: 990 sites in every million where the updater recognized that the upgrade hadn’t gone well (something broke) and safely reverted to the previous version

What You Can Do to Keep Your WordPress Website Secure

Don’t Have Terrible WordPress Admin Passwords

The biggest reason sites get hacked is weak passwords, so fixing yours is one of the best things you can do to keep everything safe and secure on your site.  We recommend passwords at least 25 characters long, using a mix of uppercase letters, lowercase letters, numbers and symbols, and ideally generated by a password manager rather than chosen by hand.  The less “guessable” the password is, the better.

The goal is that if attackers want to get into your website, they are forced into the most time-intensive method there is: brute force, trying every possible combination of characters until they hit the right one.  Using all four character classes above (94 printable characters) in even a 12-character password gives 94^12 = 475,920,314,814,253,376,475,136 possibilities for attackers to get through.  If they could guess 2 billion passwords per second, it would still take them up to 7.5 million years to find yours.  Two caveats: that guessing rate only applies to an offline attack against a stolen copy of your password hash (guessing against the login form over the network is vastly slower, although WordPress core doesn’t limit login attempts on its own, so a rate-limiting plugin or two-factor authentication is worth adding), and real attackers start with wordlists of common and leaked passwords rather than exhaustive search, which is why a long random password beats a “clever” one.

[Figure: how many possible password combinations.  Legend: LC = lowercase letters, UC = uppercase letters, N = numbers, SC = special characters]
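As an added example (not code from the original post, and not anything WordPress ships), the script below reproduces the 94^12 figure and the 7.5-million-year estimate, then extends the same arithmetic to other lengths, to lowercase-only passwords, and to a much slower online guessing rate.  The class sizes follow the legend above (32 special characters is an assumption that matches the page’s number); the 2 billion guesses per second is the page’s offline figure, and the 10 guesses per second is a constructed stand-in for guessing against a live login form.

```python
import math

# Character-class sizes matching the page's legend (LC, UC, N, SC).
# Assumption: 32 special characters, i.e. printable ASCII punctuation,
# which gives the 26 + 26 + 10 + 32 = 94 symbols behind the page's 94^12.
CLASS_SIZES = {"LC": 26, "UC": 26, "N": 10, "SC": 32}
ALL_CLASSES = ("LC", "UC", "N", "SC")

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rates used below. OFFLINE is the page's figure for an attacker
# cracking a stolen password hash on their own hardware; ONLINE is a
# constructed assumption for guessing against a live login form.
OFFLINE_GUESSES_PER_SECOND = 2_000_000_000
ONLINE_GUESSES_PER_SECOND = 10


def alphabet_size(classes=ALL_CLASSES):
    """Number of distinct characters available given the chosen classes."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length, classes=ALL_CLASSES):
    """Number of possible passwords of exactly `length` characters.

    Python integers are arbitrary precision, so this stays exact even for
    the 24-digit value the page quotes for 12 characters.
    """
    if length <= 0 or not classes:
        raise ValueError("need a positive length and at least one class")
    return alphabet_size(classes) ** length


def entropy_bits(length, classes=ALL_CLASSES):
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size(classes))


def years_to_exhaust(length, guesses_per_second, classes=ALL_CLASSES):
    """Worst case for the attacker: time to try every possible password."""
    return keyspace(length, classes) / guesses_per_second / SECONDS_PER_YEAR


def crack_time_table(lengths, class_sets, rates):
    """Rows of length / classes / bits / rate / years for a side-by-side look."""
    rows = []
    for length in lengths:
        for classes in class_sets:
            for rate in rates:
                rows.append({
                    "length": length,
                    "classes": "+".join(classes),
                    "bits": round(entropy_bits(length, classes), 1),
                    "rate": rate,
                    "years": years_to_exhaust(length, rate, classes),
                })
    return rows


if __name__ == "__main__":
    # Reproduce the page's numbers: 12 characters drawn from all four classes.
    print("94^12 =", keyspace(12))
    print("offline years:", f"{years_to_exhaust(12, OFFLINE_GUESSES_PER_SECOND):.3g}")

    for row in crack_time_table(
        lengths=(8, 12, 25),
        class_sets=(("LC",), ALL_CLASSES),
        rates=(OFFLINE_GUESSES_PER_SECOND, ONLINE_GUESSES_PER_SECOND),
    ):
        print(f"{row['length']:>2} chars {row['classes']:<12} "
              f"{row['bits']:>6} bits  {row['rate']:>13,}/s  "
              f"{row['years']:.3g} years")
```

The table makes the two caveats concrete: eight lowercase letters fall to an offline attack in under two minutes at 2 billion guesses per second, yet the same password would take centuries to exhaust at 10 guesses per second through a login form.  Brute force through the login page is therefore not the realistic threat; stolen hashes and wordlists of leaked passwords are, and length plus randomness is what defends against both.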

Get an SSL Certificate

A lot of basic SSL certificates are free.  In fact, with Classic City Consulting’s hosting plans, we provide an SSL certificate free of charge.

Even if you’re just writing an entertaining blog about the crazy things your cat does every day, there are a couple of reasons why you need an SSL on your site:

  1. Traffic is encrypted.  Everyone who visits a site wants the data they type in to be protected.  SSL used to matter only if you were taking credit card information on your site.  Now, with identity theft, fraud, hacking, ransomware and more sophisticated villainy possible online, everything between your visitors and your server should travel encrypted, including your own WordPress admin login.  A certificate protects data in transit, not the server itself, so it complements the other measures here rather than replacing them.  Get a Let’s Encrypt certificate on your site today (most hosting providers offer it now), and once it’s installed, switch your WordPress site address to https:// and redirect plain http:// requests so that visitors and admins can’t fall back to the unencrypted version.
  2. Google likes it, and it doesn’t get much simpler than that.  Google changed its algorithm back in 2014 to give a ranking boost to sites served over HTTPS.  Google wants to make sure the sites it sends searchers to are safe and have done their due diligence to protect their visitors’ data.


A secure site is a team effort for every website, from the core code developers like Automattic and WordPress Core Contributors to the webmaster you commission to manage your site once it’s live online.  Security means staying one step ahead of the risk and investing in the long term safety of your site.  Connect with a team you can trust.

Written By:

Chris LaFay

Chris founded CCC after trying to figure out how to have the work-life balance that everyone dreams of. Not only does he get to enjoy designing + implementing websites, he also gets to play with his dog, travel, enjoy family dinners, and keep up with baseball. Check back with Chris for articles on web design, user experience, and project case studies.