FAQs About WordPress Security: An Expert’s Advice
We interviewed Greg Boone about his experience working with the most high-risk customers.
We interviewed Greg Boone, a long-time Technical Account Manager at WordPress VIP, about working with public sector and federal government agencies to create secure, reliable web experiences for their audiences. Here’s what he had to say about some of VIP’s security FAQs.
Let’s address one of the most common misconceptions about WordPress and open source software: are they safe for enterprises?
WordPress being unsecure is a popular myth, in part, because the open source software powers so much of the web. When something does go wrong in WordPress Core, or a vulnerability is found in a plugin, it can potentially affect millions of sites and users.
Security risks aren’t unique to WordPress or open source systems. All content management systems (CMSes) and plugins, when left outdated, become vulnerable. Again, because of the market share WordPress holds, it gets more scrutiny.
Scaling introduces complexity
There aren’t a lot of hard and fast rules about running WordPress well at scale, especially for the enterprise. When scaling any system, you need to consider the risks of inviting large numbers of visitors to your site.
To have WordPress effectively serve millions of requests per minute, enterprises often end up continually adding more services and integrations: web application firewalls, database servers, caching servers, a single sign-on provider, digital asset managers, backup systems, etc.
Because some integrations require plugins to get systems talking to each other, they can introduce more complexity, creating new risks that need to be managed while impacting WordPress’s famous reputation for simplicity.
Why is WordPress VIP different and what sets it apart from out-of-the-box WordPress?
WordPress VIP manages a lot of enterprise complexity, risk, infrastructure, and site reliability, so you can focus on the pressing needs for your enterprise applications.
Our public documentation on security is a great place to start for anyone who has concerns about WordPress VIP security. It outlines every single security measure we take from top to bottom, including how VIP works in tandem with our customers to keep sites reliable and secure.
“We wanted to use WordPress, and the fact WordPress VIP was the only WordPress option with FedRAMP authorization to operate (ATO) made it a strong option for us as a government agency.”—Kristen Loflin, PR Manager, Marine Corps Marathon Organization
Here’s an example: Transport Layer Security (TLS) certificates cost money, they expire, and they need to be monitored for renewal. One of my customers told me the renewal process was a multi-day, multi-stakeholder process, before they migrated to VIP. They did it only a few times a year in part because the process was so tedious. Now they do it every three months without thinking because it’s built into our platform.
“Hosting a website on VIP means those staff have a better platform that doesn’t burden IT teams with routine maintenance.”—Greg Boone, Technical Account Manager, WordPress VIP
Another example is protecting individual components from each other. Your CMS shouldn’t be a “noisy neighbor” living next to your main application or a mission-critical system. You also want to protect your CMS database from the dynamic front end and vice versa. With VIP, you can get added security and reliability features right out of the box.
Our robust caching layer ensures that few requests from real visitors hit the PHP and database servers directly. Setting that up and doing it well doesn’t really happen overnight. We have a whole team designing, updating, and securing our infrastructure.
None of this is to say that our customers’ IT staff can’t do this. Many have extremely capable engineers. Instead, they can put that staff to work designing and protecting higher value web properties, or mitigating more serious risks to their organization.
The best companies run the web with VIP.
Salesforce does. Facebook does. Al Jazeera does.
Why do large public sector and government organizations like the VA and the White House trust WordPress VIP to run their websites?
For many customers, trusting VIP with their website means taking work and risk off the table so they can focus on their mission, a massive value add for their teams.
The U.S. Department of Veterans Affairs, for example, needs their IT and software engineering staff focused on improving and building out their benefit services for veterans. Government organizations have more pressing issues than worrying about the intricate details of their web configuration. It’s not to say these web assets aren’t important, they are; but the skills and resources that go into securing enterprise applications are scarce.
“The security, the trust, the expertise, is what brought us to WordPress VIP.”—Andrew Binns, COO, 2020 Democratic National Convention
Why federal agencies are different
One of the main things federal agencies need that private customers don’t is FedRAMP authorization. FedRAMP is essentially a clearing house of cloud service providers that federal government agencies have evaluated and sanctioned for use. It’s a rigorous program for a company to get that green light from federal third party auditors.
VIP became a FedRAMP authorized cloud services provider in 2021. When I recall some of the CMSes I encountered at my government agency before I came to VIP, I think about how much we would have benefitted from an authorized, trustworthy service provider.
We put in a tremendous amount of work into just keeping sites online and performant for users but didn’t always deliver value back to customers. We had a lot of process and infrastructure similar to what we have here at VIP, but we also had a complicated publishing workflow that slowed content creators. It left little time or energy for building out a more robust editorial experience.
We were fortunate to have the staff to provide that kind of support. Agencies or program offices that don’t can end up with extremely limited freedom to publish what they need and how they care to publish it. Sometimes both.
This isn’t for lack of interest, but hiring staff and procuring tools to dedicate to site maintenance is limited. Often those limited resources are directed toward more mission-critical needs: delivery of benefits, maintaining national parks, administration of grants and leases, public safety, processing citizenship applications, and so on.
In other words, the work of government comes first. To be sure, public communication is part of that work. Hosting a website on VIP means those staff have a better platform that doesn’t burden IT teams with routine maintenance.
How do VIP support teams provide additional security for federal agencies?
By providing a stable foundation for their WordPress stack and limiting things customers need to worry about. We also know our stuff.
For example, we always suggest using Git for version control of your WordPress themes and plugins rather than installing them directly from our wp-admin. If customers ask us for advice, we’re quite candid in our point of view.
Hannah Flom, Director of Digital Communications for the 2020 DNCC, shared some of my favorite feedback about our support team:
“One of the best parts about working with the WordPress VIP team was the customer service and responsiveness,” she explained. “We ran into some issues with the back-end of our site. Our web development team worked directly with WordPress VIP and got incredibly responsive customer service to solve the issue very quickly.”
At the end of the day, federal agencies need a team they can trust with their web properties. Because we work more like a partnership than a vendor, our customers know we have their backs.