Backing up is something people know they should do, but put off until some unspecified day in the future. It never seems urgent and there’s always something more pressing to do. At least, that’s true until the moment disaster strikes and you kick yourself for not backing up sooner. Read more
Posted in: WordPress
Online advertising is a multi-billion dollar industry that places hundreds of millions of adverts on tens of millions of web pages every day. For good and for bad, advertising is the engine of the online economy, but few consumers are aware of the incredible complexity of the system that chooses which adverts they see. That system is far from perfect, and one of its biggest problems is fraud. Read more
WordPress’s builtin editor has improved enormously in recent versions: it’s a genuine pleasure to write in WordPress, which is not something I’d have been able to say with a straight face a few years ago.
But, as someone who spends most of my day writing, I prefer to use a text editor native to my operating system. Having my writing as Markdown files on my device allows me to automate some mundane writing tasks and organize my work in a way that makes sense to me. Read more
Posted in: Nexcess, WordPress
Over the years, we’ve looked at several different systems for setting up local development environments, from applications like MAMP to a Varying Vagrant Vagrants workflow. I’m always looking for the most efficient way to create new WordPress instances, both for development and because I need an easily replicable WordPress environment for testing plugins and updates I want to write about. Read more
WordPress site owners sometimes need to give a third-party access to their site. Once a site grows beyond a certain size, it’s impossible for one person to do all the work, even if they have the necessary skills. Bringing a professional on-board is a smart move.
But giving someone that don’t know well access to your site is a daunting proposition. It’s unlikely they will turn out to be malicious, but incompetence and carelessness cause just as many problems. No one wants to have their site hacked because a contractor used an insecure password or because a developer wasn’t as careful as they should have been.
Site owners should follow one simple rule when giving third-parties access to their site: provide the least access compatible with getting the job done. In the security world, this is called the Principle Of Least Privilege, and most of us intuitively understand its implications. When you pay a vendor, you don’t send them your bank details so they can withdraw any amount they want, hoping they’re honest: you send them a check or use a credit card that authorizes them to claim exactly the amount they’re entitled to.
What does that mean in the context of WordPress?
WordPress provides a collection of user roles that determine the capabilities of a user account.
No one should be given administrator privileges on a site unless it’s absolutely essential. If a service provider needs admin access, they should not be given the authentication credentials of the site’s owner or other trusted users. An admin account should be created for their use and deleted once they no longer need it.
If you have contracted a writer and you want to check their work before it’s published, don’t give them an Author account because they don’t need access to the publication features.
Always give accounts the smallest amount of power you can.
Occasionally, a developer or designer may need access to your server or hosting account. Once again, the Principle of Least Privilege applies.
Firstly, and most importantly, never provide root access to your server to someone you don’t absolutely trust. In fact, it’s better to give no one root access and to disable root logins.
If you can, you should do any work that requires privileged access to your server. If a designer asks for access to upload some files, you or someone you trust should upload them if it is at all feasible.
If not, create an FTP or database account for them, and then delete the account when they no longer require access.
If a developer or designer is likely to use FTP over an insecure connection, use a secure VPN to ensure that the data can’t be intercepted.
If you rigorously adhere to the Principle Of Least Privilege, you will be able to give vendors and service providers the access they need without putting the security of your WordPress site at risk.
Posted in: WordPress
WordPress is — as content management systems go — very secure. It’s the most targeted web application in the world, but it’s also the best protected. It is in the interest of many thousands of developers and users to seek and destroy any vulnerabilities that may find their way into the code of WordPress Core, themes, and plugins. Read more
Last week, WordPress 4.9.3 was released. It brought the usual variety of minor enhancements and security fixes, but it also introduced a nasty bug that may prevent your WordPress site from updating itself properly in the future. Read more
