Nexcess Blog

Posts by: WordPress

Ads.txt Can Reduce Advertising Fraud On WordPress Sites

April 13, 2018

Online advertising is a multi-billion dollar industry that places hundreds of millions of adverts on tens of millions of web pages every day. For good and for bad, advertising is the engine of the online economy, but few consumers are aware of the incredible complexity of the system that chooses which adverts they see. That system is far from perfect, and one of its biggest problems is fraud.

Posted in: Nexcess, WordPress

Take Control Of Your WordPress Writing Experience With These Applications

March 13, 2018

WordPress’s built-in editor has improved enormously in recent versions: it’s a genuine pleasure to write in WordPress, which is not something I’d have been able to say with a straight face a few years ago.

But, as someone who spends most of my day writing, I prefer to use a text editor native to my operating system. Having my writing as Markdown files on my device allows me to automate some mundane writing tasks and organize my work in a way that makes sense to me.

Posted in: Nexcess, WordPress

Using Docker to Build Local WordPress Development Environments

March 7, 2018

Over the years, we’ve looked at several different systems for setting up local development environments, from applications like MAMP to a Varying Vagrant Vagrants workflow. I’m always looking for the most efficient way to create new WordPress instances, both for development and because I need an easily replicable WordPress environment for testing plugins and updates I want to write about.

Posted in: WordPress

How to Provide Secure Access to Your WordPress Site

March 6, 2018

WordPress site owners sometimes need to give a third party access to their site. Once a site grows beyond a certain size, it’s impossible for one person to do all the work, even if they have the necessary skills. Bringing a professional on board is a smart move.

But giving someone you don’t know well access to your site is a daunting proposition. It’s unlikely they will turn out to be malicious, but incompetence and carelessness cause just as many problems. No one wants to have their site hacked because a contractor used an insecure password or because a developer wasn’t as careful as they should have been.

Site owners should follow one simple rule when giving third parties access to their site: provide the least access compatible with getting the job done. In the security world, this is called the Principle Of Least Privilege, and most of us intuitively understand its implications. When you pay a vendor, you don’t send them your bank details so they can withdraw any amount they want, hoping they’re honest: you send them a check or use a credit card that authorizes them to claim exactly the amount they’re entitled to.

What does that mean in the context of WordPress?

Granting Access To Your WordPress Site

WordPress provides a collection of user roles that determine the capabilities of a user account.

  • Administrators have complete control over the site. There is really no restriction on what an administrator can do.
  • Editors can publish and manage the posts of other users.
  • Authors can only manage and publish their own posts.
  • Contributors can upload posts, but they can’t publish them.

No one should be given administrator privileges on a site unless it’s absolutely essential. If a service provider needs admin access, they should not be given the authentication credentials of the site’s owner or other trusted users. An admin account should be created for their use and deleted once they no longer need it.

If you have contracted a writer and you want to check their work before it’s published, give them a Contributor account rather than an Author account, because they don’t need access to the publication features.

Always give accounts the smallest amount of power you can.
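Temporary administrator accounts are easy to forget once the work is finished. The script below is an added example, not part of the original post: it compares the site's current administrator logins against an approved list and prints any that are left over. The allowlist file format, the file name `approved-admins.txt` and the sample logins are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find administrator accounts that are not on an approved list.
# On a live site the input would come from WP-CLI:
#   wp user list --role=administrator --field=user_login \
#       | unexpected_admins approved-admins.txt   # hypothetical file name

# unexpected_admins ALLOWLIST_FILE   (administrator logins on stdin, one per line)
# Prints every login that is not listed in ALLOWLIST_FILE.
# Allowlist format (assumption of this example): one login per line;
# lines starting with '#' are comments.
unexpected_admins() {
    allowlist=$1
    while IFS= read -r login; do
        [ -n "$login" ] || continue
        # -F: literal match, -x: whole line, so "siteowner" does not
        # approve "siteowner2". "--" guards logins that begin with "-".
        if ! grep -v '^#' "$allowlist" | grep -Fxq -- "$login"; then
            printf '%s\n' "$login"
        fi
    done
}

# Constructed sample data (not from a real site).
sample_admins() {
    printf '%s\n' 'siteowner' 'siteowner2' 'agency-dev' 'seo contractor'
}
sample_allowlist() {
    printf '%s\n' '# permanent administrators' 'siteowner'
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
sample_allowlist > "$tmp"
leftovers=$(sample_admins | unexpected_admins "$tmp")
rm -f "$tmp"
if [ -n "$leftovers" ]; then
    echo "Administrator accounts to review and delete if no longer needed:"
    printf '%s\n' "$leftovers"
fi
```

Run from cron or after each contractor engagement, an empty result means every administrator account is one you intended to keep.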

Granting Access To Your Server

Occasionally, a developer or designer may need access to your server or hosting account. Once again, the Principle of Least Privilege applies.

Firstly, and most importantly, never provide root access to your server to someone you don’t absolutely trust. In fact, it’s better to give no one root access and to disable root logins.

If you can, do any work that requires privileged access to your server yourself. If a designer asks for access to upload some files, you or someone you trust should upload them if it is at all feasible.

If not, create an FTP or database account for them, and then delete the account when they no longer require access.

If a developer or designer is likely to use FTP over an insecure connection, use a secure VPN to ensure that the data can’t be intercepted.

If you rigorously adhere to the Principle Of Least Privilege, you will be able to give vendors and service providers the access they need without putting the security of your WordPress site at risk.

Posted in: WordPress