The weakest link in any security system is the human element. The most expensive alarm system won’t protect your house if you forget to activate it. The strongest deadbolt is useless if left unlocked. And, of course, the most robust, unhackable password might as well be “Password1” if it’s written on a Post-It attached to your monitor.
There are plenty of plugins and best practices to make WordPress more secure (we covered four basic ones in our Securing WordPress 101 post). But it’s important to account for that human element. WordPress security needs to be more than tech solutions: It needs to be part of an organization-wide culture of security.
We asked three WordPress security experts how they counteract the human element by making security a part of their organization’s DNA. Read on for tips from:
David Bisset, Freelance WordPress/PHP Developer
Luke Probasco, Director of Marketing/Drupal General Manager, Townsend Security
Chris Teitzel, Founder/CEO, Cellar Door Media/Lockr
Tips to Create a Culture of WordPress Security
Everyone’s a Target: Make Security Part of Your Day-to-Day
“Data security is a very personal thing. It is easy to consider it a ‘feature’ when building a site, but at the end of the day, it protects the private information for you or someone you know. The average website is attacked 22 times per day.
Symantec recently published a report confirming that three out of five cyber-attacks target small and midsize businesses (SMB). SMBs typically have weaker security controls and often don’t consider security a priority. You might not have anything to steal per se from your site, but you do have resources. Once your site is exploited, hackers can insert spam links, redirect your traffic to other sites, or even spread malware to your visitors and steal their financial information.”
Security Starts at the Top of the Org Chart
“The culture of security starts at the beginning and from the top. It is important that management recognize the need for their developers and team to focus on security and provide them the tools to do so.
Purchasing password management software for everyone, securing logins to critical systems, and most of all allotting budget to build security into every project from the beginning. By doing this, the management of an agency or development team sets the team up for success.
Mistakes happen though, and keeping a level head, not pointing the blame, and having a candid but positive post-mortem when an incident occurs helps add a level of calm to what is already a stressful situation. Doing so keeps your developers happy, aware of threats, and most importantly the client and the site safe.”
A Culture of Security Means a Culture of Communication
“Just getting into the mindset of ‘is what I’m writing secure’ helps a great deal. I think getting into the habit of doing big ‘review’ tests at certain points during a project or schedule, along with ‘mini-reviews’ of smaller code commits, helps.
If you aren’t a solo developer and have a team, then a culture of communication goes right along with that: casual reviews of code from other developers might help catch things that were missed. Every developer is going to miss things, so the more eyes the better.”
There’s no such thing as set-it-and-forget-it security. Security is a continuum, not an on-off switch. The right technology can nudge your organization toward the “safer” side, but it takes ongoing effort and attention to stay secure. It’s important to make security one of the baseline values of your organization: bake it into all of your processes and best practices, and make it an everyday concern. Recognize that everyone’s a target, start with your upper management (even if that’s just you), and make sure to keep the lines of communication open.
To learn more about keeping your WordPress sites safe, keep an eye out for our upcoming Quickstart Guide to WordPress Security.