140 - Feeling insecure about security (Part 1)

August 08, 2019 00:50:49
WP Builds

Show Notes


In this episode:

Discussion - Feeling insecure about security (Part 1)

It's been a little while since David and I did a podcast episode about something tightly related to WordPress. For a few weeks, we've covered some more personal topics and focussed upon client interactions and personalities. This week we're back to WordPress, but in the guise of security. Sadly, dear listener, this episode ran on for so long that we ended up splitting it into two parts. This is the first, and you can hear part two in a week, which will be episode 141.

We split this subject up into some sub-headings as follows:

GENERAL STUFF FIRST

1. Non-WordPress security

GDPR (remember that?) and data protection (looking after clients' personal data). What do we do to ensure that our clients' and visitors' data is kept safe, and that the policies we have are up to date? Do we expunge all of the data that we no longer need? Do you still have client SSH keys in LastPass? Are form submissions being kept for longer than they need to be? Have we got backups stored in some repository somewhere, gathering dust, which belong to an ex-client? A backup that contains all of their site's config.php data that you probably should have got rid of several years ago? How do we manage all this?

David is a digital nomad with laptops that connect to shared/public WiFi. Could this be putting data on his laptop at risk? Is this something that we need to worry about under law, or is this just worrying for the sake of worrying?

How do we share passwords for WordPress websites with clients? There's a great service called 1ty which allows you to send passwords, or anything else that you want to send. As soon as the recipient reads it, the service deletes its copy, so nobody can get at it again. There's also the use of password managers to send passwords securely. I use LastPass, and this enables me to send passwords to fellow LastPass users in a way that never reveals the password, but enables other people to use the password in their browsers.

Whatever you do, I hope that you're using a password manager?! Please tell me that you are! You need to be using unique passwords that you cannot remember because they are too long and utter nonsense, including lots of odd characters that you'd never use otherwise!

Are clients sending you their login details in plain text emails which the entire world could read? Do they even send the username and password in the same email? What do you do with those emails? Are you also advising your clients that using the password "monkey123" is not advised, as WordPress logins can be brute forced against a vast array of known passwords?

What about passwords clients share with us when we take over their domain registration account during a project? Do you make sure that your clients alter their registrar's login credentials after you've had access, so that you cannot be accused of doing something in the future? David always tells his clients to change their passwords in this way, but says that they just don't do it! Google Domains (and some others too, I'm sure) allow you to delegate each domain to another user, who can then gain access to the domain that you set up for them and, if need be, revoke your access. I think that this is a great service which could have saved me hours in the past.

2. Sites we don't manage

Do we have a responsibility to inform clients about security if we recommend WordPress? Many people take the opinion that WordPress is not very 'secure'. I think that this is a myth, based largely upon the fact that WordPress presents such a giant attack surface. The software is well maintained and updates to core can be automated. It's really the plugins and the themes that are the problem, as there is no way to really keep all of that under control.

So how much of that do we need to communicate to our clients? Do they need to know anything? Do we need to pre-warn them about the fact that all websites are under attack, or do we just brush this aside and tell the clients nothing? What about updates: how often do we perform updates to plugins and themes? Do clients need to be kept up to date about this too? Are you in the habit of sending them reports about this kind of thing? Do we restrict plugins clients may want to use? Do we add a security plugin for them, and can they manage it? Perhaps this is a cheap way of keeping clients who don't want to pay for care plans protected in some way? Perhaps you roll a whole heap of security-related information into your care plans? I myself mention backups, uptime monitoring and some kind of firewall. David offers to get hacked sites back up and running in the state that they were in before any hack. Backups will only work if the hack is recent enough that restoring them won't destroy any new content that's been created since. We also discuss whether or not we advise clients on how to pick plugins, as well as what roles we assign to users - spoiler, we think that the editor role is all that's needed!

We completely ran out of time making this episode, and so, joy of joys, you get to hear part 2 next week!

Mentioned in this episode:

1ty - One Time Password (or anything) sending service.
WebARX - 35% off.
Wordfence.
WP Security Audit Log.
