I talked at WordCamp LAX this year about KISS Security, keeping it simple and being aware of what it is you’re doing. Because security isn’t about the right passwords, and upgrades, and plugins, and .htaccess, it’s about you doing what’s right. And in fact, while I did mention some plugins, some features on servers, and I certainly was willing to give my advice and opinion on them, I don’t recommend one security plugin over another. Instead, I talked about the mindset of being secure.
Don’t be stupid
My mother is one of the few people I know who has almost completely conquered the will to be stupid.
Miles Vorkosigan on his mother, Cordelia Naismith Vorkosigan
Brothers in Arms by Lois McMaster Bujold
If I cannot be stupid, then I can be secure. Sounds easy, but ignorance is the linchpin of stupidity, and you must defeat that first. The people who get hacked aren’t actually stupid at all. They’re just uneducated: this whole WordPress thing is new to them, and the security stuff is scary.
With that in mind, I aim more towards education when I help people. When I debug a site, I send the customer a two-part email. The first part is the tl;dr stuff: “You were hacked because you’re on WordPress 2.6 and your theme and plugins had backdoors due to old, vulnerable code.” That’s the easy part. Then I explain in detail how I found the hack, why it was a problem (like, did you know inactive themes can still be visited in your browser and, as such, are vulnerable?) and some details on how to fix it, even though I know they’ll still make mistakes. But I get them started with understanding what I’m looking for and why I think it’s bad.
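The inactive-theme point above is easy to check for yourself. The script below is an added example, not code from the original post: it walks a wp-content/themes directory, reads the standard style.css header fields (Theme Name, Version, Template), and lists every theme that is neither the active theme nor the parent of an active child theme, since those directories are still served from the web root even though nothing on the site uses them. The active theme’s directory name is what WordPress keeps in the stylesheet option; the sample theme tree built by build_sample_install() is constructed for the demo, and the theme names in it are made up.

```python
# Added example (not from the original post): find inactive WordPress themes,
# which remain reachable over the web even though the site does not use them.
import os
import re
import tempfile

HEADER_KEYS = ("Theme Name", "Version", "Template")


def parse_theme_header(style_css_text):
    """Pull the WordPress theme header fields out of a style.css comment block."""
    header = {}
    for key in HEADER_KEYS:
        m = re.search(r"^\s*\*?\s*" + re.escape(key) + r":\s*(.+?)\s*$",
                      style_css_text, re.MULTILINE)
        header[key] = m.group(1) if m else None
    return header


def audit_inactive_themes(themes_dir, active_stylesheet):
    """Return (dir_name, theme_name, version) for every theme that is neither
    the active theme nor the parent of an active child theme. Each of these
    is still served from the web root and should be updated or deleted."""
    themes = {}
    for entry in sorted(os.listdir(themes_dir)):
        path = os.path.join(themes_dir, entry, "style.css")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                themes[entry] = parse_theme_header(fh.read())
    keep = {active_stylesheet}
    active = themes.get(active_stylesheet)
    if active and active["Template"]:
        # A child theme's parent is loaded too, so it is not inactive.
        keep.add(active["Template"])
    return [(d, h["Theme Name"], h["Version"])
            for d, h in themes.items() if d not in keep]


def build_sample_install():
    """Construct a throwaway wp-content/themes tree (constructed sample data)."""
    root = tempfile.mkdtemp()
    samples = {
        "twentytwenty": "/*\nTheme Name: Twenty Twenty\nVersion: 1.4\n*/\n",
        "mychild": "/*\nTheme Name: My Child\nTemplate: twentytwenty\nVersion: 1.0\n*/\n",
        "oldtheme": "/*\nTheme Name: Old Theme\nVersion: 0.3\n*/\n",
        "sparetheme": "/*\nTheme Name: Spare Theme\nVersion: 2.1\n*/\n",
    }
    for d, css in samples.items():
        os.makedirs(os.path.join(root, d))
        with open(os.path.join(root, d, "style.css"), "w", encoding="utf-8") as fh:
            fh.write(css)
    return root


if __name__ == "__main__":
    root = build_sample_install()
    # "mychild" is the active stylesheet here; its parent "twentytwenty" is kept.
    for d, name, ver in audit_inactive_themes(root, "mychild"):
        print(f"inactive but still reachable: {d} ({name} {ver}) -> update or delete")
```

On a real install, point audit_inactive_themes() at the site’s wp-content/themes directory and pass the value of the stylesheet option; anything it lists is code sitting on the server that nobody is maintaining on your behalf.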
Use Common Sense
The reality of security is that we’re all ignorant, at some point in time, of what we’re doing, of what it means. Identity theft can go on for years because people don’t monitor their credit card statements. We get ripped off by not checking receipts. We give away our credit cards without thinking. We all do dumb things in the moment and regret everything. We have 20-20 hindsight. And getting to the point where we don’t do that, where we think first, takes deconstruction of myths, education, and trusting your gut.
Don’t Get Overwhelmed by the Hype
Stop me if you’ve heard this one. “You’ll be hacked unless you install a plugin.” Or maybe this one… “You’ll be hacked because you installed a plugin!” It goes on and on. Should you upgrade? Of course! But do I think upgrading alone is the answer? Heck no! Upgrading, being concerned with plugins and themes, using good passwords… those are all important, but they’re not going to be the be-all and end-all. They don’t make you smarter, and that’s why I hate them. What they really do is make you lazy. You think that because you have them, you’re safe, and you stop being aware.
Security Tripod
Back in 2010 I came up with the Tripod Theory of Security for websites. It’s a pretty simple way to be smarter about security: your site stands on three legs.
- Your Webhost (server)
- Your software’s developers (WordPress)
- YOU (everything else)
If everyone holds up their leg, the security of your site is locked down. If you have a responsive webhost, secure software, and good behavior, you’re going to be happy, the odds are that a WordPress upgrade never breaks your site, and you’ll be safe for a long time to come. Awesome! But as someone wailed at me at a barbecue, “How do you get to that point when you can’t CODE!?”
Education
The simplest answer is the most obvious. Know what you’re getting into with software. The plugins and themes you use are ones you should know about. Read the readme, follow the FAQ. Don’t be afraid to ask questions about features you want. But the best thing you can do is use your brain and think. When we grab code and don’t think about who wrote it, where it came from, and what it means, we open ourselves up to disaster, and we may as well be posting our passwords on the front of our websites. Taking that moment to be aware that, hey, maybe a nulled theme is a terrible idea will save you.
The biggest thing to do, though, is not to research everything to within an inch of its life, but to stop and think. When we jump into things without any forethought or awareness, when we ignore that nagging feeling of doubt, we run the risk of being stupid. Gas station sushi is still sushi, right? And sushi is totally awesome. Well. Yes. But it’s also a fast track to spending the rest of your day in the bathroom. And you know this. Your gut knows these things because of your experiences, and when they outpace your knowledge, that’s when we get those momentary blips of “This is a baaaaaad idea!” Listen to them. If it helps, picture a relative looking over your shoulder going ‘tsk.’ Admittedly, mine would be Taffy holding a glass of wine, saying “Don’t be stupid, Mika.”
What I Look For
Practicality matters, though. I can’t just say “Find code by a WordPress Core Developer and never worry a day in your life” because everyone can make mistakes. Instead of looking for perfection, I look for behavior. I want to see that a developer is active, both in general and in the overall community. I want to see how they respond to people: whether they answer in the same terms and language people use, or whether they’re always super-technical. I want someone who understands what they’re doing, even if they’re not always right, and I want someone who can balance the need for fixes against the annoyance of an update every day.