Security Weekly

Who should take the responsibility of WordPress security?

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 11

Whenever most people discuss WordPress security, the conversation typically revolves around which security solutions to use, where to host the website, and how to keep it secure. Something that often seems missing from these discussions is the question of who should do it.

All those articles we read online about “top security plugins” and “how to secure your WordPress site,” etc., are aimed at individuals who either build their own sites or those who create sites for others.

However, we all know that the majority of WordPress websites have not been built by the business or organization that owns the site. Most of them are constructed by an agency or a freelancer.

Shared Responsibility

When building a WordPress site, you essentially share responsibility with different parties. Hosts manage the infrastructure/server side of things, and you (or the agency) take the responsibility of ensuring the site has the functionality it needs and that it keeps running.

If you build the website for yourself, you take on the responsibility of maintenance and security. If you don’t do that, then security incidents are almost guaranteed and all you can blame is yourself. We often also see customers being misled by hosts who claim to cover all possible security and take that responsibility away, when all the customer actually gets is an SSL certificate and Cloudflare.

If you’re not building the website for yourself and have outsourced this to an agency or a freelancer, then you’re most likely not even aware of the responsibility you have. Here, it’s the responsibility of the agency or freelancer to ensure this requirement is clearly communicated and that this responsibility gets assigned.

Maintenance & Care Plans

One way developers & agencies can ensure that the responsibility over security and maintenance is assigned is by offering maintenance and care plans.

Every professional developer should clearly communicate the risks of owning a website and how important regular maintenance and security are. I would even recommend including the first year’s maintenance plan in the project cost. If you really don’t want to offer care plans, then you should still communicate the risks and requirements for security and direct the client to a service provider who does.

At Patchstack, we work with many different hosting providers, and one of the most common issues hosts face is websites that have “lost” their developer. When issues arise (mostly when security has already failed and the site is compromised), the site owner does not know what to do and relies on hosting support.

This should not be the responsibility of a hosting company, yet this is forcing hosts to come up with solutions. We’re seeing more and more large hosts open a service business next to the hosting business because nobody else takes responsibility.

The space is already consolidated enough, so if you’re a developer or an agency, please offer care plans and make them an integral part of your business. It’s not only good for global web security but also a great recurring revenue opportunity.

Conclusion

When talking about security, we often discuss how to do things and where, but we frequently forget to ask who should do it. It’s very important that responsibility is assigned to all critical aspects of having a website.

We, the developers and agencies who bring new companies online, have the responsibility to explain the risks and requirements that come with it. Failing to do so could be considered straight-up reckless.

Every website built on open source software should come with a care plan, even if the care plan service is offered by a third-party provider. Hopefully, one day we’ll get there.
