• I work for a corporate organisation who are wanting to create a WordPress blog. Before we can do this we need to have our standard Security questions answered. I was hoping you could put me in touch with someone within your organisation who can do this.

    Thanks in advance

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Sorry, but there’s really no one to put you in touch with. This is a volunteer staffed support forum for an open source software platform.

    Before we can do this we need to have our standard Security questions answered.

    What questions do you have? You won’t find anything as formal as a SAS 70 (see open source volunteer staffed software platform reference above) but generic questions can be answered here by many people.

    Thread Starter katrinashaw

    (@katrinashaw)

    Security Component
    1) Security Policy
    a) Does the organisation have a Security Policy? If yes, how is the awareness and compliance with this policy promoted within the organisation and with its business partners?

    2) Physical Security
    a) What physical access controls exist within the organisation’s Data Centre(s) to restrict access to systems that may directly or indirectly handle Customer data to authorised personnel?
    b) What environmental controls exist within the organisation’s Data Centre(s) to protect Customer data stored on systems within this environment?

    3) Back-ups
    a) What process is employed by the organisation to back up critical data? Has this process been documented?
    b) How regularly are backups performed?
    c) Are back-up logs maintained to track when and what data has been backed up? Who has access to these logs?
    d) Are the backups stored securely offsite? If so where?
    e) Does regular testing of backups occur? If so how regularly and what type of testing is performed?

    4) Disaster Recovery Plan (DRP)
    a) Does the organisation have a documented disaster recovery plan?
    b) If the organisation does have a disaster recovery plan, how regularly is this plan tested?
    c) What priority would be given to restoring services provided to the Customer in the event of a disaster?

    5) Logging/Auditing/Monitoring
    a) What logging occurs at the network, system and application levels on hosts that may directly or indirectly handle Customer data?
    b) What type of information is captured in these logs and is it sufficient to allow a particular event to be traced back to its source?
    c) Are all logs “read only” and tamper proof? Where are they stored (i.e. locally on the host or in a central location)?
    d) Are the logs reviewed? If so how regularly?
    e) How long are the logs archived for?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Those are very good questions and standard ones too. But I think you might be mistaking this place (www.ads-software.com) for another place (WordPress.COM) and those questions don’t really apply here.

    This place is for supporting WordPress software that users or companies install on their own systems in their own data center. In that scenario your own staff would answer those questions for yourself.

    WordPress.COM (not this place) hosts blogs using the software that is provided here. Those questions may apply to them and you may wish to contact them on their separate forums.

    https://en.support.wordpress.com/

    You will need to create a .COM user ID and password there (the accounts from here do not work there) but that’s not difficult to do.

    https://signup.wordpress.com/signup/

    Once you are there then you can post those questions in the .COM forums.

    The differences between .COM and .ORG are detailed in this article.

    https://en.support.wordpress.com/com-vs-org/

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Some of those make sense for WPORG though, considering it does push out updates for plugins etc.

    Tagging this for someone who may be able to help…

    For security reasons, I was wondering if the Core WP Software could treat the username/userID/loginname in the same manner as it does the passwords? I was wondering if it could be set up so that on the first login of a new user, including the admin accounts, you are instructed to create a ‘nickname’ and if desired ‘first’ and ‘last’ names as well, then the user must select which of those entries or combination of first and last names is to be used for front-end publicly visible stuff like ‘author pages’ or ‘posted by’ or the name displayed in wp chat plugins etc., so the actual login name NEVER becomes publicly visible just like the password? It seems like we’re essentially giving hackers half of the puzzle before they even get started by allowing this…am I right, or super paranoid wrong on this?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    @kf4tvi That’s not really related to this topic but here goes:

    For security reasons, I was wondering if the Core Wp Software could treat the username/userID/loginname in the same manner as it does the passwords?

    . . .

    It seems like we’re essentially giving hackers half of the puzzle before they even get started by allowing this…am I right, or super paranoid wrong on this?

    Think in terms of risk. Can you really restrict your user ID getting out there? Unless you also use user IDs such as SAaJw32S!!*22 (which I don’t recommend by the way) then your user ID will remain something that’s guessable and that’s alright. The user ID getting out there is something that’s conceded.

    WordPress, like many platforms, does use and display the user ID in lots of places. The reason that’s alright is because of that concession. The security is in the password and not the user ID.

    There are plugins that will obscure or not display the author ID but those are add-ons. WordPress at its core would need to be modified to not display those user IDs.

    Or if someone has a patch that can be implemented without breaking existing installations (that’s a big ask!) then that would help move the idea forward.

    Note: yes, WordPress recommends that you don’t use admin because many scripts hammer at that user ID all day and night long. But if the password for the admin account is sufficiently strong then it really doesn’t matter.

    Note for the note: most users use weak passwords. I use 1Password myself to deal with that and there are other aids.
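As an added example (not code from this thread, from WordPress core or from any plugin), a small Python script that follows the point above: the user name is conceded, so the useful signal is the rate of failed logins against it, such as scripts hammering the admin account. The log format, the user names and the IP addresses are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: one login attempt per line, in the shape a login-auditing
# plugin or a custom wp_login_failed hook might record. IPs are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T02:00:01Z wp-login FAIL user=admin ip=203.0.113.5
2024-03-01T02:00:02Z wp-login FAIL user=admin ip=203.0.113.5
2024-03-01T02:00:03Z wp-login FAIL user=admin ip=203.0.113.5
2024-03-01T02:00:04Z wp-login FAIL user=admin ip=203.0.113.5
2024-03-01T02:00:05Z wp-login FAIL user=admin ip=203.0.113.5
2024-03-01T02:00:06Z wp-login FAIL user=admin ip=203.0.113.5
2024-03-01T02:01:10Z wp-login FAIL user=jsmith ip=198.51.100.9
2024-03-01T02:01:15Z wp-login OK user=jsmith ip=198.51.100.9
2024-03-01T02:02:00Z wp-login FAIL user=admin ip=192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) wp-login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("ip")

def failures_by_user_and_ip(log_text):
    """Count failed logins per (user, ip) pair; a mistyped password once is noise."""
    counts = Counter()
    for _ts, result, user, ip in parse(log_text):
        if result == "FAIL":
            counts[(user, ip)] += 1
    return counts

def suspicious_pairs(log_text, threshold=5):
    """Return (user, ip, failures) for pairs at or above the threshold, sorted."""
    return sorted(
        (user, ip, n)
        for (user, ip), n in failures_by_user_and_ip(log_text).items()
        if n >= threshold
    )

if __name__ == "__main__":
    for user, ip, n in suspicious_pairs(SAMPLE_LOG):
        print(f"{n} failed logins for user {user!r} from {ip}")
```

The threshold is a tuning knob: a single failure from a legitimate user is expected, while a run of failures against one name from one source is what a lockout or rate-limit plugin acts on.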

    Thanks for your reply.

  • The topic ‘Security’ is closed to new replies.