Where content meets technology

Apr 01, 2015

Does the average user prefer multi-factor authentication to expiring passwords?

I was doing some anecdotal research about password security preferences and I was surprised to find that most of the people I talked to favored two-factor authentication (using Google Authenticator) over expiring passwords. My survey pool consisted of project managers who I think are pretty typical enterprise software users. Around half of them had not seen two-factor authentication until I showed it to them. The general attitude was that anything is better than expiring passwords — an opinion that I agree with.

Are my colleagues unusually geeky or is this a trend that other people are seeing as well? If you have experience, research, or intuition around this, I would love to hear from you. @reply me on Twitter: @sggottlieb if you have something to say.

Sep 05, 2014

Is Wordpress the Microsoft Windows of Web Content Management?

We run our corporate marketing sites on Wordpress. It's not the perfect web content management system for us but, as long as we keep things simple, it does the job reasonably well. When we want to do something that Wordpress doesn't comfortably handle, we tend to use an alternative platform such as Marketo or UnBounce, or develop static web pages.

Wordpress is great, but one thing to consider when using it is that you make yourself a target to all sorts of hacker attacks. When planning server capacity, we need to accept that a lot of our traffic comes from bots trying to hack into WP Admin. There are three things about Wordpress that contribute to this.

  1. Wordpress is by far the most commonly used web content management system. According to BuiltWith, 47.90% of CMS powered websites run on WordPress. The second most commonly used CMS is Drupal with 13.10%. Now I know that those statistics are not perfect but it is clear that Wordpress is head and shoulders above the competition when it comes to CMS adoption.

  2. Wordpress is incredibly easy to identify. If you look at the source of any Wordpress generated page, Wordpress's signature is impossible to miss. Moreover, Wordpress makes it really hard to hide these tells even if you wanted to.

  3. Wordpress is the "go-to" platform for people who know nothing about web development or security. While there are plenty of savvy WordPress developers out there, the majority of WordPress sites were built by people with no clue about security and operated by companies with limited technical know-how. Many of these sites were insecure from day one and only got worse as patching and other maintenance practices were neglected.

Put these three facts together and it is obvious why WordPress is the most attractive platform for hackers and botnets to attack. If you are a malicious hacker and want to get the most out of your efforts, you go after the biggest and most vulnerable target. And in that way, WordPress is a lot like Windows. Windows is everywhere because it is the go-to OS for people who just want a computer at a reasonable price. If you walk into a BestBuy/Staples/Costco to buy a computer, you will walk out with a Windows PC unless you have something else in mind. The majority of these computer shoppers know very little about managing their computers. These users will not keep their software up to date and will accept any dialog. Most of us have spent countless holiday hours removing adware, browser bars, and viruses from these computers.

Just to be clear: Wordpress and Windows are not inherently insecure. With conscientious maintenance, both of these platforms can be as safe to use as the alternatives. It is a sign of success for both Windows and Wordpress that they have earned the distinction of being prime targets for hackers. It is also a great opportunity for external software companies to market services to secure these platforms. The Windows security software market is already large and mature. The number of Wordpress security options is growing fast.

So my advice to everyone is to keep on using Wordpress if it meets your requirements. But accept that your site will be a target for hackers and plan for security. Work with Wordpress specialists (not designers who happen to know a little about Wordpress theming). Follow all the advice in the "Hardening Wordpress" page. Look into 3rd party services that help protect your site. Be safe.
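As an added example that is not part of the post, here is the kind of check a defender can run over the web server access log to measure the bot traffic against WP Admin that the post describes. The log lines are constructed, and the threshold (five failed logins from one address within five minutes) is an assumption to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in combined log format (not real traffic).
# WordPress re-renders wp-login.php with HTTP 200 on a failed login and answers 302 on success.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Sep/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
198.51.100.22 - - [05/Sep/2014:10:00:10 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.22 - - [05/Sep/2014:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Sep/2014:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Sep/2014:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/wp-login.php"


def find_login_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failed_posts} for every source address that made at
    least `threshold` failed wp-login.php POSTs inside any `window`-long span."""
    attempts = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed records instead of aborting the whole scan
        if m["method"] != "POST" or m["path"].split("?")[0] != LOGIN_PATH:
            continue
        if m["status"] != "200":
            continue  # a 302 means the credentials worked; only count failures
        attempts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window so it spans at most `window`
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print(find_login_bruteforce(SAMPLE_LOG.splitlines()))
```

The flagged addresses are candidates for rate limiting at the web server or firewall; the counts also give a rough figure for the capacity the bot traffic is consuming.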

Mar 25, 2007

Good Article on Web Application Security Vulnerabilities

The PHP programming language has historically gotten a bad rap in the area of security. While the language itself has had some vulnerabilities, three other aspects have (in my opinion) played a larger role:

  • PHP is an easy language to learn so there are a lot of unsophisticated beginners with no awareness of security holes writing web applications on it.

  • The rise of PHP coincided with a rise in community content applications (bulletin boards, blogs, Nukes) where external, untrusted users could insert their own content with potentially malicious payloads.

  • The PHP programming community was a little late in adopting web application frameworks. Good frameworks provide the plumbing for a web application and take care of security holes so that the custom code that developers write doesn't have to worry as much about known hacker exploits.

Two of these three factors are rapidly changing. The PHP development community is getting more sophisticated from a technology perspective and frameworks are getting better and are becoming more commonly used.

I am seeing more and more articles concerning security on PHP developer websites and magazines. For example, there is a really good article on the None site about Cross Site Request Forgery (CSRF) and Cross Site Scripting (XSS). It goes over how a hacker can inject malicious code into your site and how to protect yourself against these attacks. Here is a hint... never trust anything that a user enters. For more reading, check out Rob Miller's None.

If you have been holding back on using a framework, I would reconsider. Most of the PHP frameworks have filter components (The Zend Framework has their None. None has a User Input component) that disarm potentially hazardous user input. Tapping into the collective intelligence about security can free your own mind to build better, more effective web applications.
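To make the two attacks and the "never trust user input" rule concrete, here is an added example (not from the post or the article it links) showing a comment handler that trusts input beside one that escapes it for the HTML context and requires a session-bound CSRF token on the state-changing request. The server secret and session identifiers are constructed placeholders.

```python
import hashlib
import hmac
import html
import secrets

# Constructed placeholder; a real deployment loads this from configuration, not source.
SERVER_SECRET = b"example-secret-do-not-reuse"


def render_comment_unsafe(author, body):
    """The 'trust the user' version: raw input is written into the page, so a
    comment containing <script> executes in every reader's browser (XSS)."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author, body):
    """Escape untrusted text for the HTML body context before it is emitted."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def issue_csrf_token(session_id):
    """Bind a random nonce to the session with an HMAC so a form hosted on a
    third-party site cannot produce a token the server will accept."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_post_comment(form, session_id):
    """State-changing request: refuse it unless the CSRF token matches the
    caller's own session, then render the comment with escaping applied."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "forbidden"
    return 200, render_comment_safe(form.get("author", ""), form.get("body", ""))
```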