Ask HN: How do you manage Wordpress?

12 points by scollins 11 years ago · 20 comments · 1 min read


Most startups I see are using wordpress for their blogs, even if their programming stack isn't based on PHP.

How do you manage wordpress security and updates if you host the blog in house? If not, what service do you use to maintain wordpress?

davidgerard 11 years ago

We outsource it. I know how to administer it myself, but damn I don't want to ever administer WordPress myself any more. (Except on my personal blogs, but I'm a control addict there.)

If at all possible, use wordpress.com. Pay some $$ for the redirection.

Other outsourcers: Pagely. They're not terrible - they are middling in competence, we have occasionally had to tell them precisely how to do some simple thing - but basically we don't have to interact much, and that's THE DESIRED OUTCOME.

WordPress is a commodity these days, treat it like one.

(The reason to use WordPress: it is the best blogging platform these days, and is really good as a simple-semistatic-site platform, and it is commoditised with third-party developers and hosters growing on trees. In almost no cases are you actually going to have a legitimate need to reimplement blogging yourself.)

  • balac 11 years ago

    I can't agree more, manually managing wordpress security, updates, etc. is a pain. Keep your site simple and wordpress.com can work great.

pjbrunet 11 years ago

More important than maintaining WordPress, you want a secure server. Here's a not-comprehensive list...

- Use a VPS. If you talk to Olly, author of "wpCop" http://wpcop.com/ and the VPSBible, he recommends CentOS. I believe it has a good reputation for security, for web hosting. Also Ubuntu & Debian are about as popular as CentOS for web hosting and they're probably just as secure, but choosing your distro is a big deal because they're all different.

- Automated backups of everything, and make sure you know how to restore everything. Backups of backups and offsite backups. So even if something goes wrong, you're not completely screwed. You need "offsite" backups because there's a million ways onsite backups can be lost, stolen, destroyed, etc.

- Configure MySQL to ignore remote connections.

- Don't use "admin" users for WordPress or MySQL. Is this really necessary? Probably not but it's fairly easy to setup.

- Don't use FTP, use ssh.

- I know a guy who was on vacation in a certain country and they totally destroyed his server. So be aware of your environment.
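The "configure MySQL to ignore remote connections" item above can be audited mechanically. This is an added example, not code from the thread: a POSIX shell function that reads a MySQL/MariaDB option file and passes only when the `[mysqld]` group has `skip-networking` or a loopback `bind-address`; the three `.cnf` files are constructed samples.

```shell
#!/bin/sh
# Audit a MySQL/MariaDB option file for the "ignore remote connections" advice.
# mysql_listens_locally FILE returns 0 when the [mysqld] group sets
# skip-networking or binds only to a loopback address, 1 otherwise.
mysql_listens_locally() {
  awk '
    { sub(/[#;].*/, "") }                         # strip trailing comments
    /^[[:space:]]*$/ { next }                     # skip blank lines
    /^[[:space:]]*\[/ {                           # track the current option group
      in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next
    }
    in_mysqld && /^[[:space:]]*skip[-_]networking/ { skip = 1 }
    in_mysqld && /^[[:space:]]*bind[-_]address[[:space:]]*=/ {
      split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); bind = kv[2]
    }
    END {
      if (skip) exit 0
      if (bind == "127.0.0.1" || bind == "::1" || bind == "localhost") exit 0
      exit 1                                      # unset (all interfaces) or non-loopback
    }' "$1"
}

# Constructed sample option files for the demonstration (not real server configs).
work=$(mktemp -d)
cat > "$work/local.cnf" <<'EOF'
[client]
port = 3306
[mysqld]
bind-address = 127.0.0.1   # loopback only
[mysqld_safe]
bind-address = 0.0.0.0     # different group, must be ignored
EOF
cat > "$work/remote.cnf" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
EOF
cat > "$work/default.cnf" <<'EOF'
[mysqld]
datadir = /var/lib/mysql
EOF

for f in local remote default; do
  if mysql_listens_locally "$work/$f.cnf"; then
    echo "$f.cnf: OK, MySQL accepts local connections only"
  else
    echo "$f.cnf: WARNING, MySQL is reachable from the network"
  fi
done
```

Note that an absent `bind-address` is reported as a failure, because the server then listens on every interface by default.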

ereckers 11 years ago

Use a WordPress Managed Hosting platform like WP Engine, Pagely, Pressable. I'm most familiar with WP Engine and what they provide you is a security layer protecting against zero-day vulnerabilities (like today's 4.2.1 update), automatic core updates, caching layer, daily snapshots, rollback, and cdn integrations if your service level includes it.

It's everything a competent server admin and webops person could handle, but if you're trying to build a startup, dedicating any resources towards that is just taking engineering talent away from building the business.

The only technical consideration you'd then be tasked with is managing your plugins. Some now have automatic point updates, but most do not. These you'll need to monitor, test, and upgrade yourself.

There's value in even outsourcing that, simple design updates and production tasks, implementing marketing and visitor tracking, etc. When you're looking at that option, you can look to a firm (such as mine) that can take that on for you.

d2xdy2 11 years ago

Not sure I understand what you mean; I approach it much the same way that I keep up with security on my laptop. I find software (plugins) that seem reputable and update them when I get a notification to update them. If I happen to see a vuln pop up on seclist with no update from the publisher, I'll probably deactivate that plugin for a while until there's a response / update.

I think that's a fairly reasonable methodology for any web application or stack-- I run updates on most of my linux machines a few times a week, as needed, to edge out the would-be attackers (or fix other bugs I wasn't aware of).

I personally host the bulk of my stuff on a Linode VPS and just compartmentalize it into areas of duty and responsibility. My blog / portfolio gets the most attention right now from me, but stuff like my time tracking and CRM have their own areas that are "reasonably" separated from stuff like WordPress.

hawe 11 years ago

Yes, outsource it, WP Engine or Mediatemple are two options.

- Don't run it on the same server as the web app
- Use less plugins
- If the blog is on the same domain/a subdomain as the web app, take care of the cookie scope so that a potential XSS vulnerability can't be used to steal sessions etc.

pen2l 11 years ago

Wordpress is not as insecure as people think, it's only insecure when you start loading unknown plugins and such (which it seems a lot of people do do). My wordpress site has been up for about 4 years without me updating it or doing anything at all to it... and somehow it still hasn't fallen down.

  • pjbrunet 11 years ago

    I agree. I've been generally following WordPress news since 2004 (the beginning of its popularity) there's been no serious security problem in many years, as long as you had open user registrations turned off. Why you would allow a complete stranger access to your admin panels in the first place is another debate, but basically: don't allow user registrations on your blog and you're safe.

    If you look back in history, the so-called "WordPress hacks" in the news had nothing to do with a flaw in WordPress. What actually happened was, like in the case of the Media Temple hack, the hacker got access to the MySQL database and obviously all the blog data stored in MySQL was vulnerable. There was never any indication that WordPress was the attack vector when all those big hosts were affected. So what can you learn from that? Don't use shared hosting. Shared hosting was never that reliable in the first place. From my perspective, the shift to VPS was a big leap forward in terms of uptime for most websites/blogs.

    Another big problem was the "timthumb" plugin. But from 2004 onward, that was really the only plugin that caused widespread problems for WordPress blogs, as far as I can remember. Yes, some plugins are dangerous and maybe you want a service like sucuri.net if you're really concerned about bad plugins. But bad plugins are rare, IMO.

    Also weak passwords, again not a WordPress-specific problem. People using FTP carelessly, I bet that's the issue most of the time.

    I'm not saying security is easy, I'm just saying WordPress is generally not the culprit. If there was ever any major hack that made the mainstream news that I missed, please post the link.

  • stevekemp 11 years ago

    And yet only yesterday another serious issue was disclosed:

    http://klikki.fi/adv/wordpress2.html

  • feld 11 years ago

    Link to your blog? I'm certain it's vuln to xmlrpc vulns if you haven't updated it.

fsk 11 years ago

1. Apply all the security updates and patches as they come out. It's literally just one click.

2. Don't to get too fancy with too much customization (writing your own plugins, weird post types).

3. Using a less mature blogging engine has its own problems. Rolling your own blog engine is nuts.

4. You can find someone to write a wordpress theme for you pretty cheaply.

5. There's a reason so many websites run on wordpress.

6. If blogging isn't your core product, there isn't much point to using something nonstandard. Would you write your own E-Mail system? Why not just use the standard blogging system?

PebblesHD 11 years ago

We run it on a secondary box in our hosted environment. It's not able to access any critical data and runs only two or three plugins that weren't written in house. Basically we keep those up to date through WordPress and patch our own stuff when issues pop up. Since it's a totally separate environment it never really caused us any concerns about security, nor has it ever really posed a problem.

twunde 11 years ago

If you are hosting in-house, keep it on a box by itself, separate from the rest of your network. Then lock down the permissions so that a web user can't write files. That should eliminate 98% of the security problems. If possible you may want to consider running it in a chroot as well.
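The "web user can't write files" rule above is easy to verify with `find`. This is an added example, not code from the thread: it lists every file under a docroot that is group- or world-writable, or owned by the web-server account with the owner-write bit set, skipping `wp-content/uploads` (the one tree WordPress must write to, which should then be served with execution disabled). It assumes GNU or BusyBox `find`; the demo tree is constructed and the current account stands in for the web user.

```shell
#!/bin/sh
# Find files under a WordPress docroot that the web server account could modify.
# web_writable_files ROOT WEBUSER prints every regular file that is either
# group/world writable, or owned by WEBUSER with the owner-write bit set.
# wp-content/uploads is skipped: it is the one tree WordPress has to write to.
web_writable_files() {
  root=$1; web=$2
  find "$root" -path "$root/wp-content/uploads" -prune -o -type f \
    \( -perm /022 -o \( -user "$web" -perm -200 \) \) -print
}

# Constructed demo tree; the current account (numeric UID) stands in for the
# web user so the example runs anywhere (on a real host pass www-data, apache, ...).
web=$(id -u)
root=$(mktemp -d)/htdocs
mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/demo"
for f in wp-config.php wp-content/plugins/demo/demo.php wp-content/uploads/img.png; do
  echo "<?php // constructed placeholder" > "$root/$f"
done
chmod 440 "$root/wp-config.php"                      # read-only: not reported
chmod 644 "$root/wp-content/plugins/demo/demo.php"   # owner-writable by the web user: reported
chmod 666 "$root/wp-content/uploads/img.png"         # world-writable but under uploads: skipped

# Convenience wrapper returning just the number of offending files.
count_web_writable() { web_writable_files "$1" "$2" | wc -l | tr -d ' '; }

web_writable_files "$root" "$web"   # lists wp-content/plugins/demo/demo.php only
```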

emergentcypher 11 years ago

We manage ours in-house, it doesn't change very often, it's mostly a matter of staying on top of security patches. But we keep it on an entirely isolated vps where it won't be able to break anything else when it gets hacked.

eonw 11 years ago

It's strange to me that a place full of developers and this is a question? is installing, managing and securing a basic wordpress site really that much of a hassle or headache, or even a stretch of basic web dev skills? If you can't stand up, install and manage wordpress, at the very least, maybe you are on the wrong forum?

you have to watch for security updates and changes for almost every other thing you use in your work life (from OS to JS libs), why not just add wordpress and the few plugins you use to that list?

amac 11 years ago

Open an AWS account, install WP on a server and just install the updates within WP as necessary.

anthony_franco 11 years ago

We outsource it to WP Engine so we don't have to worry about it.
