Why We Like WordPress, but Not for Banks and Credit Unions
WordPress is the most popular blogging platform on the web with millions of websites running it globally. WordPress is one of the easiest platforms available for beginners and experts alike to start a blog. It fulfills its core purpose remarkably well! But while we like (and use) WordPress as a blogging platform and as a convenient tool to refer friends & family to when they want to build a personal website, it is not a platform that banks and credit unions should consider for their websites.
Impenetrable Websites are a Myth
This post isn’t an attack on WordPress or meant to suggest that WordPress is the only popular website platform with security issues. No website platform today is immune from attack. Any realistic conversation about website security must first begin with the acceptance that creating an impenetrable website is not a realistic goal. The only completely secure website is one that isn’t connected to the Internet or the power outlet. Once you’ve accepted that fact, then you’re prepared for a realistic conversation about website security.
Security as a Mindset
A realistic goal for any bank or credit union regarding website security is to make itself a less attractive target than the other potential victims on the Internet. The best way to do this is to place enough hurdles in front of attackers to make the level of effort required to hack the site greater than the reward.
When creating highly secure websites (or any software), developers must bring a security mindset to their work. Developers begin thinking about security before they write a single line of code. Security minded developers are constantly evaluating every architecture decision to identify security weaknesses and counter measures to eliminate each weakness. With every line of code and every completed function, developers are assessing how someone could attack their code and what counter measures they need to have in place to prevent each attack.
As the website codebase grows and evolves, developers repeat their analysis, continually looking for and shoring up weaknesses. Strong security is a foundation upon which the website is built, not a band-aid applied after the code is completed.
What We Like About WordPress
WordPress began life as an improvement to an existing open source blogging platform that had gone stale. The developers who first contributed to WordPress had a mission of creating an easy to use blogging platform that adhered to then current web standards. They wanted other developers to be able to easily extend the functionality of the product by building plug-ins. WordPress has achieved these goals exceedingly well! There’s a lot to like about WordPress, including:
- It’s easy to learn how to use
- It’s free (well, sort of)
- Many ready to use themes are readily available for users who cannot afford a designer or don’t have design skills of their own
- There are ample community resources available to help people learn and use WordPress
- Thousands of developers worldwide have contributed millions of hours of their time to build and support the product. WordPress is a stellar example of open source effort.
High Security Was Not a Core Design Goal for WordPress
Strict security within an application can diminish user friendliness and make plug-in development difficult, neither of which helped to achieve the developers’ goals. As we discussed earlier, when security isn’t a core focus of design & coding goals, it’s nearly impossible to build a highly secure product. Furthermore, security and user friendliness are often opposed to one another in website and software development.
Ease of use is why we love to use WordPress for blogs and why it’s a favorite to recommend to friends & family when they want to try building their own websites. Neither of these typically have the unique security & reputation concerns that financial institutions face.
Despite its popularity and ease of use, we never recommend WordPress for banks, credit unions, or other high probability attack targets. While security has improved in the product in recent years, there are still significant shortcomings in WordPress and many plug-ins that make it the wrong tool for banks and credit unions. Not only are new WordPress vulnerabilities discovered on a frequent basis, but the core product fails to meet most FDIC, NCUA, FFIEC, and software industry security best practices.
What is WordPress Missing that Financial Institutions Need?
As I mentioned, WordPress is a good choice for certain websites. We’ve setup many WordPress blogs and websites for people who aren’t concerned about high security and these sites perform well.
Bank and credit union websites aren’t like other websites though. For banks and credit unions, the list of missing security requirements in the core WordPress codebase is extensive. They include:
- Password complexity customization and enforcement
- Automatic password expiration policies and enforcement
- Automatic account lockout policies to mitigate brute force attacks
- Change auditing & versioning to track all changes made to text, graphics, design elements, attachments, and other website assets
- Granular permissions control to limit content editing access to just the pages, or even content elements on a page, to just the users who should have access
- Workflow management to require review & approval of all changes before they’re published live
- Ability to restrict access to login pages and administrative areas of the website by IP address
- Audit logging of all actions users performs while inside the management area
- Database encryption for stored data collected through web forms
- Encryption of database connection strings and other configuration settings stored at the file system level
You can add some of the above best practices via third-party WordPress plug-ins, but these require banks to perform a significant amount of due diligence vetting the plug-in authors and performing thorough code reviews before installing the plug-in. Most banks, and even most WordPress site creators and plug-in authors, lack the programming and security expertise to perform this due diligence
From a security and compliance standpoint, I’ve heard other security professionals use the word reckless to describe a bank or credit union’s decision to use WordPress for any website that also serves as a front door to its online banking, forms, live chat, bill payment, or other transactional features. While the term reckless may be a bit strong, it is fair to say that WordPress is a dangerous platform for financial institutions.
Already Have a WordPress Site?
One reason so many WordPress websites are successfully attacked is that the site owners do little to mitigate the inherent risks in WordPress. WordPress sites are often hosted on non-hardened LAMP servers with minimal or no firewalls in place, with many settings left at defaults, and no additional code, stack, or network level protections in place to prevent common attacks.
If you’re already running a WordPress site, there are actions you can take to mitigate some risks and make yourself a less vulnerable target. Some of these you can do yourself, but most are going to require the cooperation of your hosting provider and a skilled WordPress developer willing to work with you. The safest option is to migrate bank or credit union websites off of WordPress and onto a platform better designed to meet the unique security needs of a enterprise websites. You can reach out to us and we can help you directly, or we can give you advice to help yourself.