WordPress Security
Why we Chose WordPress
Allbound’s primary user base consists of sales and marketing teams, and what better way to allow for simplified & familiar usage than to utilize one of the most adopted open source platforms on the web today? WordPress is utilized by millions of people worldwide, and is consistently updated with the latest and greatest feature sets. In fact, WordPress accounts for over 34% of websites that are live today.
We use WordPress in our user interface to allow our users to have a simplified experience of managing their content; however, keep in mind that the backend systems that power Allbound are all developed internally, and do not utilize WordPress. For those parts that are loved by our customers and utilized on a daily basis, please keep on reading to get a bit of insight into how we secure these components.
How we Secure WordPress
We understand security is a primary focus for our clients, and want to reflect that in our technology stack. For the portions of our architecture that utilize WordPress, we do the following:
Passwords and Permissions
Each customer's WordPress instance has its own unique passwords and permissions, kept separate from every other customer's, so credentials for one account grant no access to any other account.
Users and Data
Allbound gives each customer a separate database user and schema, with rotating credentials stored in AWS Secrets Manager in a SOC 2 compliant manner. Customers who choose to can also enable SSO, which replaces WordPress's default login process, and MFA is supported as well.
Configuration
WordPress normally keeps its database password and other confidential values in plain text inside the wp-config file. We have written our own packages so that WordPress reads those values from AWS Secrets Manager instead. Each customer has a different rotating secret, encrypted with AWS KMS, and we have overridden how WordPress accesses those secrets, which gives a much more secure architecture.
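As an added example (not Allbound's own package or code), the fragment below shows how a wp-config.php can resolve per-tenant database credentials from AWS Secrets Manager at request time instead of holding them in plain text. The AWS SDK for PHP calls are real; the secret naming scheme allbound/wp/<tenant>/db, the ALLBOUND_TENANT environment variable, the JSON layout of the secret and the APCu cache TTL are assumptions made for illustration, and the web tier is assumed to run under an IAM role whose policy allows secretsmanager:GetSecretValue only on that tenant's secret ARN.

```php
<?php
// Added example, not Allbound's code: wp-config.php that pulls the database
// credentials for one tenant from AWS Secrets Manager.
//
// Assumptions (not stated on the page):
//  - the AWS SDK for PHP is installed with Composer;
//  - the process runs under an IAM role scoped to this tenant's secret, so no
//    access key is embedded in the file and a compromised tenant cannot read
//    another tenant's secret;
//  - the tenant is identified by the environment variable ALLBOUND_TENANT;
//  - the secret is JSON of the form used by Secrets Manager's RDS rotation
//    templates: {"username":..,"password":..,"host":..,"dbname":..}.

require_once __DIR__ . '/vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

/**
 * Return the decoded database secret for the current tenant, failing closed
 * (HTTP 503) rather than falling back to any shared or default credential.
 */
function allbound_db_secret(): array
{
    $tenant = getenv('ALLBOUND_TENANT');
    // Whitelist the tenant id so it cannot inject path-like characters into
    // the secret name and reach a different secret.
    if ($tenant === false || !preg_match('/^[a-z0-9-]{1,64}$/', $tenant)) {
        http_response_code(503);
        exit('tenant not configured');
    }
    $secretId = "allbound/wp/{$tenant}/db"; // hypothetical naming scheme

    // Short-lived APCu cache so every request does not call the API. The TTL
    // must be shorter than the rotation window, or a rotated password would
    // be served stale until the cache expires.
    $cacheKey = 'db_secret_' . $tenant;
    if (function_exists('apcu_fetch')) {
        $cached = apcu_fetch($cacheKey, $hit);
        if ($hit) {
            return $cached;
        }
    }

    // No explicit credentials: the SDK resolves the instance/task role.
    $client = new SecretsManagerClient([
        'version' => 'latest',
        'region'  => getenv('AWS_REGION') ?: 'us-east-1',
    ]);

    try {
        // Without a VersionStage the AWSCURRENT version is returned, so a
        // freshly rotated password is picked up as soon as rotation finishes.
        // Decryption with the secret's KMS key happens on the AWS side.
        $result = $client->getSecretValue(['SecretId' => $secretId]);
    } catch (AwsException $e) {
        // Log the error code only; never log the secret or the full request.
        error_log("secret fetch failed for tenant {$tenant}: " . $e->getAwsErrorCode());
        http_response_code(503);
        exit('database unavailable');
    }

    $secret = json_decode($result['SecretString'], true, 512, JSON_THROW_ON_ERROR);
    foreach (['username', 'password', 'host', 'dbname'] as $field) {
        if (empty($secret[$field])) {
            http_response_code(503);
            exit("secret is missing {$field}");
        }
    }

    if (function_exists('apcu_store')) {
        apcu_store($cacheKey, $secret, 300); // 300 s TTL, an assumption
    }
    return $secret;
}

$dbSecret = allbound_db_secret();
define('DB_NAME',     $dbSecret['dbname']);
define('DB_USER',     $dbSecret['username']);
define('DB_PASSWORD', $dbSecret['password']);
define('DB_HOST',     $dbSecret['host']);
unset($dbSecret); // do not leave the password lying around in global scope

define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', '');
$table_prefix = 'wp_';

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

Two points a practitioner should check when adopting this pattern: the authentication salts (AUTH_KEY and friends) live in the same file and can be served from the same secret the same way, and if the database rotation uses the single-user strategy the old password stops working the moment rotation completes, so the cache TTL above is the longest outage a tenant can see unless the code also clears the cache on a database authentication failure.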
Updates
We apply WordPress and plugin security updates automatically, and push core WordPress releases to the Allbound platform within days of their launch. That short interval gives us the time needed to perform security and reliability regression testing, and makes the update seamless for our customers.
Plugins
Allbound does not currently offer the ability for customers to utilize their own plugins. For the few plugins that the platform does utilize, we have a strict vetting and testing process (covering both reliability and security) for integration into the main product, with a number of those plugins needing modifications to work with the changes we have made to the WordPress platform.
GDPR Compliance
Since WordPress 4.9.6, the core WordPress software has shipped privacy tools intended to help site operators comply with GDPR (a privacy policy page, and personal data export and erasure requests), and Allbound does not modify any of the core files involved in those features. You can read more about those changes in the 4.9.6 release notes: https://wordpress.org/support/wordpress-version/version-4-9-6/
Conclusion
If you have any other questions regarding WordPress, and the ways that we have modified it to remain secure, please contact [email protected], and we’d be more than happy to help!