WordPress Installation

Recommendations

Written primarily in relation to the GDPR and European organisations, but equally applicable for others whose sites will be processing personal data of EU citizens.

  1. Install onto a staging site, perhaps not with the final website domain name. The reason for this is that as soon as the installation is complete the system automatically sends the domain name and number of users that are setup to WordPress.org. There is nothing wrong in the statistics being collected, as it’s mentioned in their privacy policy (we all read those don’t we?);  we are just mentioning it for the purposes of these recommendations and that it can be stopped. (Please ask for further details if required).
  2. Change the ‘admin’ username; create a new user with administrator credentials using a strong password, logout, and login using the new username/strong password and delete the ‘admin’ username completely and all pre-installed pages and posts. Ensure that the new username does not include ‘admin’, ‘administrator’ or the domain name. The reasons for this are:-
    a. Admin as the pre-install username is known to hackers and if not changed will automatically give 50% less security than adopting the advice above.
    b. Hackers will chose administrator or the domain name as their second choice to gain unauthorised access to the site.
  3. As part of the installation you will be asked to provide an email address and also when setting up users: if it is in the format of firstname@domain.tld, or firstname.lastname@domain.tld – its personal data so covered by the legislation.
  4. Install security plugins, ideally those which allow the database table prefix to be changed. The pre-install version of WordPress uses the ‘wp_’ prefix and this is also known by hackers, so the advice would be to change it. Additional ones that will keep your site protected, by providing directory security, firewall, malware and other scanning provision are also highly recommended.
  5. Ensure the security plugin(s) can stop access to reading the whole website content, such as the /wp-content/uploads folder. It’s your content and not necessarily published on the website – protect it. Also ensure that they are capable of hiding usernames from preying eyes or else 2. Will apply.
  6. Install a plugin that is capable of backing up the website content and database. Take care where the backups are stored. If in the EU then there should be adequate safeguards in place. If the US, then it is the Data Controllers responsibility to check that the organisation is signed up to the EU-US Privacy shield.
    a. Backups which include personal data need to be protected from unauthorised access and are covered by the legislation. So, for example, if they are stored anywhere using a third party provider, such as Dropbox or similar then the organisation providing that service will be a Data Processor acting on behalf of the Data Controller so the agreement needs to be in a written form (can be electronic). The same applies for Cloud storage.
  7. Backup the site at this stage.
  8. Ensure that any themes or plugins are being actively developed before installing them. Out of date or non-supported plugins can be a security risk.
  9. Any plugins such as contact forms, newsletter signup, ecommerce payment and reservation booking or similar will without doubt involve personal data and it is important to ensure that a clear, concise and transparent privacy policy/notice is provided on the site. Equally important is to know that the data cannot be used for any purpose not mentioned in the privacy policy/notice this is automatically unlawful (unless an exemption applies).
  10. Any plugins which transmit personal data to a third party for action such as outsourced sending of newsletter(s), payment gateways etc. will need to be detailed as the organisations providing those services will be Data Processors.
  11. On-going as WordPress issues updates and security fixes to their system these will need to be applied as will updates to themes and plugins in order to remain compliant with the legislation.

All the above is in part common sense and best practice but so often overlooked by organisations.  However the legislation is clear about what is expected here are a couple of examples of the “Principles”

Personal data shall be:-

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Site Statistics

Here’s the infographics of WordPress sites that have been passivley scanned in the last year by www.wPUPdate.co.uk. They show a worrying trend that site operators are still not updating their WordPress core system, plugins or hiding login usernames.

%

WordPress Outdated

%

Plugins Outdated

%

Usernames Exposed

Figures from 1st January 2018 all sites scanned were operated by United Kingdom entities.