1

I'm going to create a website with Wordpress.

I'm a junior software developer myself and I have experience working with servers and with the Magento Ecommerce software. But I'm not a systems administrator or either a junior web developer, all what I have learned has been through practice and more Magento (PHP) related.

I'm afraid my lack of experience in cybersecurity could affect the website. I would like to hire a server and put the website there. I'm sure there must be lots of tutorials and I do know how to transfer the files with Wordpress.

With the server, should I get support and security or some kind of similar service?

But as title states, what aspects should I really be aware of?

And definitely a certificate for the website, which I think it gives proper info for the visitor.

I have read this other post, which I think it has similarities with my question, but It differs a bit.

Raül
  • 113
  • 4
  • 1
    I get that this is important, but this question is way too broad to answer. Books have been written to answer this. Encryption, passwords, patching, secure coding, secure logic flows, data privacy, regulations, etc. If you can narrow your question to more specific things, we might be able to take another look. – schroeder Nov 21 '18 at 20:54
  • 1
    @schroeder I think the problem with the post is mainly that there are multiple questions in a single post. The OP is asking about WordPress security, what aspects of security he should be aware when it comes down to web development and how to handle server security for a web server. Can you confirm these questions, when posted alone, are not necessarily too broad? That way the community, including myself, might be able to improve the question. – Kevin Nov 21 '18 at 20:58
  • 1
    Hi @schroeder. I think Kevin gave me the answer I was expecting. The truth is that probably even I didn't know what I wanted to specifically ask... I'm sure there might be people in the same context where I am, and this will be pretty useful for them as well. – Raül Nov 21 '18 at 20:58
  • @KevinVoorn even those individually are too broad – schroeder Nov 21 '18 at 21:05
  • 1
    Thanks for the duplicate; I did not find that question. Really appreciate – Raül Nov 21 '18 at 21:31

1 Answers1

2

When you're dealing with WordPress, the most important thing is to do their updates very often. WordPress brings out security patches every few days-weeks and you should think about the workflow of doing updates on a regular basis.

The most common vulnerabilities when dealing with web development, are things like SQL Injections, Cross Site Scripting (XSS), wrongly implementing authentication and session management, Cross-Site Request Forgery (CSRF) and things like this.

You can find more about these topics on the internet, I would suggest you take a look at the top 10 OWASP vulnerabities. OWASP (Open web application security project) has lots of resources available for you to learn about vulnerabilities and how you go over fixing them. This blog articles explains the current top 10.

If you want to learn more about security by design, which is the topic you should really explore more, you can take a look at the OWASP Security Knowledge Framework. This framework gives you a lot of information and examples about secure programming in several languages.

You should indeed use a SSL certificate, not just because it gives proper information to your users, but because it makes the connection between your website and your users secure. You can read more about SSL and why you need a certificate on this website.

With the server, should I get support and security or some kind of similar service?

Most services that let you rent servers, have a managed solution. They are more expensive but if you are new to security and securing servers, this is your best option when you are in production. Obviously I would recommend you setup your own server and learn about security along the way, but not in production.

To add on to the subject of server security, this answer does a great job at explaining the difference between you as a web developer and system administrators:

But it's a different thing when you rent a virtual server which provides you with a naked operating system (or not even that) and expects you to set up everything on your own. In that case you are responsible for updating everything. When you require this for your project, you should consider hiring someone who knows how to harden a server properly, who knows which components need to be updated and how this is done. But the person you are looking for is not a software developer. It's a system administrator.

Kevin
  • 1,653
  • 10
  • 20