WordPress - A 'Very' Brief History Of...

Since its initial launch in 2003, when Matt Mullenweg and Mike Little created a fork of b2/cafelog, WordPress has become one of the most used blogging tools in the world.  As of January 2015, it was thought that something like 20% of the world's most visited sites had been developed using the tool... a tool which, let's not forget, was designed purely to let people create online blogs.

Through years of development and constant improvements, coupled with a fantastic open-source culture, (which in itself has spurred a huge community, or army, of bedroom-coders and commercial organisations alike), this free blogging tool has become one of the most feature-rich and flexible web development systems on the planet.  If you have a neat idea for a widget that would look great on your website, you can bet someone has already created a plug-in for it. The market of both free and commercial plug-ins is enormous, boasting nearly 40,000 unique widgets, plug-ins and tools for instant download and installation.


WordPress Security Issues & Vulnerabilities

...but, as is true for pretty much any platform which is well adopted, WordPress started to become a key target for many hackers and exploiters.  By 2007 the user base had grown to such a degree that it became a worthwhile target... the theory being that because the codebase was the same for all sites currently live on WordPress, if a back-door or exploit could be found, it could mean a big prize of thousands of sites becoming easy pickings for hackers, with minimal effort.

And so it was that by the middle of 2007, a study showed that a whopping 98% of sites running WordPress were exploitable due to out-of-date versions and a complete lack of patch/upgrade philosophy being adopted by most webmasters.  The misguided belief was that you could build and release a website using WordPress and then leave it for years without a care in the world for updates or security patches.  This was basically an attitude that led to the downfall of many a blog as exploits became well publicised but webmasters failed to do anything about it.

By December 2008, the WordPress codebase had been significantly improved in a bid to protect its users from these exploits by making the system much easier to update, but the very thing that has driven the success of WordPress over the years (its community of plug-in builders) is also one of the main reasons why so many sites have become vulnerable over the years.  As recently as 2013 a survey showed that 7 of the 10 most used e-commerce plug-ins were vulnerable to attacks such as SQL injection... not a good show if you're planning to set up a business on this framework!

It became all too clear that whilst the platform itself offers many shiny reasons to be used, it should only be used whilst showing the internet's underworld the level of respect it commands.  The WordPress codebase must be updated regularly to ensure you get all of the released security patches and upgrades BUT, maybe more importantly, the plug-ins and widgets that you or your web developer have chosen to use must also be updated on a regular basis.

It would be simple to adopt the attitude of, "Well I paid my web developer to build my site, so surely they should be maintaining it forevermore and fixing all these issues as they arise", but we're fairly certain this will just lead you down a very dark alley.  Most web developers will base their charging model upon hours spent in the development lifecycle, and rightly so.  Once the site is signed-off and launched, the developer is very rarely responsible for ensuring it stays healthy, unless a specific on-going maintenance plan has been negotiated up-front.

So then you could turn to the hosting provider, (normally a company recommended by the developer but with no affiliation or association), but they will most likely just shrug and say, "you need to speak to your developer about things like that, we only host it."

And that's where we come in...

WordPress Hosting - Belt and Braces

WordPress Standard Hosting - £240pa +vat

Our entry level WordPress Hosting package includes nightly backups to disparate hardware, ensuring that in the event of any service disruption, whether caused by errors made in the administration of the site, by attacks made possible by out-of-date versions, or by simple hardware failure, we will be able to restore your site to the state it was in before the problems were discovered.

We support three versions of PHP, Apache and MySQL at any one time, ensuring that we can cater for all versions of WordPress and any other CMS built upon these three key platform requirements.  Oftentimes PHP features or functions are deprecated due to security concerns, or just through pure 'because we can' attitudes within certain ranks.  These changes can cause serious issues with sites that were built using features that were, at the time, considered perfectly fine to use, and so we ensure backwards compatibility with at least 2 older versions of all 3 technologies, so you can choose which platform your application will be hosted on.

The main datacentre is located within a 25 acre ring-fenced Research Centre at the heart of the Kent Science Park. Physical security features include razor-wire fencing to all boundaries and a bullet-proof/blast-proof security gatehouse.  Surveillance measures include 24x7 manned security and extensive CCTV monitoring. As for the datacentre itself, this has electronic locks linked to a central COTAG card access system. Issue of cards is controlled, and all access to the datacentre is recorded.

WordPress Belt Hosting - £440pa +vat

To help ensure your site, and therefore your business, 'stays up' and operational 365 days a year, we offer what we affectionately call the Belt Hosting package, which not only includes nightly backups but additionally ensures that the WordPress codebase and all installed plug-ins are kept up to date, never more than 1 month behind the release curve.

These patches and upgrades are essential to ensure your site is always as secure as possible and can stand up to any publicised exploit that becomes an issue throughout the annual hosting lifecycle.

Our team will manually check your site on a monthly basis and, where required, install any new plug-in or codebase updates (we will ask you to create a full-permissions user for us to use for this purpose).  Before we do this, however, we will create a test version/replica of your site and apply all updates to this version, giving us a chance to check that all version upgrades are compatible with your site and don't, for example, break the theme.

Only once we can see the site is not adversely affected by the upgrades will we then apply them to the live site.

An update email is then sent to the administration email address of your choice, with a breakdown of which updates have been installed and which have not been installed due to detected incompatibilities.  This ensures your web developer can be made fully aware of any theme or content issues that are beyond our remit.
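The replica-first routine described above, as an added illustration in Python (not the host's own tooling): the plug-in inventory and the replica test results are constructed sample data, and the one-month lag rule is checked against each update's release date so that anything held back for too long is flagged for the web developer.

```python
"""Staged WordPress update run as described for the Belt Hosting package:
test updates on a replica first, push only the passing ones to live, and
report the rest. Added example, not the host's tooling; the inventory is
constructed to resemble `wp plugin list --format=csv` output plus a release
date column (assumption: a real run would gather this via wp-cli)."""
import csv
import io
from datetime import date

MAX_LAG_DAYS = 31  # page's promise: never more than a month behind the release curve
TODAY = date(2015, 6, 15)  # constructed date of this monthly run

# Constructed sample: name, installed version, available version, release date.
INVENTORY_CSV = """name,version,update_version,update_released
example-shop,2.3.8,2.3.11,2015-05-28
example-forms,4.1.2,4.2,2015-06-01
example-slider,4.1.4,4.6.5,2015-02-15
"""
# Constructed outcome of applying each update on the replica site.
STAGING_RESULTS = {"example-shop": True, "example-forms": True, "example-slider": False}


def parse_inventory(text):
    """Return [(name, installed, available, released)] for rows with an update pending."""
    pending = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["update_version"] != row["version"]:
            pending.append((row["name"], row["version"], row["update_version"],
                            date.fromisoformat(row["update_released"])))
    return pending


def plan_run(pending, staging_results, today):
    """Split pending updates into apply-to-live and hold-back lists.
    A held-back update released more than MAX_LAG_DAYS ago breaches the
    one-month policy and is flagged for escalation to the web developer."""
    apply, hold, overdue = [], [], []
    for name, _installed, _available, released in pending:
        if staging_results.get(name, False):  # no replica result counts as a failure
            apply.append(name)
        else:
            hold.append(name)
            if (today - released).days > MAX_LAG_DAYS:
                overdue.append(name)
    return apply, hold, overdue


def build_report(apply, hold, overdue):
    """Plain-text body for the monthly update e-mail."""
    lines = ["Installed: " + (", ".join(apply) or "none"),
             "Held back (failed on replica): " + (", ".join(hold) or "none")]
    if overdue:
        lines.append("Escalate to developer (over policy lag): " + ", ".join(overdue))
    return "\n".join(lines)
```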

WordPress Belt & Braces Hosting - £680pa +vat

OK, so the analogy is wearing a bit thin by this stage, but you can see what we're getting at!  In the full-fat Belt & Braces hosting for WordPress we will apply all of the features listed above, but with the unmatched (as of June 2015) addition of full security reporting and penetration testing.  So whereas the Belt Hosting package is great if you just need to ensure you are applying any fixes and patches that the developers make their user base aware of... this package actively tests and scans your site for vulnerabilities, each and every month.

We run a suite of tried, tested and industry-respected applications that will check your site from both the back and the front doors... this means that not only do we run scans against the site via standard HTTP protocols (outside, looking in); we will also run tests from within your web server's O/S to assess whether there are any security issues throughout the entire application (including, but not limited to: SQL injection, CSRF, LFI, RFI and XSS tests).

The reason this level of security is worth the extra cost is simply that not all plug-in developers will be aware of vulnerabilities until they are notified... and even then, they may not be very timely in fixing those issues.  We make you aware of those issues so that you can approach your web developers, possibly with a view to swapping the offending plug-in for another, more pro-actively updated one.


In short, we aim to make your life on the internet a comfortable one. We take the headache out of managing WordPress so that you can get on with what you're good at... and the developers can get on with what they're good at.

At these prices, it's one of the best value pseudo-insurance policies you'll ever have!

The 'Smaller' Print

OK, so here are the bits that we think are obvious, but we need to be careful and make sure that you, the customer, also understand the intricacies and limitations of the services we are offering here.

1. We will never be held liable for any monetary value greater than the cost of the services which you have paid for in the current term.

2. (As an extension to 1, for clarification) if your site is an e-commerce site, we will never be liable for any loss of earnings, under any circumstances, no matter what.  All hosts will say the same thing; it sounds blunt, and it is.  If you need cover for loss of earnings due to your site being unavailable at any particular time, you should speak with your insurance broker.

3. This is a 'best endeavours' service, and therefore you must accept that, with the best will in the world, no hosting environment is ever 100% safe from the wily ways of hackers and miscreants.  We pride ourselves on running an extremely tight ship and we know our environment is considerably more secure than any of the stack-it-high, sell-it-cheap providers we could mention... but still, we have to accept that if NASA can get hacked, so can we.  This is why our mantra is "backup, backup, backup".

4. We are only responsible for the maintenance of the infrastructure of your site, i.e. the standard WordPress codebase and all associated plug-ins.  This includes standard themes too, but where the developers have used non-standard themes or have 'edited' standard themes, we are not responsible for amending these themes to fall in line with any updates that may be issued by the original theme developer.  This would be a matter for your web developer.  Having said that, as you can imagine, we work with many great web developers, and if you have difficulty finding one to maintain your themes or content, we would be happy to make some introductions (for which we take no commissions, btw!).

5. Whilst our services (and in particular the Belt & Braces Hosting package) go far beyond the call of duty when compared to other hosting companies in the UK, we still rely on external security experts to update us with their findings... forewarned is forearmed and all that.  However, we all need to remember the scary truth that for every 100 security experts trying to lock the doors, there are at least 1000 hackers trying to bust them in.  We can only be as forewarned as the global network of security advisors enables us to be.

If we all remember these points above, we'll all get along just fine.