
Ask HN: How do you manage Wordpress? - scollins
Most startups I see are using wordpress for their blogs, even if their programming stack isn't based on PHP.

How do you manage wordpress security and updates if you host the blog in house? If not, what service do you use to maintain wordpress?
======
davidgerard
We outsource it. I know how to administer it myself, but damn I don't want to
ever administer WordPress myself any more. (Except on my personal blogs, but
I'm a control addict there.)

If at all possible, use wordpress.com. Pay some $$ for the redirection.

Other outsourcers: Pagely. They're not terrible - they are middling in
competence, we have occasionally had to tell them precisely how to do some
simple thing - but basically we don't have to interact much, and that's THE
DESIRED OUTCOME.

WordPress is a commodity these days, treat it like one.

(The reason to use WordPress: it is _the best_ blogging platform these days,
and is really good as a simple-semistatic-site platform, and it is
commoditised with third-party developers and hosters growing on trees. In
almost no cases are you actually going to have a legitimate need to
reimplement blogging yourself.)

~~~
balac
I can't agree more, manually managing wordpress security, updates, etc. is a
pain. Keep your site simple and wordpress.com can work great.

------
pjbrunet
More important than maintaining WordPress, you want a secure server. Here's a
not-comprehensive list...

- Use a VPS. If you talk to Olly, author of "wpCop"
[http://wpcop.com/](http://wpcop.com/) and the VPSBible, he recommends CentOS.
I believe it has a good reputation for security, for web hosting. Also Ubuntu
& Debian are about as popular as CentOS for web hosting and they're probably
just as secure, but choosing your distro is a big deal because they're all
different.

- Automated backups of everything, and make sure you know how to restore
everything. Backups of backups and offsite backups. So even if something goes
wrong, you're not completely screwed. You need "offsite" backups because
there's a million ways onsite backups can be lost, stolen, destroyed, etc.

- Configure MySQL to ignore remote connections.

- Don't use "admin" users for WordPress or MySQL. Is this really necessary?
Probably not but it's fairly easy to setup.

- Don't use FTP, use ssh.

- I know a guy who was on vacation in a certain country and they totally
destroyed his server. So be aware of your environment.
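To make the "configure MySQL to ignore remote connections" item concrete, here is an added check (my own script, not pjbrunet's or anything from the thread) that reads a my.cnf and reports whether mysqld would accept TCP connections from other hosts. The two config files it feeds itself are constructed samples, and the paths inside them are assumptions.

```sh
#!/bin/sh
# Added example: audit a MySQL/MariaDB config for the "ignore remote
# connections" point above. mysqld listens on every interface unless the
# [mysqld] section sets bind-address to loopback, or skip-networking, which
# disables TCP altogether and leaves only the local Unix socket.

# usage: mysql_network_scope /etc/mysql/my.cnf
# prints "local" (exit 0) or "remote" (exit 1)
mysql_network_scope() {
    conf=$1
    # keep only the [mysqld] section, drop comments, strip blanks, and
    # treat bind_address / bind-address alike (mysqld accepts both spellings)
    section=$(sed -n '/^[[:space:]]*\[mysqld\]/,/^[[:space:]]*\[/p' "$conf" \
        | grep -v '^[[:space:]]*#' | tr -d ' \t' | tr '_' '-')
    if printf '%s\n' "$section" | grep -qiE '^skip-networking(=(on|1|true))?$'; then
        echo local; return 0
    fi
    # the last bind-address wins, as in mysqld; an absent one means all interfaces
    bind=$(printf '%s\n' "$section" | sed -n 's/^bind-address=//p' | tail -n 1)
    case $bind in
        127.0.0.1|localhost|::1) echo local;  return 0 ;;
        *)                       echo remote; return 1 ;;
    esac
}

# Constructed sample configs: the weak one accepts connections from anywhere,
# the corrected one binds to loopback because PHP and MySQL share the host.
weak=$(mktemp); fixed=$(mktemp)
cat >"$weak" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
bind-address = 0.0.0.0
EOF
cat >"$fixed" <<'EOF'
[client]
socket=/var/run/mysqld/mysqld.sock
[mysqld]
datadir=/var/lib/mysql
# WordPress runs on this same box, so loopback is enough
bind-address = 127.0.0.1
EOF
for f in "$weak" "$fixed"; do
    printf '%s -> %s\n' "$f" "$(mysql_network_scope "$f")"
done
rm -f "$weak" "$fixed"
```

A config with no [mysqld] section at all is reported as remote, since that is what mysqld defaults to.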

------
ereckers
Use a WordPress Managed Hosting platform like WP Engine, Pagely, Pressable.
I'm most familiar with WP Engine and what they provide you is a security layer
protecting against zero-day vulnerabilities (like today's 4.2.1 update),
automatic core updates, caching layer, daily snapshots, rollback, and cdn
integrations if your service level includes it.

It's everything a competent server admin and webops person could handle, but
if you're trying to build a startup, dedicating any resources towards that is
just taking engineering talent away from building the business.

The only technical consideration you'd then be tasked with is managing your
plugins. Some now have automatic point updates, but most do not. These you'll
need to monitor, test, and upgrade yourself.

There's value in even outsourcing that, simple design updates and production
tasks, implementing marketing and visitor tracking, etc. When you're looking
at that option, you can look to a firm (such as mine) that can take that on
for you.

------
d2xdy2
Not sure that I understand what you mean; I approach it much the same way that
I keep up with security on my laptop. I find software (plugins) that seem
reputable and update them when I get a notification to update them. If I
happen to see a vuln pop up on seclist with no update from the publisher, I'll
probably deactivate that plugin for a while until there's a response / update.

I think that's a fairly reasonable methodology for any web application or
stack-- I run updates on most of my linux machines a few times a week, as
needed, to edge out the would-be attackers (or fix other bugs I wasn't aware
of).

I personally host the bulk of my stuff on a Linode VPS and just
compartmentalize it into areas of duty and responsibility. My blog / portfolio
gets the most attention right now from me, but stuff like my time tracking and
CRM have their own areas that are "reasonably" separated from stuff like
WordPress.

------
hawe
Yes, outsource it, WP Engine or Mediatemple are two options.

- Don't run it on the same server as the web app
- use fewer plugins
- If the blog is on the same domain/a subdomain as the web app, take care of
the cookie scope so that a potential XSS vulnerability can't be used to steal
sessions etc.
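The cookie-scope point deserves a worked check, so here is an added script (mine, not hawe's) that decides, from a Set-Cookie header, whether the app's session cookie would also be sent to a blog on a sibling host. The hosts app.example.com and blog.example.com and the sample headers are constructed.

```sh
#!/bin/sh
# Added example: does a session cookie set by the main app also reach a
# WordPress blog on a sibling host? Per RFC 6265 a Set-Cookie without a
# Domain attribute is host-only (sent back only to the exact host that set
# it); Domain=example.com sends it to example.com and every subdomain, so a
# script injected into blog.example.com would make requests carrying it.

# Domain attribute of a Set-Cookie value, lower-cased, leading dot removed;
# empty output when the attribute is absent (host-only cookie).
cookie_domain() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*domain=[[:space:]]*\.\{0,1\}//p' | head -n 1
}

# usage: cookie_reaches '<Set-Cookie value>' <host that set it> <other host>
# exit 0 if <other host> would receive the cookie, 1 otherwise
cookie_reaches() {
    dom=$(cookie_domain "$1")
    origin=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    other=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ -z "$dom" ]; then
        [ "$origin" = "$other" ]          # host-only: the exact host only
    else
        case $other in                    # domain cookie: domain plus subdomains
            "$dom"|*".$dom") return 0 ;;
            *)               return 1 ;;
        esac
    fi
}

# Constructed sample: the app at app.example.com sets its session cookie two
# ways; the WordPress blog lives at blog.example.com.
for hdr in 'app_session=s3cret; Domain=example.com; Path=/; Secure; HttpOnly' \
           'app_session=s3cret; Path=/; Secure; HttpOnly'; do
    if cookie_reaches "$hdr" app.example.com blog.example.com; then
        echo "shared with the blog:          $hdr"
    else
        echo "host-only, blog never sees it: $hdr"
    fi
done
```

The Path attribute is deliberately ignored: it is not a security boundary, so a blog under example.com/blog shares every cookie of example.com regardless of path.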

------
pen2l
Wordpress is not as insecure as people think, it's only insecure when you
start loading unknown plugins and such (which it seems a lot of people do do).
My wordpress site has been up for about 4 years without me updating it or
doing anything at all to it... and somehow it still hasn't fallen down.

~~~
pjbrunet
I agree. I've been generally following WordPress news since 2004 (the
beginning of its popularity), and there's been no serious security problem in
many years, as long as you had open user registrations turned off. Why you would
allow a complete stranger access to your admin panels in the first place is
another debate, but basically: don't allow user registrations on your blog and
you're safe.

If you look back in history, the so-called "WordPress hacks" in the news had
nothing to do with a flaw in WordPress. What actually happened was, like in
the case of the Media Temple hack, the hacker got access to the MySQL database
and obviously all the blog data stored in MySQL was vulnerable. There was
never any indication that WordPress was the attack vector when all those big
hosts were affected. So what can you learn from that? Don't use shared
hosting. Shared hosting was never that reliable in the first place. From my
perspective, the shift to VPS was a big leap forward in terms of uptime for
most websites/blogs.

Another big problem was the "timthumb" plugin. But from 2004 onward, that was
really the only plugin that caused widespread problems for WordPress blogs, as
far as I can remember. Yes, some plugins are dangerous and maybe you want a
service like sucuri.net if you're really concerned about bad plugins. But bad
plugins are rare, IMO.

Also weak passwords, again not a WordPress-specific problem. People using FTP
carelessly, I bet that's the issue most of the time.

I'm not saying security is easy, I'm just saying WordPress is generally not
the culprit. If there was ever any major hack that made the mainstream news
that I missed, please post the link.

------
fsk
1. Apply all the security updates and patches as they come out. It's
literally just one click.

2. Don't get too fancy with too much customization (writing your own
plugins, weird post types).

3. Using a less mature blogging engine has its own problems. Rolling your own
blog engine is nuts.

4. You can find someone to write a wordpress theme for you pretty cheaply.

5. There's a reason so many websites run on wordpress.

6. If blogging isn't your core product, there isn't much point to using
something nonstandard. Would you write your own E-Mail system? Why not just
use the standard blogging system?

------
PebblesHD
We run it on a secondary box in our hosted environment. It's not able to
access any critical data and runs only two or three plugins that weren't
written in house. Basically we keep those up to date through WordPress and
patch our own stuff when issues pop up. Since it's a totally separate
environment it never really caused us any concerns about security, nor has it
ever really posed a problem.

------
twunde
If you are hosting in-house, keep it on a box by itself, separate from the
rest of your network. Then lock down the permissions so that a web user can't
write files. That should eliminate 98% of the security problems. If possible
you may want to consider running it in a chroot as well.
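One way to do the "web user can't write files" lockdown, as an added script of my own rather than twunde's setup: files belong to a deploy account (assumed name deploy), the PHP worker's group (assumed www-data) gets read only, and wp-content/uploads is the single writable exception, which is my assumption because media uploads need it. The scratch tree at the end is constructed so the script can be run anywhere.

```sh
#!/bin/sh
# Added example: make a WordPress checkout unwritable by the PHP worker.
# Assumptions: a separate deploy account owns the files, the worker runs in
# group www-data with read access only, and wp-content/uploads is the one
# directory that stays writable.
WP_OWNER=${WP_OWNER:-deploy}
WP_GROUP=${WP_GROUP:-www-data}

# usage: harden_wp_perms /path/to/wordpress
harden_wp_perms() {
    root=${1%/}
    # chown only when both accounts exist, so this is safe on a scratch tree
    if id "$WP_OWNER" >/dev/null 2>&1 && getent group "$WP_GROUP" >/dev/null 2>&1; then
        chown -R "$WP_OWNER:$WP_GROUP" "$root"
    fi
    find "$root" -type d -exec chmod 750 {} +   # owner rwx, group rx, others none
    find "$root" -type f -exec chmod 640 {} +   # owner rw,  group r,  others none
    if [ -d "$root/wp-content/uploads" ]; then  # the one place PHP must write
        find "$root/wp-content/uploads" -type d -exec chmod 770 {} +
        find "$root/wp-content/uploads" -type f -exec chmod 660 {} +
    fi
}

# usage: audit_wp_perms /path/to/wordpress
# lists anything group- or world-writable outside uploads; exit 1 if any
audit_wp_perms() {
    root=${1%/}
    bad=$(find "$root" -path "$root/wp-content/uploads" -prune -o \
               \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$bad" ]; then
        printf 'writable by the web worker:\n%s\n' "$bad"
        return 1
    fi
    echo "ok: nothing outside uploads is writable by the web worker"
}

# Constructed scratch tree standing in for a real install
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins/akismet" "$demo/wp-content/uploads"
printf '<?php\n' >"$demo/wp-config.php"
printf '<?php\n' >"$demo/wp-content/plugins/akismet/akismet.php"
chmod 666 "$demo/wp-config.php"   # the kind of thing a sloppy install leaves behind
audit_wp_perms "$demo" || true    # reports wp-config.php
harden_wp_perms "$demo"
audit_wp_perms "$demo"            # ok
rm -rf "$demo"
```

Run the audit from cron as well as after deploys: a plugin update or a one-off chmod 777 is exactly how a locked-down tree drifts back to writable.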

------
emergentcypher
We manage ours in-house, it doesn't change very often, it's mostly a matter of
staying on top of security patches. But we keep it on an entirely isolated vps
where it won't be able to break anything else when it gets hacked.

------
eonw
It's strange to me that a place full of developers and this is a question? is
installing, managing and securing a basic wordpress site really that much of a
hassle or headache, or even a stretch of basic web dev skills? If you can't
stand up, install and manage wordpress, at the very least, maybe you are on
the wrong forum?

you have to watch for security updates and changes for almost every other
thing you use in your work life (from OS to JS libs), why not just add
wordpress and the few plugins you use to that list?

------
amac
Open an AWS account, install WP on a server and just install the updates
within WP as necessary.

------
anthony_franco
We outsource it to WP Engine so we don't have to worry about it.

