With yesterday’s WPEngine hack, the case for not having a user hosting control panel just increased 100 fold. If you are a developer you need SSH access, but most WordPress “designers” are not that comfortable with Linux server (or Apache) system administration. In fact, most WordPress developers we know don’t really even fiddle at a high level with DNS.
The point is: harden the server and take care of all the items that the tech geeks in the developer/designer world do not want to deal with anyway, so they can get on with pleasing the client. Wordsrack specializes only in taking WordPress to scale for agencies with 25+ WordPress clients. Obfuscating even the simplest login URL and changing the admin username is discussed widely on the net, but in fact probably less than 5% take heed. When you’re talking about WP powering 25% of sites worldwide, that number is large. Thwarting attacks at the WordPress level is easy when the attack is a simple brute-force vector and the botnet is only trying to gain dashboard access. Defence against cross-site scripting (XSS) and injection should include some form of WAF in front of the server that deflects bots from each WP install individually, but that is not what is in place at the company level when we’re talking about a host like Media Temple, Pagely or WPEngine.
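The brute-force dashboard attacks mentioned above leave an obvious trail in the web server access log: a burst of POST requests to wp-login.php (or xmlrpc.php) from one client address. The following is an added example, not code from the original post or from Wordsrack, showing how a host might detect that pattern from the server side. It assumes Apache/Nginx combined log format; the log lines, IP addresses, threshold and window are constructed for illustration.

```python
"""Detect brute-force login bursts against WordPress from web server access logs.

Added example (not from the original post or Wordsrack): parses combined-format
access log lines, counts POSTs to the WordPress login endpoints per client IP
within a sliding time window, and reports the IPs that exceed a threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Endpoints a dashboard brute-force botnet hammers
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log: 203.0.113.7 (a documentation address) fires six
# login POSTs in 25 seconds; 198.51.100.5 logs in once like a normal user.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2015:18:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [12/Dec/2015:18:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2015:18:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2015:18:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [12/Dec/2015:18:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2015:18:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2015:18:00:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2015:18:00:25 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2841 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # Drop the query string so /wp-login.php?redirect_to=... still matches
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for IPs that sent at least `threshold` login POSTs
    inside any `window_seconds` span. Events are sorted by time first so an
    out-of-order log (e.g. merged from several workers) is handled correctly."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    events.sort(key=lambda ev: ev["ts"])

    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still in window
    flagged = {}
    for ev in events:
        if ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Slide the window: discard attempts older than window_seconds
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within 60s, candidate for blocking at the WAF/firewall")
```

The output of a detector like this is what a front-end WAF or a fail2ban-style jail acts on; the threshold and window here are deliberately low for the constructed sample and would be tuned against real traffic before blocking anything.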
The case for IaaS or even ITaaS strengthens every day. If you give a designer granular file access, for instance through a customized or proprietary panel to the wp-config.php file, you are doing a disservice if your “heroic” or “fanatical” support mechanism does not have a call center to address each and every instance of file modification. You don’t need SFTP if you have SSH, and most sysadmins get that. A noob with 5 WP installs on GoDaddy using plain FTP on port 21 gets all 5 sites hacked simultaneously… sorry, that’s an easy one. But is it?
Most CSS and JS issues can now be addressed through the WP theme editor in the dashboard for your child theme’s functions.php, JS and style/CSS files.
The fact is, we train our agencies to focus on their clients and WordPress directly while we take care of the heavy lifting of server security and DNS record keeping. There is NO account login except the one we allow customers so they can join a plan, which is initiated through the payment gateway API. Since everything concerning sensitive data is offloaded from our servers, a hack into our site or app could at most expose a customer’s name and email, and never a non-hashed password for anything, anywhere.
5 passwords on WPEngine. Seriously.
This post was updated on Dec 12, 2015 @ 6:09 pm EST