A Bank Website on WordPress

There’s a thread on Quora asking “I am powering a bank’s website using WordPress. What security measures should I take?” The answers have mostly been ignorant junk along the lines of “Oh NOES WP is INSECURE! let me take my money out of that bank”, so I wrote one myself, which I’ve copied below.

I agree there’s probably not a ton of benefit to having the online banking / billpay / etc portion of a bank’s website on WordPress, however there is no reason you couldn’t run the front-end and marketing side of the site on WordPress, and in fact you’d be leveraging WordPress’ strength as a content management platform that is flexible, customizable, and easy to update and maintain.

In terms of security, there are two simple points:

  1. Make sure you’re on the latest version of core and all the plugins you run, and update as soon as new versions become available.
  2. Use strong passwords for all user accounts. For extra credit you could enable a 2-factor plugin, use Jetpack’s WordPress.com login system, or restrict logged-in users to a certain IP range (like behind a VPN).

If your host doesn’t handle it, make sure you keep everything in your stack up to date as well, from the OS on up. Most modern WP hosts handle this (and updates) for you, and of course you could always run your site on WordPress.com VIP alongside some of the top sites in the world. If you use any non-core third party code, there’s no harm in having a security firm audit the source as well (an advantage of using open source).
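The “restrict logged-in users to a certain IP range” suggestion in point 2 is easy to get wrong, so here is one way to implement it as a WordPress must-use plugin. This is an added example, not code from the original post or from WordPress or Automattic; the plugin name, the `bank_` function names and the two CIDR ranges are constructed for illustration and would be replaced with the bank’s real VPN or office ranges. It only uses core hooks and functions that exist in WordPress (`admin_init`, `login_init`, `wp_doing_ajax()`, `wp_die()`).

```php
<?php
/**
 * Plugin Name: Restrict admin and login to a trusted IP range (illustrative example)
 * Description: Drop this file into wp-content/mu-plugins/ so it loads on every request
 *              and cannot be deactivated from the dashboard.
 */

// Constructed sample ranges: a VPN subnet and a documentation-range "office" subnet.
// Replace with the ranges your staff actually connect from (IPv4 and IPv6 both work).
const BANK_TRUSTED_RANGES = [ '10.8.0.0/24', '203.0.113.0/24' ];

/**
 * Return true when $ip falls inside the CIDR block $cidr.
 * Works on the packed binary form so IPv4 and IPv6 share one code path.
 */
function bank_ip_in_cidr( string $ip, string $cidr ): bool {
    if ( strpos( $cidr, '/' ) === false ) {
        return false; // Refuse malformed ranges rather than silently matching.
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_bin     = @inet_pton( $ip );
    $subnet_bin = @inet_pton( $subnet );
    // Reject unparsable addresses and IPv4-vs-IPv6 mismatches.
    if ( $ip_bin === false || $subnet_bin === false || strlen( $ip_bin ) !== strlen( $subnet_bin ) ) {
        return false;
    }
    $bits = (int) $bits;
    if ( $bits < 0 || $bits > strlen( $ip_bin ) * 8 ) {
        return false;
    }
    $full_bytes = intdiv( $bits, 8 );
    $remainder  = $bits % 8;
    // Compare the whole bytes covered by the prefix first.
    if ( substr( $ip_bin, 0, $full_bytes ) !== substr( $subnet_bin, 0, $full_bytes ) ) {
        return false;
    }
    if ( $remainder === 0 ) {
        return true;
    }
    // Then compare only the leading $remainder bits of the next byte.
    $mask = ( 0xFF << ( 8 - $remainder ) ) & 0xFF;
    return ( ord( $ip_bin[ $full_bytes ] ) & $mask ) === ( ord( $subnet_bin[ $full_bytes ] ) & $mask );
}

function bank_ip_is_trusted( string $ip ): bool {
    foreach ( BANK_TRUSTED_RANGES as $range ) {
        if ( bank_ip_in_cidr( $ip, $range ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Deny the request unless the client address is in a trusted range.
 * REMOTE_ADDR is used on purpose: X-Forwarded-For is attacker-controlled unless
 * a proxy you operate overwrites it, in which case resolve the real client IP
 * there and keep using REMOTE_ADDR here.
 */
function bank_restrict_admin_to_trusted_ips() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( ! bank_ip_is_trusted( $ip ) ) {
        wp_die( 'Access to this area is restricted.', 'Forbidden', [ 'response' => 403 ] );
    }
}

// Protect the login screen (wp-login.php) ...
add_action( 'login_init', 'bank_restrict_admin_to_trusted_ips' );

// ... and every wp-admin page, but leave admin-ajax.php alone since themes and
// plugins call it from the public front end for anonymous visitors.
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() ) {
        return;
    }
    bank_restrict_admin_to_trusted_ips();
} );
```

Two operational cautions: test the ranges from a non-trusted address before relying on it, because a typo in BANK_TRUSTED_RANGES locks you out of the dashboard (you would fix it over SFTP or SSH by editing or removing the file), and if the site sits behind a load balancer or CDN, REMOTE_ADDR will be the proxy’s address, so the restriction belongs at the proxy or the proxy must be configured to pass the client address through in a way PHP then trusts.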

For an example of a beautiful, responsive banking website built on WordPress, check out Gateway Bank of Mesa AZ. WordPress is also trusted to run sites for some of the largest and most security-conscious organizations in the world, including Facebook, SAP, Glenn Greenwald’s The Intercept, eBay, McAfee, Sophos, GNOME, Mozilla, MIT, Reuters, CNN, Google Ventures, NASA, and literally hundreds more.

As the most widely used CMS in the world, many people use and deploy the open source version of WordPress in a sub-optimal and insecure way, but the same could be said of Linux, Apache, MySQL, Node, Rails, Java, or any widely-used software. It is possible and actually not that hard to run WordPress in a way that is secure enough for a bank, government site, media site, or anything.

If you wanted any help on this feel free to reach out to Automattic as well, we have a decade of experience now dealing with high-risk, high-scale deployments, and also addressing the sort of uninformed FUD you see in this thread.

If you’ve developed a major bank site in WordPress leave a link in the comments.

What is music? There’s no end to the parade of philosophers who have wondered about this, but most of us feel confident saying: ‘I know it when I hear it.’ Still, judgments of musicality are notoriously malleable. That new club tune, obnoxious at first, might become toe-tappingly likeable after a few hearings. Put the most music-apathetic individual in a household where someone is rehearsing for a contemporary music recital and they will leave whistling Ligeti. The simple act of repetition can serve as a quasi-magical agent of musicalisation. Instead of asking: ‘What is music?’ we might have an easier time asking: ‘What do we hear as music?’ And a remarkably large part of the answer appears to be: ‘I know it when I hear it again.’

Elizabeth Hellmuth Margulis writes on why we love repetition in music and the neurological effects repeated songs have on us. Hat tip: Brian Groat.

Starting with the results helps refocus the day, clear away busy work, and make sure your actions and time are being spent with an eye on the results you want to achieve. Results, not just work.

Sara Rosso writes Start With The Result.