Title: Security
Last modified: August 22, 2016

---

# Security

 *  [katrinashaw](https://wordpress.org/support/users/katrinashaw/)
 * (@katrinashaw)
 * [11 years, 7 months ago](https://wordpress.org/support/topic/security-35/)
 * I work for a corporate organisation who are wanting to create a WordPress blog.
   Before we can do this we need to have our standard Security questions answered.
   I was hoping you could put me in touch with someone within your organisation 
   who can do this.
 * Thanks in advance

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [11 years, 7 months ago](https://wordpress.org/support/topic/security-35/#post-5342392)
 * Sorry, but there’s really no one to put you in touch with. This is a volunteer
   staffed support forum for an opensource software platform. 😉
 * > Before we can do this we need to have our standard Security questions answered.
 * What questions do you have? You won’t find anything as formal as a SAS 70 (see
   opensource volunteer staffed software platform reference above) but generic questions
   can be answered here by many people.
 *  Thread Starter [katrinashaw](https://wordpress.org/support/users/katrinashaw/)
 * (@katrinashaw)
 * [11 years, 7 months ago](https://wordpress.org/support/topic/security-35/#post-5342601)
 * Security Component
 * 1) Security Policy
    a) Does the organisation have a Security Policy? If yes, how is the awareness and compliance with this policy promoted within the organisation and with its business partners?
 * 2) Physical Security
    a) What physical access controls exist within the organisation’s Data Centre(s) to restrict access to systems that may directly or indirectly handle Customer data to authorised personnel?
    b) What environmental controls exist within the organisation’s Data Centre(s) to protect Customer data stored on systems within this environment?
 * 3) Back-ups
    a) What process is employed by the organisation to back up critical data? Has this process been documented?
    b) How regularly are backups performed?
    c) Are back-up logs maintained to track when and what data has been backed up? Who has access to these logs?
    d) Are the backups stored securely offsite? If so, where?
    e) Does regular testing of backups occur? If so, how regularly and what type of testing is performed?
 * 4) Disaster Recovery Plan (DRP)
    a) Does the organisation have a documented disaster recovery plan?
    b) If the organisation does have a disaster recovery plan, how regularly is this plan tested?
    c) What priority would be given to restoring services provided to the Customer in the event of a disaster?
 * 5) Logging/Auditing/Monitoring
    a) What logging occurs at the network, system and application levels on hosts that may directly or indirectly handle Customer data?
    b) What type of information is captured in these logs, and is it sufficient to allow a particular event to be traced back to its source?
    c) Are all logs “read only” and tamper proof? Where are they stored (i.e. locally on the host or in a central location)?
    d) Are the logs reviewed? If so, how regularly?
    e) How long are the logs archived for?
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [11 years, 7 months ago](https://wordpress.org/support/topic/security-35/#post-5342604)
 * Those are very good questions and standard ones too. But I think you might be
   mistaking this place (WordPress.ORG) for another place (WordPress.COM) and those
   questions don’t really apply here.
 * This place is for supporting WordPress _software_ that users or companies install
   on their own systems in their own data center. In that scenario your own staff
   would answer those questions for yourself.
 * WordPress.COM (not this place) hosts blogs using the software that is provided
   here. Those questions may apply to them and you may wish to contact them on their
   separate forums.
 * [http://en.support.wordpress.com/](http://en.support.wordpress.com/)
 * You will need to create a .COM user ID and password there (the accounts from 
   here do not work there) but that’s not difficult to do.
 * [https://signup.wordpress.com/signup/](https://signup.wordpress.com/signup/)
 * Once you are there then you can post those questions in the .COM forums.
 * The differences between .COM and .ORG are detailed in this article.
 * [http://en.support.wordpress.com/com-vs-org/](http://en.support.wordpress.com/com-vs-org/)
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [11 years, 7 months ago](https://wordpress.org/support/topic/security-35/#post-5342648)
 * Some of those make sense for WPORG though, considering it does push out updates
   for plugins etc.
 * Tagging this for someone who may be able to help…
 *  [kf4tvi](https://wordpress.org/support/users/kf4tvi/)
 * (@kf4tvi)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/security-35/#post-5342724)
 * For security reasons, I was wondering if the Core Wp Software could treat the
   username/userID/loginname in the same manner as it does the passwords? I was 
   wondering if it could be set up so that on the first login of a new user, including
   the admin accounts, you are instructed to create a ‘nickname’ and if desired ‘
   first’ and ‘last’ names as well, then the user must select which of those entries
   or combination of first and last names is to be used for front-end publicly visible
   stuff like ‘author pages’ or ‘posted by’ or the name displayed in wp chat plugins
   etc. etc… so the actual login name NEVER becomes publicly visible, just like 
   the password? It seems like we’re essentially giving hackers half of the puzzle
   before they even get started by allowing this…am I right, or super paranoid wrong
   on this?
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [11 years, 6 months ago](https://wordpress.org/support/topic/security-35/#post-5342725)
 * [@kf4tvi](https://wordpress.org/support/users/kf4tvi/) That’s not really related
   to this topic but here goes:
 * > For security reasons, I was wondering if the Core Wp Software could treat 
   > the username/userID/loginname in the same manner as it does the passwords?
   > . . .
   > It seems like we’re essentially giving hackers half of the puzzle before they
   > even get started by allowing this…am I right, or super paranoid wrong on this?
 * Think in terms of risk. Can you really restrict your user ID getting out there?
   Unless you also use user IDs such as SAaJw32S!!*22 (which I don’t recommend by
   the way) then your user ID will remain something that’s guessable and that’s 
   alright. The user ID getting out there is something that’s conceded.
 * WordPress like many platforms does use and display the user ID in lots of places.
   The reason that’s alright is because of that concession. The security is in the
   password and not the user ID.
 * There are plugins that will obscure or not display the author ID but those are
   add-ons. WordPress at its core would need to be modified to not display those
   user IDs.
 * Or if someone has a patch that can be implemented without breaking existing installations
   (that’s a big ask!) then that would help move the idea forward.
   that’s a big ask!) then that would help move the idea forward.
 * Note: yes, WordPress recommends that you don’t use admin because many scripts
   hammer at that user ID all day and night long. But if the password for the admin
   account is sufficiently strong then it really doesn’t matter.
 * Note for the note: most users use weak passwords. I use 1Password myself to deal
   with that and there are other aids. 😉
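The moderator's point above is that the user ID is conceded and the defence lies in the password, while scripts "hammer at" the `admin` account day and night. From a defender's stance that makes failed-login monitoring (the thread starter's question 5) the useful control. The following is an added example, not code from this thread or from WordPress: a small detector run over constructed login-audit lines (the one-line-per-attempt format below is invented for the example and is not WordPress's own log format). It keys failed attempts both by source IP, which catches a single script, and by target username, which catches attempts spread over many IPs against one conceded user ID such as `admin`.

```python
"""Brute-force login detection over constructed login-audit lines.

Added example; the log format, IPs and usernames below are constructed
for illustration and are not WordPress's own logging format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample 1: one legitimate user plus one script hammering "admin"
# from a single source IP (six failures in five seconds).
SAMPLE_SINGLE_SOURCE = """\
2016-08-22T10:00:01Z 198.51.100.7 login_ok user=katrina
2016-08-22T10:00:05Z 203.0.113.5 login_failed user=admin
2016-08-22T10:00:06Z 203.0.113.5 login_failed user=admin
2016-08-22T10:00:07Z 203.0.113.5 login_failed user=admin
2016-08-22T10:00:08Z 203.0.113.5 login_failed user=admin
2016-08-22T10:00:09Z 203.0.113.5 login_failed user=admin
2016-08-22T10:00:10Z 203.0.113.5 login_failed user=admin
2016-08-22T10:05:00Z 198.51.100.7 login_failed user=katrina
2016-08-22T10:05:30Z 198.51.100.7 login_ok user=katrina
"""

# Constructed sample 2: the same conceded user ID attacked from five
# different IPs, one failure each, so no single IP looks noisy.
SAMPLE_DISTRIBUTED = """\
2016-08-22T11:00:00Z 203.0.113.9 login_failed user=admin
2016-08-22T11:00:01Z 203.0.113.10 login_failed user=admin
2016-08-22T11:00:02Z 203.0.113.11 login_failed user=admin
2016-08-22T11:00:03Z 203.0.113.12 login_failed user=admin
2016-08-22T11:00:04Z 203.0.113.13 login_failed user=admin
"""

# <timestamp> <source ip> <outcome> user=<login name>
LINE_RE = re.compile(r"^(\S+) (\S+) (login_ok|login_failed) user=(\S+)$")


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that
    do not match the expected (constructed) format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m.group(2),
        "ok": m.group(3) == "login_ok",
        "user": m.group(4),
    }


def find_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return sorted alert keys, each ("ip", addr) or ("user", name), for
    which at least `threshold` failed logins occurred inside `window`.

    Failures are tracked in a sliding window per source IP and per target
    username; successful logins are ignored. The per-user key is what
    catches a distributed attempt against one well-known user ID."""
    recent = defaultdict(deque)  # key -> timestamps of failures in window
    alerts = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["ok"]:
            continue
        for key in (("ip", ev["ip"]), ("user", ev["user"])):
            q = recent[key]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.add(key)
    return sorted(alerts)


if __name__ == "__main__":
    print("single source:", find_bursts(SAMPLE_SINGLE_SOURCE))
    print("distributed:  ", find_bursts(SAMPLE_DISTRIBUTED))
```

On the first sample both the source IP and the `admin` username cross the threshold; on the second only the username does, which is the case a per-IP-only rule would miss. The threshold and window are deliberately parameters, because the right values depend on how noisy legitimate typos are on a given site.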
 *  [kf4tvi](https://wordpress.org/support/users/kf4tvi/)
 * (@kf4tvi)
 * [11 years, 6 months ago](https://wordpress.org/support/topic/security-35/#post-5342729)
 * Thanks for your reply.


The topic ‘Security’ is closed to new replies.

## Tags

 * [nacin](https://wordpress.org/support/topic-tag/nacin/)
 * [otto42](https://wordpress.org/support/topic-tag/otto42/)

 * In: [Requests and Feedback](https://wordpress.org/support/forum/requests-and-feedback/)
 * 7 replies
 * 4 participants
 * Last reply from: [kf4tvi](https://wordpress.org/support/users/kf4tvi/)
 * Last activity: [11 years, 6 months ago](https://wordpress.org/support/topic/security-35/#post-5342729)
 * Status: not resolved
