WordPress/ClassicPress does not contain many core guides. I see this as a key area for improvement, especially where security is concerned.
Privacy policy guide
The guide isn’t too bad, but one thing missing is the recommendation to display the PP’s last update time/effective date. Even large websites often neglect this, for example Softaculous’s policy makes no mention of the last time their PP was updated, yet at the same time says “We may update this privacy statement to reflect changes to our information practices. We encourage and advice you to periodically review this page …” and in fact it says it twice! Yet there’s no easy way for a user to tell when it was last changed without re-reading the whole policy.
Password, login, and comment security
This is one area where I would like to see improvement. It’s definitely important for a “business focused” CMS. The first thing I would like to see is all login forms and comment forms removed and inaccessible from the insecure (http://) version of a ClassicPress installation, where the website has HTTPS. So… like this:
You could also just change the form to force https, I am aware of that, however that approach has a couple of drawbacks. Those are that the user will still see “http://” not “https://” in the address bar, and that browsers will still pop up warnings even if the form itself directs to https. I reiterate, the behaviour should only occur when the website has a https:// version available; if people still want to make http:// only websites that’s their choice.
Now as for passwords themselves. Well, you could go full NIST, but what I would like to see personally is an informative approach: educating users, not forcing standards by default (although you could certainly give the option in the settings to enforce a minimum standard). Here is where I think we do need a new guideline written that is clear and concise to users. It should be used in combination with a password checker that performs two operations:
- Checks if the inputted password is present in the haveibeenpwned database (there’s an API and even existing plugins that make use of it). Of course I would strongly suggest making a backup service available from the ClassicPress server as well - relying on a single server for this will never be a good idea. This would be a very powerful way of informing users when a password, one they are likely to be re-using, has already been hacked in the past, and the benefits will be far greater than for the CMS alone. I would also strongly suggest the wording where the password is found in the “haveibeenpwned” database informs the user that if they use the password elsewhere they should think about changing it, and directs them to the password guide.
- Checks the strength/entropy of the password. As this likely requires a decent load of computational power I would suggest doing it client-side in JavaScript.
Possibly a password generator should also be provided.
The guide needs to be simple, practical, and non-threatening. There’s no point in telling people they “must” do this or they “must” do that - presenting options is the best way. For example, it’s best to use a password manager for most passwords with strong random passwords, but a strong unique password for an individual use is also acceptable, and people can be given 2 or 3 options to direct selection of a good password. Weak passwords should only be used in situations where security is not essential.
As we know, passwords have been hugely problematic but they don’t have to be.
Migrating from a Softaculous installation of WordPress
At present, after migrating to ClassicPress from a Softaculous installation of WP, Softaculous will display a notification to update the site to the latest version of WordPress. There is a safe, easy way to prevent this though - remove the record in Softaculous. To do that follow this guide.