User guides & Security - areas of improvement

#1

WordPress/ClassicPress does not contain many core guides. I see this as a key area for improvement, especially where security is concerned.

Privacy policy guide

The guide isn’t too bad, but one thing missing is the recommendation to display the PP’s last update time/effective date. Even large websites often neglect this, for example Softaculous’s policy makes no mention of the last time their PP was updated, yet at the same time says “We may update this privacy statement to reflect changes to our information practices. We encourage and advice you to periodically review this page …” and in fact it says it twice! Yet there’s no easy way for a user to tell when it was last changed without re-reading the whole policy.

Password, login, and comment security

This is one area where I would like to see improvement. It’s definitely important for a “business focused” CMS. The first thing I would like to see is all login forms and comment forms removed and inaccessible from the insecure version of a ClassicPress installation, where the website has HTTPS. So… like this:

You could also just change the form to force https, I am aware of that; however, that approach has a couple of drawbacks. Those are that the user will still see “http://” not “https://” in the address bar, and that browsers will still pop up warnings even if the form itself directs to https. I reiterate, the behaviour should only occur when the website has a https:// version available; if people still want to make http:// only websites, that’s their choice.

Now, as for passwords themselves. Well, you could go full NIST; what I would like to see personally is an informative approach. Educating users, not forcing standards by default (although you could certainly give the option in the settings to enforce a minimum standard). Here is where I think we do need a new guideline written that is clear and concise to users. It should be used in combination with a password checker that performs two operations:

  1. Checks if the inputted password is present in the haveibeenpwned database (there’s an API and even existing plugins that make use of it). Of course I would strongly suggest making a backup service available from the ClassicPress server as well - relying on a single server for this will never be a good idea. This would be a very powerful way of informing users when a password, one they are likely to be re-using, has already been hacked in the past, and the benefits will be far greater than CMS alone. I would also strongly suggest the wording where the password is found in the “haveibeenpwned” database informs the user that if they use the password elsewhere they should think about changing it, and directing to the password guide.

  2. Checks the strength/entropy of the password. As this likely requires a decent load of computational power, I would suggest doing it client-side in JavaScript.

Possibly a password generator should also be provided.

The guide needs to be simple, practical, and non-threatening. There’s no point in telling people they “must” do this or they “must” do that; presenting options is the best way. For example, it’s best to use a password manager for most passwords with strong random passwords, but a strong unique password for an individual use is also acceptable, and people can be given 2 or 3 options to direct selection of a good password. Weak passwords should only be used in situations where security is not essential.

As we know, passwords have been hugely problematic but they don’t have to be.

Migrating from a Softaculous installation of WordPress.

At present, after migrating to ClassicPress from a Softaculous installation of WP, Softaculous will display a notification to update the site to the latest version of WordPress. There is a safe, easy way to prevent this though: remove the record in Softaculous. To do that, follow this guide.

6 Likes
#2

Alright, there is a lot to unpack here… Generally speaking, the reason we have the petitions process is to better organize improvements to ClassicPress core, and I would recommend making threads for individual suggestions on https://petitions.classicpress.net/ in order to move forward with those. Some of these suggestions also already exist there.

Having said that, though, we do plan to take a more hands-on approach related to security improvements specifically. An initial home for these proposals could be as optional enhancements added to our upcoming security screen.

And as far as user guides… yes, we need a team lead for documentation :wink:

I think actually there is a lot of room for improvement here, as right now there is no place for users to understand what data we collect from each ClassicPress installation and why. So this is already part of our plans.

Adding a “last updated” date is a good suggestion too, thank you!

I would argue instead that making http-only websites available is a bad choice and something we should discourage. Some clarifying questions about this:

  • How do we know reliably that a site supports HTTPS? (There is not an easy answer to this that works reliably for all cases, even doing an HTTPS request back to the same site will fail under some circumstances.)
  • If a site supports both HTTP and HTTPS, wouldn’t we be better served by forcing the redirect to HTTPS instead? (I think the answer is yes, but if you are aware of a reason not to do this then I’d be interested to hear it.)
  • If a site doesn’t support HTTPS, wouldn’t we be better served by adding a notice that encourages the site owner to set this up?

See: https://petitions.classicpress.net/posts/63/default-support-for-hibp - and please leave your vote/comments there too!

I don’t have a test site with registration enabled handy right now, but isn’t this already present in every place where WordPress asks you to set a password?

#3

Good to know - can you create a separate thread for this, and/or suggest a place to fit it into our existing documentation at https://docs.classicpress.net/ ?

#4

Hopefully this last one might not be necessary. Softaculous are currently assessing CP with a view to add it in with their other software applications.

https://www.softaculous.com/board/index.php?tid=14799&title=Classicpress

#5

And if you want to keep using Softaculous in the meantime, then you can disable the update email notifications in the settings. I rarely go into Softaculous so the warning in cPanel doesn’t bother me.

http://www.softaculous.com/docs/enduser/unsubscribe-email-notifications/

I prefer to keep my CP sites in Softaculous because I can do scheduled backups to Google Drive.