IT Departments, Infrastructure & Security
One common complaint we see time and time again within higher education surrounds the scope of responsibility handed to the IT department. Your IT department has managed the inner digital workings of your organization for years, and their responsibility is only growing.
They’re tasked with ensuring that your campus is wired and connected. They manage hardware ranging from printers to ID card readers to routers to servers to backups to who knows what else. And now, we expect them to manage dozens of software applications from websites to course catalogues to directories and digital signage systems.
Beyond the sheer scope of work we heave onto our IT teams, we expect them to be digital marketers and content strategists as well. We expect that building a website is purely a matter of engineering. We expect them to be able to manage the diverse needs of higher ed (and the interesting ‘characters’ that work throughout universities).
WordPress as a platform can help IT departments quickly roll out robust solutions, without the overhead of continually needing to become experts in new proprietary platforms. The ease of use and training that we see with content creators is reflected at the engineering level as well. The massive amount of documentation, support literature, and readily available resources makes it easy to customize WordPress to your particular needs.
Finding new staff is easy due to a large hiring pool, and there is no shortage of agencies and consultants to help get projects off to the right start.
The technical infrastructure that runs your digital platforms is as key a decision as the software itself. The ‘stack’ that runs WordPress is easy to set up and run. There are literally millions of instances of WordPress running on servers across the world.
WordPress is extremely easy to get started with, but becoming an expert is a significant undertaking. Ensuring that WordPress runs lightning fast, functions on any device, and is reliable is a complicated job that requires coordination between a number of experts with diverse skill sets. For any CMS, site performance is a blend of code, content, and infrastructure. A slow or under-performing site could be the victim of some inefficient code. It could also be the result of a poorly configured server. It could be the result of a massive spike in traffic, or potentially people coming up with creative uses for your platform that you hadn’t planned on (think Napster in the 90s). Managing the relationship between code and infrastructure is a challenge for any IT department regardless of what software platform they’re running.
There are a number of massive websites that currently run on WordPress that act as exceptional case studies on infrastructure best practices and demonstrate that it can work extremely well.
When thinking about infrastructure and performance, we often encourage universities to partner with dedicated managed hosting vendors. There are hosting partners that specialize in scaling WordPress for massive amounts of traffic, content, and users. The underlying infrastructure of your digital platforms is essential – it can be more cost effective and reliable to employ a specialist than to build the internal competency and staffing support. If your website hits a bump at 3am on Christmas Eve, who do you want to solve it?
Outsourcing key components of your organization is not to be taken lightly though. There is no shortage of managed WordPress hosts out there that claim to provide the kind of service and support that you need. That said, not all managed hosts are created equal. Interview your infrastructure partner with as much diligence as you would a development or design partner.
Any quick Google search about WordPress will surface accusations that it is insecure. To be sure, a poorly configured, amateurishly coded, unmaintained, and cheaply hosted WordPress site is ripe for tragic security exploits. WordPress is easy to set up. It is also the most popular CMS by a long shot and as a result there are millions of poorly secured or unmaintained installs all over the world that routinely suffer attacks. These attacks make the headlines and give WordPress a bad reputation. The good news is that a solid security plan and best practices in code and infrastructure can result in a secure website that is easily managed throughout any security concern.
The Basics of WP Security
We start with the assumption that any site, no matter how secure, could be compromised. While not the rosiest of assumptions, this necessitates a recovery plan. That recovery plan is what lets us sleep soundly at night.
Code lives in source control. This is a standard best practice of web engineering today – but it’s not always followed. By storing our code in a source control repository, like Git, we are able to roll a site back to any point instantly. That means if a hacker is able to compromise the code on your site, you can instantly rewind the site to its pre-hack state. This doesn’t solve the problem, but quickly resolves the symptoms. Whether you’re using WordPress or not – as a stakeholder you should insist that your developer is using modern source control.
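One way to put that rollback into practice, as an added example rather than the authors' own tooling: list what differs from a known-good commit, keep a copy of the altered files for the investigation, then rewind. The function names and the constructed demo site are assumptions.

```shell
#!/bin/sh
# Added example; function names and the demo repository are hypothetical.

# List paths that differ from a known-good commit: tracked files that were
# modified or deleted, plus untracked files such as a dropped-in script.
# Caveat: paths matched by .gitignore (often uploads/) are not listed.
site_drift() {
    root=$1; good=$2
    git -C "$root" diff --name-only "$good" --
    git -C "$root" ls-files --others --exclude-standard
}

# Copy the drifted files aside for the investigation, then rewind the
# working tree to the known-good commit. Prints the evidence directory.
site_rollback() {
    root=$1; good=$2
    evidence=$(mktemp -d) || return 1
    site_drift "$root" "$good" | while IFS= read -r f; do
        [ -e "$root/$f" ] || continue          # deleted files have no copy
        mkdir -p "$evidence/$(dirname "$f")"
        cp -p "$root/$f" "$evidence/$f"
    done
    git -C "$root" reset -q --hard "$good" &&
        git -C "$root" clean -fdq &&
        printf '%s\n' "$evidence"
}

# Constructed demo: a one-file site, one commit, then a simulated compromise.
make_demo_site() {
    d=$(mktemp -d) || return 1
    git -C "$d" init -q
    printf '<?php echo "home";\n' > "$d/index.php"
    git -C "$d" add index.php
    git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'known-good release'
    printf '<?php /* tampered */\n' > "$d/index.php"   # modified tracked file
    printf '<?php /* dropped */\n' > "$d/cache.php"    # new untracked file
    printf '%s\n' "$d"
}
```

Because ignored paths are skipped, directories such as uploads need their own integrity check outside Git.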
Your code is effectively backed up because it is in source control. The next step is to solve for data. While most web administrators know the importance of backups, very few test their backups routinely. With support from your infrastructure partner or your IT team, the workflow for resetting a site based on backups should be tested frequently. There are too many sob stories of corrupted backups that were only discovered when they were needed.
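A restore drill along these lines, as an added example that is not the authors' workflow: unpack the backup into a scratch directory, verify every file against checksums recorded at backup time, and confirm the database dump was not cut short. The archive layout, the function names and the use of mysqldump with its default trailing comment are assumptions.

```shell
#!/bin/sh
# Added example; the archive layout (files/, db.sql, MANIFEST.sha256) and
# function names are hypothetical. Assumes tar with gzip and sha256sum.

# Restore drill: unpack the backup into a scratch directory and prove it is
# usable. Prints one verdict line; returns non-zero on any failure.
restore_drill() {
    archive=$1
    scratch=$(mktemp -d) || return 2
    tar -xzf "$archive" -C "$scratch" 2>/dev/null ||
        { echo "unreadable archive"; return 1; }
    [ -f "$scratch/MANIFEST.sha256" ] ||
        { echo "no manifest"; return 1; }
    # Every file must match the checksum recorded at backup time.
    ( cd "$scratch" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 ) ||
        { echo "checksum mismatch"; return 1; }
    # mysqldump (comments enabled) ends with "-- Dump completed on ...";
    # a dump cut short by a full disk or dropped connection does not.
    tail -n 1 "$scratch/db.sql" | grep -q '^-- Dump completed' ||
        { echo "truncated database dump"; return 1; }
    echo "restore ok"
}

# Constructed sample backup; $1 = complete | cutoff selects the dump ending.
make_sample_backup() {
    src=$(mktemp -d) || return 2
    mkdir -p "$src/files"
    echo 'syllabus' > "$src/files/upload.txt"
    echo 'INSERT INTO wp_posts VALUES (1);' > "$src/db.sql"
    if [ "$1" = complete ]; then
        echo '-- Dump completed on 2024-01-01  3:00:00' >> "$src/db.sql"
    fi
    ( cd "$src" && sha256sum files/upload.txt db.sql > MANIFEST.sha256 )
    tar -czf "$src.tar.gz" -C "$src" .
    printf '%s\n' "$src.tar.gz"
}
```

Run on a schedule, a verdict other than "restore ok" is the signal to fix the backup job before the backup is needed.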
The library of open source plugins available to extend the functionality of WordPress is one of its greatest features. It’s also a significant concern. Every plugin we use undergoes an extensive security audit before it gets deployed. This is necessary to ensure that we are not introducing any security or performance issues.
There are a number of aspects of any website, let alone a WordPress site, where best practices can be applied to lock down the system. This is largely a question of hosting and server-side security, but we also like to make a point of blocking unused APIs, system information files, or any other avenues that a hacker might explore in an effort to compromise your site.
One of the biggest liabilities on any system is a weak password. There are a number of approaches that we take depending on the details of the project, to ensure that user-based security risks are minimized. We can limit the login attempts for an IP address within some period of time, set up two-factor authentication, and we can block WordPress authentication entirely and rely on an external authentication service.
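The per-IP login limit, shown from the detection side as an added example (not the authors' tooling): a sliding-window count of failed logins over constructed access-log lines, which is the same decision a limiter makes before blocking. The log format, the function names and the status-code convention are assumptions.

```shell
#!/bin/sh
# Added example; the log format and function names are hypothetical.
# Input lines: "<epoch_seconds> <client_ip> <method> <path> <status>".
# Assumption: a failed WordPress login re-renders the form (HTTP 200),
# while a successful one redirects (HTTP 302).

# Usage: flag_login_bursts MAX WINDOW < log
# Prints "<ip> <time>" the first time an IP has more than MAX failed logins
# inside any sliding WINDOW-second span.
flag_login_bursts() {
    awk -v max="$1" -v window="$2" '
    $3 == "POST" && $4 == "/wp-login.php" && $5 == 200 {
        ip = $2; ts = $1 + 0
        if (!(ip in head)) { head[ip] = 1; tail[ip] = 0 }
        tail[ip]++
        seen[ip, tail[ip]] = ts
        # Drop attempts that have aged out of the window.
        while (seen[ip, head[ip]] <= ts - window) {
            delete seen[ip, head[ip]]
            head[ip]++
        }
        if (tail[ip] - head[ip] + 1 > max && !(ip in flagged)) {
            flagged[ip] = 1
            print ip, $1
        }
    }'
}

# Constructed sample log (documentation address ranges, invented times).
sample_log() {
    cat <<'EOF'
1700000000 203.0.113.7 POST /wp-login.php 200
1700000005 203.0.113.7 POST /wp-login.php 200
1700000009 198.51.100.4 POST /wp-login.php 200
1700000010 203.0.113.7 POST /wp-login.php 200
1700000012 198.51.100.4 POST /wp-login.php 302
1700000020 203.0.113.7 POST /wp-login.php 200
1700000400 192.0.2.9 POST /wp-login.php 200
1700000700 192.0.2.9 POST /wp-login.php 200
1700001000 192.0.2.9 POST /wp-login.php 200
1700001300 192.0.2.9 POST /wp-login.php 200
1700001310 192.0.2.9 GET /wp-login.php 200
EOF
}
```

With a limit of 3 in 60 seconds only the burst from 203.0.113.7 is flagged; the client that fails once every five minutes stays under a short window, which is why the window length matters as much as the count.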
Security is the other facet of WordPress infrastructure where we like to reference a partner. Sucuri is a digital security firm that has proven to be a leader in supporting large organizations with their needs surrounding web security and mitigation. CEO Tony Perez is a frequent contributor to the WordPress community and knows how to support internal IT teams in their quest for keeping your digital properties safe and secure.
The managed WordPress hosting market has grown greatly in the last few years. We’ve found the following hosts to be the right blend of performance, reliability, and customer service and support.