In part one of our “Audience Questions From Our Fund Websites Webinar” mini series, we answered inquiries about miscellaneous topics such as fund data and publication workflow. In this second post, we respond to the questions surrounding a popular topic — WordPress security.
The subject of security deserves separate attention. Besides being the number one concern of financial institutions, there is a misconception floating around about WordPress — one that claims the platform has weak security. We’ve already debunked this allegation in a previous article, and made a point of stating the facts during the webinar as well.
Since security for fund websites was one of the hottest topics of our webinar, we decided to cover all of the questions asked about this theme in one post. Below are the answers to the security-related questions we were unable to get to during the webinar itself.
#1 How do you ensure WordPress plugins and software updates do not compromise security?
We research each plugin and carefully select those that are kept up to date with the latest version of WordPress. It’s important that they are also verified for enterprise levels of security. All of the plugins we use are the result of demand from our enterprise clients, who share our desire to provide a secure environment.
Additionally, any WordPress software update is tested by the Kurtosys development team. This is to make sure there aren’t any gaps in security with the rollout of the new update.
#2 What type of plugins are available for secure access to different areas of your website?
In the wealth management segment, for example, we provide a strong form of authentication, which includes the option of mobile/text/voice as a two-factor authentication mechanism. Additionally, we allow for softer forms of authentication for gated content or regulatory-bound content. Our plugins accommodate comprehensive needs for configuring features such as password strength and format, browser fingerprinting, challenge questions, and automated registration and password-reset workflows. We also support SAML 2.0 for Single Sign-On.
#3 How can you enhance the security around accessing the site?
WordPress sites usually get hacked through the login area. We recommend using two-factor authentication to ramp up security here. The most common form of two-factor authentication will prompt you to enter your username and password as usual, but then directs you to a second step that requires you to confirm your identity on a secondary device such as a cellphone or tablet. There are a number of plugins, such as SecSign and Clef, but we highly recommend using Duo.
#4 What about encryption for sensitive information?
Sensitive information is contained in our UDM database, which uses encryption of all data being transferred over the wire (in transit) as well as encryption of the database on disk (at rest). We do not store sensitive information in the WordPress MySQL database itself.