It seems that every day there is a new article about a vulnerability found in a popular WordPress plugin installed on millions of sites. We don’t have millions of users (yet), but for the estate agents we do work with, we want to make sure our offering is as secure as possible.
We’ve just released version 2.0.10 of Property Hive, which included a couple of security improvements. I wanted to take this as an opportunity to talk more about security and outline what we do behind the scenes.
We’ve written in the past about how as a WordPress user you can keep your site safe, but unfortunately you have no control over the code for the individual plugins installed on your site. This is where we come in…
What do we do to make Property Hive secure?
Sanitise input
We ensure that all data input by users, both on the frontend and in the WordPress backend, is sanitised. This means we clean the data to ensure it’s in the format we expect (for example, an ID is cast to an integer and HTML is stripped from a plain-text field) before it’s used by our system or stored in the database. Sanitising on the way in is not a substitute for escaping on the way out; we do both.
Escape output
Before any data from Property Hive is sent to be displayed on a user’s screen, we escape it. This means that anything which could be interpreted as code (such as HTML or JavaScript) is rendered as plain text rather than executed, preventing Cross-Site Scripting (XSS) attacks. The escaping depends on where the data lands: an HTML body, an HTML attribute and a URL each need a different escaping function.
Nonces
Nonce stands for Number Used Once. Nonces are a security measure used to protect against CSRF (Cross-Site Request Forgery) attacks. We use nonces in Property Hive to ensure that any action or request is genuine and originated from a form or link our own plugin generated, preventing unauthorised actions triggered from another site. Despite the name, WordPress nonces are valid for a limited time window (24 hours by default) rather than a single use, and they are tied to the current user and a specific action. A nonce proves where a request came from, not that the user is allowed to perform it, so it is always paired with the capability check below.
Validate users’ capabilities
We check and validate the capabilities of each user on every request, ensuring that they have permission to perform the action they are attempting. Hiding a menu item or button is not enough, because the underlying request can still be sent directly. This way, sensitive features and data are only accessible to users with the appropriate level of access.
Use as much WordPress in-built functionality as possible
WordPress comes with a wide range of built-in functions for sanitising, escaping, nonces, capability checks and database access that are regularly updated and maintained for security. By leveraging these functions wherever possible rather than writing our own, Property Hive benefits from the robust security measures of WordPress itself.
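The five measures above (sanitise input, escape output, nonces, capability checks and WordPress built-ins) come together in a single form handler. The following is an added example written for this article and is not Property Hive’s own code; the WordPress functions it calls are real, but the ph_example_ prefix, the action name, the field names and the post meta keys are hypothetical. It stores a property reference, asking price and listing URL against a post.

```php
<?php
/**
 * Added example (not Property Hive code) of a hardened WordPress admin form.
 * Hypothetical: the ph_example_ prefix, the 'ph_example_save' action, the
 * field names and the _ph_example_* meta keys. The WordPress API calls are real.
 */

// Render the form. Every dynamic value is escaped for the context it lands in.
function ph_example_render_form( $post_id ) {
    $reference = get_post_meta( $post_id, '_ph_example_reference', true );
    $price     = get_post_meta( $post_id, '_ph_example_price', true );
    $website   = get_post_meta( $post_id, '_ph_example_website', true );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'ph_example_save', 'ph_example_nonce' ); // adds hidden nonce and referer fields ?>
        <input type="hidden" name="action" value="ph_example_save">
        <input type="hidden" name="post_id" value="<?php echo esc_attr( $post_id ); ?>">

        <label>Reference
            <!-- esc_attr(): the value sits inside a quoted attribute -->
            <input type="text" name="reference" value="<?php echo esc_attr( $reference ); ?>">
        </label>
        <label>Asking price (GBP)
            <input type="number" name="price" value="<?php echo esc_attr( $price ); ?>">
        </label>
        <label>Listing URL
            <!-- esc_url(): rejects javascript: and other unsafe schemes -->
            <input type="url" name="website" value="<?php echo esc_url( $website ); ?>">
        </label>

        <!-- esc_html(): the value sits in the HTML body, so <script> becomes &lt;script&gt; -->
        <p>Current reference: <?php echo esc_html( $reference ); ?></p>
        <button type="submit">Save</button>
    </form>
    <?php
}

// Handle the submission. The checks run in this order on every request:
// origin (nonce) -> authorisation (capability) -> sanitise -> store.
add_action( 'admin_post_ph_example_save', 'ph_example_save' );

function ph_example_save() {
    // 1. CSRF: dies with a 403 unless the nonce matches this user and this action.
    check_admin_referer( 'ph_example_save', 'ph_example_nonce' );

    // 2. Authorisation: a valid nonce proves the request came from our form, not
    //    that the user may edit this post. Check against the specific post ID.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die(
            esc_html__( 'You are not allowed to edit this property.', 'ph-example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 3. Sanitise each field for the type we expect. wp_unslash() comes first
    //    because WordPress adds slashes to $_POST.
    $reference = isset( $_POST['reference'] ) ? sanitize_text_field( wp_unslash( $_POST['reference'] ) ) : '';
    $price     = isset( $_POST['price'] ) ? absint( $_POST['price'] ) : 0;                         // non-negative integer only
    $website   = isset( $_POST['website'] ) ? esc_url_raw( wp_unslash( $_POST['website'] ) ) : ''; // safe scheme, database form

    // 4. Store through the WordPress API, which prepares the SQL for us.
    update_post_meta( $post_id, '_ph_example_reference', $reference );
    update_post_meta( $post_id, '_ph_example_price', $price );
    update_post_meta( $post_id, '_ph_example_website', $website );

    // 5. Redirect back to the edit screen; wp_safe_redirect() refuses off-site hosts.
    wp_safe_redirect( add_query_arg( 'ph_example_saved', '1', get_edit_post_link( $post_id, 'raw' ) ) );
    exit;
}
```

The contrast with the unsafe version is what matters: writing `echo $_POST['reference'];` or interpolating the raw value into an SQL string would reintroduce XSS and SQL injection in one line each, and dropping either of the first two checks leaves the handler open to any logged-in user (no capability check) or to a forged cross-site request (no nonce).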
We work with vulnerability database Patchstack
Patchstack is a vulnerability database where security researchers report vulnerabilities they’ve found in plugins. Reports are sent to us in private first, and we’re given a period of time to release a fix before the report is published.
It’s never nice to hear that you’ve got a vulnerability in your code (we’ve had about 6 discovered in nearly 10 years), but it’s satisfying to have it fixed knowing you’ve potentially saved thousands of estate agents’ sites from being compromised. Because the fix only protects sites that install it, this is why it’s so important to keep your plugins up to date.
We’re open source
Being open source means that anyone can examine our code. This transparency is a strength, as it allows security researchers and our userbase to identify, report, and even fix potential security issues. We believe that this collaborative approach leads to a more secure plugin for everyone to benefit from.
Closing words
We understand the importance of security in the digital age, especially for estate agents who handle sensitive client information. That’s why we are committed to maintaining the highest standards to keep Property Hive secure, ensuring that our users can focus on their business without worrying about the security of their data.
Saying that, no plugin or software is 100% safe. Even if you run the latest version of every plugin, someone could still gain access through an insecure server, a weak password or an outdated theme. Our own website has been the victim of hacking in the past, and it really is crippling. Don’t leave it too late to realise how important security is. Take what steps you can to secure your property website today.