A week ago I learned about security headers and found weaknesses in this blog. In my previous post I did not mention that, besides mine, I checked other websites that I know are run on WordPress. All of them have the same problems, no matter where the WordPress page is hosted or stored. I contacted the Happiness Engineers and got feedback that my question would be forwarded to the Network Engineers. I am still waiting for an answer from them.
One thing that made me especially concerned was the blog post “stopmullware-on-the-security-of-27-of-the-websites-on-the-internet” written by Scott Arciszewski, which got deleted shortly after I read it – the post was about the priorities of Automattic, hint – security is not one of them. Here are some tweets which should explain why it was deleted:
Use Google and read for yourself who Scott is and what he does, and form your own picture of the situation.
But Scott is not the only one who is alarmed. Here is another article about a WordPress vulnerability. In fact, I have a feeling that suddenly everyone is writing about how insecure WordPress is. German media people seem to be a little slow – they are reporting on the update bug only now.
Long story short – I spent the whole week reading and understanding how it all works together – I touched on certificates and domains as well. My aim was to find out what I can do to improve the security of my website. My current answer – as long as I use WordPress, I cannot fix the security header issues. But the optimist inside me is really looking forward to the WordPress Network Engineers' answer. Maybe there is a way.