Chetarn

Out of my comfort zone – no. I’m used to working through code technicalities, just not of this flavour, my background is in scientific data analysis. The learning’s a matter of time, but I’m looking for my site to go live in the near future and I wanted to be relatively confident that anyone who happens to sign up is looked after.

The “business” side of things I have in mind may not even come to pass, but if it does then I do want to feel I have people’s details well kept, even though there won’t be any credit card info or the like as that’ll be dealt with by PayPal. I can rebuild the site if something gets screwed, that’s the game, and I can keep backups. My work isn’t the important thing here, it’s other people’s names and addresses.

I guess my basic questions are too broad-based – general security etc.. But I think I have enough to get started on the right foot. I’ve found a hosting company that looks fairly solid (no further comment there) and have enough to go by for now. I’ll come back with more specific questions!

Thanks very much to you both for your pointers and advice, very much appreciated.

Good pointers RE the plugins. I’m experienced with other languages and trying to pick up the PHP etc. as I go, so I am getting my hands dirty. I’ll bear that advice well in mind.

Having a theme “based on” 2010 could still mean there’s a chance of something screwed up, no? I don’t know what the “basing” entails, whether it’s largely cosmetic or what …

About passwords – browsing through my SQL databases, I see that there’s a password field for each dummy user I’ve registered, but that it’s in some encrypted format. Not that I guess it would matter if there’s an intruder in the database already, but just for argument’s sake, do the passwords have any value when they’re in this format? i.e. Are they easily (“easily”) decrypted?

And apologies in advance for this last bit, I’m going to break my silence on hosting companies which I said above I’d keep, but you tempted me – the buzz from some people that seem to be in the know looks like it’s in favour of Hostgator, but they have plenty of flashy unlimited offers. Still concerning, in your opinion? They do have a cartoon alligator though …

I’ll dish up plenty of thanks later on, but I’ll slip some in at this point too – all help is much appreciated.

TCBarrett – without asking you to go into detail, can you outline what makes a theme or plugin bad for security, are there some tell-tale signs that are relatively easy to pick out? I’m trying to keep plugins to a minimum, and the ones I do have seem pretty well established, but of course that’s no guarantee of anything. I’ve got a Twenty-Ten-based theme, but no intuitive feel about how solid it really is.

Ipstenu – that’s what I’ve been picking up about the weak link from a number of sources, about the servers rather than the WP software. I’m guessing that without a private server then you’re pretty much open to the elements on that one, and have to weather whatever storm may come your way. In fact, having been reading about this for a couple days, I’m so surprised in finding out just how many hosting companies seem … less than impervious. More so than I’d expected.

Just read that back, not to sound too naive, I meant “relax” only to an extent. From what I’m reading around the interwebs right now, it seems you can have the most secure site in the world from your own efforts but it still being more or less vulnerable from the level of host effort. Found some interesting GoDaddy info. Not good. I’ve gone through enough material about hosts to know not to ask that question any more on these forums, at least. No perfect solution. It’s a shame there aren’t any clear winners out there on this front, just a few lesser of many evils, perhaps.

Thanks for the links Ipstenu, I’d seen the first already but not the second. But the first doesn’t really answer a number of things I’m after.

I understand that SSL covers the process of someone signing into a site and having the subsequent data transfer encrypted. Fine. But let’s say there’s no SSL set up, nor any users logging on or anything at all in fact, let’s say the site has been set up and is left untouched by admin for a good period – is getting into the WordPress files still relatively “easy” for someone in the know? And is having an SSL certificate enough to sit back and relax?