A short while back we had a server problem that was introduced to our server by way of a dodgy plugin. We thought we'd locked down that plugin well enough for the particular broker to replace it with our own superior Yabber tool. We were wrong, and we've dealt with a small malware issue over the last few days that impacted a very small number of websites.
We're now enforcing strict security policies to ensure your continued protection. We work in the finance industry so we're required to hold ourselves to a higher standard than others. A NOTAC will detail all changes.
First, all websites are vulnerable to attacks. Without exception, every website will be compromised at some point during its life, and attempts to access your site are made every day without you knowing about it. The idea is to have measures in place to lock down vulnerabilities, identify any potential breach, keep backups to restore full functionality, and have agile systems in place to mitigate damage and quickly patch compromised systems.
Downloading plugins from the WordPress Malware Repository is the weakest link in our (or any other) system, and it turns security into somewhat of a joke, so we now require any third-party plugin to be thoroughly vetted before it is used (keeping in mind that Yabber does virtually everything, so a plugin should never be required).
The 'problem' with enhanced security is that it generally limits digital freedoms. However, the reality is that our system already provides far more tools than any business will ever need, so more stringent security measures are unlikely to have an adverse impact.
Pictured is an example of one security feature we pushed earlier today. The tool simply 'opens' your website dashboard when required for a defined period (a similar tool prevents user creation). It's simple but effective, and the time taken to action is more than justified given the significant security advantages. It's just one of a dozen new tools you'll see in the next week.