Physical Security compared to website security

Many people think about website security the same way they think about physical security in the real world. In the physical world, we might build a facility such as a bank that needs to be secured, and we build the barriers to entry and the access controls as part of the construction project.

Once the project is complete, we have a secure facility with walls, gates, secure entry and exit points, cameras, access controls and human personnel who carry out security procedures as people enter and leave. Once the project is finished, the physical construction does not change much over time.

You are unlikely to discover that the concrete you used to build a wall for your bank is now vulnerable and needs to be replaced. A wall is still difficult to penetrate, and a locked gate with a guard will still be quite effective a few months from now.

It is easy to make the mistake of thinking about website security in the same way. If you install secure software to power your website and implement good security policy and controls, you might expect the website to behave like the building: a website that is secure today should still be secure a few months from now if nothing on it changes.

That is not the case, and I'm going to explain why. If you build a website using the newest software, verified to be secure, and you implement good security policy, your website does not change, but the environment it operates in does. Attackers continually research the software that powers your website, and vulnerabilities are eventually discovered in most popular online software.

So the problem is that, while your website software starts off secure, it almost always ends up insecure without anything changing on your website. It is not your fault, or the fault of the person who built your website; it is simply the way of the online world. This is where the building metaphor breaks down: a secure building does not usually become insecure a couple of months after it is built without anything in the building changing. A website does.

In fact, this is an ongoing cycle. Vulnerabilities are discovered, attackers start using them, and if you are a responsible WordPress site owner you upgrade your site regularly to fix those vulnerabilities. Then new vulnerabilities are discovered in the new versions, and the cycle repeats.
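The drift the article describes can be made concrete with a small check that a site owner would run as part of that upgrade cycle. The example below is added here and is not code from the original article or from any WordPress project: it evaluates one unchanged component inventory against an advisory feed at two different dates and shows that the exposure grows even though the site itself never changed. The component names, version numbers, advisory identifiers and dates are all constructed for illustration and do not refer to real releases or real advisories.

```python
"""Added example (not from the original article): the same unchanged site
inventory, evaluated against a growing advisory feed at two points in time.
All component names, versions, advisory identifiers and dates below are
constructed for illustration; they do not refer to real software releases
or real advisories."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed identifier, not a real CVE
    component: str        # affected component name
    fixed_in: str         # first version that contains the fix
    disclosed: date       # date the vulnerability became public


def parse_version(version: str) -> tuple:
    """Turn '6.4.2' into (6, 4, 2) so versions compare numerically.
    Missing trailing parts compare as zero, so '6.4' equals '6.4.0'."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """A component is exposed when the installed version predates the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def exposure_on(inventory: dict, advisories: list, as_of: date) -> list:
    """Return the advisory ids that apply to `inventory` as known on `as_of`.

    `inventory` maps component name to installed version. Only advisories
    already disclosed by `as_of` count: that is what makes an unchanged
    inventory look different on two different dates."""
    hits = []
    for adv in advisories:
        if adv.disclosed > as_of:
            continue                      # not yet public on this date
        installed = inventory.get(adv.component)
        if installed is not None and is_vulnerable(installed, adv.fixed_in):
            hits.append(adv.advisory_id)
    return sorted(hits)


def drift_report(inventory: dict, advisories: list, then: date, now: date) -> dict:
    """Summarise how the exposure of an unchanged inventory grew between two dates."""
    before = exposure_on(inventory, advisories, then)
    after = exposure_on(inventory, advisories, now)
    return {"then": before, "now": after, "new": sorted(set(after) - set(before))}


# Constructed site inventory: nothing about it changes between the two checks.
SITE = {"core": "6.4.2", "forms-plugin": "3.1.0", "gallery-plugin": "2.0.5"}

# Constructed advisory feed; the disclosure dates are what drive the drift.
ADVISORIES = [
    Advisory("ADV-0001", "forms-plugin", "3.1.1", date(2024, 2, 10)),
    Advisory("ADV-0002", "core", "6.4.3", date(2024, 3, 5)),
    Advisory("ADV-0003", "gallery-plugin", "2.0.5", date(2024, 3, 20)),  # already fixed
    Advisory("ADV-0004", "gallery-plugin", "2.1.0", date(2024, 5, 1)),
]

# Constructed checkpoints: the day the site went live and a check months later.
INSTALL_DATE = date(2024, 1, 15)
MID_DATE = date(2024, 3, 10)
CHECK_DATE = date(2024, 6, 1)


if __name__ == "__main__":
    report = drift_report(SITE, ADVISORIES, INSTALL_DATE, CHECK_DATE)
    print("exposed on install date       :", report["then"])
    print("exposed five months later     :", report["now"])
    print("newly exposed, site unchanged :", report["new"])
```

Running it shows an empty exposure list on the install date and three applicable advisories five months later, with the inventory untouched in between. The `disclosed > as_of` filter is the whole point: a scanner that ignores disclosure dates cannot explain why last quarter's clean report is stale today, which is exactly the building-versus-website difference the article draws.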