SOC Compliance for WordPress Websites

Prepare your WordPress website for a SOC compliance audit

SOC 2 (System and Organization Controls 2) is a framework for assessing the security, availability, confidentiality, and privacy of business systems that work with stored customer data. WordPress is widely recognized as the CMS most commonly used by businesses today. Most of these businesses work with custom-built plugins and themes, and they also rely on collecting and using customer data for advertising, marketing and more.

SOC 2 compliance audits will typically evaluate the following general criteria during an exam:

Information Security

This SOC 2 requirement ensures that information and systems are protected against unauthorized access and disclosure, and damage to the system that could compromise the availability, confidentiality, integrity and privacy of the system. In the context of WordPress it means that we need to have the following systems in place:

  • Firewalls
  • Intrusion detection
  • Multi-factor authentication

Installing and properly configuring the Wordfence plugin will provide your WordPress website with all three of these systems.

Availability

To ensure that all information and related services are available for operational use at all times, your WordPress website will need effective systems for handling the following.

Performance Monitoring

This is best handled at the server level, and New Relic is a great option for a WordPress website. It must be installed on your server, and the simplest way to do that is with a specialized WordPress host that supports it. Both WPEngine and Kinsta provide easy approaches to enable New Relic. Once enabled, you can configure the Apdex to suit your website, and configure alerts that notify your team when incidents occur.

Disaster Recovery

Snapshot backups are provided by most WordPress web hosts. They’re typically handled automatically each day, and they back up your entire WordPress database and file system. Hosts like Kinsta and WPEngine provide this as a feature for all the sites they host, and provide an interface to revert to a previous backup if any issues occur. Manual backups can also be created on-demand as needed.

WPEngine has both automated and manual backups to help protect your data. They are stored offsite on Amazon S3 and are encrypted in transit and at rest.

Backup services can be used if your host doesn’t provide snapshot backups for you. The Jetpack VaultPress Backup add-on for the Jetpack plugin is a good option. It’s developed and maintained by Automattic, and it provides a dependable, secure backup storage solution separate from a web host.

Jetpack VaultPress Backup allows you to easily restore or download a backup of your site from a specific moment in time. It’s like having a powerful undo button for your WordPress.

Incident Handling

Uptime monitoring systems like Pingdom or CloudFlare’s health checks provide tools that will constantly monitor your website for uptime and availability. These tools will continuously monitor important pages on your website and notify you if there are any issues. Notifications happen instantly: they can email team members, create tickets directly in Jira, or post a message to a Slack channel.

Browser automation testing tools like browserless.io are useful for more advanced testing of critical forms and interactions. If your services and products depend on APIs, then these can be used to log in, make authenticated requests and verify their uptime. When a test fails, notifications can be sent to team members instantly.

Confidentiality

This requires that all information is protected and available on a legitimate need-to-know basis, and generally applies to sensitive information.

Encryption

SSL encryption for all connections to your website is obviously a must-have. This means that all URLs are only available over https://, and any requests to unsecured URLs over http:// need to be redirected to their secure equivalent. This needs to be handled in your server configuration (nginx or Apache) or at the DNS level with systems like CloudFlare or Imperva. It will ensure that redirects to https:// URLs happen for all requests, including static files such as images, CSS and JS.

Sensitive customer information that’s stored in the WordPress database needs to be encrypted to comply with SOC 2. If you’re submitting your information to a third-party system that’s SOC 2 compliant, then submission data is probably handled properly already. If you’re collecting information with a form plugin like Gravity Forms, then you’ll need to take extra precautions to comply. Many form tools provide a way to do this without code; a good example is the Encryption for Gravity Forms add-on for Gravity Forms. This add-on allows you to encrypt submission values for any fields that collect sensitive data. This avoids storing any direct customer information in your database; encrypted strings are stored instead.
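What field-level encryption before storage looks like in code, as an added example that is not the Encryption for Gravity Forms add-on's code or any plugin's API. The function names, the sample value and the key handling are assumptions; it uses PHP's bundled sodium extension and runs on the PHP command line.

```php
<?php
// Added example: encrypt one form-field value before it is stored.
// Function names and key handling are assumptions, not any plugin's API.

/** Returns base64(nonce || ciphertext) for storage in a text column. */
function example_encrypt_field(string $plaintext, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('Key must be 32 random bytes.');
    }
    // A fresh random nonce per value: reusing one with the same key is unsafe.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

/** Returns the plaintext, or null if the value was altered or the key is wrong. */
function example_decrypt_field(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(
        substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key
    );
    return $plain === false ? null : $plain;
}

// Constructed demo. In production the key is generated once and kept outside
// the database (environment variable or secrets manager), so a database dump
// alone does not reveal the values.
$key    = sodium_crypto_secretbox_keygen();
$stored = example_encrypt_field('jane.doe@example.com', $key); // constructed value

if (example_decrypt_field($stored, $key) !== 'jane.doe@example.com') {
    throw new RuntimeException('Round trip failed.');
}

// Simulate a modified database row: flip one bit of the stored ciphertext.
$raw = base64_decode($stored, true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
if (example_decrypt_field(base64_encode($raw), $key) !== null) {
    throw new RuntimeException('Tampered value was accepted.');
}
echo "Stored form: {$stored}\n";
```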

Access controls

WordPress provides a set of built-in roles and capabilities that control the permissions available to various users. If you need to manage specialized permissions, then you can create your own custom roles and capabilities using built-in WordPress APIs. These provide fine-grained control over the access levels that users have within your CMS.
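A small plugin showing a custom role and capability used for need-to-know access, as an added example that is not code from the original article. The role name, the capability name and the page slug are hypothetical; the WordPress functions it calls are core APIs, so it runs inside a WordPress install.

```php
<?php
/**
 * Plugin Name: Example Need-to-Know Role (added example)
 */

const EXAMPLE_CAP = 'example_read_sensitive_entries'; // hypothetical capability

// Create the role once, on activation: it can log in and read, plus the one
// custom capability, and nothing else.
register_activation_hook(__FILE__, function () {
    add_role('example_entry_reviewer', 'Entry Reviewer', [
        'read'      => true,
        EXAMPLE_CAP => true,
    ]);
    // Administrators do not receive custom capabilities automatically.
    $admin = get_role('administrator');
    if ($admin) {
        $admin->add_cap(EXAMPLE_CAP);
    }
});

// Remove the role and capability again so nothing lingers after removal.
register_deactivation_hook(__FILE__, function () {
    remove_role('example_entry_reviewer');
    $admin = get_role('administrator');
    if ($admin) {
        $admin->remove_cap(EXAMPLE_CAP);
    }
});

// The menu entry is only shown to users who hold the capability.
add_action('admin_menu', function () {
    add_menu_page('Access Review', 'Access Review', EXAMPLE_CAP,
        'example-access-review', 'example_render_access_review');
});

// Access review: list every account that can read sensitive entries.
function example_render_access_review(): void
{
    // Re-check in the handler; a hidden menu item is not an access control.
    if (!current_user_can(EXAMPLE_CAP)) {
        wp_die(esc_html('You are not allowed to view this page.'), '', ['response' => 403]);
    }
    echo '<div class="wrap"><h1>Users who can read sensitive entries</h1><ul>';
    foreach (get_users() as $user) {
        if ($user->has_cap(EXAMPLE_CAP)) {
            printf('<li>%s (%s)</li>', esc_html($user->user_login),
                esc_html(implode(', ', $user->roles)));
        }
    }
    echo '</ul></div>';
}
```

The listing page doubles as evidence for a periodic access review, since it shows exactly which accounts hold the sensitive capability.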

Third-party SSO providers can also be used, through services like Auth0 and Okta, to provide single sign-on access controls to IT teams that need to seamlessly manage access remotely. This is often the approach I see used when companies need to make WordPress SOC 2 compliant.

Firewalls

In addition to a code level firewall like Wordfence, a DNS level firewall should also be in place. CloudFlare is the best option in my opinion.

DNS level security systems like CloudFlare can provide you with many security related features. These features assist with many of the trust principles outlined in the SOC 2 requirements specification.

  • Content Delivery Network (CDN) — Cloudflare’s CDN improves website performance by caching content at its global network of data centers, reducing latency and speeding up page load times.
  • Distributed Denial of Service (DDoS) Protection — Cloudflare provides robust DDoS protection, mitigating both volumetric and application layer attacks to ensure the availability of your web services.
  • Web Application Firewall (WAF) — The Cloudflare WAF helps protect against web application attacks, such as SQL injection and cross-site scripting (XSS), with customizable security rules.
  • Load Balancing — Cloudflare’s load balancing features help distribute traffic across multiple servers or data centers, improving application availability and redundancy.
  • DNS Services — Cloudflare offers fast and secure DNS services, including domain registration, management, and protection against DNS-based attacks like DNS amplification attacks.
  • SSL/TLS Encryption — Cloudflare provides SSL/TLS encryption for securing data in transit, with options for both free and advanced SSL/TLS certificates.
  • Bot Management — Cloudflare helps identify and mitigate automated bot traffic, including malicious bots, to protect against web scraping and other malicious activities.
  • Access Control and Authentication — Cloudflare Access provides identity and access management solutions, allowing organizations to secure internal resources and applications.
  • Zero Trust Security — Cloudflare Zero Trust Security extends security perimeters beyond traditional network boundaries and ensures secure access to resources regardless of location.
  • Performance Optimization — Cloudflare’s performance optimization features include image and mobile optimization, HTTP/2 support, and automatic content minification to enhance website speed.
  • Stream and Web Sockets — Cloudflare Stream offers video streaming capabilities, while support for Web Sockets allows real-time communication between clients and servers.
  • Serverless Functions — Cloudflare Workers enables the deployment of serverless functions to run code at the edge, improving application responsiveness and reducing server load.
  • Analytics and Insights — Cloudflare provides analytics and insights into web traffic, threats, and performance, allowing organizations to make data-driven decisions.
  • Workers KV (Key-Value Store) — Workers KV is a distributed key-value store that can be used with Cloudflare Workers to store and access data at the edge.
  • Argo Smart Routing — Argo is a smart routing feature that optimizes network paths to improve website performance and reliability.
  • Rate Limiting — Cloudflare offers rate limiting capabilities to protect against abuse and ensure fair usage of web resources.
  • Mobile SDK — Cloudflare’s Mobile SDK helps protect mobile apps from threats and improve their performance.
  • Page Rules — Page Rules allow you to create custom rules for how Cloudflare handles web traffic, providing fine-grained control over your website’s behavior.
  • Serverless Durable Objects — Serverless Durable Objects allow you to create stateful, scalable applications that can run at the edge.

Other DNS level firewall providers include:

Processing Integrity

This optional addition to a SOC 2 audit evaluates whether an organization’s:

System processing is complete, valid, accurate, timely and authorized.

In the context of a website CMS system like WordPress, this focuses on your DevOps workflow. It will look at your process used to bring a design to a fully functional part of your system. This includes verifying that a design or enhancement functions properly per a specification, and that it’s delivered without any customer facing delays, vulnerabilities, errors, or bugs. Quality assurance, deployments, and active post-deploy monitoring of your WordPress website or application will be important aspects of this principle.

Deployment Pipelines

Version control systems should connect to a continuous integration deploy pipeline hosted on an independent and secure location like GitHub. When a developer makes a change to the codebase it is transparent and self-documenting, and has proper access control restrictions in place. As an example, the system might ensure that junior developers don’t have access to change potentially harmful aspects of your system. Once changes are pushed to a remote origin, a pipeline is run that performs a series of tests to verify the integrity of the codebase. These tests typically check for code level syntax errors, deviations from defined coding standards, potentially dangerous or insecure code, and also end-to-end tests of critical aspects of your website.

GitHub Pipelines are the recommended approach I use for handling these tasks. They’re well understood by many developers and teams, are fully transparent, and have the best marketplace of out-of-the-box integrations. They can be connected directly to popular WordPress hosts like WPEngine.

Zero Downtime Deploys

Once a pipeline passes all automated tests, it will deploy the code into your production website without causing any possible downtime to your website. To do this, a copy of the updated codebase is deployed alongside the existing version, and once all files are successfully deployed this copy is switched out with the current version. This approach ensures a seamless transition between the existing version of your site and the new, updated version. It can be handled in your pipeline scripts, or using a tool like DeployHQ.

Quality Assurance

Once a deployment is successfully completed, all server and DNS level cache should be cleared on the pages that have changed. Once the updates are available to your customers, they can be tested with automation using quality assurance software like Leapwork. These tests will open a virtual web browser and walk through specific customer workflows that are critical to the services your business provides, ensuring reliability and uptime. If one of these tests fails, you can notify your team of the issue, or automatically roll back the recent deployment. Typically, these tests are run against a deployment to a staging environment first, submitting test information and credentials to a sandbox environment.

Process monitoring

Monitoring your live website for critical errors is an important step in SOC 2 compliance. In the context of a WordPress website, this typically involves two areas:

  • Server error logs
  • Client browser errors

Server logs are provided by your web host, and can usually be connected to an external system for long-term storage and analysis. This allows you to configure notifications and alerts of any reported errors that have occurred within your website. For a WordPress site it’s important to have this, especially if you ever update plugins, themes or the core using the built-in update process.

Browser errors can be tracked using a system like sentry.io, which will store any client-side errors (typically JavaScript) that customers encounter on your WordPress site. This can uncover many unanticipated issues and conflicts like:

  • Code conflicts with a popular browser extension
  • Issues and conflicts with third-party scripts for analytics and advertising
  • Unexpected code errors with a new version of a browser

Similar to server-side error logs, notifications for these issues can be sent to your team, either instantly or in a daily round-up.

Adherence to Principle

Leapworks

Privacy

Personal information is collected, used, retained, disclosed and disposed of according to policy. Privacy applies only to personal information, but this requirement will make sure that what you claim to do in your website’s privacy policy aligns with what you are actually doing under the hood.

One thing that will likely be called into question is the functionality of your cookie law bar or banner. When someone selects “No” or signals that they do not want their information tracked with cookies, your tracking scripts must adjust to do that. In many cases I’ve seen, the cookie bar doesn’t actually do this.

Most modern WordPress websites load their analytics and advertising tracking scripts with Google Tag Manager. If you’re using this, then you can configure some of the built-in consent features it provides to make sure your tracking properly adapts based on what a user selects. You’ll need a developer with a good understanding of analytics and advertising implementations to do this properly. GTM consent only applies to Google Analytics, Firebase and Google Ads tracking, so modifications are needed to connect to a separate cookie banner used on your website.

Providing an Opt-out Method

If your WordPress site does not have a cookie opt-in banner, then it should provide a method to opt-out of tracking on your Privacy Policy page. In place of an actual link to opt-out, you can also do what Etsy does and provide a set of instructions to users on how to disable cookies in their browser:

Opt-in and Opt-out for Browsers: In addition, when you use Etsy via a browser, you can change your web browser’s settings to reflect your cookie preferences. Each browser is a little different, but usually these settings are under the “options” or “preferences” menu.
Etsy Privacy Policy

Encrypted Customer Data

This has already been mentioned in the Encryption section above, but it is also relevant here: any sensitive customer information that’s stored in the WordPress database needs to be encrypted. This ensures that it is not available to anyone that maliciously gains access to your database.

Summary

SOC 2 compliance can offer benefits, ranging from enhanced data security and customer trust, to competitive advantages and legal compliance. It’s a valuable framework for improving an organization’s overall security posture and operational excellence, but my opinion is that it’s not something that alone makes a company secure on the web. Security is always best handled by understanding all systems that exist, and thinking like a bad actor about how you could work around them. That is and always will be one of the best ways to protect a WordPress site from exposure to malicious activity.

If you’re looking to hire someone to help make your WordPress site SOC 1, SOC 2 or SOC 3 compliant please let me know.

Meet the Author

Kevin Leary, WordPress Consultant

I'm a freelance web developer and WordPress consultant in Boston, MA with 16 years of experience building websites and applications. View a portfolio of my work or request an estimate for your next project.