We've seen some strong arguments on LinkedIn about both the GDPR and the effect it will have on WordPress. Let's start with some facts.
The problem with WordPress and GDPR
In recent months there have been major data breaches that have brought the importance of security sharply into the spotlight. The Equifax and Yahoo breaches have highlighted that if you get security wrong it can be devastating - potentially terminal - for a business. If such large companies with thousands of staff can get it wrong then what chance has a small recruitment agency?
What about WordPress?
The problem is not that WordPress is insecure per se, but that every vulnerability discovered in WordPress gets a lot of media attention, making it easy for hackers to find and exploit sites that have not been patched. If a hacker finds a way into one of the million WordPress websites on the web, they can scan for other WordPress websites with the same weakness and hack those too.
WordPress is open source and has a team specifically devoted to finding and fixing security issues in the core code. As vulnerabilities are disclosed, fixes are pushed out promptly to patch them. That is why keeping WordPress updated to the latest version is incredibly important for the overall security of your website, although that only covers the core CMS platform, not the plugins. When researching recruitment plugins, we were unable to find one whose vendor accepted responsibility for its code or for maintaining its security.
Plus you're reliant on your website provider investing time in checking, upgrading and maintaining these sites, which is both risky and expensive. They also need to remove plugins that become insecure.
The GDPR is not the reason why WordPress is insecure; it is the consequence. If you don't have clear responsibility, then the liability for breaches becomes unclear. Where data is considered sensitive, it's essential that you can demonstrate that the sites have been maintained to the highest possible level.
Can you get cyber insurance?
The acid test is to try to take out cyber insurance. We contacted one of the top providers of cyber insurance and asked them to quote for a WordPress site, but they declined to cover this risk. We are not saying you can't get insurance; we are merely stating that there is a reluctance to cover this risk, and so there may be a reluctance to pay out if you can't prove that the necessary security steps have been taken.
Because the GDPR makes each individual company responsible for security, you need to demonstrate that you manage this aspect of your website to the highest possible standard.
We believe that every recruitment agency and job board provider would be well advised to pass this risk on to a supplier who accepts responsibility for it and carries insurance-backed liability.
Volcanic is supporting the recruitment industry towards GDPR compliance ahead of the May 2018 deadline. Download your free guide to GDPR for recruitment agencies.