Security Code Review
WordPress is an open source project with contributors from a large community of coders, designers, and implementing organizations and institutions. Because it is open source, anyone can examine the source code before integrating it into an existing information system. Since no Non-Disclosure Agreement (NDA) is needed to review the source code, the organization or institution planning to implement WordPress (i.e. core, themes and plugins) has the responsibility to conduct its own manual or automated code review of the WordPress code base, including themes and plugins, or to have a third-party service perform code review certification, especially where security is concerned.
Although, as an open source project, WordPress has had its code base browsed by a number of contributing developers, this is not a justification for skipping the code review process, particularly for sensitive and privacy-related applications such as healthcare. In the event of a security breach, the use of open source components that have not been independently reviewed or tested could be an aggravating factor. Other security measures should also be considered, such as penetration testing of the application itself, in addition to testing the server infrastructure.
Aside from security code review, nurse developers must ensure that sensitive personal information is encrypted both in storage and in transit, so that if a breach does occur, personal data is not exposed in plain text. This goes together with the practice of hashing passwords rather than storing them in plain text in the database.
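The storage side of the two practices above, as an added example that is not part of the original article or of WordPress itself: field-level authenticated encryption for a sensitive record and one-way password hashing, using only PHP's bundled sodium and password_* functions. It assumes the encryption key is kept outside the database (for example as a constant in wp-config.php); the key is generated in memory here only so the script runs on its own.

```php
<?php
// Added example, not from the original article: encrypt a sensitive field with
// authenticated encryption (XSalsa20-Poly1305 via sodium_crypto_secretbox).
// Returns one base64 string, nonce || ciphertext, that fits in a text column.
function encrypt_field(string $plaintext, string $key): string {
    // A fresh random nonce per record; reusing a nonce under the same key breaks secrecy.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ciphertext);
}

// Decrypt a stored field. Returns null if the value was altered in the database or
// the key is wrong: the Poly1305 tag is checked before any plaintext is released.
function decrypt_field(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    return $plaintext === false ? null : $plaintext;
}

// Passwords are hashed, not encrypted: a slow, salted hash that cannot be reversed
// is stored, and a login attempt is only ever compared with password_verify().
function store_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $hash): bool {
    return password_verify($password, $hash);
}

// Demonstration on constructed sample data (assumed key handling, see lead-in).
$key = sodium_crypto_secretbox_keygen();
$stored = encrypt_field('constructed sample: patient Jane Doe, ward 4', $key);
echo 'round trip ok: ', var_export(decrypt_field($stored, $key) !== null, true), PHP_EOL;

// Simulate a record altered in the database: the last base64 chunk is overwritten.
$tampered = substr($stored, 0, -4) . 'AAAA';
echo 'tampered record rejected: ', var_export(decrypt_field($tampered, $key) === null, true), PHP_EOL;

$hash = store_password('correct horse battery staple');
echo 'right password: ', var_export(check_password('correct horse battery staple', $hash), true), PHP_EOL;
echo 'wrong password: ', var_export(check_password('wrong', $hash), true), PHP_EOL;
```

For WordPress user accounts the password side is already handled by core's wp_hash_password() and wp_check_password(); the field encryption is the part a plugin or theme storing clinical data has to add itself, and encryption in transit (TLS) is a separate server configuration not shown here.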
OWASP WordPress Security Implementation Guideline
For developers and implementing institutions planning to integrate WordPress into their current IT infrastructure, the Open Web Application Security Project (OWASP) guidelines for implementing WordPress can be a useful reference.