Comments
-
I mean yeah, nothing is more secure than their undoubtedly php 5 plugin based cronenberg.
-
First let me just say this: I am by no means a WordPress or PHP hater; PHP has made me wealthy enough to live comfortably and successful enough to pick my projects and tooling within the language.
I tend to step away from WordPress because of plugins themselves being a part of the bigger issue, but even on the few infosec conferences that I have attended where the topic of WordPress is included (and a lot of the time it will be included, since it accounts for a large coverage of web development out there for most common folk) the presentation makes a point of blaming users that did not know better about securing it, all the way to the developers that went trigger-happy with the plugins without bothering to ensure that everything was up to standard. I have done WordPress projects before, in which I made sure to use 0 plugins, and if the application needed something inside of it that required the extensible side of things I would code it myself
-
@AleCx04 (continued) to which I can make sure that proper practices are in place as well as code testing and structure, all included. The experience has been enjoyable, without most of the pitfalls people encounter, as well as some very profitable ordeals, i.e. literally adding a page with information, mind you that this is something that ALREADY exists in the platform by default, amounts to $400 to $500 of my time... that being about 30 minutes or less, for which my clients, as aware as I have made them be of the process, are happy to pay for it even when I offer to just make it free as a gesture of good business relations etc.
So, considering that, WordPress carries a lot of negativity to it, well deserved as well, can't deny it, but as an engineer you have the ability to make it better, make it useful for the client and make it secure with very happy results.
Also it ain't stuck in the old ways, you can 100% use PHP 7+ and it will be fine.
-
@SortOfTested I remember seeing some noob code that retrieved data from another db inside the db that contained the WordPress db, it had this strange plugin that the original "dev added" that threw an error to the screen such as:
"hey something went wrong with DBNAME USER PWD IP
please take a screenshot of this and send it to somedipshit@fuckno.com!"
It was so bad....
-
@AleCx04
Not gonna lie, that level of "this human can actually make something work in this platform" terrifies me 🙀
-
I would definitely reject this...
It's less about my knowledge of PHP or wordpress hate...
But seriously - security on that level requires a constant presence (monitoring, law advisements / requirements and so on)...
As such - big no no for me...
High risk to get in serious trouble with government and law when you bork this up and the company drops you as a sacrificial lamb.
-
@IntrusionCM yes, especially when the client has plugin install rights. I don't mind HIPAA security work, but I certainly don't offer it for a few measly contract hours.
Potential Client Project:
"HIPAA compliant WordPress website"
Me: Can you tell me more about the website you're trying to publish?
Client: Site for uploading patient medical test results
Me: 🤦♂️ Fuuuuuuck. Sorry, you're on your own.
WORDPRESS?!?!
rant
client proposal
wordpress
fuck