Security & Compliance
Security Measures
| Measure | Implementation | Purpose |
|---|---|---|
| Admin lockdown | dezeen-admin-lockdown plugin | Restricts login pages |
| WAF | Cloudflare WAF rules | DDoS protection, bot filtering |
| XMLRPC blocked | Varnish layer | Blocks /xmlrpc.php requests |
| SSL enforcement | FORCE_SSL_ADMIN constant | Forces HTTPS for admin |
| File editing disabled | WordPress hardening | Prevents in-admin file edits |
| Server tokens | Apache ServerTokens Prod | Hides server version |
| Directory listing | Options -Indexes | Disabled globally |
| Trace disabled | TraceEnable Off | Prevents HTTP TRACE |
| Security scanning | WP Defender Pro 4.11.0 | Vulnerability scans, hardening |
| Spam protection | Akismet 5.6 | Comment/form spam filtering |
| Application passwords | application-passwords plugin | REST API auth alternative |
| JWT authentication | jwt-auth plugin 3.0.2 | Token-based API auth |
Authentication & Access
WordPress Admin
- Primary access via admin.dezeen.com (dedicated server)
- Standard WordPress username/password authentication
- Admin lockdown plugin restricts login page access
REST API Authentication
Two methods:
- JWT Auth — Token-based authentication for the Laravel Platform integration
  - Secret key: `JWT_AUTH_SECRET_KEY` in wp-config.php
  - Whitelisted endpoints in mu-plugin `rest-api-v2.php`
- Application Passwords — WordPress native API authentication for external tools
Platform Integration
The Laravel Platform at /platform (Awards, Competitions) authenticates via JWT. The PLATFORM_URL and AWARDS_URL constants control the integration endpoint.
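The whitelist-plus-credentials model described above (JWT for the Platform, Application Passwords for tools, a small set of endpoints left open) can be enforced at one choke point, the `rest_authentication_errors` filter. The mu-plugin below is an added example and is not the site's own `rest-api-v2.php`; the route patterns in `DZ_PUBLIC_REST_ROUTES` are constructed, and it assumes that the active REST authentication plugin has already resolved the bearer token or application password into the current user through `determine_current_user` (core Application Passwords do this; the jwt-auth plugin is assumed to as well) before this filter runs.

```php
<?php
/**
 * Plugin Name: REST API access policy (added example; not the site's rest-api-v2.php)
 * Description: Require credentials for every REST route except an explicit read-only whitelist.
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Constructed whitelist: routes that stay readable without credentials.
// The real list for this site lives in the rest-api-v2.php mu-plugin.
const DZ_PUBLIC_REST_ROUTES = [
	'#^/wp/v2/posts(/|$)#',
	'#^/wp/v2/categories(/|$)#',
	'#^/wp/v2/tags(/|$)#',
];

/** True when the requested route matches one of the public patterns. */
function dz_is_public_rest_route( string $route ): bool {
	foreach ( DZ_PUBLIC_REST_ROUTES as $pattern ) {
		if ( preg_match( $pattern, $route ) ) {
			return true;
		}
	}
	return false;
}

/** Route being requested, normalised to a leading slash, e.g. "/wp/v2/users". */
function dz_current_rest_route(): string {
	// WordPress stores the route in the rest_route query var for both
	// /wp-json/... and ?rest_route=... requests.
	$route = isset( $GLOBALS['wp'] ) ? (string) ( $GLOBALS['wp']->query_vars['rest_route'] ?? '' ) : '';
	if ( '' === $route && isset( $_SERVER['REQUEST_URI'] ) ) {
		// Defensive fallback: derive the route from the request path minus the REST prefix.
		$path  = (string) wp_parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
		$route = (string) preg_replace( '#^/' . preg_quote( rest_get_url_prefix(), '#' ) . '#', '', $path );
	}
	return '/' . ltrim( $route, '/' );
}

add_filter( 'rest_authentication_errors', function ( $result ) {
	// Another handler (for example the JWT plugin rejecting a malformed token)
	// has already produced an error or an explicit "authenticated": keep it.
	if ( ! empty( $result ) ) {
		return $result;
	}
	// Valid JWT, Application Password or login cookie: the user is already set.
	if ( is_user_logged_in() ) {
		return $result;
	}
	if ( dz_is_public_rest_route( dz_current_rest_route() ) ) {
		return $result;
	}
	// Anonymous request to a non-whitelisted route: answer 401 before the
	// controller runs, so user enumeration and similar discovery endpoints
	// are closed without touching each controller's permission callback.
	return new WP_Error(
		'rest_not_logged_in',
		'Authentication required for this endpoint.',
		[ 'status' => 401 ]
	);
}, 10 );
```

Returning the incoming `$result` (normally `null`) rather than `true` for authenticated and whitelisted requests matters: it lets core's own `rest_cookie_check_errors` handler, which runs later at priority 100, still enforce the nonce check for cookie-authenticated requests.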
GDPR & Privacy
| Requirement | Implementation |
|---|---|
| Data collection | Site is a read-only magazine; no user accounts are stored on the WordPress side |
| Cookie consent | Managed via Google Ad Manager and Cookiebot (Usercentrics) |
| Newsletter | Campaign Monitor handles email data; GDPR compliance is Campaign Monitor's responsibility |
| Comments | Disqus handles comment data; Disqus's privacy policy applies |
| Analytics | Parse.ly for content analytics |
| Advertising | Google Ad Manager with consent signals |
Cookie Consent Flow
dezeen-cookie-bot-tweaks Plugin
Adds `data-cookieconsent` attributes to script tags so Cookiebot can gate non-essential scripts. Hooks into `script_loader_tag` to modify `<script>` elements.
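The following is an added illustration of that hook, written here for this page; it is not the code of the dezeen-cookie-bot-tweaks plugin. It assumes Cookiebot's manual tag marking (a blocked script carries `type="text/plain"` plus `data-cookieconsent="<category>"`, and Cookiebot rewrites the type once consent is given) and uses a constructed handle-to-category map; the handles listed are assumptions, not the site's registered script handles.

```php
<?php
/**
 * Plugin Name: Consent-gated script tags (added example; not dezeen-cookie-bot-tweaks)
 * Description: Mark selected enqueued scripts so Cookiebot only runs them after consent.
 */

// Constructed map of enqueued script handle => Cookiebot consent category.
// Anything not listed is treated as strictly necessary and left untouched.
const DZ_SCRIPT_CONSENT_CATEGORIES = [
	'parsely-analytics' => 'statistics',
	'gpt-ad-manager'    => 'marketing',
	'disqus-embed'      => 'marketing',
];

/**
 * script_loader_tag filter: receives the full HTML WordPress is about to print
 * for one handle (possibly several <script> tags when inline before/after
 * scripts are attached) and returns the modified HTML.
 */
function dz_gate_script_tag( string $tag, string $handle, string $src ): string {
	if ( ! isset( DZ_SCRIPT_CONSENT_CATEGORIES[ $handle ] ) ) {
		return $tag;
	}
	// Idempotent: a tag that is already marked is left alone.
	if ( false !== stripos( $tag, 'data-cookieconsent=' ) ) {
		return $tag;
	}
	$category = DZ_SCRIPT_CONSENT_CATEGORIES[ $handle ];

	return (string) preg_replace_callback(
		'/<script\b([^>]*)>/i',
		function ( array $m ) use ( $category ) {
			// Only the external tag (the one with src=) is gated; inline
			// before/after snippets for the same handle are not touched.
			if ( ! preg_match( '/\bsrc=/i', $m[1] ) ) {
				return $m[0];
			}
			// Cookiebot blocks by type="text/plain", so drop any existing type attribute
			// (WordPress omits it on HTML5 themes and emits text/javascript otherwise).
			$attrs = (string) preg_replace( '/\s+type=(["\']).*?\1/i', '', $m[1] );
			return sprintf(
				'<script type="text/plain" data-cookieconsent="%s"%s>',
				esc_attr( $category ),
				$attrs
			);
		},
		$tag
	);
}
add_filter( 'script_loader_tag', 'dz_gate_script_tag', 10, 3 );
```

Gating at the tag level rather than inside each vendor snippet keeps the consent decision in one place: a new analytics or advertising script is blocked by default until its handle is added to the map, which is the fail-closed behaviour a GDPR consent flow needs.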
Cookiebot Integration
- Plugin: Cookiebot by Usercentrics 4.6.2
- Provides automatic cookie scanning and blocking
- GDPR/CCPA compliant banner
- Google Consent Mode v2 integration
Third-Party Data Flows
| Service | Data Sent | Data Received | Storage |
|---|---|---|---|
| Algolia | Post content, metadata | Search results | Algolia cloud |
| Campaign Monitor | Email addresses | Subscription status | CM servers |
| Disqus | Page URL | Comments | Disqus servers |
| Apple News | Article content | Publish status | Apple servers |
| Cloudflare | All traffic (proxy) | Cached responses | Cloudflare edge |
| Google Ad Manager | Page context, consent | Ad creatives | Google servers |
| Parse.ly | Page views, metadata | Analytics data | Parse.ly cloud |
| PayPal/Stripe | Payment info (Awards) | Transaction status | PayPal/Stripe |
| GeoTargetingWP | User IP | Country code | Cookie-based |
Secrets Management
Secrets are stored in wp-config.php, which is not in version control. The wp-config-sample.php template contains only placeholder values.
Secrets to Rotate on Handover
- WordPress authentication salts (AUTH_KEY, SECURE_AUTH_KEY, etc.)
- JWT_AUTH_SECRET_KEY
- Algolia API keys (especially write keys)
- Campaign Monitor API keys
- PayPal/Stripe credentials
- Database credentials
Footgun Warning
The wp-config.php in the repository contains real API keys and database credentials for the development environment. These should be treated as compromised and rotated for any non-local environment.
Nginx Security (Legacy)
The _provision/ folder contains Nginx configuration from a previous setup:
- restrictions.conf: Blocks access to hidden files, wp-config.php, readme.html and xmlrpc.php
- wordpress.conf: WordPress-specific rewrite rules

These may not be active if production uses Apache, but they remain a reference for the access restrictions and security headers that should be in place.
Unknowns / Needs Verification
- Whether `FORCE_SSL_ADMIN` is `true` in production wp-config
- Exact Cloudflare WAF rules in place
- Whether WordPress file editing is disabled in production (`DISALLOW_FILE_EDIT`)
- Two-factor authentication availability for admin users
- Rate limiting configuration (Cloudflare or application level)
- Audit logging for admin actions
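Two of the unknowns above (`FORCE_SSL_ADMIN`, `DISALLOW_FILE_EDIT`) and the rotation list under Secrets Management can be checked from inside the running site rather than by reading a copy of wp-config.php. The mu-plugin below is an added example for this page, not part of the site's code; it assumes standard WordPress constant names and the stock `put your unique phrase here` placeholder from wp-config-sample.php, and reports findings both as an admin notice and as a WP-CLI command. The command name `dz hardening-check` is an assumption.

```php
<?php
/**
 * Plugin Name: Hardening check (added example, mu-plugin)
 * Description: Report wp-config hardening constants and secrets that are missing
 * or still carry sample values. Read-only; it changes nothing.
 */

/** Returns human-readable findings; an empty array means every check passed. */
function dz_hardening_findings(): array {
	$findings = [];

	// Boolean hardening constants from the Security Measures table.
	$expected = [
		'FORCE_SSL_ADMIN'    => true,
		'DISALLOW_FILE_EDIT' => true,
	];
	foreach ( $expected as $name => $want ) {
		if ( ! defined( $name ) ) {
			$findings[] = sprintf( '%s is not defined in wp-config.php', $name );
		} elseif ( constant( $name ) !== $want ) {
			$findings[] = sprintf(
				'%s is %s, expected %s',
				$name,
				var_export( constant( $name ), true ),
				var_export( $want, true )
			);
		}
	}

	// Authentication salts: must exist and must not be the sample placeholder.
	$salts = [
		'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
		'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
	];
	foreach ( $salts as $salt ) {
		if ( ! defined( $salt ) ) {
			$findings[] = "$salt is not defined";
		} elseif ( 'put your unique phrase here' === constant( $salt ) || strlen( (string) constant( $salt ) ) < 32 ) {
			$findings[] = "$salt still has the sample placeholder or is shorter than 32 characters";
		}
	}

	// JWT signing secret used by the jwt-auth plugin for the Platform integration.
	if ( ! defined( 'JWT_AUTH_SECRET_KEY' ) || strlen( (string) JWT_AUTH_SECRET_KEY ) < 32 ) {
		$findings[] = 'JWT_AUTH_SECRET_KEY is missing or shorter than 32 characters';
	}

	return $findings;
}

// Surface findings to administrators in wp-admin.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$findings = dz_hardening_findings();
	if ( ! $findings ) {
		return;
	}
	echo '<div class="notice notice-error"><p><strong>Hardening check:</strong></p><ul>';
	foreach ( $findings as $finding ) {
		echo '<li>' . esc_html( $finding ) . '</li>';
	}
	echo '</ul></div>';
} );

// Same checks from the shell: `wp dz hardening-check` exits non-zero on findings,
// so it can run in the deployment pipeline before traffic is switched.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
	WP_CLI::add_command( 'dz hardening-check', function () {
		$findings = dz_hardening_findings();
		foreach ( $findings as $finding ) {
			WP_CLI::warning( $finding );
		}
		if ( $findings ) {
			WP_CLI::error( sprintf( '%d hardening finding(s).', count( $findings ) ) );
		}
		WP_CLI::success( 'All hardening checks passed.' );
	} );
}
```

Because the check reads the constants as PHP sees them at runtime, it answers the production question directly: a `FORCE_SSL_ADMIN` that is set in the repository copy but overridden or absent on the server shows up as a finding.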