Grading the White House’s WordPress website

After 8 years of Drupal under the Obama administration, the Trump White House has moved WhiteHouse.gov over to another open-source, PHP-based CMS, WordPress.

This is exciting news for WordPress devs like me, despite the irony of the administration assaulting net neutrality taking advantage of free, open-source software built to democratize publishing on the open web. But anyway! Exciting! I was curious to see the security measures and tech stack being used by the WhiteHouse.gov developers, so I ran it through WPMU Dev’s WP-Checkup tool and took a look at the source code as well. Here’s what I found:

Security

  • User enumeration is blocked
  • Folder browsing is blocked
  • WordPress version is hidden

This is all good stuff.

The /wp-content and /uploads directory paths haven’t been moved, which means bots can easily attempt to run arbitrary file upload attacks—not a vulnerability in and of itself, but a quick fix to reduce hacking volume. For instance, I can see that the site is running W3 Total Cache, which had exploits discovered in 2016 (since fixed). As this is a recent WordPress installation, I’m sure they’ve updated everything. I will also assume they are using a firewall.

The login page at /wp-admin and /wp-login.php is blocked. My best guess is that means it’s still at that location and protected by IP. As in the previous recommendation, I would move the location as an obscurity measure just for volume purposes—I have to imagine this page is being hit constantly. It’s also possible that the page has been moved and the /wp-admin URL has been blocked additionally, but I doubt it.

Since I can’t see the login page, I will cross my fingers it has two-factor authentication enabled.

Performance

HTML isn’t minified. Sigh.

Using W3 Total Cache is interesting because that plugin has so many settings that I wonder what it’s actually there for—presumably, you would want a serious server cache running on this kind of site with Varnish or Nginx, vs. making a page cache with a plugin.

Here’s the message from the bottom of the cached page I visited:

<!--
Performance optimized by W3 Total Cache. Learn more: https://www.w3-edge.com/products/

Object Caching 1900/91 objects using memcached
Minified using memcached

Served from: www.whitehouse.gov @ 2017-12-31 19:51:29 by W3 Total Cache -->

I’m not a W3TC user (Rawkblog uses KeyCDN’s Cache Enabler) but this suggests it is making a page cache, yes?

Memcached is a fine choice for object cache, though it seems like many devs are moving on to Redis lately. I’m imagining a White House sysadmin reading Digital Ocean tutorials and trying to figure out how to install it.

Tools

WhiteHouse.gov is using Google Analytics for traffic stats, New Relic for server performance metrics, and Salesforce’s Lightning platform to load CSS. It’s also using the WordPress plugins Yoast SEO, Google Analytics by MonsterInsights, and W3 Total Cache.

Yes, the White House is really using the same free plugins as your site. These are some of the most popular plugins WordPress has, and I have to wonder if the devs just went to the WordPress.org plugin repository and grabbed the top picks. Nothing custom? No Autoptimize, even? Curious.

Code

There’s an <h1> tag on the top article on the homepage, which was supposed to be a best practice when HTML5 launched, but as the browser outline hasn’t actually been implemented… for SEO and semantic accuracy, they really should put the <h1> on the “White House” homepage site title instead and go down the heading hierarchy for page links. The same module is wrapped in <div> tags instead of <article>, which is not semantic, either. This theme needs some work for SEO and accessibility—I’m sure they have the best people working on it.

There are some target="blank" anchor links in here, which is a bad security practice. If they must force open new tabs, they should also include rel="noreferrer noopener" to prevent tab hijacking.

Media

The White House logo is a .png and not an .svg, which is mystifying (and a bit amateurish) because there are other .svg images on the page, including the presidential crest.

Images throughout the page are also a hot mess, going back and forth between .png and .jpg images and not serving .webp files on Chrome, which is a considerable waste of bandwidth for a site this highly trafficked. Your tax dollars at work.

Final Grades:

  • A for security
  • A- for performance
  • B for theme design
  • C for image optimization

It’s nice to see WordPress make it into the highest levels of government—I can only hope the Trump administration’s FCC isn’t allowed to obliterate the generous, inspired community which created it and gave it away.