If you've been keeping up with WordPress news, you'd know that WordPress just recently released version 5.2. While the update covered a number of areas, it would seem to have focused primarily on improving the overall security of the WordPress CMS as well as the security of the WordPress ecosystem.
Well, it would seem that the new and improved WordPress 5.2 has just gotten its first big security "co-sign" from none other than the United States Department of State.
Sometime this morning (May 15, 2019), the Department of State rolled out a brand new, really attractive website built on WordPress 5.2.
The site features a really modern, sleek design, really creative website navigation, and great internal linking. Sure, there are a few little quirks that jump out to my trained eye, but as far as a government software project goes, this seems to have been a success. Let's take a closer look...
Website Navigation
The website uses what I would call "hybrid navigation". Hybrid navigation is a mix of "traditional" navigation and more modern navigation.
Traditional navigation would be horizontal links stored in the header of the website with simple menus that drop down with child link options.
Modern navigation will place very few links, if any, in the actual header, and instead, opt for a "menu trigger". When clicked, the menu will take over the full screen, giving the user the full website navigation. Modern navigation options give designers and developers a lot more space and flexibility when organizing the website.
On the new Department of State website, they have a great mix of the two. Because the site is so large, it makes sense that they would utilize traditional header navigation. This allows users to more easily visualize the pages and find what they're looking for.
However, once a navigation item is clicked, it then triggers a full-screen takeover as a more modern navigation would. The full-screen navigation then does an excellent job of cleanly organizing and displaying multiple levels of additional links.
WordPress Website Security
From a security standpoint, it would seem the Department of State has taken some precautions but could definitely lock down further.
First, it seems that the majority of the forms and inputs are submitting to subdomains. For example, the Contact Us page serves from register.state.gov. This form and others are also being served with Microsoft ASP.NET.
This may be for security purposes, it may be because it was easier to just leave those existing systems in place, or maybe a combination of the two. For example, the website feedback form appears to be a Gravity Form being served directly from WordPress.
I don't think it would be wise to attempt to test for any actual vulnerabilities, or publicly publish any others, but I will say that all in all it seems like they've done a great job.
Plugins
It would appear at first glance that the website is running a few plugins. Right off the bat, I can see that Gravity Forms is being used for a few of the website forms.
Based on the CSS and JS files being loaded, it would also appear they're using plugins to do things like display related posts by taxonomy, pop up different modals for messaging, Yoast SEO for on-page optimization, and a few others.
I'm glad to see that many of the "utility plugins" that I deemed valuable in this article about WordPress theme development are being used here as well.
While I probably would've opted for custom code instead of a few of the plugins they are running, it would seem the number of plugins being loaded is minimal so likely not creating any major security concerns there.
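An added example (not from the original post or from the site it reviews): the same read-the-page-source inference, run against a saved copy of your own page to list the plugin directories its asset URLs disclose and the hosts its forms post to when they differ from the page's host. The `audit` function, the `ExposureAudit` class, the `example.org` hosts and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Assets under /wp-content/plugins/<slug>/ disclose each plugin's directory name.
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/]+)/")


class ExposureAudit(HTMLParser):
    """Collect plugin slugs and off-host form targets found in one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.plugins, self.offsite_forms = set(), set()

    def handle_starttag(self, tag, attrs):
        a, url = dict(attrs), None
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            url = a.get("href")
        elif tag == "script":
            url = a.get("src")
        elif tag == "form":
            # Resolve relative actions against the page before comparing hosts.
            host = urlparse(urljoin(self.page_url, a.get("action") or "")).hostname
            if host and host != self.page_host:
                self.offsite_forms.add(host)
        if url:
            match = PLUGIN_RE.search(urlparse(urljoin(self.page_url, url)).path)
            if match:
                self.plugins.add(match.group(1))


def audit(html, page_url):
    parser = ExposureAudit(page_url)
    parser.feed(html)
    return parser


# Constructed sample markup, not copied from any real site.
SAMPLE = """
<link rel="stylesheet" href="/wp-content/plugins/gravityforms/css/forms.css?ver=1">
<link rel="stylesheet" href="/wp-content/themes/example-theme/style.css">
<script src="/wp-content/plugins/wordpress-seo/js/frontend.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<form action="https://register.example.org/contact" method="post"></form>
<form action="/feedback" method="post"></form>
"""

if __name__ == "__main__":
    result = audit(SAMPLE, "https://www.example.org/")
    print(sorted(result.plugins), sorted(result.offsite_forms))
```

A slug in an asset path shows only that the plugin's files are served; it says nothing about which version is installed or whether it is up to date.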
Website Speed Optimization
From a website page speed standpoint, the Department of State website could use some work.
At the time of writing, the site was scoring 0% on GTmetrix.com.
It would seem they're not optimizing images, not combining or minifying their static files, not serving scaled images, and a number of other pretty major concerns.
There are currently 6 separate CSS files being served and 14 individual JavaScript files being loaded. While some of these are being loaded by third-party embeds, e.g. Google Tag Manager, there are still a lot of opportunities here to cut down on requests.
Some of the biggest issues that I'm seeing, though, are being caused by uncompressed, oversized images. For example, one image on the home page is loading at ~17 MB and 6000px in width. I would assume that a majority of the page speed issues being seen are a result of this and other images.
So, What's The Verdict?
All-in-all, I'm thrilled to see a government agency as large as the Department of State utilizing WordPress as their content management system. As a WordPress developer and owner of a WordPress web design agency, this gives me great confidence in the future of WordPress.
Sure, there are a few things I may have done differently, or a few areas they can definitely improve on, but at the end of the day, the Department of State has built a pretty good WordPress website.