Security Guidelines

Since this system is going to involve tracking a lot of personally identifying information (PII) belonging to unit leaders and scouts, it is important that proper security precautions are taken in the deployment of the website.

The primary concern is that any access to the pages involving this data must be encrypted in transit between the website and the user, using a proper CA-signed TLS (formerly SSL) certificate. Because a login cookie sniffed from a cleartext (non-secure) connection would allow you access to the secure portion of the site as well, non-secure connections to the entire website should probably not be allowed, at least for logged in users. Login cookies should have the sslOnly/secure flag set. Strongly consider using HTTP Strict Transport Security headers.

As this system is designed to use WordPress as the platform, it is essential that you keep up-to-date on WordPress security updates and updates to any of the plugins you are using on your site.

Remember that any software you run on the server could be used as an attack vector to access your database, so maintaining security updates for anything else you have on your site is also essential. A lot of shared hosting providers will take care of a lot of this for you, but as the person deploying the site you need to make sure that either they are or you are.