April 22, 2015 - Development, Tech-Admin

Restricting access to pages / documents on InsideLaw

We use the "Groups" plugin to restrict access to materials on a page-by-page basis. The "Access Restrictions" box in the upper right of the admin edit page allows selection of groups to have access. Leaving the box blank allows open access.

The menus only show pages that the current user can access.

Note that photos or documents placed in the Media library have very little access protection - use the "Documents" repository for more protection.

Usernames / passwords

Local username/password setups are inherently insecure, as the password is e-mailed to the user and the user is not forced to change that password. If the user has an account set up and never logs in, or logs in but does not change the password, the original e-mail with the username/password is a ticking time bomb.

Using CampusID solves most of these issues, so we recommend that local accounts be severely limited. Use these instructions to manually add users. Note that faculty and students are almost always added automatically by background scripts.

Updates

WordPress now has automatic version updates for some types of updates, but most plugin updates still must be performed manually (good thing, too, as updates are known to break other functions or even the whole site!).

Plugins

Plugins represent the largest source of possible security vulnerabilities for our WordPress installations. Special care should be exercised in selecting and installing plugins. Any plugin selection should consider the plugin's maturity, the size of its install base, active developer involvement and an active user base.

Plugins should only be site-wide "network activated" if the plugin is to be widely used on the subsites. Unused plugins should be promptly deleted.
