Our discussions around WordPress security should change

chrislema-face

wordpress-security
Think about the most recent conversations you've had about WordPress security.

Now, if you're someone who's deep into WordPress security, I'm not talking about you. I'm talking about the everyday folks that use WordPress, and the developers and designers who talk to their customers about WordPress and security.

Another way to think about this, to get a handle on the conversations that are happening around WordPress security, is to do a little search on Slideshare.net – where people upload their presentations. If you filter it to presentations uploaded in the last month or two, and look thru them, you'll see what I'm talking about.

People are talking about security

I'm not saying that we're not talking about security. We are. But if you look at the slide decks, and listen to the meetups, and attend the WordCamps, you'll hear a lot about:

  • The admin account
  • Stronger passwords
  • Backups
  • Files like wp-config.php
  • Security plugins
  • Companies to help you clean hacked sites

Now to be clear, there is nothing wrong with fantastic security plugins, or a company that fixes your hacked website. Those are wonderful and awesome things.

People should know about them.

Here's the challenge

Like I said, all of those things are great. But there's a challenge with that approach – at least with that approach as the main point of the discussion.

Because what it means is that every single person is going to learn all of these lessons on their own.

Every person is going to learn the hard way about each of those items – backups, passwords, and plugins.

Additionally, plugin developers are also doing the same thing – learning every lesson on their own.

So we're all learning individually, where every lesson learned is seriously painful.

The security conversation should shift

When I first signed up with WP Engine, one of the reasons I liked their service was that they had integrated their offering with Sucuri.net.

That kind of collaboration was good for everyone – because the lessons that Sucuri was learning were being applied at the hosting provider level to all of its clients at once.

It also meant that WP Engine didn't have to learn its own lessons the hard way – which would mean pain for a lot of customers at once.

In short, our conversations about security should shift from passwords and plugins to companies and collaboration.

Look at Sucuri & Yoast

Recently you might have noticed this announcement. It highlights the kind of collaboration I'm talking about.

Security is too important to hope that every single plugin developer out there is going to learn everything they need to know before they start writing plugins that may get downloaded by millions of users.

And we both know better- developers won't wait until they know everything, because there's no way to know everything.

That's not their fault. They want to solve a business problem for their clients. They should.

But the companies creating these plugins should seriously consider a kind of collaboration like the one between Yoast and Sucuri – to ensure that their code is reviewed.

That's not the only kind of collaboration that's out there

In my day job (which I'll only have for a little bit longer) we do a lot of acquisitions. And before joining Emphasys, I was part of several startups that we sold. So I've been on both sides of the table.

(Side note: if you want to learn more about this stuff, read yesterday's post.)

About a year ago, Cory Miller and I were talking about how things were going. I was remarking how well BackupBuddy was doing. It's when we started talking about security. After all, backups are just one part of the larger security landscape.

He could have grabbed a few of his guys and started building a security plugin. Instead he took a different approach and brought new talent onto the team.

Again, I'm sure Chris could have continued on his own way as well. After all, he'd already had over a million downloads of his product.

But the two decided to go further together. And this kind of collaboration is a big win for everyone!

Our Goal

Our goal, after all, should be a safer web.

That starts with hosts doing all that they can. And we already know that contributors to core are making sure that WordPress is as secure as possible.

It also means theme and plugin providers need to do all they can – and that may mean partnering with a company like Sucuri.net, or it might mean merging.

The point is that we shouldn't all have to learn every single lesson on our own. There are ways we can make the web a safer place faster than that.

Which is why I think our conversations should shift. What's your take?

About Chris Lema

Chris Lema has been working with WordPress since 2005. Over the years he's been a blogger, a speaker at WordCamps, a coach for WordPress product companies, and the founder of the conference for WordPress business owners, called CaboPress. Today he's the VP of Products at Liquid Web, where he manages the world's first managed platform for WooCommerce stores.

Chris Lema

Chris Lema has been working with WordPress since 2005. Over the years he's been a blogger, a speaker at WordCamps, a coach for WordPress product companies, and the founder of the conference for WordPress business owners, called CaboPress. Today he's the VP of Products at Liquid Web, where he manages the world's first managed platform for WooCommerce stores.

Join more than 7,500 others

My posts. Your inbox. Beautiful.

Chris Lema Speaking

Do You Want To Pick My Brain?

Over the last few years, through private consulting, coaching, and using the pay-by-the-minute Clarity service, I've helped hundreds of folks like you solve their WordPress problems and overcome their technical challenges.

“In 18 minutes Chris was able to save me months of lost time and tens of thousands of dollars by directing me to the right technologies to create my course marketplace. The value was 100x what I paid.” — Josh

Have a question right now? Most of my Clarity calls last less than 20 minutes.