Think about the most recent conversations you've had about WordPress security.
Now, if you're someone who's deep into WordPress security, I'm not talking about you. I'm talking about the everyday folks that use WordPress, and the developers and designers who talk to their customers about WordPress and security.
Another way to think about this, to get a handle on the conversations that are happening around WordPress security, is to do a little search on Slideshare.net – where people upload their presentations. If you filter it to presentations uploaded in the last month or two, and look thru them, you'll see what I'm talking about.
People are talking about security
I'm not saying that we're not talking about security. We are. But if you look at the slide decks, and listen to the meetups, and attend the WordCamps, you'll hear a lot about:
- The admin account
- Stronger passwords
- Files like wp-config.php
- Security plugins
- Companies to help you clean hacked sites
Now to be clear, there is nothing wrong with fantastic security plugins, or a company that fixes your hacked website. Those are wonderful and awesome things.
People should know about them.
Here's the challenge
Like I said, all of those things are great. But there's a challenge with that approach – at least with that approach as the main point of the discussion.
Because what it means is that every single person is going to learn all of these lessons on their own.
Every person is going to learn the hard way about each of those items – backups, passwords, and plugins.
Additionally, plugin developers are also doing the same thing – learning every lesson on their own.
So we're all learning individually, where every lesson learned is seriously painful.
The security conversation should shift
When I first signed up with WP Engine, one of the reasons I liked their service was that they had integrated their offering with Sucuri.net.
That kind of collaboration was good for everyone – because the lessons that Sucuri was learning were being applied at the hosting provider level to all of its clients at once.
It also meant that WP Engine didn't have to learn its own lessons the hard way – which would mean pain for a lot of customers at once.
In short, our conversations about security should shift from passwords and plugins to companies and collaboration.
Look at Sucuri & Yoast
Recently you might have noticed this announcement. It highlights the kind of collaboration I'm talking about.
Security is too important to hope that every single plugin developer out there is going to learn everything they need to know before they start writing plugins that may get downloaded by millions of users.
And we both know better- developers won't wait until they know everything, because there's no way to know everything.
That's not their fault. They want to solve a business problem for their clients. They should.
But the companies creating these plugins should seriously consider a kind of collaboration like the one between Yoast and Sucuri – to ensure that their code is reviewed.
That's not the only kind of collaboration that's out there
In my day job (which I'll only have for a little bit longer) we do a lot of acquisitions. And before joining Emphasys, I was part of several startups that we sold. So I've been on both sides of the table.
(Side note: if you want to learn more about this stuff, read yesterday's post.)
About a year ago, Cory Miller and I were talking about how things were going. I was remarking how well BackupBuddy was doing. It's when we started talking about security. After all, backups are just one part of the larger security landscape.
He could have grabbed a few of his guys and started building a security plugin. Instead he took a different approach and brought new talent onto the team.
Again, I'm sure Chris could have continued on his own way as well. After all, he'd already had over a million downloads of his product.
But the two decided to go further together. And this kind of collaboration is a big win for everyone!
Our goal, after all, should be a safer web.
That starts with hosts doing all that they can. And we already know that contributors to core are making sure that WordPress is as secure as possible.
It also means theme and plugin providers need to do all they can – and that may mean partnering with a company like Sucuri.net, or it might mean merging.
The point is that we shouldn't all have to learn every single lesson on our own. There are ways we can make the web a safer place faster than that.
Which is why I think our conversations should shift. What's your take?