Why I Sold Better WP Security

Before I get into the meat of this post I want to point out that I’ve written and re-written this post a few times over the last eight months in order to better reflect on the whole thing myself.

The Beginnings of Better WP Security

Back in 2010 (which might as well be the stone ages in WordPress time) I was working for the Aviation programs at Southern Illinois University in a position that was primarily responsible for digital marketing but also included tech support, server administration, fixing flight simulators and basically being responsible for anything that ran on electricity. With hundreds of folks in the departments, including students, faculty and staff, keeping up on any one area with only a student worker was a difficult task at best.

One of our biggest issues was, as in any large bureaucracy, politics. Even with the minimal amount of time I had I still managed to build one of the largest web presences on campus eclipsing that of other departments, colleges and even that of the central university website itself. That didn’t win us any love and threats that would’ve otherwise received a slap on the wrist, such as a hacked website, could have been disastrous for what we were trying to accomplish.

You see, hacks were happening all over campus and with such a large presence and a director of communications who had been threatening to kill our websites for years I simply couldn’t afford to be another victim. At the time I felt fairly secure with our main website, a self-built CMS that I was converting to Drupal, but it was our WordPress MU network that I didn’t know the technical details of very well and, as at the time I wasn’t all that crazy about WordPress, I didn’t really want to have to worry about it.

Well, like any good webadmin I started installing a lot of plugins by other people which actually wasn’t a bad solution but after a while, with almost 20 security plugins alone, keeping up with them when I didn’t really care for all of their features just wasn’t feasible anymore. I needed to learn the platform anyway so it was time to try to put together the security stuff myself using techniques I had mostly learned as a Drupal developer.

Here’s where Better WP Security was born. I started mashing together features of some of the plugins I liked while adding in some of the functionality we wanted as a department (like “Away mode”) to produce something that I could manage myself and would make sure I kept off of anyone’s radar by not being hacked.

Fortunately it worked. We never were hacked (although just before I left there the campus’ main websites were and they asked to “borrow” me “for a few months” to clean it up), I was able to learn something about WordPress and keep track of the solution myself and everyone was happy. By October of that year I decided maybe someone else could use it all too so I posted it to WordPress.org and named it “Better WP Security” as, at least for me, it was better than anything else I had tried to that point.

Three Years Later

Well, the solution I built for myself also translated well to the needs of other people and by March of 2012 the project hit 50,000 downloads and folks started to donate to my time spent developing the plugin (it made around $4,000 that year).

2013 was even better. It hit 1,000,000 and donations (even before support charges) jumped almost 5-fold. It was so big I was no longer able to keep up and had to implement premium-only support for folks who needed it. This was a new revenue stream and the first official revenue stream for the plugin. Even though donations were good (and those were just from a single banner in the plugin that asked folks to donate to me to continue development), now I had something that seemed even better, a real revenue stream. Things were looking up.

This might seem like a great problem to have but it sure had some drawbacks, particularly as I was also teaching classes, reviewing books for APress and working a full-time job at the same time. In the Fall of 2013 I hit my limit. By October I couldn’t even keep up with the paid support model and wound up contracting someone else to do all of it.

So now people were getting support but there was still another big problem. In a niche that changes faster than the weather I simply had no time left over for any further development on the plugin. Others were getting new features; I was getting older bug reports. That can’t last long.

So here I am paying someone else to do support of a stagnant plugin in a situation that basically equated to putting the project on life support. I either had to find a cure or put it out of its misery.

Enter iThemes

Cory Miller of iThemes first started talking to me about the plugin in early October of last year. It seems he locked himself out and in the process he saw the possibility of what a good security plugin could be.

What started out as a rather simple conversation quickly led to something more as I realized that the medicine the project needed to get off life support wasn’t necessarily something I needed to provide myself but could in fact come in the form of selling the plugin to a group who had the resources to make more of it.

In the talks with Cory I did also talk to a few other groups but iThemes had a few things no one else did. First, they had Cory Miller and a proven history of building great stuff. Second, they have BackupBuddy and Exchange, two projects which make a rather perfect complement to a security plugin. Finally, they had the right atmosphere combined with a set of goals that lined up almost perfectly with where I knew the plugin would go.

It was, for all parties, the perfect match. It gave me the opportunity to take the plugin to the next level while allowing iThemes to pursue their own goal of a premium plugin suite that no one else could compare to.

So on Dec 1st, 2013 Better WP Security and I officially joined iThemes to move forward on the iThemes Security project and, as they say, the rest is history.

Securing Your Code – WordCamp Maine 2014

Today I have the honor of speaking at the first WordCamp Maine. This time around I’m talking about more advanced security for WordPress developers including how code is compromised and some specific things to watch out for in WordPress itself. You can find my slides below.

What Does HTTP Mean?

We all know that there is something called HTTP when we go to a website; for most of us it’s the four (or five if you’re using https) letters at the beginning of a website address. For example, if you look at the whole address of this site it is https://www.chriswiegman.com. What does this really mean though?

Hypertext Transfer Protocol

In the simplest terms HTTP stands for Hypertext Transfer Protocol. This is a fancy name for a set of rules (also known as a protocol) that computers use to transfer a specific kind of information, in this case the HTML documents (and others) that make up a website.

In other words HTTP is a language used by a network to transfer information from a web server to your browser.

A Bit of History

HTTP is not a new thing. It’s actually older than what most of us know as the internet itself, having first been created by Tim Berners-Lee in 1989 along with HTML as a way to convey textual information for the WorldWideWeb project. The original idea was to create a way to send text and style it (bold, headings, etc.) for which the two standards were perfect.

In 1991 HTTP was first documented as version 0.9 and the official standard was published in 1996 as version 1.0. Version 1.1 was then released in 1997 and, while it has undergone some revision, is still the current version of HTTP in use today.

Ways to Send and Receive Information

Typically when we request a webpage we expect to get some information back in the form of a webpage, video, etc and occasionally we’ll fill out a form or do something else that sends information back to the server.

To facilitate this data transfer HTTP actually has a number of request methods which serve to specify how information is transferred and can be used in combination to perform various tasks. In HTTP 1.0 (which is still in use today) the request methods were GET, POST and HEAD, and in HTTP 1.1 OPTIONS, PUT, DELETE, TRACE and CONNECT were added.

While these have various uses, for the most part, particularly in an application like WordPress, it is the GET and POST methods we use the most.

GET is how information is retrieved*. We put in a URL and we get data back. On the other hand POST is how we send or post data back to the server. When you log into WordPress or another site your login information is, most likely, sent as a POST request back to the server.

What does this actually mean to me?

So that’s a lot of technical talk; what it really means is that when you put http into a website address what you’re doing is telling the browser that you’re going to communicate with a server using the HTTP protocol. Today it’s expected. A few years ago there were other ways to communicate in the browser such as gopher, ftp and others. Perhaps one day we’ll have an alternative to HTTP and have to pay more attention to it again, perhaps not. In the meantime, whenever you see HTTP know that you’re telling the server you want a webpage or something related to a webpage that will be transferred in such a way that both your browser and the site you want to get can communicate effectively.

*Note: information can be sent via GET but it is not the standard. Developers should always use POST to send information to a server.
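As an added example (not code from the original post), here are the two request shapes described above built and parsed in Python: a GET that fetches a page and a POST that carries login data the way a WordPress login does, next to the same login sent via GET, which the note above advises against. The host, path and field values are constructed; only /wp-login.php is a real WordPress path.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

HOST = "example.com"  # constructed host; not a real site


def build_request(method, path, params=None, body_fields=None):
    """Serialise a minimal HTTP/1.1 request. GET data rides in the URL's
    query string; POST data rides in the body after the blank line."""
    if params:
        path = f"{path}?{urlencode(params)}"
    lines = [f"{method} {path} HTTP/1.1", f"Host: {HOST}"]
    body = ""
    if body_fields is not None:
        body = urlencode(body_fields)
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body.encode())}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_request(raw):
    """Split a raw request into method, path, query fields, headers and
    body fields. Header names are case-insensitive, so they are lower-cased,
    and only Content-Length bytes of the body are read."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    length = int(headers.get("content-length", "0"))
    body_fields = {k: v[0] for k, v in parse_qs(body[:length]).items()}
    return {"method": method, "path": parts.path, "version": version,
            "query": query, "headers": headers, "body": body_fields}


# A GET fetches a page; everything the server needs is in the request line.
GET_REQUEST = build_request("GET", "/about/")

# A login form submits as POST: the credentials sit in the body, not in the
# request line that servers commonly write to their access logs.
LOGIN = {"log": "alice", "pwd": "s3cret"}  # constructed sample values
POST_REQUEST = build_request("POST", "/wp-login.php", body_fields=LOGIN)

# The same fields sent via GET: the secret becomes part of the request line.
GET_LOGIN = build_request("GET", "/wp-login.php", params=LOGIN)

if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST, GET_LOGIN):
        print(raw, parse_request(raw), sep="\n")
```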

Speaking at WordCamp Maine

I’m proud to announce that next weekend, August 16th, I’ll be speaking at the inaugural WordCamp Maine in Portland, ME. I’m really looking forward to interacting with a younger WordPress community and sharing some of what I’ve learned about more advanced security topics in my talk “Securing Your Code: WordPress Security for Developers.” If you’re in the area come on out, there is plenty to learn and plenty to share.

NAMS – Some Thoughts On A New Experience

It’s no secret that the last couple of years I’ve been something of a WordCamp addict. I’ve attended about a dozen since the beginning of 2013 and I’ve even had the privilege of speaking at a few (with a few more coming up). WordCamps are wonderful but it is weekends like this that remind me that not only are there other shows out there but there are other shows that can, even for a WordPress developer, be just as important (if not more so) than any WordCamp I’ve attended.

For the last year or two Regina Smola of WPSecurityLock has been working hard to get me to a conference that, frankly, wouldn’t have otherwise piqued my interest. This conference, a bi-annual marketing workshop known as NAMS (Novice to Advanced Marketing System) in Atlanta, focuses not on the tools themselves (like WordPress) but on how to leverage those tools towards a much bigger goal.

I finally attended this weekend as both an instructor and an attendee and not only have I been impressed but I’ve been flat out blown away by what I was missing and, in many cases, what I had forgotten or simply taken for granted in my own work.

Tools Are Meant To Build With

WordPress is great. For the last few years WordPress has been a big part of my life as I’ve worked hard to make Better WP Security (and now iThemes Security) one of the largest plugins and the best security plugin in the WordPress ecosystem.

As wonderful as the journey has been one of the biggest things I’ve been forced to remember this weekend is that WordPress is, first and foremost, a tool to be used to do bigger things.

Really all I can say here is that I had forgotten this lesson somewhere along the way and in doing so I’ve lost sight of the end goal not just of the tool itself but of what my own customers who use WordPress as a tool in their own businesses are trying to accomplish.

Whether it is a blog, a membership site or an online store people build things with WordPress while I’ve focused on building things for WordPress. This is a lesson I think many of us in the WordPress developer community have lost and as a result I don’t believe the work we do is as good as it can be.

I was a popular person here this weekend talking about a product that many of these folks use from a company many of them could benefit more from if they knew what we were doing and we knew what they were trying to do with our products. For example, when I talk to WordCamps about iThemes Security I simply list what it can do. Here, questions for the crowd forced me to think not just about what it can do but also why they would want that on large sites that already make them money.

For most WordPress developers doing client work I think this lesson is probably a little more apparent (at least for the good ones) but for those of us who are concerned only about the tool itself this lesson is something we need to be reminded of once in a while to make sure that the growth of the tool we build can best meet the needs of those who are going to use it.

Conferences Don’t Have to be Only About “Sharing”

The open-source world is great. Information and software flow without expectation of a return on investment directly from the act of sharing itself. For example, most WordCamp speakers are excited to be there to help someone else learn a lesson they’ve been forced to study themselves while at the same time talking about the latest lessons and techniques over a few meals and other networking opportunities.

Conferences don’t have to always be like this. People attend conferences as an investment of their time with hopes of a return, a fact that many developers who aren’t trying to meet client deadlines often miss resulting in an atmosphere at WordCamps of “sharing” with little regard for why or how such sharing can help us in the future.

NAMS is different. Here instructors invest their time with the full expectation that those in the audience are looking not just to use their fancy new software tool but to leverage such a tool to the tune of a hefty monetary return. From affiliate marketing to consulting and more, people at NAMS are here to make money and help each other make money in one of the friendliest environments I’ve ever seen.

OK, not everything is like WordCamps. I spoke at South by Southwest this last Spring where everyone is there chasing money and parties. At South by Southwest I’ve often thought the very soul of the event has been compromised by the search for a quick buck and a few beers.

NAMS doesn’t work like either. If an attendee needs your services and you can help them a six figure sale on the spot isn’t out of the question, nor is me asking a room of 80 people to go out and buy my software during my session where I will then show them how to use it. On the flip side not a single person I’ve spoken with here has been here for the quick dollar or the party. They’re here to invest in their reputation and the future of their businesses by folks who really know what they’re doing and can offer more than a good story.

Don’t get me wrong. A lot of us have taken an awful lot away from WordCamps. Heck, I can truly say WordCamps are very much responsible for helping me get where I’m at today in my career. That said, the return on WordCamps is far different than NAMS and both make for very complementary experiences that serve to help me further grow in my skills and remind me that where I can best apply those skills is as an investment in the future of my reputation and income potential.

WordPress Doesn’t Have a Lock on Community

Finally, NAMS has served as a reminder that WordPress doesn’t have a lock on community. Constantly we in the WordPress community cite its greatest strength as the community itself and refer to that strength as the reason many of us are here rather than in developing for more monetarily lucrative software tools that exist all around us.

The NAMS community of folks here to learn to make use of tools is just as strong and, in some ways, even stronger (probably due to its size). Like HighEdWeb (another group very dear to my heart) NAMS is a group that acts more as an extended family rather than a bunch of strangers. It is a place where best selling authors, millionaire marketers, mommy bloggers and security developers can join forces and share strengths to invest in each other and that is something I shall not forget.

In short, NAMS has been one of the most rewarding events I’ve attended in quite a long time for reasons very different yet complementary to the WordCamps I’ve grown to look forward to, as much as I’ll be looking forward to my next NAMS experience.