What is the biggest disadvantage of WordPress? If you know something about this CMS, you will probably answer “The security”. Indeed, WP is the most popular CMS which makes it a common target for hacker attacks. But is it the software weak itself of there’s another reason for sad security statistics? Today we’re going to talk about it and much more in our interview.
We are thrilled to introduce Robert Abela – the CEO and founder of WP White Security and a developer of high-quality niche WordPress security and admin plugins. Robert has over 18 years of experience in IT and the software industry and together with his team they have developed WP Security Audit Log, the most comprehensive WordPress activity log plugin with the broadest coverage.
Thanks for joining us today, Robert. Please, tell us a bit more about your career background and how long have you been working with WordPress.
Thank you for having me on this interview. I started working with WordPress back in 2013. Before that I worked at several security software startup companies. I started working in IT back in 1999. During the first 8 years I held technical roles, mainly software testers (QA), systems engineer and researcher. The following years I gradually moved into management and held several different roles including technical manager, product manager and sales engineering.
When was the first time that you really got excited about WordPress and at what point did you decide to make it your career?
I discovered WordPress in 2012 when the security company I was working with needed a blog. When using it for our website we also got interested in the security aspect of it, because we were surprised by how many security issues WordPress users had back then. That triggered my interest and I started experimenting with WordPress as a hobby, which gradually grew into a full time job.
Robert, you are a founder and CEO of WP White Security. Can you please share with us how the service was created and how you went about promoting it?
I’ve always wanted to have my own business but I was always afraid of trying. So when I saw a gap in the market and got encouraged by the amazing WordPress community.
I started cleaning hacked WordPress websites. I didn’t do any promotion because I didn’t have the budget for it. However, I was an active member on many forums (including the WordPress support forums) and Facebook groups. So I got most of my work through such platforms, which is a perfect example that it does pay off when you help others.
However, cleaning hacked websites and securing them was not what I really wanted to do. I liked the security and research aspect of the job, but was not a fan of the rest. I wanted to build plugins. Afterall I had more than 15 years experience working in software companies.
I started developing the first version of the WP Security Audit Log plugin with a friend of mine. I got the idea for the plugin while doing forensic work on hacked websites. The first version of the plugin got very positive response and within 3 years it became our flagship product. WP Security Audit Log allowed us to stop the WordPress security services and focus on developing more plugins.
Nowadays WP White Security has four niche WordPress security and admin plugins, and the portfolio is growing. Believe it or not, we have never done any active promotion and advertising. The organic growth is the byproduct of developing high-quality products, providing great customer service and the occasional guest blog post. Word of mouth is very powerful!
As the developer of the most comprehensive WordPress activity log plugin WP Security Audit Log, can you please tell us more about the purpose and benefits of logs? How is this plugin helping to manage activity logging?
Activity logs have many purposes and they are not used only in security and forensics. They are like reports. You refer to them when you need to understand what happened on your site.
- Who installed plugin X?
- When did user Y log in and from where?
- Who was the editor that approved and published the last post?
- Who was the shop manager that gave 50% discount to the new customer?
- What did the hackers do on my website when they gained unauthorized access?
Logs will answer all of the above questions and also allow you to:
Troubleshoot an issue: trying to understand what happened or what went wrong without logs is like looking for a needle in a haystack. Without logs you cannot track back what has changed on the site and what lead to the technical issue.
Improve user accountability: with logs you can find out who is making mistakes on your site or eCommerce store. This allows you to quickly address issues and help your users improve. Users who are held accountable for their own actions are less likely to make mistakes.
Have a compliant website: eCommerce websites need to be PCI DSS compliant, even if payments are handled by a third party gateway. PCI DSS, GDPR, HIPAA and other regulation bodies all require website owners to keep logs, which I think is good because it also helps them better manage their websites.
Improve the security of your WordPress site: logs also help you understand how attackers are trying to break into your website. Are they scanning your website? Are they trying to exploit a vulnerability in an old plugin you have installed on your site? Are they attacking a particular user?
There are several other benefits to keeping logs on websites, however the above should be enough to give you an idea on why you need them.
In regards to the plugin, it is important to point out that WP Security Audit Log generates the logs, so without the plugin, you won’t have a record of what happened on your site. I like to emphasise this because I am frequently asked if one can install the plugin and see what happened before they installed it. So the answer is no because WordPress does not keep any logs.
Though the plugin offers more than just logs because you can’t keep your eyes peeled on the logs 24/7. So we included a number of tools to help WordPress site administrators get a better overview and better manage their sites through the logs.
The plugin has SMS and email notifications, search and filters, reports, integrations with Slack and other communication systems, and much more!
So if you would like to know exactly what is happening on your WordPress site, and what your users and shop managers are doing, download our free activity log plugin from the WordPress repository.
Talking about security, the question of whether or not WordPress is safe is complicated. What is your opinion about it?
WordPress per se is a secure web application, and so are most plugins. Many had and will have vulnerabilities, however any other software had vulnerabilities, including the operating system you are using right now. As long as the developers release fixes on time there shouldn’t be any issues.
In my opinion, the biggest “WordPress security” problem is the untrained user. WordPress makes it very easy to build and own a website. This attracts users who have no experience in managing websites to have their own website. As such there is nothing wrong with this, however they do critical mistakes when running a website, such as using weak passwords and running outdated plugins, WordPress core and themes.
In fact, weak passwords and exploitation of vulnerabilities in outdated plugins are the two most common causes of successful WordPress hack attacks.
What is the most effective strategy for keeping the WordPress website protected?
There is a lot you can do to protect a WordPress website and improve its security. There are also many factors one should consider before deciding on what needs to be done. For example, a simple hobby website requires a different security strategy than a fully blown eCommerce solution. However, if you start following the below best practises your site will be already quite secure:
- Use difficult to guess passwords. Set up strong WordPress passwords policies.
- Keep all your software up to date, including the software on your computer and smartphone.
- Implement 2 Factor Authentication. It is very easy to do on WordPress with Two-Factor.
- Keep a log of user changes that happen on your website with WP Security Audit Log.
- Optional, but worth having, install a firewall (not necessarily a plugin firewall).
What three other plugins every WordPress website must have?
Apart from the security and logging plugin, I think every WordPress website should have a SEO, caching and backup plugin.
Where do you go first to get WordPress news, insights, and updates?
I do not follow any particular news websites. I have nothing against them, however I prefer to look for and read about what I need to know rather than being fed news. However I do follow these non news websites:
- The blog on WordPress.org – definitely a must follow for everyone who is involved or works with WordPress.
- Yoast’s blog – SEO is not my area of expertise. However, I like to learn about it, and it also helps me grow the business. I like to read about SEO when I need a break from the plugin / dev / testing / management / business issues.
- WP Security Bloggers – managed by yours truly, this is a curated WordPress security news aggregate. We run this website so WordPress users can keep themselves updated with what is happening in WordPress security without having to follow gazillions of websites and filter the content.
- Managewp.org – I like to browse this website during my free time hoping to find something interesting to read. This is like the Reddit for WordPress.
If you were interviewing a WordPress developer for a job, what question would you ask first and why?
During an interview I try to gauge how interested in the subject the developer is. I also try to understand their personality to ensure they fit in our team. I am not a big fan of asking a technical question – it is very easy to answer theoretical questions.
I prefer to give out practical tests to find out how good they are as developers. For example, I ask them to fix a bug or two that we have in a plugin of ours.
You have a life beyond WordPress. Tell us about your interests. How do you manage your work-life balance?
When I am not working I like to spend time with my wife and two children. I am also an outdoorsy person. So when I have time I go jogging or cycling. I also do occasional weekend camping trips, hikes, kayak trips, scuba dives, and the list goes on. If it’s in the outdoors, I am in.
Could you shoot a picture of your desk/working space? 🙂
Sure, here it is. I use a standing desk 🙂
Finally, have we missed anything? Here’s your chance to fill in the blanks and add something you want people to know about you!
I’d like to add something, but not about me or WP White Security; if WordPress security is not your cup of tea, try to at least learn the basic fundamentals, especially if you own a WordPress site. Security, or rather lack of, impacts everything we use and depend on nowadays, including your smartphones, computers, bank ATM, email accounts and anything that is online.
We want to thank Robert for sharing his memories and awesome insights with our readers. We wish you the best of joy and inspiration! 🙂
Latest posts by Yuliya Tsvihun (see all)
- Ektron CMS: It’s Time to Choose a New Platform - June 4, 2019
- The Interview with Robert Abela - May 31, 2019
- What is WordCamp and Why You Shouldn’t Stay Behind It - May 24, 2019