The Proposed WordPress Developer Code Of Honour

Over at WPShout Fred Meyer has published a proposed Code Of Honour for WordPress developers.

The article is addressed to developers of SME websites and to their clients. It describes the problems that plague SME website projects and puts forward a solution in the form of the code.

It’s a reasonably long read. But if you are either a business owner about to engage in a web project, or a web developer who builds out projects single-handedly, then it’s well worth reading.

Immediate Thoughts

After reading the code I had some immediate thoughts: the article and the code itself are timely. In fact, they are overdue: many good developers have had the experience of being pulled into an SME project only to discover that the previous developer didn’t know his stuff. Consequently the budget gets sucked into cleaning up unholy messes.

Web development professionals aren’t just in it for the money. We want our clients to be happy. We want the projects we work on to succeed. We want to create websites that return an investment. We don’t like seeing clients in pain because the previous team didn’t know what they were doing.

The code requests that developers use professional best practices: best practices in technically building the project, and in client communication. It requests that developers be accountable to their clients.

The very existence of the code also creates a condition of accountability: accountability to a community that declares itself for the code.

I like this.

Unexpected Controversy

I’ve been in private discussions with people who are in the business of delivering web projects for SMEs. These people are both solo developers and agency owners. They are good providers and all have records of delivering great projects and making their clients happy.

They largely agree in principle with the code itself. But to my surprise they had two objections to the article itself.

“The problem isn’t the developer. It’s the client”

According to this critique, projects don’t fail because of the developer’s own weaknesses. They fail because of faults on the client’s end.

There’s some truth to this. Some projects do indeed fail because the client makes unreasonable demands, micromanages the project and doesn’t trust the authority of the agency or the developer. Clients sometimes don’t understand the work that’s involved. Often clients fail to honour the process by which agencies and developers create good results.

I think that agencies can have good reasons for thinking these things. But I also think that ultimately it’s the responsibility of the agency or the developer to guide the client on these matters. Or to simply turn away clients that won’t work within the process of the agency.

Besides, in all fairness Fred links to content about how to avoid bad clients, and about how to be a great client.

“The article is elitist. The author favours programmers over non-programmers”

Now as I mentioned above, the people I heard this critique from have histories of delivering great work. They’ve built many projects that make their clients money. I believe that these people are non-programmers themselves. And they seem to feel that the article shows a kind of hidden contempt for non-programmers who deliver WordPress projects.

But personally I think the critique is baseless.

Someone responsible for delivering an SME WordPress website can deliver without knowing how to program. They can simply hire a programmer.

But the reality is that the better someone knows how to program, and specifically how to program within the WordPress world, the better placed they are to quickly solve the kind of problems that will come up within the project.

Non-programmers who build websites are spoilt silly by the WordPress world: there are extensions for pretty much everything, from creating real-estate listings to assessing your content for search engine visibility. There are plugins that promise to make your website faster. Plugins exist for laying out pages, for capturing leads, for social media…

There’s a huge amount that you can do without being able to program.

But ultimately, if a provider doesn’t understand the underlying technologies then they are at a disadvantage.

Understanding the underlying technology brings some significant advantages. Here are just a few.

  1. A programmer can anticipate problems before they happen
  2. A programmer can often solve these problems faster
  3. Cost estimates for projects will be more accurate
  4. When bugs arise from common extensions, programmers can find the cause
  5. … and probably fix them

To clarify: non-programmers can be competent and even excellent at delivering satisfying projects. And sometimes programmers don’t have non-programming skills that great results require.

But personally I think that everyone who is in the business of delivering an SME web project should at least be learning the underlying technologies.

My Endorsement

Personally I endorse Fred’s Code Of Honour 100%. At this point I have zero reservations about it. If the code were “officially released” today in its current state then I would commit to it.

The “wild west” period of web contracting is coming to an end. Even though cowboy agencies and developers still exist, their opportunities are fading.

Fred’s code is an idea whose time has not only come: it may be overdue.

Speed Matters

Users of the web have ever-increasing expectations. These days users expect content to be delivered swiftly and smoothly, and with as few obstacles as possible. A slowdown measurable in microseconds can affect conversion rates and thus the profitability of your website.

Google made speed an index ranking factor five years ago. Amazon discovered that a slowdown of 1 millisecond caused sales to drop immediately.

So if you want to keep visitors, improve your ranking and turn visitors into customers then you need your website to load fast and perform with excellence.

So how do you achieve this?

Performance must be built in from the ground up

This is something that developers have known for a long time. If you have an existing site and you want it to be faster, there are things that can be done. But if your foundations are poor then any improvements to speed and performance could be minimal. If you are starting a website from scratch then you are in a great position: you can make decisions right from the beginning that will assure great performance.

Start With Solid Hosting

“Pay peanuts, get monkeys” applies here. Hosting is a commodity, and the cheaper you go the less performance you can expect. Furthermore, if you buy at the bottom of the market to get started then you can expect trouble when you attempt to migrate your site to a better host.

The solution here is to get hosting advice from someone with experience in the world of hosting.

Hosting is a complex world with many different types of hosts across many different vendors, including shops that offer hosting specifically for WordPress sites.

Use a well-engineered theme

Assuming that you are using WordPress then you need a theme that is built well.

Of the thousands of themes on the various marketplaces, many look great. The demos available through Envato’s marketplaces or through the many theme shops will show themes that look great. But just because a theme looks great doesn’t mean that all is well under the hood.

Many themes come loaded with redundant, inefficient database calls, a zillion options which will go unused, and poorly performing, poorly tested code. Showrooms are designed to make products look great. But only qualified programmers can tell what’s going on beneath the surface.

To get a performant theme you have three options: have a qualified programmer build your theme from scratch, choose a theme from a good theme shop, or have a qualified programmer choose your theme for you.

Themes to avoid

There are some very popular, very well-marketed themes that are just going to slow down your content delivery. Not everyone is going to like hearing this. But some very popular themes simply shouldn’t be used by people who are ambitious about their project.

Avoid any theme built with many options. One such popular theme is Avada. It’s only one example. Such themes are built for all possible scenarios, and finely tuned for nothing.

Optional: use a Content Distribution Network

Using a good CDN can really speed things up. But to get this advantage you need to have the foundations sorted first. The advantages of a CDN will be minimal if you haven’t got great hosting and a well-engineered theme. Paul Irish, a chief developer at Google, has said “CDN’s are the gluten-free of the web” when talking about a lack of solid foundations.

Cloudflare is a CDN that offers a free level of service that includes some protection from DDoS attacks. It’s a great start. Amazon’s CloudFront is a popular service that can store items of your content across its global network. There are many other such services.

Asset Management: minify images

This can be critical.

The file size of an image can be relatively independent of its visual quality. That is, you can have two versions of the same image on a screen. They can both look the same to the eye. But they can have very different file sizes. Your website should be using the version with the lower file size.

A lower file size will result in faster delivery.

Before uploading images to your site: reduce the file size.

Photoshop has a filter for saving images for the web. So does Gimp. If you don’t have either of these programs then you can use an online service for reducing your image file sizes.

Use as few images as possible per page

You probably worked that out from reading the last point.

Images are important for web pages. Images should reinforce the message of the page. They can illustrate a point or draw the user to another related message. But the more images you have, the slower the page will be. Even if highly-compressed images are being delivered from CDNs, more images make for heavier pages.


Fine-tuning the speed and performance of a website is something that developers are always working on. Every page should be built with speed as a consideration. Great developers have an arsenal of strategies and tactics to keep website performance as fast as possible. There are many things that site operators can do as well. But speed must be built in from the very foundations.

I’m often approached by people asking the question “How much does a website cost?”. The questioner is often someone who has never owned a web property before. Sometimes the questioner has owned (or does own) a site. But they need to know how much it will cost to build a new site.

The answer is always “it depends”.

This post will give you a better idea of what the total cost will depend on. If you are planning on owning a new site that you intend to be a real asset to your business then this article will give you information that you need to know in order to make buying decisions.

What does the cost of a website depend on?

The cost will depend on many factors. And a worthy web design agency or developer will never tell you straight away what your site will cost. Instead they will ask you lots of questions first. The questions will include:

  • What is the nature of your business?
  • What is your website’s role in your business?
  • Do you have existing branding?
  • Do you expect your designer/developer to create branding for you?
  • Will you be selling products or services directly from your site?

… and so on.

The critical thing is this: context is everything. A good developer or agency will want to remove all guesswork and all assumptions before providing a figure.

The Discovery Process

The process of questioning that needs to occur before an estimate is given is called ‘discovery’. And it can take some time. Often the conversation is broken into several sessions. In the end, the more the developer knows about what you want, the greater the chance that you will get a great website. The developer who understands your needs most deeply is the developer who will deliver you the most value.

The business owner will sometimes be charged for discovery from the outset. Sometimes early discovery is not charged while the agency or developer is still trying to work out whether they are a good fit for the project.

At this point the business owner is paying for the developer or agency to bring their expertise to bear on the challenges that the business owner is facing. A good process is worth paying for: it saves money.

External Costs

Developers and agencies have different ways of calculating the labour cost of website building. But outside of labour there are some costs that the client will be expected to cover:

  • Web Hosting
  • Email Hosting
  • Domain Names
  • Website Software

The quality and cost of all of the above vary widely. Most often the developer will choose a combination based on the client’s needs and budget. Website software can start from ‘free’ and go up to thousands of dollars. Web hosting cost and quality vary widely.

Labour Cost

An estimate will have the cost of the agency’s labour built into it. Different developers and agencies calculate this cost differently. If the discovery process was sufficient then the cost of labour becomes a lot more predictable.


By now you can see that the question “how much will my site cost” will not yield an immediate answer. It’s a little like asking “how much does a house cost”. The answer depends on many factors.

A while ago I posted a list of free sources of images for web design.

I’ll be using this post to maintain lists of free web design resources and assets. There will be some commercial sources in this list as well. But I’ll be keeping the emphasis on free materials. The point is to find assets for quickly kickstarting web design projects. I’ll be keeping this list updated.

Selfy Market

Creative Market

Images from Bigstock can be imported into your WordPress site directly through the official Bigstock plugin.


Google has communicated very clearly that mobile-friendly websites will be advantaged in search results pages. Delivering to mobile is important enough that Google even offers easy-to-use tools to test how mobile-friendly your website actually is.

The Mobile-Friendly Test is provided as a part of Google’s website “Mobile-Friendly Websites”, a resource furnished to developers and people making decisions about the design of business websites. The resource has been around for a while and I’m surprised that I haven’t seen it linked to more often.

In February this year Google announced that it would be updating its indexing to improve the positioning of mobile-friendly sites. Today Google has finally rolled out the changes. From today, websites that are not mobile-friendly will be punished in search results. Conversely, websites that are mobile-friendly will be rewarded.

Of course merely being mobile-friendly isn’t enough by itself to assure favourable positioning in search results. Other factors are important. However, the change is significant enough that some industry experts are calling it “mobilegeddon” in anticipation of the impact on websites right across Google’s mobile-accessible index.


Summary: hosting WordPress on OpenShift can be a great option for folk with a little tech confidence if you are looking for a cheap option but you don’t want to cut corners on site performance.

Choosing WordPress hosting is pretty important: options to consider include customer support from the hosting company, quality of infrastructure, administrative ease of use and pricing. Many people taking on their first site simply don’t want to take on the decision-making required for choosing a host, and go with the loudest advertiser without understanding their options.

That’s fair enough. And some loud advertisers aren’t necessarily poor service providers. And most site operators are best advised to offload choosing a host to their consulting agency or developer.

I’m constantly assessing options for WordPress hosting because the industry is fascinating. It looks like big changes are headed our way that could save a lot of money for consumers and make site providers’ lives easier. It’s early days. But in the course of my exploration I discovered an option that could be great for small site operators who aren’t scared of learning new things.

Basically, it’s possible to use OpenShift to get free hosting for WordPress sites.

This probably isn’t what OpenShift is aiming to provide. Site owners with relatively simple sites and low resource needs aren’t in OpenShift’s target market. But OpenShift’s offerings can be used for this purpose.


OpenShift is Red Hat’s offering in the Platform As A Service market. It’s targeted towards businesses that have the skill at hand to build and deploy applications on Red Hat’s infrastructure, and it provides a convenience layer on top of that infrastructure for developers.

One of the cool things about OpenShift is that they give a small (but very useful) amount of resources for free as an introduction to their services. These resources are not time-limited (unlike Amazon’s free tier, which is limited to a year).

The process is simple: select either the free or bronze plan, log in and click on the ‘create an application’ button. Select the WordPress option. The application will be created for you. Credentials for wp-admin and for SSH will be given to you from the panel.

That’s it. You now have a WordPress instance running that you have complete control over.

The Difference

At this point you have a running WordPress instance with a funny domain name generated by OpenShift. OpenShift even gives you instructions for how to connect your desired domain name to your site. However, by now you might have noticed that this kind of hosting is very different from traditional hosting. You don’t have anything like a cPanel and you might have to think about managing things called “gears” and “cartridges”. In reality, if all you want is a running WordPress site then you don’t have to worry about this (unless you want to dive into the deep and complex world of PaaS and OpenShift’s version of PaaS).

The Advantage

The first thing that I noticed was that the front-end of the site is fast. The front page using the 2015 theme reloads in around 2s. The admin takes longer, at about 5s to 7s as measured by Chrome dev tools. But my personal perception is that the admin loads rapidly.

Free WordPress hosting on OpenShift using the free and bronze tiers could be great for you if you don’t need technical support on the platform, you are confident enough to navigate the (very easy to use) panel, and you want SSH access to the deployment.

Wherein I compare those things called “frontend frameworks” and hopefully bring Bourbon to the attention of more developers.

What follows is a light, comparative review of some frontend frameworks, giving a glimpse into the existing landscape.

Context: Bootstrap’s Dominance

Presently, and for at least two years or so, the most popular “front-end framework” has been Bootstrap. It’s everywhere. It’s an industry standard. Job postings all over the web ask for applicants to have “experience using Bootstrap”, as if seasoned frontend developers don’t have skills that are transferable to any frontend framework.

Bootstrap has little appreciable competition for mindshare in the webdev world even though other frontend frameworks exist. Zurb’s Foundation is notable. It’s been around for a long time. It’s mature and people know about it. It’s thought of as “the alternative to Bootstrap”.

Pros and (mostly) cons of Foundation

My opinion is conventional: that Bootstrap is easier to simply load and use, and that Foundation takes a little longer to learn. Where I’d stray from conventional opinion is that I don’t think that all Bootstrap sites have to look the same. It depends how you use the framework.

I’ve enjoyed using Foundation in the past. But going back to it, I simply can’t tolerate its installation processes. There are three options and all of them are… a bit icky. In theory you can just download the library and pull Foundation components into your project. But it’s not easy to figure out. It’s undocumented. And the installation paths that are documented are documented only lightly. You can beat through the thorny path if you are a seasoned Ruby developer. But there’s no sane reason why you should have to be a seasoned Ruby developer if you just want to install some frontend components.

Foundation promises to make development faster. But the complicated magic dance required to actually get started using it annuls that promised benefit.

Newcomers based on Google’s Material Design

Google Material Design is a pattern language for design, the purpose of which is to encourage UI designers to create beautiful interfaces by taking improved metaphors for web design into the realm of responsive design.

Google supports its Material Design language with its Web Starter Kit.

I have yet to experiment with Web Starter Kit. But I’m looking forward to it. Another project is Material CSS. It’s a student project out of Carnegie Mellon University. There is also LumX, a toolkit that includes and is geared for Angular.js. I haven’t tried these either, but may well do so in the future. Obviously a huge amount of work has gone into them and they look… delicious.

Bourbon provides sets of mixins for Sass. That’s all. It’s really that simple.

Like Foundation, you have to have the gem installed. Unlike Foundation, installing the Bourbon gem doesn’t require the same tightrope-walk and chicken-sacrificing. Combined with its sub-projects Neat, Bitters and Refills, it provides most every component that either Foundation or Bootstrap do. And some that they don’t.

I’ve been using Bourbon for longer than I can recall and I’m surprised it’s not more popular. It’s dead easy to pull it into an existing project or start your own project around it. My initial attraction was that earlier versions of Bootstrap didn’t have Sass integration, so the only way to use Bootstrap was to clutter up the DOM with non-semantic markup. Bourbon Neat let me use a grid system without cluttering the DOM.

Bourbon itself provides a range of conveniences documented here. Its sibling libraries, which depend on Bourbon, provide a grid system, typography and a collection of components like headers, footers, navigation bars and tab systems.

Bootstrap also has a Sass version, but I’ve found it more difficult to install than Bourbon. With Bootstrap’s Sass library, you have to pull in the dependencies with Bower. And to tidy your project up before deployment, you’d probably have to hand-code a Grunt task to move your files to the right place.

You don’t have to do that work with Bourbon.

In conclusion, Bourbon is easier to install than Foundation, and you aren’t compelled to build your whole app around it. It has pretty much all the tooling of either Foundation or Bootstrap, but it’s much easier to get started with and you probably won’t really lose anything.

In my recent post on OWASP Day 2015 I remarked that WordPress itself takes security seriously. I mentioned the recently-released WordPress Security White Paper and pointed to the documents on hardening WordPress.

Of course WordPress doesn’t exist in a vacuum, and it has a tight feedback loop with its wider community. This in itself may be one of the secrets of the success of both the CMS itself and its ecosystem.

The Problem

Due to its popularity in the shared hosting space, self-hosted WordPress is capable of running on old, outdated versions of PHP, including versions that haven’t been getting security updates for three years. This is the result of a design decision by the core developers: new versions should not break existing websites. It’s both a feature and a bug.

Of course running on old, unsupported versions of PHP creates security liabilities. A professional developer will, at the very least, raise these issues with site owners where such issues exist. But the reality is that some substandard hosts continue to provision older versions of PHP. And many existing sites live on old hosts that haven’t been updated.

An Approach to a Solution

A community project called wpupdatephp exists. It provides a PHP library “… to be bundled with WordPress plugins to enforce users to upgrade to PHP 5.4 or higher hosting.” The project also aims to raise awareness among site owners of the risks of running insecure versions of PHP, and furnishes template email content for owners to include in requests to their hosting company.

The core functionality of the library can be seen in the readme, viewable on GitHub.
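As an added illustration of the pattern such a bundled check follows (this is not wpupdatephp’s own code and does not use its API; the plugin name, minimum version and include path are assumptions), a plugin’s main file can compare the running interpreter against a minimum, show an admin notice, and refuse to load the rest of its code on PHP that no longer receives security fixes:

```php
<?php
/*
Plugin Name: Example Plugin (PHP version guard)
*/

// Hypothetical plugin that refuses to run on outdated PHP and tells the
// administrator why. The minimum matches the page's figure of 5.4.
define( 'EXAMPLE_PLUGIN_MIN_PHP', '5.4' );

/**
 * Return true when the running interpreter is at least the minimum.
 * PHP_VERSION and version_compare() exist in every PHP release, so this
 * guard file itself parses on old interpreters; only the guarded code
 * may use newer syntax.
 */
function example_plugin_php_is_supported( $running = PHP_VERSION ) {
	return version_compare( $running, EXAMPLE_PLUGIN_MIN_PHP, '>=' );
}

/**
 * Print an admin notice explaining the requirement and pointing the site
 * owner at their host. Only shown to users who can manage plugins, and
 * escaped because the message embeds the server-reported version string.
 */
function example_plugin_php_notice() {
	if ( ! current_user_can( 'activate_plugins' ) ) {
		return;
	}
	$message = sprintf(
		'Example Plugin requires PHP %1$s or newer; this site runs PHP %2$s, '
		. 'which no longer receives security fixes. Ask your hosting provider to upgrade.',
		EXAMPLE_PLUGIN_MIN_PHP,
		PHP_VERSION
	);
	printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $message ) );
}

if ( ! example_plugin_php_is_supported() ) {
	// Old PHP: warn the admin and load nothing else. Failing cleanly here,
	// rather than with a fatal error deep inside the plugin, is the point.
	add_action( 'admin_notices', 'example_plugin_php_notice' );
	return;
}

// Supported PHP: load the real plugin code (assumed file name).
require_once plugin_dir_path( __FILE__ ) . 'includes/plugin-main.php';
```

A top-level `return` is valid here because WordPress loads plugin files with `include`, so the guard stops the rest of the file without affecting other plugins.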


OWASP (The Open Web Application Security Project) is a volunteer-run, non-corporate global organization devoted to making the web a safer place. It provides resources for developers and businesses to help them secure their assets. Its many notable projects include the OWASP Top Ten: the canonical list of the ten most likely types of threat to web applications.

The New Zealand chapter organized another fantastic, amusing and enthralling OWASP Day, an event aimed mostly at developers, but also of interest to anyone with responsibility for managing (and securing) infrastructure.

If that sounds a little dry, you should have seen the metal-as t-shirts worn by the Insomnia crew.

Observations and Thoughts

Pedro Worcel’s presentation ‘CMS Hell’ made an interesting contrast with Nick von Dadelszen’s presentation.

Pedro discussed his own testing of the NZ internet for CMS vulnerabilities. Pedro introduced droopscan, a vulnerability scanner for CMSs. It looks like a really useful tool, and I’ll definitely be experimenting with it.

Nick’s talk involved discussion of Section 252 of the Crimes Act, describing penalties for “accessing computer systems without authorisation”. Nick was focused on “passive” scanning for vulnerabilities, thus using techniques that can’t be described as possible violations of Section 252.

One of my takeaways from these two presentations is that a lot of security research that I and others would consider ethically legitimate could be interpreted as a violation of the Crimes Act. Even if the resulting research is capable of making the web safer.

The content of Nick’s talk can be obtained here. (warning: PDF)

Defending WordPress

Adam Bell from Lateral Security presented a case study that provided a cautionary tale about a failure of defense in depth. A notorious and very young system cracker had successfully attacked a site managed by the presenter. Adam introduced the log analyser Splunk and described his forensic strategy.

My takeaway was that the weakest link will render the entire chain useless. Something anyone who works around security already knows. But this can be sobering when we consider the possible effect on business. When customers pay for “security”, they tend not to understand that “security” is a thing that can’t be bought. It can only be defended. But the old maxim holds true: any attacker with sufficient time and skill will always win.

WordPress itself takes security very seriously. It has maintained a document for developers and admins on Hardening WordPress for many years. This week they released the WordPress Security White Paper, which I read as an overview of the security environment of the WordPress world. It applies the OWASP Top Ten to the WordPress world and is required reading for anyone serious about defending WordPress. (Or for that matter, attacking it.)