This article gets technical. But I had to write to so I didn’t have to continually repeat the same points during internet discussions of a new WordPress Security Plugin. First, the background:

The New WordPress Security Plugin

Recently a slick marketing campaign has effectively promoted a new WordPress security plugin. A video promoting the plugin demonstrates a successful attack on a WordPress site. The voiceover claims that two popular security plugins Sucuri and WordFence do not effectively defend against this one particular attack type.

But the promoted product does. According to the promoters. So if you buy this one plugin (which I’ll name later in the article) then you can be assured of security for your WordPress site.

Not So Fast!

Like any good ad campaign this one speaks the to it’s audience in the language they understand. However, the campaign targets non-expert while covering a subject that requires expert knowledge. This factor allows the omission of valuable context. The omissions combined with misdirections and other FUD factors create the quality of outright deceit.

The campaign is deceitful.

What’s The Real Story?

Is it possible that Sucuri or WordFence could miss a vulnerability in a popular plugin? Sure it is.

Is it possible that a new entry to the WordPress security plugin market could defeat this vulnerability? Sure.

Do these facts say anything about the value of any of these plugins? Possibly. But only in a very limited sense.

We have to consider a few things:

  • The vendor of the new plugin doesn’t reveal any details about the vulnerability.
  • The vendor of the new plugin has no history of contribution within the WordPress community.
  • The vendor doesn’t specialise commercially in WordPress products.
  • The source code of the plugin hasn’t been released under the GPL license.
  • Since the video release WordFence and Sucuri most probably now provide protection against the vulnerabilty. It’s very unlikely that they don’t. But the original video is still in circulation.

So the claims in the video aren’t outright false. But they are still deceitful.

Vulnerabilities are discovered within any set of web technologies all the time. And every week new vulnerabilities are discovered by all vendors of defensive products who then update their products. I would be very surprised if the Big Scary Vulnerability shown in the video wasn’t fixed within a couple of days of the ad being launched.

WordPress Security Plugins And Community Contribution

Sucuri and WordFence compete. One of the domains of their competition is in their community contribution. They each have public blogs and newsletters. Every serious WordPress consultant consumes from at least one of these channels.

The new product is called ‘wp siteguardian’. If you find it on google you’ll find a very slick advertising page that produces a brilliant story complete with misdirection on the nature of the security, WordPress security, and the WordPress security plugin market.

What you wont find is any real information, substantial on security. The kind of information that other players in the market provide plentifully and for free.

You also won’t find real attempt at client education. Something that WordFence and Sucuri offer for free and in great quantity.

Consider: when WordFence have discovered new, high-impact vulnerabilites they have alerted the community.

What they haven’t done is hidden the details of the vulnerability while using them to scare the crap out of people until they open their wallets. Unlike the WP Site Guardian.

WP Site Guardian have displayed no affinity with the WordPress community. That doesn’t mean that their product doesn’t work. But having shallow roots makes for poor positioning. Especially in terms of technical expertise. And WordPress security requires technical expertise.

And You Won’t Find The Source Code

WP Site Guardian has not opened their code. Moreover the vendor has stated in facebook discussions that he has no intention to do so. He has stated that the code is not covered by the GPL.

That is to say: WP Site Guardian most probably violates the license of WordPress by failing to cover their own WordPress Security Plugin under the GPL. In doing so, they both hide the quality of their own code while violating the rights of their own customers.

Any complete conversation around this is nuanced and should be in detail. The opinion of Matt Mullenweg, the Lead Developer of the WordPress Foundation, and original developer of WordPress itself is that all themes and plugins are covered by the GPL.

Customer rights aside, refusing to apply the GPL to WordPress derivative works makes them less secure.

The Worst Thing About The Advertising Of The New Security Plugin

The target audience of the advertising campaign has a problem. They aren’t in a position to navigate the advertised claims. They don’t know the context. They don’t understand the threat model.

And that’s fine. Consumers shouldn’t be obliged to learn the fine details. That task is for expert consultants.

After purchasing the WP Site Guardian the customer will feel like they have “purchased security”.

But they haven’t. And they can’t. Because “buying security” is impossible. Genuine security for WordPress requires expert knowledge. And an application of the Defense In Depth principle.

WordPress consumers deserve better.

Speed Matters

Users of the web have ever-increasing expectations. These days users expect content to be delivered swiftly and smoothly, and with as few obstacles as possible. A slowdown measurable in microseconds can affect conversion rates and thus the profitibility of your website.

Google made speed an index ranking factor five years ago. Amazon discovered that a slowdown of 1 millisecond caused sales to drop immediately.

So if you want to keep visitors, improve your ranking and turn visitors into customers then you need your website to load fast and perform with excellence.

So how do you achieve this

Performance must be built in from the ground up

This is something that developers have know for a long time. If you have an existing site and you want it be faster, there are things that can be done. But if your foundations are poor then any improvements to speed and performance could be minimal.  If you are starting a website from scratch then you are in a great position: you can make decisions right from the beginning that will assure great performance.

Start With Solid Hosting

“Pay peanuts, get monkeys” applies here. Hosting is a commodity, and the cheaper you go the less performance you can expect. Furthermore, if you buy at the bottom of the market to get started with then you can expect trouble when attempting to migrate your site to a better host.

The solution here is to get hosting advice from someone with experience in the world of hosting.

Hosting is a complex world with many different types of hosts across many different vendors, including shops that offer hosting specifically for WordPress sites.

Use a well-engineered theme

Assuming that you are using WordPress then you need a theme that is built well.

Of the thousands of themes on the various marketplaces – many look great. The demos available through envato’s marketplaces or through the many theme shops will show themes that look great. But just because a theme looks great doesn’t mean that all is well under the hood.

Many themes come loaded with redundant, inefficient database calls, a zillion options which will go unused and poorly performing, poorly tested code. Showrooms are designed to make products look great. But only qualified programmers can tell what’s going on beneath the surface.

To get a performant theme you have three options:

Have a qualified programmer build your theme from scratch,  choose a theme from a good theme shop, or have a qualified programmer choose your theme for you.

Themes to avoid

There are some very popular, very well-marketed themes that are just going to slow down your content delivery. Not everyone is going to like hearing this. But some very popular themes simply shouldn’t be used by people who are ambitious about their project.

Avoid any theme built with many options. One such popular theme is Avada. Its only one example. Such themes are built for all all possible scenarios, and finely tuned for nothing.

Optional: use a Content Distribution Network

Using a good CDN can really speed things up. But to get this advantage you need to have the foundations sorted first. The advantages of a CDN will be minimal if you haven’t got great hosting and a well-engineered theme. Paul Irish, a chief developer at Google has said “CDN’s are the gluten-free of the web” when talking a lack of solid foundations.

Cloudflare is a CDN offers a free level of service that includes some protection from DDOS attacks.  It’s a great start. Amazon’s Cloudfront is a popular service that can store items of your content across it’s global network. There are many other such services.

Asset Management: minify images

This can be critical.

The file size of an image can be relatively independent of it’s visual quality. That is, you can have two versions of the same image on a screen. They can both look the same to the eye. But they can have very different filesizes. Your website should be using the version with a lower filesize.

A lower file size will result in faster delivery.

Before uploading images to your site: reduce the file size.

Photoshop has a filter for saving images for the web. So does Gimp. If you don’t have either of these programs then you can use an online service for reducing your image file sizes.

Use as few images as possible per page

You probably worked that out from reading the last point.

Images are important for web pages. Images should reinforce the message of the page. They can illustrating a point or draw the user to another related message. But the more images you have, the slower the page will be. Even if highly-compressed images are being delivered from CDN’s: more images makes for heavier pages.

Conclusion

Fine-tuning the speed and performance of website is something that developers are always working on. Every page should be built with speed as a consideration. Great developers have an arsenal of strategies and tactics to keep website performance as fast as possible. There are many things that site operators can do as well. But speed must be built in from the very foundations.

When it comes to self-hosted instances of WordPress security policies must be enacted. WordPress security is taken care of for user of wordpress.com or managed WordPress hosts.

However, when we are managing our own sites or client sites then we have to create our own security policies and deploy the right tools to implement those policies.

Wordfence is a great tool for this purpose. And today it announced it launched version 6. The announcement is here.

The new update maintains a free version of it’s offering while providing support for IPv6. The launch post describes the rational behind that decision.

I like Wordfence for it’s version of a lightweight Web Application Firewall and it’s built-in scanner. The scanner does automatic checks of core, plugin and theme files to test known file versions against the actual installed versions. Differences are flagged. There’s a much larger set of features in both the free and premium versions. But those are the features I particularly like.

Of course one tool does not a security policy make. Security depends on more then tooling and ‘defence in depth’ is key. WordPress security requires defence at the levels of the network, the server, the application and the user.

Having said that, WordFence is a great start for application-level security.

Summary: hosting WordPress on Openshift can be a great option for folk with a little tech confidence if you are looking for an cheap option but you don’t want to cut corners on site performance.

Choosing wordpress hosting is pretty important: options to consider include customer support from the hosting company, quality of infrastructure, administrative ease of use and pricing. Many people taking on their first site simply don’t want to take on the decision-making required for choosing a host and go with the loudest advertiser without understanding their options.

That’s fair enough. And some loud advertisers aren’t necessarily poor service providers. And most site operators are are best advised to offload choosing hosts to their consulting agency or ¬†developer.

I’m constantly assessing options for wordpress hosting because the industry is fascinating. It looks like big changes are headed our way that could save a lot of money for consumers and make site-providers lives easy. It’s early days. But in the course of my exploration I discovered an option that could be great for small site operators who aren’t scared of learning new things.

Basically, its possible to use openshift to get free hosting for wordpress sites.

This probably isn’t what Openshift is aiming to provide. Site owners with relatively simple sites and low resource needs aren’t in Openshifts target market. But the Openshift’s offerings can be used for this purpose.

Openshift

Openshift is Red Hat’s offering in the Platform As A Service market. It’s targeted towards business who have the skill at hand to build and deploy applications on Red Hat’s infrastructure and it provides a convenience layer on top of that infrastructure for developers.

One of the cool things about openshift is that they give a small (but very useful) amount of resources for free as an introduction to their services. These resources are not time limited (like amazons free tier which is limited to a year).

The process is simple: select either the free or bronze plan, log in and click on the ‘create an application’ button. Select the wordpress option. The application will be created for you. Credentials for wp-admin and for SSH will be given to you from the panel.

Thats it. You now have a wordpress instance running that you have complete control over.

The Difference

At this you have a running wordpress instance with a funny domain name generated by Openshift. Openshift even give you instructions for how to connect your desired domain name to your site. However by now you might have noticed that this kind of hosting of very different from ¬†traditional hosting. You don’t have anything like a cpanel and you might have to think about managing things called “gears” and “cartridges”. ¬†In reality, if all you want is a running wordpress site then you don’t have to worry about this (Unless you want to dive into the deep and complex world of PaaS and Openshift’s version of PaaS).

The Advantage

The first thing that I noticed was the front-end of the site is fast. The frontpage using the 2015 theme reloads in around 2s. The admin takes longer, at about 5s to 7s as measured by chromedev. But my personal perception is that the admin loads rapidly.

Free wordpress hosting on Openshift using the free and bronze tiers could be great for you if you don’t need technical support on the platform, you are confident enough to navigate the (very easy to use) panel and if you want SSH access to the deployment.