The Proposed WordPress Developer Code Of Honour

Over at WPShout Fred Meyer has published a proposed Code Of Honour for WordPress developers.

The article is address to developers of SME websites and is addressed to both developers and their clients. It addresses problems with SME website projects and puts forth a solution in the form of the code.

It’s a reasonably long read. And if you are either a business owner about to engage in a web project, or if you are web developer who builds out projects single-handedly – then it’s well worth reading.

Immediate Thoughts

After reading the code I had some immediate thoughts: the article and the post itself is timely. In fact, it’s overdue: many good developers have the experience of being pulled into an SME project to discover that the previous developer didn’t know his stuff. Consequently budget gets sucked into cleaning up unholy messes.

Web development professionals aren’t just in it for the money. We want our clients to be happy. We want the projects we work on to succeed. We want to create websites to return an investment. We don’t like seeing clients in pain because the previous team didn’t know what they were doing.

The code requests the developers use professional best practices. Best practices in technically building the project, and in client communication. It requests that developers be accountable to their clients.

The very existence of the code also creates a condition of accountability: accountability to a community that declares itself for the code.

I like this.

Unexpected Controversy

I’ve been in private discussions with people who are in the business of delivering web projects for SME’s. These people are both solo developers and agency owners. These people are good providers and all have records of delivering great projects and making their clients happy.

They largely agree in principle with the code itself. But to my surprise they had two objections to the article itself.

“The problem isn’t the developer. It’s the client”

According to this critique, projects don’t fail because of the developers own weaknesses. They fail because the of faults on the clients end.

There’s some truth to this. Some projects do indeed fail because the client makes unreasonable demands, micromanages the project and doesn’t trust the authority of the agency or the developer. Clients sometimes don’t understand the work that’s involved, and make unreasonable demands. Often clients fail to honour the process by which agencies and developers create good results.

I think that agencies can have good reasons for thinking these things. But I also think that ultimately it’s the responsibility of the agency or the developer to guide the client on these matters. Or to simply turn away clients that won’t work within the process of the agency.

Besides, in all fairness Fred links to content about how to avoid bad clients. And how to be a great client.

“The article is elitist. The author favours programmers over non-programmers”

Now as I mentioned above, the people I heard this critique from have histories of delivering great work. They’ve built many projects that make their clients money. I believe that these people are non-programmers themselves. And they seem to feel that the article shows a kind of hidden contempt for non-programmers the deliver WordPress projects.

But personally I think the critique is baseless.

Someone responsible for delivering an SME WordPress website can deliver without knowing how to program. They can simply hire a programmer.

But the reality is that the better someone knows how to program, and specifically how to program within the WordPress world, then they are in a better position to quickly solve the kind of problems that will come up within the project.

Non-programmers who build websites are spoilt silly by the WordPress world: there are extensions for pretty much everything. From creating real-estate listings, to assessing your content for search engine visibility. There are plugins that promise to make your website faster. Plugins exist for layout out page, for capturing leads, for social media…

There’s a huge amount that you can done without being able to program.

But ultimately if a provider doesn’t understand the underlying technologies then they are disadvantaged.

Understanding the underlying technology brings some significant advantages. Here are just a few.

  1. A programmer can anticipate problems before they happen
  2. A programmer can often solve these problems faster
  3. Cost estimates for projects will be more accurate
  4. When bugs rise from common extensions, programmers can find the cause
  5. … and probably fix them

To clarify: non-programmers can be competent and even excellent at delivering satisfying projects. And sometimes programmers don’t have non-programming skills that great results require.

But personally I think that everyone who is in the business of delivering an SME web project should at least be learning the underlying technologies.

My Endorsement

Personally I endorse Fred’s Code Of Honour 100%.  At this point I have zero reservations about it. If the code was “officially released” today in it’s current state then I would commit to it.

The “wild west” period of web contracting is coming to end. Even though cowboy agencies and developers still exist, their opportunities are fading.

Fred’s code is a an idea whose time has not only come: it may be overdue.

This article gets technical. But I had to write to so I didn’t have to continually repeat the same points during internet discussions of a new WordPress Security Plugin. First, the background:

The New WordPress Security Plugin

Recently a slick marketing campaign has effectively promoted a new WordPress security plugin. A video promoting the plugin demonstrates a successful attack on a WordPress site. The voiceover claims that two popular security plugins Sucuri and WordFence do not effectively defend against this one particular attack type.

But the promoted product does. According to the promoters. So if you buy this one plugin (which I’ll name later in the article) then you can be assured of security for your WordPress site.

Not So Fast!

Like any good ad campaign this one speaks the to it’s audience in the language they understand. However, the campaign targets non-expert while covering a subject that requires expert knowledge. This factor allows the omission of valuable context. The omissions combined with misdirections and other FUD factors create the quality of outright deceit.

The campaign is deceitful.

What’s The Real Story?

Is it possible that Sucuri or WordFence could miss a vulnerability in a popular plugin? Sure it is.

Is it possible that a new entry to the WordPress security plugin market could defeat this vulnerability? Sure.

Do these facts say anything about the value of any of these plugins? Possibly. But only in a very limited sense.

We have to consider a few things:

  • The vendor of the new plugin doesn’t reveal any details about the vulnerability.
  • The vendor of the new plugin has no history of contribution within the WordPress community.
  • The vendor doesn’t specialise commercially in WordPress products.
  • The source code of the plugin hasn’t been released under the GPL license.
  • Since the video release WordFence and Sucuri most probably now provide protection against the vulnerabilty. It’s very unlikely that they don’t. But the original video is still in circulation.

So the claims in the video aren’t outright false. But they are still deceitful.

Vulnerabilities are discovered within any set of web technologies all the time. And every week new vulnerabilities are discovered by all vendors of defensive products who then update their products. I would be very surprised if the Big Scary Vulnerability shown in the video wasn’t fixed within a couple of days of the ad being launched.

WordPress Security Plugins And Community Contribution

Sucuri and WordFence compete. One of the domains of their competition is in their community contribution. They each have public blogs and newsletters. Every serious WordPress consultant consumes from at least one of these channels.

The new product is called ‘wp siteguardian’. If you find it on google you’ll find a very slick advertising page that produces a brilliant story complete with misdirection on the nature of the security, WordPress security, and the WordPress security plugin market.

What you wont find is any real information, substantial on security. The kind of information that other players in the market provide plentifully and for free.

You also won’t find real attempt at client education. Something that WordFence and Sucuri offer for free and in great quantity.

Consider: when WordFence have discovered new, high-impact vulnerabilites they have alerted the community.

What they haven’t done is hidden the details of the vulnerability while using them to scare the crap out of people until they open their wallets. Unlike the WP Site Guardian.

WP Site Guardian have displayed no affinity with the WordPress community. That doesn’t mean that their product doesn’t work. But having shallow roots makes for poor positioning. Especially in terms of technical expertise. And WordPress security requires technical expertise.

And You Won’t Find The Source Code

WP Site Guardian has not opened their code. Moreover the vendor has stated in facebook discussions that he has no intention to do so. He has stated that the code is not covered by the GPL.

That is to say: WP Site Guardian most probably violates the license of WordPress by failing to cover their own WordPress Security Plugin under the GPL. In doing so, they both hide the quality of their own code while violating the rights of their own customers.

Any complete conversation around this is nuanced and should be in detail. The opinion of Matt Mullenweg, the Lead Developer of the WordPress Foundation, and original developer of WordPress itself is that all themes and plugins are covered by the GPL.

Customer rights aside, refusing to apply the GPL to WordPress derivative works makes them less secure.

The Worst Thing About The Advertising Of The New Security Plugin

The target audience of the advertising campaign has a problem. They aren’t in a position to navigate the advertised claims. They don’t know the context. They don’t understand the threat model.

And that’s fine. Consumers shouldn’t be obliged to learn the fine details. That task is for expert consultants.

After purchasing the WP Site Guardian the customer will feel like they have “purchased security”.

But they haven’t. And they can’t. Because “buying security” is impossible. Genuine security for WordPress requires expert knowledge. And an application of the Defense In Depth principle.

WordPress consumers deserve better.

When it comes to self-hosted instances of WordPress security policies must be enacted. WordPress security is taken care of for user of wordpress.com or managed WordPress hosts.

However, when we are managing our own sites or client sites then we have to create our own security policies and deploy the right tools to implement those policies.

Wordfence is a great tool for this purpose. And today it announced it launched version 6. The announcement is here.

The new update maintains a free version of it’s offering while providing support for IPv6. The launch post describes the rational behind that decision.

I like Wordfence for it’s version of a lightweight Web Application Firewall and it’s built-in scanner. The scanner does automatic checks of core, plugin and theme files to test known file versions against the actual installed versions. Differences are flagged. There’s a much larger set of features in both the free and premium versions. But those are the features I particularly like.

Of course one tool does not a security policy make. Security depends on more then tooling and ‘defence in depth’ is key. WordPress security requires defence at the levels of the network, the server, the application and the user.

Having said that, WordFence is a great start for application-level security.