Category Archives: WordPress

A Bank Website on WordPress

There’s a thread on Quora asking “I am powering a bank’s website using WordPress. What security measures should I take?” The answers have mostly been ignorant junk along the lines of “Oh NOES WP is INSECURE! let me take my money out of that bank”, so I wrote one myself, which I’ve copied below.

I agree there’s probably not a ton of benefit to having the online banking / billpay / etc portion of a bank’s website on WordPress, however there is no reason you couldn’t run the front-end and marketing side of the site on WordPress, and in fact you’d be leveraging WordPress’ strength as a content management platform that is flexible, customizable, and easy to update and maintain.

In terms of security, there are two simple points:

  1. Make sure you’re on the latest version of core and all the plugins you run, and update as soon as new versions become available.
  2. Use strong passwords for all user accounts. For extra credit you could enable a 2-factor plugin, use Jetpack’s WordPress.com login system, or restrict logged-in users to a certain IP range (like behind a VPN).

If your host doesn’t handle it, make sure you stay up to date on everything in your stack as well, from the OS on up. Most modern WP hosts handle this (and updates) for you, and of course you could always run your site on WordPress.com VIP alongside some of the top sites in the world. If you use any non-core third party code, there’s no harm in having a security firm audit the source as well (an advantage of using open source).
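As an added example (not code from the post or from WordPress itself) of point 2’s IP restriction and point 1’s updates, here is a must-use plugin that rejects wp-login.php and dashboard requests from outside an allowlisted range and opts the site into automatic updates. The CIDR ranges and the `bank_` function names are assumptions; the ranges are constructed placeholders.

```php
<?php
/**
 * Plugin Name: Login IP allowlist and auto-updates (added example)
 * Description: Drop into wp-content/mu-plugins/ so it loads on every request.
 */

// Constructed example ranges; replace with the bank's real VPN egress range.
const BANK_LOGIN_ALLOWED_CIDRS = [ '10.8.0.0/24', '203.0.113.0/24' ];

/**
 * Return true when an IPv4 address falls inside a CIDR block (a bare
 * address with no prefix length is treated as a /32).
 */
function bank_ip_in_cidr( string $ip, string $cidr ): bool {
    [ $subnet, $bits ] = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long ) {
        return false; // Unparseable input is never a match.
    }
    $mask = -1 << ( 32 - (int) $bits );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

/**
 * Block wp-login.php and the dashboard unless the client address is in the
 * allowlist. Uses REMOTE_ADDR only: X-Forwarded-For is client-controlled
 * unless a trusted proxy rewrites it, so it must not be trusted as-is here.
 */
function bank_enforce_login_allowlist(): void {
    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
        return; // Anonymous front-end requests to admin-ajax.php stay open.
    }
    $client = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach ( BANK_LOGIN_ALLOWED_CIDRS as $cidr ) {
        if ( bank_ip_in_cidr( $client, $cidr ) ) {
            return;
        }
    }
    wp_die( 'Access restricted.', 'Forbidden', [ 'response' => 403 ] );
}
add_action( 'login_init', 'bank_enforce_login_allowlist' );
add_action( 'admin_init', 'bank_enforce_login_allowlist' );

// Point 1 above: let WordPress apply core, plugin and theme updates itself.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );
```

Because it lives in mu-plugins it cannot be deactivated from the dashboard, and it only covers IPv4; sites reachable over IPv6 need an equivalent check using inet_pton.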

For an example of a beautiful, responsive banking website built on WordPress, check out Gateway Bank of Mesa AZ. WordPress is also trusted to run sites for some of the largest and most security-conscious organizations in the world, including Facebook, SAP, Glenn Greenwald’s The Intercept, eBay, McAfee, Sophos, GNOME, Mozilla, MIT, Reuters, CNN, Google Ventures, NASA, and literally hundreds more.

As the most widely used CMS in the world, many people use and deploy the open source version of WordPress in a sub-optimal and insecure way, but the same could be said of Linux, Apache, MySQL, Node, Rails, Java, or any widely-used software. It is possible and actually not that hard to run WordPress in a way that is secure enough for a bank, government site, media site, or anything.

If you wanted any help on this feel free to reach out to Automattic as well, we have a decade of experience now dealing with high-risk, high-scale deployments, and also addressing the sort of uninformed FUD you see in this thread.

If you’ve developed a major bank site in WordPress leave a link in the comments.

State of the Word 2014

Yesterday I delivered the State of the Word address to the WordPress community, and the video is already up on WordPress.tv.

Here are the slides if you’d like to view them on their own:

If you just want the bullet points, here are the big things I discussed and announced:

  • There will be 81 WordCamps in 2014.
  • This was the 9th and final WordCamp San Francisco in its current form. We’ve maxed out the venue for years, so next year we’ll do a WordCamp US at a location and date to be determined.
  • Milestone: 2014 was the first year non-English downloads surpassed English downloads of WordPress.
  • 33k took our survey: 7,539 (25%) of survey participants make their living from WordPress. Over 90% of people build more than one site, and spend less than 200 hours building one.
  • We’ve done five major and seven minor releases since the last WCSF, and have had 785 contributors across them.
  • WordPress market share has risen from 19% in 2013 to 23% now.
  • We now have 34k plugins and 2.7k themes, and have enjoyed record activity on both — including plugins passing 1,000,000 commits.
  • 16 releases of our mobile apps, Android and iOS.
  • Code Reference launched.
  • 105 active meetup groups in 21 countries, with over 100 meetup and WordCamp organizers present at the event.
  • Internationalization will be a big focus of the coming year, including fully-localized plugin and theme directories on language sites and embedded on dashboard in version 4.1, which is coming out December 10th.
  • Better stats coming for plugin and theme authors.
  • Version fragmentation is a big challenge for WordPress: only a quarter of users are currently on the latest release.
  • This is also a problem for PHP — we’ll be working with hosts to help with version fragmentation, as well as to get as many WordPress sites as possible running PHP 5.5 or better.
  • Showed off 2015 theme.
  • We will be testing a workflow for accepting pull requests on our official WordPress Github repository before the end of the year.
  • For the first time in 11 years we’re switching away from IRC as our primary communication method. We’ll be moving to Slack, which has helped us set up so that every member of WordPress.org can use it. (During the keynote address the number of people on Slack surpassed our IRC channels, and is currently over 800 people.) Sign up at chat.wordpress.org.
  • Five for the Future, with Gravity Forms and WPMU Dev committing to donate, and Automattic now at 14 full-time contributors to core and community.
  • We need to work hard to harmonize the REST API plugin and the WordPress.com REST API.
  • The mission of WordPress is to democratize publishing, which means access for everyone regardless of language, geography, gender, wealth, ability, religion, creed, or anything else people might be born with. To do that we need our community to be inclusive and welcoming. There is a sublime beauty in our differences, and they’re as important as the principles that bring us together, like the GPL.

Five for the Future

On Sunday at WordCamp Europe I got a question about how companies contribute back to WordPress, how they’re doing, and what companies should do more of.

First on the state of things: there are more companies genuinely and altruistically contributing to growing WordPress than ever before. In our ecosystem web hosts definitely make the most revenue and profits, and it’s been great to see them stepping up their game, but the consultancies and agencies around WordPress have also been pretty amazing about their people contributions, as demonstrated most recently by the fact that the 4.0 and 4.1 release leads both hail from WP agencies (10up and Code for the People, respectively).

I think a good rule of thumb that will scale with the community as it continues to grow is that organizations that want to grow the WordPress pie (and not just their piece of it) should dedicate 5% of their people to working on something to do with core — be it development, documentation, security, support forums, theme reviews, training, testing, translation or whatever it might be that helps move the WordPress mission forward.

Five percent doesn’t sound like much, but it adds up quickly. As of today Automattic is 277 people, which means we should have about 14 people contributing full-time. That’s a lot of people to not have on things that are more direct or obvious drivers of the business, and we’re not quite there today, but I’m working on it and hope Automattic can set a good example for this in the community. I think it’s just as hard for a 20-person organization to peel 1 person off.

It’s a big commitment, but I can’t think of a better long-term investment in the health of WordPress overall. I think it will look incredibly modest in hindsight. This ratio is probably the bare minimum for a sustainable ecosystem, avoiding the tragedy of the commons. I think the 5% rule is one that all open source projects and companies should follow, at least if they want to be vibrant a decade from now.

Further reading: There have been a number of nice blog follow-ups. Post Status has a nice post on Contribution Culture. Ben Metcalf responded, but I disagree with pretty much everything even though I’m glad he wrote it. Tony Perez wrote The Vision of Five and What it Means. Dries Buytaert, the founder of Drupal, pointed out his essay Scaling Open Source Communities, which I think is really good.

WordPress & Techmeme 100

Whenever I visit a site I can usually tell whether it’s WordPress or not within an instant — there’s just something about a WordPress site that is distinctive. Super-clean permalinks are usually a dead giveaway. One thing I’ve been noticing a lot lately is on my guilty pleasure for tech news, Techmeme, it seems like almost every link I click is to a WordPress-powered site. Fortunately Techmeme provides a leaderboard showing both rank and % of space a site has taken up in headlines in the past thirty days.

The list changes almost every day, but I went ahead and took a snapshot of the top 100 as of January 16th and ran down the platform for each one. Here’s how it ended up:

[Chart: techmeme-100-cms]

WordPress comes in at 43%, custom or bespoke systems at 42%, and then the others. When you take into account Techmeme’s “presence” factor, WP jumps to 48.8% of presence in the top 100, and Blogsmith, Drupal, Blogspot, Tumblr, and Typepad combined are 8.4%. If you’re curious about the raw data, here’s the spreadsheet with the platforms.

This is just a snapshot; it’d be interesting to see how this evolves over time. It’s a small slice of the world of websites, but a very influential one. I’ve actually reached out to Gabe Rivera a few times to sponsor the leaderboard page, putting a W logo next to the ones that run WordPress in the table, but nothing has come of it yet.

Thanks to Krutal, Paolo, and MT for help with this.

3.6 and State of the Word

3.6 has been released and has a groovy video to go with it:

It’s been a busy week; WordCamp San Francisco 2013 went off without a hitch. Here’s the State of the Word presentation, which covered quite a bit of material and talks about the plans for WordPress 3.7 and 3.8:

And here’s the question and answer session:

There was a pretty good summary of the presentation in infographic form. A bit more about this next week, and some more announcements in store as well.

Dear WordPress,

Has it really been 10 years? It seems just yesterday we were playing around on my blog, and the blogs of a few high school friends. Two of those friends are married, one isn’t anymore, two are still figuring things out, and one has passed away.

You were cute before you became beautiful. Wearing black and white, afraid of color, trying to be so unassuming. I know you got jealous when I wore those Blogger t-shirts. They were the cool kids at SxSW and I thought maybe you could grow up to be like them.

You wouldn’t have shirts of your own for a few more years. We didn’t know what we were doing when we made them and the logo printed ginormous. People called them the Superman shirt and made fun of them. But, oh, that logo — the curves fit you so well.

You showed the world you were growing up, and how much you cared about design and typography and other platonic ideals. You knew that open source didn’t have to be homely. I stretched myself too thin trying to get you there, and I did a stupid thing to pay for it. I hurt you, but instead of casting me away you held me closer, supported me, gave me another chance. I will never forget that. Akismet made me feel less guilty. I wouldn’t change anything, because the mistake made me understand how important it is to fly straight and take your time.

You’re so beautiful… I’m continually amazed and delighted by how you’ve grown. Your awkward years are behind you. Best of all, through it all, you’ve stuck with the principles that got you started in the first place. You’re always changing but that never changes. You’re unafraid to try new things that may seem wacky or unpopular at first.

I see you all over the world now, glowing from screens, bringing people together at meetups and WordCamps — you’re at your best when you do that. You’re my muse; you inspire me, and I’ve seen you inspire others. You become a part of their life and they become a part of yours. I hope we grow old together.

Cheers to ten years, and here’s to a hundred more.

Love,
Matt