This weekend, May 27, marks the 15th anniversary of the first release of WordPress. It is an understatement to say that I am immensely proud of what this global community has become, and what it has created. More than 30% of the top sites on the web are now powered by WordPress, I’m writing this in our next-generation editor Gutenberg, and every day I meet someone who is building something interesting on WordPress or pushing our shared project in bold new directions. If you can believe it, growth has actually been accelerating.

There’s so much: A group of high school students bands together to build a national movement on WordPress; a president builds the foundation for his own next chapter on WordPress; the current WhiteHouse.gov switches over; or when someone like Hajj Flemings brings thousands of small businesses onto the open web for the first time, with WordPress.

To celebrate #WP15, hundreds of local WordPress communities around the world will be throwing parties. Go here to find a meetup in your area.

I am thankful to Mike for helping make WordPress a reality, many dedicated folks in the years since, and to all of you who are dreaming up the next 15 years. 😄

Many in the open source world are like Moses in that they speak of the Promised Land but will never set foot there. If I spend the rest of my life working and we don’t reach almost all websites being powered by open source and the web being substantially open, I will die content because I already see younger generations picking up the banner.

I am surprised and excited to see the news that Facebook is going to drop the patent clause that I wrote about last week. They’ve announced that with React 16 the license will just be regular MIT with no patent addition. I applaud Facebook for making this move, and I hope that patent clause use is re-examined across all their open source projects.

Our decision to move away from React, based on their previous stance, has sparked a lot of interesting discussions in the WordPress world. Particularly with Gutenberg there may be an approach that allows developers to write Gutenberg blocks (Gutenblocks) in the library of their choice including Preact, Polymer, or Vue, and now React could be an officially-supported option as well.

I want to say thank you to everyone who participated in the discussion thus far, I really appreciate it. The vigorous debate and discussion in the comments here and on Hacker News and Reddit was great for the passion people brought and the opportunity to learn about so many different points of view; it was even better that Facebook was listening.

In the WordPress world, when we look back an 2016 I think we’ll remember it as the year that we awoke to the importance of marketing. WordPress has always grown organically through word of mouth and its passionate community, but the hundreds of millions being spent advertising against WP has started to have an impact, especially for folks only lightly familiar with us.

I’ve started to hear about a number of folks across many WordPress companies and industries working on this from different angles, some approaching it from an enterprise point of view and some from a consumer point of view. There’s an opportunity for learning from each other, almost like a mastermind group. As the survey says:

Never have there been more threats to the open web and WordPress. Over three hundred million dollars has been spent in 2016 advertising proprietary systems, and even more is happening in investment. No one company in the WP world is large enough to fight this, nor should anyone need to do it on their own. We’d like to bring together organizations that would like to contribute to growing WordPress. It will be a small group, and if you or your organization are interested in being a part please fill out the survey below.

By working together we can amplify our efforts to bring open source to a wider audience, and fulfill WordPress’ mission to truly democratize publishing.

If this sounds interesting to you, apply using this survey.

There’s a thread on Quora asking “I am powering a bank’s website using WordPress. What security measures should I take?” The answers have mostly been ignorant junk along the lines of “Oh NOES WP is INSECURE! let me take my money out of that bank”, so I wrote one myself, which I’ve copied below.

I agree there’s probably not a ton of benefit to having the online banking / billpay / etc portion of a bank’s website on WordPress, however there is no reason you couldn’t run the front-end and marketing side of the site on WordPress, and in fact you’d be leveraging WordPress’ strength as a content management platform that is flexible, customizable, and easy to update and maintain.

In terms of security, there are a two simple points:

1. Make sure you’re on the latest version of core and all the plugins you run, and update as soon as new version become available.
2. Use strong passwords for all user accounts. For extra credit you could enable a 2-factor plugin, use Jetpack’s WordPress.com login system, or restrict logged-in users to a certain IP range (like behind a VPN).

If your host doesn’t handle it, make sure you stay up-to-date for everything in your stack as well from the OS on up. Most modern WP hosts handle this (and updates) for you, and of course you could always run your site on WordPress.com VIP alongside some of the top sites in the world. If you use any non-core third party code, no harm in having a security firm audit the source as well (an advantage of using open source).

For an example of a beautiful, responsive banking website built on WordPress, check out Gateway Bank of Mesa AZ. WordPress is also trusted to run sites for some of the largest and most security-conscious organizations in the world, including Facebook, SAP, Glenn Greenwald’s The Intercept, eBay, McAfee, Sophos, GNOME, Mozilla, MIT, Reuters, CNN, Google Ventures, NASA, and literally hundreds more.

As the most widely used CMS in the world, many people use and deploy the open source version of WordPress in a sub-optimal and insecure way, but the same could be said of Linux, Apache, MySQL, Node, Rails, Java, or any widely-used software. It is possible and actually not that hard to run WordPress in a way that is secure enough for a bank, government site, media site, or anything.

If you wanted any help on this feel free to reach out to Automattic as well, we have a decade of experience now dealing with high-risk, high-scale deployments, and also addressing the sort of uninformed FUD you see in this thread.

If you’ve developed a major bank site in WordPress leave a link in the comments.

While at the D Conference last month I did an interview with Jason Calacanis for his This Week in Startups show, which I was actually last on in 2009. We went a little long so it was broken into two, here it is (WP Daily has an index of the questions):

Has it really been 10 years? It seems just yesterday we were playing around on my blog, and the blogs of a few high school friends. Two of those friends are married, one isn’t anymore, two are still figuring things out, and one has passed away.

You were cute before you became beautiful. Wearing black and white, afraid of color, trying to be so unassuming. I know you got jealous when I wore those Blogger t-shirts. They were the cool kids at SxSW and I thought maybe you could grow up to be like them.

You wouldn’t have shirts of your own for a few more years. We didn’t know what we were doing when we made them and the logo printed ginormous. People called them the Superman shirt and made fun of them. But, oh, that logo — the curves fit you so well.

You showed the world you were growing up, and how much you cared about design and typography and other platonic ideals. You knew that open source didn’t have to be homely. I stretched myself too thin trying to get you there, and I did a stupid thing to pay for it. I hurt you, but instead of casting me away you held me closer, supported me, gave me another chance. I will never forget that. Akismet made me feel less guilty. I wouldn’t change anything, because the mistake made me understand how important it is to fly straight and take your time.

You’re so beautiful… I’m continually amazed and delighted by how you’ve grown. Your awkward years are behind you. Best of all, through it all, you’ve stuck with the principles that got you started in the first place. You’re always changing but that never changes. You’re unafraid to try new things that may seem wacky or unpopular at first.

I see you all over the world now, glowing from screens, bringing people together at meetups and WordCamps — you’re at your best when you do that. You’re my muse; you inspire me, and I’ve seen you inspire others. You become a part of their life and they become a part of yours. I hope we grow old together.

Cheers to ten years, and here’s to a hundred more.

Love,
Matt

One of my favorite photographers, Neil Leifer, has a beautiful new WordPress.com-powered site. For the past few years I’ve had this photo in my office:

The story behind it is pretty interesting, taken from this interview with Larry Berman and Chris Maher:

Chris/Larry: It’s actually quite a different question to say what are your favorites verses what do you feel are your best photographs.

Neil: I know, and my best picture ever, in my opinion, is my Ali Cleveland Williams picture that I shot from overhead. I don’t usually hang my own photos, I collect other people’s pictures. But that picture’s been hanging in my living room as long as I can remember. I have a 40×40 print of it which is hung in a diamond shape with Williams at the top. That’s the guy that’s on the canvas on his back.

Chris/Larry: It’s remarkably abstract for a sports picture.

Neil: I think it’s the only picture in my career that there’s nothing I would do different with it. You look at pictures and think that you can always improve them no matter how successful the shoot is. Part of what motivates you to go on to the next shoot is every once in a while you get a picture, whether it’s the cover of the magazine or an inside spread, that’s as good as you think you could have made it. And then a week later you see a couple of things that you could improve slightly. A month later you might see a few more things. It doesn’t diminish the quality of that picture. It simply means that there’s always room for improvement.

Chris/Larry: You’re learning for the future?

Neil: Exactly. It’s sort of what motivates you to go on. If I were to do the Cleveland Williams Ali picture again, I would do it exactly the same. And more important is that no one will ever do it better because it can’t be done like that anymore. Today the ring is different and the fighters dress in multi colored outfits like wrestlers. Back then the champ wore white and the challenger wore black.  Today, when you look down at the ring from above, you see the Budweiser Beer logo in the center and around it is the network logo that’s televising the fight. Whether it’s Showtime or HBO, they have their logo two or three times on the canvas. The logo of promoter of the fight, Don King Presents, is also visible. That’s why that picture couldn’t be taken today. So not only did the picture work out better than any I’ve ever taken, but it’s one that’ll never be taken again.

Chris/Larry: Where are you in this picture?

Neil: I’m at 11:00 o’clock, as I remember it. I’m in a blue shirt leaning on the canvas with a camera in each hand.

It’s always an honor to have a great creator make their home on the web with WordPress.

Last week there was a serious flaw found in the code behind TimThumb, an image re-sizing library commonly used in premium themes.* Because the code is commonly embedded in themes it’s not easy to discretely update like it would be if the code were a plugin, and even when a theme is updated people are hesitant to update because they often customize theme code rather than making child themes, so if they were to overwrite their theme with a new version they’d lose their modifications. That, combined with the severity of the flaw, means that this is one of the more serious issues in the WordPress ecosystem in a while, even more than normal because it wasn’t in core.

It could have gone a lot of ways, but the incident brought out the best in the community. The core team sprang into action searching through the theme directory to inoculate any themes that contained the dangerous code. Community blogs quickly got the word out about the problem so people were aware of it. Mark Maunder, who originally discovered and broke down the problem, created a fork of the code called WordThumb that rewrote TimThumb from the ground up. Forking is not usually ideal because it fragments the market for users but Mark soon connected with Ben Gillbanks, long-time WordPress community member, and they’ve teamed forces to release TimThumb 2.0, a collaboration that exemplifies Open Source at its finest. An updated plugin should be in the directory shortly.

It also illustrated the original vision I had behind VaultPress. In addition to reporting early and emailing customers with vulnerable code, the following morning they had devised a way to go in and surgically correct vulnerable code on over seven hundred affected websites. This fixing-problems-while-you-sleep delighted users and is exactly the kind of problem I hoped VaultPress would solve for people and it underscores the core value of the service. If you’re not using VaultPress for your most important websites yet, you should.

* I originally had a long rant here, but here’s the 13-word version: I’ve seen no correlation between how much something costs and its code quality. This is getting better as more people become familiar with the coding standards of core, and PHP in general, but there is still a long way to go. If you want to avoid this in your own code, check out Theme Check and Log Deprecated Notices to start. If you’re looking for code to base your own theme on, it’s best to start with something like 2010 or 2011.

As noted on TNW and Adweek, yesterday we passed over 50,000,000 websites, blogs, portfolios, stores, pet projects, and of course cat websites powered by WordPress. I had the good fortune to celebrate this milestone with a few hundred WordPressers at WordCamp Montreal yesterday. (During my Town Hall I wasn’t aware we had passed the number until someone shouted from the audience.) It’s always fun to pass a big round number and over the weekend many libations were consumed with friends old and new, but ultimately the press has always been more concerned with those top-line numbers than we have in the WordPress community. More sites being created is a good benchmark for our adoption, but ultimately WordPress matters not for the blogs it creates but for the lives it affects. We have some huge opportunities this year, particularly around making our software more accessible to the next 50 or 500 million people who want to have a voice online, something I hope to talk more about at WordCamp San Francisco next month.

The New York Times has a pretty prominent article today called Blogs Wane as the Young Drift to Sites Like Twitter. The title was probably written by an editor, not the author, because as soon as the article gets past the two token teenagers who tumble and Facebook instead of blogging, the stats show all the major blogging services growing — even Blogger whose global “unique visitors rose 9 percent, to 323 million,” meaning it grew about 6 Foursquares last year alone. (In the same timeframe WordPress.com grew about 80 million uniques according to Quantcast.)

Blogging has legs — it’s been growing now for more than a decade, but it’s not a “new thing” anymore. Underneath the data in the article there’s an interesting super-trend that the Times misses: people of all ages are becoming more and more comfortable publishing online. If you’re reading this blog you probably know the thrill of posting and getting feedback is addictive, and once you have a taste of that it’s hard to go back. You rode a bike before you drove a car, and both opened up your horizons in a way you hadn’t imagined before. That’s why blogging just won’t quit no matter how many times it’s declared dead.

Blogging (with WordPress) is the natural evolution of the lighter publishing methods — at some point you’ll have more to say than fits in 140 characters, is too important to put in Facebook’s generic chrome, or you’ve matured to the point you want more flexibility and control around your words and ideas. (As The Daily What did in their recent switch from Tumblr to WordPress.) You don’t stop using the lighter method, you just complement it — different mediums afford different messages.

Read more: Scott Rosenberg on “Another misleading story”; Mark Evans “Why I Still Love Blogging.”