Categories
WordPress

WordPress Websites Now Only $499

Earlier this week Automattic launched “Built by WordPress.com Express,” an awkwardly named “webdesign” service.


The tagline “Real sites, built by real people.” is a good one. It acknowledges that most people who need a website are not web designers. It positions their service as an alternative to the steep learning curve of doing it yourself (with WordPress or elsewhere).

It feels a little like WordPress VIP lite (very lite!). In fact, I’m fairly certain some of the screenshots in the video are from VIP clients.

Reading between the lines, the service seems to be a layout service. You pick a pre-existing theme, provide the content and US$500 and then they’ll “do it for you.”

This is bad on so many levels! (well at least 4 I can think of off the top of my head)

Easy To Replicate

Some are speculating that this service is a desperate attempt to increase profitability for an upcoming IPO. I find this plausible.

Unfortunately, if this service proves to be a hit, it is incredibly easy for Elementor, Wix, Squarespace, etc. to replicate. Set up a network of “experts” poached from Fiverr and some minimal organization to manage the workflow.

Whether A8C’s competitors could pull it off as well with good templates, solutions that work and great support is almost beside the point. This segment of the market is just looking for a solution to the basic problem of “I need a website.”

Hard to Support

A $500 WP Express customer is going to expect the same level of support as a $500,000 WP VIP customer. Period. If the goal is raising profit, the support costs are sure to challenge that goal.

Solves Half The Problem

The design — as in the visual appearance — is only half the problem you need to solve when building a website. Maybe even less than half in many cases.

A beautiful website is useless without a cohesive content strategy. Professionally written, thoughtful content will always give you a leg up on the competition… the competition who whipped together a website for $500 without a second thought.

The marketing copy on the sales page strongly implies that your content is unimportant. Providing content is simply the 3rd item on a 5-item list, equal weight to providing your business address and sitting back and relaxing.

oof.

Devalues WordPress

This is the biggest problem.

The popularity of WordPress is built on the hard work and goodwill of freelancers. Passionate people who’ve spent the past 2 decades spreading the Gospel of Matt.

Any of these freelancers will tell you how hard it can be to convince a potential client that their website is worth more than approximately $500. Imagine how much harder this becomes when wordpress.com is setting the going rate at $500! Why would they ever hire you?

To quote @briancoords on twitter “a massive private company and also the sole entity allowed to commercially profit off the WordPress trademark devaluing WordPress could be harmful for anyone trying to earn a living anywhere at any price point.”

Not to mention that the templates themselves are kind of ugly.

This feels like a gut punch.

I’m always rooting for Automattic. But I hope this goes nowhere fast and we never hear about it ever again.

Categories
WordPress

Huge Vulnerability in WordPress 4.8

Anthony Ferrara discovered a significant security vulnerability and an even more fundamental security flaw in WordPress.

The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.

It’s worth saying that this would be a major breaking change for WP. One that many other platforms have done successfully (PHPBB did this exact thing, and went from having massive SQL Injection vulnerabilities to almost none).

WordPress has made great strides in modernizing and hardening core. I really had no idea WPDB was still in the dark ages! For shame!

Read his post for all the gory details.
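
The double-prepare problem and the statement-object fix described above, as an added Python sketch (not WordPress's or Anthony Ferrara's code). `string_prepare`, `Query` and the `posts` table are hypothetical stand-ins, and the sample rows are constructed.

```python
import sqlite3

def string_prepare(template, *args):
    """Simplified model of a prepare() that returns a finished SQL string."""
    parts = template.split("%s")
    if len(parts) - 1 != len(args):
        raise ValueError("placeholder/argument count mismatch")
    out = parts[0]
    for arg, tail in zip(args, parts[1:]):
        # Toy escaping: quote the value and double any embedded single quotes.
        out += "'" + str(arg).replace("'", "''") + "'" + tail
    return out

def double_prepare(author, tag):
    """Pass 1 builds a fragment; pass 2 re-scans it, including the user's data."""
    fragment = string_prepare(" AND tag = %s", tag)
    return string_prepare(
        "SELECT title FROM posts WHERE author = %s" + fragment, author)

class Query:
    """Statement object: template and values stay separate until execution."""
    def __init__(self, template, *params):
        self.template, self.params = template, tuple(params)

    def __add__(self, other):
        if not isinstance(other, Query):
            raise TypeError("combine Query objects, not strings")
        return Query(self.template + other.template,
                     *self.params, *other.params)

    def run(self, conn):
        # The driver binds the values; they are never parsed as SQL or template.
        return conn.execute(self.template, self.params).fetchall()

def demo_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT, author TEXT, tag TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        ("Hello", "alice", "news"),
        ("Format strings", "alice", "%s"),
        ("Private", "bob", "news"),
    ])
    return conn

def composed_query(conn, author, tag):
    q = Query("SELECT title FROM posts WHERE author = ?", author)
    return (q + Query(" AND tag = ?", tag)).run(conn)
```

With the string version, a tag value of `%s` changes how many placeholders the second pass sees, so user data has become part of the template; with the `Query` object the same value is matched as literal data.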

Categories
Tips & How To's Web Development WordPress

How to Keep Your New WordPress Site Running Smoothly

So you just launched a WordPress site for your business, everything is up and running. Pages load quickly, SEO is better than ever, you paid your development team. Now you’re all set for the next few years, right?

In an ideal world, this would be true. Unfortunately, the Internet is a dangerous place and software is not perfect. With WordPress presently powering 1/4 of the Internet, it is a huge target for hackers and internet miscreants. Left untouched, your site is almost guaranteed to become infected by malware at some point in the future.

Click “Update!”

Clicking that “update” button in the WordPress admin is the single most important thing any WordPress site owner can do. In Windows or macOS these types of security updates can seem like a pain, annoying nag messages that you always dismiss immediately. While these updates are important for desktop computers, in reality, your desktop machine is typically removed from outside attackers by 1 or 2 levels of routers. Your website on the other hand has to be accessible to the broader internet in order for the public to have access to it.

One fact that might be overlooked if you’re unfamiliar with software development is that the vast majority of security patches are in response to a reported issue. What this means is that potential attackers already have the information to create mass exploitation tools by the time you see the update notification in WordPress.

To put it another way: In my time working with WordPress, I’ve never seen a compromised WordPress site that is totally up to date with all updates.

Is It Safe?

One concern that causes many computer users to put off software updates is the fear that something will break. While this fear is not totally unfounded, most software updates are safe, most of the time. When dealing with WordPress updates, you’re looking at new code from different sources. Core updates come from the WordPress open source project; these updates are all vetted by professional developers. Plugin updates are submitted by the plugin author. The experience level of these authors varies widely; they could be hobbyists working on the weekend or large teams of professional developers.

So is it safe?

Minor WordPress Core updates are safe. The minor updates are the updates where the main version number (ie. 4) does not change. The WordPress team takes great care to ensure that updates do not break anything.

Major WordPress updates are probably safe. Again, the WordPress team has a great track record of building in backwards compatibility. So, your site probably won’t break. However there are two caveats. 1) Major features in the WordPress admin will likely look and/or act differently; 2) Some plugins may stop working.

Plugin updates should be safe, but it depends. With a few notable exceptions, most well-written plugins will update without issue. The same rule of thumb about major and minor updates applies to plugin updates: a major version update is more likely to break something. A good WordPress site developer will only install plugins that they’ve individually vetted; I never install plugins for my clients that I do not trust.

Be Proactive

A number of plugins and security solutions have started to become available for WordPress over the past few years. They are essentially virus scanners and firewalls for WordPress. By setting these up, you should be able to fend off additional threats or at the very least disable malware if it happens to make it onto your site. A Google search will reveal many good options. My current go-to plugin is Wordfence Security; I install it on all new sites. I like it because it works well out of the box and it typically does a better job finding malware than the other plugins I’ve tried.

Conclusions

As developers, I think we often do a bad job communicating the importance of ongoing maintenance and security. After all, it’s a little embarrassing to have to concede that this great product you just spent weeks of time and a good chunk of money on, is a giant bullseye for internet miscreants. It can seem like a slimy up-sell to suggest a maintenance contract.

In reality, if you’re comfortable reading and digesting release notes, you should be able to handle keeping WordPress up to date. If you’re less of a tech-DIY person, you may want to get in touch with a developer.

One more thing: Backups

Backups are always a good last resort. I didn’t mention them in this post because backups are typically a poor malware recovery solution. Two main reasons: 1) The type of malware that affects WordPress rarely corrupts content; 2) it can be difficult to pinpoint when a malware infection started, so you won’t know which backup to restore to.

Categories
Web Development WordPress

Dear WordPress Get Your 💩 Together

Dear WordPress.org,

Get your shit together!

It is 2016, there is no excuse for allowing any plugins with insecure code to make their way into the plugin directory. Full stop.

The story about Custom Content Type Management stealing admin credentials and other shenanigans is utterly pathetic. I’d bet this incident is just the tip of the iceberg.

If there is a plugin review process, I have seen no evidence of it. In my experience, plugin updates are made live immediately after updating the repo, regardless of if the plugin has a site crashing bug or a security issue.

The plugin directory situation has gotten so bad that people are starting to avoid installing free plugins.

Fix it. Please.

Sincerely,
Everyone who loves WordPress

PS. I stole the emoji graphic from the great article on The Oral History of the Poop Emoji.

Categories
WordPress

The Role of Developers in the WordPress Community

Earlier this week, influential British designer Sazzy wrote a blog post entitled The Elephant In The Room about the depressing state of freelance web design. While not directly related, her post got me thinking about the current plight of the back-end developer inside the WordPress universe.

Over the past 3 or 4 years I’ve focused my work around custom WordPress development. In that time, in spite of (or maybe because of) WordPress’ meteoric rise to popularity, I’ve found interesting backend development work in WordPress to have almost completely dried up.

I believe this is largely because WordPress is mature, stable and has little need for serious back-end developers.

Core Contributions

Earlier this year, I took it upon myself to get a patch into WordPress core. I logged into the WordPress slack daily, watched conversations and dug around TRAC to find something I could contribute back to the community.

In doing so, I came to learn that the core contribution team seems to be a well-defined clique of developers who have been there a long time. Breaking into the little club is not easy. Based on my digging around in TRAC, it looks like most feature requests are met with bureaucracy and bickering, as tends to happen in nerd forums. More serious issues are already adequately handled by long-time core contributors. The slack conversations are dominated by a few voices who really know what they’re talking about.

Don’t get me wrong, the core contribution community is not unfriendly and none of the things I encountered are bad, per se. I simply got the impression that there’s little room and little need for the average developer in the core contribution team. WordPress is mature and stable, so is the development team.

Plugins

Simply put, most common and many uncommon features/problems/use-cases have been solved by well-established, mature, stable plugins. Most of the more popular plugins are supported by businesses that have sprouted up around them. Not only that, but Automattic seems to be spending even more resources developing plugins — as we saw just this week with their AMP plugin.

A few years ago it might have been possible to start a cottage business surrounding a custom developed plugin that solves a popular problem. Something you could implement on all your development client’s sites, while selling support or premium services to the general public.

Today, those unsolved problems are few and far between.

Themes

The theme marketplace is bananas. There… are… just… so… many… themes and a lot of them are technically quite bad. But all that clients need are pretty pictures, slick demos and a low price point. It’s very difficult to sell the average mom & pop on the merits of a custom designed theme. To be honest, a lot of the time there is little value to be gained.

At the end of the day, custom themes are a non-starter for a large portion of the potential client base that the average freelance developer could expect to encounter. There are certainly cases where a custom template could be part of an overall design/branding strategy or something to that effect.

WordPress as a CMS

WordPress has always been and still is a bad choice as a general purpose CMS. But that’s a post for another day.


So, what’s left?

In my experience over the past couple of years, there are two related roles being filled by professionals who make their living in the WordPress universe.

The Expert

The WordPress Expert is someone who stays up-to-date with WordPress. They know about key features in the latest release; they maintain a personal list of go-to plugins to solve various problems; they have preferred theme vendors and know how to spot a bad theme just by looking at it; and they’re just really good at using WordPress.

The WordPress Expert can set you up with a website from start to finish, without ever touching a line of CSS or a PHP template. They act as a liaison between a clueless client and the confusing world of websites. They can troubleshoot most issues; if not, they’ll know who to call.

The Customizer

The WordPress Customizer has all the skills and knowledge of The Expert and on top of that they are usually a skilled front-end developer, with some basic back-end knowledge. They know what a child-theme is and aren’t afraid to use one.

When an off-the-shelf template doesn’t quite fit a client’s needs, the client will end up hiring a Customizer. The Customizer is able to wrangle the theme, bending it to meet the needs and wishes of a particular client.

At the end of the day, this type of customization can often be hard to maintain. Being a good customizer is not always an easy task. But The WordPress Customizer can be a reasonable solution to provide budget conscious clients a more customized website.


 

Over the years, my role has morphed into that of a customizer. I enjoy the work, but it doesn’t really scratch my programmer itch. Calling it “web development” seems like a stretch.