Robert Abela, who are you?! Please, introduce yourself!
I’ve been interested in computers since I was a child. When I was around 8 or 9 my uncle brought home an Atari, and we used to play games on it.
Since then, my interest grew, and I got my first computer (Amiga 500+) on which I used to write some basic programs.
Then the PC came (I had a 486 DX4), and then the internet. After breaking my computer too many times, I dropped out of electronics engineering school and landed my first IT job as a software tester at an international software company. 14 years after landing my first corporate job, I founded my own company, MelaPress.
How did you start using WordPress? When was it, and what were you doing with it?
I got to know about WordPress during my last full-time corporate job as a product manager at Acunetix. We needed a blog in order to document our research findings and started using WordPress.
Once we got to use WordPress, we noticed that there were a lot of opportunities in the WordPress security industry. Since we were a web application security software company, we even built a WordPress security service called Website Defender. Sadly, the product never took off, but I considered it a good opportunity for me to learn even more about the WordPress ecosystem.
All this was enough to get me hooked and that’s how the idea for MelaPress was born. Since my previous experience was in security, I started MelaPress as a security blog. We also offered WordPress security services such as cleaning hacked websites, auditing source code, hardening the security of WordPress websites and other similar jobs.
Later on, I began learning how to write code and I had the perfect use case: a WordPress activity logs plugin. I’ve always wished that website owners had such a plugin installed before their website was hacked. It would have made life much easier back then!
That was all the motivation I needed to start developing the first version of WP Activity Log. When the plugin started picking up steam we stopped providing security services and fully focused on developing WordPress plugins. The rest is history.
You have developed several security plugins. Why did you decide to focus on WordPress?
It all happened naturally.
Since my background was in application security, I had always worked for security software companies. When I discovered WordPress at Acunetix, I saw a good opportunity to get involved and do something on WordPress.
I never really looked at other CMS projects (such as Joomla, Drupal etc.) mainly because it just felt good to do something on WordPress, be involved in the community, and potentially make some new friends, which is exactly what happened.
What are the strengths and weaknesses of this CMS? Is WordPress safe? Why should people invest in a security plugin?
In my opinion, the strengths of WordPress are:
- It is very well-supported and documented
- It is backed by a big and amazing community
- WordPress core is very stable, frequently updated, and well maintained
- Thanks to the tons of plugins and themes you can build any type of website with WordPress
WordPress’s core is very secure. Most common security issues with WordPress websites are caused by the site owners / admins. For example:
- Websites are mismanaged and have unnecessary plugins installed, outdated software, wrongly assigned user privileges, weak passwords etc.
- Users without experience do not know what is necessary to keep a WordPress site secure.
Quite frankly, keeping a site secure is not rocket science. Mostly it is about following some basic security best practices.
Could you share 5 quick tips to strengthen the security of a WordPress website?
- Keep everything up to date, including plugins, themes and of course the version of WordPress. This also applies to your computer, smartphone and any other device you own.
- Assign the right privileges. WordPress user roles have a significant part to play in the overall security of your website. The simple act of assigning too many capabilities to the wrong person can have potentially disastrous consequences.
- Research plugins before installing them. Also, only install the plugins that you need. Some things to keep in mind when choosing plugins for your WordPress website are: Plugin ratings, user reviews, number of active installations of the plugin, support, developer responsiveness, and documentation.
- Hardening – there is a lot that can be done when it comes to WordPress hardening. However, you can start with some simple steps, such as implementing 2FA, improving password security & disabling what you do not need.
- Security should be part of your daily tasks. WordPress security is not a one-time fix, but a process of constantly testing your defenses and iterating on that to improve your website’s security posture.
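The hardening and password-security tips above can be applied in code without a plugin. The following is an added illustration, not code from any Melapress plugin: a must-use plugin (placed in wp-content/mu-plugins/, so it cannot be switched off from the dashboard) that enforces a minimum password policy through WordPress's own profile and password-reset hooks, turns off XML-RPC, and removes the in-dashboard file editor. The policy thresholds are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Example Hardening (added illustration, not a Melapress plugin)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

// Password policy used by both hooks below. Thresholds are assumptions for the example.
function example_check_password_policy( $password ) {
    $errors = array();
    if ( strlen( $password ) < 12 ) {
        $errors[] = 'Password must be at least 12 characters long.';
    }
    if ( ! preg_match( '/[A-Z]/', $password ) || ! preg_match( '/[a-z]/', $password )
        || ! preg_match( '/[0-9]/', $password ) ) {
        $errors[] = 'Password must contain upper case, lower case and numeric characters.';
    }
    return $errors;
}

// Fires when a profile is saved or a user is created in the admin; $user->user_pass is only
// set when a new password was submitted. Adding to $errors aborts the save.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // No password change submitted.
    }
    foreach ( example_check_password_policy( $user->user_pass ) as $msg ) {
        $errors->add( 'weak_password', $msg );
    }
}, 10, 3 );

// Fires on the "set new password" form of the lost-password flow.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
        foreach ( example_check_password_policy( wp_unslash( $_POST['pass1'] ) ) as $msg ) {
            $errors->add( 'weak_password', $msg );
        }
    }
}, 10, 2 );

// Disable what you do not need: XML-RPC is rarely required on a modern site and is a
// common target for credential guessing, so switch it off unless something depends on it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the theme/plugin file editor so a hijacked admin session cannot edit PHP from the
// dashboard. Usually set in wp-config.php; defining it here works because mu-plugins load early.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

Two-factor authentication is not shown here because it needs a second-factor enrolment flow; a dedicated plugin such as WP 2FA covers that.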
Let’s focus on your plugins: Why did you create WP Activity Log?
I got the idea back in the days when I was cleaning hacked websites. I thought that logs are vital to manage a website, but are also useful during forensic work, where they can help you understand what happened and what was exploited.
Since WordPress does not have any logs, I started developing WP Activity Log. As of today we have six plugins, all of which focus on WordPress security and user management.
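To show why hooks make an activity log possible even though WordPress core keeps no such log, here is an added example of a minimal must-use plugin that records security-relevant events as JSON lines. It is an illustration written for this page, not WP Activity Log's own code; the log path is an assumption and should point outside the web root to a file writable by PHP.

```php
<?php
/**
 * Plugin Name: Example Activity Log (added illustration, not WP Activity Log's own code)
 * Writes one JSON line per event so the file can be shipped to a central log system.
 */

// Assumed location; keep it outside the web root so it cannot be fetched over HTTP.
const EXAMPLE_LOG_PATH = '/var/log/wordpress/activity.log';

function example_log_event( $event, array $data = array() ) {
    $entry = array(
        'ts'    => gmdate( 'c' ),                 // UTC timestamp, ISO 8601
        'event' => $event,
        'actor' => get_current_user_id(),         // 0 when anonymous or during login itself
        // REMOTE_ADDR is the proxy's address when a reverse proxy is in front of PHP.
        'ip'    => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'data'  => $data,
    );
    // error_log() with type 3 appends the message to the given file.
    error_log( wp_json_encode( $entry ) . PHP_EOL, 3, EXAMPLE_LOG_PATH );
}

// Successful and failed logins: the basis for spotting credential guessing.
add_action( 'wp_login', function ( $user_login, $user ) {
    example_log_event( 'login_success', array( 'user' => $user_login, 'uid' => $user->ID ) );
}, 10, 2 );
add_action( 'wp_login_failed', function ( $username ) {
    example_log_event( 'login_failed', array( 'user' => $username ) );
}, 10, 1 );

// Privilege changes: who was promoted, from which roles, by whom (the actor field).
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    example_log_event( 'role_changed', array( 'uid' => $user_id, 'new' => $role, 'old' => $old_roles ) );
}, 10, 3 );

// Plugin activation/deactivation and new accounts: typical post-compromise changes
// that forensic work needs to reconstruct.
add_action( 'activated_plugin', function ( $plugin ) {
    example_log_event( 'plugin_activated', array( 'plugin' => $plugin ) );
}, 10, 1 );
add_action( 'deactivated_plugin', function ( $plugin ) {
    example_log_event( 'plugin_deactivated', array( 'plugin' => $plugin ) );
}, 10, 1 );
add_action( 'user_register', function ( $user_id ) {
    example_log_event( 'user_created', array( 'uid' => $user_id ) );
}, 10, 1 );
```

Because an attacker with admin access can also delete a local file, the log is only trustworthy for forensics if it is forwarded to a system the site's own accounts cannot modify.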
- WP Activity Log: a comprehensive real-time user monitoring and activity log plugin that helps thousands of WordPress administrators and security professionals keep an eye on what is happening on their websites.
- Melapress Login Security: this plugin allows you to configure strong password policies for your WordPress website and multisite network.
- WP 2FA: a dead-easy-to-use two-factor authentication plugin with which you can harden the security of your WordPress user login within just seconds.
- Website File Changes Monitor: a file integrity monitor plugin with an exclusive smart technology that recognizes WordPress core, plugin and theme changes, so it doesn’t raise false alarms for legit file changes.
- Admin Notices Manager: this plugin manages the admin notices in your WordPress dashboard. The idea is simple: to have a distraction-free dashboard, read the admin notices at your own convenience, and never miss an important WordPress core or developer message.
From time to time people ask us why we develop single purpose plugins instead of one “generic” security plugin. One of the reasons is for ease of use. Generic security plugins can be a bit overwhelming to users.
When you develop a single-purpose plugin you can specialize in that area and focus on building more robust features, which of course is good for users with specific needs. This is the same with everything else. Let’s use the smartphone camera vs. DSLR analogy as an example; even though nowadays most phones have good cameras, you can’t compare such a camera to a DSLR, because no matter how good your camera phone is, it will never have the versatility, features and options of a digital camera.
How do you see WordPress evolving in the future?
WordPress started as a humble blogging platform, and today it is used for blogs, websites, e-commerce solutions, and also as a backend solution for many web projects.
Its market share is also growing rapidly, so the future is definitely interesting.
The more widely adopted it gets, the more interest there is in it. This means more businesses will invest in the WordPress ecosystem, which typically leads to more innovation, new products and new ways of using it, more integrations and above all, a more secure WordPress.
What about WP Activity Log?
This year we are focusing on refactoring the core of the plugin and its features. On top of that, being an activity log solution we are also focusing on integrations, something that larger businesses require.
For example, writing logs to third-party solutions, integrations with solutions such as Splunk, and central logging systems.
On top of that, we also have an interesting roadmap for all the other plugins, especially WP 2FA. This year we will be adding a lot of new features, so stay tuned!