Interview with WordPress security team lead Aaron Campbell [Video]

Will Stevens

How do we keep the web secure? It's a huge question, and one that matters a great deal to both users and developers.

At WordPress, one of the people in charge of ensuring things stay secure is Aaron Campbell. He's the WordPress security team lead, and at WordCamp Europe 2018, GoDaddy caught up with Aaron to talk security, all things WordPress, and succeeding as an introvert, the subject of his talk at the event.

Here's a burning question I've had for a long time, and I haven't asked you this personally before, so this is a good opportunity for us to discuss it. And it's on the minds of WordPress professionals all over the world. So here's the question: what can WordPress professionals or site owners do to secure their website?

AC: Ah, yes. So. We can put a lot of work into making WordPress as secure as possible, and we do. The security team puts in a lot of effort to make that happen. The biggest thing that I'm seeing across the board, and we get a pretty good picture of what's going on on WordPress sites from big to small, still tends to come down to users being the weakest link in security. Not a chunk of software, not some sort of vulnerability that was just discovered and released or whatever. It still seems to be the basics that people are missing. So for the smaller sites, where it's you and you own it and you run it, the best thing that you can do is look at your own practices. Your password practices, whether they're good or not. We tend to start cheating on the basics because…

So "asdf one two three pound sign", that's not… I'm gonna have to change my password.

AC: But, you know, I mean, good passwords are long, random and unique. Those three things. It should be long, at least 20 characters; randomly generated; and unique, only ever used in one place. And so you need a password manager to be able to pull that off. So good password practices include a password manager. If it's your site you can do that, but if you're running a bigger site, the best thing that you can do is really advocate to your users to do the same thing. You see a lot of sites where good password practices aren't really enforced across the board, and that's where we see a lot of that happening. And the second biggest thing is update, update, update, update. Like, as often as you can. And for security updates, core pushes those out automatically, but only for core, not for plugins, those kinds of things. So keep on top of your site, pay attention to it. Everybody thinks it's going to be some sort of, you know, plugin they need to install or some code issue they need to fix, but really it tends to be the humans not staying on top, not putting in the effort to be as secure as they could be.

A couple of things I learned from what you just said. One is making the password unique and making it long, and what is the third one? Random.

Don't use phrases that people can figure out.

And the second thing is updating frequently. Now, I understand updating frequently happens automatically through core. Why hasn't WordPress as a project created different enforcement policies for the admin login?

AC: For like password practices and those kinds of things?


AC: WordPress takes an approach, kind of the 80/20 rule of thumb, where the stuff that's going to go in core needs to be useful to roughly 80% of the sites. Now, obviously some of that is us estimating how many people it's actually useful for, but that's the general rule of thumb that we try to use. But it needs to be flexible enough that the other 20% can still do what they need to do through plugins, add-ons, modifications, those kinds of things. And for a huge percentage of WordPress sites there really aren't multiple levels of users. There are a lot of them that are single-user sites, or a couple of users but they're both admins, those kinds of things. So it doesn't really make sense in core, but as you scale up it does make sense to have some of that added enforcement, and that's available in a lot of the security plugins that are available for WordPress.

Okay, so talking about security practices and best practices, who do you think should be responsible for educating the regular user, maybe a non-technical user, on these best practices?

AC: Everyone. Like, seriously, everyone needs to be passing along the knowledge that they have that other people don't around security on the web. It's something where, sure, I think the security team should be advocating for better security practices. Yes, I think that the core team and those things should be advocating for it as well, but so should everyone that's using WordPress. Everyone's got varying levels of knowledge around these things and can help the people that aren't quite at their level yet. And it's such a big issue, right? Talk about educating WordPress users about security and you're talking about millions and millions of people to educate, and so no one small group can handle that. I think that if everybody helps out as many people as they can, that's how we can raise the bar across the board.

So at every WordCamp there should be a security talk?

AC: Absolutely.

And at every meetup there should be a security-focused meetup? And every time you drink a beer with another WordPresser you should probably also chat about security for at least five or ten minutes?

AC: Talk to them about their long random unique passwords and make sure that they are…

And verify them by asking them exactly what they are, right?

AC: Right.

Okay, all right, so being on the WordPress security team, being the WordPress security czar as you are…

AC: Team lead.

Sure, well, it's funny you should mention team lead, so I'm curious what you've learned from being the team lead about leadership and about managing a team.

AC: Yeah. I mean, I've learned that, you know, it's… It's a challenge to manage a team, especially, you know, a volunteer team. It's more of a challenge to lead a volunteer team than any other team that I've ever led before.

Why do you think that is?

AC: Um, because you have to be more conscientious of the other things that people have to do, and… Everybody else on the security team's got a job that they have to do as well, outside of the security team stuff, and maybe even other areas of the project, so when they're giving volunteer time they don't only want to volunteer on security issues; they've got some other pet project that they want to do. But, you know, really my biggest job… To be honest, it's a fantastic team, it's really good people that are really smart about security and have a lot of historical knowledge of WordPress and its security practices. It's pretty great in that way. The biggest thing that I try to do as team lead is pick up the stuff that sucks up a lot of time, since not everyone has fully paid time to work on it, so I try to take up those things.

Okay, all right. So let's talk about somebody taking their first steps as a web developer. Let's move away from security for a bit. What do you think the first steps are when somebody decides, hey, I want to be a web developer? Maybe they don't know a lot about it. Maybe they just know that they enjoy looking at websites. Where should they get started, and how should they hone their skills?

AC: Wow. This is kind of a tough one for me to answer, because I feel like the landscape has changed so dramatically since I was there. Like, I remember being there, but the way that you can learn now is so much different; there's…

Well tell us how you got started.

AC: I mean, I got started just by being curious and viewing source on webpages and trying to copy and make my own. And it was a lot of… Well, there's a lot of trial and even more error, I guess. But, you know, you sort of slowly work your way through it, and you learn terrible practices because you copy the wrong people. And, you know, right, there's this whole thing that you slowly work through as you begin to up your knowledge that way. But now there's lots of online training that's available, you know. If you want to go the way of something like WordPress, which definitely can be a good first step in that it gives you some structure, some tooling, but still a lot of flexibility and freedom, you know, there are companies that are doing webinars and training and all kinds of stuff to help you do that. It's just been a while since I've used those, but looking around for those is definitely the way to start. Learn from the people that are actually doing it regularly.

Cool, so it's no secret that you're a big fan of the open web. You happen to be, as I mentioned before, the security czar for a project that is open source, so tell me, I'm sure you have some sort of opinion as to the future of the open web, or where things are going and what's trending.

AC: This is a dangerous question to ask me in a short interview, because sometimes I get going and I don't stop. But yes. So I think that a lot of us, just people in general, when I say us I just mean people that use the web, tend to look at the web as this fun place, this… almost a toy, and it is neat and shiny and exciting in a lot of ways, and it is chock-full of fun and funny things, you know, the cat videos and the memes that abound and the social networks and all these things. But to me the real importance of the web comes down to what it actually started for, which is the ability to share information between people. And historically, every time humans have gotten better at sharing information it's been followed by a large spike in the growth of knowledge, and invention, and those kinds of things. And so we can see the importance of sharing information, and the Internet is the most efficient, most effective information-sharing tool that has ever existed. We can share information practically instantly all over the world, and it can hold as much information as we can create. And so it has taken us, over the last twenty-eight years or however long it's been, roughly three decades, it's taken us through huge innovations in medications and science and technology and all these things, this ability to share information. And protecting that, the open ability to share information back and forth, is why I think the open web is so important. The more closed systems that we start to rely on, the more control we give them over what information can and can't be shared around. And I think sometimes the bright and shiny excitement of the web makes us miss how important it is as a tool for humans to make progress forward. And that's why to me the open web is something well worth my time to advocate for, to push for, and yes, it's why I work on a project like WordPress, because I think that it's important to the health of the web.

So to sum up what you just said, you think that the open web is important for the evolution of humanity?

AC: Yes. And that sounds huge, but yes, I think exactly that.

Cool. All right. So I have one more question for you; it goes in a different direction, but you've spoken a bit about being an introvert. And I'm curious, maybe it's a two-part question, I'm curious how that's played a part in your client work, when you used to do client work, and also in the way you interact both within the project and at the company you work for.

AC: Yeah. I think that being an introvert, and understanding that I'm an introvert, and both accepting that and learning what that means, has been really helpful to me. And part of that is understanding that introvert doesn't mean shy, and it doesn't mean anti-social; those are different things. I'm not a shy person, but I am an introvert. And so basically what that comes down to, and I like digging into the brain science behind why it comes down to it, but basically what it comes down to is it takes a lot of energy for me to interact with people. It's just that my brain is more stimulated than it would like to be when I'm around a lot of people, and so it takes more energy to function, and that's okay. Like, I still like being around people, I like talking to people, I like going to, you know, events and speaking at conferences. But it takes energy to do it, and so as far as client work, which you asked about, one of the things that I did, once I realized this about myself, is start to change from doing lots and lots of little projects that required interacting with lots of people all the time, to fewer, bigger projects that had me interacting with fewer people. And it let me expend less energy on just interacting with people and more energy on doing the things that I wanted to accomplish.

That's cool. Like, that's a cool lesson; I wouldn't have thought about that, but you're almost optimizing for your introversion.

AC: Right, I'm trying to optimize for the way that my brain works best, and everybody's brain works a little bit differently, but learning how yours works and working with it instead of against it… I spent like six or seven years basically trying to be an extrovert, because I thought that was the way to succeed in business, and I tell you what, it was terrible for me. Like, it was so hard. And it looked successful on the outside, because my business was succeeding, it was growing and whatever. But the amount of energy and effort that that took made me kind of grumpy Aaron all the time. And as I started to accept that that wasn't me, and turned and worked differently, my business still succeeded, it still grew, it still got better. But I was also happier, expending way less energy for the same kind of growth.

Yeah, so I promised you a second part to that question, but hopefully this one is a bit easier than digging into the psychology of introversion, and that is: what sort of advice would you give to an introvert as they look at really wanting to become part of a community, while understanding that becoming part of a community makes you flex that socialization muscle?

AC: Yeah. I think the biggest thing is just to stress that it takes energy to do that, to interact with people, and so just understanding that and giving yourself time to rebuild that energy. If you're going to be interacting with a lot of people, give yourself some time before, not just after, so that you have that energy built up. Be okay with just stepping away for a break, away from people. No one is going to notice if you're gone for 30 minutes during a, you know, eight-hour conference or whatever. And it will be so much better for you; it takes the amount of effort and stress that that may cause you and drops it so dramatically if you just give yourself that leeway to tend to your own mental health.

Well, hey, I really appreciate you taking the time to chat, and thanks a lot for all of your advice.