WP Product Talk
Making WordPress Products Fast and Safe

Show Notes

Hello WordPress Product People! Get ready for another fun episode of WP Product Talk! This week, we're chatting with Remkus de Vries, WordPress performance and security expert. Remkus is a seasoned WordPress pro and a cornerstone of the global WordPress community. Remkus will discuss tips and insights on "Making WordPress Products Fast and Safe".

Remkus will share tips on developing your WP plugins with performance and security in mind. In this episode, Remkus shares his tips on making great WordPress tools. He uses real stories to help explain his ideas. Whether you’re new to WordPress or have been doing it for years, this chat with Remkus is sure to be helpful. Come join us for a fun talk about creating successful WordPress products! WP Product Talk is a weekly podcast designed with WordPress product owners in mind.

ep31-WPPT-2023-06-29-Security-Performance

[00:00:00] Katie: Well, welcome everyone. This is WP Product Talk, the place where every week we interview an experienced WordPress product owner on strategies, tips, experiences, failures, and successes of running successful and thriving WordPress product businesses. I'm Katie Keith, CEO at Barn2 Plugins.

[00:00:38] Matt: And I'm Matt Cromwell, co-founder of GiveWP and Senior Director of Customer Experience at StellarWP.

[00:00:44] Katie: And today's topic is developing your WordPress product with performance and security in

[00:00:49] Matt: mind. I'm excited to talk about this subject because it has definitely been a pain point, uh, as a product owner for quite a while, and I hope, I believe that most [00:01:00] folks listening in probably can relate to that. Um, and I feel like it's something that we all should be talking about a lot more personally.

[00:01:07] Matt: So,

[00:01:08] Katie: yeah. And joining us today to talk about all that is Remkus. So, um, remember to comment on YouTube if you're watching there, and also you can comment on Twitter using the WP Product Talk hashtag. So please leave your comments live and then we can answer them as we go through the show.

[00:01:28] Matt: Welcome, Remkus.

[00:01:29] Remkus: Thank you.

[00:01:30] Matt: Great to be here. Thanks for being here. Hey, you know what, I've introduced you in a couple different formats, but how do you introduce yourself? What do you call yourself and what do you do?

[00:01:41] Remkus: That's a good question. I try to avoid calling myself anything specific, to be really honest.

[00:01:46] Remkus: This is gonna get philosophical real quick, but, I'd like to be more than whatever role that I have. Um, but if you were to ask me like, what is it you do inside of WordPress and, and that sort of thing, that's an easier answer. [00:02:00] Um, I, I focus in on the performance side of, uh, any WordPress site, WooCommerce.

[00:02:07] Remkus: Uh, when I say performance, I, I actually mean business performance. So that's the actual web performance, but that's also technical SEO. Um, that's things like conversion, security, um, all the things that help a site owner make, uh, more money with their site, essentially.

[00:02:27] Matt: Excellent. Well, that's why you're here.

[00:02:29] Matt: So thanks for being here.

[00:02:31] Katie: Yeah. And that's a wide definition of performance, so that's really interesting. Yeah.

[00:02:35] Remkus: Yeah. So I, I started with, um, web performance in as a, as a first thing because it's the most obvious one. But, um, upon reflection and talking it over with few other people in the, in the field that, um, The way that I look at it is, it, it's, it's not just one thing.

[00:02:55] Remkus: There are multiple facets to what is actually performance. And [00:03:00] I, I'd like to see that the whole is treated as a whole instead of, lemme just make it faster. Because you can make it faster and you can kill conversions. Um, you can make conversions a lot better and make it a a heck of a lot slower. Um, and technical SEO is, I guess, something that you'll always have to do.

[00:03:18] Remkus: Um, for those who don't know what technical SEO means, it is that part within SEO where you essentially take care of the, um, the, the, the technical health of the site, right? So no 404s, no 301s when, when it's not needed. Uh, but also make sure everything is loaded when it's supposed to be loaded.

[00:03:39] Remkus: And, you know, the, the whole thing that you present is, um, um, Uh, as optimal as it's supposed to be. Um, I, I got back cuz I saw Ryan Duff's comment, but, uh, trust me, Ryan, it's red, uh, on this side. Extremely.

[00:03:57] Matt: Is there a comment? Is that on Twitter? Yeah. Where are we [00:04:00] at? Um,

[00:04:01] Katie: he said, yeah, I just said that you must have beauty mode enabled.

[00:04:04] Remkus: Yeah, no, it's, it, the back of my head and the side is, uh, I'm scorched so.

[00:04:12] Matt: Yeah, thanks for being here anyway, despite the, uh, not so fun sun experience. Yeah, no worries. Which is ironic cuz Katie's in Mallorca and she's in better shape than you. But what's going on in, uh, Netherlands? I, I spent

[00:04:26] Remkus: two days outside. Uh, you don't go

[00:04:28] Katie: outside all day. You just don't do it.

[00:04:30] Remkus: Yeah. Not enough protection.

[00:04:33] Remkus: Um, little, little caught by spouse. So my only, Slight, piece of happiness there is that I'm joined in this pain by my whole crew who were organizing with me. So we're all burned, we're all toast, we're all, have been seeing better days.

[00:04:47] Matt: Nice. Cool. Well, we like to kick off these discussions with why this subject is so important for WordPress product owners in particular.

[00:04:58] Matt: So, that's the [00:05:00] question, and I think, uh, Katie looks like you're up first. What's your thought on this?

[00:05:05] Katie: Well, I would divide it into the importance in terms of marketing to grow your own product company and to help with customer success for your customers. Because as product owners, we've got our own websites where we need to think about performance and security, and also the impact of our products on our users.

[00:05:25] Katie: So in terms of our own marketing and websites, performance, as Remkus already said, is important for SEO and that side of things. And also any security issues with your own website can get you de-ranked as well as causing reputational damage, um, which is hard to recover from. So, there's lots of direct business reasons for that, and with your customers as well, when they're using your products on their own WordPress sites.

[00:05:51] Katie: If a plugin slows it down, then you are likely to lose the customer, get extra support tickets, complaints, bad reviews, all of those negative things. [00:06:00] And also, if it's slow, then the customer is less likely to renew in the future, if indeed you've not refunded them initially. So customers really expect good performance and hate plugins or themes that slow down your site.

[00:06:13] Katie: And of course, if you have a security issue in your plugin itself or your theme, then that has a lot of implications as well as the risk it places on your customers' sites and the damage to them. It damages you as a company, because that needs to be reported and, um, all

[00:06:30] Matt: of that. Yeah. Yep. Oh, absolutely.

[00:06:35] Matt: Um, Remkus, what's your take? So

[00:06:38] Remkus: reputation management is probably the most important one. I'd go as far as saying that understanding what the actual full implications are, and Katie gave a good list of all the things that touch this topic, I would summarize them under the main bracket of reputation management because, ultimately you are selling products, right?

[00:06:56] Remkus: So your end client really depends on you to [00:07:00] know what you're doing. it's very important to understand that whatever you are offering as a product owner has to be working in an environment where there's lots of other different, solutions working alongside yours. So there's obviously compatibility sort of thing.

[00:07:14] Remkus: But the most important thing is to fully understand you are a cog in the larger wheel of somebody else's success. And it's easy to forget that that's the actual place that you have. So yeah, reputation management means you make sure that whatever you're putting out there is secure, is fast, as performance is thought out, and all of those things does what's advertised it's supposed to do.

[00:07:38] Remkus: Um, and, and I guess, um, I think, I think the whole, the whole point of this is understanding, uh, The full impact of what your service offers. So I'll give you an example of, of something, uh, I won't name it the, the plugin specifically, but there's a client of mine who has a, [00:08:00] um, a very large interconnecting plugin with WooCommerce and every other release there is a bug.

[00:08:09] Remkus: Mm-hmm. And sometimes the bug means I can't exclude products on this, or I can't do this, or, and it's weird little things. And. Yeah. Even though the plugin, when it works works wonderfully, those little bugs make it annoying. And, and then the nice thing is they are very conscious of performance. So that part works great.

[00:08:29] Remkus: There's a lot of stuff you can, um, you can screw up on the front end when you're adding stuff to WooCommerce, cuz it's, it's very easy to make a WooCommerce site slow. Um, and they're taking great care of that part. But then there's the little bugs that go, Hmm, why? It's a shame because for me, that's reputation damaging.

[00:08:48] Remkus: Um, mm-hmm. And I, I, I feel for a lot of, um, I'm being very, uh, generic here, but there's a lot of, uh, product companies still not [00:09:00] fully understanding what their position is and what they actually need to do to make sure, um, what their, what their service is promising to do is not just the service itself.

[00:09:12] Remkus: It's the whole thing that. It falls into, hmm.

[00:09:17] Matt: I like that. Yeah, no, no, it's really helpful. I like that, um, the way you said it, uh, in terms of you're a cog in the wheel and the success of your clients or your customers. Um, yeah, I think that's a good way to couch it and think about it. Um, for me too, like it's definitely the best way to show that you are very customer-centric because of the way in which everything you do.

[00:09:41] Matt: Impacts, um, your customer websites and as like, like you're highlighting right now, the, you know, if whatever you have in your plugin or your theme or your product, one form or another, it negatively impacts your customer, they're gonna be the first one they come to for sure. Like no question [00:10:00] about it as a support person, it's like, Yeah, I hear about it all the time.

[00:10:03] Matt: Um, and, uh, I, I really do think that, um, being intentional about, uh, security and performance is what it takes, uh, in, or is one of the things, one of the most important things to show a customer centric, uh, mindset. Um, and I do think WordPress products in particular always have to be customer centric as much as possible.

[00:10:24] Matt: Yeah. Um, it's something I hope that we talk more and more about, uh, on the show here. So, Um,

[00:10:30] Remkus: if, if I'd like to, if, if, if I can hook into that. Um, yeah, there's, um, Uh, I forgot the name, but I, I guess it doesn't really matter. But there, there, there's a, um, there's a developer who started to develop plugins for the sake of I wanna start earning an income outside of what my current job is.

[00:10:50] Remkus: Started thinking about gaps in the market, figured out, uh, a couple of plugins, built them, sold them, and is doing great. And he said it wasn't until [00:11:00] like a couple of years in when he already switched from, Um, uh, being, uh, employed to being self-employed and, you know, the, the plugins were doing really well.

[00:11:10] Remkus: It, it wasn't until a couple years in that he realized that he started because he wanted to make money and, mm, less so about wanting to solve a problem. Helping the end customer. And he said when he made the switch in terms of, okay, I'm not just doing this to make money. Yeah, yes, of course I make, I wanna make money, I want to provide for my family and all of that.

[00:11:30] Remkus: Of course he said, but I then started to catch the bug of I want to solve the problem for my clients the best way I know how. Mm-hmm. And that was a, uh, if I, if, if the name pops me back up in my head, I'll, I'll, uh, I'll, I'll mention it. But, um, I, I heard that and I was like, of, of course that made a huge difference because mm-hmm.

[00:11:53] Remkus: Just providing a service is not the same as wanting to solve somebody's problem. Yeah. Uh, [00:12:00] and for a lot of people, performance and security and scalability, those are real problems. So, Yeah.

[00:12:07] Katie: Yeah. That mindset does really help because when you're thinking about the customer first, those things become priorities.

[00:12:13] Katie: Yeah. Even though they don't necessarily contribute directly to the bottom line. And that fits in with other, um, non-essential things that are really important, such as accessibility as well. If the customer comes first, you invest in all of this. If the profit comes first, you might do, but you are making a very different calculation.

[00:12:32] Katie: You're, you're,

[00:12:33] Remkus: you're gonna go for the 80% Right. And, and you'll miss out on the 20. And, um, um, uh, Mr. Pareto was, uh, was quite, was quite accurate, saying that the last 20% requires a lot of extra effort. But the, the yield is also quite big, right? Because the reputation management starts with the 20% extra.

[00:12:50] Remkus: Mm-hmm. Cause the bulk of the, of the clients are, she's gonna come anyway because you solved the largest problem for them.

[00:12:56] Matt: Yep. And one way in which this I think kind of played [00:13:00] out publicly in the WordPress space was um, when Google really started clamping down on performance as a key indicator for search results.

[00:13:08] Matt: And the one that got hit the hardest by that was Elementor. So, Um, Elementor really had to be like, oh my goodness. Like, we really are actually making sites really, really slow. Um, and it took them a long time to actually, uh, turn their product around so that it was more performant and started adding things in there that actually helped, uh, that, and it, it still, I honestly think they have still a ways to go on that front.

[00:13:34] Matt: I think they have very long, I think they got, yeah, I feel, I feel like for a long time though, they got hit negatively, uh, on the reputation management front. Yep. Because it just, they, nobody could see them taking that issue seriously. Nobody noticed any serious, they made designers happy.

[00:13:51] Remkus: Say it again. They made designers happy.

[00:13:53] Remkus: They made, mm-hmm. Um, whatever we call the category that installs. Uh, Elementor and then configures the site. [00:14:00] Um, inside Elementor, they made that crowd very happy cuz it was very easy to use. Mm-hmm. Yeah. But it's, it's missing out on a huge crowd. It's missing out on a lot of usability and it's missing out on a lot of opportunity.

[00:14:13] Remkus: Yeah.

[00:14:14] Katie: Yeah. And that's hugely important for page

[00:14:16] Matt: building. I think they made improve the biggest, but it's taken a while.

[00:14:20] Katie: All, all customers are thinking about performance with page builders in particular, aren't they? So if you're not performing as a page builder, that's a real issue, whereas some other plugins, maybe people don't directly think about it.

[00:14:32] Remkus: Yep. Well, it's, it's nice that if you, if you look at the performance side of things, of, of solutions happening in WordPress and injecting themselves in, in your site, uh, if you run any, um, uh, Lighthouse report, uh, then you'll see whenever you're having too many layers of divs just narrowing down to that one little button that you're using.

[00:14:55] Remkus: You know, that doesn't make a lot of sense because ultimately that is a, a, [00:15:00] a performance thing that has an impact in your browser. Um, we can't ignore it. But the, the, the better approach is you don't, you shouldn't want to ignore it. You should want to fix it. Like, how, how can I do this smarter? And, uh, them switching to a flexbox, uh, approach is, is a, is a good switch, but there's still a lot of stuff that they can do to become more performant, to become the smarter solution.

[00:15:26] Matt: Yeah. Absolutely. I think, uh, I'll wrap up the important side with, uh, my only other take is it definitely is the biggest risk involved in being a distributed product, um, when you don't get this right, when you don't get performance or security, right? It. Goes badly, um, in really bad ways. There's lots of different aspects of distributed products that, that you might not have the perfect, um, uh, uh, implementation of.

[00:15:58] Matt: Uh, it might not have the greatest design or [00:16:00] whatnot, but when you get performance and security wrong, uh, it comes back to hit you really, really hard. Um, so yeah.

[00:16:09] Remkus: It it does. And, and it, it happens all the time.

[00:16:14] Matt: Yeah. Um, moving into story time, uh, we wanna talk a little bit about our personal experiences with this subject.

[00:16:23] Matt: Um, and, um, I'm up first it looks like, um, a couple different things. I feel like I have been on the receiving end often, uh uh, unfortunately. Um, one of my favorite stories on this front though happened early in the GiveWP history. Um, there was this instance where, uh, the make.wordpress.org um, had documentation for how to implement a certain filter.

[00:16:56] Matt: I'm not gonna remember what that filter was. Um, but, um, [00:17:00] uh, it was, it was a commonly used filter in a lot of plugins. Um, and the documentation, um, said, here's a snippet on how you can leverage this filter. And a lot of plugins, Give included, Yoast included, others included, uh, used that snippet, um, and, uh, distributed their products with it.

[00:17:20] Matt: And then it turned out that that snippet specifically, um, had a security vulnerability that made a website vulnerable to, uh, uh, hacking. Um, and it came out, um, to the .org team. And what they did, I thought was really, really smart. They're like, this isn't a plug-in vulnerability. This is a, like a documentation setup.

[00:17:42] Matt: Like we, we all of a sudden distributed some vulnerable code to a whole bunch of users across a whole bunch of products, and how can we get a patch out, not just for one product, but for all of them that might be impacted? Mm. Um, And so they started reaching out to individual [00:18:00] plug-in owners, and the plug-in owners all started coordinating together, um, behind the scenes to launch their patches, um, all at the same time, uh, so that the vulnerability could then be discussed publicly.

[00:18:15] Matt: With the patches in place. Um, there were, I think over 30 different plugins, um, that all coordinated together, and I think there were a lot more than that, that were impacted. Um, but it was a really cool example of like in this specific, uh, use case where we are all different companies with different products, um, having to coordinate around one

[00:18:39] Matt: Particular vulnerability, um, how we all came together, um, in order to basically enforce a responsible disclosure, um, and, uh, and to be able to patch and release all, all responsibly as well. Um, it it, it is one of the, one of the fun little quirky highlights, I think, uh, personally. [00:19:00] So how

[00:19:00] Katie: did they know who was using it?

[00:19:02] Katie: Because it is just something you've taken from the documentation. You didn't have to register that you were using

[00:19:07] Remkus: it. No, you can scan the directory. Yeah. There's ways to scan, yeah, scan

[00:19:11] Katie: plugin. So it's only the wordpress.org plugins that they would've known about then and premium ones they

[00:19:16] Matt: wouldn't.

[00:19:17] Matt: Yes, that's right. Yeah. Okay. And yeah, you're right. At that time, if you were a premium plugin that had that vulnerability, you probably wouldn't have found out about it until it was made public. Um, so, which, which is, you know, a bit of an issue too. So scary. But like what it was, there was no other way around it.

[00:19:37] Matt: Um, honestly, um,

[00:19:40] Remkus: reminds me a little bit about the, the TimThumb. Um, mm-hmm. Spectacle, I would always say. Mm-hmm. For those who don't know, TimThumb was a, uh, drop-in library sold, or, um, shared in a lot of, uh, themes, uh, premium themes [00:20:00] mostly. Uh, and it would take care of, uh, automatic, um, featured image sizes and stuff like that.

[00:20:06] Remkus: Mm-hmm. Uh, and there was a huge vulnerability in it. Uh, actually a, a couple. Right after, uh, the next one. Um, and it had a similar problem, like it was mostly in premium themes. Yeah. How are you gonna solve that one? Um. Mm-hmm. It was a huge, huge risk, uh, to, to have it activated. Cuz essentially if you had it on your site, you were going to get hacked.

[00:20:30] Remkus: That is, yeah.

[00:20:32] Matt: Probably because it was easily scannable about whether or not you had that library. Yeah. Very easy. Yeah. I think it, honestly, TimThumb was one of the big things that gave WordPress a bad reputation for security. Honestly.

[00:20:46] Katie: It was so, so widely known, wasn't it? People were talking about that as the example.

[00:20:52] Matt: Yeah. Yeah. Another example is actually only happened this week, which is kind of a different, uh, [00:21:00] uh, issue. Um, it came to light. There was a, there's a woman, a blogger who recently had her Stripe API keys exposed publicly in one form or another, and somebody took her Stripe API keys and was able to leverage that to, uh, make charges against her account and even to like set up other accounts, which was a little bit, um, I was a little bit skeptical about some of the details of the story, but, um, she reported to have lost over $70,000 in revenue and Stripe would not do anything about it because it was her Stripe API keys.

[00:21:34] Matt: Um, and so some folks started asking around with different products who, um, who leveraged Stripe, like GiveWP, like Gravity Forms, like WooCommerce, like whether or not we are storing the Stripe unrestricted API keys in the database or not. Um, which generally speaking, we all do, uh, for sure. Yeah. Um, and, um, it's because that's the way you [00:22:00] communicate with Stripe.

[00:22:00] Matt: Now there might be other ways that we can leverage the Stripe API, um, that might be different. Like we could try to do some sort of encryption of the API key. Um, but decrypting it on the fly is pretty challenging too. There's some things we're talking about and thinking through in order to improve that, but the

[00:22:19] Matt: It's, we are not considering it currently super high risk because it requires that somebody hacks your whole entire site to get access to those keys in the first place. Um, and some of the folks reporting on it seem to feel strongly, um, that having the API keys in your database is, is a vulnerability. I don't believe it's actually a vulnerability.

[00:22:43] Matt: Um, technically it is. For the, I mean, your database is made, yeah, for storing this type of data. Sure.

[00:22:50] Katie: With theoretical vulnerability that is dependent on the existence of other vulnerabilities.

[00:22:56] Remkus: Yep. But the, to expose it, the only way to mitigate this is to hash, [00:23:00] to have it indeed, uh, hashed. That is the only way.

[00:23:02] Remkus: It's not a vulnerability, but having any type of credentials in, um, In your database is technically a risk. And I, I say this coming from, uh, having worked at a large insurance company, um, for mm-hmm. Many, many years. And, um, they look at, uh, what is the vulnerability a little bit more, uh, with a very sharp edge of this is, and this is not.

[00:23:24] Remkus: And this most certainly, it was one of those.

[00:23:27] Matt: Mm-hmm. Yeah. Like even like the WordPress user password is, is MD5 hashed, for example? Yeah. Which

[00:23:34] Remkus: is, which is probably something that, uh, uh, we should consider as, uh, as a low entry, um, encryption.

[00:23:41] Matt: Mm-hmm. Yeah. I know there, there are MD5 hash farms out there that are always trying to figure out Yeah.

[00:23:47] Matt: Um, their equivalent passwords and things like that, but still, yeah. And,

[00:23:52] Remkus: you know, understanding how fast things are going in terms of computer power, uh, available to us. Um, just a simple [00:24:00] example of, uh, if you have a MacBook, the latest version, what is it? The M2 Max Pro, I forgot the exact, uh, naming, but if you compare that to what was available three years ago, it is so much faster.

[00:24:12] Remkus: Mm-hmm. And if you extrapolate that to what the supercomputers are doing and all that, then it's just a matter of time there. The email of it, it to being guessed or, um, decrypted is just getting easier and easier. So, yeah. Um, but, you know, passwords is a whole nother thing that, uh, we need, probably need to solve better, but that's, that's a tough thing to solve.

[00:24:34] Remkus: Inside your plugin, what you can do is have, uh, large hashed, um, um, Ways of, of saving whatever credentials you have. But that's, that's a horrible story. Losing, losing 70 K over. Yeah. Exposing your, um, your payment provider's keys. Yeah.

[00:24:54] Matt: I think the, the point that you're highlighting as well is that security, let's just [00:25:00] say security performance is another one, but like, security is not an all or nothing.

[00:25:05] Matt: It's not a Yes no. Um, there's a scale or a, a, a wide range of, of, um, security concerns, um, or security risks. Um, and it's not like, oh, well, Now that means you're not secure, uh, or now it means you are. Um, no,

[00:25:23] Remkus: it, it highly depends on the, um, the skillset of the, of the perp. Like how much effort are they willing to put in?

[00:25:33] Remkus: Um, but finding vectors is surprisingly, uh, easy to do. And then it's just a matter of which one is the, the one I can find an entrance. And from that entrance, what can I then happen to make, uh, make happen on, on, on the next level. So if you, if you ever read, um, The day. Every now and then there's a, there's a security researcher who publishes how they discovered a, a certain bug, right?[00:26:00]

[00:26:00] Remkus: If, if you've never read those, uh, as a product owner within WordPress, um, It's an incredible eye opener in terms of the amount of layers they are stacking on top of each other, just to figure out if there is an entry. And sometimes that's buffering and sometimes that's just coming up with weird combinations of URLs that they're just gonna try and see if does something, allow something.

[00:26:25] Remkus: Um, but these write-ups are, are a good indication to, um, to have, you know, good wrong word, are, are a great way to trigger you into, oh crap, there's a lot more they can do that I've just never thought about. Which then helps you produce better code, because that's ultimately why they, uh, they publish what they publish, what they do.

[00:26:50] Remkus: Um,

[00:26:53] Remkus: I think if you start looking into these, you'll be amazed of the. The stuff out there. Um, [00:27:00] oh, absolutely. It's scary. Uh, security is a very, very, very fluid concept in terms of, it just starts with the person trying to get into your site. How skilled are they? How much money and time they want to throw at it.

[00:27:15] Remkus: Mm-hmm. Um, Yeah, it's, it, it's, it's a little, you should treat it as a scary world cuz it is. Mm-hmm.

[00:27:22] Matt: Absolutely. Is that the

[00:27:23] Katie: most common way in, do you think people manually trying to, um, penetrate the site or, uh, cuz I, you kind of hear about people doing it in a more automated, um,

[00:27:34] Remkus: way. They're doing it automated because they are aware of, uh, of a plugin.

[00:27:38] Remkus: Uh, having a large security flaw, which if it's a zero day thing, it's, it's super, uh, super important. But there are small plugins that are just slow in releasing and somebody else is like, you're being too slow and they're publishing the route, how to get in. And once you have a route, you can script it. Um, and that's a, that's a, that's an easy way to, uh, [00:28:00] bulk scan sites.

[00:28:01] Remkus: Right. So you just. You just start with one site and just spider through, just like, uh, Google does, for instance. And, um, um, I, I, I learned from a researcher that it's, there's a surprisingly high number of hacks happening just because they happen to be on your system already. So just key logging and.

[00:28:23] Remkus: Nothing more than that. Um, if you're running old Windows machines and you haven't ever patched up, there's a very high chance you have a key logger on there. Now, the, the question is, how malicious are they? How, how far are they willing to go? So browsers, obviously, if you have those up to date, you, you already solve a lot of problems.

[00:28:42] Remkus: But stuff like that is just, um, uh, You know, if you're not aware of what those uh, options are, then there's no way you're ever gonna find solutions to mitigate that. So this is something you need to educate yourself on in terms of what are ways that I, you know, [00:29:00] unintentionally open the door or maybe just remove a couple of layers just by me being smart about something, which I am not aware of, what that impact is on, on a, on a different subject within coding.

[00:29:16] Remkus: It's a very interesting field, uh, for sure.

[00:29:17] Matt: Mm-hmm. Katie, what's your experience at Barn2 with, uh, performance and security in your plugins? Yeah,

[00:29:27] Katie: I'm gonna talk about performance rather than security because. While we put security kind of as a priority in the coding and everything, we've never had a reported vulnerability amazingly, in any of our plugins.

[00:29:40] Katie: So I don't have any stories around that. Um, with performance, we have a plugin, which is interesting because almost by definition it can cause performance problems by the nature of what it does. So this is, um, um, um, our all-time biggest selling plugin, WooCommerce Product Table, which takes your products [00:30:00] and puts them in a table or order form with many products per page.

[00:30:05] Katie: And normally in WooCommerce, you might have nine or 12 products on the page, but the product table plugin, we'll have more than that. And it will also have additional data, which isn't normally loading on the shop page, such as variations. And each product can have dozens or hundreds of variations. And in our product table, by definition, each of those is loading, and each variation takes roughly the same amount of time to load as a whole product, like a simple product.

[00:30:33] Katie: So even if you've got like a 20 very product table with five variations, Per product you've timed, you know, 20 times five, you've got a lot of products on the page, and that's the nature of the plugin and that's what people love about it because it's really quick way for the customer to buy lots of products and all of that.

[00:30:53] Katie: But of course, a lot of our support tickets are about performance because, By the very nature there, a lot of [00:31:00] data's loading in one place. So we've always had this kind of conflict and contradiction, um, as the authors of this popular plugin and, uh, people saying, oh, I want it to load faster. And we've introduced various things to speed it up.

[00:31:15] Katie: So, um, the main thing is we've introduced a lazy-load option, which loads one page of the table at a time. So if you've got pagination with like 10 pages of a table, then only one will load and it loads after the rest of the page. Um, and so we advise people to do that, but that's not as good in many ways as the standard method of loading it with the rest of the page because there are some limitations in terms of how it retrieves data from the database and the searching is limited, for example.

[00:31:46] Katie: And so there is some functionality that doesn't work in lazy load, so we haven't come up with a perfect solution, which I think is a relevant point to make regarding performance: that sometimes something does take [00:32:00] time to load and you have to do everything you can, but sometimes you do have to say to the customer, think about how you are using this product.

[00:32:07] Katie: You are telling it to display a huge amount of data, and maybe you need to kind of use it differently, which I kind of hate having to tell customers because you just want it to work. But we haven't found a perfect solution to that one. Um, and it's, we've been going through this for like, uh, seven years with this product and constantly looking for opportunities to improve performance, but we are never gonna get it perfect on that one.

[00:32:33] Katie: Mm-hmm. Which is a challenge.

[00:32:35] Remkus: There are ways.

[00:32:38] Matt: Have you asked Remkus what he thinks, to hire him?

[00:32:43] Remkus: So this is a good example of something that happens, especially in WooCommerce, but it's, it happens with many plugins where they just need to retrieve large data sets all the time. Um, there, there are ways, uh, but it always comes with a cost.

[00:32:57] Remkus: And then, you know, [00:33:00] is the cost worth, um, the, the benefit. But, um, there's, there's ways of caching certain things in between. Uh, like breaking the process down into small pieces of what is cached, uh, is probably the direction I would look into most because at some level, you are, and I, and, and I have a similar, um, similar problem with a client where that sort of, sort of magic needed to happen where we just ha introduced, um, various levels of, uh, transient cache or just smarter ways of, of solving the big retrieve.

[00:33:40] Remkus: Um, cuz the big retrieve is just that, you, you can never optimize that one. If it's big, it's big. That's just what it is. It's then how can you do it? Solve, throw more

[00:33:49] Matt: hosting at it basically is all you can do, right?

[00:33:52] Remkus: Uh, so the, the, the most logical thing to add in, in total, uh, if, if, if you can't solve it in code, would be having, [00:34:00] uh, uh, Redis, uh, and Object Cache Pro.

[00:34:04] Remkus: So those two just increase the, the amount of data that your WordPress site can retrieve from the database, and that in itself already does so much that the perceived problem that you are having might just disappear if you already are on good hosting. Hmm.

[00:34:22] Katie: Interesting. Yeah, we've got basic caching for the whole table.

[00:34:26] Katie: Uh, but sometimes we have to tell people to turn that off. For example, if they have stock data, they want that to be refreshed quickly. Yeah. Um, things like that. So, but we haven't.

[00:34:37] Remkus: Yeah, I think I understand which, which direction that's being solved. But the Transient API, you can use it for one thing, but you can also use it for small things.

[00:34:45] Remkus: And yes, uh, chaining them doesn't necessarily make everything faster, but there is a, there is a benefit to be had, but these particular types of performance issues are, are tough because there's so many, like you said, there's so many variables and, and [00:35:00] versions of the types of data that you ask that you can go blanket like, okay, I'll.

[00:35:05] Remkus: Here, this is my, my solution, and now everything is fixed and wonderful. It, it just, it doesn't work that way. It depends too much on what the actual end, uh, end request is going to be. Mm-hmm. Which, if you have a flex flexible plugin is not ever a certain

[00:35:21] Matt: Mm. Yeah, I love that story though, or that experience, Katie, because, um, it is, you know, there are certain products where the issue of performance does become hyper-relevant, um, more than others.

[00:35:35] Matt: Um, and that's, that's a really good example, um, where it's clear that you all have really tried to be really intentional about it. Um, but it's nevertheless a really complex problem having a, a huge data set that is maybe being updated regularly and being able to load that publicly on the front end dynamically.

[00:35:53] Matt: Like, that's, that sounds super challenging no matter how you dice it. So it is, um, [00:36:00] Remkus. So, um, in, uh, two or three, five minutes or less, like, uh, what's your, what's your experience with this subject? Can you distill it down for us? Probably

[00:36:12] Remkus: not. Excuse me. Um, I don't think I have a specific story without, uh, really deep diving into, uh, just issues and problems that I've, I've run into for clients and having to solve them and, and all of that.

[00:36:29] Remkus: But, um, in, in terms of, um, like a, a common theme that I see a lot is, uh, folks not fully understanding the implications of, um, optimized code. And that doesn't necessarily mean, um, I'll, I'll, I'll give you gr I, I'll give you a good example. So [00:37:00] in PHP, when you, you have the ability to switch for, you know, there's 10 scenarios you need to run through.

[00:37:06] Remkus: You use switch and you go from the next and the next and the next and the next. Um, I've seen examples where people made beautiful code, worked wonderfully, fantastically, even, but there was no early exit of the code. So there wasn't a check right inside the function saying, are we even supposed to do this?

[00:37:24] Remkus: So what happened on every single page load, um, that function was running, and in itself is not necessarily, not even a problem. But if, if you're running a site that has a million visits, uh, a million page views per month, then that quickly becomes a problem because you can see the resources just adding up unreasonably high versus the number of page views that you're seeing.

[00:37:47] Remkus: And sure, you can cache it, but if, if that happens to be a WooCommerce site and most people are, um, on your site having something in their cart, which by that, by by default, uh, [00:38:00] invalidates your cache, they're not in cache. So you can't optimize for that. So, um, if I combine a lot of stories, by just exa that, by using that example.

[00:38:10] Remkus: That's a good one to keep in mind as you are optimizing in your code, be aware of how much can you, should you, uh, early exit optimize in terms of, uh, in terms of just raw code. Like, am I supposed to be doing this right now? All the time on every single page load. That's a question you need to ask yourself.

[00:38:36] Remkus: The, the, the simple example is that you've, you, you probably all have seen, um, you, I'm sure at one point in your WordPress, um, history, you've been in the dashboard and you saw the default fonts of WordPress being changed to something else. Hmm. Yeah, it's a great example because somebody enqueued a style sheet, which was meant to do just something on the, either the plugin settings [00:39:00] page or on the front end, but they enqueued it everywhere.

[00:39:03] Remkus: Everywhere. Yeah. That's a small example, but it's, it's the same principle, right? So you're not supposed to do everything at everywhere at all times. Um, be conscious of what you're doing, where, um, is my, um, yeah, as, as condensed like as I could get it without really deep diving. I'll

[00:39:23] Matt: give a little backstory there, how that was applicable.

[00:39:26] Matt: I'd give a long time ago. Um, I will say that like when Give first launched, um, caching plugins were all the rage and they were all not created equal, or most, actually nine out of 10 of them were created badly. Yeah. Um, they were the bane of my support existence. Um, and, um, we honestly, we had, we had a lot of back and forth internally on like how we are going to cache or how we're going to load our assets on the front end.

[00:39:56] Matt: Uh, because technically we have the ability to limit [00:40:00] the JavaScript and CSS to only where a Give form existed on the front end, but we noticed that when we had that in place, uh, our caching plugins tended to break the donation forms almost every time. Um, and it was one of those situations where we wanted to do what was best and most performant for the website.

[00:40:22] Matt: Um, and this was also before, um, what is it, um, what is it called? The HTTP protocol that lets you do multiple things at the same time, slash two. Uh, yeah, exactly. Before all of that also. So we wanted to do it, but it, it, it just continued to be a major support burden. And so in the, at the end of the day, we were just loading our, our CSS and scripts throughout the whole front end of the site, which didn't feel very optimal at all.

[00:40:50] Matt: But the donation forms were working, um, even with caching plugins enabled. Um, some folks who are [00:41:00] astute definitely didn't love that. Um, and I had to have a nice long support conversation about that. Here, I don't love it either. Um, but you know, I'm trying to choose between, uh, two evils

[00:41:14] Remkus: here. So, yeah.

[00:41:16] Remkus: Yeah. Like I said, you've made a lot of friends,

[00:41:20] Matt: got a lot more contacts since then. Yeah.

[00:41:23] Remkus: Potential friends.

[00:41:25] Matt: Yeah. Uh, definitely a lot of folks who like to give me their strong worded opinion. For sure. Yeah. So, yeah. Um, nice. Well, we have, uh, only a few minutes left, um, and we wrap it up typically with talking about our best advice for anybody who's just getting into WordPress product ownership.

[00:41:45] Matt: Um, And, uh, Katie, you're up first. What's your best advice for folks on this, uh, topic?

[00:41:53] Katie: Uh, well, I'd say to make performance and security an integral part of the product design and review process [00:42:00] rather than an afterthought. And if possible, based on your company size, budget, et cetera, commission third party audits and support, because you don't have to be an expert in this area, but you do need an expert in this area.

[00:42:14] Matt: Excellent.

[00:42:15] Remkus: Good one.

[00:42:17] Matt: Remkus.

[00:42:18] Remkus: Um, yeah, it, it's, uh, it's in this, along the same lines, but it's, uh, uh, test small, test big, test often, test weird scenarios, uh, and automate testing as much as you possibly can. Um, but assume you know nothing.

[00:42:38] Matt: Excellent. Those are both great pieces of advice. I really, honestly, don't have much to add to it, those, that's exactly the same advice I would give. Um, maybe the only thing I would add, um, is if somebody says that there's a problem, most likely they're right. So take everything that comes across your desk seriously and dig in and do your due diligence.[00:43:00]

[00:43:00] Matt: Um, I think sometimes folks, uh, product owners have a tendency to minimize, um, feedback a little bit and say like, ah, it's not such a big deal. Um, you always think it's not such a big deal until it actually really bites you in the wrong way, so, yeah. Until it hurts you. Yeah, exactly. Um, actually in the chat I said, who has a horror story about a plugin or theme that ruined your website performance?

[00:43:27] Matt: Uh, we got one comment here real quick that says, Tim Zak resulted in injection to our membership software. A member. Ah, I remember hackers were able to, uh, change the PayPal email in the configuration without us noticing. Oh my gosh, that's super smart. Um, and so that they received all of the sales, um, for a few days.

[00:43:49] Matt: Uh, oh man, that's horrible. That's a, that's definitely a horror story. Um, especially when it's like you're changing the setting. Like so much of the like malware scanner type things will scan [00:44:00] for changes in files and whatnot. Mm-hmm. And that one is actually a, a change in the database, um, that might easily not get caught.

[00:44:08] Matt: Um, so thanks for the comment. Um, Remkus, thanks for being here. Really appreciate it. This was a great conversation. Um, sure. Happy to be here next week. We are having another F Friesland person. Frisian. Yep. Sorry. Uh, another. Another. Yeah, exactly. The only other one in WordPress, right? No, there's more. There's more.

[00:44:34] Matt: I know I keep joking with you about this. Uh, Boran is gonna join us. Uh, he's gonna be talking about, um, Dolly in particular, uh, but also, uh, the opportunity WordPress products have to be distributed in a new fashion, uh, basically using, uh, a hosted version of your product, um, in, in new ways. Um, it's definitely things like n c WP and WP.

[00:44:58] Matt: Um, cs I've [00:45:00] really made this, uh, an interesting aspect, uh, and an interesting opportunity in the WordPress space. And, um, Bo is gonna come and, and talk with us about it. So I'm excited.

[00:45:10] Katie: So, yeah. Oh, and also that will be the first week of our rotating co-hosts. Uh, last week we announced that in addition to Matt and myself, we'll be rotating with Zack Katz and Amber Hinds as co-hosts.

[00:45:24] Katie: So next week will be Matt and Amber, and then I'll be back the week after that. So that should be good too. Yeah,

[00:45:32] Matt: I'm excited for that too. It'll be a good time. So everyone have a great week and go out there and be secure and fast. Thanks so much.
