This past Friday, I gave a 20-minute presentation on WordPress security, giving a high-level overview of things you can do to help keep your sites secure.

The Presentation

Here's a SlideShare embed of the presentation deck:

And you can download the Keynote source file for my presentation, including presenter notes.

Twitter Questions

As part of my talk, I asked attendees to submit any questions they might have had via Twitter using the hashtag #wpvipsec. Here are the questions I received, and some brief answers to them as best I can provide.

As we have been transitioning some of the WordPress.com VIP platform to our next-generation VIP Go platform, we've had to reinvent some of this stuff slightly. :) You'll be pleased to know that we have made the mu-plugins we use on VIP Go publicly viewable on GitHub, and you can see our custom two-factor module here.

https://twitter.com/NelsonTheFresh/status/936659951711408129

I don't know very much about securing sites via VPN, but I'm assuming here that you have site access (even front-end) locked to internal IPs only based on that VPN connection. That should handle a large portion of your security from outside attack, assuming the VPN is using appropriate security precautions.

At this point, your chief enemy is likely to become human error. This is where portions of the talk surrounding things like limiting user capabilities and access to certain settings pages can really help you out. Making sure your users are following good account security processes for connecting to the VPN is also critical.

As I suggested in the Q&A after the talk, I highly recommend that user roles and capabilities be in your WordPress engineering toolbox. They are enormously useful.

Multisites are interesting because they have additional layers of user access. Let's look at the two admin roles:

Super Admin: This should be as limited as humanly possible. The only users who should have superadmin powers on a multisite IMO are system administrators, your development team, and support users who will be assisting other users with account-level actions regularly. (An additional user or two might be necessary if you have people who need to spin up new sites on-demand rather than contacting your support team.) You should certainly require two-factor authentication here, and if you can require proxy or VPN access at this level, you absolutely should look into that as an option.

Administrator: This is going to be on a site-by-site basis within the multisite. If you can craft custom roles and their capabilities finely enough for your needs so that non-development users who are "in charge" of a site can use those roles instead of full admin, you should absolutely do this. Ideally, this user group and the Super Admin user group are as close to identical (and as limited) as possible.

The remainder of the roles are easier to parse. I'd like to especially recommend here (as I did during the talk) the use of an audit trail plugin: as you will have many users working on sites, and some with superadmin powers, knowing which users performed which actions becomes increasingly helpful.
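One way to put the "custom roles instead of full admin" advice above into practice, as an added example that is not code from the talk, the VIP team or WordPress core: a small mu-plugin that clones the Administrator role, removes the capabilities that install or edit code, change global settings or create and promote accounts, and then re-denies them at check time so a later plugin cannot quietly widen the role. The role slug `site_manager` and the denied-capability list are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Site Manager role (added example)
 *
 * Added example, not code from the talk or WordPress core. Place it in
 * wp-content/mu-plugins/ so it loads on every site in the network.
 * Assumptions: the slug 'site_manager' and the list below are made up for
 * this example; trim or extend the list to fit your site.
 */

// Capabilities a full Administrator holds that a non-developer "in charge"
// of a site should not: anything that installs or edits code, changes
// global settings, or creates and promotes accounts.
const SITE_MANAGER_DENIED_CAPS = [
	'install_plugins', 'activate_plugins', 'update_plugins', 'delete_plugins', 'edit_plugins',
	'install_themes', 'switch_themes', 'update_themes', 'delete_themes', 'edit_themes',
	'edit_files', 'update_core', 'manage_options',
	'create_users', 'delete_users', 'promote_users', 'remove_users',
	'unfiltered_html', 'import', 'export',
];

/**
 * Register the role once: clone Administrator, then drop the denied caps.
 * Roles persist in the wp_user_roles option, so the get_role() guard keeps
 * this from rewriting the option on every request. If you change the list
 * later, call remove_role( 'site_manager' ) once so it is re-created.
 */
function site_manager_register_role() {
	if ( get_role( 'site_manager' ) ) {
		return;
	}
	$admin = get_role( 'administrator' );
	if ( ! $admin ) {
		return;
	}
	$caps = $admin->capabilities;
	foreach ( SITE_MANAGER_DENIED_CAPS as $cap ) {
		unset( $caps[ $cap ] );
	}
	add_role( 'site_manager', 'Site Manager', $caps );
}
add_action( 'init', 'site_manager_register_role' );

/**
 * Enforce the denial at check time as well. A plugin that later grants one
 * of these capabilities to every role, or someone editing the stored role by
 * hand, cannot widen what a Site Manager can do, because current_user_can()
 * runs this filter on every call.
 */
function site_manager_deny_caps( $allcaps, $caps, $args, $user ) {
	if ( in_array( 'site_manager', (array) $user->roles, true ) ) {
		foreach ( SITE_MANAGER_DENIED_CAPS as $cap ) {
			$allcaps[ $cap ] = false;
		}
	}
	return $allcaps;
}
add_filter( 'user_has_cap', 'site_manager_deny_caps', 10, 4 );
```

On a multisite network the role is stored per site, so the `init` hook creates it on each site the first time that site is loaded; super admins are unaffected because their capability checks bypass roles entirely.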

Additional Questions?

If you have any questions that haven't been covered above or in the talk, please send me a reply on Twitter and I'll be happy to drop them in the post and let you know when I have updated it.

I'll be updating this post occasionally with new information, as well as a link to the talk's video archive when it's available. To be notified of this, please either follow my blog or follow me on Twitter.

It’s time to look forward to WordCamp US at the end of the year: seeing lots of familiar faces, attending fantastic sessions by creative and knowledgeable people, and volunteering to help create a great event for every attendee.

Last year, I gave a lightning talk on code review that I thought went very well; it was an adaptation of a talk I gave earlier in the year at WordCamp St. Louis based on the experience I’ve had with code review as a culture-centric thing at Automattic and specifically on the WordPress.com VIP team.

The deadline for talk submissions for this year is tomorrow, and so far, I have submitted two talks (I’ll bring up the third in a bit here):

Security, the VIP Way

My VIP team colleagues suggested this topic. We deal with some pretty large sites with lots of users, and can be the target of attacks by unsavory people, so we have developed security policies and best practices that we have found to be successful. I think I could relay some of these practices and give good examples in an engaging way.

I submitted this as a 50-minute talk, but it could be adapted as a lightning talk. I think this talk is pretty straightforward and would need some creative slide deck management to make it my particular style of engaging.

User Support: Playing to Win

OK, so this one is a long shot—and to be honest, I haven’t written it yet, but it’s nearly-fully-formed in my head. Support has been my career for over a decade now.

I have also played fighting games for a huge chunk of my life, but only in the last few years have I taken playing them seriously and competitively.

Fighting games are about resource management, spacing, timing, and adaptation. It struck me at one point that a lot of that is very similar to how I approach support interactions. I want to find a way to bridge those metaphors in a talk.

This would almost definitely be a lightning talk, and I submitted it that way. The slide deck would be really challenging and enjoyable to create. I’m secretly hoping this one is chosen.

A Third Talk?

Just a bit earlier this evening, I considered submitting a third talk based on my blog post from last night, regarding advice for applying to Automattic. After I wrote it, it occurred to me that a lot of what I talk about in the back half of the post is less specific to Automattic and more interesting in the context of open-source-related companies, of which Automattic is one.

But when it came time to write the abstract, I couldn’t come up with a good way to frame the talk that wouldn’t come across as “hey, you should come work at Automattic.”

The concept I had: I would talk with some other people at other WordPress-ecosystem and maybe even other OSS-ecosystem companies, and gather some more information from them about their workplaces and what they like to see.

In the end, because of where I work, there are optics to consider. Does it come across as a recruitment effort? Some people might look at it and think that it does, especially since I would be referencing a post that’s specifically advice for people who might want to work here. What I would love to get across is that there are lots of great companies in WordPress orbit people can work for, or could start, and I suspect they share these open-source traits. It’d probably be interesting.

But I won’t be submitting that one. I feel comfortable talking on my own space here about the work culture of Automattic and why I love working there (and I do this often because it’s all true), but I’m not comfortable making that the subject of a talk at one of the two large-focus gatherings of people from all of the WordPress community. It could be interpreted in a way I’d rather not evoke if I can avoid it.

How’s The Third Talk Different from The First Talk?

(Thought I’d address it because I know someone will think it.)

To be concise: I think there’s a big difference between sharing best practices concerning the WordPress software and supporting users and giving a talk where my workplace is a focus. Bonus: at VIP, we work in partnership with various agencies and WordPress users, so many of those best practices have developed in active collaboration. I feel comfortable sharing those practices in a broader arena without making it overly Automattic-centric.

I get about a half-dozen emails a year via my contact form asking me this question or asking related questions, like how to craft a resume, or what it’s like to work at Automattic. I thought I’d jot something down so I can just send a link the next time this happens, as my advice hasn’t changed much over time. :)

I’ve been here for seven years as of this writing, so I thought I’d share what I tell people who ask me this question (in a slightly expanded format). I’m not involved in hiring. This is not “official” advice of any kind. It’s just what I say to people, made public and repeatable.

First things first:

I love working at Automattic. You might not.

I will extol the virtues of my job whenever you ask me about it. It’s the best place I’ve worked, and I have found it to be very rewarding.

Not everyone will feel this way. The amount of freedom we have to get or not get our jobs done is unlike anything else out there. It can be very isolating and lonely to not see your team in person more than two to three times per year. I think even those of us who have embraced what we do struggle with this from time to time, and for some it can be significant.

But if you are willing to engage without having to be asked to do so, love working with people who are intelligent and come from all walks of life, and are down with being challenged often, you’ll probably fit in well.

So, how to get a job here? Let’s talk.

Read through our open positions and see if something is right for you.

You can find Automattic’s open positions here. Take a look and see if you spot something you’d enjoy doing and think you can do well. Read the job description and requirements to make sure you understand them and know how you would theoretically fit in the role.

Now, take a strong, focused look at the part of the job listing that talks about how to apply. This is going to be very important. :)

Follow the instructions regarding how to apply. Read them twice.

There are some things you will see in every job listing regarding how to apply. Take note of them and follow them. They are not there at random. Basically:

  • Make a resume/CV/whatever you want to call it. Prioritize and emphasize experience and skills that would directly impact the job role, but don’t ignore even side things that make you unique.
  • Attach it to an email sent to the address provided in the job description. The email is your cover letter. Introduce yourself. Be concise. This is your first impression, and it’s text-only. (As we are largely a text-communication-driven company, you should get used to this idea.) Make sure you include anything that’s specifically requested in the job description call for applications.
  • Double-check your spelling and grammar. Fix anything you need to fix.
  • Check it again.
  • Once more.
  • Send and wait. :)

You might get a trial; you might not. But putting yourself out there is the first step.

(Oh, and if you don’t know about how our hiring works with the trial process, where you perform contract work to see how that goes, you should probably read about that.)

I’m not lying when I say that’s pretty much it. When you boil down the process of applying for a job here, it’s pretty simple. That said:

Here are some focuses/traits I believe in based on my time at Automattic.

Again, let me stress this is my opinion and not in any way “official.” Nothing I say here is even remotely a guarantee, and I don’t have anything to do with hiring (really, I don’t), but these are things I will usually recommend to someone when they ask me personally what they can focus on.

These are mostly things I really like to see or admire in people I work with. :)

Be open to criticism.

It’s totally possible you’ll be rejected for the job, either before or during the trial process. When this happens, you may receive some reasons why you were turned down. Or you’ll receive some constructive feedback during your trial. Be open to it. Embrace the idea that you don’t know everything, because believe me—as a full-time employee for many years now, I still realize this often.

Be dogged in adapting to and implementing that criticism.

I applied to Automattic three separate times over a year-and-a-half before I received a trial. I had to change focus mid-trial before I was hired based on feedback. Some of the best colleagues I have at Automattic went through a trial, received feedback and a rejection, and then trialed again later with success. If and when you receive feedback, take it to heart and then apply it. Or apply again. Or both. :)

Be willing to say up-front when you don’t know something and be open to learning.

I would rather work a million times over with someone who is willing to admit when they don’t know something or are stuck on something and ask for help than someone who tries to fake it. Admitting you need help is not a weakness. It is literally impossible for everyone to be an expert at everything.

Be willing to help others.

I’m big on leading by example. Everyone has gifts and strengths, and everyone is at a different level. Just as you should be willing to let others help you, be willing to share your knowledge and experience with others. Be kind and instructive. Don’t always offer to just take charge of things—though on occasion, that’s necessary—but aim to level up your (potential) team.

Be yourself.

Automattic contains the most diverse and interesting group of people alongside whom I have ever worked. It is an amazing collection of individuals from whom I have learned much and with whom I have enjoyed spending time during meetups. Embrace this and be willing to commit yourself to it as well. (BTW, if the real you is introverted, that’s totally OK. There are lots of us here. If you have to take a break, we understand.)

Have at least a passing familiarity with the Automattic suite of products.

How much of this depends greatly on the job for which you are applying. Some positions might not require a lot of PHP or familiarity with WordPress. Others will be based almost entirely around this. I think it’s a good rule of thumb to at least know the core business of Automattic and what we do before wanting to work here. :)

Embrace open source.

An open source ethos drives Automattic and is core to our identity. Know what that means. Past and ongoing contributions to open source projects, whether it’s code, testing, design, documentation, or whatever, will give you valuable experience in what it’s like to work with those types of projects and is a bonus.

(Again, this will somewhat depend on your desired job role.)

Get comfortable with text-only communication, and learn how your writing tone can be interpreted.

To be honest, I still have trouble with this sometimes. Text communication is hard. Without vocal inflections, facial expressions, and other body language, it’s easy to read something and get the wrong impression.

It’s a skill to craft your text communication in a way that others will understand your tone and intention. Dedicate yourself to learning that skill. (Yes; sometimes this means using emoji. They are very, very helpful for establishing tone.)

This space reserved.

I’m sure there are things I’m not thinking of, but I have been writing this blog post for three days and I should probably just publish it. If you are a fellow Automattician and reading this, and I forgot something obvious, ping me and let me know. If you are a reader and you have additional questions, feel free to contact me. I’ll edit some things into this post later if needed.

I will never stop learning. I won’t just work on things that are assigned to me. I know there’s no such thing as a status quo. I will build our business sustainably through passionate and loyal customers. I will never pass up an opportunity to help out a colleague, and I’ll remember the days before I knew everything. I am more motivated by impact than money, and I know that Open Source is one of the most powerful ideas of our generation. I will communicate as much as possible, because it’s the oxygen of a distributed company. I am in a marathon, not a sprint, and no matter how far away the goal is, the only way to get there is by putting one foot in front of another every day. Given time, there is no problem that’s insurmountable.

Howdy! I just finished giving this presentation at WordCamp US 2016 about code review: about why and how you should do code review on your projects.

The Presentation

Here’s a SlideShare embed of the presentation deck:

And you can download the source Keynote presentation file here.

References

I referenced a bunch of things in my talk and mentioned that you could find those sources in this post, so here’s the list in the order you’ll run across it in the presentation:

Have any questions?

If you have any questions, comments, corrections, or whatever, please contact me. I’ll be happy to hear from you.

If you have worked with me in any professional capacity as a member of the WordPress.com VIP team, you’ll know that one of the things I have focused a lot of my time and attention on are data migrations using the WordPress import and export tools, and troubleshooting things along those lines.

I submitted a talk to WordCamp US regarding imports about which I have not yet heard, but even if I don’t get to make that talk, I’d like to work on a series of posts discussing things that can go wrong with imports or things that are challenging with them, just to raise awareness of these things.

At a certain scale, imports are usually done with SQL, but working with the WordPress import tools at scale has taught me some things that I believe will be valuable to WordPress imports at all levels. I have some topics already in mind that I want to approach, but for anyone who reads this or sees the tweet that I’ll push out about it, I want to ask and invite comments (or blog posts elsewhere you link me to!):

Are there any aspects of WordPress imports you’d like to see me address in these posts?

If you have talked with me, my skepticism with regards to Avyd and what they are doing should not be much of a surprise at this point. (I hesitate to talk about it much because there are good people I respect who are doing business at and with Avyd and I am of course always worried about causing hurt.)

I need to say something about this, though.

Today, they are talking about the support they’ll offer as part of their service:

This reminded me of the job posting they’d put up a couple of weeks ago, about which I’d intended to say something more directly.

The listing is here, but I’m assuming that it will expire at some point, so I’ll put the pertinent bits below:

Responsibilities

  • Customer Service Representatives are responsible for handling our Client’s highest level of service issues to ensure customer issues are resolved in an efficient and timely manner. Agents provide knowledge and expertise to all online customers to effectively resolve any service-related, while balancing both the needs of the customer and the business.
  • Use empathy with the customer; allow them to vent frustrations, while staying in control of the conversation and maintaining focus.
  • Must be able to multitask
  • Follow up with customers to ensure issue has been resolved
  • Will be answering customer support tickets, inbound calls, and support chats.

Successful Candidates will have:

  • Previous Customer Service experience
  • Proficient in typing and computer skills
  • Energetic and motivated personality
  • Gaming knowledge
  • Available to work nights and weekends as needed
  • Be fluent in English
  • Team player
  • High School Diploma or equivalent

What We Offer:

  • Unparalleled work environment
  • Unlimited growth from within
  • Paid training
  • Continued development beyond entry level
  • Travel opportunities
  • Career advancement into management

On its own, that’s mostly fine. It’s a lot of attention-splitting, and the bit about nights and weekends without specifically stating what that means is a little concerning.

And then you get to the stuff about “growth” from the support position. It’s so much of a focus that it’s literally half of the bullet points in the list of “What We Offer.” It’s a red flag, especially when you hit this part:

Job Type: Part-time

Salary: $10.00 /hour

I don’t suppose I need to state that this is in an office and not remote, because the job posting should lead you in that direction on its own.

This is troubling because it doesn’t see support as a worthwhile career in and of itself. I am growing to understand that my current employer is somewhat unique in this, but I want to see the idea and the respect for support professionals continue to grow.

User support has been my full-time, salaried and benefited career for the last six years. It supports my entire household. I have had different responsibilities and been on different teams, but through the whole thing, I have been well-appreciated and been given the ability to build my career on having pride in the fact that I make our customers’ and clients’ lives easier, and that the ability to do so in an exceptional way is deserving of being a full-time employee.

The wage and (lack of) benefits in this Avyd job posting are sadly reflective of how a lot of tech sees support. Support is a place where you go to wage slave until you earn yourself a place as a supervisor, when you make a bit more and maybe get full-time, and then after even more time you might end up in charge of support for something and possibly get a salary and benefits. Or you have the (often just a) pipe dream of learning another skill and changing job responsibilities, which is seen as a promotion simply because you aren’t doing support.

I’m proud to work somewhere that prides itself on seeing professional support as a career, helping people build that career by supporting them and helping them develop, and giving those people good compensation, good opportunities, and good resources with which they can make the services we provide amazing experiences for the customers who pay for them. We make all employees who don’t work in support do a rotation in support every year, and every new hire regardless of position does front-line support for the first three weeks.

User support and respect for the people who work it is foundational to the culture here, and I wouldn’t have it any other way. No matter your industry, I encourage you to consider making it just as important to your company as well.

And yes; we are hiring.

Howdy! I just finished giving this presentation at WordCamp St. Louis 2016 about code review: about why and how you should do code review on your projects.

The Presentation

Here’s a SlideShare embed of the presentation deck:

And you can download the source Keynote presentation file here.

References

I referenced a bunch of things in my talk and mentioned that you could find those sources in this post, so here’s the list in the order you’ll run across it in the presentation:

Have any questions?

If you have any questions, comments, corrections, or whatever, please contact me. I’ll be happy to hear from you.

J Jennings Moss for the San Francisco Business Times:

Alignable, which is headquartered in Boston and has members across the country, started doing its SMB Trust Index at the beginning of last year but this is the first time the company has released its findings to the public. To do its analysis, Alignable relied on the Net Promoter Score approach companies use to gauge their own customer loyalty.

[…]

Most trusted: WordPress — The website creation tool had a NPS of 73 and the report determined that “WordPress proves ‘free’ doesn’t always mean ‘junk.’” Groves said he was surprised by how trusted WordPress was, which he attributed to its passionate following. “I knew it was a great platform, but I didn’t know that their following was that ravenous.”


(h/t Matt)

I had meant to write this much earlier in the day, but it’s been so busy that I’m just now sitting down to hammer it out.

Today was the sixth anniversary of my start date at Automattic. It’s hard for me to think that so much time has gone by and to consider all the things I have learned, accomplished, and even gracefully failed at (and learned from!) as an Automattician.

At six years, that means I’ve been around longer than a huge part of the company as it stands now. Since I joined, the company has grown to almost 10x the size, which I could not have imagined when I started. And we keep finding amazing people to work with, who we can hire because we don’t make them move anywhere. :)

I’m constantly grateful for the opportunity I have to work with colleagues who are as thoughtful, intelligent, patient, kind, and supportive as my friends at Automattic. And I get to work with an open source ethos and a dedication to improving the ability for people everywhere to have a voice. It’s humbling and sometimes even intimidating.

Think about all the things in my life I likely would not have had I not been doing this for the last six years:

  • Learn so much more about code and about how things just work, even though IMO I still have so much more to go and am nowhere near where I want to be
  • Gain the ability to leave a job and path I ultimately found much less fulfilling and satisfying to work and learn from and alongside fantastic people
  • And do it while now getting to spend more time with my wife and children than I could have otherwise, simply by eliminating my commute
  • Travel to places I never thought I’d see or experience
  • Help countless people with their WordPress sites so they can get on with making content and not worry about the technical bits
  • Be constantly challenged by new problems and questions that push me to my limits and nudge me to develop new skills and proficiencies
  • Help coordinate the migration of an entire platform (Live Spaces!) of sites over to WordPress.com
  • Launch some of the biggest websites on the planet with some of the coolest partners around
  • Re-discover my love of Doctor Who
  • Learn there are other smart people out there who think pro wrestling is rad
  • Overall, worry a lot less and just have fun with what I do, how I balance that with the rest of my life, and who I am

There are probably other things I am forgetting, but I have only five minutes left to publish this post. :)

I really do love what I do. Maybe you’d like to join me? We’re hiring.