#35 – Akshat Choudhary on the State of WordPress Security

[00:00:00] Nathan Wrigley: Welcome to the Jukebox podcast from WP Tavern. My name is Nathan Wrigley. Jukebox is a podcast which is dedicated to all things WordPress, the people, the events, the plugins, the blocks, the themes, and in this case, the state of WordPress security.

If you’d like to subscribe to the podcast, you can do that by searching for WP Tavern in your podcast, player of choice, or by going to WPTavern.com forward slash feed forward slash podcast. And you can copy that URL into most podcast players.

If you have a topic that you’d like us to feature on the podcast, I’m very keen to hear from you. And hopefully get you or your idea featured on the show. Head over to WPTavern.com forward slash contact forward slash jukebox and use the contact form there.

So on the podcast today we have Akshat Choudary. Akshat is the founder and CEO of BlogVault, Malcare, WP Remote and Airlift. These WordPress plugins allow their customers to build, manage and maintain their WordPress websites.

He’s based in Bangalore India, and we begin the podcast talking about the state of the WordPress community there. We know that there’s a lot of WordPress products and services coming out of India, but are there events and meetups, like we find elsewhere. We also talk about why Akshat sees it as useful to bring himself and other members of his team so far to attend WordCamp Europe. What’s in it for them, and what’s their approach to the return on this investment?

We then move on to talk about Akshat’s journey creating products in the WordPress space. It’s interesting to note that whilst Akshat is clearly great at creating products people wish to use, he’s also willing to admit that much of his success can be attributed to serendipity.

We then get into a discussion of the security landscape and how the products that Akshat and his team make enable site owners to rest more easily. It’s all about backups, site monitoring and firewalls. We go into some of the technical details of how the products work and how they fit neatly into an agency, wishing to sell care plans to their website clients.

Are there any downsides to adding additional plugins to WordPress websites? And do we run the risk of thinking that if we’ve installed some security and backup plugins, then there’s nothing to worry about. Is this a sensible position to take?

It’s an educational episode with a warm and very amiable guest.

Typically when we record the podcast, there’s not a lot of background noise. But that’s not always the case with these WordCamp Europe interviews. We were competing against the crowds and the air conditioning. And whilst the podcasts are more than listable, I hope that you understand that the vagaries of the real world we’re at play.

If you’re interested in finding out more, you can find all of the links in the show notes by heading over to WPTavern.com forward slash podcast, where you’ll find all the other episodes as well. And so without further delay, I bring you Akshat Choudary.

I am joined on the podcast today by Akshat Choudary.

[00:03:52] Akshat Choudary: Hi, Nathan. Thank you for having me here.

[00:03:53] Nathan Wrigley: You are so welcome. We’re sitting in the Super Bock Arena, in a cavernous space underneath the arena. And we’re gonna talk today a little bit about Akshat, his products, why he’s turned up to WordCamp EU. First of all though Akshat just give us a little bit of a background. Who are you? Which company, companies I should say, do you represent?

[00:04:11] Akshat Choudary: Hi, I’m Akshat, I’m the founder of BlogVault, actually that’s the main company. And then we have multiple products. Some of you might have heard of BlogVault is our original product. And then we since then built Malcare. We are also associated with WP Remote, which is for agency, and we have a brand new product coming out called Airlift.

[00:04:31] Nathan Wrigley: Oh, okay. Tell us what Airlift is.

[00:04:33] Akshat Choudary: So, you know, speed is such an important aspect of a website and making a website fast is, it’s a time consuming and often difficult task. So, we are using technology to make a website really fast with the click of a button.

[00:04:46] Nathan Wrigley: That sounds amazing. So there’s four products that you’ve got. Presumably you’ve come to WordCamp Europe to find customers, mix, network and all of those kind of things. So I’m gonna ask you a series of questions about that. Really, it boils down to this. What is the purpose? Why have you come all the way to WordCamp Europe?

[00:05:02] Akshat Choudary: It’s interesting that you mentioned that you’ve come for customers and acquire customers. And I remember the very first WordCamp I attended so many years ago, and I was in this mode of trying to acquire customers and it was miserable, like the worst possible experience. then I had to step back because WordPress and WordCamps are not, are not suitable.

The community, the event is not, it’s not your traditional trade conference. When you attend it to just be a part of the community and try and meet people, and over time you can connect the dots, looking back that it has worked out well. So today I’m here actually, to reconnect with all the friends that I have, after three years.

[00:05:41] Nathan Wrigley: It is very much a social experience for you?

[00:05:43] Akshat Choudary: Absolutely. Yeah. And that’s the most important aspect of it.

[00:05:46] Nathan Wrigley: What is the main thing that you find yourself doing? So do you attend the talks and sit and chat with colleagues, or do you tend to find yourself on the hallway track, just chatting to random strangers?

[00:05:57] Akshat Choudary: Yeah. Hallway track, I wouldn’t even say chatting to random strangers because now so many of the folks are just such good friends. Yeah, we go back so many years, so. It’s mostly about just meeting them again and, hopefully finally in person.

[00:06:12] Nathan Wrigley: Do you bring many people from your team or teams I should say? Or is it just you? Is that a difficult decision? Who gets on the plane and who doesn’t?

[00:06:19] Akshat Choudary: We try and have a couple of people join me. In fact, a few times I have also not gone and people from the team have come, so we do it on a, on a round robin basis. So we try and get the entire team to participate in the community and meet the different folks here. Because just again, sitting in India, it’s very difficult to understand what the community is about. Coming here and interacting and volunteering. Those experiences really give you a sense of what WordPress is about.

[00:06:47] Nathan Wrigley: Just before we pushed the record button, I mentioned some of the things that we may be talking about, and one of them was the community where you are based. So, first of all, where are you based?

[00:06:56] Akshat Choudary: So I’m based in Bangalore in India.

[00:06:59] Nathan Wrigley: And tell us about the community that may or may not exist there.

[00:07:03] Akshat Choudary: So we do have a small community, but it’s not a very, very active community. And it also makes you realize that while Bangalore is the tech hub of India, you know, it’s called the Silicon Valley of India. And there are so many people doing tech and I’m sure there are a lot of people doing WordPress. But we’ve never really been able to kickstart a healthy community there.

[00:07:22] Nathan Wrigley: Do you have any insight into why that is? Is it just that it just never took off or nobody took the responsibility to organize it?

[00:07:28] Akshat Choudary: It makes you appreciate the work that the folks who are building these communities are doing, because it’s a commitment. I think people spend a part of their lives to make this thing happen at each of these local chapters.

I guess, somebody needs to come up with that passion to make it happen.

[00:07:46] Nathan Wrigley: So it is a different experience here than it would be over there?

[00:07:49] Akshat Choudary: Yeah. Significantly different.

[00:07:51] Nathan Wrigley: In terms of the event itself, what do you make of this venue? I mean, when I showed up and saw it, I mean I’d seen pictures, and I thought that looks pretty large.

That looks pretty impressive. And then when I actually got here, this is beyond anything I imagined. It’s truly enormous.

[00:08:06] Akshat Choudary: Yeah, it is an extremely large, really large venue. And I actually still didn’t know what to expect until I entered, and the organization is, the way they have organized it with one section going to sponsors another with the tracks, with the actual talks. It’s a very, very large venue and with a lot of space all around to meet people and to talk with people.

[00:08:24] Nathan Wrigley: I was looking at a WordCamp and I can’t actually summon up which one it was, but it was a State of the Word address from. I’m gonna say it was about 10 years ago. I was watching the video recently and it looked like a cottage industry. It looked as if they were basically in a theater and the signage was all very thrown together. And you compare that to what there is out there, a few yards away from us, it’s Incredible how WordPress has grown.

And at the moment, as of recording this we’re in the low forties. So 42, 43% of all websites. You’ve obviously strapped yourself to the bandwagon of WordPress, which historically has been an amazing decision. I mean, I’m guessing that you’re just jubilant about that.

[00:09:08] Akshat Choudary: Yes, no, I’d consider myself extremely lucky. I wouldn’t say it was a, it was a well thought out decision as to, yes, I’m going to get onto this rocket ship. We are extremely fortunate to be a part of the success story that WordPress is.

[00:09:20] Nathan Wrigley: Very recently, and I don’t know what your thoughts are on this, because it feels a bit like a Chicken Little story. Recently some statistics came out to show that for the first time ever, the market share for WordPress had actually taken a teeny tiny, nevertheless, a teeny tiny decline had occurred.

And there was lots of people writing commentary about this and saying, well, that’s interesting. Maybe the growth of a WordPress is over. What’s your thoughts on all of that?

[00:09:45] Akshat Choudary: Yeah, I think numbers, you know, they can be very confusing and especially the number around market share. It’s a lot of marketing more than anything else. So, when it’s going up, it sounds really nice and you know, 45%, but the way you calculate it. I think if you are today creating a business website, or if you’re creating a personal website, WordPress is the go to place.

You do have a lot of other technologies coming up. So you will see and you’ll see different things take off. Honestly, I tend to ignore it. I don’t worry too much about it. And also, I don’t worry too much about what’s going to happen with WordPress. So I think every technology has its own cycle it has to follow. And my favorite examples are like Nokia and Blackberry. Those were iconic, massive companies and they disappeared in five years. So when the time comes, it’ll come, and you can’t do really do much about it, but until then, yeah, until then let’s do the most of it.

[00:10:37] Nathan Wrigley: Yeah, I think you’ve probably hit the nail on the head. Nothing is imutable. Everything in its time will cease to be as popular as it once was. Like you said, certain companies like Nokia, I don’t even know if you can buy a Nokia phone anymore, but certainly in the day they were the only things that you could buy.

Your businesses, the ones that you mentioned earlier, they fit into the sort of client side, client management piece, a little bit. So you’ve got the ability with BlogVault to be able to migrate your sites. And you’ve also got the ability to back them up and do security, and all of that Is that the bit where you’ve pitched your business? Are you sort of aiming them at agencies who are then selling that services, perhaps packaged up in a care plan or something like that? Is that where you are pitching?

[00:11:18] Akshat Choudary: Yes. So we actually have two segments of customers. And in fact, we are sponsoring this WordCamp under WP Remote brand, and that’s the brand which is targeted towards agencies. Where we take all our products, we are selling that product to agencies. And agencies then who have, which again, is something we have seen over the past few years, the concept of maintenance plans. So agencies manage WordPress sites for the clients, and then they, they use our products to manage large number of sites. And we make it really easy with the backup security, updates and more.

And our job really is to make that job easier. So if you’re running a business critical website, we make it easy to run that website and make the most out of it. And, we sell to two customer segments. You have agencies who are buying large number of sites, and then you have individual site owners, like small businesses or en enthusiast, so marketing teams. And they are buying it for small number of websites. So yeah, there are two customer segments essentially that we target.

[00:12:13] Nathan Wrigley: You mentioned security there. Since the last time I met you, which is probably three or four years ago, I think it was probably in WordCamp London or like that. Yeah. It seems like an age ago now. The amount of security news has been truly stratospheric. Every single week there seems to be something. Now whether or not that’s hype, or it’s written about because people are interested in, I don’t really know. I don’t really have any insight into that.

Obviously the market share of WordPress paints, a bigger target, you know, 42, 43% of the web people are gonna invest time into figuring out what’s vulnerable there. Have you noticed that? Is that a trend? Do we need to be more concerned this year than we were last year about the security of WordPress? And do we need to have things to mitigate? Obviously I’m sure you would say yes, because you’ve got all the solutions provided for that, but what’s your thoughts of the state of security in WordPress?

[00:13:03] Akshat Choudary: Yes. So, I think the security is obviously a moving thing and there’s never, there’s no such thing as absolute security. Right. So it will never be in a state where we’ll be like, okay, fine. Everything is secure. Everything is good. You’ll always need to be wary of it. And especially when you look at something like WordPress, which has such a thriving ecosystem around it. So then security is not limited to one small thing, but it’s spread all over the ecosystem, right?

So every aspect of it needs to be secure, and which becomes so much more difficult to do. As you have more plugin, more themes, and as this ecosystem also expands it adds a lot more complexity to the whole WordPress security concept. So that’s, that’s very, very important to understand.

In fact, if you go back to Windows, days when Windows was considered extremely insecure and while Windows also had its own challenges, a lot of the security challenges came from drivers and all the stuff that you were built using on top of Windows. That’s a similar concept or we can draw similar analogy to WordPress.

So while WordPress, the core itself gets more and more secure over time, and we have seen that evolve, and I think there’s so much noise around, you know, like people get offended like, oh yeah, WordPress is insecure. No, no WordPress is actually secure, but then the plugins are insecure. But you open a website, you go into the WP admin and you see they have 20 plugins and there’s somebody willing to add a 21st plugin because you need to get something done.

So at the end of it, when you’re using WordPress with all these plugins and yeah, I would venture to guess that what, some of the reasons why some of the biggest websites use WordPress is also because of the plugins. Because it gives you that flexibility. So there’s always going to be more plugins added to websites, more complexity added there. And that means security is always going to be a challenge. You can’t take it for granted.

[00:14:40] Nathan Wrigley: What with 50,000 plus plugins in the repository, plus all of the commercial ones, which are countless, I’m sure there’s a number equal to that, possibly bigger. How do you even begin to keep on top of that? Is this just a case of your reading other blog posts about security and your getting information from databases? How do you on the BlogVault side of things and the Malcare side of things, how do you know what needs to be patched and when it needs to be patched?

[00:15:09] Akshat Choudary: So we do keep a close eye on what’s happening in the security space. Our approach to security is not to be on top of everything that’s happening in the security. We look at it from a first principle perspective. As to how do sites really get hacked? What happens when they get hacked? What causes them to be hacked? What do vulnerabilities look like? So not specific vulnerability, because there are so many plugins.

And you’ll see this so often, you know, you’ll see a vulnerability getting declared. Suppose a vulnerability gets declared today. You’ll see that it’s been exploited for years before that or months before that. So declaring vulnerability versus where with announcement is made was the actual exploit. So that, that we believe is not the right way of securing. So we don’t really try and be on top of every single news. Obviously we do it out of interest, but not as a mechanism to secure websites. So we take a more fundamental approach as to why do websites get hacked? What happens when they get hacked and then try and patch it or try and secure it from that principle.

[00:16:05] Nathan Wrigley: Okay, let’s drill down into that a little bit more then. So what does that mean? Because, it may be confusing to people listening. So if you’re not finding the vulnerabilities and setting up. I presume there’s like a firewall piece in all of this. So tell us about that, how it works, how does it stop traffic getting into the website?

[00:16:21] Akshat Choudary: This is actually a very, very fascinating topic and this is something which is close to our heart. And, I would venture to say, I mean, like we know that things can be improved significantly, and we are far from reaching the final vision. We can always, we can see month by month we are moving towards this final vision.

So WordPress security, again, there’s so much noise out there, you know, and I may dare to say there’s a lot of snake oil being sold also. And that just makes it so much more difficult because you will find some of the most credible people out there, unfortunately spreading misinformation, not willfully. Just because the whole space is so noisy, and so confusing..

Having said that, we believe firewall is one of the best ways of protecting a site. Let’s look at like different ways sites get hacked and there are numerous. I’ll just take a few examples to show you what happens. For example, one type of exploit, and this is actually happens much more often than you would think, is it lets you change the URL within the database of the site.

And it’s actually a very simple operation. One way you can block it is you look at any request that caused that specific operation to get updated and just block it out. If it is not done with appropriate privileges. And that’s one example of how you can mitigate an attack type. So that just shows you that that’s one way.

There are others. Like we, we know the famous OS SQL injection attacks, which try and exploit vulnerabilities while accessing the database. There’s a whole amount of literature out there as to how to block SQL injection attacks and we can tap into those rules to block out SQL injection attacks. So as soon as you do that, you have saved yourself from a whole bunch of vulnerabilities that affect a lot of websites.

[00:18:02] Nathan Wrigley: Just before we keep going, I’m curious because a lot of people who listen to this may have only a glimer of an understanding of how WordPress works. So, how does a firewall in fact work? How do you get in front of things before it hits the website and sniff it and say, okay, this is clearly not supposed to happen. Let’s just drop this. Let’s make this not happen. How does that even work? What’s the process that you are interrupting that would normally happen if there isn’t a firewall there?

[00:18:26] Akshat Choudary: All right. So firewall again, there are multiple types of firewalls and multiple levels at which firewalls get deployed. You have cloud based firewall, something like Cloudflare or a Sucuri, which is a very popular WordPress plugin, WordPress security. solution. They have, basically they have a cloud based solution where when someone visits your website, it reaches their servers first. And then it passes through their firewall servers.

Ours is more of a plugin based solution. So, we attach yourself inside your website through a plugin. And what we do is we, and there are multiple ways of doing it, but, depending on the type of hosting you in, we’ll be the very first set of, scripts or code to load even before WordPress loads. What we are doing is common with, Wordfence does also a similar takes, a similar approach.

Right, so every request is then parsed. Identified. We classify the request as to look at all the parameters that happens in the request. We classify, what looks like a good request versus a bad request based on rules. And we have a whole number of rules, which evaluate, and we see, okay, that looks funny. That should not happen. That looks like a SQL injection attack. That looks like a XSS attack. And we identify using patterns. And then we block them.

There are some more complex ones. Like the one I spoke about where a URL gets updated. There we actually sit deep inside WordPress and we let WordPress load. But in case an operation to modify WordPress takes place, which it should not happen normally, then this piece of code will kick in. And that’s the advantage of having a plug-in based solution because, you now understand how WordPress functions and then tap into that knowledge.

There are other solutions, maybe like a Cloudflare where they don’t really understand WordPress and they have taken a more of a generic, good, best practices of blocking attacks. And they’re also effective. But I think when you understand WordPress, when you understand this application so well, you can do things in a manner which, yeah which can improve the security of a WordPress website.

[00:20:32] Nathan Wrigley: You mentioned that you’re getting in the way sometimes, you’re the first thing that’s happening and so on. People, again, listening may thinking, oh, okay, that sounds like an extra step. And if there’s an extra step, is that gonna slow things down? Because there’s something that’s got to be inspected before it’s passed through the firewall and allowed to happen. Typically, are you pretty confident about if you put these things in place, you’re not really gonna see a significant drop in the amount of time it takes to get the first bite or whatever.

[00:20:57] Akshat Choudary: Right, we take a great deal of care to make sure that it doesn’t really slow it down. But again, you need to go deeper into how WordPress functions and you realize that there are so many layers to what causes a WordPress site, what impacts the performance of a WordPress site. And you will see that the PHP pieces and especially the kind of operations we deal with is multiple order of magnitudes faster than the slowest operation, which might be a database query. And while a WordPress request is served. There are numerous database queries being made.

So in comparison to that, this might be, so if that takes a thousand milliseconds, let’s assume, this operation might take one millisecond, two milliseconds. So it just dwarves in front of everything else that’s happening. Obviously we need to always make sure that this thing does not exceed one or two milliseconds or a few milliseconds, but the difference is so large that you will never notice the impact of it.

And again, there’s so much confusion around it. That having a working model around this is not straightforward, and it’s very easy to be like, oh, this will slow down my website, but how will it slow down what’s happening? And that complexity is, I think the communication around that has not been great.

[00:22:08] Nathan Wrigley: Another concern that people may have is because you said, your setup, it has to make judgments about whether this should be passed through or not. This is malicious, or this is not malicious. How easy is it for that system to fail and throw false positives and to erroneously apply the ban hammer to things which should be allowed to pass through. Typically, I’m guessing that, you get better at that over time.

[00:22:29] Akshat Choudary: It does happen, but it’s fairly rare. So again, pattern matching is not an exact science, right? It’s like finding, you know, on a street finding a, a rogue character or a thief by looking at typical characteristics. Yeah, that does happen, but it’s fairly rare and we try and take a lot of steps to always improve our rules around it. And it’s a work in progress. I wouldn’t say it never happens. I almost think that nobody should promise it that way.

[00:22:54] Nathan Wrigley: So four products in the suite. You’ve got WP Remote, Malcare, BlogVault, and…

[00:23:00] Akshat Choudary: Airlift.

[00:23:00] Nathan Wrigley: Airlift the brand new one that you mentioned at the beginning. All kind of representing security and client management and what have you. Tell us about what you’ve got planned? If we were to come back, WordCamp Europe, what may we see? What exciting new things have you got up your sleeve?

[00:23:16] Akshat Choudary: First we are heads down focused on these four things and they’re each actually very big products just by themselves. Our overall aim is to keep doubling down on these and spend a lot of energy making them perfect. When I started BlogVault a few years ago, I thought it was like a six week project. And even today I’m finding ways of improving it. So at least we want to make sure that we are focused on these four things and making it work seamlessly and just keep improving it, because it’s a very time consuming process to build a great product.

[00:23:46] Nathan Wrigley: Yeah. So the roadmap is more about getting it more refined rather than adding feature upon feature upon feature?

[00:23:52] Akshat Choudary: Yes, it’s always about, and that’s my learning over time, that you need to focus on just improving the functionality, existing functionality instead of adding new things. And it’s so easy to, you know, as builders, it’s so easy to get distracted and be like, oh, well there’s this nice little shiny thing a customer’s asking for it. Let’s just build it out. Which is almost how Airlift got started, because we also had so much to do on Malcare and WP Remote, BlogVault. But we are like, okay, that looks like an interesting problem, which we can solve. But hopefully we are going to be focused only on these four things.

[00:24:22] Nathan Wrigley: Yeah, it does feel as if there is quite a lot of that. What I mean by that is that features get added year on year. That seems to be the email that comes through is that we’ve got this great new feature. That’s why you need to check us out. It’s quite an interesting and different approach for you to reject that and say, actually the product that we’ve got is pretty solid. We just wanna make it more solid and there probably won’t be a great deal of new features going in, yeah.

[00:24:43] Akshat Choudary: Yes, and you know, customers, the best customers, really value quality over the number of features. So the, the best website they want, like, okay, fine. I need it to be as reliable as it gets. And that’s actually been the biggest selling point for us. And, it’s easy for me to talk about it like this. The thing is the monkey in the head is always like, let’s chase this new feature. But the learning is that you need to keep improving it. And the best customers, the people who pay us the most people who, who we want to put on the website, you know, on our marketing site, like the logos, they want the most reliable, the most efficient, the best product out there.

[00:25:19] Nathan Wrigley: Just before we wrap it up, a few minutes ago, you said something about the fact that you thought that, maybe it was BlogVault, I don’t know which one you were working on, was gonna be a six week project. So let’s rewind. Akshat, your life to that moment where you thought you were gonna build it and to where you are now and how life has changed. It must be quite an exciting thing to look back on. You’ve had a really remarkable journey from building a product that you had no particular expectation would take off. And then it really, really did take off and, and here we are now sat in a room in WordCamp Europe in Portugal, 2022. It’s been a very good journey.

[00:25:53] Akshat Choudary: Absolutely. Like I just look it, I consider again, and I have mentioned this so many times to different people, is I consider myself extremely, extremely fortunate. Especially like we spoke earlier, the WordPress bandwagon, the, and if I may call it that, but the success story of WordPress. I was so lucky to latch onto it at that point of time and just grow with it. And I’ve grown as a person also through this journey. Because the person I was then versus the person I am now are vastly, vastly different.

[00:26:23] Nathan Wrigley: Mmm. Akshat Choudary we’re gonna end it there. Thank you for joining us today. I really appreciate it.

[00:26:28] Akshat Choudary: Thank you, Nathan.