Tony Perez - Sucuri Security

This Friday, I’m talking with Tony Perez, the guy behind much of the security protecting top WordPress sites in the industry, but he’s not limited to WordPress. Tony’s company, Sucuri Security, founded by Daniel Cid and co-founded by Dre Armeda, manages security on sites across the interwebs. Tony’s background is the Marines, and after he left the corps, he traveled internationally as a defense contractor, including stints in Afghanistan and as a subject matter expert to NATO.

Tony got engaged with WordPress as much because of the community he saw driving it as because of the software platform itself. Turns out his brother-in-law was this dude named Dre Armeda, who was pretty excited about this thing called “WordPress” and was organizing an initiative focused on a simple concept: remove malware from websites. When we talked, Tony explained that WordPress’s greatest strength is its ease of use. And its greatest weakness is also its ease of use. At WP Engine, we’re glad to work with Sucuri because of how accessible they make security to the average WordPress user.

In Tony’s Own Words:

“I’m Tony. If you have never talked to me, you know that I live and breathe website security. I spend a good amount of my time remediating malware cases, troubleshooting sites and doing web application penetration testing (yes, website hacking). I am a very young White Hat but have the opportunity that most don’t have: the ability to see live hacks and techniques on a daily basis.”

And now onto Tony’s Answers:

When was the first time that you really got excited about WordPress and at what point did you decide to make it your career?

It was in January 2010, but it wasn’t because of love, it was because of greed. At the time I couldn’t care less about the community; I just knew that I could push the platform into the enterprise, and with a background in enterprise I knew the financial rewards would be there. For those with backgrounds that stem from closed markets like Windows-based products, you know what I mean. The emphasis was never community.

It was not until I helped organize WordCamp San Diego 2010 that I really fell in love with the platform and its community.

Where do you go first to get your WP news, insights, and updates?

Honestly, it’s Twitter. It used to be WPCandy, but they seem to be having ups and downs as of late, as do some of the others. I also like WPForce, but my first stop is usually Twitter; I get a lot of great info there. I also prefer reading personal blogs over reading news from media outlets; they are often more forthcoming and insightful.

What WP consultants deserve more love than they get? Who should we be paying attention to?

I like me some Mark Jaquith, mainly because of what he’s about and what he does and, more importantly, how he’s engaged in other communities. Also because of his emphasis on WordPress security. Also a quick shout out to Pippin for his recent disclosure: if you’re not aware, he went back through some old code, found he had opened his application to serious vulnerabilities and quickly disclosed it after patching. It doesn’t always work like that, so he deserves some serious props.

The other person is Brian Mess with WebDevStudios. He’s a bit spastic, and if you have ever talked to him you know what I mean. If you have the opportunity to drink with him I encourage you to do so, but just make sure he leaves his camera at home. He’s doing some really phenomenal development, extending the application into areas that most only talk about. So kudos to him and his team.

What performance tips would you give to other pros (as related to speed, scalability, security, plugins, backup, etc.)?

I can’t say much about anything but security, but what I can say is that more emphasis needs to be put on educating developers and designers alike around theme and plugin vulnerabilities. Big theme and plugin shops have no excuse; they need to be getting their code reviewed.

If we weren’t seeing the problem every day, I wouldn’t be saying it. Also, WordPress makes available some very good functions designed to help you escape your output; use them. Here is an article that better articulates what I’m talking about: http://blog.sucuri.net/2012/10/wordpress-themes-xss-vulnerabilities-and-secure-coding-practices.html

The biggest issues affecting WordPress themes and plugins are XSS, RFI, LFI and SQLi attacks. These are all things beyond the end user’s control, so check yourself before you wreck yourself.

If there is nothing you take away from this, take this:

Never trust your users: validate all input coming in and escape everything going out.
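To make the "validate in, escape out" rule concrete, here is an added example (written for this page, not code from the interview, from Sucuri or from the linked article) showing the same theme fragments first the way they commonly ship and then rewritten with WordPress core's own helpers. It covers the four bug classes named above: reflected XSS through an unescaped attribute, SQL injection through string interpolation into a `$wpdb` query, and LFI through a user-controlled `include`. It assumes it runs inside WordPress, which supplies `esc_attr()`, `esc_html()`, `esc_url()`, `wp_kses_post()`, `sanitize_text_field()`, `sanitize_key()`, `absint()`, `get_template_part()` and `$wpdb->prepare()`; the function names and the `sections/` template directory are invented for the example.

```php
<?php
/**
 * Added example, not from the interview. Vulnerable theme code beside its
 * hardened form. Assumes WordPress core is loaded (esc_*, sanitize_*, $wpdb).
 */

/* ---------- Vulnerable: untrusted data flows straight into HTML, SQL and include ---------- */

function insecure_search_box() {
    // Reflected XSS: ?s="><script>...</script> breaks out of the value attribute.
    echo '<input type="text" name="s" value="' . $_GET['s'] . '">';
}

function insecure_recent_by_author( $author_id ) {
    global $wpdb;
    // SQL injection: $author_id = "1 OR 1=1" returns every row, including drafts/private posts.
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = $author_id AND post_status = 'publish'"
    );
}

function insecure_load_section() {
    // LFI via path traversal: ?section=../../../../wp-config ends up in include().
    include( get_template_directory() . '/sections/' . $_GET['section'] . '.php' );
}

/* ---------- Hardened: validate on the way in, escape for the output context on the way out ---------- */

function secure_search_box() {
    // Validate in: strip tags, control characters and surrounding whitespace.
    $query = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    // Escape out: esc_attr() is the escaper for an HTML attribute context.
    echo '<input type="text" name="s" value="' . esc_attr( $query ) . '">';
}

function secure_recent_by_author( $author_id ) {
    global $wpdb;
    $author_id = absint( $author_id ); // only a non-negative integer is acceptable here
    if ( 0 === $author_id ) {
        return array();
    }
    // $wpdb->prepare() binds %d as an integer; no string ever reaches the SQL untouched.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = %d AND post_status = 'publish'",
            $author_id
        )
    );
}

function render_post_links( $posts ) {
    foreach ( $posts as $post ) {
        printf(
            '<li><a href="%s">%s</a></li>',
            esc_url( get_permalink( $post->ID ) ), // esc_url() rejects javascript: and data: schemes
            esc_html( $post->post_title )          // esc_html() neutralises <script> in the title
        );
    }
}

function render_excerpt_html( $html ) {
    // When markup must survive, allow only the post-content whitelist instead of echoing raw HTML.
    echo wp_kses_post( $html );
}

function secure_load_section() {
    // Allow-list the template names; never let the request pick a filesystem path.
    $allowed = array( 'header', 'sidebar', 'footer' );
    $section = isset( $_GET['section'] ) ? sanitize_key( $_GET['section'] ) : 'header';
    if ( ! in_array( $section, $allowed, true ) ) {
        $section = 'header';
    }
    // get_template_part() resolves only inside the active (child/parent) theme.
    get_template_part( 'sections/' . $section );
}
```

The point worth remembering is that the escaper is chosen by the output context, not by the data: `esc_attr()` for attribute values, `esc_html()` for element text, `esc_url()` for `href`/`src`, `esc_js()` for inline script strings, and `wp_kses_post()` only where HTML is genuinely required. Sanitizing on input is a second layer, not a substitute; a value that was "safe" when stored is still unsafe when printed into a different context.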

Confess to us your biggest moment of WP fail?

It was not until 2012 that I did my first manual WordPress install... sniff sniff

If you were going to spend this weekend creating a plugin that doesn’t exist, what would it be?

Man, if I could, I would build a plugin that easily allows a user to force a password reset for all users. This is a key function post-hack and it’s always the one thing that never gets done. Very frustrating.
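As an added example (not Sucuri's plugin or anything from the interview), here is the smallest plugin that does what Tony describes: every account gets an unknown random password, every existing session is destroyed so an attacker's stolen cookie stops working, and a reset email is sent so legitimate users pick a new password themselves. It assumes the current WordPress core APIs `get_users()`, `wp_generate_password()`, `wp_set_password()`, `WP_Session_Tokens`, `retrieve_password()` (WordPress 5.7 or later), `check_admin_referer()` and `add_management_page()`; the `fpr_` prefix, the tools-menu slug and the action name are invented for the example.

```php
<?php
/**
 * Plugin Name: Force Password Reset (added example)
 * Description: Example only, not the interview's or Sucuri's code. Forces every
 *              user onto a new password after a compromise. Assumes WP 5.7+.
 */

/**
 * Reset every user. Returns the number of accounts processed.
 */
function fpr_reset_all_users() {
    $count = 0;
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $user ) {
        // 1. Replace the password with a random one nobody knows. WordPress ties the
        //    auth cookie's HMAC to the password hash, so old cookies stop validating.
        wp_set_password( wp_generate_password( 32, true, true ), $user->ID );

        // 2. Destroy every session token, including any "remember me" session the
        //    attacker may be holding.
        WP_Session_Tokens::get_instance( $user->ID )->destroy_all();

        // 3. Send the normal "Lost your password?" email so the user chooses a new one.
        $sent = retrieve_password( $user->user_login );
        if ( is_wp_error( $sent ) ) {
            error_log( 'fpr: reset mail failed for user ' . $user->ID . ': ' . $sent->get_error_message() );
        }
        $count++;
    }
    return $count;
}

// Admin-only trigger, protected by a nonce so the reset cannot be fired by CSRF.
add_action( 'admin_post_fpr_reset', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'fpr_reset' );
    $count = fpr_reset_all_users();
    // The administrator's own session was destroyed as well, so land on the login page.
    wp_safe_redirect( add_query_arg( 'fpr_reset', $count, wp_login_url() ) );
    exit;
} );

// Tools > Force Password Reset: a single confirmation button.
add_action( 'admin_menu', function () {
    add_management_page( 'Force Password Reset', 'Force Password Reset', 'manage_options', 'fpr', function () {
        $url = wp_nonce_url( admin_url( 'admin-post.php?action=fpr_reset' ), 'fpr_reset' );
        echo '<div class="wrap"><h1>Force Password Reset</h1>';
        echo '<p>Every user, including you, will be logged out and emailed a password reset link.</p>';
        echo '<a class="button button-primary" href="' . esc_url( $url ) . '">Reset all passwords</a></div>';
    } );
} );
```

Two caveats a responder should keep in mind. First, this only closes the password and cookie avenue; if the attacker left a backdoor file, a rogue admin user created after the reset, or a modified `wp-config.php`, they walk straight back in, so run it after cleanup, not instead of it. Second, rotate the `AUTH_KEY`/`AUTH_SALT` family in `wp-config.php` at the same time; the plugin cannot do that for you, and fresh salts are what guarantee that cookies forged from a stolen database are dead.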

Do you use Themes & Child Themes, Roll your own, or both?

I’m about as incompetent as it comes when it comes to themes, so I usually rock a child theme of one of my preferred frameworks.

What’s your favorite theme or theme framework? Why?

I’m not a developer or designer, so I like to rock Genesis and their themes. Another favorite is WooThemes; it just depends on my mood.

Favorite plugin?

Have you heard Sucuri has a premium plugin that is offered free to its customers? No..?

In all seriousness, I like it because it doesn’t do much; it’s simple and it’s designed to be so. Its most powerful features are two-fold: its auditing and its built-in Web Application Firewall (WAF). It still has a lot of work to be done, but with time it’ll get better.

Outside of my own, I like auditing plugins and plugins that focus on access authentication. Specifically, I like Duo Factor and Google Authenticator for access authentication.

I like auditing plugins; it’s very important that you stay on top of what is going on with your site, especially if you’re the so-called “webmaster”.

Least favorite plugin?

Oh man, all the security plugins that are offering 150 different hardening tips. If I could outline the number of sites that are infected while running these plugins, it’d be very disturbing.

That being said, it might be a little unfair; I am sure they do protect some. They are just so overwhelming sometimes.

What’s the coolest thing you’ve ever done with Custom Post Types?

This one time, in band camp... yeah, I have done nothing with CPTs.

What do you think is the biggest challenge that WP consultants will face in 2013?

Surprise, surprise: web security. Consumers are getting smarter, Google and Bing blacklisting are not helping, and the various media outlets bashing on WordPress are also slowly making waves. The idea that security is someone else’s problem is no longer the case; as developers and designers, it has to be part of your thought process.
Also, not doing so is only giving the platform you love a bad name. Frankly speaking, almost nobody knows you, but millions know WordPress. Think about paying it forward; you can do that by developing more secure code.

If you could change one thing today about WP, what would it be?

I would change the antiquated approach WordPress takes to access and roles. I remember having a conversation where the response I got was, “they didn’t want to make it like Microsoft”, but that’s the problem. Our approach is already the Microsoft way, the 1990s way. Every user by default is an administrator, the platform can write to itself on the server; it’s all very dangerous, and it facilitates the issues presented by the weaknesses in themes and plugins.

It’s going to be an issue that we’re not going to be able to avoid for much longer; it’s that, or we deal with the increase in compromises.

Where do you see WordPress going in the next 2-3 years?

It’s pretty obvious that it’s targeting the CMS market, and with every build it leans further in that direction. I worry, though, about its back-end complexity; remember, complex things break in complex ways. I do think, however, that we’ll continue to see significant refactoring, and the core of the platform will be nothing like what it was when it first started. I do worry whether it’ll isolate the everyday blogger in the desire to better penetrate the enterprise and larger organizations. If that perception continues, you’re likely to see splintering within the community, and what are nothing more than rumblings will turn into realities. So the next few years will be interesting for sure, and whichever direction it takes, it’ll be successful and the community will be five times its current size.

Tell us a story where you saved the WP day for yourself or on a client project.  What made the difference for you?

Oh man, this is a hard one, because every day I work on remediating cases. That’s right, I have a team of 15, and with my business partners we run a pretty good-sized organization, but we all remediate cases. This is intentional; it keeps us in touch with reality and reminds us of what we’re doing. It’s how we build our products.
What’s very exciting about what I do is the sense of satisfaction you get; it pales in comparison to any of the software projects I have ever managed. People come to us when they are the most vulnerable, and many have no idea what is happening. The ability to service them quickly, retain all functionality, harden the environment and remove them from Google blacklisting is priceless to me.

What’s the biggest misconception you encounter about WordPress, and how do you clear it up for your clients?

The biggest misconception is that it’s insecure. I hear this from developers and designers too, which really infuriates me. The platform core is actually very secure; even the issues found as of late are very low priority. The biggest issues are the environment, themes, plugins and the user. That’s what I tell people.

If you were interviewing another WordPress developer for a job, what is the first question you would ask and why?

Tell me, and show me, the things you do to ensure you are developing securely. Do I really need to explain why this is important to me?

What did I miss?  Here’s your chance to fill in the blanks and add something you want people to know about you!

The thing I want people to understand is that WordPress does have vulnerabilities, but it’s a double-edged sword. It prides itself on its ease of use and its extensibility; unfortunately, for every good there is a bad, and that same ease of use and extensibility is its biggest weakness.

As for me personally, I am married and have three kids. I am also a Harley-riding, tattoo-wearing, foul-mouthed, gun-carrying Colombian Cuban with a hot temper. I am not known for keeping my mouth shut and am often quick to offer my unsolicited opinion; it’s just in my DNA.

Thanks Tony!

If you’ve got a website, WordPress or otherwise, head on over to Sucuri.net to do a free malware scan and make sure your site stays squeaky clean. And if you ever need some security help, Tony is your man.