Regular security audits: taking our responsibility

Yoast SecurityToday, we’re announcing that we have partnered with Sucuri, in the interest of pro-actively securing our plugins. As our plugins run on more and more sites, we have a responsibility towards our users and the web at large to make sure that we do our utmost to make sure our code doesn’t make them vulnerable.*

We’ve been preparing this release for over two months. In that time, Sucuri has identified vulnerabilities in plugins across the WordPress ecosystem affecting over 20 million downloads. This shows the need for users and web hosts to update plugins promptly on security updates. If you look at it, it beckons for a more “forced” way of updating plugins. It also places additional scrutiny on us, plugin and theme developers, to ensure that we are not only focused on features but place additional emphasis on good, secure, code.

Once a security problem is public there’s no stopping the bad guys in any other way than to update. To us, as authors of plugins that all combined have more than 20 millions downloads and run on over 5% of the top 1 million websites, it made even more clear the need for more scrutiny in our code writing. We could think of no one better than the guys working in the trenches, Sucuri.

Improved security, so we can sleep better

Let me be honest: there’s no such thing as 100% safe software. Ever. But we can strive. From now on, Sucuri will review all the code in our major plugins at least four times a year, on top of our own testing and development best practices. They will work with my team to ensure that the patches we push are adequate and work with us to get the word into as many hands as possible. For all intents and purposes, they will be an extension of my development team, focused strictly on security. We are not foolish enough to think that this is the end all be all to security, no, we realize this is a process and will continue to evolve.

Like all of you, we’re not perfect. We’re sure though, that having the pro’s at Sucuri review our code regularly will lead to our plugins being among the safest out there, which is how we want it. It’s how we, as the good web stewards we strive to be, will take responsibility for what and how we do it – providing our users the best, and most secure, options available. Not just because you sleep better because of it, but because we sleep better because of it too.

But you said “partnered”?

Yes. This will be a relationship in which we reciprocate the service by being an extension of their online marketing team. Sucuri will review our plugins, we’ll help them by reviewing their online practices from a website optimisation point of view. Let’s face it, we can’t all be good at everything, they are great at Security, but could use some help at online marketing and website optmization, and they recognize this, which is why we are going to help them get better.

To start, they have already received our diamond review, our ultimate review package in which we provide a thorough review of their SEO practice, website usability and conversions. Have you seen their latest changes?

In a similar fashion, we’ve made the first improvements to our plugins based on their reviews, luckily showing no critical issues yet.

Additionally, they will be working with us beyond just the code we ship. They will be working with us to improve our overall security posture as an organization and we’ll be leveraging their Website AntiVirus and Firewall products to ensure a safe online experience for all our online visitors. They are the premiere Website Security company and we rock at what we do, it’s only right we make full use of each others services.

Lead, not follow

When I was on the Dradcast 2 months ago, I hinted at some of this. We should lead by showing how people can improve their products and processes. I personally think every premium plugin / theme company should have a process for regular independent security reviews of their product(s). This is an example which I’d love for every company in the WordPress community to follow and document.

We’ll be as transparent as possible about all of the things we do, both Sucuri in how they improve their site as we in how we improve our code. As you can see, we’re very excited to be working with the team at Sucuri and we look forward to making the web safer together!

* For the record: from a purely juridical point of view, the GPL basically disclaims all warranty.

This post first appeared on Yoast. Whoopity Doo!