Start With the Experience, Not the Feature List

Product teams love feature lists.

Features are concrete. You can estimate them, assign them, build them, and put them on a slide. They give everyone the satisfying feeling that the product is moving forward.

Unfortunately, a team can deliver every feature on the list and still build the wrong product.

The problem usually starts before the first line of code. The team begins by asking, “What should this product do?” when the better first question is, “What should the customer be able to accomplish, and what should that experience be like?”

Those questions sound similar. They’re not.

I laid out this model in a talk for the WP London Meetup in March 2025, and am looping back to expand on the parts that matter most when putting it into practice.

Define Success First

Before deciding how to build a successful product, you have to decide what success means for this product.

Sometimes the answer is paying customers and profit. Sometimes the product fills a gap in a larger offering, improves retention, solves a costly support problem, or makes another product more useful. Success may mean adoption, ease of use, happier customers, or some combination of those things.

Those products won’t all be built or prioritized the same way.

This matters in hosting because the industry has shifted. Customers increasingly expect a complete solution, not simply space on a server and a list of tools they have to assemble themselves. A host may build a product to generate direct revenue, but it may also build one to help customers succeed, reduce churn, or make the rest of its services more valuable.

Name the intended outcome before debating the features. Otherwise the team may deliver exactly what it planned without knowing whether any of it worked.

Features Aren’t the Product

Imagine you’re building an onboarding flow for a security product.

The feature list might include account creation, domain verification, a scan, an alert, and a dashboard. That’s enough information to describe functionality. It isn’t enough to describe a useful experience.

What does the customer understand when the first alert arrives? Do they know how serious it is? Do they know what to do next? Can they tell whether the problem has been resolved? How much expertise does the product expect them to have?

If you don’t answer those questions, the product will answer them for you, usually through whatever was easiest to implement.

That’s how teams end up with technically complete products that confuse the people they’re supposed to help.

Work From the Outside In

I use a simple sequence when planning a product:

Product planning pyramid showing Experience, Flows, Interface, Design, and Functionality, with an arrow directing planning from the top down.

Engineering may build the pyramid from the bottom up, but product planning needs to move from the experience down.

This isn’t a waterfall process. These layers inform one another, and teams will move back and forth between them. The order is about where the product gets its direction.

A pyramid is normally built from the bottom up. Products often are too. The code, databases, infrastructure, and functionality support everything above them.

Customers experience the other end of the pyramid.

They care about whether the product helps them accomplish something, whether they understand it, and whether using it feels worth the effort or money. The top may be the smallest part of the picture, but it’s the part that gives everything underneath it a purpose.

You may build from the bottom up. You have to plan from the top down.

Experience

Start with the outcome and the customer’s state of mind.

What are they trying to accomplish? What do they know when they begin? What should they understand and be able to do when they’re finished? Where are they likely to be uncertain, frustrated, or afraid of making a mistake?

This is broader than whether the product is pleasant to use. A security customer may need to feel confident that taking action won’t break their site. A hosting provider may need to understand how a product affects support volume before enabling it for thousands of customers.

The intended experience includes the practical and emotional conditions required for the product to be useful.

Flows

Once the experience is clear, map the steps that make it possible.

What starts the process? What decisions does the customer have to make? What information do they need at each point? What happens when something fails?

Flows expose assumptions early. A product that sounds simple in a feature list may require the customer to jump between systems, wait for another person, or understand terminology they’ve never seen before.

It’s much cheaper to discover that while mapping a flow than after building the interface.

Interface

The interface is the set of controls, messages, and information the customer needs to move through those flows.

This is where you decide what belongs on a screen, what needs emphasis, and what can wait. The interface should reflect the customer’s decisions, not the internal structure of the software.

Customers shouldn’t have to understand your architecture to use your product. They have their own work to do.

Design

Visual design gives the interface hierarchy, consistency, and clarity.

It matters. A lot. But visual polish can’t rescue a confused flow, and a beautiful screen can’t answer a question the product never considered.

Design works best when it has a clear job to do.

It also works best when it respects what customers already know. If nearly every table puts search and filtering at the top, that’s where people will look for them. Moving those controls somewhere more creative doesn’t make the product more innovative. It makes a familiar task harder.

There are good places to differentiate. Common interaction patterns usually aren’t one of them.

Functionality

Now the team has enough context to make better decisions about what to build.

Functionality is still critical. The difference is that it now serves an intended experience instead of defining one by accident.

Engineering should be involved throughout this process. Engineers understand the systems, constraints, and opportunities that shape what’s possible. Early technical input can prevent a team from designing an elegant fantasy.

That doesn’t mean implementation should lead the product. Feasibility should inform the experience, not silently replace it.

Build the Team Around the Questions

Different stages require different kinds of depth.

Early on, product, research, design, and engineering need to agree on the problem, the people affected, and the constraints. As the experience and flows become clearer, interaction and visual design can go deeper. As the team moves toward delivery, engineering and quality work naturally expand.

That doesn’t mean each discipline waits outside the room until its turn. Handoffs create their own problems. It means the team’s focus and staffing should match the questions that need answering.

On one product team, our user researcher also served as the UX designer. I owned quality control. Two people divided the UI work between visual design and implementation, a dedicated project manager kept the work coordinated, and a development team built the product with help from other engineers as needed.

That wasn’t the only team structure that could have worked. It fit the product and the people we had. More importantly, the responsibilities were visible. We knew who was learning from customers, who was protecting the intended experience, who was coordinating the work, and who was making it real.

Clarity should drive growth.

Research Has to Become Direction

User research isn’t simply talking to customers.

The harder work is taking what customers say, separating the recurring needs from individual preferences, and turning that information into something a team can use. Good research doesn’t hand engineering a stack of interview notes. It helps the team understand the problem well enough to make decisions.

Research should continue after the first plan. Prototypes, moderated testing, unmoderated testing, and small beta groups can show whether the product works the way the team thinks it does.

Beta groups need care. Participation fades, people get busy, and the group may need to be refreshed. That’s still cheaper than discovering after a broad launch that customers can’t find the thing you thought was obvious.

UX and UI Aren’t the Same Job

UX and UI are often treated as interchangeable labels. I don’t find that very useful.

UX is primarily an advocate for the person using the product. It focuses on research, scenarios, information architecture, flows, wireframes, prototypes, and whether the experience makes sense.

UI turns that structure into the visual and interactive system people will actually use: layout, controls, typography, color, branding, and implementation details.

There is overlap, and one skilled person may handle both. The distinction still matters because a polished interface doesn’t prove that the underlying experience is sound.

Give Quality a Clear Owner

Before the team starts building, decide who has the final say on whether the product is good enough.

Larger teams create plenty of opportunities for individual pieces to be acceptable while the whole product feels inconsistent. Someone needs the authority to say the edges are still too rough, the experience doesn’t match the intent, or the product is ready to ship.

This shouldn’t be arbitrary control or personal taste dressed up as quality. It should be accountability to the experience the team agreed to create.

Project management matters here too. Even a small team benefits when someone owns coordination, documentation, and the reasons behind decisions. That work lets specialists focus on their jobs and gives the team something to return to when the next iteration begins.

Stakeholders and marketing also need to be involved without replacing the customer as the center of the product. Product leadership includes keeping those groups informed, earning the necessary support, and translating their needs into the same set of decisions.

Plan for Change Without Moving Everything

Most products don’t end at launch.

They gain customers, new use cases, new requirements, and ideas nobody had during the first planning session. A team that plans only for version one can paint itself into a technical corner, but architecture isn’t the only concern.

Customers learn where things are.

Moving a familiar control or reorganizing a workflow can frustrate people even when the new design is theoretically better. The team may see an improvement. The customer experiences the loss of something they already understood.

You can’t predict every future feature, and trying to do so will create its own kind of overengineering. You can leave conceptual space for the product to grow. Think about where likely capabilities could fit, which parts of the experience need to remain stable, and how new work can be introduced without forcing customers to relearn the whole product.

Plan for the future without building all of it today.

Must-Haves Before Wow

Every product has a list of features that would be impressive in a demo.

Some of those ideas may become real differentiators. The danger is building them before the product has earned the right to be interesting.

Customers need the basics to work first. They need to understand the product, complete the central task, recover from mistakes, and trust the result.

The “wow” can build loyalty. The must-haves earn trust.

This doesn’t mean innovation always waits. Sometimes the differentiating idea is the simplest route to the customer’s outcome. But when a feature competes with the core experience, the core experience wins.

The balance continues after launch.

Marketing naturally wants visible features it can show in an advertisement, capture in a screenshot, and give customers a reason to talk about the next release. Those features matter.

The product also needs work that won’t earn an exciting announcement: performance improvements, confusing flows that need cleanup, maintenance, and expected capabilities that every credible competitor already has.

In a hosting control panel, activating and deactivating plugins isn’t a headline feature. It’s still something customers expect to be able to do.

On one team, we labeled roadmap work as “wow” or “must-have” and deliberately interspersed the two. The labels weren’t a scoring system. They made the tradeoff visible so the roadmap could keep the product dependable while still giving customers something new to be excited about.

A roadmap made entirely of must-haves becomes stagnant. One made entirely of wow features becomes unreliable.

A Better Starting Conversation

Before creating the feature list, get the team together and answer six questions:

  1. What does success mean for this product?
  2. Who is the customer in this situation?
  3. What are they trying to accomplish?
  4. What do they know, fear, and expect when they begin?
  5. What needs to be true for them to trust the outcome?
  6. How will we know the experience worked?

Then map the flow. Identify the decisions. Bring in the technical constraints. Decide what interface the customer actually needs. Only then turn the answer into functionality.

You’ll still end up with a feature list.

It’ll simply describe a product worth building.

Hanging My Hat at Monarx

I’m excited to share that I’ve joined Monarx as their new Vice President of Product.

For me, this feels like coming home. I’ve spent more than 25 years in the web space and over a decade working directly in hosting. Along the way, I’ve seen firsthand the challenges hosts face when it comes to protecting their customers. Security is hard, and it’s only gotten harder as threats have become more automated, more obfuscated, and more persistent.

That’s why I’m so energized to dig into security again—because Monarx is solving this problem in a way that actually works.

Monarx isn’t just another scanner or add-on. Their platform takes a fundamentally different approach: using AI and code de-obfuscation to analyze how code behaves, not just what it looks like. That means they catch things others miss—including zero-days and hidden attacks—while keeping false positives remarkably low. Even better, they’ve built it to run in the cloud, so it’s lightweight for hosting environments, and it integrates everywhere: Linux distros, control panels, you name it.

From a product perspective, that’s exciting. From a security perspective, it’s a leap forward.

What makes Monarx especially compelling, though, is how they’ve aligned their business with the hosting world. Whether a host wants to save money (through reduced support costs and server overhead) or make money (by selling security directly to customers), Monarx has built the tools, integrations, and even white-glove services to make that possible. As someone who deeply understands what both hosts and end users need, I see the potential here—and it’s big.

My role as VP of Product will be to shape the product strategy, ensure we’re building the right things the right way, and help Monarx continue to lead as the only cybersecurity platform designed for hosting companies and resellers.

It feels good to be back in the trenches of web security—helping solve one of the hardest, most important problems on the internet.

The Introvert Brain

Everyone’s brain, introvert and extrovert alike, has what I call a peak efficiency zone. When your brain is operating in this zone, it’s easy to be productive; you’re motivated, focused, thinking clearly, and getting things done. Your brain is performing like a sports car and using fuel like a subcompact. Everyone has this peak efficiency zone, but it’s not the same for everyone – it’s in a different place, if you will.

Understanding Your Peak Efficiency Zone

For me, this zone often emerges when I’m alone, surrounded by predictable or minimal noise, and reasonably relaxed. Engaging in tasks like planning, problem-solving, or coding allows me to capitalize on this highly productive state.

Others might find their peak efficiency in social settings—perhaps brainstorming with others in a bustling coffee shop, bouncing ideas off each other and feeling inspired. The ideas are creative, high-quality, and coming easily.

Regardless of where you find it, operating within your peak efficiency zone feels invigorating. But what happens when you’re outside of it?

The Stimulation Spectrum

Our peak efficiency zone lies along a spectrum of stimulation, ranging from under- to overstimulated. The optimal point on this spectrum varies for each individual. Notably, introverts tend to find their sweet spot on the lower end, while extroverts thrive with higher levels of stimulation. This isn’t just anecdotal—it’s backed by science.

Under-stimulated

When under-stimulated, you might feel lethargic, unmotivated, or mentally sluggish, even after adequate rest. It’s important to note that it’s not impossible to be productive when your brain is under-stimulated; it just takes more effort – more energy – to force yourself to get things accomplished in spite of your lack of motivation and seemingly sluggish thoughts.

Over-stimulated

Conversely, over-stimulation can make your mind feel hyperactive yet unfocused. Thoughts race, but none settle long enough to be actionable. Again, productivity isn’t out of reach, but it requires significant energy to channel this mental chaos effectively.

The Neuroscience Behind It!

Obviously we want our brains to be operating at peak efficiency, but how? Understanding how this stimulation spectrum works in your brain is the first step. Our brains are amazingly complex but to simplify it as much as I possibly can, stimulation levels are basically controlled by two chemicals in our brain: acetylcholine and dopamine. Both are neurotransmitters, with dopamine being dominant when we are more stimulated and acetylcholine being dominant when we’re less stimulated. Together they have a heavy effect on the way blood flows through our brains which dramatically affects our ability to be productive.

Acetylcholine: The Introvert’s Ally

Acetylcholine is our brain’s default neurotransmitter, associated with focus and attention. If you’re an introvert like me, you love acetylcholine, even though you likely have never heard of it.

It’s stored in the Laterodorsal Tegmental Nucleus (go ahead, try to say that ten times fast) and travels through the Cholinergic Pathways to various areas all over the brain. For introverts, acetylcholine dominance facilitates deep thinking and sustained attention in low-stimulation environments.

Dopamine: The Extrovert’s Driver

Dopamine, often linked to pleasure and reward, becomes dominant in more stimulating situations. It’s more popular (read: widely known), which seems fitting since it’s an extrovert-favoring chemical. (Although it’s probably best known for its association with addictive drugs and behaviors, which is outside the scope of our interest in it.)

Dopamine is used in various ways all over our body, but what we care most about is that it’s created in the Ventral Tegmental Area, travels through some pathways in the brain, and arrives at the Nucleus Accumbens. This is all part of the “rewards system” in our brains (more on this to come). When the Nucleus Accumbens processes dopamine it stimulates our brains, moving us further up that stimulation scale. And in introverts, who already want to be a little lower on that scale, our Nucleus Accumbens is much more sensitive to dopamine.

Blood Flow

I said that acetylcholine and dopamine have an effect on the blood flow of the brain, and that introvert brains are more sensitive to dopamine. And this is where it gets fascinating. The difference between an introvert and extrovert brain can be physically observed by doctors and scientists! That’s right, it’s not just a preference, it’s an observable difference in your brain!

Let’s look at the extrovert first. Imagine an extrovert is relaxed – lying down, listening to calming music, reading, etc. – so that the dopamine levels in their brain are low and acetylcholine is in control. A radioactive isotope is injected so that their blood flow can be traced through their brain, and the flow looks something like this:

The flow is fairly centralized. It travels through the areas that control our senses – taste, touch, sight, sound, hearing – as well as the autonomic functions like heartbeat, breathing, etc.

Now imagine an introvert goes through this same test, with the same dopamine levels as the extrovert. The flow of blood would look more like this:

As you can see, it flows along a much longer path, all the way out to the prefrontal cortex. Now it’s flowing through the areas of the brain that control empathy, self-reflection, memory, planning, and rational thought. This is what blood flow is like when your brain is at or near its peak zone.

Hacking The Rewards System

Understanding the brain’s reward system—especially how dopamine is involved—gives you more control than you might think. Dopamine plays a central role in motivation. It’s what pushes you to act, nudges you to try again, and gives you that “good job” signal when something goes right. But even though this is part of the “rewards system” it’s not about the actual reward—it’s about the anticipation of reward. Dopamine is released to tell you that a reward is possible and to encourage you to pursue it.

This is where things get interesting for introverts.

Because introverts are more sensitive to dopamine, we’re more likely to push ourselves beyond our peak-efficiency zone in environments where external dopamine cues are loud, rapid, or unpredictable. That could mean a chaotic office, a packed conference, or an overcrowded meeting. These settings might energize an extrovert—but for an introvert, they can quickly become draining.

One of the most important things I’ve learned as an introvert—especially one who genuinely enjoys meeting new people and learning from their perspectives—is this: every time you meet someone, there’s potential for a reward. Your brain recognizes that, and releases a bit of dopamine to encourage the interaction.

So what if you could harness dopamine on your terms?

You can. Once you understand how the reward system works, you can intentionally trigger as much or as little dopamine as you need—rewarding yourself in ways that keep you in your peak efficiency zone rather than pushing you past it.

At a conference, for example, I’ll meet and talk with as many people as I can—because that’s what I want to do, that’s the goal. But I seek out individuals or smaller groups, where the social stimulation is more manageable and the dopamine doesn’t flood in all at once. When I start to feel my energy dip or my focus fray, I’ll step away to somewhere quiet and let my dopamine levels settle. Because I’ve found that a 15-minute break followed by 45 minutes in my peak zone is far more effective than spending a full hour outside of it.

In short: when you understand how the reward system works, you stop hoping that you’ll be “in the zone” and you start navigating yourself into it—deliberately and on your own terms.

Embracing Your Neurological Blueprint

Understanding your brain’s wiring empowers you to create environments and routines that align with your natural tendencies. For introverts, this might mean seeking quiet spaces for deep work, scheduling downtime after social engagements, or engaging in solitary activities that recharge your energy.

Recognizing that introversion isn’t a flaw but a distinct neurological configuration allows you to leverage your strengths effectively. By working with your brain’s natural inclinations, instead of against them, you can better achieve the success you’re looking for.

Understanding and embracing your introverted nature isn’t just about personal growth—it’s about unlocking your full potential.

For a more in-depth exploration of this topic, watch my “Succeeding as an Introvert” and “Leading as an Introvert,”

Looking Back at 2021

Forgive me internet, for I have sinned. It has been 351 days since my last post on here. Here’s a short one on 2021 to try to get me back into the habit.

Last year was one of self-assessment and struggle for me. I’ve heard several people refer to it as a roller coaster, but I love roller coasters and can’t claim the same affection and appreciation for 2021. I can say it had a lot of ups and downs. You could take a graph of weekly average COVID infection rates in my state of Oklahoma, mirror it on the vertical, and relabel it “Aaron’s Mental Health and Happiness”. It would be alarmingly accurate.

While most of the biggest challenges of 2021 were personal for me, professionally there were some significant changes and encouraging progress as well.

Self-Assessment

Starting even before 2021, in the latter half of 2020, I took some of my own advice and sat down to write out what was important to me, what I enjoyed, and, just as importantly, what I didn’t enjoy. It was overdue. I tell people it’s a practice you should do quarterly, yet I hadn’t done it in a year – and so much had changed in that time!

Setting aside the personal and family parts of that list, because those are for me, there were a lot of similarities to years past in the things that were important to me – the open web, making enough money to provide the lifestyle I want for my family, feeling like I make a difference, helping others to succeed beyond just the company I’m at, traveling (I have to admit, I miss this), etc.

Then came the hard part – applying these things to my life to cause changes and bring my life more in line with what I want it to be. I don’t think I fear change, but I’m certainly wary of it. I like to know all the things, and change makes that hard but it was worth it.

The biggest professional change happened very early in 2021. I was tired of pushing so hard to steer a company toward embracing and building on the basic principles of the open web and to drive home the importance of open tooling and standards. Especially as reorganizations began to reduce my ability to effect the change I saw was needed. I don’t think I even realized how exhausting it was or how much it affected my happiness, until I stepped back and eventually left.

I didn’t dramatically change what I was doing, but I moved to a company that sees the importance of the open web as I do. Even considering the massive merger that birthed Newfold from EIG and Web.com, pushing toward the open web with a company full of people who are pushing in the same direction was definitely one of the better parts of 2021.

Exploring Professional Interests

The move to Newfold was strategic for another reason as well – to further distance myself from the “developer” label I’ve long been tagged with. I was absolutely a developer – for many years that was my primary marketed skill and it’s what really kick-started my career and brought me into WordPress. I still write code for personal projects and even professionally from time to time, but it’s been a while since I considered myself a developer. Breaking free of that label has been tough, but I think 2021 finally put that to bed.

There is nothing wrong with being a developer, but the skills I most enjoy employing are guiding products and the strategies around them, bridging the gap between developers and non-developers, and building and maintaining relationships. I’ve spent all of 2021 doing those very things.

I’ve been able to split my time, running product while also being involved in partnerships and acquisitions. I even went to my first ever CaboPress, and I have to say – you’d be hard pressed to find a conference anywhere that better facilitates the building of relationships.

A Happier Path Forward

Looking ahead at 2022 the thing I hope to focus on is personal happiness even with regard to my professional life. There’s a niggling little voice inside me telling me that’s selfish, but I’m working to ignore it. For me personal happiness will mean more time with family, less stress about work, and focusing on continuing to employ and improve the skills I truly enjoy.

Hanging My Hat Somewhere New

Last week was my final week at GoDaddy. It was a little over four years ago when I joined GoDaddy as a full-time WordPress contributor. I went in with a goal to help make WordPress better, and GoDaddy really empowered me to do that during my time there. It was truly great and I’m going to miss it in so many ways!

What’s Next?

I continue to be passionate about the open web and open source software, like WordPress, as a part of it. I still strongly believe that the internet is the single most effective information sharing tool in all of history, and keeping it open and accessible to all is critical to humanity’s ability to make forward progress. And I’m still as excited as I’ve ever been to be a part of that.

But I’ve also become increasingly focused on the sustainability of the open web and the open products that make it up. If you look at the time and resources required for these things to exist, it’s expensive! Which is why in successful projects like WordPress, we see so many people who are paid in some way or another to work on it. Without those people WordPress would not be where it is.

And it’s good when companies do this as a social good or as something tangentially related to what they do, but I think true sustainability here requires more than that. I want to help companies align their products and services, their success, with the health and success of open source software and the open web. I want to help build symbiotic relationships that bring sustainable, ongoing benefit to the WordPress community and the web as a whole.

Where?

I’m super excited to be joining Endurance and the Bluehost family, to do just this. Endurance has already shown their commitment to the WordPress project and community. I look forward to helping them continue to align with that commitment in an effort to build toward the sustainability of the open web.

HackerOne Update

WordPress officially launched the WordPress bug bounty program on HackerOne May 15 of this year, almost six months ago. The goal was to leverage the tools HackerOne provides to improve the quality and consistency of our communication with reporters, and to reduce the time spent on responding to commonly reported issues in order to free our team to focus more time on improving the security of WordPress as well as our sites and other properties.

Success

Since that launch, we have paid out approximately $14,000 in bounties for thirty-nine unique reports – an average of more than $350 for each valid report – from twenty-two different hackers (researchers). This part is exciting! People are helping keep WordPress secure.

Struggles

It's amazing that we've been able to resolve these valid reports (not all were eligible for bounties, some were sent swag as a thank you), but there's more to the story. Those valid reports only account for roughly 16% of the overall reports. About five out of every six reports are invalid. These invalid reports still take time to process, test, etc.

Time is always valuable, but when working with a volunteer team it can feel even more so. Dealing regularly with invalid reports not only consumes a lot of time, but can also feel extremely useless – like a lot of work for no reason. We need to continue to focus on improving this process, but I'm extremely thankful to the people on the team that work to triage on HackerOne for us.

What Now

I would say that the program has been a success so far, so we want to continue it. We are actively working to address the biggest struggle we face, which are the invalid reports that take up so much time without yielding useful results. HackerOne offers some tools that we're trying to leverage to help.

  • Common responses – building up a repertoire of useful responses that can be easily sent to reporters takes time. We hope this will pay off in future time savings, as we no longer have to write the same basic response over and over.
  • Triggers – these allow us to automatically show one (or more) of our common responses to reporters as "Are you sure?" interstitials, based upon key words in the report. Adding some of these has helped and we hope to build a good collection of them as we go.
  • Reputation – HackerOne has both a reputation and a signal rating for all users. We can limit the ability to submit reports to only hackers with a minimum signal. There is a balance here. We don't want to miss out on valid reports, but we do want to reduce the noise.

We are also working with HackerOne to find other ways we might be able to improve our processes. Stay tuned!

The Open Web Matters

The internet is no longer a toy. It is no longer used only for fun or even simply for research. It is now an integral part of people’s lives, of businesses, and even of entire economies. Comedian and science advocate Bill Nye was recently speaking about his new show Bill Nye Saves the World. Asked why he thought it was so important, he said:

I want clean water for everyone on Earth; renewably-produced, reliable electricity for everyone on Earth; access to the internet, or whatever the future of electronic information is, so that everybody in the world can participate in taking care of the planet.

Bill Nye to CNN

Water, electricity, and internet. It may sound crazy, but I would argue that the science guy is right. The internet is vitally important to the future of humanity. It needs to be protected, secured, and available. This cannot happen unless it is open.

History

CERN has restored a copy of the 1992 version of the site – the earliest copy researchers at CERN have been able to find.

The web as we know it started around 1991. Tim Berners-Lee, working at CERN, developed HTTP, HTML, and the first ever web browser. The web was much more academic at that time and looked a lot like the pages of a research paper.

Around the same time, the Commercial Internet eXchange (CIX) was trying to do something groundbreaking. It was attempting to connect the various stand-alone networks, the early commercial ISPs whose traffic was barred from the government-funded NSFNET backbone by its acceptable use policy, so that traffic could be exchanged between them. The controversial thing at the time was that they wanted a no-settlement policy between the networks involved: no one paid anyone else for carrying their traffic. We take this for granted, expecting to easily access any information or service on the web without caring where or how it’s hosted. Imagine an internet where this wasn’t the case, where you could only access a small fraction of the available sites and services.

What if Amazon were on one network, Netflix on another, Twitter and Facebook on still another, and none of those networks would talk to each other without additional usage fees? The sphere of information available to you would be incredibly different. Drastically limited. This is the kind of Internet we could experience if we don’t keep the web open.

History of Modern Humans

Why is this so important? Why should I care?

To answer that we need to look at how the dissemination of information has affected the progress of humanity. Nine hundred years ago, in the early twelfth century, the French philosopher Bernard of Chartres spoke about the fast progress humans were making. He said that the moderns were like dwarves perched on the shoulders of giants (the Ancients) and thus were able to see more and farther than the latter. “And this is not at all because of the acuteness of our sight or the stature of our body, but because we are carried aloft and elevated by the magnitude of the giants.”

Never heard of Bernard of Chartres but the “shoulders of giants” phrase sounds familiar? Isaac Newton said the same thing over five hundred years later.

If I have seen further, it is by standing on the shoulders of giants.

Isaac Newton, 1675

It’s easy to see Isaac Newton as a giant. He gave us calculus and Newtonian mechanics. We’ve used these as the basis for calculations to put people on the moon and to build skyscrapers that don’t fall over. The jet engine, a thing that in and of itself has forever changed the world, uses his principles and mathematics. Because people before Isaac Newton shared their knowledge openly with him, he was able to add to it and share that knowledge with future generations, who were able to leverage it to bring the peoples of our world closer in a way they never could have been otherwise.

Where the Danger Lies

Isaac Newton built on the works of those that came before him. Everyone since has built on his works. Shared information makes this possible. It is integral to humanity’s ability to make consistent and rapid progress forward. The internet is the single most effective information sharing tool in all of history.

Isaac Newton was able to stand on the shoulders of those that came before him, whose work he had access to. With the internet, access no longer needs to be a limiting factor. Distance doesn’t matter. The implications for the progress of humanity are both serious and exciting!

There are two things that we need to look at to understand the threats against this open dissemination of information that the internet provides – net neutrality and closed systems.

Net Neutrality

What is net neutrality? You hear the term used a lot, especially when people are talking about legislation affecting the internet, but what does it really mean? Net neutrality, or the Open Internet rules, covers three basic things according to the FCC:

  • No Blocking. Broadband providers may not block access to legal content, applications, services, or non-harmful devices.
  • No Throttling. Broadband providers may not impair or degrade lawful Internet traffic on the basis of content, applications, services, or non-harmful devices.
  • No Paid Prioritization. Broadband providers may not favor some lawful Internet traffic over other lawful traffic in exchange for consideration of any kind—in other words, no “fast lanes.” This rule also bans ISPs from prioritizing content and services of their affiliates.

The dangers of all these really come down to the honesty, integrity, and motivations of the people enforcing these limitations. Blocking bad/inaccurate content or throttling services that are less important to give precedence to ones that are more so, both sound fine – but who makes that decision? What group of people can decide that certain information isn’t accurate? Can that control or influence the thoughts and understandings of whole generations?

Now involve money. What happens when companies are able to pay to control the flow of information? When one drink giant pays to limit access to accurate information about their competitors while spreading inaccurate information? Or when tobacco companies can interfere with the ability of people to discover the actual risks of their products?

Free and open access to information is absolutely critical to our freedom as a people. Taking away people’s ability to make their own decisions, whether by force or by limiting access to information, is wrong.

Closed Systems

Many people easily identify the risks in the loss of net neutrality, but most miss the threat posed by closed systems. A system that you use, feed data into, and rely on that is closed source and owned by a company, is a danger. Whether it’s Facebook, Twitter, or Instagram for your personal data or Shopify, Wix, or Salesforce for your business.

It’s not that these systems are bad, but they are certainly dangerous. When another company owns the platform you rely on, what happens when your goals or needs diverge from theirs? Companies controlling the dissemination of information is dangerous.

What Can You Do?

When net neutrality legislation is on the table, take action! Inform yourself, though; not all legislation is good. Spread the word about the dangers of a closed web. Vote with your dollars and your support. Use open platforms like WordPress and encourage others to do the same. Above all else, be aware of the danger and watch for it.

Photo credit: Barefootliam.

In Support of Stronger Passwords – Not Secret Usernames

It’s a common security report. The details vary – sometimes they find usernames through CSS classes, sometimes they’re using enumeration, sometimes it’s from a REST API endpoint – but the premise behind all of them, that disclosing a username is a vulnerability, is flawed.

WordPress has taken the stance that usernames aren’t secret.

From our handbook:

The WordPress project doesn’t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.

Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments — such as Google and Facebook — have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5.

Instead of attempting to hide a public identifier, WordPress attempts to encourage users to choose strong passwords instead, through both user interface as well as education.

Note that WordPress is not the only open source project to believe this. Drupal has similar arguments for the same thing.

Why? Because knowing a username doesn’t mean you’re halfway to compromising an account. Let me explain.

Usernames Are Public

A username is an identifier, a claim to who you are, much like your actual name. When I go to the bank to pull out cash I identify myself as Aaron Campbell, but then they want to verify that by looking at my driver’s license or passport. That required verification is your password. I share my name with anyone, but they cannot have my verification documents. Those are mine.

Moving back to the internet, my username on Twitter is aaroncampbell and every one of my followers knows that. My username on Gmail and Facebook is aaron@xavisys.com and anyone that ever E-Mails me knows this – it even used to be on my business cards. You could discover my username on this site, but you don’t need to – it’s aaroncampbell.

Even if I didn’t have two factor enabled in all those places though, you wouldn’t be “halfway” to compromising any of those accounts. Users know they need good passwords but usernames are generally simple, easy to remember, and alphabetic or alphanumeric. To put it simply, they’re already easy to guess.

But wouldn’t keeping them secret still help? Wouldn’t having to guess both the username and password make it twice as hard? Shouldn’t WordPress help with that?

No, no, and no. And it all comes down to entropy.

Entropy

Password strength is usually referred to in terms of information entropy, measured in bits. The idea is that a password with 42 bits of entropy would be as strong as a string of 42 random bits. There can be a lot of complexity in calculating accurate entropy. Dictionary words (including ones in custom dictionaries built for the target), patterns, dates, and many other things can be used to reduce the raw entropy of a string. In the best case, though, your password isn’t susceptible to any of those, in which case the raw entropy (H) can be calculated using this formula, where N is the number of possible symbols for each character and L is the number of characters in the password:

H = log2(N^L) = L × log2(N)

Let’s calculate the entropy of my username, aaroncampbell. It’s 13 characters long (L) and each character is one of 26 possible lowercase letters (N), giving H = log2(26^13) ≈ 61.1 bits. Keep in mind that in a real-world scenario, my first and last name, along with many other words specific to me, would likely already be built into a dictionary, making this number much lower.

Given a very short (too short) ten-character random password of yZ3#8gPI^0, drawn from the 95 printable ASCII characters (26 lowercase, 26 uppercase, 10 digits, 33 symbols including the space), the entropy is log2(95^10) ≈ 65.7 bits.

Even in the best case for a secret username, where an attacker has to guess the username and password together so the two search spaces multiply and the bits add, the combined entropy is only ~126.8 bits. If an attacker can confirm a username on its own first, the secret username is worth far less than that. Compare that with simply keeping the username public and increasing the length of your password to 20 characters: its entropy alone is ~131.4 bits. All my passwords are 50 characters, or ~328.5 bits of entropy.
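To make the arithmetic above concrete, here is a small Python script added to this post; it is not the author’s code or anything from WordPress. It infers the alphabet size N from the character classes a string actually uses, computes L × log2(N), and, to illustrate the dictionary caveat, treats any string found in a constructed, target-specific word list as one guess among that list’s entries. The word list is hypothetical, and the 95-symbol alphabet is the printable ASCII set used above.

```python
import math
import string

# Printable ASCII: 26 lower + 26 upper + 10 digits + 32 punctuation + space = 95,
# the N the post uses for a "random password using a large character set".
SYMBOLS = string.punctuation + " "  # 33 characters


def charset_bits(symbols: int, length: int) -> float:
    """Raw entropy H = log2(N^L) = L * log2(N) of a string drawn uniformly
    from an alphabet of `symbols` characters."""
    if symbols < 2 or length < 1:
        return 0.0
    return length * math.log2(symbols)


def inferred_alphabet(s: str) -> int:
    """Best-case alphabet size for s: the summed sizes of the character classes
    it uses. This is the optimistic view the post takes; a whole class is
    credited even if only one symbol from it appears."""
    size = 0
    if any(c in string.ascii_lowercase for c in s):
        size += 26
    if any(c in string.ascii_uppercase for c in s):
        size += 26
    if any(c in string.digits for c in s):
        size += 10
    if any(c in SYMBOLS for c in s):
        size += 33
    return size


def raw_entropy_bits(s: str) -> float:
    """Raw entropy of s assuming no dictionary, pattern or date shortcuts."""
    return charset_bits(inferred_alphabet(s), len(s))


# Constructed, target-specific word list of the kind an attacker builds from
# public information about the account owner (hypothetical, not from the post).
TARGET_DICTIONARY = frozenset({
    "aaron", "campbell", "aaroncampbell", "acampbell", "xavisys", "wordpress",
})


def effective_entropy_bits(s: str, dictionary=TARGET_DICTIONARY) -> float:
    """Entropy once a dictionary attack is accounted for: a string the attacker
    already has in a word list is one guess among len(dictionary)."""
    if s.lower() in dictionary:
        return math.log2(len(dictionary))
    return raw_entropy_bits(s)


def secret_username_bits(username: str, password: str) -> float:
    """Bits to search when username and password must be guessed together,
    the most a hidden username could ever add."""
    return raw_entropy_bits(username) + raw_entropy_bits(password)


if __name__ == "__main__":
    user, pw = "aaroncampbell", "yZ3#8gPI^0"
    print(f"username raw {raw_entropy_bits(user):.1f} bits, "
          f"after dictionary {effective_entropy_bits(user):.1f} bits")
    print(f"10-char password {raw_entropy_bits(pw):.1f} bits")
    print(f"secret username + 10-char password {secret_username_bits(user, pw):.1f} bits")
    print(f"public username + 20-char password {charset_bits(95, 20):.1f} bits")
    print(f"public username + 50-char password {charset_bits(95, 50):.1f} bits")
```

Run as a script, it reproduces the post’s figures, and shows that once the username is in the attacker’s word list it is worth under three bits, which is why hiding it buys so little compared with ten more random characters in the password.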

The Best Solution

Don’t worry about your username, but do focus heavily on your password practices. Use a password manager like LastPass or 1Password. You cannot have good password practices without a password manager. Good passwords should be long – 50 characters is what I use; random – not a “random phrase” you use, but actually randomly generated using a large character set; and unique – only used in one place.

Bonus

If you really want to secure your account, use two factor authentication (2FA). Many sites offer this option, and I personally use it everywhere I can. I use Authy as my 2FA app because I think it’s the most user friendly. It allows me to rearrange things to fit my preferences, add it to multiple devices, and even backup and restore everything for when I change devices. You can also use Google Authenticator or LastPass Authenticator. To add 2FA to your WordPress website, you can use iThemes Security Pro (paid), which is what I use, or Two Factor.

Website Security – Simple Steps to Take

Website security is important. We all know it. For many though, it’s a topic they prefer not to talk or think too much about. They don’t really consider it in very many areas as they build or manage their site. Why?

Security is Scary

You know you want to be secure, so you start to check out this weird security thing. Brute force? You can handle that; good passwords, limit login attempts, maybe even two factor authentication. Then you suddenly become aware of cross-site scripting (XSS), SQL injection (SQLi), cross-site request forgery (CSRF), remote code execution (RCE), and potentially so many more that you’re simply terrified. You begin to buy into “ignorance is bliss”. But website security doesn’t have to be scary.

Security is Something You Can Handle

When you start to research website security it’s easy to become overwhelmed as you’re slowly exposed to all the various forms of attacks. Each can be nuanced, complex, and confusing. The good news is, you don’t need to know how every vulnerability works in order to increase your security. Many of them can be prevented by following some relatively simple best practices. With a little added effort and by making a few smart decisions along the way, you can drastically increase your online security.

When most people think about securing their site, the first thing they think of is their password. And passwords are important. They aren’t where you should start though.

Security and Your Host

The security of your site needs to be managed all the way down “the stack”. The stack is all the software that sits in layers, one on top of another, to become your website. The tip of this is likely all you really interact with – WordPress and your plugins. Below that is your database, PHP, caching tools, web server software like Apache or nginx, and an operating system. There’s probably also a firewall somewhere, either inside that stack or outside as a separate appliance.

Every part of this software stack needs to be properly configured, managed, and continually kept up to date. It’s integral to the security of your website. It’s also a lot of work and quite complex. Thankfully, you don’t have to worry about it if you choose a good quality host and let them worry about it for you.

Consider security when you choose a host. If you haven’t checked to see that your host has good security practices, take the time to do so. If you haven’t yet chosen a host, make sure that security is one of the things you evaluate when you do.

Choose Quality Software

Most of you are here because you use WordPress. I’m obviously biased, but I think that was a good decision for security. The WordPress security team works very hard to make sure that WordPress is as secure as possible. However, WordPress isn’t the only software you’re using to run your site.

You need to make good decisions about what plugins and themes you use as well. Did you consider security as you selected your plugins and themes? Did you look into the security practices of the companies or developers behind them? Don’t expect to find plugins or themes that have never had a security issue, but do look for those that have handled them well and have implemented good security practices into their development processes. You want quality plugins and themes with reputable people or companies that stand behind them.

Take the time to consider other software you’re using as well. Are you using a reliable and reputable SFTP client? Are you running good virus protection software on your computer? With the pervasiveness of the Internet, many modern computer viruses work to harvest login details from websites and send them to someone for later use. Learning to think about security at every step of the way, getting into the “security mindset”, will really help. You’ll start to see places that you can increase your security that you had never before realized even affected your website.

Great Password Practices

Everyone knows that it’s important to have good passwords, but what makes a password good? A good password is long, random, and unique.

How long should a good password be? I tell most people that it should be a minimum of twenty characters. All of mine are at least fifty unless the site or service has a lower limit (which usually leads to me whining lots and often reaching out to them to discuss better password practices).

What do I mean by random? Well…I mean random. Not a snippet from a poem you like, not a favorite verse, not a seemingly random combination of things you know or easily remember, and not a pattern on the keyboard. The best passwords are completely randomly generated.

Unique means that the password is only used in one place. The password to log in to my website is different from the one for my E-Mail, which is different from the one for my computer, which is different from the one for my bank, etc, etc. I don’t use the same password in two places and neither should you.

How can I possibly have that many different fifty character passwords that are completely randomly generated? Do I have a super human mind? Not at all. I use a password manager. You can’t have good password practices without a password manager. I use LastPass. Lots of people love 1Password and it’s a great option as well. I don’t care which you use, but you need to use one.

This is one of those areas where you have to put in that added effort I mentioned. A password manager will take some time and effort to set up and get used to using. Eventually though, you’ll probably find that it makes things easier not harder. It’s a fantastic investment into your online security.

Two Factor Authentication

When you try to log into your site you fill in a username field. On this site for me, that’s either my E-Mail address or “aaroncampbell”. That’s me saying “I’m Aaron”. My site wants proof of that though, as it should. There are three basic ways you can prove you are who you claim to be.

  1. Something you know – A password for example. With your bank this might be a PIN. As a kid with a fort, it was a code word.
  2. Something you have – For your car, house, hotel room, etc this would be your key. “Let me in if I have this.” For your website this is probably your smartphone with an app on it.
  3. Something you are – Many phones are starting to support fingerprint access for example. Some data centers use retina scans.

Two factor authentication (2FA) simply means that in order to verify you are who you claim to be you must supply proof from at least two of these groups. For websites this is almost always something that you know – your password, and something that you have – your phone with an authentication app on it. I use Authy because I think it’s the most user friendly. It allows me to rearrange things to fit my preferences, add it to multiple devices, and even backup and restore everything for when I change devices. You can also use Google Authenticator or LastPass Authenticator.

There are two plugins that make it easy to add 2FA to your WordPress website.

  1. iThemes Security Pro is a paid plugin that also does many other great things for your site. If you want to invest a little money in the security of your site, invest in your host and in this plugin.
  2. Two Factor is a free plugin by George Stephanis that adds two factor authentication to your site simply and effectively.

Like your password manager, some additional effort is required for setup and to get used to it. However, the added effort here will continue forever. Every time you log into a site you use two factor authentication on, it will take you an additional fifteen to thirty seconds. It is absolutely worth it though. Using multiple factors for identity verification increases security so much that it’s honestly hard to quantify.

Bonus: Once you get used to using two factor on your WordPress website, start using it everywhere else too. I use it on GMail, Github, Slack, Amazon AWS, Mailchimp, Mandrill and more!

SSL Certificates

Use an SSL certificate (strictly a TLS certificate these days, since TLS replaced SSL, but the old name stuck) to encrypt all data sent between your website and the computer or device that’s accessing it. It’s the thing that changes the URL from http:// to https:// and adds a lock and/or a green color to the browser’s address bar. That indicator tells the user the connection is encrypted and that they are really talking to the site named in the address bar; it does not vouch for what that site does with their data.

SSL Certificates add a visual cue to browser bars, reinforcing a user's security

At this point, there’s no reason for any site not to have an SSL certificate. They used to be quite expensive, but cost is no longer an excuse. Many hosts include them for free, and the rest sell them cheaply. Often you can install them yourself through your control panel, but if you can’t, opening a ticket with your host should take care of it.

Is Security Really That Important?

People want to know “why would anyone want to attack my website?” They think that because they don’t process credit cards or store personal information, that no one would care to hack into their site.

It’s not if you get attacked, but rather how you prevent it from being successful.

There are two basic types of attacks that try to compromise sites.

Targeted attacks are the kind that people tend to think of first. A person or persons work to compromise a specific site for some sort of payout. Often they’re trying to get credit card numbers, identities, etc. They want a good payout and put in a concerted effort to get it.

The second, and far more prevalent, are scripted attacks: programs written to crawl the internet and try to compromise sites. Pushing for sheer numbers, they look for simple-to-break passwords, out-of-date software with known vulnerabilities, and other weaknesses that can be exploited in an automated way. Instead of a large payout from one targeted site, the script attacks hundreds of thousands or millions of sites, compromises thousands, and makes a little bit from each. These attacks aren’t only more prevalent, they are indiscriminate. Anything attached to the internet will be attacked. It’s not if, but when.

Make it Hard on Them

Attacks on your site will happen. You can drastically improve your security, and thus your ability to fend off these attacks, by following these best practices. They’re not overwhelming. They are all things you can do.

  • Use a Security-Conscious Host – Keeping the stack your site is built on secure helps keep your site secure.
  • Choose Quality Software – Starting with WordPress is great, but also look at your plugins and themes as well as software on the computers you use to build or access your site.
  • Use Great Passwords – Great passwords are long, random, and unique. You can only do this correctly with a password manager.
  • Use Two Factor Authentication – Two factor authentication will use something you know (password) as well as something you have (your smartphone) to verify you are who you claim to be. This is a massive leap forward in the security of your user account.
  • SSL – Every site should have an SSL certificate. Inexpensive or even free, SSL certificates encrypt all data sent between your website and the computer or device accessing it.

Open Source Got Me Started

I started writing computer code about 26 years ago in 1991. At that time it wasn’t easy to teach yourself how to code. The Internet existed but not in the way we know it now. It was much smaller, contained far less data, ran at much slower speeds, and the first graphical browser didn’t even exist until two years later. So how did nine year old me learn? Open source.

Games Get Me

Windows didn’t gain popularity for another year or so. MS-DOS 5.0 was released that year though, with a couple of life-changing games. Nibbles was a classic snake game where the snake grows with each thing it eats and you work to avoid running into obstacles, the wall, or yourself. Gorillas was a turn-based combat game of sorts, featuring banana-throwing gorillas on a skyline. I played both games as most nine year olds might, bordering on obsessive, but it was the mathematics in Gorillas that really caught my interest.

Screenshot of Gorillas game
The original Gorillas in action. I admit it, I’m feeling quite nostalgic

Each player took turns entering an angle and a velocity. Their gorilla would then throw an exploding banana accordingly. The goal was to hit the other gorilla, although the cityscape could get in the way. You might have to explode through a building to get your opponent, or throw extremely high and hard to get the right angle to hit them without hitting a piece of the environment. Creativity was a part of it, but it was the numbers that really made it what it was to me.

After a while though, the novelty wore off some. I got surprisingly good at judging angles and velocity and fewer and fewer people wanted to play against me anymore. That’s when a fun game became life changing.

Open Source

Screenshot of the Gorillas open source code
This is what you saw each time you played the game. “Press Shift+F5” to play was as user friendly as it got.

Gorillas and Nibbles were both written in QBasic, which is sort of a combination of the BASIC programming language, an IDE, and an interpreter. Meaning you could write code in QBasic and it was capable of executing it right there inside the editor. As a curious nine year old I scrolled down to look at the code that powered the game that I enjoyed so much. And I learned.

There’s no way that I could have written either of those games at that time in my life. It took months before I could even convince my parents to take me around to book stores in search of resources. But I learned a lot from the code itself. I broke a lot of things, but succeeded in making the bananas behave differently, adding invisible obstacles, spawning the gorillas inside the buildings, and more. It was practically intoxicating! The POWER! It hooked me completely. Because of open source.

Leveling Up

In the early nineties I got into BBSs. First just logging into them to play “door games” (sorry young people, you’re going to have to Google some of this yourself) and eventually running my own. One of my favorite games was a MUD called Legend of the Red Dragon (L.o.R.D.). Being highly competitive, I found value in tracing through the code of the game and the in-game modules to find the secrets and tricks to be able to level up faster. My ability to understand code was now an asset to ten year old me.

I learned a scripting language called “lady” in order to build my own modules. Existing modules, and their code, were my teachers. My BBS started to stand out as I added my own unique tweaks to a popular game. Enough that my parents noticed. And were none too happy with having three phone lines in our house, all of which were constantly busy. My leveling up in games through code didn’t end though.

Chip’s Challenge was all the rage when I was twelve. My seventh grade class went nuts over it. It was a puzzle solving game wherein you overcame obstacles to collect keys. When you completed each level you were given a code to write down. You could use that code to start up where you left off. Everyone was in on the challenge and the codes were proof. I immediately tried to turn to the source code as a solution and was horribly disappointed to find out that I couldn’t.

Open source had been so amazing, but it took a closed source application to really make me appreciate it. In order to do what I thought should have been easy, I had to learn about hex editors, earn codes manually, and use each new code I earned to slowly reverse engineer a compiled file. I was the first of my class with a full set of codes, but I was also now enamored with open source software. And it was a closed source game that pushed me that way.

My Mentor

For anyone that knows what hex editors are or what it takes to reverse engineer compiled code, that last bit might have sounded a little crazy. For those of you that have no idea what any of that is, the correct response is roughly “how could you learn how to do that as a twelve year old in 1994!?” The answer is that I had a mentor now. The summer before seventh grade, my parents connected me with the person that ran the computers for the school union I was in.

I spent that whole summer learning under him. I continued to work with him through all of junior high. Even then, much of my learning happened from “open source”, although in most cases it was his source code. I learned the basics of Novell NetWare scripting, more BASIC, C, and more. All by having the chance to look at various sources of code and ask him questions.

Back to Open Source

As the Internet became more ubiquitous, I pushed back into open source. It was easier now. In 2000 I started developing websites for money and used only open source platforms. I knew better now. I knew that the easiest way to have the control I wanted was to be able to view and modify the code. In 2005 I made a pivotal decision; I moved to WordPress development. In 2007 I started to contribute back to the project. It hooked me again, and I’ve been happily contributing to and advocating for open source ever since.

Twenty six years later and I still love open source. More than ever. 💗