Julio Potier is the developer behind SecuPress, the WordPress plugin that makes it possible to easily secure your WordPress websites and blogs. Julio is based in France and is very active in the WordPress security scene. He is also a security consultant and teaches developers to write more secure code through his lectures and audits. Julio has contributed to WordPress core and was one of the co-founders of WP Media, the company behind the popular caching plugin WP Rocket.
In this interview Julio talks a bit about how he got started with WordPress, about the REST API and its security issues, and he also explains why he developed SecuPress when there are already a few WordPress security plugins available on the market.
What got you interested in security?
Back in 2000, I created my first static HTML website, and two years later, in 2002, I developed my first PHP/SQL website. It was full of security issues. A friend showed me how to exploit and fix vulnerabilities. It was the “aha!” moment for me.
What got you interested / hooked on WordPress?
Back in 2009 my first daughter was born and I wanted to create a gallery website to post three photos a day to share with our distant family members. I didn’t want to start from scratch this time; CMSes were well known enough to try one of them. I tried Joomla!, Drupal and WordPress. I chose WordPress because of the simplicity of plugin creation for me.
It has been almost a year since you launched your WordPress security plugin SecuPress. Since there are already many security plugins out there, what inspired you to work on another security plugin? What makes SecuPress different from the others?
Competitors or not, I wanted to share what I’ve learnt through all these years, and because I have been focusing on WordPress since 2010. The idea of creating a WordPress security plugin had been on my mind since 2013. My goal is to provide maximum security to as many people and websites as possible, because I want the web to be more secure than it is today.
You have a number of plugins in the repository, most of which are underrated. They are really good plugins, such as Post Views Count, Login Logout Menu, Manual Related Posts, Move Login, …
Well, it’s complicated to maintain these old plugins, even if they are quite famous. Doing free support and free coding when you’re running a business with the same kind of product is very difficult. But I promised myself to update them, one day!
When WordPress included the REST API in core, many were concerned about security. A few months ago there was a WordPress REST API vulnerability through which thousands of websites were hacked. What’s your take on including the REST API in WordPress core, and should people really be concerned about security?
Since I knew that the REST API would be included in WordPress core, I included the possibility to deactivate it in SecuPress, and sadly I was right. Also, this is the beginning. We will find other security issues in the REST API; we just don’t know when. The good thing is, the more vulnerabilities we find and patch, the more secure it will be!
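Deactivating or restricting the REST API, as Julio describes, is something a site owner can also do with a small must-use plugin. The following is an added example and not SecuPress code; it uses only core WordPress hooks (the `rest_authentication_errors` and `rest_endpoints` filters) to refuse REST requests from visitors who are not logged in and to drop the public user-listing routes. The plugin header and file location are assumptions for a self-contained snippet.

```php
<?php
/**
 * Plugin Name: Restrict REST API (added example)
 *
 * Added example, not SecuPress code. Assumed to be dropped into
 * wp-content/mu-plugins/ so it loads on every request. It denies
 * anonymous access to the WordPress REST API and removes the
 * user enumeration routes; all hook and function names are core
 * WordPress APIs.
 */

// Refuse any REST request that arrives without a logged-in session.
// Cookie-authenticated requests from the admin screens still pass,
// so the block editor keeps working for logged-in users.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another callback has already decided (an error or true): keep its verdict.
    if ( ! empty( $result ) ) {
        return $result;
    }

    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'REST API access requires an authenticated user.',
            array( 'status' => 401 )
        );
    }

    return $result;
} );

// Remove the routes that list users or fetch a user by id, for everyone.
// Logged-in users with a real need can still be served through the admin screens.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );
    foreach ( $user_routes as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

Blocking anonymous REST access is a blunt instrument: themes and plugins that call the API from the public front end (contact forms, search, embeds) will start receiving 401 responses, so test on a staging site first and prefer the narrower endpoint removal where that is enough. The first filter also only covers the REST API; other public disclosure paths, such as author archives, are outside what this snippet addresses.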
As a security best practice it is recommended to add two-factor authentication. When it comes to WordPress security you can also go to the extreme of removing all users with admin roles and only adding one when needed, for example to upgrade a plugin. Security is good, but sometimes it is impractical. For example, many users complain that two-factor authentication is too much, especially if you need to log in to the website several times a day. What’s your take on security vs practicality?
This is a very interesting subject for me because I’m interested in human behaviour and how our brain works. So, for example, you already use a 3-digit lock, right? You choose a number between 000 and 999, so you have 1000 possibilities. What if this lock has 5 digits? It’s even more secure, with 100,000 possibilities. Now, what if this lock has 20 digits, is it more secure? I would say NO, because you don’t want to remember 20 digits, so you’ll write them somewhere, or you’ll only set 3 or at most 5 of them. See what I mean now? Just because you add more security features, it does not mean that we, humans, will use them properly, and this leads to bad security practices.
So, for example, in the SecuPress plugin I listened to my users and carefully built the plugin (and will continue to modify it) to let users enjoy maximum security without annoying them. For example, SecuPress’ double authentication “PasswordLess” can be set for only a few roles, so it’s not annoying. At the same time, if the confirmation email from PasswordLess takes time to arrive, you’re hindering users from working. So it can be hard to be very practical when you need to secure stuff; it is just a matter of trying to find the right balance between security and practicality.
Thank you for participating in this interview. Before we close, anything else you want to share with our readers? Do you have any interesting news about what’s next in SecuPress?
I want to share with you one of my favourite comic pages from CommitStrip: “Security too expensive? Try a hack.” It happens every day, so please, take web security seriously!