The WordPress Fire Drill
Remember when you were in school and there would be the occasional fire drill? When the alarm went off, everyone would line up and file outside while the Fire Department watched. Those fire drills served a purpose: to make sure that we knew what to do in the case of an emergency.
In modern slang, there is another usage of the phrase:
modern slang – fire drill: a task you have to perform, often repetitive, that is a waste of time.
Are you ready to spin up a new WordPress site? You are in good company. By my guesstimate, there are almost 120,000,000 WordPress websites active (WordPress powers 34% of all websites / 181,000,000 active sites). Think about the tasks you need to perform when configuring that site, or post on Facebook and ask what you should do, or do a Google search on it, and you will discover checklists of important tasks.
In this post, there are three tasks that I want to focus on: security, backups, and setting up a contact form. These are functionalities (is that a word?) that virtually ALL WordPress sites need. It is safe to say that these tasks have been performed more than 120,000,000 times!
Installing security, backup, and contact form plugins is what I’m calling the “WordPress fire drill.” It is not a waste of time, because we have to do it … or do we? The WordPress guiding philosophy states:
The core of WordPress will always provide a solid array of basic features. It’s designed to be lean and fast and will always stay that way. We are constantly asked “when will X feature be built” or “why isn’t X plugin integrated into the core”. The rule of thumb is that the core should provide features that 80% or more of end users will actually appreciate and use.
Bingo! This should be in Core. Before you pause reading this post and run off to send a pointed email or tweet to Matt Mullenweg, let me provide just a little bit more perspective. How long does it take to install those three plugins? Well, that depends. If you are a new user you have to learn about the need for them, perhaps after getting hacked, and then you need to figure out which ones to install. Check any WordPress related group or forum and you will find the question being asked by a newbie. Or, if you are an experienced site builder then you already did your fire drill training and picked three, but of course, you want to keep up with current trends and so you are devoted to “lifelong learning” … i.e. keeping up with the best options.
OK, you’ve got three picked out and you have installed them before, so you know what you’re doing. I think it would be very conservative to say that it would take you half an hour. For most people who are not expert site builders, it could easily take a couple of hours. Anyway, going with 30 minutes then we have spent only about two and a half million days doing the WordPress fire drill (30 minutes * 120,000,000 = 3,600,000,000 minutes, divided by 1440 minutes in a day, to get 2,500,000 days)!
What Could Be Added to Core?
If you look at the plugins with the most active installs you will see that security, backup, and contact form plugins are in the top tier, along with SEO and page builder plugins. In fact, there are dozens available in each of the three categories. There are lots of choices. It’s good that there are lots of choices, right? The WordPress guiding philosophy states:
Decisions, not Options … Every time you give a user an option, you are asking them to make a decision. When a user doesn’t care or understand the option this ultimately leads to frustration. As developers we sometimes feel that providing options for everything is a good thing, you can never have too many choices, right? Ultimately these choices end up being technical ones, choices that the average end user has no interest in. It’s our duty as developers to make smart design decisions and avoid putting the weight of technical choices on our end users.
OK, so anything we can do to cut down on the confusing choices facing new site owners is a good idea.
It would be a huge boon for WordPress owners and the Internet at large if WordPress added Two Factor Authentication. 2FA directly addresses brute force login attacks: a guessed or leaked password alone no longer gets an attacker in, which also removes the main reason sites bolt on reCaptcha (the attempts themselves still hit the server, so rate limiting remains useful alongside it). The WordPress Trac ticket for 2FA was “closed, won’t fix,” with the comment that there are plugins for that. The Trac discussion regarding limiting brute force login attempts was a bit more extensive and several patches were offered. Ironically, the discussion began with how difficult this is, and one of the last comments was “Many plugins have this, including Jetpack. Since this ticket was opened, passwords are strong by default. Two-factor login support in core will further address this issue.” There is a bit of circular fail in the logic: core won’t add 2FA, but 2FA added to core will solve the brute force login attack problem! Adding 2FA to core would not eliminate the need for site hardening, but it would check off one big security issue. Apparently Matt Mullenweg agrees that 2FA is the way to go for addressing brute force login attacks. As long ago as 2013, when brute force botnets were relatively new, his suggestion for people being attacked was to use strong passwords and:
… turn on two-factor authentication
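Here is what a minimal version of the brute force limiter discussed in that Trac ticket could look like, as an added example that is not code from this article, from WordPress core, or from any of the patches mentioned. It is a small must-use style plugin built on real core hooks (wp_login_failed, wp_login, wp_authenticate_user) and transients; the 5-attempt / 15-minute policy and the lt_ prefixed names are my assumptions.

```php
<?php
/*
Plugin Name: Login Throttle (added example)
Description: Counts failed logins per username and client IP and refuses
further password checks once a limit is hit. Added example, not code from
the article or WordPress core.
*/

// Assumed policy (not from the article): 5 failures within 15 minutes locks
// that username+IP pair until the window expires.
const LT_MAX_FAILURES = 5;
const LT_WINDOW       = 15 * MINUTE_IN_SECONDS;

// Use REMOTE_ADDR only. Trusting X-Forwarded-For from arbitrary clients lets
// an attacker present a "new" IP on every request and bypass the limit; behind
// a reverse proxy, have the proxy set REMOTE_ADDR instead.
function lt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Logins may use the e-mail address; map it to the account name so both
// spellings share one counter.
function lt_canonical( $username ) {
    $username = trim( $username );
    if ( is_email( $username ) ) {
        $u = get_user_by( 'email', $username );
        if ( $u ) {
            return strtolower( $u->user_login );
        }
    }
    return strtolower( $username );
}

// Transient names are length-limited, so hash the (username, IP) pair.
function lt_key( $username ) {
    return 'lt_' . md5( lt_canonical( $username ) . '|' . lt_client_ip() );
}

function lt_failures( $username ) {
    return (int) get_transient( lt_key( $username ) );
}

// wp_login_failed fires for a wrong password, an unknown user and for our
// own lockout error. Once locked, leave the transient alone; otherwise every
// further attempt would push the expiry out and an attacker could keep the
// real user locked out indefinitely.
function lt_record_failure( $username ) {
    $count = lt_failures( $username );
    if ( $count >= LT_MAX_FAILURES ) {
        return;
    }
    set_transient( lt_key( $username ), $count + 1, LT_WINDOW );
}
add_action( 'wp_login_failed', 'lt_record_failure' );

// A successful login clears the counter so a user's own typos do not
// accumulate across days.
function lt_clear( $user_login ) {
    delete_transient( lt_key( $user_login ) );
}
add_action( 'wp_login', 'lt_clear' );

// wp_authenticate_user runs after the user is looked up but before
// wp_check_password(); returning a WP_Error here means the password is never
// compared, so a locked-out attacker learns nothing about it.
function lt_gate( $user, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    if ( lt_failures( $user->user_login ) >= LT_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LT_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'lt_gate', 10, 2 );
```

Drop the file in wp-content/mu-plugins. Because it gates inside wp_authenticate_user, it covers every path that calls wp_authenticate(), including XML-RPC. Its weakness is exactly the point made above: the counter is keyed by IP, so a botnet that spreads its guesses across many addresses gets a few free attempts from each one, which is why 2FA, and not throttling alone, is the fix that actually closes the door.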
Backups are more complicated because they take up space and people use different locations for offsite storage. This was discussed in Trac in relation to making backups before a core update. The idea was well received but was again closed with the comment that there are a lot of plugins that provide this functionality. I think that we would be well served with an automatic database backup before updates are run and the option to manually download it. This functionality could include hooks so that third party plugins could provide off-site storage options, but a minimum would be available in core and a best practice would be to build on top of that.
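A sketch of the core-level backup proposed above, as an added example that is not from the article or from WordPress core: it hooks the existing upgrader_pre_install filter, writes a plain SQL dump to a directory that is denied to web clients, and fires a hypothetical action, pus_snapshot_created, that an off-site storage plugin could hook. The directory, file naming, batch size and all pus_ prefixed names are assumptions.

```php
<?php
/*
Plugin Name: Pre-Update DB Snapshot (added example)
Description: Dumps the database to a protected file before an update runs and
fires a hook so another plugin can ship the dump off-site. Added example, not
code from the article or WordPress core.
*/

// Abort the update if the snapshot cannot be written; a failed backup that
// silently lets the update proceed defeats the purpose.
function pus_before_install( $response, $hook_extra ) {
    if ( is_wp_error( $response ) || false === $response ) {
        return $response;  // something earlier already refused the install
    }
    // Fresh installs have nothing to lose; only snapshot on updates when the
    // upgrader tells us which it is.
    if ( isset( $hook_extra['action'] ) && 'update' !== $hook_extra['action'] ) {
        return $response;
    }
    $path = pus_write_snapshot();
    if ( is_wp_error( $path ) ) {
        return $path;      // WP_Upgrader::run() stops on a WP_Error
    }
    // Hypothetical hook (not a core hook): an off-site storage plugin would
    // listen here and upload $path wherever the site owner configured.
    do_action( 'pus_snapshot_created', $path, $hook_extra );
    return $response;
}
add_filter( 'upgrader_pre_install', 'pus_before_install', 10, 2 );

function pus_write_snapshot() {
    global $wpdb;

    // Keep dumps out of the uploads tree and deny direct web access; a
    // world-readable SQL dump leaks every password hash and user record.
    $dir = WP_CONTENT_DIR . '/db-snapshots';
    if ( ! wp_mkdir_p( $dir ) ) {
        return new WP_Error( 'pus_mkdir', 'Cannot create snapshot directory.' );
    }
    if ( ! file_exists( $dir . '/.htaccess' ) ) {
        file_put_contents(
            $dir . '/.htaccess',
            "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n" .
            "<IfModule !mod_authz_core.c>\nDeny from all\n</IfModule>\n"
        );
    }
    if ( ! file_exists( $dir . '/index.php' ) ) {
        file_put_contents( $dir . '/index.php', "<?php // Silence is golden.\n" );
    }

    // Random suffix so the filename cannot be guessed even where .htaccess is
    // ignored (nginx, for instance).
    $file = sprintf( '%s/%s-%s.sql', $dir, gmdate( 'Ymd-His' ), wp_generate_password( 16, false ) );
    $fh   = fopen( $file, 'w' );
    if ( ! $fh ) {
        return new WP_Error( 'pus_open', 'Cannot open snapshot file for writing.' );
    }

    foreach ( $wpdb->get_col( 'SHOW TABLES' ) as $table ) {
        $create = $wpdb->get_row( "SHOW CREATE TABLE `$table`", ARRAY_N );
        fwrite( $fh, "DROP TABLE IF EXISTS `$table`;\n{$create[1]};\n" );

        // Page through the table so a large posts or options table does not
        // exhaust PHP memory; 1000 rows per round trip is an assumed batch size.
        $offset = 0;
        while ( $rows = $wpdb->get_results( "SELECT * FROM `$table` LIMIT 1000 OFFSET $offset", ARRAY_N ) ) {
            foreach ( $rows as $row ) {
                $vals = array_map( 'pus_sql_literal', $row );
                fwrite( $fh, "INSERT INTO `$table` VALUES (" . implode( ',', $vals ) . ");\n" );
            }
            $offset += 1000;
        }
    }
    fclose( $fh );
    return $file;
}

// Render one column value as a SQL literal; esc_sql() uses the live
// connection's escaping, so quotes and backslashes in content survive intact.
function pus_sql_literal( $value ) {
    return is_null( $value ) ? 'NULL' : "'" . esc_sql( $value ) . "'";
}
```

Two details matter for security: the update is aborted if the dump cannot be written, and the dump is never placed under uploads/ with a guessable name, since a readable dump exposes every password hash on the site. The manual download the paragraph above asks for would be a small admin page on top of this; restoring is wp db import or any MySQL client.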
Of the three plugin areas identified in this article, adding a basic contact form to WordPress core would be the easiest to implement. By all means, create it with hooks so it can be customized and extended. Please put us out of our misery and add something like Contact Form 7 to core.
What About JetPack?
It is worth noting that JetPack was originally created for the paying customers on WordPress.com so that these types of common needs could easily be addressed. It was generously offered to all WordPress users. When I started with WordPress back in 2013 I installed JetPack and used it. However, JetPack has increasingly become a monolithic Swiss army knife of features that are somewhat difficult to navigate. More concerning, JetPack clearly has the purpose of serving as an entrée for premium services. With JetPack you are installing a premium marketplace inside your site. It still offers a number of useful free services, but most people now agree that, wherever the line actually is, JetPack has crossed it and is not a recommended option (pick your reason), though apparently a number of hosts have incentives to pre-install it on new WordPress accounts.
In the Meantime
While we are waiting for WordPress to wake up and save us from yet another needless fire drill, if you set up WordPress sites regularly then you have a few choices for saving time. You can use the free WPCore Plugin Manager plugin to create sets of plugins for quick installation. Many site builders create a “starter site”, a site with your theme and plugins of choice pre-installed and kept up to date, and then clone that when creating a new site. Or, otherwise gather your favorite security, backup and contact form solutions. I use a number of options in each category because I like to experiment to see how they work and because for some sites I’m willing to pay for a solution while on others, that I host as a free service, I may want to only use free options. Anyhow, these are the ones I’m using:
Security – Free
- WordFence – Pros: WordFence does a good job of providing basic security. At its core is its firewall and brute force protection. It has over 3 million active installs, free support on WordPress.org is good, it is regularly updated, and it has more than 3,100 5-star reviews. Cons: WordFence is known for using a lot of server resources and can slow down your site. It heavily pushes upgrading to the premium version.
- Antispam Bee – Pros: Antispam Bee is a wonderful plugin for managing comment spam. It is totally free, has more than 400,000 active installs, and is easy to set up. Cons: Some users report conflicts with other plugins.
- All In One WP Security & Firewall – This plugin supplies a well-rounded set of security options and generally “just works.”
I’ve run WordFence with Antispam Bee together on a site for several years without any security issue. I’ve run All in One WP Security and Firewall on a site for over a year without any security issue.
Security – Premium
- iThemes Security Pro – Pros: iThemes Security Pro is probably the gold standard when it comes to an all-in-one security plugin. It covers a lot of bases well, including 2FA, almost every WordPress lock down option, and logging. The pricing is reasonable. Cons: The number of options can be overwhelming and it takes a while to go through the setup configuration. If you need some help figuring it out you can watch the 1 hour 20 minute setup video or read the 25 page setup guide. When looking at the list of options, it defaults to “most common” instead of showing all options, with the result that it might be easy to overlook some important settings. Curiously it does not include a firewall, though it seems to get by OK without it.
- BBQ Pro – Pros: BBQ stands for “block bad queries” and it is a simple PHP firewall. There is a free version in the WordPress directory that is the same as the premium version, except that it does not allow for making changes. In most cases the free version is probably sufficient. This plugin just works and is very lightweight. It makes sense to me to pair it with iThemes Security Pro. Cons: There are no cons, but it should be noted that it is not focused on WordPress in the same way other firewall solutions are. Its rule set seems generic and is a response to common website scanners. All in One WP Security & Firewall uses the same rule set, which was created and is maintained by the BBQ author Jeff Starr.
- BlogVault / MalCare – Pros: I use this plugin / service for backups and it includes “MalCare.” In addition to the plugin, there is an administrative dashboard with some functions, options and reports. MalCare is a firewall and malware scanner. The nice thing about the scanner is that it scans your offsite backup files, so there is no load on your site. Also, the service can often automatically clean some malware infestations. The firewall handles brute force login attempts and provides a few hardening options. Cons: I sometimes feel that in its attempt to avoid false-positives, the firewall is not very aggressive and allows more tries than necessary. I wish it was a full comprehensive solution so I wouldn’t feel the need to also use iThemes Security Pro.
- WebARX – Pros: WebARX is a relative newcomer to the WordPress security space. It provides an onsite firewall and an offsite admin panel. It seems to do a pretty good job of protecting the site and I like that you can manually enter firewall rules when using the offsite dashboard. There are a number of hardening options, including 2FA. It has some update and backup functionality (currently under development). Cons: It is still being built out. It would be nice if there were more hardening options so that I didn’t feel the need to also use iThemes Security Pro.
Backups – Free
- UpdraftPlus – Pros: This is a nice backup plugin that allows you to back up to a number of offsite locations in the free version. It works well. Cons: A minor point is that the backup files are divided into 5 categories, so there are a number of files to shuffle when doing manual backups and restores. The free version bombards the user with ads for premium products.
- WPVivid – Pros: This is a very new plugin but is noteworthy because not only does it allow you to back up to a number of offsite locations, it also includes site migration features. This is currently my go-to for free backups and migrations. Cons: None at this point.
Backups – Premium
- BlogVault / MalCare – Pros: I really like the BlogVault backup solution. It is very straightforward and just works. It does incremental backups once a day. Restores are very simple. It includes temporary staging sites and site migration to a new host (assuming both sites are on the Internet). It has a site management dashboard for applying updates. Cons: As far as I know there are no cons with the backup functionality. The site management dashboard is somewhat self-limiting, as the status of site updates is based on the last backup, which could be about 24 hours behind.
- All in One WP Migration – Pros: I use this for quick manual backups when I want to bring a site down to local for development or when I’ve made big changes and want to make those live on production. It is very easy to use and works well. Cons: The free version has a small backup file size limit, so you have to purchase an extension to use it for a site of any size. The backup archive file is a proprietary format that cannot be opened with regular archive utilities. I’ve used this for several years. We’ll see if I switch over to WPVivid.
Contact Forms
- Contact Form 7 – Pros: I use Contact Form 7 on sites where I don’t use any page builder. I use it with the free Flamingo addon that lets you keep a copy of the contact form submission on site and the Honeypot addon for combating spam submissions. It has worked fine for years. Cons: None as far as I’ve experienced.
- Page Builder Contact Form – Pros: I’m not a purist. I want a quick, easy solution and when I’m using a page builder (Beaver Builder Pro, Elementor, Brizy, Divi) I use the supplied contact form module / widget to quickly add a contact form. Cons: I suppose if you change page builders then you need to recreate the contact form. Also, they don’t save a copy of the form submission onsite.
I dramatized the amount of wasted time spent on these three tasks because I want to make the point that WordPress core can do better. The official WordPress philosophy correctly identifies the attitude needed to help users make the most of WordPress and cut down on as much confusion and frustration as possible. The somewhat laissez-faire attitude of the people reviewing these issues in Trac, on the other hand, assumes that because there are a lot of plugins that do these things, core additions aren’t important.
Although some people seem to think that Matt Mullenweg is the anti-Christ, I believe that he has the best interests of WordPress at heart. However, he is in a difficult position as his decisions are pulled by a lot of competing interests. I’m not trying to call out Matt or anyone else, but rather to make the point that these types of functionalities should not be “closed, won’t fix.”
Security and backups are complex, but the comments that there are lots of plugins that provide this functionality show that it is not too hard. In fact, I would not be surprised if the authors of some currently free plugins in the WordPress directory would be willing to donate them to core. A plugin with hundreds of thousands or millions of active installs surely fulfills the requirements of WordPress feature plugins that are core candidates.
I hope you found this discussion thought provoking. Let me know what you think in the comment section.