Welcome to Press This, the WordPress community podcast from WMR. Each episode features guests from around the community and discussions of the largest issues facing WordPress developers. The following is a transcription of the original recording.
Powered by RedCircle
Doc Pop: You’re listening to Press This, a WordPress Community Podcast on WMR. Each week we spotlight members of the WordPress community. I’m your host, Doc Pop. I support the WordPress community through my role at WP Engine, and my contributions over on TorqueMag.Io where I get to do podcasts and draw cartoons and tutorial videos. Check that out.
You can subscribe to Press This on Red Circle, iTunes, Spotify, your favorite podcasting app or you can download episodes directly at wmr.fm.
Today, we’re diving into the critical world of website security with a spotlight on SSL certificates. SSL cert is like a virtual shield that encrypts data and protects your user’s data. Now, if that’s not enough to keep you listening, imagine pouring your heart and soul into making a beautiful website only to have Google slap a big “Not Secure” label on your site when visitors try accessing it through Chrome, simply because you aren’t using HTTPS or SSL.
Here to talk to me today is Rogier Lankhorst, the lead developer of Really Simple Plugins, the makers of the extremely popular WordPress plugin, Really Simple SSL, Rogier, thank you so much for joining us today.
I’d love to hear about your origin story and how you got into WordPress.
Rogier Lankhorst: Well, thanks for having me in the show. Originally, I think in 2016, a customer asked me to get his website onto SSL as quickly as possible. So I installed a plugin that was popular at that time and the whole site went down. So at that moment, I thought I can do this more lightweight and easier, with just one click install.
And I published it on WordPress and it really was a rollercoaster coaster after that.
Doc Pop: Absolutely. And, this was not your first WordPress plugin, right? This was the first one that really took off in such a massive way, but you had some other Really Simple plugins before that.
Rogier Lankhorst: Some really small experiments, things I thought of at the time and published them and they didn’t really take off, as you said. So Really Simple SSL was the first, big hit you could say.
Doc Pop: I always like that analogy about buying lots of lottery tickets. Like you put out a lot of experiments and one of them caught on and you’ve been able to build a business from it. And since we’re talking about SSL, can you tell the listeners what an SSL certificate is? And why is it important for a WordPress site to have one?
Rogier Lankhorst: With SSL certificates, the website encrypts all data before it’s sent to the website visitor and the other way around as well. So it helps secure the web and not only for web shops, but also for any website that otherwise could be impersonated by attackers. And it’s also great for ranking in Google.
And it just looks a lot better in your browser if there’s a lock on your website. SSL is free, so why not install it?
Doc Pop: I mentioned at the beginning of this show, how the first time I ever thought about SSL was when I was using Chrome and came across a site that was not secure and that site was mine. So I was scared by my own site. And had to learn about installing SSL certificates in order to hopefully have a better experience when users come to my site and see it. Once you install SSL and you have an HTTPS address, then Google won’t show that warning anymore on Chrome visits, but does it also affect SEO?
Rogier Lankhorst: Yeah, sure. Google has a lot of powerful tools to get users to do what they want. And the most powerful tool they have is the ranking. So if they want website owners to do something, they just put it in the ranking mechanism and the website will follow.
Doc Pop: And you mentioned that SSL certificates are free these days. I believe when I first signed up for them, that was just beginning to happen, it seemed like it was a painful process and maybe cost some money and then services like Let’s Encrypt came around and really made it easier. On top of that, a lot of web hosts, mine included, started offering free Let’s Encrypt, they started building it into the process to make it as simple as possible, which is really helpful.
So with these alternatives out there now for being able to install, maybe from my host, is there a reason that someone would still be using Really Simple SSL instead of if their host offers it?
Rogier Lankhorst: Well, Really Simple SSL was not originally built to generate SSL certificates. That’s just something we added two years ago, because I thought, well, if we are Really Simple SSL, we should be able to generate a certificate as well, but it’s not the main reason people install Really Simple SSL.
When users have SSL, they don’t often they often don’t know what to do with it. And in WordPress, you need to do a few things; add redirects, fix mixed content, stuff like that, add security headers to really get all out of the secure SSL you can get out of it. So I think that’s still the main reason, people install Really Simple SSL for just the quickest method to get SSL configured on your website.
Doc Pop: Yeah, and there are some added security features that aren’t, I don’t think of them necessarily as SSL related that are part of Really Simple SSL. Can you tell us about some of the other advanced features that a Really Simple SSL includes?
Rogier Lankhorst: We noticed a lot of people already thought of us as a security plugin. So, that’s when I thought we have to fulfill those expectations. We started with adding some hardening features, like blocking user registration. A lot of website owners are not aware that user registration is opened and things like the debug log location, which can contain important information, like user email addresses or license keys or stuff like that. File editing, feedback on the login screen.
If you log in and WordPress says, the username is not correct, the attacker knows, I can try again. So all those things are really the start for us to broaden into a full security plugin eventually. And the last feature we added was the vulnerability detection, which is really a great tool to really secure your website as most issues in WordPress websites with security are caused by plugins with a vulnerability, which are not updated. So if users are more aware of that, I think WordPress will become a lot more secure.
Doc Pop: Everything you mentioned, I think, are little pet peeves that people have about WordPress security. And it is really interesting that Really Simple SSL has kind of evolved into this easy way to install an SSL certificate, but also like these things should be patched. Here’s a really easy way to fix that.
I’m kind of curious if bloat is a concern of yours, when you have a plugin called Really Simple SSL. Are you worried sometimes that by adding these extra features, you might be making it a little more difficult. And then I guess on top of that, are you also thinking about changing the name of the plugin as you add more features?
Rogier Lankhorst: Yeah, well, eventually that is the goal that it will become Really Simple Security. I think that will be the beginning of next year. But while talking about bloat, that’s a difficult thing. You want to keep things as simple as possible. So we have worked hard to make it still possible to just do the SSL activation.
And all other things are modular and not loaded when you don’t use it, but at the same time, I think we’re really good at making complex stuff really simple.
I think that’s where our power is what we can really do for people to make it really simple for non technical users. And for more advanced users, they can dive a bit more into the settings.
Doc Pop: That’s wonderful. I think that’s a good spot for us to take a short break. And when we come back, we’re going to keep talking to Rogier about Google’s push for SSL. And I guess just, we’re going to talk a little bit more about what it’s like having one of the most popular plugins in the WordPress repository.
So stay tuned for that.
Doc Pop: Welcome back to Press This, a WordPress community podcast. I’m your host Doc Pop. Today I’m talking to Rogier Lankhorst, the lead developer at Really Simple Plugins. And we are talking about SSL because Really Simple plugins makes an extremely popular plugin called Really Simple SSL. Rogier before, before this break I mentioned that a large reason that we’re talking about SSL certificates these days is largely because Google made a push on the web for this to happen.
I’m also seeing that Google is pushing for maybe shortening the term. So some SSL certificates are for like two years, and Google’s talking about pushing for 90 day SSL certificates. Did you have any thoughts about how Google encouraged people to get SSLs?
Do you think that worked out great for everyone?
Rogier Lankhorst: Well, I think it’s a good thing. At the time that Google started with this, a lot of users still thought SSL isn’t important for me because I have just a small blog. I don’t have any user data on my site, but there are a lot of other ways attackers can use that kind of connection between websites and maybe show wrong information to users, pretending to be there with another website.
So I think it’s very important that all websites will have an SSL connection eventually. So I think although Google always has its own reasons for doing things like this. In this case. It’s a good thing.
Doc Pop: And the 90 day limits, did you have thoughts on that?
Rogier Lankhorst: Well, I’m not very familiar with the reasons behind it, I have to admit, but I know a bit about it and that it’s more secure to have shorter lifetimes of certificates. And I think it won’t make that much difference because the most used SSL certificates from Let’s Encrypt are already for 90 days, so it wouldn’t have much impact anyway.
Doc Pop: So let’s go back to talking about Really Simple SSL. There’s a version on the WordPress repository, the plugin repository, the free version with 5 million. I know I keep saying that, but it’s such a shocking number, 5 million active users or more.
What is the difference between the free version of Really Simple SSL and the pro version that I know that y’all offer?
Rogier Lankhorst: The pro version mainly contains a lot of security headers and I think most users are not really familiar with security headers. But these are some very important headers users can set on their websites, which will also increase security. And not only for their own website, but also for the website visitors, which I think is often forgotten in security.
We make it really easy to configure security headers and we are currently working on vulnerability detection for example. We have a feature which automatically handles the updates or current time, if a vulnerability is detected. We also have some cool new features coming up, which will prevent creation of admin users by any other methods than the WordPress user profile update or creation.
So if you look at recent vulnerabilities, you will see a big problem is when admin users are created. So if you lock that, you prevent a lot of vulnerabilities.
Doc Pop: We had talked about the ranking of this plugin and the WordPress repository. I’m on the popular page on wordpress.org/plugins right now, and I don’t know if these are ranked in terms of order, but these are all plugins with 5 million active installs or higher. I see that just on this list, Really Simple SSL is the ninth down. I think that might actually be meaning that it’s the ninth most popular plugin at the moment in terms of active installs.
Rogier Lankhorst: Absolutely. Yeah.
Doc Pop: Wow. That’s incredible. It’s not a big surprise to see Yoast and WooCommerce and Akismet here. I don’t get to talk to people who created such popular plugins.
I don’t get a chance to talk to them too often. I’m just kind of curious while you’re here, what is that like? I mean, I guess here’s my first question is when you have such a crazy popular free plugin, I imagine it makes it really difficult to, you probably get a lot of requests, a lot of comments, a lot of questions and help requests.
How do you handle that for a free plugin?
Rogier Lankhorst: I think it’s not as many support requests as people often think. During the development of the plugin and the past like seven, eight years, I’ve always tried to either create an article on the website when there was a question or create a solution in the plugin itself, or make it more clear in the plugin.
So that approach has really kept support down. And we are now with a company of 10 and with just two support reps. We also have two other plugins, with I think in total, over six and a half million installs. So I think the support load is not as big as many people think looking at the numbers of the installs.
Doc Pop: Can you talk about the business model of a free plugin like this? How does a company like yours enable 5 million active installs on Really Simple SSL and still be a company?
Rogier Lankhorst: Well, of course, for every 100 free users, there’s someone who buys the premium plugin. That’s where we can build a company from the upgrades. Sometimes free users complain about the upgrades. And we want to tell users what we offer.
And they always say, well, I think it’s a great deal because the premium plugin allows us to develop for free for 5 million users.
Doc Pop: And in terms of balancing what goes in the free and what goes in the pro versions, do you have thoughts on how you sometimes determine how things get charged or how things stay free to help promote the larger product. Is it tough to decide when new features get added if they’re pro only, or if they’re free?
Rogier Lankhorst: Yeah. That’s always a difficult discussion to think about, what should be in the free and what should be in premium. And we usually give away a lot, I think. Our main approach is like with the vulnerabilities, the detection is free and everybody can see if they have a vulnerable plugin, but the automatic solutions for that are premium.
So that’s how it’s divided. And with the last of the coming updates, I think we will add more in the premium plugin like login protection, two factor authentication, and limit login attempts, stuff like that. That’s also because we think there’s already so much in the free plugin that we want to keep the balance right. We want to start putting more in a premium right now.
Doc Pop: And I think that’s a good spot for us to take our free episode of the podcast into commercial break, which helps keep it free. That’s a nice segue.
Stay tuned for after this short break, we are going to come back and wrap up our conversation with Rogier from Really Simple Plugins about some of the other plugins that Really Simple are offering right now.
So stay tuned for more.
Doc Pop: Welcome back to Press This, a WordPress community podcast. I’m your host Doc Pop. Today, I’m talking to Rogier Lankhorst, the lead developer of Really Simple plugins. We’ve been talking about SSL certificates and Really Simple SSL. We also talked about the fact that Rogier, you have several other plugins out there.
What are some of the other plugins that you’re currently focusing on at Really Simple plugins?
Rogier Lankhorst: We have Complianz, which is a privacy solution. And it’s the fastest growing plugin apart from Really Simple SSL. And, it offers a cookie banner, and also blocks services that require consent, according to local privacy laws like the GDPR in Europe. Canada is creating an opt in privacy law as well. So a lot of things are changing in privacy legislation. So the plugin offers a way to handle that automatically.
And we also have a statistics plugin, which is pretty new. It recently hit 100,000 installs, and the goal there is to provide a privacy friendly statistics solution, so you don’t have to use Google Analytics, which requires consent in most countries, so you lose data there.
Doc Pop: It’s really interesting you’re talking about this because I have been thinking a lot lately about Google and the web’s relationship with Google. And I’m thinking, I don’t really need to have Google analytics on my site anymore. I don’t need to have people opting out of the cookies if the only thing really there is Google analytics.
So I’m like, you’re talking about burst statistics and you’re talking about it being an alternative to that. I’m all ears. I’m definitely interested in that.
Rogier Lankhorst: Yeah. It’s pretty cool because I think most users only know Google Analytics and they don’t know there are more solutions. And most users are also not aware of the privacy issues that Google Analytics raises, especially in more strict privacy legislations.
Doc Pop: Well, thank you so much for coming on the show today and talking about the work that y’all are doing and about SSL in general. It’s been very interesting chatting with you. If people want to find out more about what you’re working on, what’s a good way to keep track of Really Simple plugins and maybe what you’re working on.
Rogier Lankhorst: Follow me on Twitter. Or sign up for our newsletter on ReallySimpleSSL.com we’ll be sending newsletters on our latest news every few weeks.
Doc Pop: Well, that’s great. I really appreciate having you on the show. Uh, thanks to everyone for listening to Press This, a WordPress community podcast from WMR. We’ve had a lot of great episodes lately, and soon we will be going to WordCamp US, which hopefully we’ll come back from there with a lot more interesting stories and interviews with folks.
Doc Pop: Thanks for listening to Press This, a WordPress community podcast on WMR. Once again, my name’s Doc and you can follow my adventures with Torque magazine over on Twitter @thetorquemag or you can go to torquemag.io where we contribute tutorials and videos and interviews like this every day. So check out torquemag.io or follow us on Twitter. You can subscribe to Press This on Red Circle, iTunes, Spotify, or you can download it directly at wmr.fm each week. I’m your host Doctor Popular I support the WordPress community through my role at WP Engine. And I love to spotlight members of the community each and every week on Press This.
No Comments