Regular security audits: taking our responsibility

Today, we’re announcing that we have partnered with Sucuri, in the interest of proactively securing our plugins. As our plugins run on more and more sites, we have a responsibility towards our users and the web at large to do our utmost to make sure our code doesn’t make them vulnerable.*

We’ve been preparing this release for over two months. In that time, Sucuri has identified vulnerabilities in plugins across the WordPress ecosystem affecting over 20 million downloads. This shows the need for users and web hosts to update plugins promptly when security updates are released. Seen that way, it argues for a more “forced” way of updating plugins. It also places additional scrutiny on us, plugin and theme developers, to ensure that we are not only focused on features but place additional emphasis on good, secure code.

Once a security problem is public, there’s no stopping the bad guys in any other way than updating. To us, as authors of plugins that combined have more than 20 million downloads and run on over 5% of the top 1 million websites, this made the need for more scrutiny in our code writing even clearer. We could think of no one better than the people working in the trenches: Sucuri.

Improved security, so we can sleep better

Let me be honest: there’s no such thing as 100% safe software. Ever. But we can strive for it. From now on, Sucuri will review all the code in our major plugins at least four times a year, on top of our own testing and development best practices. They will work with my team to ensure that the patches we push are adequate, and work with us to get the word into as many hands as possible. For all intents and purposes, they will be an extension of my development team, focused strictly on security. We are not foolish enough to think that this is the be-all and end-all of security; no, we realize this is a process and it will continue to evolve.

Like all of you, we’re not perfect. We’re sure, though, that having the pros at Sucuri review our code regularly will lead to our plugins being among the safest out there, which is how we want it. It’s how we, as the good web stewards we strive to be, will take responsibility for what we do and how we do it – providing our users the best, and most secure, options available. Not just because you sleep better because of it, but because we sleep better because of it too.

But you said “partnered”?

Yes. This will be a relationship in which we reciprocate the service by being an extension of their online marketing team. Sucuri will review our plugins; we’ll help them by reviewing their online practices from a website optimisation point of view. Let’s face it, we can’t all be good at everything. They are great at (WordPress) security, but could use some help with online marketing and website optimisation, and they recognise this, which is why we are going to help them get better.

To start, they have already received our diamond review, our ultimate review package in which we provide a thorough review of their SEO practice, website usability and conversions. Have you seen their latest changes?

In a similar fashion, we’ve made the first improvements to our plugins based on their reviews, which luckily have shown no critical issues so far.

Additionally, they will be working with us beyond just the code we ship. They will be working with us to improve our overall security posture as an organization, and we’ll be leveraging their Website AntiVirus and Firewall products to ensure a safe online experience for all our online visitors. They are the premier website security company and we rock at what we do; it’s only right we make full use of each other’s services.

Lead, not follow

When I was on the Dradcast 2 months ago, I hinted at some of this. We should lead by showing how people can improve their products and processes. I personally think every premium plugin / theme company should have a process for regular independent security reviews of their product(s). This is an example which I’d love for every company in the WordPress community to follow and document.

We’ll be as transparent as possible about all of the things we do, both Sucuri about how they improve their site and we about how we improve our code. As you can see, we’re very excited to be working with the team at Sucuri and we look forward to making the web safer together!

* For the record: from a purely legal point of view, the GPL basically disclaims all warranty.


24 Responses

  1. Brian Jackson on 4 August, 2014

    Great news! We use your SEO plugin on every one of our client’s sites and are always happy to see improvements, especially when it comes to security. Keep up the great work.

  2. Ulco on 4 August, 2014

    Set up a responsible disclosure program; it usually yields way better results than a security audit (even though that’s a pretty good start).

    • Joost de Valk on 4 August, 2014

      Planning to do that, as said, first step in our partnership and Sucuri will help us go further :)

  3. David Silver on 4 August, 2014

    This is a great step to take and I am happy that you are sharing this so openly. Most would not want to admit they might have security issues. Just another reason to love Yoast!

  4. Lisander on 5 August, 2014

    Good news Yoast, I use a couple of your plugins. Not that I ever doubted them, but this gives me extra reassurance that you’re doing everything you can to keep things secure.

    Btw, I came here a couple of times in the last few weeks to read some new posts; I almost thought that you guys weren’t going to update us on what you are doing anymore.

    • Joost de Valk on 5 August, 2014

      Hey Lisander,

      Most of us have been on holiday for a few weeks, which is why it was rather slow here :)

  5. Brandon Himpfen on 5 August, 2014

    Excellent news and great work. End users will be happy to read this.

  6. Jake Martin on 5 August, 2014

    Top notch, Yoast and team. It’s really refreshing to see people be pro-active — hopefully more WordPress authors will take note.

  7. Ranjana Sharma on 5 August, 2014

    Great news and excellent work Yoast. This is one of my favorite plugins in WordPress…

  8. Nilesh Shiragave on 5 August, 2014

    Excellent news and great work. So from now on we don’t have to worry about security, as all your plugins will be secure.

  9. Brittany Rae Johnson on 6 August, 2014

    This is one of the best pieces of news I’ve ever read; lately I usually change 4 different plugins. I see Yoast must have invented a new plugin for any security threat.

  10. Anchit Shethia on 6 August, 2014

    It does not matter how great the plugin is. If it is not secure and does not plaster the security loopholes in our blogs, it’s in vain. It’s great to see you taking all the necessary steps to secure your plugins. I possibly have most of your plugins installed and you always give us good news :) Thank you!

  11. Susan Miller on 7 August, 2014

    I use Wordfence premium plugins; I found high-level security could cause indexing problems. What do you think, Joost?

    • Joost de Valk on 7 August, 2014

      In general, the two have no connection whatsoever. If you get hacked though, your search rankings usually suffer immensely.

  12. Anjani on 7 August, 2014

    Excellent news, Yoast plugins are more secure now. Another solid reason to use Yoast plugins. I have been using the WordPress SEO plugin for the past several years, always got great results and it also saved plenty of time. Thanks!

  13. Porter on 8 August, 2014

    On the note of security, Google apparently confirmed that using SSL is now a benefit for SEO (source – http://community.namecheap.com/blog/2014/08/07/official-using-ssl-https-helps-seo-ranking/?utm_source=facebook&utm_medium=ppc&utm_content=SEO+SSL+Competitors&utm_campaign=SEO+SSL&utm_nooverride=1)

    On that note, can you recommend any shared hosting that would support SSL? I’ve been looking into Namecheap for hosting, but I’m not finding too much as far as reviews go, since they’re new to that field.

  14. Sanjib on 10 August, 2014

    Website security is very important. I feel more secure now with Yoast. Thank you for giving another reason to be happy. Happy Blogging.

  15. Mithun on 10 August, 2014

    I am using WP SEO on my blog. After the recent update, it kind of freezes when I change the SEO post title and meta description. In the earlier updates, it used to run smoothly.
    Now I have to wait for 2 seconds to get the remaining meta-description/keyword limits.

    Other than that, it is cool. I also wanted to point out that WP SEO should have a function which could show keywords used in images and post separately.

    I don’t know if this is relevant or not but I think it would be kicka$$ thingy for everyone.

    You are doing an amazing job with the security. I hope things work like a charm.

    Wishing you Good luck.
    Regards,
    Mithun

    • Taco Verdonschot on 11 August, 2014

      If you have a valid license for WordPress SEO Premium, please contact support via http://kb.yoast.com so we can help you solve the freeze. Otherwise you can post it in the free support forums.

      I’m sure you’ll understand we cannot give support here in the comments, as we’re trying to keep the comments on-topic.

  16. louie on 11 August, 2014

    Improved security, another great reason to use Yoast for SEO. Well done guys.

  17. Harpal Singh on 11 August, 2014

    You guys are awesome, when it comes to providing a vigorous service. MORE SECURITY MORE RELAXATION.

  18. Erin on 11 August, 2014

    This is great news to hear! Thanks for sharing.

  19. Stephen McCance on 13 August, 2014

    Great news! We are big fans of Yoast, it is the standard SEO choice for any WordPress site.
