Regular security audits: taking our responsibility

Today, we’re announcing that we have partnered with Sucuri, in the interest of proactively securing our plugins. As our plugins run on more and more sites, we have a responsibility towards our users and the web at large to do our utmost to ensure that our code doesn’t make them vulnerable.*

We’ve been preparing this release for over two months. In that time, Sucuri has identified vulnerabilities in plugins across the WordPress ecosystem affecting over 20 million downloads. This shows the need for users and web hosts to update plugins promptly when security updates are released. Looking at those numbers, it argues for a more “forced” way of updating plugins. It also places additional scrutiny on us, plugin and theme developers, to ensure that we are not only focused on features but place additional emphasis on good, secure code.

Once a security problem is public, there’s no stopping the bad guys in any other way than to update. To us, as authors of plugins that all combined have more than 20 million downloads and run on over 5% of the top 1 million websites, it made even clearer the need for more scrutiny in our code writing. We could think of no one better than the guys working in the trenches, Sucuri.

Improved security, so we can sleep better

Let me be honest: there’s no such thing as 100% safe software. Ever. But we can strive. From now on, Sucuri will review all the code in our major plugins at least four times a year, on top of our own testing and development best practices. They will work with my team to ensure that the patches we push are adequate, and work with us to get the word into as many hands as possible. For all intents and purposes, they will be an extension of my development team, focused strictly on security. We are not foolish enough to think that this is the be-all and end-all of security; no, we realize this is a process and it will continue to evolve.

Like all of you, we’re not perfect. We’re sure, though, that having the pros at Sucuri review our code regularly will lead to our plugins being among the safest out there, which is how we want it. It’s how we, as the good web stewards we strive to be, will take responsibility for what we do and how we do it – providing our users the best, and most secure, options available. Not just because you sleep better because of it, but because we sleep better because of it too.

But you said “partnered”?


Yes. This will be a relationship in which we reciprocate the service by being an extension of their online marketing team. Sucuri will review our plugins; we’ll help them by reviewing their online practices from a website optimization point of view. Let’s face it: we can’t all be good at everything. They are great at (WordPress) security but could use some help with online marketing and website optimization, and they recognize this, which is why we are going to help them get better.

To start, they have already received our ultimate review package in which we provide a thorough review of their SEO practice, website usability, and conversions. Have you seen their latest changes?

Similarly, we’ve made the first improvements to our plugins based on their reviews, luckily showing no critical issues yet.

Additionally, they will be working with us beyond just the code we ship. They will be working with us to improve our overall security posture as an organization, and we’ll be leveraging their Website AntiVirus and Firewall products to ensure a safe online experience for all our online visitors. They are the premier Website Security company, and we rock at what we do; it’s only right that we make full use of each other’s services.

Lead, not follow

When I was on the Dradcast 2 months ago, I hinted at some of this. We should lead by showing how people can improve their products and processes. I personally think every premium plugin/theme company should have a process for regular independent security reviews of their product(s). This is an example which I’d love for every company in the WordPress community to follow and document.

We’ll be as transparent as possible about all of the things we do, both Sucuri in how they improve their site as we in how we improve our code. As you can see, we’re very excited to be working with the team at Sucuri, and we look forward to making the web safer together!

* For the record: from a purely juridical point of view, the GPL basically disclaims all warranty.

24 Responses to Regular security audits: taking our responsibility

  1. Stephen McCance • 10 years ago

    Great news! We are big fans of Yoast, it is the standard SEO choice for any WordPress site.

  2. Erin • 10 years ago

    This is great news to hear! Thanks for sharing.

  3. Harpal Singh • 10 years ago

    You guys are awesome, when it comes to providing a vigorous service. MORE SECURITY MORE RELAXATION.

  4. louie • 10 years ago

    Improved security, another great reason to use Yoast for SEO. Well done, guys.

  5. Mithun • 10 years ago

    I am using WP SEO on my blog. After the recent update, it kind of freezes when I change the SEO post title and meta description. In the earlier updates, it used to run smoothly.
    Now I have to wait for 2 seconds to get the remaining meta description/keyword limits.

    Other than that, it is cool. I also wanted to point out that WP SEO should have a function which could show keywords used in images and post separately.

    I don’t know if this is relevant or not, but I think it would be a kicka$$ thingy for everyone.

    You are doing an amazing job with the security. I hope things work like a charm.

    Wishing you Good luck.
    Regards,
    Mithun

    • Taco Verdonschot • 10 years ago

      If you have a valid license for WordPress SEO Premium, please contact support via https://yoast.com/help/ so we can help you solve the freeze. Otherwise you can post it in the free support forums.

      I’m sure you’ll understand we cannot give support here in the comments, as we’re trying to keep the comments on-topic.

  6. Sanjib • 10 years ago

    Website security is very important. I feel more secure now with Yoast. Thank you for giving another reason to be happy. Happy Blogging.

  7. Porter • 10 years ago

    On the note of security, Google apparently confirmed that using SSL is now a benefit for SEO (source – http://community.namecheap.com/blog/2014/08/07/official-using-ssl-https-helps-seo-ranking/?utm_source=facebook&utm_medium=ppc&utm_content=SEO+SSL+Competitors&utm_campaign=SEO+SSL&utm_nooverride=1)

    On that note, can you recommend any shared hosting that would support SSL? I’ve been looking into Namecheap for hosting, but I’m not finding too much as far as reviews go, since they’re new to that field.

  8. Anjani • 10 years ago

    Excellent news, Yoast plugins are more secure now. Another solid reason to use Yoast plugins. I have been using the WordPress SEO plugin for the past several years, always got great results and it also saved plenty of time. Thanks!

  9. Susan Miller • 10 years ago

    I use Wordfence premium plugins. I found high-level security could cause indexing problems. What do you think, Joost?

    • Joost de Valk

      In general, the two have no connection whatsoever. If you get hacked though, your search rankings usually suffer immensely.

  10. Anchit Shethia • 10 years ago

    It does not matter how great the plugin is. If it is not secure and does not plaster security loopholes in our blogs, it’s in vain. It’s great to see you taking all the necessary steps to secure your plugins. I possibly have most of your plugins installed and you always give us good news :) Thank you!

  11. Brittany Rae Johnson • 10 years ago

    This is one of the best pieces of news I’ve ever read. Lately I usually change between 4 different plugins. I see Yoast must have invented a new plugin for any security threat.

  12. Nilesh Shiragave • 10 years ago

    Excellent news and great work. So from now on we don’t have to worry about security, as all your plugins will be secure.

  13. Ranjana Sharma • 10 years ago

    Great news and excellent work, Yoast. This is one of my favorite plugins in WordPress…

  14. Jake Martin • 10 years ago

    Top notch, Yoast and team. It’s really refreshing to see people be pro-active — hopefully more WordPress authors will take note.

  15. Brandon Himpfen • 10 years ago

    Excellent news and great work. End users will be happy to read this.

  16. Lisander • 10 years ago

    Good news, Yoast. I use a couple of your plugins. Not that I ever doubted them, but this gives me extra reassurance that you’re doing everything you can to keep things secure.

    Btw, I came here a couple of times in the last few weeks to read some new posts; I almost thought that you guys weren’t going to update us on what you are doing anymore.

    • Joost de Valk

      Hey Lisander,

      Most of us have been on holiday for a few weeks, which is why it was rather slow here :)

  17. David Silver • 10 years ago

    This is a great step to take and I am happy that you are sharing this so openly. Most would not want to admit they might have security issues. Just another reason to love Yoast!

  18. Ulco • 10 years ago

    Set up a responsible disclosure program; it usually yields way better results than a security audit (even though that’s a pretty good start).

    • Joost de Valk

      Planning to do that. As said, this is the first step in our partnership and Sucuri will help us go further :)

  19. Brian Jackson • 10 years ago

    Great news! We use your SEO plugin on every one of our clients’ sites and are always happy to see improvements, especially when it comes to security. Keep up the great work.