WP White Security is a company to look at if you want high-quality security and admin utility plugins to help you manage and secure your WordPress or WooCommerce websites. We interviewed Robert Abela, CEO of WP White Security, about the history of the company and the details of the security plugins they develop. Abela also shared his opinions and advice on WordPress and web security.
What made you set up WP White Security company? What were the difficulties you had?
I learned about WordPress back in 2012 during my last corporate job. I was working as a Product Manager for a web security software company and we needed a blog for our website. Back then there was not much awareness about WordPress security, and there weren’t many good solutions either. So I decided to leave my corporate job in 2013 to try to set up my own WordPress business.
In the early days of WP White Security, we cleaned hacked WordPress sites and helped businesses keep their sites secure. However, I was never keen on providing services. I’ve always preferred to sell software because that’s what I’ve always done. So I started developing our first plugin, WP Security Audit Log. It was quite a challenge to get started. To start off with, I am not a developer and back then WP White Security was still a hobby/part-time.
So the first five years I’ve worked as a freelance based consultant and paid developers to develop the plugin for me. Many thought I was crazy because I was paying programmers to develop a free plugin! After a year we released the first premium add-on. Over the years the plugin started generating revenue and in 2018 I joined WP White Security as the second full-time employee.
Which plugins does WP White Security offer? WP Security Audit Log seems to be the flagship of the company. What sets it apart from the others on the market?
We have five plugins:
WP 2FA: This is our latest plugin. It is a free two-factor authentication plugin for WordPress. We developed this plugin because we wanted a solution that allows website administrators to make two-factor authentication compulsory via policies. It is also very easy to use. This is another important feature because most other plugins that we have seen cannot be used by non-technical users.
Password Policy Manager: weak passwords are one of the top causes of successful WordPress hack attacks. WordPress notifies the users when they use weak passwords, but there is no enforcement. So we developed this plugin with which administrators can enable password policies and ensure all their site users use strong passwords. With this plugin, administrators can configure a variety of password policies, such as password complexity and expiry policies.
Website File Changes Monitor: this is a free file integrity monitoring plugin for WordPress. It basically advises you of files that have been added, modified, or deleted from your website. This plugin stands out from the rest because it does not report false positives, which lead to false alarms. It keeps a record of when a plugin or theme is installed or uninstalled, or when WordPress core is updated. So it knows exactly if the file changes were legit or not.
Activity log for MainWP: this is an extension for MainWP that keeps a log of the changes that happen on the MainWP dashboard. With it, users can also see the activity logs of all the child sites on the MainWP network from one central location – the MainWP dashboard.
WP Security Audit Log: as you said, this is our flagship plugin. It is an easy to use activity log plugin for WordPress. It has quite a lot of features that make it stand out from the competition. For example:
Very comprehensive logs: all the other plugins I’ve seen only report that a user or a post has been updated. Our plugin keeps a log of what was updated, if it was a password change or email change in a user profile, or if it was a URL, author, or content change on a post.
Extensive coverage of WordPress changes: our plugin can keep a log of more than 500 different types of changes on a WordPress website, and the list is growing with every release.
Fully blown logging solution: the plugin also has a number of tools that make it a full-blown logging solution. You can configure it to send you emails and SMS messages about critical site changes, you can generate automated weekly and monthly reports, you can integrate it with Slack or send the messages to syslog, and much more. If anyone is interested, they can see the complete activity log plugin feature list here.
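The false-positive-free file monitoring described above (a baseline of file hashes, compared against the site's own record of plugin installs and core updates) as an added Python example; this is not WP White Security's code, and the event kinds, the `wp-2fa` plugin path and the sample site are constructed assumptions:

```python
import hashlib
import os
import tempfile
EVENT_COVERS = {  # which change kinds a recorded site event legitimately explains
    "plugin_install": {"added"}, "plugin_uninstall": {"deleted"},
    "core_update": {"added", "modified", "deleted"}}

def snapshot(root):
    """Baseline manifest: relative path -> SHA-256 of every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest

def diff(old, new):
    """Compare two manifests into added / deleted / modified path lists."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def classify(changes, events):
    """events: (kind, path_prefix) pairs the site recorded itself doing. A change is
    expected only if a matching event covers its path; everything else is an alert."""
    expected, alerts = [], []
    for change_kind, paths in changes.items():
        for p in paths:
            ok = any(change_kind in EVENT_COVERS[ev] and p.startswith(pre) for ev, pre in events)
            (expected if ok else alerts).append((change_kind, p))
    return {"expected": expected, "alerts": alerts}

def demo():
    """Constructed sample site: baseline, a recorded plugin install, one unexplained file."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)
        write("wp-content/uploads/2020/photo.jpg", "constructed image bytes")
        base = snapshot(root)  # unchanged files must not be reported later
        write("wp-content/plugins/wp-2fa/wp-2fa.php", "<?php // plugin file")
        write("wp-content/uploads/2020/x.php", "<?php // no event explains this")
        return classify(diff(base, snapshot(root)),
                        [("plugin_install", "wp-content/plugins/wp-2fa/")])
```

A file under the plugin directory that is later modified is not covered by the install event, so it still raises an alert.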
Today WP Security Audit Log is used by more than 100K users and the number is growing every day. What makes it so popular? What is the ratio of individual users to enterprises among your clients?
WP Security Audit Log has quite a few features that make it an attractive solution for many WordPress site owners.
- It is very easy to use, yet it keeps a very comprehensive log.
- Our plugin and its features are tailored for businesses. For example, we added features that businesses need such as the ability to configure the retention policies, send the logs to Slack or other third party services, configure automated reports, fully configurable email and SMS notifications, and the list goes on!
- It is a security solution. This is a continuation of the above. Big businesses need a reliable and comprehensive logging solution because of compliance, and for user accountability. So the details of the logs and all the other features (such as the ability to enable/disable specific logging, configure the retention policies, etc.) make it a great business solution.
I do not know exactly what is the ratio of users vs businesses. However, the majority of our user base are large enterprises and businesses, universities, hospitals, financial institutions, and development agencies.
What future plans do you have for WP Security Audit Log and other plugins?
We have a never-ending “to-do” list! The plan is to keep releasing frequent updates featuring both new features and improvements. We plan to do the following in the next few months:
- Develop activity log solutions for many other third-party plugins in WP Security Audit Log. Right now we have an activity log for WooCommerce, Yoast SEO, WPForms, and a few others.
- Add more two-factor authentication methods in WP 2FA and continue developing this plugin into a fully-fledged two-factor authentication solution.
- Further develop the dormant users’ feature in the Password Policy Manager plugin.
- Improve the file changes scanning technology and maybe keep a track of the actual changes with the Website File Changes Scanner plugin.
What is your main advice for users when choosing the right plugins for WordPress?
Tricky question! I see a lot of articles about this subject. For example “the 10 must-have WordPress plugins” or the “10 plugins you must have on your website”. It is also a common question that users ask. For example “Which plugins should I have on my website?”
There is no definitive list of must-have plugins. The list of plugins you install on your website depends on what you want to do. For example, if you plan to build an online shop, you need an e-commerce plugin. If you want to build a membership website you need a membership plugin.
There are a number of “fundamental” plugins the majority of websites should have, such as an SEO plugin, two-factor authentication plugin (to harden the login pages), and a backup plugin. But as for the rest, it all depends on the requirements that you have.
As a web security professional, could you please share some security tips for our readers they can apply on their WordPress sites?
There are a lot of things you can do to improve the security posture of your WordPress website. And as a website grows more complex and the number of users/members increases, the more you should do. However, if you start with the below security best practices your WordPress site will be very well secured:
- Always use up to date software. This applies to the WordPress core, plugins, themes, web servers, and the software on your computer.
- Delete all the software that you do not use. Deactivated plugins should be deleted and you should only have one theme on your website (unless you have a child theme). Disable all the services you do not need on your computer and web server.
- Use strong passwords. Here are some tips on what makes a strong password.
- Enable two-factor authentication on WordPress, and also enable it on all the other services where it is available.
- Keep a log of all the changes that happen on your site, computer, etc. Most WordPress web hosts have logging enabled by default on the webserver. For your website, you need a plugin to keep a WordPress activity log.
On top of the above, you can also install a firewall plugin or use a firewall service, install a website file changes plugin, and do much more. However, the above should be more than enough for the majority of the WordPress sites.
Today most companies are affected by the COVID-19 pandemic. How is WP White Security dealing with the situation? What countermeasures are you taking?
We are a remote company. All our employees work from home. I’ve been working from home for the last 7 years, so I am an expert on social distancing 🙂 As such nothing really changed for us apart from the fact that now our children are at home all day long. So I consider myself and my team to be very lucky during these hard times.
Do you have any additional comments or recommendations for our readers?
Many still think that WordPress is a very “insecure” system and avoid it at all costs. I see this a lot, especially on forums and Q&A websites such as Stack Overflow and Quora. They couldn’t be more wrong.
It is true that WordPress has had its fair share of security issues. However, even the operating system and the browser you are using right now to read this interview have had their fair share of security issues.
No software is perfect. Actually, the more security issues that are discovered and fixed, the more secure the software gets. What really matters here is that the developers fix the issues on time, and that was always the case with WordPress.
The main problem with WordPress, if you can call it a problem, is that it is very easy to use. Therefore many people with no technical know-how use it to set up their own website. More often than not, these websites end up hacked because inexperienced users can’t maintain a website. In fact, the two most common causes of hacked WordPress websites are user problems: weak passwords and outdated software.
If you maintain your WordPress site, you will not have any problems. WordPress is not perfect, it has its issues. However, it is also as secure and as reliable as the alternative solutions many recommend.