Do you use WordPress (yes you’re in good company…57,337,325 sites use WordPress in the world!)?
But how to secure, optimize and speed up your wordpress?
Just watch this interview with Jason Cohen cofounder and CEO of WPEngine ;)
He took Smart Bear from start to multiple millions in profit, without debt or VC, then sold it for cash.
Jason is also a mentor at Capital Factory (like TechStars or Y-Combinator in Austin) and investor in a few companies.
He is the author of Best Kept Secrets of Peer Code Review, the most popular book (50,000 copies) on modern, lightweight methods for doing peer code review effectively without everyone hating life. He’s also the co-host of OnStartups Answers along with Dharmesh Shah.
Jason lives in Austin, Texas with his wonderful wife, a chef and entrepreneur who blogs about cooking healthy at home, and his precious baby daughter Abigail.
Marco: Hello everyone Marco Montemagno the Tech Alchemist and here
with me today is Jason Cohen, co-founder and CEO of WPEngine. Hi, Jason.
How are you doing?
Jason: Hey, thanks for having me.
Marco: All right, Jason. The reason why I wanted you on my show is
first I am a customer a WPEngine customer. This is always embarrassing on
one side, but very good, because you talk exactly of something you try and
test every day.
The topic generally is a very interesting topic. I have tons of people
asking about tapes and advice about Word Press and where to explore Word
Press, security and all of the problems around. In my experience, who
better than you could help us understand more.
Could you imagine if I was a totally unhappy customer and this was a trap
to talk badly about WPEngine? It would be genius. It would be a mess, but
no. I think the main problem here for me, I am running digital stuff for I
don’t know 15 years and for the last 10 years doing stuff on Word Press.
The big pain that WPEngine came to solve, or WPEngine allowed companies, is
to give managed hosting where I don’t have to think about upgrading
security and this kind of stuff. I think this is a good asset. Can you for
first explain in your words, what WPEngine does and why you are different
from any other hosting companies?
Jason: Sure. We host Word Press which means if you have a Word Press
blog, of course if a browser goes to your site, it has to go somewhere. We
run the servers that that browser is in fact connecting to.
What makes us different is that we are more expensive than Dream Host and
Blue Host. It does cost more, yes. What do you get for that? First of all,
the blogs go a lot faster. On average our customers see a four-times speed
Second, it scales under traffic. If you get some nice press your blog won’t
Number three we handle security and if in fact you are ever hacked, we will
fix it for free as a part of our normal tech support.
The fourth and probably most interesting one is that we have more tech
support members who know Word Press on staff than anyone else per thousand
customers which means we actually have the time and human beings to help
you with Word Press specific questions even down to things like which plug-
ins should I use for this and that sort of thing.
Our service by investing in human beings for our service our service can be
both really responsive but also deep. We have the time to get on the phone
with you. You get your monies worth.
Marco: Automattic, the founding company of Word Press, did they invest
also in WPEngine or I’m wrong?
Jason: They did and last year when we raised some money Automattic was
an investor in that round. You have to be careful, Automattic works with
lots of hosting companies. You shouldn’t read into that that we are favored
or read into any other hosting company as a result. That would be not true,
but certainly it is a vote of confidence in what we are doing, how we are
doing it, and whether it is something that they approve of or like or sort
of correct for Word Press. Obviously, it is a nod from them.
Marco: The Speed promise that WPEngine was doing, I was very
fascinated about. Also, checking around, I saw your fabulous t-shirt you
got written, “My blog is 4x faster than your blog”, so, I thought this guy
is very arrogant or he knows his stuff, you know. Let’s try to test.
The first question that I have for you is how about speed. How can you
promise and deliver, because then you do it to make a Word Press site
faster, because people and businesses are used with tons of cache plug-ins
or cloud flare or this kind of services cache CDN and this kind of stuff.
How can you handle this part of the hosting?
Jason: Sure. There are many aspects to making a site fast or scale or
secure. In the same way that you ask, how do you make a car fast? The
engine is important, but obviously it is not the only thing. Spark plugs
can be important. The size of the engine is important. The gas that you put
in is important. The oxygen mixture of the carburetor is important and so
forth, right? If you put a super charger that’s important.
Like that, it is not one thing. Everything from having superior hardware,
having those hardware resources dedicated to your site and not shared with
let’s say a thousand other blogs. Then having systems around your blogs to
cache pages and so on. You mentioned cloud flare.
Cloud flare for example caches static content, meaning things you’re your
images and CSS, but it does not cache pages like your homepage or a
particular other page or a post. Those are the things that are actually
typically the slow thing and the thing that doesn’t scale. The other stuff
is usually not the problem.
Though it does make it incrementally faster for the other stuff, it doesn’t
address the hard part which is dynamic stuff. There is also the database.
In the same way that there is many, many pieces that go together,
sometimes, it’s just in plug-ins that we say you should not use because we
know that those plug-ins slow your site down and we have alternatives for
There are many ways. What is interesting is again, I hate for this to just
turn into an ad for WPEngine, so maybe a story about speed which is not so
obvious but kind of fun.
We had a customer move to us and got instantly a 20% increase in revenue,
because he got a 20% increase in page views. He got that because people
stopped bouncing off the site as much or by 20%. Bouncing meaning, the
browser came to the site and then left.
Here is the interesting part, those statistics were not in Google
Analytics. This is why and this is the neat part. This is true of any
website anywhere so it’s kind of fun. You know, when you click a link in
Google search results, there’s a white page and it’s spinning and you get
tired of waiting and you hit back, right?
Obviously, you just bounced off the page. Obviously, that was a potential
page view that did not happen, right? But, here’s what’s interesting,
because the page didn’t load, Google Analytics didn’t load either. Which
means Google Analytics, or any tool that you might use won’t know that that
happened. That is a bounce rate that is invisible to tools, sort of by
When your page goes faster you get those kinds of bounces less, because the
pages does appear, so you do get it and even if they do run [it] right
away, at least you know it, right? It’s in a bounce rate you can see in
your tools. Of course, in general, this is common knowledge with all of the
studies that are out there, people tend not to bounce off of sites as much
when they are fast.
What’s interesting is that you can’t measure how many people are doing that
sort of by its nature. All you can do is make the site a lot faster and
see. That’s what happened exactly to this customer that I am referring to.
It’s an interesting effect that sometimes these things are hard to
quantify. There are things people know, like, faster sites get higher
search rank position.
Or, in general, people will stick around sites that are more responsive
stands to reason as well, besides the fact that there are studies. But
there are even, like, little holes like that which I think are also very
You ask, “How can we guarantee what will happen?” Well, we don’t. All we
know is there is some effect and it is what it is and it will depend on the
site and lots of things. We don’t. We just do many, many things to make the
site fast and those other things. More things than you’re going to do by
yourself just because who has the time? Even if you are technical, it’s
interesting, but who has the time?
Marco: What is the best tip that you can give to business owner that
OK, has to take a decision and is maybe not hosting on WPEngine or similar
web services? What is the most important thing? Just go on those kind of
plug-ins with cache and CDN and so on or any tip that you could give
Jason: Make sure you have a caching plug-in like W3 Total Cache or WP
Super Cache, something like that because it will cache the dynamic content
and that is the slowest part, number one.
Number two, there are very inexpensive CDNs like Max CDNs or Cloud Flare
which is free. I highly recommend that you go use Cloud Flare. It will
cache a whole lot of stuff for you and there are a lot of other controls
and its basic version is free. That also affords you some security. Which
is also very good so no reason not to get Cloud Flare.
Number three, you can use something from Yahoo called ‘Yahoo Smush It’. It
is a free tool that will make your images smaller without making the
quality less. We can go into why if you want to, but that’s what it does.
It gives it back to you in a format that’s very easy to then upload again
to your website so, that’s permanent.
You only have to do that once every time you change your theme, so no
reason not to do that, again, it’s free.
Another thing to do that is free, is to use a tool either like W3 Total
Cache or a plug-in like WP Minify and these are plug-ins which take all of
your style sheets and Java scripts so that means the stuff ending in .CSS
and stuff ending in JS and they combine them into one.
One style sheet instead of ten. One Java script file instead of four. Also,
it makes them smaller. Both of those actions, I could go into detail if you
want, but both of those things make your site download much faster and that
cache plug-in, W3 Cache plug-in, and again, it’s free. Again, there is no
reason not to do it.
Those are three things that you could do on any hosting provider that will
make Word Press faster. The final thing I will say about that is there is
an online tool called WebPageTest.org, also free, where you can put in your
blog URL or really, any URL and get a very detailed analysis of what is
fast or slow.
If you do that first, then do some of the things I said, you will literally
see the difference. Also that tool may be able to help point out other
things that you may be able to do to increase speed.
Marco: Right. A few years ago, I launched a web network in Italy and
finally did 3.5 million visitors a month. The funny thing is the biggest,
biggest problem, it was before the cloud, so one of the biggest problem was
going down. Every time that there was a peak of traffic everyone happy on
one side and one the other side every one very sad, because you know you
have to pay for additional service and so on.
Now, with cloud it is different. But, still, a website going down is
something that happens often. By the way, I think also, the right moment
when I migrated my website, the WPEngine went down. I say, gosh I just
changed providers, but it was just 10 minutes, something like that.
What can you suggest on this topic? Do you think it is related with
caching? If you cache good…
Marco: …then if the site goes down you still have the cache in place
or is it something else?
Jason: Uptime in data centers is rough. There is literally no hosting
provider that I know of and no WordPress provider that I know that has 100%
uptime in the last 12 months, not one. It’s hard.
When Amazon has their big data center failure at Virgina as they’ve had a
couple of times in the last couple of years, all kind of services that you
use just go down. You say, “Wait a minute, I thought it was cloud. I
thought it was high availability. I thought they had backups. I thought
they were redundant in various ways”, whatever.
Yet, all of these various players that invest countless dollars in
infrastructure on things like Amazon and Cloud and all that sort of stuff
fail anyway. It’s, very unfortunately, life in hosting is that it’s not
Now that doesn’t mean that you throw your hands up and say, “There is
nothing we can do about anything”. Not true of course. There are many
things. One thing it does point out that is interesting is it’s very, very
expensive to get high uptime. Even multiple servers isn’t enough, because
if they are all in one data center, the data center can have problems. Like
for example, I don’t know, a hurricane hitting the West Coast and taking
out your data center on the West Coast, which happened to a couple of data
centers, right. This happens.
You have to have multiple data centers. That’s tricky, because keeping your
data synchronized between them is a project. It’s hard enough that, again,
a lot of those tech savvy companies that have one application that they
have to keep running are unable to do it or there’s trouble. When you are
able to do it, it’s very expensive, because you need multiple servers in
one data center to survive single server issues.
Then you need multiple data centers, so you need servers everywhere, all
dedicated for you. You have to test that stuff. It is very complicated.
Honestly, for almost anyone, it’s not worth it. It’s a horrible thing to
say, because you hate to say, “Tough”. The truth is you pay for what is
necessary to get that. It is not the right cost benefit trade-off for most
Services like us or indeed our competitors, any of us, we have a lot of
measures in place for high availability, there are still going to be some
events. Fortunately, we did not go down with that storm even though we do
have hundreds of servers in Newark. We do have some high availability stuff
and so we did survive that.
There are other things, especially in our past when we were less
sophisticated, a couple of years ago where a data center failure did take
us down for a little while. Now we are more sophisticated, but even so, I
can still devise a scenario where we are going to go down, right?
Where there are lots of service providers. The other day GoDaddy’s DNS went
down famously. A ton of sites went down. Our phones rang off the hook, “How
come our site is down?” Of course we weren’t down, but their DNS provider
GoDaddy was down. So, their site was down.
There is a chain of service providers actually, that all have to be working
for your site to go down. So, failures anywhere in there will take your
site down. It happens, again, very expensive, in fact too expensive for
almost anyone to try to get, to design for 100% uptime.
Marco: Jason, do you think that this scenario will change sooner or
later as technology progresses around? Because as you say and I totally
agree, there are so many players in the chain and you can be great but the
DNS goes down or the DNS can be OK but the hurricane is coming so it is so
difficult to get everything together.
Do you think it will improve the situation or it will stay like this
forever and ever?
Jason: It will definitely improve. It has already improved. Cloud does
improve things. You can have a failure in a single piece of hardware and
not go down, because your thing can float over to another piece of
hardware. You could have built that 10 years ago and it would have been
much more expensive. Now, it costs money, but it is much cheaper and much,
In the same way, that all of this stuff will become easier and more
accessible and less expensive. At the end of the day, high availability
means redundancy. It means there are multiple things that know how to do
this and are doing this at all times, that’s what it means. There’s always
some expense for having resources allocated for you in multiple places.
That’s always going to be more expensive than not having those resources.
I think that the extra cost will come down, the difficulty of setting it
up, will come down. I do believe that it will be less expensive over time
to do that. In fact, there’s even an offering that we are working on right
now that will provide something like that very thing but in a way that is
more affordable. We are going to try to do that. Even so, in 10 years, it
will be a whole different story just like cloud is, but cloud doesn’t
automatically mean you go down. That is certainly not true as you can see
by things going down.
Marco: Jason, security, this is another hot topic, because on the one
side you are worried that the web site goes down, on the other side you are
worried about being attacked somehow. The two fears are what can I do with
my security? My password, my long password, this kind of stuff and what
does my provider do with security? Could you elaborate on that? I think
that there is a lot of confusion when we talk about security and Word
Jason: There is a lot of confusion with security and Word Press. I
think it is accurate to say that almost none of the security issues that
people have, almost none of the hacks that people have are due to Word
Press itself or the hosting provider. I include all of my competitors in
that. In other words, it’s very, very rare for one of my competitors for a
security vulnerability on their side to be the cause of an attacker
That is the same if you look at Word Press itself. There is of course a
third-party organization whose job it is to track security problems and fix
this. If you look at Word Press, you can see that there is almost none.
That is almost never the problem. Even the very, very few things that they
find, the attacker wasn’t successful in doing it. They patched it
themselves before anyone else had even found it.
In short, Word Press is about as ironclad as you can have for any web
application. In general the service providers don’t have problems. Again,
you can always pull out “Well, one time this happened with this one”. Yes,
one time, but people get hacked constantly all day long. If there was one
problem one time somewhere that obviously is not the main problem here.
Marco: The problem is the user in the end.
Jason: Well, sometimes it is the user. Word Press, remember, you can
install any theme and any plug-in. Well, that means that you can run any
code. That means all kinds of problems happen as soon as you say, I can run
anything. Well, OK. Guess what, then they are all potential security
vulnerabilities. Just like speed there is a myriad of things with
passwords that happen.
Here’s the biggest mistake that people have about security, they say every
day, “I won’t get hacked, because I have a little site where I sell lawn
gnomes and nobody wants to hack a site that sells lawn gnomes”, because who
cares. They are absolutely wrong. Those are exactly the sites that get
hacked. Not because they care about lawn gnomes, it’s because the hackers
want to do something else like send spam email or use your server to then
do something else to another machine but mask their identity, because it
comes from your machine.
In other words, the hackers have some other aim. They want to hack your
site in order to do that other thing that they really want to do. They
don’t care who you are. They just want to hack you so they can use you to
do stuff like a puppet. Everyone is vulnerable and people get scammed
constantly for these things, because hackers will literally write code that
runs around the internet looking for sites they can do this to. They don’t
know either who you are. They don’t care.
Marco: Do you agree, Jason, to give a practical tip, I’m thinking of
the most common way of hacking may be to get good passwords, changing
passwords, limit login at times, there is a plug in. By the way, I think
WPEngine has got it by default so that when somebody tries to look in your
WP admin dashboard after three logins or whatever that IP is blocked.
Is there anything else that somebody can do by themselves?
Jason: Yeah. There are a few things. Again, I would use Cloud Flare.
They do have a layer of security. We do have customers with Cloud Flare
that get hacked, but security is something where every little bit that you
do does help. If you use Cloud Flare some number of attacks will be blocked
not 100%, but whatever they are it’s a number. Who cares, it’s free. Do it,
Number two, use the fewest number of plug-ins possible. Use themes and plug-
ins that are generally well worn. Just because they are used a lot doesn’t
necessarily mean that they are safe. There have been some famous examples
like admin and a tool called ‘Tim Thumb’ which were vulnerable. However,
the ones that are often used when they are vulnerable, it’s big news.
There’s often a patch out quickly.
In other words, you’ll find out and you’ll be able to fix it. Ones that are
not used, if they are vulnerable, you’ll never know, all right? Using well
worn code and as little of it as possible. The same goes with themes.
Themes that are used by a lot of people, same thing. That is maybe the
number one thing that you can do to be safe.
I would suggest something that you talked about, it’s called ‘Login Lock
Down’. That’s a plug in. It’s free. If you see someone attempting to log in
a number of times unsuccessfully, it locks them out for a little while.
That prevents people who are trying to guess your user name or password.
So, that’s nice. Again, that’s just one little thing. One little piece of
your armor, right, but every little bit helps.
I would say finally on passwords changing the passwords is probably not all
that important, because that assumes that someone is getting your password
and knowing it and again they are not targeting you that specifically they
are trolling around, so just having a really good password that is long and
has some punctuation in it and stuff, that’s better.
If you are really paranoid, use two-factor authentication. For example,
there is a free plug-in from Google where to login to your Word Press blog,
you type in a password but then Google sends a number to your cell phone,
it texts you and you type it in. That’s something that of course a hacker
would have to be pretty amazing to get. That kind of thing you can use.
One more thing that is important, when you log into Word Press it is
insecure. That is, when you go to your login page it is http://, not https:
like when you go to your bank and so on. It is not secure. That means when
you type your name and password, when you are in a coffee shop, everyone
who is in the coffee shop who wants to, just got your name and password.
Now, again that is a hacker who is sniffing around a little bit more than
what I was describing earlier, but that absolutely happens.
Number one, two-factor authentications, fixes that. Number two use a
hosting provider in which that is secure like WordPress.com. We have that
option. A couple of our competitors do too though. It is not completely
unique. You are sending your password over completely unencrypted unless
that is not the case.
Marco: That is super interesting. By the way, I am a fan of double
authentication, Google I have been using it for a while I am super happy
with that. I didn’t know that there was a plug-in for Word Press, so I will
install it. When we finish, I will just install it. How about FTP hacking
for security, something to be worried about or not?
Jason: Again, strong passwords.
Marco: Can you imagine that when I launched my [Web Works] network,
I’ve been choosing movable type, because the Word Press community was not
there yet. I thought, “Well, not so much”. I think now, wow, there are so
many things. How about themes and designs? There is such a large choice, a
lot of times people start to change design and theme and then use a
framework and then us another theme. It’s a very chaotic situation. Do you
have any guidelines for themes and designs to do a good job?
Jason: Not really, in that there are a lot of really good players with
quality themes and support behind it as you say, frameworks with trial
themes. I would say if you’re developing a single blog you have a large
range of choices for what you can pick. I would say pick a theme where
there are people you know who have experience there so you can ask
questions of is probably the best thing, because there’s lots of different
If you are a designer and you are making lots of Word Press blogs and this
is your career, then you could learn a lot of different themes, but that is
probably not the best use of your time. As the designer of the blog you get
to pick more or less what the theme of the framework is, so it’s probably
best that you specialize in a couple or even in one framework and go super
deep in that framework.
So you become really competent in delivering sites quickly, especially for
the more simpler common stuff and also for a facility for yourself of more
complicated features. Some of these frameworks like Woo with Canvas,
Genesis, Thesis, and all these things. They are a whole thing unto
themselves. You can almost think of them as application or products in
themselves. They have tons of hooks. They have their own way of doing
things. You make child themes. There are plug-ins that work with them.
It’s a whole ecosystem within itself, each one is a little one. I think it
makes sense to specialize in one or two of those. A couple of these have
very large followings with lots of design and stuff behind them. Learning
that, probably allows you to generate websites faster and deeper rather
than just pulling random themes off the shelf and having to get inside that
theme author’s head each time. It’s probably best to specialize if that’s
Marco: I’ve be using Genesis and Thesis. I’m a big fan of framework,
because as you said, I think there is more stability and support and so on.
What would happen in the next year for Word Press? We recently watched Matt
talking, the founder of Word Press talking about how amazing Word Press is
going to be more and more. What are you expecting? What would happen from a
technical point of view? In one year, big changes, more or less the same?
Is there any particular thing that would be a game changer for Word Press?
Jason: I think you would have to ask the people at Automattic who are
literally making those decisions. Some trends that we are seeing, number
one, you could say that Word Press is getting some what you could say, some
software maturity. That is there are things like unit tests and
documentation and things like that which in the regular software
development world back into Java and .net and stuff, are part of what you
might call a software maturity process. That is sort of being back filled
into Word Press now which I think is very good.
I think you will see that being pushed into plug-in theme developers to
participate in that. That will help with things like Word press upgrades
where currently that can break lots of things and vice verse. That’s a
whole thing and with more process around that especially automated testing
and continuous integration and stuff like that, hopefully, you will see
There’s this goal of having Word Press automatically upgrade continuously
like Chrome. I feel like that is a very good thing to do, upgrades. ON the
one hand we want upgrades, on the other they are events every time for
everyone. Again, as part of the [type] process means that you can start
doing that as well. I think that is a terrific goal.
It will help Word Press grow in whatever way it wants to grow because it
will grow more easily being more continuous development and deployment.
That will enable Word Press itself to succeed in whichever way it wishes. I
think you will see more applications built on Word Press. In the old days
Word Press was “blogging software”, now, Word Press is websites or CMS.
It’s just anything. We see the same thing. I might actually say the
minority of our customers is just their blog.
It is their website whatever that means, the company website, the marketing
website and so on. That will not only continue, but I think it will move
into the realm where it is also a shopping cart. It’s got more dynamic
Applications which are currently built on Ruby on Rails, more and more
might be built on top of Word Press, because after all it’s got that CMS
stuff built in and so theming it is so much easier and having non-technical
people being able to edit text and behavior is so much easier.
It is kind of a logical place for certain types applications to go to. I
think you’ll be able to see it move into application.
Another trend that I think you will see is more enterprise level features.
Some of which means things like, performance and scale on internal stuff
which would matter if you had 100,000 posts or 100,000 users and wouldn’t
matter if you were smaller than that. Some of that is internal. I think you
will see some external features as well.
Most of the stuff that I am saying is speculation, because Automatic and
the Foundation of course together are the ones that in fact drive that
stuff. I am going kind of off what we are seeing, kind of off what they’ve
said, kind of what Matt said in the last ‘State of the Word’, is what his
goals were. I think that they are more or less in line with what has been
publicly stated as the direction of Word Press and we’ll see.
Marco: Excellent. Jason Cohen. Thank you so much. WPEngine, co-founder
is here. Jason, good luck for everything and keep in touch.
Jason: Thanks for having me.