Since the news of Yahoo’s acquisition of Tumblr, users of the CMS are migrating their blogs over to WordPress like African Swallows unladed with coconuts. There are quite a few ways to migrate, so we figured we could save you the trouble and share a quick and simple way, which can be done in a few easy steps.

1. Create a WP Engine account

You gotta have an awesome place to host your site. Once you have your domain name, create an account with WP Engine to help with all your WordPress needs.

2. Authenticate with Tumblr

Inside your WordPress dashboard, go to Tools → Import and look for the Tumblr Importer. Click on it. You will be prompted to enter the email address you used to sign up for Tumblr and your Tumblr password. Now click the Connect to Tumblr bar, below.

3. Import into WordPress

The importer will fetch and list your blogs and give you the option to import as many as you’d like by clicking Import This Blog. You will be able to watch the progress of the imports on the import page and you will also be sent an email with the import is completed. Your videos will either be imported to your server or embedded. Your embedded content will be converted to easy-to-use shortcodes. If the importer comes across an embed it can’t convert, WordPress will provide this information in your import completion email.

There’s one extra step if your Tumblr site has a custom domain, i.e. “skateordie.com” instead of “skateordie.tumblr.com.” In this case you must make sure to disable the custom domain while the import is being processed (you can change it back later if you’d like). To do this, go to the Tumblr dashboard, click on Settings, and then un-check the Use a Custom Domain checkbox. Now set up Domain Mapping so users can find you at the same domain you had before.

4. Get to Stylin’

While you’re waiting for all your content to import, you might as well play around with the different looks you might want for your new blog. WordPress even has a ton of themes that are meant specifically for tumblelogs. There are seriously so many themes for WordPress. You might also want to visit WooThemes or themeforest for ideas.

Before you know it, all of your content will be imported and you’ll be experimenting with new looks, tools and features. Your blogging is about to get a whole lot more personalized and dynamic. Welcome to WordPress!

In a bold attempt at an image makeover this week, Yahoo acquired Tumblr for a cool billion dollars. The acquisition of the CMS slash social network has shaken up the world of blogging and created some uncertainty for folks who have build an audience on the Tumblr platform. Despite Yahoo!’s promise “to not screw it up,” folks are worried that they may lose their content if Yahoo decides to shut Tumblr down altogether. Yahoo’s track record with companies they acquire is spotty.

The outcome of Yahoo’s goal to acquire relevancy with the younger set remains to be seen. So what’s happening to all of the clever content creators and zeitgeist influencers of Tumblr as we know/knew it? Well, many of them are holding out and staying loyal to the platform where they built their audience, and many signs point to that being a good move. Dance with the one that brung ya, and all.

But there’s also been a huge spike in pages imported from Tumblr to WordPress over the last weekend. Tens of thousands have already made the migration. Tumblr bloggers are now flocking to WordPress.

Whirlwind of Importing

WordPress’ co-founder Matt Mullenweg posted some the numbers on his blog. Within a single hour last night, 72,000 new blog posts were imported into WordPress. Though it’s a small percentage of Tumblr’s 50.9 billion posts, it’s still way, way more than WordPress’ Sunday evening average of 500 posts total.

Let’s think about why this might be a smart move for certain bloggers. Is WordPress a viable option for your blog?

Yes, the acquisition is nudging independent Tumblr bloggers to consider their options, but even without Yahoo’s interference, there’s a valid argument that the migration to WordPress is a natural progression for anyone serious about blogging. After getting their audience and their content started on Tumblr, some users will be looking for more control over their site, as well as their content.

Own Your Content

WordPress means ultimate freedom and ownership. Everything you publish on WordPress you own. And, since WordPress is open source, you can manage, tweak, control, and design virtually every aspect of your blog, front-end to back-end. As well, since WordPress is open-source software, and not “owned” by a company, WordPress can never be acquired and no one is ever going to serve you ads.

The knock-out combo of freedom and ownership is a big reason why WordPress makes up 17% of the Internet and 48% of the top 100 blogs are WordPress. It’s free, it’s open-source, and it’s all yours.

WordPress Ease of Use

WordPress gives you dramatically more control of your site. But, if you can navigate Tumblr, basic WordPress is not much of a stretch as far as learning curve goes. But it’s a huge leap as far as capabilities go.

WordPress’s richer functionality adds much more creative freedom and variety. Customizable themes and tons of plugins from places like WooThemes and Themeforest (to name two) make it possible for your blog to be literally one of a kind. Add WordPress meetups in cities all over the globe, WordPress has an amazing community to follow, interact with, and become part of!

Friends Forever

It also helps that WordPress and Tumblr have always been friendly with each other—complimentary even. They are not mutually exclusive in the least. In fact, Tumblr’s own blog used to be on WordPress. Migrating only takes a few clicks and you’ve imported your entire Tumblr site to a fresh WordPress install. Also, with Publicize, WordPress users can share their posts instantly to a number of social networks, including Tumblr – with a single click.

That really just scratches the surface of how WordPress and Tumblr are complementary, and why WordPress would be a solid option for your blog to graduate to.

With the mission to contribute to the democratization of publishing, Matt Mullenweg is pretty much the opposite of a corporate sellout. So however you decide to handle the news about Tumblr’s acquisition, bringing your Tumblr content into WordPress is a surefire way to ensure ownership of your content and creative freedom for your blog.

This was an awesome weekend.

WordCamp Austin officially came to a close Sunday afternoon after record-breaking attendance and a diverse group of attendees and speakers from all over the planet. Thanks again to the organizers for all their hard work to organize the event. The Austin WordPress Meetup continues to grow each year, thanks to the dedicated work of organizers.

Attendees came from all over the Continental U.S., from Portland to Phoenix to Tampa, Florida. But, the “I traveled farthest to come to WordCamp Austin” award goes to one of my favorite developers and bloggers, Konstantin Kovshenin. His transatlantic flight from Moscow to Austin definitely takes the cake. And the award for the best beards goes to Jared Atchison and Bill Erickson.

WP Engine sent everyone possible to WordCamp and developer day. Co-Founders, Jason Cohen and Ben Metcalfe brought our new COO, Heather Brunner, and our awesome VP of Dev/Ops, Chris Errett to the day. Representing support was Tony Fox and Christian Thompson. Shayda was running around with a checklist to keep everything running smoothly (like always).

Everyone spent time talking with attendees who stopped by the WP Engine booth, handed out our classic WP Engine T-shirts (super-soft cotton!), stickers, and let everyone know the positions that we’re hiring for!

We’re Hiring!

Pardon this slight detour, but if you haven’t seen our new careers page, or the number of jobs that we have open currently, you should check those out. At WordCamp, we met a number of amazing people who have already sent in applications. Future WP Engine employees will have the opportunity to go to WordCamp in their job description!

CigarCamp 2013

The second iteration of CigarCamp, the unofficial after-after party for WordCamp Austin that Pat Ramsey, Shawn Hesketh of WP101 and yours truly organize, was an amazing success. Last year it was a casual gathering of about 10 folks on the roof of the Omni by the pool. This year, more than 45 people came out to Easy Tiger. WP Engine covered the bar tab, and Shawn Hesketh brought 3 boxes of cigars with custom WP101 labels. The whole group stayed out till later than I care to admit. There might also have been a game of Cards Against Humanity that Chris Lema instigated (more photos below).

Dev Day

Dev Day was hosted in the WP Engine offices inside of Capital Factory in the same room that the Austin WordPress meetup is hosted. Mark Kelnar, one of our original developers, gave his presentation on using Git for version control on a self-hosted install of WordPress, and stayed to answer questions after.

Thanks again to all the organizers for an amazing WordCamp. Attendance smashed records with 450 attendees, which is huge for any WordCamp. We were even graced with the “kind but firm” presence of Andrea Middleton, all the way from Portland. As the city of Austin keeps growing, WordPress keeps gathering more and more share of the internet, the Austin WordPress meetup will keep expanding!

See everyone next year!

-Austin Gunter

Photo Credits: Shawn Hesketh

Alex is a Pacific Northwest-born dude, who has made his way down to the OC to get out of the rain. He literally picked up and moved away from Oregon 2 weeks after graduating high school. WordPress came into his life, at first as side gigs, but then gradually allowed him to pay all his bills, and then some.

In Alex’s Own Words:

The things that have made me happiest in life were the things that I knew I “belonged” to. Something that I could take ownership of in some way and do good. Community is what I’m talking about. The WordPress community just blows my mind nearly every day with the number of people taking to it, forging their own path and really just supporting one another. Having worked in tech for over a decade, I’ve never seen a community its equal. I’m proud to be a part of this WordPress thingy.

Now, onto Alex’s Answers!

When was the first time that you really got excited about WordPress and at what point did you decide to make it your career?

Well, I don’t know that I was so much excited as I had an “oh shit” moment. “What are you going to do, Alex?” Is what I’d asked myself. You see, I’d been laid off at the time. I had only just moved in with my girlfriend, and there was also a baby coming. I panicked and I was stressed… I hated what I did, as a Storage Engineer. It made my mind go numb and my eyes bleed. It truly was soul sucking work.

I did WordPress stuff on the side, never fulltime… Then it slowly began to creep into my entire work day; before I knew it I was able to pay actual bills doing what I was doing… Freelancing. I was making a living. On MY terms. When I realized that, I truly began to appreciate WordPress not only as a development platform, but also something changed my life.

Where do you go first to get your WP news, insights, and updates?

WPDaily.co is a pretty indispensable resource; make.WordPress.org and any number of the topics there from theme/plugin dev to core discussions. It’s the place to go to stay up to date on the WP ecosystem. Also, chatting with the folks at the Orange County WordPress Facebook Group  - The people there are up on their stuff, always willing to lend a hand and are pretty damn cool. (Ed: The OC Facebook group is one of the most active forums we’re part of.)

What WordPress Consultants deserve more love than they get?

Without a doubt, Jeffrey Zinn and Brandon Dove at PixelJar. I want to be like them when I grow up. They not only work with some awesome clients, and give back to the community, while also making awesome products like AdSanity, but they’re just stand up guys. I truly look up to what they do. They really do inspire me to do more in the community and also to improve my skills.

What performance tips would you give to other pros (as related to speed, scalability, security, plugins, backup, etc.)?

Be aware of what your plugins are doing. A prime example are the plugins that bundle a number of shortcodes together. Often these plugins produce calls to scripts you’re not using, such as a jquery slider (Nivo Slider, for one), and other such things that can cause your site to load just a bit slower.

Get familiar with testing your site’s load times on sites like WebPageTest.org and be willing to refine, refine, refine. Optimize them images losslessly. Enigma64 is a new tool I recently added to my toolbox. It’s ridiculous how much it optimizes assets within PSD files; the designs I work with primarily are in Photoshop format in the first place.

Confess to us your biggest moment of WP fail.

I pushed an update to a functionality plugin I made for a University and managed to take out all the links on the home page. Each time a link was clicked, it just redirected users to the home page… It sat like that for almost a day. The plugin was responsible for a large number of custom post types. Yeah, I forgot to re-activate it. =-/

If you were going to spend this weekend creating a plugin that doesn’t exist, what would it be?

I like BIG ideas. Since education is something I work closely with these days, I’d want to create a plugin suite that manages parent/student information, provides a method of class progress and manages input of student scores/grades… You know. All in a day’s work. =0

Do you use Themes & Child Themes, Roll your own, or both?

For long time, I was a big Genesis Framework user. I still love it, but I’ve been rolling the Underscores Starter theme for my most recent projects. It’s made me more of a control freak. I kinda like it. It’s easy to create a solid base to start from.

What’s your favorite theme or theme framework? Why?

Even though I use it very little, Headway is pretty amazing in terms of what it can do. It’s about as powerful and intuitive of a drag and drop framework I’ve ever seen. Not that I’ve seen many, but it is, in my opinion, tops that category. Also, as I said, Genesis is tops, too. It’s solid; I don’t feel it suffers from ‘bloat’ and is really easy to customize for any type of project

What’s your favorite WordPress plugin and why?

DB Migrate Pro. I love this plugin because it makes db migration as simple as clicking a couple buttons and kaboom. You just pushed from local to stage; or pulled from prod. to your local dev. It’s amazing. It’s a great example of doing one thing really super well. Backupbuddy is a great tool that I’ve used on a number of sites, had very few problems with it, but it’s a really more than what I need most times. WB DB Migrate pro is just awesome at the thing it does: Migrate Databases. If you’re a dev and you’re not using this plugin, you’re losing time.

What’s your least favorite plugin?

Up until Jetpack rolled out their Enhanced Distribution feature, I used the Ultimate Facebook Plugin from WPMUDev. I like what it does when it works, but I’ve had so many issues with that plugin. I’d rather play with a sharp stick to the eye.

What’s the coolest thing you’ve ever done with Custom Post Types?

I recently did a project where we created a rolled out a Simple LMS solution for online course managment and test taking. We had posts for tests, courses and the course learming materials. When students passed a test, it updated their progress in the course as to what they had taken already and what still needed to be taken and what their previous scores were. All of this was visible to the course admin. The test meta was handled through custom fields.

What do you think is the biggest challenge that WordPress consultants will face in 2013?

Balance. While true balance doesn’t exist, we need to work harder at it. I talk to many of my fellow consultants and they’re working their asses off, myself included. Day/Night and very little time off for our own things. On one hand it’s a good sign, on the other hand people are going to get burned out. I think them’s the brass tacks of freelancing/running your WordPress biz today.

If you could change one thing today about WordPress, what would it be?

Create installation profiles. WordPress can do so much out of the box. It’s friendly to use, but, man, it can be overwhelming for new users. I’d like to see profiles that really trim out unnecessary items from the Admin and really provide a streamlined experience for people to get “just what they want” and nothing they don’t…

Where do you see WordPress going in the next 2-3 years?

I see no signs of slowing down. I really see the platform becoming more adept at providing a mobile integrated solution for publishers. I think we’re going to see a major overhaul in the WordPress mobile strategy. I also hope to see some innovation come from John O’Nolan’s Ghost project surrounding a better Admin UI.

Tell us a story where you saved the WP day for yourself or on a client project. What made the difference for you?

I worked with a client that had a static website with declining visits and business to their site. Everything they did was over the phone; they relied on ads and online traffic to get calls.

I switched them over to WordPress, did some basics, such as set them up with WordPress SEO by Yoast, got them blogging their newsletter content and literally within two months, their traffic quadrupled for their keywords and their business slowly began to pickup.

That I could take an open source tool and essentially “save” someone’s business in less than 90 days is pretty f*cking amazing. Suck it Joomla!

What’s the biggest misconception you encounter about WordPress, and how do you clear it up for your clients?

People that know “enough” about WordPress often complain that all WordPress sites look alike. I often tell people that the look and feel of a WordPress site is up their own imagination and the skill of their designer and developer

If you were interviewing another WordPress developer for a job, what is the first question you would ask and why?

I’d ask them what WordPress means to them. It’s important for me to know that the community part matters to them. Code standards are the next bit I’d ask about. I don’t expect anyone to be an expert; but I do expect you to know enough to know that you could find different ways to accomplish things, and seek alternate answers or means of doing something.

I think the other thing I’d ask would be to ask them about how they’d solve a particular problem; something that would be particularly difficult to answer right off the bat. I get this from Chris (Don’t call me BrOprah) Lema. Knowing how people approach problems and how they troubleshoot them is also critical.

What did I miss? Here’s your chance to fill in the blanks and add something you want people to know about you!

There’s this thing we’re working on in the OCWP group. It’s kind of a big idea. It’s called WordPress For Good. We’re getting the wheels spun up on this project. We’re looking to pull from the community designers, developers, marketers, project managers and more to help local charities, non-profits be more effective in their communities by providing them a robust online presence.

We’re still in the infancy stage here, but this is something near and dear to me. The quote “Nobody can do everything, but everybody can do something” is one of the things that instantly makes me think of the WordPress community. It’s built upon doers, thinkers, creatives, leaders, followers and people with big hearts. It’s inspiring and I want to get people excited about taking WordPress and doing real actual good in the community. Stay tuned, y’all.

Thanks Alex!

Higher education folks should take a look at Alex’s portfolio, DigiSavvy. He’s doing some great work with institutions of higher ed, amongst a few other places. You should definitely work with him.

Three weeks ago we held our quarterly “All-Hands” event where every WP Engine employee travels to our Headquarters in Austin, TX for a week to spend quality time together as WP Engineers. Everyone from San Francisco to Philadelphia gathers for a week of face to face meetings and fun shenanigans that help build relationships and strengthen our company culture as we continue to grow.

While many of our teams are used to working remotely with each other, regularly conducting meetings via phone or Google Hangouts, nothing can really replace a week of face to face meetings and events. It’s important to our culture to have the shared experiences from spending time together as a company in meetings, collaborating on support tickets, and yes, bonding over some of Austin’s delicious food.

The last all hands was in November 2012, and there were about 30 folks at WP Engine. At this All-Hands, we were rounding 50 WP Engineers.

The idea for All-Hands (or All-Hangs, as we like call them) started at the SF WordCamp in 2012. We traveled as an entire company to the WordCamp, and it was a huge experience for us as a company. Jason and Ben led exciting “state of the company meetings,” and we all got to spend quality time co-working and doing support tickets together.

A lot gets done during All-Hands weeks, both from a “making progress on our strategy and tasks” perspective, and also from a “having an awesome company culture” perspective. I’m on the team that spends weeks organizing, and there is a lot of planning that goes into it, but All-Hangs one of my favorite things we do as a company.

Every All-Hands has a big finale. This time around, we planned for everyone to kick back and relax at a video game arcade bar on 6th Street followed by a company-wide dinner at a local landmark, Opal Divine’s. It was a blast to let everyone loose in the arcade to compete against one another. You could tell who the real gamers are!

Of course, we continue to solve support tickets the whole time. You can see in the picture that we’ve got techs set up with their laptops in the arcade, solving tickets while the games go on in the background. We’re always on-duty to solve support tickets!

Then, the whole company set out across downtown Austin on the way to Opal Divine’s for dinner. Imagine 40+ people walking down 6th street at 4PM in the afternoon. There was a surprise before dinner: we got the chance to visit our new office space!

WP Engine has been growing quickly, and we’ve outgrown our office space in the Capital Factory. Inside the new offices, our CEO, Jason, took a few moments to address the team. He talked about how many people we’ve added since our last All Hands, how each and every one of us owns a part of what we’re building. Every time Jason stands up to address the company, he covers something very personal that he believes the company can mean for each of us personally in the years to come. Those talks are always a highlight for us.

This post is about WP Engine’s culture, but it’s probably impossible to sum up a company culture in a blog post or a few photographs. It means something unique to each of us, and we all bring something to the company culture at WP Engine. Culture is something we all focus on and curate. Culture is a big reason I’m proud to be part of WP Engine.

From all of us at WP Engine, thanks for being part of the journey. And, by the way, if all this sounds like something you want to be part of, we’re hiring more people every week. We’d love for you to join the company. Maybe next time your face will be in the All-Hangs photos!

To see more from our week, make sure you check out the rest of the photos on Facebook.

]]> http://wpengine.com/2013/05/how-wp-engine-spent-our-april-all-hands-week/feed/ 0 http://wpengine.com/2013/05/how-wp-engine-spent-our-april-all-hands-week/ http://feedproxy.google.com/~r/wpengine/~3/K6Owy98NY5Q/ http://wpengine.com/2013/05/our-message-to-president-obama-creating-jobs-that-are-worth-having/#comments Tue, 14 May 2013 13:15:26 +0000 Jason Cohen http://wpengine.com/?p=2687

Last week, WP Engine was very proud to have The President of the United States, Barack Obama, visit the Capital Factory startup offices. As an Austin entrepreneur, I’m very proud that President Obama chose to visit Austin, and our offices in particular. It’s an exciting time for the city of Austin, as well as for WP Engine, and the President’s visit provides a unique opportunity for us to comment on WP Engine’s approach to job creation.

WP Engine has benefitted from the community and resources in Capital Factory for the past 3 years as we’ve grown as a company. Our growth has been so exciting that we’ve just signed a lease on new office because we’ve outgrown the Capital Factory.

As Todd Park, the CTO of The United States noted, “the innovative spirit of Austin [is] a model for the rest of the country.” I believe that Austin is a repeatable model for the rest of the nation, not only for our technological innovation as a source of job creation, but also for the types of meaningful jobs that Austin startup companies, like WP Engine, are known for creating.

The President’s visit to Austin highlights the strong economic growth and job creation that come out of Austin’s culture of creativity and entrepreneurship. Since we founded the company 3 years ago, WP Engine has grown from our first 3 people, to now nearly 50 (and we’re hiring more every week!). We’ve not only created dozens of jobs, but I believe we’ve created jobs worth having.

Let me be specific. A startup founder has the privilege of deciding what kinds of jobs to create. As their startup grows from the first few employees to the first few dozen, the founder can evaluate the positive impact the jobs will have on their community, on their customers, and on the people who will fill those jobs.

There is a series of questions we ask every time we decide to open up a new job description to maximize the meaningful impact of each position.

For example, we ask, are the jobs designed to empower customers? How will each job we fill help our customers achieve their own goals? After all, the startup should be doing something valuable for our customers, otherwise why are they paying us? With that in mind, how does each job track back to helping customers achieve their goals?

We also ask, how will each new job serve internal company metrics? Startups track a number of things from sales to website traffic to customer happiness.  But, unless we’re careful, running a company purely on metrics can miss the human element of job creation as well.

Furthermore, what kind of jobs will we create from the perspective of our employees? What will their work environment be like? Will it be comfortable and generous or spare and intense? When there’s a conflict between customer and employee, how do we resolve it? When things are going well, how do we celebrate? When they’re not, how do we knuckle down? What aspects of personality and behavior will we tolerate, and which are unacceptable? What does it mean to celebrate diversity in individuals and backgrounds, but unity in our culture and mission?

Each of those questions gets at what it means on a personal as well as professional level for our employees to accept a job at WP Engine. Having clear answers will mean we attract the right employees – employees that come to work excited, and who leave every day with a sense of purpose in their work.

We also hope that, even as employees leave WP Engine for their next opportunities, they’ll take these values and their training with them to their next job, or better yet, incorporate them into their own startup company! The goal is to create a virtuous cycle of startups and job creation.

As a part of the Capital Factory and the greater Austin startup ecosystem, we hope WP Engine can be a model for startups in cities across the nation to build companies that matter, not only for their founders, but for their customers, and for their employees as well.

Photo Credits: Nate McGuire and Alex Jones

This guest post is a technical  by Brad Williams, a leading WordPress developer and security expert, as well as a co-founder of WebDevStudios, one of the top WordPress agencies. He is the author of Professional WordPress, and also co-hosts the DradCast.

One of the most important steps when writing code, regardless of what platform the code will run on, is making sure it is secure from hacks and exploits. Running a plugin with a security hole could open up the entire WordPress website to malicious hackers. WordPress features some built-in security tools that you should always take advantage of when creating custom plugins and themes in WordPress to verify your code is as secure as it can be.

Trust No One

The golden rule when writing code is to trust no one. That is, consider all data invalid unless it can be proven valid. Any data that can be manipulated by a third party should be validated and sanitized prior to processing that data. Forgetting this simple rule could end in disaster for anyone running your code.

Data Validation and Sanitization

Any and all data that comes from somewhere external to your code, like user input, needs to be scrubbed to verify it’s free from illegal characters and potentially unsafe data. WordPress contains a set of escaping functions that you can use to verify that your data is escaped properly when displaying it to the screen.

• esc_html() – Used for escaping data that contains HTML. The function encodes special characters in their HTML entities, making it safe to display on the page.
  Example: <?php echo esc_html( $text ); ?>
• esc_attr() – Used for escaping HTML attributes. This function should be used whenever you need to display data inside an HTML element
  Example: <input type="text" name="name" value="<?php echo esc_attr( $text ); ?>" />
• esc_textarea() – Used for escaping HTML <textarea> values. This function should be used to encode text for use in a <textarea> form element.
  Example: <textarea name="bio"><?php echo esc_textarea( $bio); ?></textarea>
• esc_url() – Used for validating and sanitizing URLs. This function should be used to scrub the URL for illegal characters and encodes HTML entities. Also see esc_url_raw(), which uses esc_url(), but does not replace entities for display.
  Example: <a href="<?php echo esc_url( $url); ?>">Link</a>
• esc_js() – Used to escape text strings in JavaScript.
  Example: <script>var bwar='<?php echo esc_js( $text ); ?>';</script>

If you are working with integers there are two functions you should be using:

• intval() – PHP function to verify that the value is an integer. If the variable is a string, and therefore not an integer, it will return a 0.
  Example: <input type="text" name="number_to_display" value="<php echo intval( $number ); ?>" />
• absint() – WordPress function to verify that the value is a non-negative integer. If the variable is a string, or a negative number, it will return a 0.
  Example: <input type="text" name="number_to_display" value="<php echo absint( $number ); ?>" />

As important as escaping is when displaying data, sanitizing is when saving data. Let’s look at some of the common sanitization functions that WordPress includes.

• sanitize_text_field() – Used to sanitize standard text data. This function will remove invalid UTF-8 characters, convert single < characters to entity, strip all tags, remove line breaks, tabs and extra white space, and strip octets.
• sanitize_email() – Used to sanitize an email address. This function will strip out all characters that are not allowed in an email address.
• wp_kses() – A very powerful function for sanitizing untrusted HTML. This function verifies only defined HTML tags and attributes are allowed and everything else is stripped out.
• wp_kses_post() – Very similar to wp_kses(), but you do not need to provide an array of allowed HTML tags and attributes. That list is already set based on the allowed HTML tags for regular post content in WordPress.

Let’s look at an example using the wp_kses() WordPress function:

<?php
$allowed_tags = array(
    'strong'    =>    array(),
    'a'	        =>    array(
        'href'      =>    array(),
        'title'     =>    array()
    )
);

$html = '<a href="#" class="external">link</a>. This is <b>bold</b> and <strong>strong</strong>';

echo wp_kses( $html, $allowed_tags );
?>

The first step is to define an array of all HTML tags and attributes that are allowed. In the code above you are allowing the <strong> and <a> tags. The <a> tag is allowed to include the href and title attributes. Next, you build an $html variable to run through the wp_kses() function. Let’s look at the output:

<a href="#">link</a>.  This is bold and <strong>strong</strong>

Notice the <b></b> tags have been completely removed. The function also removed the class attribute from the <a> tag because you didn’t specify that as an allowed attribute. It’s easy to understand how powerful and important the wp_kses() function is in WordPress.

To learn more about escaping and sanitizing in WordPress visit the Data Validation Codex page.

Nonces

Nonces, which stands for number used once, are used in requests (form submissions, ajax requests, saving options) to stop unauthorized access by generating a secret key. This key is generated prior to generating a request, like a form post. The key is then passed in the request to your script and verified to be the same key that was generated. If the key does not match, or does not exist, the entire process will be killed. Let’s look at a basic example:

<form method="post">
    <?php wp_nonce_field( 'williamsba_settings_form_save', 'williamsba_nonce_field' ); ?>
    Enter your name: <input type="text" name="text" /><br />
    <input type="submit" name="submit" value="Save Options" />
</form>

As you can see we have a very basic HTML form with a single text field for the user’s name. We are also using the WordPress function wp_nonce_field() to generate a secret key. This key is generated as a hidden form field and passed through the form when it is posted.

Now that you have generated a nonce field in your form, let’s look at the process of verifying the secret key upon form submission:

function bw_update_options() {

    if ( isset( $_POST['submit'] ) ) {

        //check nonce for security
        check_admin_referer( 'williamsba_settings_form_save', 'williamsba_nonce_field' );

        //nonce passed, now do stuff

    }
}

Verifying that the nonce is valid is as simple as calling the check_admin_referer() function. Simply pass it your unique nonce action and name that you defined earlier. If the secret key does not match WordPress will stop processing the page and issue an error message.

Nonces can also be used on links that perform actions in the form of a querystring. Here’s an example:

<?php $link = 'http://example.com/wp-admin/my-url.php?action=delete&ID=15'; ?>
<a href="<?php echo wp_nonce_url( $link, 'williamsba_nonce_url_check' ); ?>">Delete</a>

In this example you’ll use the wp_nonce_url() function to generate a unique secret key in the URL. The function accepts two parameters: the URL to add the nonce to and the unique nonce name you are creating. You can verify the nonce is correct just like you did with your form using the check_admin_referer() function:

function bw_update_options() {

    if ( isset( $_GET['action'] ) ) {

        //check nonce for security
        check_admin_referer( 'williamsba_nonce_url_check' );

        //do stuff
    }
}

Understanding how to write solid secure code in WordPress is an absolute necessity in this day and age. One single user-submitted value that is unsanitized could potentially destroy your entire site. Scared? You should be! Now go update your code to be as secure as possible!

Aaron currently lives in Phoenix with his wife and son, where he has plenty of space to be outdoors. “Snob” is a work that fits Aaron’s obsessions with coffee and beer. But if you say that to his face, he won’t mind.

In Aaron’s Own Words:

I got into WordPress just before 2.0 was released. I started working with some big online publishers and got known for being able to handle large-scale sites, and for solving really tough problems that went through a few people before they got to me. That’s how Range started.

Now, onto Aaron’s Answers!

When was the first time that you really got excited about WordPress and at what point did you decide to make it your career?

Sometime around WordPress 2.0 I saw WordPress as a great tool, but I didn’t really get excited about it until my first contribution was put into Core. That’s when I realized that I could help make WordPress better, and that got me excited!

Where do you go first to get your WP news, insights, and updates?

Honestly I don’t use the WordPress news sites that often. I spend a lot of time in the #WordPress-dev channel on Freenode on IRC, I frequent (and subscribe to) all the make.WordPress.org sites, and I follow Trac pretty closely as well. If I’ve somehow missed something after all that, I also talk to other WordPress community members on a daily basis.

What WP consultants deserve more love than they get? Who should we be paying attention to?

Sometimes it seems like the glory all goes to the guys that are doing the really huge stuff with WordPress. The ones working with really big name clients, etc. However, there are some people out there like Bill Erickson or Jared Atchison, that are helping small businesses get web presences on WordPress at a rate that you wouldn’t believe. Market share is a big benefit of WordPress, and these guys are making that happen.

What performance tips would you give to other pros (as related to speed, scalability, security, plugins, backup, etc.)?

For security, learn to use nonces and make liberal use of the esc_* functions. Also follow people like Mark Jaquith and Jon Cave. Just reading what they say will help you better understand the real-life issues you need to secure against.

For speed, look at the front end not the back. The vast majority of the time speed issues are coming from excessively large images, slow loading scripts, or too objects being loaded. Don’t assume you know what’s slow. Profile the site and use the facts.

For scalability, learn to cache properly. There are lots of different caching methods and types, and you need to know what you need and when you need it. Learn about database caching, object caching, page caching, and fragment caching. Cache as close to the user as possible and for as long as possible. Only invalidate cache when you need to.

Confess to us your biggest moment of WP fail?

I’ve had my fair share of fails, but usually I just learn from them and move on. It’s the ones that happen on live sites that make your heart skip a beat. If I have to list my biggest, I’d say it was the time I brought down part of the harvard.edu site by accidentally deploying part of an update that wasn’t complete. The site was only down for a couple minutes, but it’s not a mistake I’m likely to make again.

If you were going to spend this weekend creating a plugin that doesn’t exist, what would it be?

Right now, I think I’d like to build a decent plugin for creating a slide deck for presentations. All my slide decks right now are WordPress posts that use deck.js, but a plugin with a good UI for creating slides, rearranging them, etc would be really nice.

Do you use Themes & Child Themes, Roll your own, or both?

I use _s a lot now. It’s solid, clean, and bare bones. It keeps me from having to undo a lot of stuff I don’t want, and lets me start building right away.

What’s your favorite theme or theme framework? Why?

I’m going to have to go with _s here too. The code behind it is clean and efficient, which is super important to me.

Favorite plugin?

This is a tough one. There are a ton of great plugins, each doing a specific task well. For today I think I’ll have to go with Shopp. I’ve been using it a ton recently, and it’s definitely my favorite E-Commerce plugin. Jon Davis and team are great, which makes all the difference in the world.

Least favorite plugin?

I’m going to tweak this question a little because my least favorite plugins are the hundreds that flat don’t work, the hundreds that are insecure, the thousands that have sloppy code that interferes with other plugins. It’s impossible to choose one. Instead, I can answer what my least favorite plugin is that I still recommend to people and even use. That would be Jetpack. As a developer, and specifically a long-time WordPress developer, I really dislike it. It’s all the things I DON’T want in a plugin. It’s huge, it does WAY too many things, it relies on a connection to a third party for many of those things, and it’s pushy. However, even though I dislike it so much as a developer, I still recommend it in certain cases and even use it on a few of my personal sites…because it’s good. It’s got some amazing tools in it, some that you can’t find elsewhere.

What’s the coolest thing you’ve ever done with Custom Post Types?

That’s a tough one. I’ve done a lot of things with custom post types. I’ve made directories for looking up doctors, I’ve used them to ***. I suppose my favorite was actually for a site that I used to do reviews of beers. I haven’t had the time to keep up on the site, but it used Custom Post Types for both the beers and the reviews.

What do you think is the biggest challenge that WP consultants will face in 2013?

I think it’s much the same as it was in 2012. There’s an extremely low bar to calling yourself a “WordPress Consultant”. The market is flooded with people. Potential customers can have a hard time telling the difference between the good ones and the bad ones, and the bad ones can scar a customer. I can’t tell you how many people that we talk to that have already been burned by another consultant. The biggest challenge I think most of the good consultants face is separating themselves from the bad ones.

If you could change one thing today about WordPress, what would it be?

There are a ton of things I’d like to change. I think WordPress is amazing, but there’s certainly plenty of room for improvement. I’m going to cheat here a little and name two things. One as a developer and one as a user. As a developer, I really want to attack the Admin Menu. The code around that thing is scary and rigid. Not the flexible, extensible code you’d expect from WordPress. As a user, I’d like to change the dashboard. I don’t find anything there very useful. It either needs to be more useful, or it needs to go away.

Where do you see WordPress going in the next 2-3 years?

I think WordPress will grow a lot, but I don’t know that I really see it “going” anywhere in the next few years. It’s already a giant in the blogging sphere, it’s being used as a CMS for a ton of sites including some very large and very interesting ones, and it’s also being used to power apps and as a back end for many non-WP front ends. It’s spread a lot in the last few years, and I think it’s more likely that the next few years will strengthen it in all these areas.

Tell us a story where you saved the WordPress day for yourself or on a client project. What made the difference for you?

My best friend had an ecommerce site on Magento. The site was EmberArts.com and the company is a socially proactive business doing amazing things for ladies in Uganda. They do a ton of good, but their Magento site was seriously inhibiting their ability to do business. James, my friend, came to visit for a couple weeks and we completely rebuilt his site using WordPress and Shopp. It’s not the biggest site, it’s not the most technically difficult, or even the flashiest, but it’s helping to do good in Africa and it felt like saving the day.

What’s the biggest misconception you encounter about WordPress, and how do you clear it up for your clients?

The biggest one continues to be that because WordPress is free it’s lower quality than the expensive alternatives. At this point all you have to do is start listing companies or people that use WordPress and give the client links to the sites to prove it. Listing companies like Ebay, Tech Crunch, Harvard, Sony, Nasa, CNN, NFL, MLB, or Time, will usually take care of this.

If you were interviewing another WordPress developer for a job, what is the first question you would ask and why?

“How do you give back to WordPress?” Partly because we want to continue to make contributing back to WordPress a core tenet of our company, but also because I think that you can make someone a better programmer but it’s WAY harder to make them a better person. Contributing back is a good marker that says they’re the type of person we want.

What did I miss? Here’s your chance to fill in the blanks and add something you want people to know about you!

I’ve been living in Phoenix for the last nine years, which is longer than I’ve been involved in WordPress. As of the beginning of June this year, that’s all going to change. My family and I will be moving to Oklahoma. I love having a job that’s location agnostic. I bet most people I work with regularly won’t even notice a change!

Thanks Aaron!

You guys can roll on over to Ran.ge to learn more about Aaron’s work, and take a look at some of the companies that he and his team have done work for.  See what they can do for your organization!

It’s time to clear up the debate once and for all. Despite all the doubts (and some haters), WordPress core is without a doubt one of the most secure platforms you can choose to put a site on. Of course, a WordPress install is only as secure as the plugins it leverages — but that’s another post for another time.

Recently, there were even stories about a large botnet that was trying to “brute force” its way into WordPress sites, but wasn’t able to touch sites where site owners set strong passwords, were running the latest version of WordPress core, and were vigilant about security.

But, if you’re still skeptical, that’s ok. I’m going to make a case and change your mind.

Fair Criticism

During the summer of 2009, WordPress took some knocks in the web publishing community for a series of security vectors that were exploited. The internet realized WordPress could become huge, and aimed some criticism and blog posts in the hopes of making sure WordPress would be secure enough for the crowds of end-users it was attracting.

In many ways, the internet was saying,

“Hey there, WordPress, we know you’re ambitious, and we love you for that, but we gotta know your security is bulletproof for your end-users before you get too popular.”

WordPress core developers responded, and in the months that followed, collectively added patches and tightened up security across the board to make WordPress one of the most secure CMS’s on the internet. That was four years ago. An eternity in terms of technological innovation.

The Summer of 2009

Within a span of a few weeks in 2009, the WordPress core team released a series of 4 security patches. The team was rapidly and systematically closing off remaining security vectors in WordPress core. And by the end of the summer, the WordPress codebase had begun to look like Fort Knox.

However, if you owned more than one WordPress site at the time, you had to update WordPress as often as a security patch was released. In total, six versions of WordPress were released, starting with 2.8.1 on July 9th, and ending with 2.8.6 the week before Thanksgiving. That’s a lot of updating.

Updating WordPress isn’t hard. But, new updates every few weeks can quickly become a pain. Each new security update means testing the update against plugins and themes before pushing it live. Then the next update meant doing that all over again. But software is only as secure as the latest version, so you have to update every time a version is released.

But, imagine having to do that every 2-3 weeks. For every site you own.

That might create some lingering emotion.

Fun like a root canal

In the span of just 34 days, four security updates were released for WordPress 2.8. This was before managed hosting or WordPress management tools made maintaining installs easy. No, each of the updates was done manually.

Honestly, this whole run of updates ranked between “standing in line at the DMV” and “having a root canal” on the fun scale.

And, not everyone was updating. And some of the out of date sites got hacked. I know, because that year I was doing a ton of the cleanup work from hacked sites that had been running old versions of WordPress. This is why we harp on the importance of keeping WordPress up to date, and why WP Engine automatically updates customer sites. Up to date software is secure. Out of date software is a target.

Hacking is newsworthy

WordPress installs were already ubiquitous in 2009, so this whole saga was fairly newsworthy to boot. A constant stream of bloggers, posted, about the security of WordPress that year. We got so used to seeing those blog posts, that they remained in the internet’s collective memory.

Now, four years later, you can’t have a discussion about WordPress without someone chiming in to ask, “Wait, isn’t WordPress insecure?” HackerNews, I’m looking at you.

WordPress suddenly had a reputation, fair or not, for being a platform that always needed to be updated, and might not be secure.

In reality, by the end of 2009, WordPress had become secure enough for millions of end users to use it without problems, not to mention massive sites like The New York Times, and AllThingsD. WordPress’s popularity is even reflected in the growing trend of large organizations and the enterprise moving to WordPress in droves.

Shared Responsibility with WordPress Users

WordPress users must be responsible for their own security, maintain strong Passwords, and keep plugins and themes up to date, as well as WordPress itself.

The user’s responsibility will never go away. Many users who understand the value of extensive security host with WP Engine because we add additional security layers, like forcing strong passwords, and performing routine security scans. We also back up our security with a guarantee.

Secure enough to be the most popular

I hate to go with the “most popular” argument, but it’s the final bit of evidence.

With 64 Million installations and counting (17% of all sites are built with WordPress), the math is compelling. No other technology (Ruby on Rails, Python, etc.) even comes close to having as much adoption.

WordPress core is secure enough to support that massive user base, so it always puzzles me when brilliant developers are unaware how secure WordPress core has been for years.

At that scale, even the .1% security vectors should become downright common, and yet WordPress is doing nothing but grow without any major problems.

Looking at the evidence, it’s time to put the debate to rest. Maintaining security is an on-going process, and constant vigilance is essential. But, the core team has done an amazing job to ensure the security of WordPress, and will continue to do so as the platform continues to grow.

But, we’ve reached a point in the history of the internet where WordPress has earned a reputation for its security. It’s time to act like it.

As soon as our team realized the emails were being spuriously sent, and took steps to prevent further emails being sent out, while also reaching out to Mailchimp engineers to resolve the issue immediately.

This afternoon we received the following message from Mailchimp in response to our queries:

Last Friday, we performed some maintenance on our Autoresponder feature. During the maintenance, about 1,500 of our users’ Autoresponder campaigns got paused, and we were unable to un-pause them until today.

You’re one of the 1,500 users affected.

This is a notice to let you know that:

1. We feel awful about this.
2. The campaigns are now un-paused and sending. If you send daily, some recipients might be getting emails that were backlogged for the last 3 days.
3. Again, we feel awful. So if this has inconvenienced you in any way, please contact our customer service team so we can make this right.

- The MailChimp Team

If you received the succession of emails, you know that they were for a drip campaign that contains strategies we recommend for developers interested in further speeding up WordPress performance. The emails are useful, but the way they made it to your inbox is not consistent with WP Engine’s email policy.

Thanks for your understanding.