This week we have an interview with Robert Abela. He is a fellow Maltese, like myself and Jean, and also the founder of a great WordPress plugin, WP Security Audit Log.
Robert has grown the plugin to over 80,000 active installs and an average rating of 4.8 out of 5 stars on wordpress.org. That’s no mean feat, so we decided to ask him a few questions about where he came from, how he grew the business, and what’s to come of Robert and WP Security Audit Log in the future.
Read on to learn about Robert’s journey and take inspiration from the lessons he has learnt over the years.
Hey Robert, tell us a bit about yourself and how you got into WordPress.
Hello and thank you for having me on this interview. I am the founder and CEO of WP White Security, the developers of the most comprehensive WordPress activity log plugin WP Security Audit Log, and Password Policy Manager for WordPress, a plugin we launched in late 2018.
I started working in IT when I dropped out of school. I was 20 and had some basic knowledge of computers. I started working in software testing. Through the 18 years of corporate career I worked for a few security software startups and progressed through several different roles including Support, Systems Engineer, R & D, Sales Engineer, Project Manager, Product Manager and VP of Marketing.
I was lucky that I held all these different roles because they allowed me to get a good grasp of how every department functions. Today I am using the experience gained to run my own plugin business.
I got into WordPress in 2009, when I was a product manager for Acunetix, a software company that develops an automated web vulnerability scanner. We wanted a blog for the website and chose WordPress. We had also built an online WordPress security service, which unfortunately was not a hit. I’ve learnt a lot from our mistakes and kept experimenting with WordPress since then. In 2012 I started blogging about WordPress security and in 2013, when I left the corporate world I started developing WP Security Audit Log as a side project while freelancing.
How did you get started with WP Security Audit Log, and how has that been going?
Back in 2013, when I was doing hack cleanups and security hardening of WordPress sites, I was surprised that there was no decent WordPress activity log (audit log) solution for WordPress, considering it is such a popular multi-user platform. So I started developing the WP Security Audit Log plugin as a side project.
I am not a developer but I managed to develop the first beta. Thankfully, it never made it to the public! The first released version was developed by a friend of mine. The public response was very positive so I continued developing it. For the next two and a half years I didn’t have a developer and worked with several subcontracted ones. I was paying them with the earnings from my freelancing and hiring different developers for different updates.
In 2015 I released the first premium add-on which was the email notifications. I had a few sales but they didn’t even cover the expenses. I didn’t give up because even though sales were very low, I saw the potential in the project. In 2016 I started working with a development agency. They were able to dedicate a few hours of development every week for the plugin. During 2016 and 2017 I released another 4 premium add-ons. And by the end of 2016 the plugin project was self-sustainable.
I wasn’t making any profits and was not getting anything in return for the long hours I was working on it. At least I could pay the agency without forking out money from my own savings. To ensure growth I needed someone who was more readily available than the agency. So in the beginning of 2017 I started looking for a developer. After a long 6-month search, in mid 2017 I dropped the agency and started working with Ashar Irfan. I’ve been working with him ever since. He is a very good and trustworthy developer and with his help, we really ramped up the development and by the end of 2017 the plugin was a profitable business.
In January of 2018 I took the leap and started working full time on the plugin. Now things are looking much better. We are two full time employees and I also work with a lot of subcontractors. So very soon I will need to recruit more full time employees.
So far it has been a great experience, but also a very challenging one. It is hard to work 80 to 100 hours a week for years and get nothing in return. However, this is a marathon and not a sprint, and the few sales I did every month were very encouraging. I knew that if I held on longer, the project had a lot of potential. Today I am happy to say that finally I created the opportunity I always wanted to have – to run my own software company.
How does the WP Security Audit Log plugin help users keep their WordPress sites safe?
There are several benefits to keeping a WordPress activity log, and improved site security is one of them. In fact lack of logging and monitoring in web applications was listed in the 2017 OWASP Top 10 list of most critical security risks.
Security is not a one time fix. It is a continuous process in which you harden, log and monitor, test and improve. Our plugin fits in Log and Monitor. Once you harden your WordPress site with a security plugin or security service you must keep a log of what is happening on the site. From the log you can learn what your users are doing and also how your attackers are trying to hack into your WordPress site. Logs are also used for accountability, compliance and several other security related projects and tasks.
We want to give our users more than just an activity log plugin, so we have developed a number of features around the WP Security Audit Log plugin with which you can build a WordPress Intrusion Detection System (IDS).
So to recap, our plugin helps WordPress site administrators stay on top of their game by showing them what is happening on their site in real-time and notifying them instantly of important changes. It can also be used for forensic work to find out how malicious hackers managed to hack into the website in the unfortunate case of a successful hack.
What do you see as the biggest threat to WordPress security and why?
The biggest threat to WordPress security is its users and their lack of awareness and knowledge of what it takes to run a website. WordPress has had its fair share of vulnerabilities, though any other software has had that. As long as vulnerabilities are fixed in a timely manner, all is well.
Since WordPress is very easy to use it allowed many, who in some cases do not even own a computer, to have a website. All is well and good with that, but with no experience, many neglect the basics – they use weak credentials and outdated software. Kinsta published an interesting blog post about this, highlighting this issue with numbers.
If you could introduce one security feature to the WordPress platform, what would that be?
I like the idea of having a bare framework that is very modular, as it is now. Every business has unique needs and requirements, especially when it comes to security, so you cannot really enforce security features in WordPress for them. It is good that WordPress users have so much to choose from so they can tailor-build their website without the need to know how to code.
I would definitely promote more security through the platform and make sure users are exposed to the security options available out there, but not necessarily push any specific feature into WordPress core.
What measures do you think every WordPress user should take to improve their website’s security?
There is a lot one can do in terms of WordPress security, especially when dealing with complex and enterprise solutions. Regardless of the size of your setup, the basic security principles always apply:
- Harden: enforce strong password policies, keep software up to date, change the defaults and use a firewall or protection service.
- Log & Monitor: use a WordPress activity log plugin to keep a log and set up email notifications and frequent reports.
- Test: Whenever you make a change, including installing a new plugin or changing some settings, make sure you test.
- Improve: Use what you have learnt from the logs and testing to improve your setup. Keep all your software up-to-date.
How do you feel about the new GDPR guidelines? What would you change/improve?
I am in favour of GDPR. The regulations are not perfect but they will be improved as we go along. It is good to raise awareness in regards to privacy and how users’ data is used. Many businesses certainly need regulations.
I myself hate it when I contact a company via a contact form, and without subscribing to anything or giving consent I am automatically subscribed to several of their newsletters, and contacted by several of their business partners. I have a right to know where my data is being used and have a right to choose and know what I am subscribing to.
This behaviour also hurts ethical businesses like ours because people are no longer receptive to emails and calls. You can send ten newsletters to your users to advise them about breaking changes in a plugin update, yet once you release the update everyone starts complaining because they were not advised.
So the General Data Protection Regulations are not perfect, but they are certainly a much needed change in the right direction.
Does your plugin help users to also be GDPR compliant?
In very basic terms, GDPR is all about two things:
- Telling the website user what information you collect, why, how it will be used and for how long it will be kept.
- Protecting and ensuring such information is not accessed by anyone who is not authorized.
The WP Security Audit Log plugin helps site admins with step number two – keeping a record of who is accessing the data and making sure it is not accessed by unauthorised users. We have written how to use WordPress activity logs as part of your GDPR toolkit which is a more detailed explanation of how a WordPress activity log plugin fits in GDPR compliance.
How is WP Security Audit Log performing at the moment (users, revenue, traffic, etc.)?
We are nearing the 90,000 active installations and have more than 1,000 paying customers. I am proud to say that some of our customers are world renowned brands such as Bosch, Disney and Nginx. To me there is no better seal of approval than having these companies using my WordPress activity log plugin.
The launch of the new website early last year has certainly helped a lot. We took SEO seriously and it is paying off. We do get a lot of organic traffic and nothing converts better than organic traffic. Growth is certainly there and it is promising. In the last four years we have recorded 100% growth year on year. For the first time since the business started, last year we generated a six figure revenue.
In regards to the plugin, currently we are focusing on ease of use. It is a very comprehensive plugin with the best coverage. However, not every WordPress site administrator is interested in all the detail and features, and we understand that. So we are making a lot of changes to make the plugin easier to use, making sure it can be adopted by a wider range of site owners. We have already started – we added a setup wizard, created different log levels, re-organised all the plugin settings and added more help text. These changes have already had an effect because we are seeing more end-users using the plugin now, and not just big businesses.
What are the core values driving your business decisions?
When I started the plugin I never thought it would be my full time job. It all started as a hobby because I wanted to learn more about development and WordPress and I needed a WordPress activity log plugin for myself. The positive public response, to which I am very grateful, is the byproduct of building a great solution.
So I’ll always stick to this main core value; to build a good product that I can use. In fact I do not add plugin features which I think I or my users wouldn’t need. Some people say that a business needs a lot of luck to succeed. I agree. Though you also need a solution that addresses a pain point that people have, that can make their daily jobs easier. And that is exactly what we are doing.
We also make sure we are transparent, honest and responsive. If there is an issue with the plugin we try to solve it and get back to the user as quickly as possible, even if they are using the free edition. And if we do not support something, we say it as it is. We do not try to bend the truth. Yes, sometimes you will lose a potential user and a sale, but better one less customer than an unhappy customer.
What are your main marketing channels to bring in customers? What have you tried out in the past years?
The main marketing channel is the WP Security Audit Log plugin page on the WordPress repository. As you can see we try to use it as a landing page by giving the user an overview of the plugin. It used to be much longer, though we have rewritten it and used a more straight to the point approach, which is more effective.
We also use our WordPress security blog as a marketing platform and free advertising website. We always write good and relevant content that attracts a lot of readers. Last but not least, we also invest in other common marketing channels, such as writing guest posts and articles on websites which attract potential plugin users, run some banner ads and similar campaigns.
What were the biggest lessons learned (failures, aha moments, pivots) so far?
The first one is that if you do not ask, you do not get. You’d be surprised how much people are willing to give when you ask. I did a lot of outreach for marketing campaigns but I only used to contact businesses and websites which I thought were the same size as my plugin business, thinking the big players will ignore me. I was wrong. Actually many do get back to you, especially if you have a good product. The same applies for discount and bargaining. Do not try to take advantage of the other party, but if you are working on a joint marketing campaign make your voice heard.
The second one is that business is a marathon and not a sprint. Training for marathons takes much more time and requires more long term effort than that of sprints. So if you are expecting an instant success, you’re going to be disappointed. It’s a lot of hard work, and if you are patient and ready to commit to your dream, it will happen.
Are there any other companies in your industry that you admire, and why?
There are two particular companies in the WordPress ecosystem who I really admire:
BlogVault: I have known Akshat, BlogVault CEO, for more than five years and he has genuine interest in what he is doing. Because of this, his business has the same core values as ours. They are transparent, honest, give the best they can and obviously, have a great product.
Yoast: These guys excel at what they do. And that is something to be admired. Many businesses are good at what they do, but very few excel and lead like Yoast. Their attention to detail is impressive. Even the auto follow up emails they send when you purchase a plugin from them are very well written. I also like Yoast because they are a people’s company, which is not typical for a company of that size. Once I reached out to them with some recommendations for a blog post. They got back to me and showed genuine interest in my plugin and in my recommendations. We also kept the conversation going and they even helped me with non work related matters! Big kudos to them for keeping their feet on the ground.
What can we expect from WP Security Audit Log in the upcoming months and years?
An even better WordPress activity log plugin! It sounds cheesy, but it is true. Our main focus is to continuously improve the plugin. We have been doing this for more than five years. We have learnt a lot about the plugin and the market and now we are at a stage where we have taken care of the basics, and are ready to progress to the next stage. As in, we are over the common issues new plugins have, such as performance, product design and similar issues.
We want to support many other plugins and keep increasing our coverage. We are also focusing on more integrations with centralized logging systems typically found in enterprises, like we did with Slack. Right now we are busy improving the integration with WooCommerce. We will also be announcing an integration with Twilio, so you can configure SMS notifications! So stay tuned to the WP Security Audit Log plugin blog.
Thank you, Robert, for taking the time to answer these questions. Congratulations on what you have built so far with WP Security Audit Log, and we look forward to seeing it grow even further in the coming years.
If you’d like to get in touch with Robert, leave a comment below or visit the WP Security Audit Log website.