June 26, 2014

Episode 20 gets into a discussion about how our failures as developers can hugely influence how we work now and the processes that we use in our day-to-day development. We also touch briefly on a new plugin from Andrew Norcross called Airplane Mode, the “commoditization” of WordPress themes, and the recent security vulnerability in the popular TimThumb script.

This episode was sponsored by WP Ninjas, a leading WordPress plugin development team that is constantly innovating and building excellent tools for the rest of us. WP Ninjas just recently launched NinjaDemo, the only complete demo solution for WordPress.

Show Notes:

Image credit: Tomasz Stasiuk

Transcript
INTRO: Welcome to Apply Filters, the podcast all about WordPress development. Now here’s your hosts, Pippin Williamson and Brad Touesnard.

BRAD: Yes, I am Brad Touesnard. And joining me, as usual, is my co-host Pippin Williamson. Say hello, Pippin.

PIPPIN: Hello.

BRAD: This is Episode 20, and in this episode we are going to be talking about our biggest failures in our WordPress development or just development in general, really. And then we’re going to get into some news items. Let’s talk first about what we’ve been up to. What have you been up to, Pippin?

PIPPIN: Well, first of all, I took a vacation recently for the first time in a while, like a true vacation where I actually shut down and didn’t do any work or very little work. I went up to Canada to visit some family.

BRAD: Dear God, Canada!

PIPPIN: Yeah! I know there are some crazy people up there.

BRAD: Yeah.

PIPPIN: But I was right there on Lake Ontario outside of Toronto, and it was a beautiful little area. But it was really nice to kind of shut down for a little bit. And then I came home after being up there for about five or six days and immediately started working on a new add-on for Affiliate WP for tracking recurring referrals.

Ever since Affiliate WP was launched, one of the biggest feature requests we’ve gotten was the ability to have recurring referrals so that you can reward affiliates commissions on a lifetime of a customer. So if a customer signs up for your membership, and then they pay you a monthly fee or a yearly fee, that affiliate can gain a referral on every payment that they make for the lifetime of the customer.

BRAD: Right, because right now they only get the first, the very first sale.

PIPPIN: Right, they would get the first one.

BRAD: Yeah.

PIPPIN: So let’s say they sign up for a $20 monthly payment and you get a 20% commission, so you get —

BRAD: $4.

PIPPIN: Yeah, exactly. You get $4.

BRAD: And that’s it.

PIPPIN: Well, so now instead, if somebody signs up for a $20 monthly payment and is a member for 4 years, that affiliate has now just received a much larger earning.

BRAD: Right, whatever that comes out to. I’m not that quick at math.

PIPPIN: Yeah. I’m not going to try and do the math in my head. I’ll fail. But anyway, so I was working on that add-on for it, which is an add-on available to our developer license holders that adds support for that for WooCommerce subscriptions, my Restrict Content Pro plugin, the membership add-on for Easy Digital Downloads, membership add-on for iThemes Exchange.

BRAD: Wow!

PIPPIN: And then we’ve got a couple more that it’s going to support. It will support Gravity Forms, MemberMouse, Paid Memberships Pro, and maybe a couple of others. But anyway, so all of that add-on, that was built as one add-on, and we got that pushed out the door two days ago.

BRAD: That’s awesome!

PIPPIN: So I’m pretty pleased with that.

BRAD: Yeah.

PIPPIN: Yeah.

BRAD: You must have been getting quite a few people requesting that stuff. Were you?

PIPPIN: We had a couple of requests every single week for it.

BRAD: Wow!

PIPPIN: And so we had a pretty long list of customers that had either purchased or said that they were waiting for that to purchase it.

BRAD: Right. Did you have anybody basically offer to like fund the development of it? I get that sometimes.

PIPPIN: We do see that a lot. I mean, I’ve seen that with everything from EDD extensions to custom plugins to Affiliate WP. And I think we did have a couple of users that mentioned that they would be willing to fund the development. I didn’t take anybody up on it, for one, because I was already going to build it and I knew that it wasn’t an issue of having the funds to develop it. It was mostly figuring out when I’m going to sit down and actually build it.

BRAD: Right.

PIPPIN: The cool thing about the add-on is it’s actually pretty simple. It’s not a complex system at all to build as long as each of the membership plugins that are tracking these recurring payments. As long as they have the necessary hooks in place when a recurring payment is logged, it’s actually not difficult to build.

BRAD: Right. Gotcha.

PIPPIN: So I found that it works based on what we call integrations. Each integration, like Restrict Content Pro would be an integration. WooCommerce subscriptions would be an integration. And so each one of these integrations for each of these plugins is a class that extends a base class. Each one of them is, on average, 40 or 50 lines of code maximum.

BRAD: Right, it’s pretty small. Yeah.

PIPPIN: I managed to add in support for WooCommerce subscriptions in about 15 minutes.

BRAD: Right.

PIPPIN: For example, I’m going to add in MemberMouse here in the next week or two, and it’s probably going to take maybe 30 minutes to add in and test. Now the extension, the add-on took far longer than that to build because I had to lay the framework for it and build some stuff around it. But now that it’s built, adding support for additional systems is usually pretty simple.

BRAD: Right, because you built it properly.

PIPPIN: Right, which is the same way that Affiliate WP, the base plugin, works too. If there’s a new e-commerce plugin that comes out tomorrow, as long as they have the proper hooks, I could add in support to it for Affiliate WP in 30 minutes.

BRAD: Right. That’s awesome. So I heard that when you were in Canada there was basically no cell service whatsoever for your carrier.

PIPPIN: For me there wasn’t because I completely neglected to think about the fact that my current plan would not work in Canada because I don’t have an international plan.

BRAD: Oh, it’s your plan. So it would have worked if you had an international plan.

PIPPIN: It would have worked. Honestly, I could have gone to Verizon and said, “Hey, I’m going to be in Canada. I want to purchase a temporary plan.”

BRAD: Right.

PIPPIN: It probably would have cost me $50.

BRAD: Right.

PIPPIN: And I could have done it really easily.

BRAD: Yeah.

PIPPIN: But I completely forgot about it.

BRAD: Every time I go to the U.S., I shell out $45 for like a data plan for 150 megs, which is completely nuts.

PIPPIN: Yeah, that’s exactly what I would have done. So I completely forgot about it until I got there. And, at that time I just decided, “You know what? I’m going to take it as more of a reminder that I should take a break more often and just say, ‘I’m not going to worry about it.'”

BRAD: Yeah.

PIPPIN: I’m disconnected. And it was awesome.

BRAD: Yeah, but it’s weird at first though, isn’t it?

PIPPIN: Oh, it was so weird because I’m so used to having my phone with me, whether I’m using it or not, that if I need to, I can jump in and look at something.

BRAD: Yep.

PIPPIN: And I couldn’t do that suddenly, and it was strange because it was so different from what I was used to, but it was very refreshing.

BRAD: It’s then that you realize that your phone has become kind of an extension of your mind and body, right?

PIPPIN: Oh, very much so.

BRAD: You don’t realize it until it’s gone.

PIPPIN: Yep.

BRAD: Damn.

PIPPIN: So what have you been working on?

BRAD: We launched — just two days ago we launched Migrate DB Pro 1.4 and the CLI add-on, so you can now run migrations from the command line, which is awesome.

PIPPIN: That’s awesome.

BRAD: And we launched a new design for our site that I did myself.

PIPPIN: I saw that. It looks fantastic.

BRAD: Thanks.

PIPPIN: I like that you didn’t — it didn’t radically change.

BRAD: It didn’t. It really didn’t, and I did that intentionally.

PIPPIN: When I first saw your tweet that says, “Hey, the new design is launched,” I was out mobile somewhere, and so I pulled it up on my phone real quick to look. Actually, at first I thought it was cached because, since it was mobile, I couldn’t see all the details to see that it was different.

BRAD: Right.

PIPPIN: And I thought about responding like, “Hey, it’s not actually live yet, by the way.” Oh, no — yes it is.

BRAD: Yeah, exactly.

PIPPIN: And I liked that a lot because it was very subtle and, to me, in some ways it’s almost more like an iteration and an improvement as opposed to a whole new thing.

BRAD: Yeah. I’ve heard people and, like, designers; they call this a realign rather than a redesign because you’re just really tweaking things.

PIPPIN: Sure.

BRAD: And making it maybe look a little bit more modern or something.

PIPPIN: Yeah.

BRAD: But, yeah, most of it is very similar. The big change is really the features page for the product.

PIPPIN: Right.

BRAD: So that’s the one.

PIPPIN: I did see that, and that was — that’s when I was looking at it, and at first I wasn’t completely sure I was seeing the new design. Then I went into features and went, wait, oh, this is completely different.

BRAD: Yeah, yeah, yeah, yeah.

PIPPIN: It looks great.

BRAD: I’d spent some time rewriting copy, just stuff that I’ve kind of picked up in the last 13, 14 months —

PIPPIN: Sure.

BRAD: — since the last time I redesigned it.

PIPPIN: Yeah.

BRAD: I’ve learned a lot in this year and a bit. Yeah, and also we are getting — Brian Casel and I are starting to organize Big Snow Tiny Conf, which is pretty far away. I mean, it’s the summertime right now, but we’re setting dates. We’re going to do it January 26th to the 29th, so that’s the week right after PressNomics, so if anyone is flying in from —

PIPPIN: Where are you doing that again?

BRAD: In Vermont.

PIPPIN: All right.

BRAD: Yeah, if anyone is flying in from away for PressNomics, they can just stick around for the next week and hit up some snowboarding with us.

PIPPIN: Yeah, well, I’m going to try and make it up for that because I was pretty sad I couldn’t make it last year because that sounds awesome.

BRAD: Yeah, man. I hope you can. I hope you can make it this year.

PIPPIN: Sorry to jump back real quick.

BRAD: Yeah.

PIPPIN: What’s new in WP Migrate DB Pro 1.4, aside from the CLI add-on?

BRAD: There’s quite a bit. Internationalization is complete, so you can translate the entire thing. That’s a pretty big addition as well. Then, yeah, obviously the CLI add-on is —

PIPPIN: Is this the version where you added in the ability to pause migrations, or was that already there?

BRAD: Yeah, we did. We did.

PIPPIN: That’s such a cool feature.

BRAD: You can pause, resume, and cancel. We wrote a whole blog post about that and about all the other features as well.

PIPPIN: Does the pause and resume feature allow you to start a migration, pause it, close the window, come back later and reopen?

BRAD: No, that’s —

PIPPIN: Or is it only while the window is open?

BRAD: It’s only while the window is open. That would be pretty crazy.

PIPPIN: It’d be amazing.

BRAD: Yeah.

PIPPIN: Well, I wasn’t sure if you were storing some sort of persistent data in the database that says this is where we are.

BRAD: Right. No, it’s really basic. It’s just using the ajax and JavaScript stuff to keep track of how far along it is and stuff.

PIPPIN: Yeah. Still very cool.

BRAD: It’s pretty simple and that’s a good thing because you don’t want things to be complex because it’d be more likely to break in the scenario, probably.

PIPPIN: Yeah, totally.

BRAD: But one of the things I’m most excited about for this release is the compatibility mode thing. I think this might be a first. I’ve never seen this before, and we spent a lot of time trying to figure out this problem of other plugins that are installed conflicting with our plugin.

PIPPIN: Right. Is this where you’re modifying which plugins can run during your request?

BRAD: Exactly.

PIPPIN: That is so cool. I played with that feature two weeks ago using the beta version, and it seemed to work perfectly.

BRAD: Right, exactly, so just today, for example, a customer was having problems with Polyglot. It was a plugin that does translations. I think that’s the name of it. What we did is, you just check off the box that says I want to exclude certain plugins for requests that Migrate DB Pro makes, and then you choose the plugins that you don’t want to run, which should be really all of them in most cases. The only ones you would want to run is if you’re hooking into Migrate DB Pro or something like that.

PIPPIN: Right.

BRAD: Right.

PIPPIN: Yeah, I think when I tested it I just disabled all of them.

BRAD: Yeah.

PIPPIN: And so for that customer, did being able to disable Polyglot fix the issue?

BRAD: Yeah, totally.

PIPPIN: That’s awesome.

BRAD: We already knew it though. We kind of cheated because we knew previously from debugging with them that that’s what fixed it, disabling that plugin, just manually deactivating it.

PIPPIN: Yeah, but it still enforces the need for that option.

BRAD: Oh, yeah, absolutely. And we’ve had problems with other plugins as well.

PIPPIN: Yeah, if you can take care of a support request or a problem for a user with that feature, I think it’s absolutely worth it.

BRAD: Yeah. This is almost like a pilot the way we’ve implemented it because I could see this being just the way it works in the future, you know.

PIPPIN: Mm-hmm.

BRAD: And just not activate any plugins for our requests because it’s a huge improvement for performance if you have big plugins running like WooCommerce.

PIPPIN: Because WP Migrate DB Pro is such a specialized system and a specialized plugin —

BRAD: Right.

PIPPIN: — I wonder if it’d be, at some point, advantageous to automatically disable all other plugins for your request, but then have a way for plugins to register as WP Migrate DB Pro plugins in a way.

BRAD: Yes. Yeah, exactly.

PIPPIN: Basically a plugin would register support, and if that plugin registers it, you don’t disable that one.

BRAD: Exactly.

PIPPIN: Because what you don’t want to do is to automatically disable all plugins and then find out, oh, well, this plugin was supposed to run because it’s modifying the requests in a way it’s supposed to.

BRAD: Exactly. Exactly. And another step, sometimes themes conflict with our requests as well. For example, they might output some errors. Right?

PIPPIN: Sure.

BRAD: And that screws up ajax requests because the ajax requests —

PIPPIN: Oh, notices or errors of any kind in ajax are a real pain.

BRAD: Yeah, because ajax is usually returning json, right, and so it corrupts the json and game over.

PIPPIN: Yep.

BRAD: Yeah, we’re going to try to exclude themes as well. But, at the same time, we want to be careful because some people might be using hooks in their theme as well, so we just need to be a little cautious there.

PIPPIN: Sure. I think this is really, really cool, and I think it shows a lot of not just refinement and polish to the product, which it very clearly does, but I think it also shows that there’s a lot of experience with really small nuances in development and problems that have been encountered in development over however long you’ve been developing, so basically in your experience as a developer. I think that this level of a polish and these things that you guys are thinking about shows that there’s a lot of that experience.

BRAD: Yeah.

PIPPIN: A few weeks ago, we got a cool topic request from Sami from Foxnet Themes who, if you’re listening, you may remember he was kind enough to sponsor an episode a few months ago. He asked a question about if we would be willing to talk about some of our biggest failures in development as developers. I think this is a really good segue because having that level of refinement, thinking about those deeper issues in development to me indicate that you’ve had those experiences. You’ve had some failures where you learned the hard way, maybe, or you learned different things that can really make an impact.

BRAD: Yeah.

PIPPIN: Do you have anything that you would like to share about some of the things that maybe, whether they were failures in development, failures in technique —

BRAD: Yeah.

PIPPIN: — over the last few years, something, anything at all?

BRAD: Well, I’ve got a pretty good story. It’s from ages ago. I think it was 2000 or 2001, right, so I don’t know. Some of you might not have even been born then.

PIPPIN: I was not writing code then.

BRAD: I was on a co-op work term at a company called SmartForce, and they were an e-learning company. I was on the team that was coding up the learning management system. I don’t know — my manager asked me to do something, and so I whipped something up, and then I sent it off to him.

It was wrong, or didn’t work, or whatever, and he sent it back to me. And so I fixed whatever. I took another crack at it and then sent it back to him again. And then he sent it back to me again. And I did the same thing again, back it came, and that time he lost it at me. He basically reamed me out because I was using him as my tester. He was doing all the testing. I was doing none, right?

And so that, I learned — I still remember this. You know, it’s been over ten years, and I remember it very clearly that that’s when I decided, okay, from now on I’m going to test, you know, and then test again, and then test again myself, right? And I think that has helped me become a better developer, especially when I’m releasing code because, after that, when I’d release code and people would come back, it’s the same kind of thing, right? That’s a reminder, oh, yes; I should do more testing. Right?

PIPPIN: Absolutely. That’s not even necessarily just testing crazy edge cases.

BRAD: No.

PIPPIN: That’s just doing general testing of whatever it is you’ve built.

BRAD: Yeah. I think there’s almost an arrogance with developers sometimes. I know there was with me anyway where it’s like, oh, this is a simple, little fix. I’m just going to code it cowboy style and then ship it, and there’s no way there’d be a bug with that. Right? That’s the attitude that I used to have.

PIPPIN: Guilty.

BRAD: It’s a terrible attitude because there are a lot of times where you’re going to be wrong there. It may seem like it’s simple, but it may affect other things that you’re not thinking about.

PIPPIN: I learned that lesson the hard way for sure. I learned it mostly in doing plugin support for paying customers where maybe there was a bug in a plugin or I was doing a little bit of custom work for them or something. And so I would log into their site and fix it in line editor.

BRAD: Uh!

PIPPIN: And hit update. And guess what? White screen. And, unfortunately, when I was first learning that that’s just a terrible way to do it, especially if you have alternatives, was before WordPress would do a check and look for fatal errors.

BRAD: Right.

PIPPIN: And so if you fatal error a plugin, guess what? The site is dead.

BRAD: Yeah.

PIPPIN: I don’t know how many customer sites I killed by doing that. More than I care to think about.

BRAD: Right. Yeah. I mean that’s how you learn that it’s a bad thing. Right? You know, people are going to hear us saying these things, and this might be the way they operate right now. But at some point something is going to go terribly wrong.

PIPPIN: What’s interesting, I don’t think anybody is ever going to be — I mean, at least I hope. Most reasonable developers are not likely to go and try and claim that it’s smart to do it this way, to jump in with cowboy coding like that and just run untested code. But what I think a lot of developers that do do it, they fail to see where it’s really a problem. I think they’ll acknowledge that it’s probably not the best idea if they have alternatives, sure. But is it really a problem?

But I think it’s something that people have to learn for themselves. You can have someone tell you over and over, “Don’t do it this way. Here is something better.” But it’s not really going to sink in until you have that unfortunate experience where your boss just reams you.

BRAD: Right.

PIPPIN: Or you have that experience where you kill a customer site and they’re furious with you.

BRAD: Right.

PIPPIN: In order for some of those practices to really set in, I think you have to learn trial by fire sometimes.

BRAD: Yeah. And there’s a really great way of doing that is by releasing code on .org or — yeah, I mean that’s a great way because if you update the plugin there and, you know, a few hundred people, maybe, let’s say, get the update, and it’s taken down their site, they’re not going to be happy. They’re going to let you know. Right?

PIPPIN: Yeah. I mean, unless you just don’t care at all, it’s going to affect you in some way.

BRAD: Right.

PIPPIN: And most likely it’s going to make you think, okay, I don’t want to repeat that experience, so what do I do now to ensure that I don’t?

BRAD: Exactly. Yep. And, I mean, if you’re selling something, if you’re selling a plugin, you release it, and it breaks, I think that’s even worse because there’s an expectation from customers that what you’re shipping is going to work that’s been tested really well.

PIPPIN: Yeah, absolutely.

BRAD: And might have even been released as a beta previously. So I think releasing code that you’re selling is also another good way to do this. There’s a different dynamic at work there for sure.

PIPPIN: Yeah, certainly. I know that I learned the hard way from, like, the importance of testing, and I’ve struggled with this with some people. Actually, I think any time that you work with other people, you struggle with it because if anyone ever commits something without testing it, and then you find a bug, you inherently want to say, like, “Well, why didn’t you just test this more?”

BRAD: Yeah, yeah, of course.

PIPPIN: And I think we have to be careful about maybe accusing other people of that because, if we look back on it, we realize I either do that or I did it that way for a long time.

BRAD: Yeah, exactly, exactly. I mean, sometimes the bug — maybe they did test it, right? Maybe they just missed it. That’s also a possibility.

PIPPIN: Absolutely.

BRAD: Yeah, you can’t be too quick to judge, for sure, when it comes to code. There are a lot of hang-ups, so anyways.

PIPPIN: Yeah. But I like the idea; I like going back and looking at mistakes that we’ve made as developers and looking at how they’ve absolutely influenced how we work today. I think, for you, some of that is very evident in the way that you build WP Migrate DB Pro and the level of polish, some of the things that you think about.

BRAD: Oh, yeah.

PIPPIN: And so if anybody else would like to share stories that they have, we would love to hear them. I know every developer who has built anything has a failure story at some point.

BRAD: Absolutely. And if you don’t, you’re lying. You’re a dirty liar.

PIPPIN: Yeah. That’s okay if you don’t ever want to talk about them.

BRAD: Yeah.

PIPPIN: I mean, I’m not going to lie. Some of the things that I did early on made me cringe so much that I would rather they never be known to the world, but —

BRAD: Well, I mean, you live and learn, man.

PIPPIN: Absolutely.

BRAD: Yeah.

PIPPIN: Go for it.

BRAD: Did you want to talk about Airplane Mode?

PIPPIN: Yeah. I’d like to give a little shout out to Mr. Andrew Norcross quickly. He wrote a little plugin recently called Airplane Mode. You can find it on GitHub if you go to github.com/norcross. You can also find it on Post Status. Brian Krogsgard wrote up a little post about it.

It’s a cool, little development tool if you do a lot of traveling, and you don’t have Wi-Fi on the plane, or you do a lot of local development where you don’t have Wi-Fi, or maybe your Wi-Fi goes out for days, as mine did recently. Whatever reason, if you don’t have an Internet connection, sometimes working in WordPress can be kind of painful because there are a lot of remote requests that run, actually, everything from Gravatar to Google Fonts to a couple of other things as well like update checks to .org, for example. Sometimes they fail nicely, sometimes they don’t, sometimes they just slow down because they’re waiting for HTTP requests to time out.

But anyway, this is a little plugin that Norcross wrote that the idea is the same way that you turn your phone into airplane mode, which disables all of the outgoing and incoming signals. You can do the same thing with your WordPress by using this plugin, and it will deactivate certain HTTP requests, deactivate update checks, deactivate Gravatar and any remote resources. And so it’s a cool, little plugin, so go check it out. It’s one of the ones that I really like, not necessarily just because of what it does, but because it’s solving a development problem, which I think solving problems in your development is really fun.

BRAD: Right.

PIPPIN: Building products and building tools is cool too, but then running into problems when you’re building those things and saying, oh, well, let me build something else that fixes that problem. I think this is a great example of that.

BRAD: Yeah. Cool. I’m going to check this out because I was just recently in this situation. I think it was on an airplane or something. What I ended up doing is downloading the Open Sans font that I needed to my local machine and then just commenting out the link, whatever, the link tag that includes it.

PIPPIN: What I’ve done a few times that also works kind of is if you turn your Wi-Fi off. For whatever reason, that actually works as well.

BRAD: Oh, yeah.

PIPPIN: But if you don’t turn the Wi-Fi off on your computer, it freaks out.

BRAD: Huh. Weird.

PIPPIN: Yeah. I don’t know why, but apparently all of the HTTP requests fail instantly if Wi-Fi is disabled.

BRAD: Hmm.

PIPPIN: At least in OS X.

BRAD: Interesting.

PIPPIN: So, anyway, it’s a cool, little plugin. Thanks, Mr. Norcross, for taking the time to write that.

BRAD: Yeah, for sure. So I’ve been hearing a lot about commoditization of WordPress themes. I’ve been hearing it since, I think, PressNomics this past October or maybe even before, and I’m still baffled that I have no idea what it means. Do you understand what people mean when they say that WordPress themes are becoming commodities? Does that make any sense to you?

PIPPIN: Well, yes and no. Initially — I don’t really agree with the title because, in a way, I think WordPress themes are designed to be products that are plug and play. You purchase it, you turn it on, and you’re done. To me, that is kind of the definition of a commodity in some way, I mean if you look up the literal definition of a commodity.

BRAD: I’m going to look it up right now. Here it is: A raw material or primary agricultural product that could be bought and sold, such as copper or coffee; a useful or valuable thing, such as water or time. Hmm. It’s pretty ambiguous.

PIPPIN: It’s a very different definition than I read. But I think the overall argument with it regardless, I guess, of what semantics tell us is that WordPress themes are in some way maybe using some of their–

Okay, if you hire a designer, and you hire a development team to build you a custom website, one of the things that you’re getting is supposedly a very unique setup, a very unique design, the layout, etc., or that’s the plan, a specialized one, whereas a theme is not.

BRAD: Yeah.

PIPPIN: Widely used. Just as an example, take the Avada theme. Everyone sees the Avada theme, and they know that’s Avada. Kind of like when you see 2012, you know that’s 2012. And I think that’s where some people are getting into saying that these themes, when they say that they’re becoming much more of a commodity. Now, to be honest, I don’t pay as much attention to the theme world, so I may be completely wrong on this.

BRAD: Yeah, you and me both. We probably shouldn’t even be — we’re probably not qualified to even talk about this.

PIPPIN: We’re not the right people to talk about this issue.

BRAD: But to me that word “commodity”, to me I think of — the first thing I think of is the financial report on the business channel where they’re talking about the price of crude and how it’s fluctuating and gold. Right? And the difference between those things and a theme, if you kind of — well, there’s obviously differences. But if you’re just thinking about it financially, I mean no one– If I buy gold tomorrow, no one is going to give me support or service for that gold. Right?

PIPPIN: Right.

BRAD: It’s a good that I can use as currency, basically, right? I don’t see people buying up themes to ward off the Great Depression. That’s not — that’s why I just don’t understand how it’s a commodity, how these things are a commodity. If WordPress themes all of a sudden had no support, like if you didn’t have to support them and you could trade them as currency then, yeah, I would be like, oh, yeah, they’re definitely commodities. But that’s not happening any time soon. I don’t see that ever happening.

PIPPIN: No.

BRAD: When is there going to be a day where a theme is never going to require support, right?

PIPPIN: There is an interesting discussion on WP Tavern. It started yesterday. Jeff Chandler wrote a post titled: Are the days of paying less than $100 for a WordPress theme over? And it was basically a list of a bunch of different articles that have talked about the state of the WordPress theme industry, are WordPress themes a commodity, on selling them, prices of themes, things with the GPL in themes, and a whole bunch of other articles that have been recently published about selling themes and the theme market.

One of the things that was brought up in the discussion of the article is how a theme, the definition of a theme should be something that you can just install, turn on, and you’re done. When you purchase a theme, there really shouldn’t be any after-purchase support. There shouldn’t be. There shouldn’t need to be is what several people like Chris Wallace were saying based upon the way that a theme works and what a theme is designed to do. Unfortunately, that’s not really the case. I mean, as any theme company knows or anybody that’s ever sold themes or anybody who has ever sold plugins even knows that there’s a huge amount of customer support involved with themes.

BRAD: I like what Chris is saying though in his article that the way they’re building their themes now, they’re really minimizing the possibilities of them having to provide support.

PIPPIN: They’re trying to attain that goal where you don’t have support.

BRAD: Right.

PIPPIN: Where you don’t need it. And I love that idea.

BRAD: But I think the only way that that’s going to — you know, you can get the percentage down, right, like you can say we really decreased our support requests, right? But to get it down to zero, I think you’re going to have to pretty much ban plugins, right, because plugins are going to affect your theme regardless.

PIPPIN: Absolutely. The thing is, you have 40,000 plugins out there. There’s going to be a bad one.

BRAD: Right.

PIPPIN: I think this is why WordPress.com doesn’t have nearly as much theme support. But what’s interesting is that even on WordPress.com, the theme authors still do customer support questions.

BRAD: Right, right.

PIPPIN: What I mean is that even in a setup where you don’t have plugins at all —

BRAD: Right.

PIPPIN: — there’s still customer support.

BRAD: And it’s not just plugins. I mean that environment is highly restricted, right?

PIPPIN: Yeah.

BRAD: Those themes are almost completely different, right?

PIPPIN: Right. Now I would suspect that the kind of customer support questions you get on .com are completely different than on a self-hosted theme site simply because there’s not nearly as many variables that come into play. I would love to see if Chris Wallace — I know you’re the person that said that where I read that comment, so if you’re listening to this, by the way, I’d love to know what kind of questions you get, or anybody else who sells themes on .com.

BRAD: Yeah.

PIPPIN: I’m kind of intrigued by that. Are they questions about, hey, I don’t know how to change a color? I don’t know.

BRAD: Yeah.

PIPPIN: I’d be very interested to hear what those are.

BRAD: I bet’cha they’re very different. That would be my guess is that they’re quite different.

PIPPIN: My guess is they’re very different and that they’re probably much simpler.

BRAD: Right. At what point are the theme authors — so WordPress.com must provide their own support for the platform, so at what point does the support request get kind of offloaded on the theme author?

PIPPIN: Which…? Yeah, I don’t know.

BRAD: Yeah. See, we need to have someone on to talk about this, clearly.

PIPPIN: Yeah. There’s a good topic for us.

BRAD: Yeah.

PIPPIN: Some of the comments on the WP Tavern post, I mean the idea was: are we going to stop paying less than $100 for themes? A couple of people said, “You know what? If I get a well coded theme that just works, I have no problem paying $100 for a theme versus $30.” Other people brought up the point that, well, you shouldn’t be paying for good quality versus bad quality because, if you’re buying something, it should be good quality, period.

BRAD: Right.

PIPPIN: Which I think is a very fair point.

BRAD: Yeah. I mean right now a lot of that cost —

PIPPIN: In other words, your theme shouldn’t be priced higher because it’s minimal and good quality as opposed to somebody who is priced lower just because it’s poorer quality.

BRAD: Yeah, right.

PIPPIN: That’s kind of a crappy way to do pricing, to be honest.

BRAD: I don’t know. It depends. I don’t know. For me, like Chris Wallace’s article was excellent because he was talking about niche themes and stuff like that, and I think that he has a great point there that that’s really how things are going. And I think, if you are building a niche theme that’s kind of specialized, right, then I think something like that does warrant a higher price tag because it’s a specialized thing, right?

PIPPIN: Certainly, but the price is based upon the focus of the theme, not how well you wrote your CSS in the theme.

BRAD: Right.

PIPPIN: That’s basically what one guy was pointing out in the comments.

BRAD: Right. Hmm.

PIPPIN: In general, I think I completely agree with him. Now that does not mean that I am — okay, let me put it this way. I am much happier paying a premium for a quality theme than I am paying the same price or less for a less quality theme. But are you — was the price of that theme from the author determined to be higher because it was a better CSS or better PHP? Does that make sense?

BRAD: Right. I’m not even going to talk about pricing because pricing is really crazy. I mean there’s psychology around pricing. If you have a higher price, some people will come to you purely because they believe that a higher price will get them higher quality, right?

PIPPIN: Right.

BRAD: Which is not necessarily the case. You might just be higher priced because the guy arbitrarily chose a higher price. So, yeah, I’m not even going to start getting into that. Should we talk about TimThumb and the crazy security alert?

PIPPIN: Yeah. Let’s mention that real quick. Anybody who didn’t know, TimThumb has been, unfortunately, once again, discovered to have a major security flaw in it. Did you read about it, what the flaw does?

BRAD: I haven’t even read a thing about it. I just saw it and was like, eh, that’s old news.

PIPPIN: The good news is that the flaw only affects people that have actually turned on a specific feature that is disabled by default, which is good. It doesn’t necessarily affect every single person using TimThumb. However, if it’s enabled, it’s what’s called their Web shot feature. If it is enabled, it allows someone to execute a pretty simple command to execute any arbitrary PHP they want.

BRAD: Yikes.

PIPPIN: Yeah, it’s a pretty big deal. Somebody actually showed an example of how it works, and it’s basically a single request to the TimThumb file, and it allows you to, I think, basically put in either the location of a PHP file or put in straight PHP and then execute that. Once you can do that, you can do anything you want, so it’s a pretty big deal.

BRAD: Right.

PIPPIN: TimThumb, unfortunately, has a pretty negative history of having some vulnerabilities in it.

BRAD: Yeah.

PIPPIN: Which is kind of unfortunate because I think the script itself is really cool.

BRAD: Yeah. I think the big problem with TimThumb is that it gets bundled into things, and then it never gets updated.

PIPPIN: And never updated, yeah.

BRAD: Right, whereas WordPress has a fair number of vulnerabilities that come out, but they get dealt with really quickly and updated quickly, whereas TimThumb is not necessarily easy to do that, right? For example, if TimThumb was included with your theme, well, does updating TimThumb bust your theme? Who knows?

PIPPIN: Right.

BRAD: So it’s really up to the theme author to update TimThumb and then do a new release, and sometimes that just doesn’t happen.

PIPPIN: And then hope that every single one of your customers or users update.

BRAD: Right, right.

PIPPIN: Which we both know as a reality is not going to happen.

BRAD: There are a lot of things that are probably not going to work out in that whole string of events there, right? Yeah.

PIPPIN: That alone is one of the reasons that I try to avoid scripts like TimThumb or external libraries that are not necessarily going to be vulnerable, but that you do need to keep updated and be very aware of. I’m not saying that you should avoid them. I’m just saying that you should be very cautious about just including them just because they’re nice or that they solve a problem. You have to think about the bigger picture of, okay, what if this fails? What are we going to do?

BRAD: Yeah. The sequence of events we just discussed, we’re talking about TimThumb, but it could be a different script that was bundled with the theme that has a vulnerability that isn’t getting updated, right? It’s really a symptom of that whole process. Yeah, I don’t know. I think the onus is on the theme author to make sure that they update their libraries that they’re including and then get those updates out to their customers and get them updated, really.

PIPPIN: Right. Unfortunately, you’re not going to be able to get every single customer updated because either some people aren’t going to see the notifications, they’re not going to read and figure out why it’s important.

BRAD: Right.

PIPPIN: But as product creators, it is our responsibility to at least ensure that we’ve done everything that we can.

BRAD: Yep, absolutely. Cool. Well, so we don’t have any new iTunes reviews, but we would love to get some.

PIPPIN: That would be awesome.

BRAD: If you are consuming this podcast through iTunes, if you could just go on there and click on that right most star for us, that would be cool. We’d appreciate that.

PIPPIN: I think that pretty much wraps us up for the day, but I would love to send out another invite to anybody that wants to tell us about a development failure that has affected how they work today or things that they keep in mind, whether it’s how much you test or the way that you work, the tools you use, etc. I’d love to hear about those. And I think it’s something that I would also love to have ongoing throughout Apply Filters because I think learning from failures is one of the best ways that we get better as developers. And so if that’s myself or Brad telling a story of where we failed or hearing from the listeners and then sharing that story, I think we can all learn from other people’s mistakes as well, so anybody who wants to share, here’s an open invitation.

BRAD: Absolutely. To do that, it’s probably best to submit a topic idea, so go to ApplyFilters.fm, click submit topic idea in the header, fill out that form, and we’ll get it.

PIPPIN: Yep. You’re also welcome to leave a comment on one of the episodes, if you want.

BRAD: Sure.

PIPPIN: Either method will work fine. However you want.

BRAD: Depends if you want this public or not.

PIPPIN: Yeah. By the way, if you want to tell us a story, let us know if you want your information publicly released or not. We have no problem keeping things private, but we will also mention who it came from if you would like us to.

BRAD: Perfect.

PIPPIN: Thanks, everybody, for listening.