March 17, 2015
In episode 36, we discuss our recent projects, past and upcoming WordCamp trips, the benefits and disadvantages of PayPal Express, making active blogging a part of our teams’ routine, separating team members’ responsibilities in projects, security updates, and more.
This episode was sponsored by WP Ninjas, the creators of Ninja Demo and the highly popular Ninja Forms plugin.
Show Notes:
- Easy Digital Downloads v2.3
- Sneak peek of Amazon S3 & Cloudfront Pro
- Plugins, Automatic Updates, and the Average WordPress User (post by Morten Rand-Hendriksen)
- Understanding WordPress Plugin Vulnerabilities (post by Sucuri)
- Our recent blog posts:
  - Delicious Brains:
  - Easy Digital Downloads:
  - AffiliateWP:
- WooCommerce URL Coupons code for deliciousbrains.com
- Ninja Forms 2.9 – Improving User Experience
- Review us on iTunes
PIPPIN: Welcome back to Apply Filters, Episode 36. Today we’re going to mostly talk about some things that we’ve been working on. We’ve got a couple of main subjects to hit on, as well as a little bit of a discussion on some recent security things related to plugin releases. Why don’t we just go ahead and jump right in? Brad, tell us what you’ve been working on.
BRAD: Yeah. Well, we’ve been working on our Amazon plugins, the release that’s coming up for Amazon S3 and CloudFront plugin.
PIPPIN: Is the release getting closer and closer?
BRAD: It is, but there are still lots of work to be done, and so we’re still probably a couple months out, it seems. I think I said that the last episode, so we’re not big on release dates, but we’re pushing forward. Definitely things are getting done, so that’s always good, right?
PIPPIN: Sure. Do you find that you set a release date once you kind of have a more definitive timeframe in mind?
BRAD: I tend not to because here’s the reason I don’t like release dates. If you set an arbitrary date, and it is arbitrary, you always hear about engineering projects going over budget and it was supposed to take one year; it takes three years. It’s because there are people that are setting the deadlines; it’s just arbitrary. They just pick a date — we want it by then — and it has nothing to do with how long it should take.
PIPPIN: Right.
BRAD: I find, with these kinds of projects, there are just so many unknowns that you don’t even know that you don’t know yet.
PIPPIN: I don’t 100% agree or disagree with you. I kind of like release dates, mostly just for the reason that I think it gives you a target, and maybe it’s because I’ve always worked better under pressure. I feel like once I have a deadline or whether it’s an arbitrary deadline or something like that set up, I tend to work better because suddenly there’s a goal in sight. It’s, by March 15, we’re going to have this done or we’re going to reassess.
BRAD: Yeah.
PIPPIN: But that might just be how I function.
BRAD: Well, it’s a good point, and it might be, in the future, better for my team to have a date to be working towards. I’m not sure. That might be something we experiment with in the future. What I’ve found for me personally is that it ends up being a quality issue. I will force — if it needs to be done by a certain date, I’m going to start cutting corners when the date gets closer.
PIPPIN: Sure.
BRAD: I don’t like that idea. I don’t like cutting corners when you’re trying to build a solid foundation for something that you’re investing in for the future.
PIPPIN: Yeah.
BRAD: And so, I think that’s really the reason that I avoid…
PIPPIN: Yeah, I absolutely agree with that. For us, we set a release date for all of our releases, or at least the major ones. But, if that release date has to be pushed back, that’s going to get pushed back before we’re going to try and cut a corner.
BRAD: Right.
PIPPIN: There’s no such thing as a hard set release date for us, at least for how we do it right now, just because if you tell me that this has to go out in 24 hours and it’s not ready, yeah, we’re going to cut corners then.
BRAD: Yeah.
PIPPIN: That’s what we definitely don’t want to have happen.
BRAD: The due dates I’m used to are from client work where there’s a marketing team that’s going to do a big advertising campaign launch on such and such a date, and so the website has to be ready by that date or the marketing campaign will be driving traffic to nothing. It’s like this doomsday date. If we don’t hit it, we’re screwed. What you just described makes a whole lot more sense where it’s kind of a more flexible due date, right?
PIPPIN: Right.
BRAD: We’ve also been working on the multisite tools add-on for Migrate DB Pro.
PIPPIN: Give me a quick overview again of what that’s going to have.
BRAD: You’re going to be able to export a sub-site. The first release will allow you to export sub-site–
PIPPIN: Will that allow you to–?
BRAD: –as a single site.
PIPPIN: Ah, that’s exactly what I was just going to ask.
BRAD: Yeah.
PIPPIN: That is so cool.
BRAD: You’ll be able to import it as a single site install.
PIPPIN: That’s such a cool feature.
BRAD: Yeah. That’ll be pretty handy.
PIPPIN: I’ve had cases where I had a multisite network, and I really wanted to take one of the sites out and make it its own dedicated site. Doing that is just painful.
BRAD: Yeah. Yeah, it is. We have a guide right now that really makes it a lot easier, but we’re just going to take that one step further. It’ll just be a couple checkboxes and click the button.
PIPPIN: Awesome.
BRAD: You get your sub-site pumped out as an SQL file, so that’ll be pretty awesome, I think. We’re also experimenting with changing the table prefix in this.
PIPPIN: Like during the export process?
BRAD: Yeah, because you have to with sub-site because sub-sites have an underscore and a number.
PIPPIN: Yeah, like wp_13_posts.
BRAD: Yeah, exactly. People are going to want to change those. There’s no doubt in my mind, so we’re going to allow them to change the table prefix and hopefully we can perfect that and then port it to the rest of the plugin–
PIPPIN: Excellent.
BRAD: –so that you can change the prefix….
PIPPIN: How are you handling — when you export a single site from a network, obviously you’re pulling that site’s tables: wp_posts, wp_postmeta, all of those ones. Then what do you do with the shared tables? The users table, for example, is shared for all sites on a network.
BRAD: Yeah. Well, we allow you to export those, and we just treat them as — well, so you can exclude them, so if you don’t want to export your users tables, you can just exclude those and then maybe you set up a single site install somewhere else, and then you’ll just use those fresh user tables and just overwrite all the other tables.
PIPPIN: Okay. Cool.
BRAD: That’s one way you could do it, or maybe you want all those users.
PIPPIN: Sure.
BRAD: Then you have to go through them manually and delete the ones you don’t want – something like that. It really depends on what your goal is.
PIPPIN: Yeah.
BRAD: Yeah.
PIPPIN: Got it. That’s very cool.
BRAD: It’s flexible enough that you can do what you need to do, I think.
PIPPIN: Love it.
BRAD: Yeah, we’ll have some documentation for that for sure.
PIPPIN: Do you have a rough idea of when that will be out? Are you thinking a week, three weeks?
BRAD: Actually, we’re testing it right now.
PIPPIN: Sweet.
BRAD: It’s really close. Ian has been working it. New Zealand Ian, he’s been working on it, and we’ve been giving him lots of pretty good feedback, I think, and kind of pushing him to make it better. I think it’s in a really good spot right now.
PIPPIN: That’s awesome. I can’t wait to see it.
BRAD: Yeah. Then we’ve also been pumping out blog posts. It’s something new we’ve been doing this year. We started kind of, like, all of our blog posts to date have really been release blog posts like, “Here’s a new release and what’s new in this new release,” and then that’s it. That’s our whole blog, right?
PIPPIN: Right.
BRAD: We started to actually produce original articles around WordPress and just development that our customers would be interested in, basically.
PIPPIN: That’s all under the Blog on Delicious Brains?
BRAD: Yeah, yeah, so DeliciousBrains.com/blog. I wrote a post about GUIDs in WordPress, so there’s a GUID column in the posts table, and so I wrote a post about what that is and why you shouldn’t touch it, et cetera.
PIPPIN: What’s the real reason for the post? Did you find that it’s just something you want to do because maybe it’s a form of giving back, or is it a business strategy for you?
BRAD: I think it’s both. I can tell you it’s done a lot for our traffic to our site, so it’s helping in that respect, and I was hoping that would be the case. There was definitely a strategy there. But, it’s also a good way to give back. Our customers, if you go to our blog and you take a look at the comment sections, people are really responding to it. They love our posts.
And, we’re really investing. I mean we’re not farming these out to a writing agency or something and they’re just writing some drab articles that aren’t for developers. We’re all developers, and we’re writing for developers, so it’s pretty high quality blog posts. I think that’s why people are kind of responding to it.
PIPPIN: It’s a nice way to be able to help establish–I don’t want to say–a sense of authority.
BRAD: Credibility.
PIPPIN: Credibility: that’s the word I was looking for.
BRAD: Yeah.
PIPPIN: As opposed to these guys build this cool product called WP Migrate DB Pro. Well, what do they really know about WordPress in general?
BRAD: Yeah.
PIPPIN: I think this really helps to establish some of that for people that don’t necessarily know who you are already.
BRAD: Absolutely. A couple more examples of posts, so Ashley wrote one about hosting WordPress yourself. Ian in the UK wrote one about a tour of the WordPress database, so he goes through all the tables, explains what they are, and all the columns and everything. He just put one out last week about multisite as well.
PIPPIN: Very cool.
BRAD: Yeah.
PIPPIN: I know you and I talked about this in our pre-show before the last episode a couple weeks ago, and I don’t think we talked about this in the episode much. You told me that you were starting to do this, and I thought it was really, really awesome. I realized that maybe we should do this, and so we did. We started doing it as well. In the last two and a half weeks, three weeks since our last episode, we’ve managed to push out, I think, five or six posts across two different sites.
BRAD: Wow! Holy shit!
PIPPIN: It’s been awesome so far.
BRAD: Yeah. What are you blogging about?
PIPPIN: We’ve got a couple of things. We’re keeping it a little bit closer to the products as opposed to a little more generalized than WordPress. I do want to branch out more.
For example, we had one; Sean wrote about how, if you want to integrate with one of our primary extensions, which is called Front End Submissions, and you want to do some custom stuff on that, dealing with post meta fields. Here’s kind of a walkthrough, a general overview of how you can do this, how this works, which was the weird mesh between a tutorial and a blog post, but it was really good. It’s been received very well.
Then we’ve done two related to MailChimp. Both Affiliate WP and EDD have connections to MailChimp in terms of adding customer data or subscribing your affiliates or emailing your affiliates through MailChimp, et cetera. We did one about how you can put subscribers directly into specific groups within your MailChimp list.
BRAD: Right.
PIPPIN: Maybe you have three different groups in your list and you want to separate them. You can do that based upon what they’ve purchased, and so we did that.
We did another one. Andrew wrote one about how you could take your affiliates from your website using Affiliate WP. We did this actually kind of for any affiliate program. Then how you can import those into MailChimp and use that list to actually email your affiliates. Instead of emailing your customers, you can actually email your affiliates. If you have promotional material or you have a new product coming out and you want to send this information to your affiliates to help them promote it, this was kind of a walkthrough on how to do that. But, it included a really crucial point, which is how to use merge tags in MailChimp to pull in affiliate specific data, like their affiliate ID, so you can build the referral links for them directly inside of MailChimp.
BRAD: Nice.
PIPPIN: And how you can do things like that, which can be really, really useful.
BRAD: You’re talking about the Affiliate WP blog mainly here, right?
PIPPIN: Right, so this one was Affiliate WP. The other MailChimp one was EDD, so we’ve been doing this on both.
BRAD: I see. Cool.
PIPPIN: People from both teams work on both projects, so they’re kind of intermixed for us.
BRAD: Have you considered blogging about affiliate marketing stuff or e-commerce kind of stuff?
PIPPIN: Yes. That’s the focus that we want to start getting into more and more.
BRAD: So not necessarily from a developer’s perspective, but from an affiliate marketer’s perspective or an e-commerce specialist – I don’t know who.
PIPPIN: Which is actually exactly the post that I wrote right after you and I discussed this two weeks ago, which was starting out very simple in terms of what are the fundamentals of running a successful affiliate program in terms of: you need to have a good system, obviously, to track them. You need to make it easy for your affiliates to do this. You need to do this, do this, and do this. Yeah.
BRAD: How long is it taking you? Have you figured out how long it takes you, on average to write an article, to edit it, and get it out, in total?
PIPPIN: Definitely it’s varying depending on who is writing it, what they’re writing on, et cetera. The MailChimp article for Affiliate WP took quite a bit longer, but to Andrew’s credit, we were traveling across the state. We were trying to use mobile hotspots while in the car while he was trying to write it, which makes things a little bit more difficult, and we were going to a conference at the same time.
BRAD: Right.
PIPPIN: Things like Sean just pushed out one for the importance of staging sites for e-commerce businesses, and I had no idea he was even writing that. He just said, “Hey, I wrote this up this morning.” I don’t know. It might have taken him anywhere from ten minutes to five hours depending on when he got up.
BRAD: Yeah.
PIPPIN: I find, for me, I like to write posts in one go. I like to sit down and finish it. Sometimes I’ll write one and then come back to it later in the day to kind of polish it off. But I would say anywhere from an hour to seven or eight hours.
BRAD: Yeah, it can take a serious chunk of time–
PIPPIN: Yeah, it really can.
BRAD: –to polish it off.
PIPPIN: I found that in my own blogging over the last five years or so that even sometimes a really short post will take you up to five or six hours to do, maybe more.
BRAD: Yeah, and I thought I just sucked at writing, and I’ve been reading this Ernest Hemingway – it’s Hemingway on Writing. It’s a book of his letters to people about writing, so him talking about writing. He talks about throwing away, like, he throws away ten times as much as he actually publishes.
PIPPIN: Interesting.
BRAD: His wastebasket is full of crumpled up pieces of paper. I’m like, huh, well, if a great writer throws away a lot, well, that’s probably good that I’m doing that too.
PIPPIN: Yeah, certainly.
BRAD: That’s why it takes so long, right? You write a lot that you throw away. At least I do anyway.
PIPPIN: I find that I will write up, like maybe I have an idea and so I’ll write a draft just kind of summarizing it. Then the next day, when I decide to come back to it, I throw the whole thing away and redo it.
BRAD: Yeah, yeah, that can happen. Yeah.
PIPPIN: But sometimes that’s necessary just to get the idea going.
BRAD: Yeah. Yeah. Yeah, I wish there was a better way. I wish there was an easier way, but that’s the process, I guess, to produce content.
PIPPIN: I think, so far, and you’ve definitely alluded to it. I think it’s a great idea having the whole team contribute posts on a weekly basis. We’ve set it up. We set up a Trello card for it.
BRAD: Yeah, so did we. Yeah.
PIPPIN: We’re trying to get — we want to get into a schedule where everybody posts at least one article a month. That way, between five or six of us, we can have somewhere between three and five posts every single month across the sites.
BRAD: Yeah, exactly.
PIPPIN: We’re still slowly getting into it. Sean is a beast, and Sean has done several. Then a couple others are in draft. But, overall, just the idea that we’re trying to get everybody consistently writing is good.
BRAD: Yeah.
PIPPIN: And I think it will help a lot.
BRAD: What tools are you using? I assume that you have a kind of review process where you submit the draft and everybody reads it?
PIPPIN: Yeah, it’s all in Trello. We have a general Trello board that we call our administration board for internal projects, and we have a list for blog posts. When somebody has one, if they have an idea, they can drop it into the ideas list. Then once they are ready for someone to look at it, they can push it over to, like, ready for review. Then anybody can give feedback on it.
BRAD: What are you using, though? Are you using Google Docs?
PIPPIN: Trello. We write the posts as a draft inside WordPress.
BRAD: Oh, so your drafts are right in Trello.
PIPPIN: No, we’ll write the draft in WordPress.
BRAD: Oh, in WordPress. Okay. Gotcha.
PIPPIN: Yeah. I’ve always told them it was kind of silly to write something in Google Docs or Word or anywhere else and then move it. To me, it just makes so much more sense to just do it directly inside WordPress.
BRAD: The Google Docs feedback tools, though, are super good, how you can just highlight something and then add a message to it.
PIPPIN: Yeah, I’ll give you that. That’s definitely true.
BRAD: Then you can have a conversation in the sidebar about that thing you highlighted, so it’s pretty solid for that. Then they have a newer–what’s it called–suggesting mode where, if you turn that on, you can start editing the document. It provides them as suggestions that the author can go through and then check yes or no to accept the suggestions. It’s pretty solid.
PIPPIN: That’s cool.
BRAD: It’s pretty solid.
PIPPIN: That is very cool.
BRAD: We were using that at the very beginning. Then we were like, well, why don’t we just do it in Markdown in GitHub and just use pull requests and feedback…?
PIPPIN: Then do you have one of the Markdown plugins for WordPress, and then you can just copy into Markdown?
BRAD: That’s the plan. I think I was lazy. We’ve only done it once, I think, and I was lazy, and I just produced the HTML.
PIPPIN: Those can work really well.
BRAD: What’s that?
PIPPIN: Mark Jaquith wrote one that’s really cool where it gives you a Markdown version of the editor. You drop it in and off you go.
BRAD: Yes, yes, yes. I think we’re going to try using that.
PIPPIN: That’s a cool idea.
BRAD: Yeah. Another nice thing about it is that we can upload images, like screen grabs or whatever that are going to go in, and we just link them from within the Markdown in GitHub.
PIPPIN: Nice.
BRAD: And they just show up in there.
PIPPIN: Yeah, that’s pretty sweet.
BRAD: Yeah, pretty good. What else is going on here?
PIPPIN: You have WordCamp Miami coming up pretty soon, don’t you?
BRAD: Oh, yeah, a couple months. I’ve been looking at houses. I finally booked a house for the team because we’re flying the whole team in for this. It’s the first time we’re going to meet in person.
PIPPIN: That’s awesome.
BRAD: And getting T-shirts printed up and business cards and all that stuff, so everything is pretty much — I keep thinking of new things to do because, when you’re doing something like this that you’ve never done before.
PIPPIN: Right. We just finished our first full team meet-up during Prestige Conf in Vegas. We rented a house out there, and it was a lot of fun.
BRAD: Yeah, it was good? It went well?
PIPPIN: Yeah, I think it went really well, just getting everybody in one place. It wasn’t absolutely everybody. There were a couple people that weren’t able to make it, but it was the majority. It was everybody that’s been on the team for a long time.
BRAD: Yeah.
PIPPIN: A couple of newer members weren’t able to make it, but it was awesome.
BRAD: What did you do? You had a house, right? What did you do for food? Did you order takeout? How did that work?
PIPPIN: We did a whole mix. The first day that we were there, we went to the grocery store and just bought a bunch of stuff for, like, breakfast and that kind of stuff. Then we just–I don’t know–did it on the fly.
BRAD: Yeah.
PIPPIN: One day we ordered a whole bunch of pizza. Then we went out to eat a couple of times. We spent enough time at the actual conference too that there was a solid–I don’t know–five meals or so already covered.
BRAD: Gotcha. Okay. Yeah, that’s what I was thinking for us too.
PIPPIN: I would definitely go to the grocery store and get some of the essentials.
BRAD: Yeah, breakfast stuff. You have to.
PIPPIN: Yeah.
BRAD: When you wake up and there’s no food, it’s devastating.
PIPPIN: That’s horrible. That’s the worst part of my week if that happens to me.
BRAD: Yeah. At least there’s got to be coffee, or people just go bananas.
PIPPIN: Which was actually a problem for us, and we learned this the hard way that, number one, don’t trust Pippin to not forget the coffee maker. Number two: Don’t count on the house having a decent coffee maker.
BRAD: Oh, crap. I just assumed that there’s going to be one.
PIPPIN: Ours ended up having a Keurig in it, but it was a little, tiny one that just barely worked. A couple of us are a little more picky on our coffee than most people.
BRAD: Ah, yes. Right.
PIPPIN: And so, K-cups are kind of terrible, in my mind. We took some fresh ground coffee, but it turns out that the Keurig there did not work with fresh ground coffee very well.
BRAD: Oh, it didn’t push it through or something, right?
PIPPIN: Yeah, it had the adapter, but for making a whole cup, you would get about a third a cup of coffee. It was sad.
BRAD: Yeah, that’s not good. You also went to WordCamp this past weekend, didn’t you?
PIPPIN: Yeah, Andrew and I. Andrew, who is from New Zealand, who came up during Prestige Conf in Vegas, is actually here for two and a half months just kind of working on site together, getting some face time, and so we drove out to WordCamp St. Louis, which is about an eight or nine-hour drive from where I live. We went out, and I gave a presentation on getting serious about backwards compatibility, and it was a good time.
BRAD: Nice.
PIPPIN: I think it went well. The organizers there, the primary one being Aaron Graham, did a phenomenal job and put together a good event.
BRAD: Nice. That’s cool. Nice. What else have you been working on?
PIPPIN: Recently, so there have been a few things. Some of this actually played in nicely with our WordCamp St. Louis trip. We just finished the EDD 2.3 release about a week and a half ago, a week ago – more like a week ago. Obviously we’ve been working through post release issues, which there always are some, and we’ve had two minor releases that we’ve pushed out, so we did 2.3.1 and 2.3.2 within a couple of days to fix – neither of them were really major issues. They were pretty edge cases that we ended up fixing.
With 2.3, we had a large update to our URLs, our file download URLs, so we introduced a new, signed URL system that makes the download URLs a lot more secure. I talked about some of this in our last episode, but it coincided nicely with WordCamp St. Louis because I was giving a talk on backwards compatibility, and so I was able to use the signed URLs as an example, both in terms of, hey, let’s look at how it was done, and also did it work.
WordCamp St. Louis was three days after the 2.3 release, so we were able to kind of look at it and say, well, we either failed or we did well. In this case we did well. We haven’t heard of a single report of a broken site due to signed URLs.
BRAD: Nice.
PIPPIN: Or a single download link, which is nice. It was fun to have that opportunity to kind of use it as a case study in terms of what could have gone wrong, some of the details about how we managed it, and stuff like that. Then immediately following that, immediately following the 2.3 release, we’ve been working on another large change that is also taking backwards compatibility into account with our software licensing extension.
We’ve had a problem for a year and a half now in that software licensing and Easy Digital Downloads allow you to create a bundle of products. Let’s say you sell five WordPress plugins, and you want to offer a developer bundle that includes all of your plugins at a discount. Well, when somebody purchases that bundle, they get a license key for each plugin inside the bundle, just like if they had purchased them separately.
That’s all well and good, but what happens when it comes to renewal time? Do you renew the bundle, or do you renew the individual items? Well, in our case, we didn’t support renewing a bundle, so you had to renew each item individually, which actually meant that your renewal cost was greater than the original bundle cost, normally.
BRAD: Oops. Yeah.
PIPPIN: Which, yeah, was kind of an oops and a “we should fix this” kind of scenario. Right after 2.3, we started really focusing on building and fixing that problem and allowing bundles to be renewed and then all of the license keys for the products inside of the bundle to be automatically renewed with that. That update is getting ready to go out, but it has to take into account all of the existing license keys that have been purchased and has to make sure that we run an upgrade script so that all of those previous bundled purchases properly support renewals because we changed the way the license keys are stored a little bit now.
BRAD: What if they want to only renew–?
PIPPIN: Renew one item in the bundle?
BRAD: Or, yeah, two or three, or something?
PIPPIN: What we’ve done, we’re actually generating a set of license keys now. We generate a key that is for the entire bundle. Then each product has a key as well. There are a few reasons for doing that, but we ended up using the post parent field inside of WP Post for that. We generate a license key for the bundle and then each of the child keys for the products, and then they each get the post parent set to the bundle. If you want to renew an individual item, all you have to do is detach it from the bundle and it becomes a standalone key.
BRAD: I see, so you can maintain the existing keys.
PIPPIN: That’s right. Let’s say they want to renew a single key, or they try to renew a bunch of keys. If it’s part of a bundle, it’s going to automatically add the bundle to the cart and then renew that. If they say, “Hey, I want to renew this, but I don’t want the bundle anymore. I just want this one product.” You can detach it from the bundle and then renew it on its own.
BRAD: I see. Okay. Cool. That’s cool.
PIPPIN: Yeah.
BRAD: Then there are all these other crazy scenarios that there’s really no point getting into it because you can’t cover, for example, if someone detached it, then they were like, “Oh, actually I do want the bundle. I forgot about this thing I needed in the bundle, so I want to refund the renewal of this one thing and then renew the bundle.”
PIPPIN: There are all sorts of little edge cases like that.
BRAD: Yeah. You can’t get them all, right?
PIPPIN: No.
BRAD: It would be so complex for the end user.
PIPPIN: Yeah, you do the best you can and then, for other edge cases, sometimes it takes a little bit of manual work.
BRAD: Yeah, exactly.
PIPPIN: All of this has mostly been the work of Chris Klosowski that he’s been doing for the last week and a half, which has been awesome. This morning and yesterday, I’ve been kind of going through and reviewing all of the changes and testing them out. It’s getting really, really close to being ready to go.
BRAD: Awesome. That’ll just go out as a part of your site, or does it need an update?
PIPPIN: It’ll be a two-part process. Number one, we’re going to put it up on the EDD website itself. Our licenses are managed through software licensing through the extension, so we’re going to test it ourselves on our own website before we push out the update.
BRAD: I see.
PIPPIN: We’ll put it on our site. We will run the upgrade routine. We have a couple of customers that are actually waiting to renew a bundle until we do this. We’ll go notify them and say, “Hey, you can do this now.” We’re going to actually kind of use that as a test, as a real world test, and then as long as everything goes well, then we will push it out to everybody else.
BRAD: Gotcha. Cool.
PIPPIN: That’s the way that we usually do things. EDD version 2.3 that we pushed out five, six days ago, that one actually ran on three of our live sites for three weeks before it was ever released.
BRAD: Right.
PIPPIN: Just as a way to test it in the real world.
BRAD: Cool.
PIPPIN: Yeah. Now you mentioned to me earlier that you’ve been doing some work on your site. Along with the blogging that you’ve been doing, you’ve been doing some actual improvements to the site.
BRAD: Yeah.
PIPPIN: What kinds of things are you working on?
BRAD: Well, it was the weirdest thing. I was at Big Snow Tiny Conf, and I was on the chairlift going up the hill. I get a phone call. I’m like, “No one calls me.”
I answered. It was PayPal. Some account exec asking me to upgrade our checkout to PayPal Express and, in return, they would reduce our rate, our per transaction rate. I was like, “All right, sounds good.” I looked into PayPal Express, and I was like, “Oh, I don’t know about this PayPal Express thing. It’s kind of weird.”
PIPPIN: The API is kind of wonky.
BRAD: Yeah. Maybe it’s not good. Maybe it won’t be good for our checkout, but I’ll push forward anyway. I think it is actually a better experience now.
PIPPIN: Is it live on the site now?
BRAD: It is, yeah. PayPal standard, the way it works is you fill in your whole order details and then, at the end, it bounces you to PayPal, and you log in or put in your credit card information on the PayPal site. Then you’re bounced back to the site, the original site, eventually, right?
PIPPIN: Right.
BRAD: PayPal Express is quite different. Usually there’s a PayPal Express button. They put it on a cart page, so instead of going to “Checkout,” you would go to “PayPal Express.” Then you choose your billing and shipping address that you probably already have stored at PayPal. Then you basically authorize the transaction on your PayPal account. Yeah, you would have to log into PayPal before you do that.
PIPPIN: Right.
BRAD: Then you authorize a transaction. Then it brings you back to the site to complete the transaction, to confirm it. But when it does that, it also brings all that billing and shipping information back with it, so you don’t have to fill anything out. It’s perfect.
PIPPIN: Which is really nice.
BRAD: I think it’s the flow that they’re kind of pushing–
PIPPIN: I’ll be really curious.
BRAD: –for mobile, because if you’re on a mobile phone, it’d be great, right?
PIPPIN: Oh, yeah, definitely.
BRAD: No credit card numbers, nothing, right? You just tap a few buttons.
PIPPIN: I would be really curious to know. My concern with PayPal Express has always been that it’s an extra step to complete the purchase. You authorize in PayPal, you return to your website, and you confirm the order there.
BRAD: Mm-hmm.
PIPPIN: I always wondered if there would be a higher drop-off rate due to people not realizing they need to complete the order or it’s just giving them one more chance to cancel out. Have you seen any of that yet?
BRAD: Yeah.
PIPPIN: Maybe you’re just not live long enough to know.
BRAD: Yeah, I’ll let you know.
PIPPIN: Okay. I’d be really curious to know.
BRAD: We’ll have those rates, those drop-off rates, I’m sure, in the future. Yeah, it’s just too early to know at this point.
PIPPIN: Sure.
BRAD: You know what? In two months’ time, we might be backtracking on this, but I think it is a better experience overall. My biggest concern is that people haven’t seen this enough yet, this flow, this different flow to PayPal, and they’re going to think that they’ve already paid, right?
PIPPIN: Right.
BRAD: When they get back to my site, they’re going to think they’re done.
PIPPIN: That’s an issue that I’ve seen. We have a PayPal Express add-on for EDD, and we’ve had people run into exactly that issue where their customer wasn’t sure, wasn’t aware, that they hadn’t actually paid yet. They got back to the checkout, they thought they were done, and they closed it.
BRAD: Right. Yeah, so we’ll see what the numbers say.
PIPPIN: I think that’s always the case when you just have to be very careful to make it very clear they’re not done.
BRAD: Yes. Yeah, I think that’s part of it too. We definitely have a few tweaks to make still to our checkout as well.
PIPPIN: I just went through it and it’s really nice looking.
BRAD: Yeah.
PIPPIN: Sorry for screwing up your rate by dropping it off.
BRAD: By dropping? What do you mean?
PIPPIN: I went through PayPal to….
BRAD: Oh, you bastard! You’re a bounce! Yeah. Oh, and also the other thing. We used to have the Stripe overlay, so when you would hit “Enter Payment Details,” or whatever, the Stripe overlay would pop up, and you’d enter your information into that little form. Then you’d submit it, and then it would go. But it was Stripe branded.
PIPPIN: Right.
BRAD: I’ve changed that to just be a standard, embedded form in our page.
PIPPIN: I would love to know what you find with conversion rates with that, if they are better or worse, with the Stripe at least, because we did a test on that with Affiliate WP. I think I’ve told you about this test.
BRAD: Yes, but I think it’s quite different though.
PIPPIN: It is different, for sure.
BRAD: Yes.
PIPPIN: Because ours was actually not on the checkout page.
BRAD: Yes.
PIPPIN: Ours was on the pricing page.
BRAD: Right.
PIPPIN: But I’m still really interested to know how that overlay or the lack of the overlay affects conversions. I really want to do it again, but see if I can test it where half the people on checkout get an overlay, half the people just get an embedded card form.
BRAD: Right.
PIPPIN: I think it would be a fascinating A/B test.
BRAD: Yeah, so just to be clear on how our checkout has changed, before what you would do is there was no credit card details in the main form, and you would hit the button as if you were kind of completing the order. Then the overlay would come up for Stripe.
PIPPIN: Right, which is definitely a strange experience.
BRAD: It is strange. It’s super strange, and we got quite a few people emailing us saying that they thought that they completed the order, it didn’t work and stuff, and what they had done. Who knows what they had done, but it was definitely foreign to them. And so, I think this is going to help a lot. It’s just part of the form. There’s really nothing different about any other shopping experience.
PIPPIN: Very cool.
BRAD: Hopefully it helps.
PIPPIN: It was a very smooth experience going through it just now.
BRAD: Cool. I hope everyone finds it smooth.
PIPPIN: Are you measuring the change at all?
BRAD: Yeah, but I’m not running an A/B test or anything.
PIPPIN: Sure.
BRAD: I’m just going to watch the rate.
PIPPIN: Just looking at … convert … or not.
BRAD: Yeah. Yeah, it’s only been a week so far, so it’s really pointless to look at the numbers yet.
PIPPIN: Yeah. Yeah, we’re running an A/B test right now for Affiliate WP, just a very simple one. We’re testing a headline on the main site, like on the homepage. We’ve changed the headline text to show three different versions. I keep looking at the results. I’m like, oh, well, that’s really interesting. Then I realize, oh, it’s only been running five days. Maybe I should just close it and ignore it for a while.
BRAD: Yeah, yeah, inconclusive, right?
PIPPIN: Yep.
BRAD: Yeah, yeah.
PIPPIN: You see those results, and you want to try and make a conclusion or jump to assumptions about it, but you really shouldn’t.
BRAD: No, because it’s telling you you shouldn’t.
PIPPIN: Yeah.
BRAD: Yeah, you’re using Optimizely, right?
PIPPIN: There’s a reason it doesn’t tell you which one is the winner yet.
BRAD: You’re using Optimizely?
PIPPIN: Yes.
BRAD: Yeah.
PIPPIN: Such a cool system.
BRAD: Yeah, it’s good. I also worked on URL coupons, which is really to check out, so instead of having a coupon form, probably just in a little over a month we’re going to remove the coupon form from our checkout. The only way you’ll be able to apply a coupon is using a URL.
PIPPIN: I’ve been interested in doing that.
BRAD: Yeah. We’ll see, though, because I feel like we’re probably going to get quite a few emails from people saying, “I can’t find the coupon form.”
PIPPIN: Right.
BRAD: But hopefully it’ll work. The real reason we’re doing this is because the coupon form, when people see it, they realize, oh, I should look for a coupon.
PIPPIN: Yep.
BRAD: Then they go to Google, find some cat pictures, and then you’ll never see them again, right? They go away, and they never come back.
PIPPIN: There’s another aspect to it, and this is one that we recently were digging into for Affiliate WP. You know how you have affiliate coupons a lot of times. I don’t know if you guys personally do them, but I know you’re probably aware of what they are.
BRAD: Mm-hmm.
PIPPIN: You have affiliate accounts, and they have a dedicated coupon code. If anyone uses that coupon, that affiliate gets a commission. There are great and bad things about them, but we discovered a problem with one of ours. We were noticing that it was being used a lot, which is fine. I have no problem. If they’re legitimately helping us get more customers, then I’m going to reward them for that. That’s part of an affiliate program.
BRAD: Yes. I know where you’re going with this.
PIPPIN: Yeah. We were looking at it, and I noticed that it had been used a lot, and so I started to be a little skeptical on it, but I went and looked at the account. I realized that the amount of traffic he had sent us, this particular affiliate, was extremely low, but the number of referrals was extremely high. It’s because they were using the coupon code.
BRAD: Yeah.
PIPPIN: Now, you have to look at him and say, okay, how are they finding that coupon code? It’s because they’re going to checkout, they’re seeing there’s the option to enter a code, they Google Affiliate WP coupon, they find it, and then they enter it.
BRAD: Yeah.
PIPPIN: Now is that necessarily a bad thing? Maybe, maybe not, but I’m inclined to say it is because, number one, we’re giving the customer a discount, which maybe it’ll convince more people to purchase that wouldn’t otherwise. But we’re also giving the affiliate a commission on one that they didn’t necessarily earn because they didn’t actually send us new traffic.
BRAD: Right, so you’re giving– Yeah, we have the same problem, so we pay out our affiliates 20% in commission.
PIPPIN: Yep.
BRAD: We give them coupon codes for 20% off, so essentially when both are–
PIPPIN: You paid 40%.
BRAD: –applied, it’s 40%, right?
PIPPIN: Yep, and that’s exactly our issue. In this case, it’s not that the affiliate has done anything wrong because they were given a code. What we ended up doing was we just emailed him and said, “Hey, here’s the scenario. Clearly this is not good for us, so we’d like to make a couple of changes. Here’s what we propose. Let’s let it sit for a month, and let’s reassess.” In this case, he was extremely friendly about it and completely agreed, and so we’ve done things like we asked him to go ahead and write additional reviews or blog posts about it to do more organic referrals.
BRAD: Right, to make up for it. Yeah.
PIPPIN: But it’s just something to be aware of, and so removing that coupon field on checkout is something that we’ve been considering for the exact same reasons.
BRAD: Yeah. It eliminates that problem, right?
PIPPIN: Right.
BRAD: Of going out and searching.
PIPPIN: And it would still allow the affiliate coupons to work. It just means they need to update it to preset it from a URL.
BRAD: Exactly, yep. Yeah, that’s exactly what we’re doing right now, so if you go; if you use a coupon URL, you get dropped off on our features, the Migrate DB Pro features page, and a little thing will slide down from the top in yellow that says, “Your coupon code has been applied.”
PIPPIN: Nice.
BRAD: Then when you get to the checkout–
PIPPIN: Does that work on any page of the website?
BRAD: It does, yeah. We did it that way on purpose.
PIPPIN: Is that a native feature in WooCommerce, or is that one that you built?
BRAD: We built it. There’s an add-on for WooCommerce that does a bunch of stuff that we didn’t need, and the code that we wrote is super simple. We just decided let’s just do it, do it ourselves. Maintaining it ourselves is a little bit easier than managing a plugin.
PIPPIN: Yep, it makes sense. Well, if you end up making that change in the near future, I would love to hear how that turns out.
BRAD: Yeah, yeah.
PIPPIN: Yeah.
BRAD: Well, we’re going to remove that form one of these days. I’ve already sent an email to our affiliates warning them that the coupon code field is going away and to use these new URLs, so it’s going to happen.
PIPPIN: Cool.
BRAD: Anyways, what else have you been up to?
PIPPIN: One of the things that we’ve been working on outside of code and development is, number one, ramping up our support team in terms of getting more people involved with it, even just part-time work. We’ve added two new people in the last two weeks: one specifically for Restrict Content Pro, and so he’s coming in to help us part-time, and then we’ve got another guy that just hopped on to join us for EDD support part-time. Just trying to spread the load out a little bit more, get more people involved, and then also adding another person specifically for maintaining documentation.
We’ve been aware that documentation is super hard to maintain, so we have always, always tried to kind of say, like, “Okay. Everybody, let’s help out with documentation.” The support guys, so this would be Sean, Andrew, myself, anyone else contributes some documentation, help update it, keep it up to date, but that doesn’t really work. It doesn’t work to have everybody do everything because everybody ends up with a focus.
Honestly, which is good because they should have a focus. They should really have their focus on what they’re best at. John is awesome in support. Sean is awesome in support. Sean is also awesome in documentation and site updates. Andrew is awesome in support, documentation. Chris is fantastic in development – all of these different things.
We’re trying to break it apart a little bit more and instead of saying, “Hey, Sean, this week can you work on documentation?” or, this week I’m going to work on documentation, or things like that.
BRAD: Right.
PIPPIN: We want to have someone dedicated to come on just for documentation.
BRAD: Give people a kind of ownership of things so that they can kind of take pride in it.
PIPPIN: Exactly. Yep.
BRAD: Yeah, it makes a big difference, I think.
PIPPIN: Yeah, so right now we’re working with Topher DeRosia part-time to do documentation, so he’s slowly getting ramped up on maintaining documentation, writing documentation for extensions that don’t have it, and we’re hoping in the near future that this might become a full-time position. But we’re just kind of playing with it for now and seeing how that goes. If it doesn’t end up happening within the next couple of weeks, it’s definitely something that’s going to happen in the long-term because there’s so much to do with documentation.
BRAD: Cool. Should we do a quick rundown of a couple news stories in the WordPress space?
PIPPIN: Yeah, definitely. What do you have for the first one?
BRAD: Well, there was kind of some hoopla about automatic plugin updates, so there was a security bug in the WordPress SEO plugin, right? Do I have this right?
PIPPIN: Yep.
BRAD: Yeah, which is super popular. I think it’s fair to say it’s used on the majority of WordPress installs, right?
PIPPIN: It’s definitely a really large number.
BRAD: Yeah, and so that being the case, it’s a big problem when there’s a security flaw in that software because it also affects the security appearance of WordPress itself, right?
PIPPIN: Right.
BRAD: A lot of people, if your website got hacked, they’d probably blame WordPress even though it was a flaw in WordPress SEO. The WordPress plugin team has the ability to push an update, force an update on all the installs, and that’s what they did. It just fixed this one little thing, but a lot of people felt this was a violation of their–I don’t know–confidence in the WordPress plugin team. I don’t know. People weren’t happy about it, anyway.
PIPPIN: There were definitely people that felt it was a breach of their privacy almost because they have a self-hosted version of WordPress and suddenly it’s kind of crossing the lines of what’s self-hosted versus what’s managed.
BRAD: Right.
PIPPIN: I will say I think it was the right move, and I fully support the auto updates.
BRAD: Yes, and I’m on the same page. There’s a great article that I’m in complete agreement with written by Morten Rand-Hendriksen. We’ll link it up in the show notes. I couldn’t have written it any better myself. It’s pretty much, I agree with everything he says in his article.
PIPPIN: Yeah, it’s superb. I think, for anybody who wants a TLDR is that really we can talk about all day how the automatic update was maybe a breach of trust–we didn’t give permission for it to happen–but what people tend to forget is that those of us that are outspoken in the WordPress community, those that speak up, those that have an opinion like this are a very small minority of WordPress users, maybe less than 1% of the users. The real user base of WordPress doesn’t care about updates, and not necessarily that they don’t care about updates, but they’re not in there managing their sites. They’re just using it to write their content.
BRAD: And they’re not listening to this podcast.
PIPPIN: Absolutely. That’s for sure. That’s who these updates are for is for the 99% of users that would be affected by a security flaw because their site probably wouldn’t get updated unless they already had someone else who was managing it for them. And, it’s really important to realize that we need to get these things fixed. If there is a security flaw that is really significant and that could have a drastic impact in a lot of different ways on a lot of sites, that needs to be resolved. When 99% of the sites out there are being managed by people that really are not necessarily paying attention to updates in WordPress, don’t really care because they’re running their own things, that’s what this is for. That’s what these updates are for, and I support it 110%.
BRAD: Yeah. I see it akin to like a push notification that there’s a hurricane coming or something.
PIPPIN: Yeah.
BRAD: That comes to your phone that you didn’t ask for, and you’re like, “Oh, it’s spam.” Well, yeah, maybe, but it sure is nice to know about that hurricane.
PIPPIN: Yeah, I totally agree. On the subject of security updates and such, there have actually been several updates recently for other plugins that had security flaws. Most of them related to SQL injection, and that includes WordPress SEO, Gravity Forms, Pods, MainWP, WooCommerce, Affiliate WP, et cetera. Actually, some of what I’m going to say here came from a quick conversation I had last night.
Yesterday, we discovered a bug in Affiliate WP, an SQL injection bug. It turned out to be a really minor issue because the only way it could be exploited was if you were already a full admin and logged into the website, which at that point you can do anything to the site anyway, so it’s much more minor of an issue.
We pushed out a fix for it anyway, though, and we posted about it. A couple of people came back with comments about, like, “Hey. It’s kind of concerning to see all of these different plugins pushing out security fixes. Are these developers, even high profile developers of WooCommerce, Gravity Forms, et cetera, are these people serious? Why are all these problems here?”
It’s the mentality that when you see the words “SQL injection,” you immediately assume this is a critical error, a critical problem. All these sites are vulnerable to these horrible issues, which is really an overreaction. Just because it’s an SQL injection does not mean that it can be exploited. It just means, in a perfect scenario, in this particular case where you have the right privileges, where you have access to this, you know how to do it, et cetera, it could be exploited.
Now, obviously there are some that are very, very real. But, the point that I’m trying to get to is that Sucuri, the security firm, published a really nice post titled Understanding WordPress Plugin Vulnerabilities. It goes on to this exact idea that we see SQL injection and just assume the worst, which is really not necessarily the best way to react. Instead, you need to look at what the actual issue is and how severe is it.
They run through how they actually score vulnerability, so I’m using what’s called the DREAD Score, which is: Damage, Reproducibility, Exploitability, Affected users, and Discoverability. It’s really: How much damage is it going to cause if it’s exploited? How easy is it to reproduce? Is it something that’s going to be exploited easily? How many people are going to be affected? And how easy is it to discover this bug? All of these updates, all of these plugins that had these updates recently, none of them even scored high, so none of them were even severe vulnerabilities.
BRAD: Not even the WordPress SEO one?
PIPPIN: Let’s see. I’m not sure. Actually, they gave it a low score in terms of it was not a very high priority.
BRAD: Interesting.
PIPPIN: Which is kind of interesting because it was considered a high priority, at least for the WordPress.org team because they pushed an auto update.
BRAD: Yeah.
PIPPIN: Now, I haven’t looked at the exact flaw in that one, so I don’t have anything else I can say on it.
BRAD: Yeah.
PIPPIN: I think it’s really important that we stay grounded when we see a security flaw, or we see SQL injection, or privilege escalation.
BRAD: Yeah. I mean, there are subtleties to it, right?
PIPPIN: Absolutely.
BRAD: It’s not just like the sky is going to fall.
PIPPIN: Yeah.
BRAD: The sky is going to fall if this and if that. There’s a lot of ifs, most likely.
PIPPIN: Yeah.
BRAD: Like in your case. If you’re a super admin, which means you already can destroy the site, so big deal.
PIPPIN: Yeah. Really, let’s say some malicious person wanted to go in and exploit the bug that we had in Affiliate WP. Sure, they can do that. But in order to do it, they have to trick a site admin into exploiting it, which really means that they probably already have full access to the site.
BRAD: Yeah.
PIPPIN: The exception to that is if they manage to get the admin to install another plugin that then exploited the vulnerability. That’s possible. But again, it’s still an action on the site admin required. It’s not like I can go to any website that’s running Affiliate WP and just exploit. I have to be logged in as an admin.
Anyway, for anybody who is interested, even if you’re not interested, I would suggest you go read both the post on understanding vulnerabilities from Sucuri and the one from Morten Rand-Hendriksen.
BRAD: For sure.
PIPPIN: Anything else you want to throw out, Brad, before we wrap up?
BRAD: I think we should wrap it up.
PIPPIN: Maybe we should give a quick shout out to our sponsors real quick. Once again, the guys from Ninja Forms are awesome. They’ve been an ongoing sponsor. They do some really cool things. They pushed out a couple of updates recently that had some really nice performance improvements, and they’re great.
BRAD: Yeah.
PIPPIN: Go check them out. Leave them a rating. Try their plugins.
BRAD: They had a nice blog post about that too. We’ll link that one up in the show notes too.
PIPPIN: Yes, they did. Thanks for remembering that.
BRAD: Yeah. All right, thanks, everybody.