Today I’m chatting with Gennady Kovshenin, a freelance web consultant and developer from Russia. In addition to being a first-class plugin developer, he also spoke at WordCamp Russia 2013. Read our interview below, where we discuss his favorite plugin, tea recommendations, and where he sees WordPress going in the next 2-3 years.

You can find Gennady on Twitter at @soulseekaah.

1. How did you get started with WordPress?

The first time I heard about WordPress I was working in marketing for a small company who decided to get a blog going on WordPress.com. After encountering limitations of their platform (custom design and functionality) I was assigned to look into alternatives. This is when I found out that WordPress was an open-source project and that it could be self-hosted. I wasn’t a programmer back then, but the company hired one to set WordPress up on their own servers.

Fast-forward several years, I was exploring programming starting with C and Python, eventually quitting my day job and moving to freelance projects, where I got into PHP and started exploring WordPress as a CMS, recommended by my brother Konstantin Kovshenin (who now works for Automattic). Learning as I work proved to be of great help in mastering WordPress, along with helping out beginners on #wordpress IRC, forums and WordPress StackExchange, and my blog.

2. What are you currently working on?

If I’m working on something related to WordPress, it’s almost always something backend-bound. I rarely delve into front-end stuff like themes and design, mostly plugins and systems of plugins. I often work with Gravity Forms addons, having written and published a couple of really useful ones I get custom Gravity Forms work requests several times a month. Right now I’m preparing for WordCamp Russia 2014, where I’m giving a talk on code profiling (speed measurement) in WordPress. I’m also finishing a couple of security audits for sites running a considerable amount of code in a WordPress context.

3. You’ve written for Smashing Mag. What motivates you to write and what do you enjoy writing about?

I enjoy learning by doing. To get a deep insight into WordPress I wrote several “internals” posts where I would read around a specific subsystem of the core code and try to explain it all in the form of a long blog post. By doing so I learn a lot myself and gather a much better understanding on a specific topic, while helping others out. I used to write a lot on my own blog, lots of WordPress-related posts among other programming topics. Most of my writing is motivated by some problem that I’m solving at that time, sharing my solutions with others and with future me (I frequently find myself referring to my own posts years later). I enjoy writing about low-level, sometimes obscure stuff, surfacing knowledge that can usually be gained by reading source code, knowledge that is not documented, or things I came up with.

4. Your Smashing Mag profile says you drink a lot of tea, what is your tea of choice?

I used to drink up to three litres of tea a day until I started running long distances. Due to its effect on my sleep my caffeine intake has since been cut down to nearly zero, with an occasional pot of green tea once a month or two. I’d have to say that my favorite is classic Oolong tea, this year I discovered Tai Ping Hou Kui which is on top of my list and only found in specialized tea shops around here. No sugar, no milk. I also like tea-like drinks like Rooibos and Lapacho.

5. Where do you go first to get your WP news, insights, and updates?

I’d have to say that most of my daily news comes from Twitter, where I follow many of the WordPress rockstars. I don’t have an RSS feed of favorite WordPress blogs, anything I read on WordPress is either because I stumbled on it on Twitter or I searched for it myself. I’m probably missing out on much, but that doesn’t prevent me from getting work done.

6. Can you tell us a little bit about the WordPress community in Russia?

This year I’m speaking at WordCamp Russia 2014 in Moscow for the second year in a row. Russia is only beginning to hop onto the WordPress train; most programmers pick Drupal, Joomla and Bitrix for content management systems here, which is a pity. WordPress is widely considered to be a blogging system, which is, obviously, untrue. Much of the offline community action is happening in Moscow, with frequent meetups and whatnot. Where I live pretty much nobody’s heard of WordPress (apart from friends or people I happen to have done work for) so offline meetups are non-existent. I have to drive a little over 800 kilometers (500 miles) to attend the nearest offline, unofficial WordPress event, or fly for 2.5 hours to Moscow to get some action. Overall WordPress is gaining attention and popularity bit by bit, so the community will only grow in the coming years.

7. What do you think will be the biggest challenge for WordPress consultants in 2014?

On the one hand, clients are beginning to understand how powerful WordPress is that they’re ready to build very advanced functionality on top of it. Thankfully, WordPress is almost always ready to handle the most complex of demands. On the other hand, WordPress appears to be so simple to start fiddling with that there’s an oversaturation of bad “programmers” out there. A lot of the code that I get to review is so horrendous that it ends up not working or working badly, giving WordPress a bad name with many clients. Pushing for WordPress to be part of a solution for a problem a client needs solved is a challenge. My “let’s use WordPress” is often followed by “but WordPress is for blogs”, “WordPress is constantly being hacked” and other cliches. Winning clients over takes a bit of patience and a lot of responsibility too.

8. And do you have any advice for consultants in that situation?

Well, first and foremost, believe in what you’re going to deliver and how you’re going to do it. While simple, WordPress is difficult to master and one bad architecture decision may end up in a system that doesn’t really work. So when pushing for WordPress make sure you’ve figured everything out. How the extra data is structured and stored, how well your code couples with the WordPress APIs, etc. When writing code on top of WordPress there’s no framework or standards per se, you pretty much do whatever you like while using the core functionality as much as possible so that your code is maintainable and clear. Once you’re sure that you can pull off a project on top of WordPress, reassure the client by destroying all common anti-WordPress myths. WordPress is not for blogs, more than 22% of the top ten million sites are powered by WordPress. WordPress is secure as long as it’s set up correctly (weak passwords, broken plugins), it’s a target for attackers only because it’s the most popular CMS in use. This should help consultants get clients on board.

9. If you were going to spend a weekend building a new plugin, what would it be?

There are so many plugins for WordPress that chances are it’s already been built. However, I’d look into building something security-related, a vulnerability scanner on top of something like RIPS. I know there are scanners based on whitelisting and blacklisting plugins and themes, but a static code analyzer would probably work better for custom code. So, yeh, I’d probably do that.

10. Favorite plugin?

Jetpack. It’s usually the first one I install and consider it to be a must-have, like Akismet. So many great features tightly packed together.

11. Least favorite plugin?

Not sure where to start. I’ve seen a fair share of bad ones. I guess I’ll simply refrain from naming any bad ones.

12. Where do you see WordPress going in the next 2-3 years?

I think WordPress is becoming more user-friendly, while still being packed with lots of neat features. Users are probably looking forward to inline editing, for example, which we’re bound to see very soon. Development-wise, it’s probably going to stay relatively unchanged, offering a lot of freedom for custom code and functionality with many new APIs (like the JSON API that we’re bound to see very soon) to further facilitate the development of fully fledged web-applications.

13. If you could change one thing today about WordPress, what would it be?

Although never a showstopper, the URL routing system (Rewrite API) is quite uncomfortable to work with and can get very confusing quickly, especially when custom post types, taxonomies are used. At times you end up inventing some sort of custom routing for pages with dynamic content. It’s often a source of issues and weird workarounds. I’m sure this will be worked on in the coming years.

14. What did I miss? Here’s your chance to fill in the blanks and add something you want people to know about you!

I’d love to talk a bit about security in WordPress. On its own, WordPress is very secure, the environment, however, is oftentimes not. The environment includes outdated server software, weak user passwords, custom PHP code (downloaded plugins, themes). Sites that get hacked don’t get hacked because they’re running WordPress, they just happened to. The vulnerability lies outside of the core code and is often the result of either bad server administration, bad development practices or bad user actions. Most WordPress sites are hacked en masse, by automated tools/bots, exploiting weak passwords or known vulnerabilities in plugins (like TimThumb, remember?). The attacker’s end goal is to inject spam into the blog. A strong password, reliable plugins, backups, and a reliable host/server configuration will keep the bad guys out.

More important applications can be targeted by hackers working their way in for a high return value (oftentimes information in the form of data dumps, etc.). Such cases are very rare, if the attacker has nothing to gain from spending days and weeks of manual work and great effort they’re simply not going to. If you’re running a high-profile application on top of WordPress and feel like you’re being targeted since there’s value to be gotten from a successful attack then you should perform a full security audit of the system. This is true for applications not running on top of WordPress, too.