{"id":2088,"date":"2012-11-30T10:08:24","date_gmt":"2012-11-30T16:08:24","guid":{"rendered":"https:\/\/wpengine.com\/?p=2088"},"modified":"2024-06-06T09:41:44","modified_gmt":"2024-06-06T14:41:44","slug":"tony-perez","status":"publish","type":"post","link":"https:\/\/wpengine.com\/resources\/tony-perez\/","title":{"rendered":"Finely Tuned Consultant: Tony Perez of Sucuri Security"},"content":{"rendered":"<p><a href=\"https:\/\/wpengine.com\/blog\/tony-perez\/\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-thumbnail wp-image-2090\" title=\"Tony Perez - Sucuri Security\" src=\"https:\/\/wpengine.com\/wp-content\/uploads\/2012\/11\/tony-perez1-150x150.jpg\" alt=\"Tony Perez - Sucuri Security\" width=\"150\" height=\"150\"><\/a>This Friday, I&#8217;m talking with Tony Perez, the guy behind much of the security protecting top WordPress sites in the industry, but he&#8217;s not limited to WordPress. Tony&#8217;s company, Sucuri Security, Founded by Daniel Cid and Co-Founded by Dre Armeda, manages security on sites across the interwebs. Tony&#8217;s background is the Marines, and after he left the corps, he traveled internationally as a defense contractor, including stints in Afghanistan and as a subject matter expert to NATO.<\/p>\n<p>Tony got engaged with WordPress as much because of the community he saw driving it as because of the software platform itself. Turns out his brother-in-law was this dude named <a href=\"http:\/\/twitter.com\/dremeda\" target=\"_blank\" rel=\"noopener\">Dre Armeda<\/a>, who was pretty excited about this thing called &#8220;WordPress&#8221; and was organizing an initiative to focus on a simple concept: <strong>remove malware from websites.&nbsp;<\/strong>When we talked, Tony explained that WordPress&#8217;s greatest strength is its ease of use. And its greatest weakness is also its ease of use. 
At WP Engine, we&#8217;re glad to work with Sucuri because of how accessible they make security to the average WordPress user.<\/p>\n<p><strong>In Tony&#8217;s Own Words:<\/strong><\/p>\n<blockquote><p>\u201cI\u2019m Tony, if you have never talked to me you know that I live and breathe Website Security. I spend a good amount of my time remediating malware cases, troubleshooting sites and web application penetration testing (yes, website hacking). I am a very young White Hat but have the opportunity that most don\u2019t have, the ability to see live hacks and techniques on a daily basis.\u201d<\/p><\/blockquote>\n<p><strong>And now onto Tony&#8217;s Answers:<\/strong><\/p>\n<p><strong>When was the first time that you really got excited about WordPress and at what point did you decide to make it your career?<\/strong><\/p>\n<p>It was in January 2010, but it wasn\u2019t because of love it was because of greed. At the time I could care less about the community, I just knew that I could push the platform into the enterprise and with a background in enterprise I knew the financial rewards would be there. For those with backgrounds that stem into the closed markets like Windows based products you know what I mean. The emphasis was never community.<\/p>\n<p>It was not until I helped organize WordCamp San Diego 2010 that I really fell in love with the platform and its community.<\/p>\n<p><strong>Where do you go first to get your WP news, insights, and updates?<\/strong><\/p>\n<p>Honestly, it\u2019s Twitter. It used to be WPCandy but they seem to be having ups and downs as of late, some of the others. I also like WPForce, but my first stop is usually Twitter, get a lot of great info there. I also prefer reading personal blogs more over reading news from media outlets, they are often more forthcoming and insightful.<\/p>\n<p><strong>What WP consultants deserve more love than they get? 
Who should we be paying attention to?<\/strong><\/p>\n<p>I like me some Mark Jaquith, mainly because of what he\u2019s about and what he does and more importantly how he\u2019s engaged in other communities. Also because of his emphasis on WordPress security. Also a quick shout out to Pippin for his recent disclosure, if you\u2019re not aware he went back through some old code, found he had opened his application to serious vulnerabilities and quickly disclosed it after patching. Doesn\u2019t always work like that so he deserves some serious props.<\/p>\n<p>The other person is Brian Mess with WebDevStudios, he\u2019s a bit spastic and if you have ever talked to him you know what I mean. If you have the opportunity to drink with him I encourage you to do so, but just make sure he leaves his camera at home. He\u2019s doing some really phenomenal development extending the application into areas that most only talk about. So kudos to him and his team.<\/p>\n<p><strong>What performance tips would you give to other pros (as related to speed, scalability, security, plugins, backup, etc.)?<\/strong><\/p>\n<p>I can\u2019t say much about anything but security, but what I can say is that more emphasis needs to be put on educating developers and designers alike around theme and plugin vulnerabilities. Big theme and plugin shops have no excuse, they need to be getting their code reviewed.<\/p>\n<p>If we weren\u2019t seeing the problem every day, I wouldn\u2019t be saying it. Also, WordPress makes available some very good functions designed to help you escape your code, use them. 
Here is an article that better articulates what I\u2019m talking about: <a href=\"http:\/\/blog.sucuri.net\/2012\/10\/wordpress-themes-xss-vulnerabilities-and-secure-coding-practices.html\" target=\"_blank\" rel=\"noopener\">http:\/\/blog.sucuri.net\/2012\/10\/wordpress-themes-xss-vulnerabilities-and-secure-coding-practices.html<\/a><\/p>\n<p>The biggest issue affecting WordPress Themes and Plugins is XSS, RFI, LFI, SQLi attacks. These are all things beyond the end-user\u2019s control, so check yourself before you wreck yourself.<\/p>\n<p style=\"padding-left: 30px;\"><strong> If there is nothing you take away from this, take this:<\/strong><\/p>\n<p style=\"padding-left: 60px;\"><em>Never trust your users, validate all inputs coming and escape everything going out.<\/em><\/p>\n<p><strong>Confess to us your biggest moment of WP fail?<\/strong><\/p>\n<p>It was not until 2012 that I installed my first WordPress install manually.. sniff sniff<\/p>\n<p><strong>If you were going to spend this weekend creating a plugin that doesn&#8217;t exist, what would it be?<\/strong><\/p>\n<p>Man, if I could I would build a plugin that easily allows a user to force a password reset for all users. This is a key function post hack and it\u2019s always the one thing that never gets done. Very frustrating.<\/p>\n<p><strong>Do you use Themes &amp; Child Themes, Roll your own, or both?<\/strong><\/p>\n<p>I\u2019m about as incompetent as it comes when it comes to themes so I usually rock a child theme to one of my preferred frameworks.<\/p>\n<p><strong>What&#8217;s your favorite theme or theme framework? Why?<\/strong><\/p>\n<p>I\u2019m not a developer or designer so I like to rock Genesis and their themes. Another favorite is WooThemes, just depends on my mood.<\/p>\n<p><strong>Favorite plugin?<\/strong><\/p>\n<p>Have you heard Sucuri has a premium plugin that is offered free to its customers? 
No..?<\/p>\n<p>In all seriousness, I like it because it doesn\u2019t do much, it\u2019s simple and it\u2019s designed to be so. Its most powerful feature is two-fold: its auditing and its built-in Web Application Firewall (WAF). Still has a lot of work to be done, but with time it\u2019ll get better.<\/p>\n<p>Outside of my own, I like auditing plugins and plugins that focus on access authentication. Specifically I like Duo Factor and Google Authenticator for access authentication.<\/p>\n<p>I like auditing plugins it\u2019s very important, you need to stay on top of what is going on with your site, especially if you\u2019re the so-called \u201cwebmaster\u201d.<\/p>\n<p><strong>Least favorite plugin?<\/strong><\/p>\n<p>Oh man all the security plugins that are offering 150 different hardening tips. If I could outline the number of sites that are infected running these plugins it\u2019d be very disturbing.<\/p>\n<p>That being said, it might be a little unfair I am sure they do protect some; they are just so overwhelming sometimes.<\/p>\n<p><strong>What&#8217;s the coolest thing you&#8217;ve ever done with Custom Post Types?<\/strong><\/p>\n<p>This one time, in band camp.. yeah I have done nothing with CPT\u2019s..<\/p>\n<p><strong>What do you think is the biggest challenge that WP consultants will face in 2013?<\/strong><\/p>\n<p>Surprise surprise, web security. Consumers are getting smarter, Google and Bing blacklisting are not helping, the various media outlets bashing on WordPress are also slowly making waves. The idea that security is someone else\u2019s problem is no longer the case, as developers and designers it has to be part of your thought process.<br \/>\nAlso, not doing so is only giving the platform you love a bad name. Frankly speaking, almost nobody knows you but millions know WordPress. 
Think about paying it forward, you can do that by developing more secure code.<\/p>\n<p><strong>If you could change one thing today about WP, what would it be?<\/strong><\/p>\n<p>I would change the way WordPress uses an antiquated approach around access and roles. I remember having a conversation where the response I got was, \u201cthey didn\u2019t want to make it like Microsoft\u201d, but that\u2019s the problem. Our approach is already the Microsoft, the 1990\u2019s way. Every user by default is an administrator, the platform can write to itself on the server, it\u2019s all very dangerous and it facilitates the issues presented by the weakness in themes and plugins.<\/p>\n<p>It\u2019s going to be an issue that we\u2019re not going to be able to avoid for much longer, it\u2019s that or we deal with the increase in compromises.<\/p>\n<p><strong>Where do you see WordPress going in the next 2-3 years?<\/strong><\/p>\n<p>It\u2019s pretty obvious that it\u2019s targeting the CMS market and with every build it leans further in that direction. I worry though about its back-end complexity; remember complex things break in complex ways. I do think however that we\u2019ll continue to see significant refactoring occurring and the core of the platform will be nothing like what it was when it first started. I do worry though if it\u2019ll isolate the everyday blogger in the desire to better penetrate the enterprise and larger organizations. If that perception continues you\u2019re likely to see splintering within the community and what are nothing more than rumblings will turn into realities. So the next few years will be interesting for sure, and whichever direction it takes it\u2019ll be successful and the community will be 5 times its current size.<\/p>\n<p><strong>Tell us a story where you saved the WP day for yourself or on a client project. &nbsp;What made the difference for you?<\/strong><\/p>\n<p>Oh man, this is a hard one because every day I work on remediating cases. 
That\u2019s right, I have a team of 15 and with my business partners we run a pretty good size organization, but we all remediate cases. This is intentional, it keeps us in touch with reality and reminds us of what we\u2019re doing, it\u2019s how we build our products.<br \/>\nWhat\u2019s very exciting about what I do is the sense of satisfaction you get, it pales in comparison to any of the software projects I have ever managed. People come to us when they are the most vulnerable and many have no idea what is happening. The ability to service them quickly, retain all functionality, harden the environment and remove them from Google blacklisting is priceless to me.<\/p>\n<p><strong>What&#8217;s the biggest misconception you encounter about WordPress, and how do you clear it up for your clients?<\/strong><\/p>\n<p>The biggest misconception is it\u2019s insecure. I hear this from developers and designers too, which really infuriates me. The platform core is actually very secure, even the issues found as of late are very low priority. The biggest is the environment, themes, plugins and the user. That\u2019s what I tell people.<\/p>\n<p><strong>If you were interviewing another WordPress developer for a job, what is the first question you would ask and why?<\/strong><\/p>\n<p>Tell me, and show me, the things you do to ensure you are developing securely. Do I really need to explain why this is important to me?<\/p>\n<p><strong>What did I miss? &nbsp;Here&#8217;s your chance to fill in the blanks and add something you want people to know about you!<\/strong><\/p>\n<p>The thing I want people to understand is that WordPress does have vulnerability, but it\u2019s a double-edged sword. It prides itself on its ease of use and its extensibility, unfortunately for every good there is a bad, and that same ease of use and extensibility is its biggest weakness.<\/p>\n<p>As for me personally, I am married and have three kids. 
I am also a Harley riding, tattoo wearing, foul mouthed; gun carrying, Columbian Cuban with a hot-temper. I am not known for keeping my mouth shut and am often quick to offer my unsolicited opinion, it\u2019s just in my DNA.<\/p>\n<p><strong>Thanks Tony!<\/strong><\/p>\n<p><strong>If you&#8217;ve got a website, WordPress or otherwise, head on over to <a href=\"http:\/\/Sucuri.net\" target=\"_blank\" rel=\"noopener\">Sucuri.net<\/a>&nbsp;to do a free malware scan and make sure your site stays squeaky clean. And if you ever need some security help, Tony is your man.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This Friday, I&#8217;m talking with Tony Perez, the guy behind much of the security protecting top WordPress sites in the industry, but he&#8217;s not limited to WordPress. Tony&#8217;s company, Sucuri Security, Founded by Daniel Cid and Co-Founded by Dre Armeda, manages security on sites across the interwebs. Tony&#8217;s background is the Marines, and after he<span class=\"tile__ellipses\">&hellip;<\/span><span class=\"tile__ellipses--animated\"><\/span><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[411],"tags":[],"class_list":["post-2088","post","type-post","status-publish","format-standard","hentry","category-finely-tuned-expert"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Finely Tuned Consultant: Tony Perez of Sucuri Security | WP Engine<\/title>\n<meta name=\"description\" content=\"Meet Tony Perez and discover his journey, expertise, insights, and contributions to web security and development.\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" 
content=\"Finely Tuned Consultant: Tony Perez of Sucuri Security | WP Engine\" \/>\n<meta property=\"og:description\" content=\"Meet Tony Perez and discover his journey, expertise, insights, and contributions to web security and development.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/wpengine.com\/resources\/tony-perez\/\" \/>\n<meta property=\"og:site_name\" content=\"WP Engine\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/wpengine\" \/>\n<meta property=\"article:published_time\" content=\"2012-11-30T16:08:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-06T14:41:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/wpengine.com\/resources\/wp-content\/uploads\/2012\/11\/tony-perez1-150x150.jpg\" \/>\n<meta name=\"author\" content=\"Austin Gunter\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@wpengine\" \/>\n<meta name=\"twitter:site\" content=\"@wpengine\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Austin Gunter\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/wpengine.com\/resources\/tony-perez\/\",\"url\":\"https:\/\/wpengine.com\/resources\/tony-perez\/\",\"name\":\"Finely Tuned Consultant: Tony Perez of Sucuri Security | WP Engine\",\"isPartOf\":{\"@id\":\"https:\/\/wpengine.com\/resources\/#website\"},\"datePublished\":\"2012-11-30T16:08:24+00:00\",\"dateModified\":\"2024-06-06T14:41:44+00:00\",\"author\":{\"@id\":\"https:\/\/wpengine.com\/resources\/#\/schema\/person\/669f047558daf2cf0747a7cbe8bf5a74\"},\"description\":\"Meet Tony Perez and discover his journey, expertise, insights, and contributions to web security and development.\",\"breadcrumb\":{\"@id\":\"https:\/\/wpengine.com\/resources\/tony-perez\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/wpengine.com\/resources\/tony-perez\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/wpengine.com\/resources\/tony-perez\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/wpengine.com\/resources\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Finely Tuned Consultant: Tony Perez of Sucuri Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/wpengine.com\/resources\/#website\",\"url\":\"https:\/\/wpengine.com\/resources\/\",\"name\":\"WP Engine\",\"description\":\"Managed Hosting for WordPress\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/wpengine.com\/resources\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/wpengine.com\/resources\/#\/schema\/person\/669f047558daf2cf0747a7cbe8bf5a74\",\"name\":\"Austin 
Gunter\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/wpengine.com\/resources\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3c46fa98068156fdd2b81c009b7d8110d8d6eb6b287305e7e0c64fb29cbb7088?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3c46fa98068156fdd2b81c009b7d8110d8d6eb6b287305e7e0c64fb29cbb7088?s=96&d=mm&r=g\",\"caption\":\"Austin Gunter\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Finely Tuned Consultant: Tony Perez of Sucuri Security | WP Engine","description":"Meet Tony Perez and discover his journey, expertise, insights, and contributions to web security and development.","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"Finely Tuned Consultant: Tony Perez of Sucuri Security | WP Engine","og_description":"Meet Tony Perez and discover his journey, expertise, insights, and contributions to web security and development.","og_url":"https:\/\/wpengine.com\/resources\/tony-perez\/","og_site_name":"WP Engine","article_publisher":"https:\/\/www.facebook.com\/wpengine","article_published_time":"2012-11-30T16:08:24+00:00","article_modified_time":"2024-06-06T14:41:44+00:00","og_image":[{"url":"https:\/\/wpengine.com\/resources\/wp-content\/uploads\/2012\/11\/tony-perez1-150x150.jpg"}],"author":"Austin Gunter","twitter_card":"summary_large_image","twitter_creator":"@wpengine","twitter_site":"@wpengine","twitter_misc":{"Written by":"Austin Gunter","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/wpengine.com\/resources\/tony-perez\/","url":"https:\/\/wpengine.com\/resources\/tony-perez\/","name":"Finely Tuned Consultant: Tony Perez of Sucuri Security | WP Engine","isPartOf":{"@id":"https:\/\/wpengine.com\/resources\/#website"},"datePublished":"2012-11-30T16:08:24+00:00","dateModified":"2024-06-06T14:41:44+00:00","author":{"@id":"https:\/\/wpengine.com\/resources\/#\/schema\/person\/669f047558daf2cf0747a7cbe8bf5a74"},"description":"Meet Tony Perez and discover his journey, expertise, insights, and contributions to web security and development.","breadcrumb":{"@id":"https:\/\/wpengine.com\/resources\/tony-perez\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/wpengine.com\/resources\/tony-perez\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/wpengine.com\/resources\/tony-perez\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/wpengine.com\/resources\/"},{"@type":"ListItem","position":2,"name":"Finely Tuned Consultant: Tony Perez of Sucuri Security"}]},{"@type":"WebSite","@id":"https:\/\/wpengine.com\/resources\/#website","url":"https:\/\/wpengine.com\/resources\/","name":"WP Engine","description":"Managed Hosting for WordPress","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/wpengine.com\/resources\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/wpengine.com\/resources\/#\/schema\/person\/669f047558daf2cf0747a7cbe8bf5a74","name":"Austin 
Gunter","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/wpengine.com\/resources\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/3c46fa98068156fdd2b81c009b7d8110d8d6eb6b287305e7e0c64fb29cbb7088?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3c46fa98068156fdd2b81c009b7d8110d8d6eb6b287305e7e0c64fb29cbb7088?s=96&d=mm&r=g","caption":"Austin Gunter"}}]}},"acf":[],"_links":{"self":[{"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/posts\/2088","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/comments?post=2088"}],"version-history":[{"count":0,"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/posts\/2088\/revisions"}],"wp:attachment":[{"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/media?parent=2088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/categories?post=2088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpengine.com\/resources\/wp-json\/wp\/v2\/tags?post=2088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}