Understanding Security Holes

Just finished my talk on Secure Code at WordCamp Philly 2015!  Thanks to everyone who came, here are my slides:

On Jetpack and Auto-Activating Modules

Hopefully, this is the last time that I’ll have to answer this question.

Frankly, it’s been answered dozens of times before. Now, I’m hoping to use this as a canonical ‘Answer Link’ that I can refer people to.  I’ll keep up with comments, so if anyone would like to ask

So, why does Jetpack auto-activate features?

Well, to start off, I should probably clarify what we currently do on this. We don’t auto-activate every new module that comes in.

We never auto-activate features that affect the display or front-end of your site — or at least not unless a site administrator explicitly configures them to.

So, for example, something like Photon, which would swap all your content images to CDN-hosted versions, doesn’t auto-activate. Our comments system doesn’t auto-activate either, as that would swap out your native comment form. Our sharing buttons do, but they don’t display unless you take the time to drag down some sharing buttons to the output box under Settings > Sharing.

However, modules like Publicize, Widget Visibility, and the like — they just give you new tools that you can use, with no risk to affecting your everyday visitors. When users upgrade, we give them a notification of what just happened, and point out some new features we’ve built in that they may want to activate themselves.

One thing we’ve recently expanded on, perhaps six months ago, is a ‘plugin duplication list’, for lack of a better phrase. These aren’t plugins that have an actual code-based conflict with a module, they’re ones that may be … duplicating effort. Previously, we were just scanning for plugins that would output OG Meta Tags, and short-circuit our own provider. However, since Jetpack 2.6, which shipped in November 2013, we’re actually doing it via a filter for all modules. For example, if you’ve got Gravity Forms or Contact Form 7 installed and active, our internal Jetpack Contact Form won’t auto-activate. If you’ve got AddThis or ShareThis active, our sharing buttons module won’t even kick in.

Now, obviously, we can’t catch every single plugin that may be similar enough to one of our modules to give cause to negate auto-activation. So there’s a filter, `jetpack_get_default_modules`, that can be used in any plugin to cancel auto-activation on any module.


// Replace 'module-slug' with the slug of the module that should not auto-activate.
add_filter( 'jetpack_get_default_modules', 'my_jetpack_get_default_modules' );
function my_jetpack_get_default_modules( $modules ) {
    return array_diff( $modules, array( 'module-slug' ) );
}

But I don’t like auto-activation of new features!

Okay.

You’re totally allowed not to.

We’re going to continue using our discretion to auto-activate select modules by default, but if you’d like to turn it off permanently for yours or a client’s site, we’ve made it ridiculously easy to do.


add_filter( 'jetpack_get_default_modules', '__return_empty_array' );

That’s it.
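The two snippets above show the denylist (remove one slug) and the kill switch (return an empty array). The following is an added example, not Jetpack's code, that combines both ideas into an allowlist: only named modules may auto-activate, so a module shipped in a future release stays off until an administrator turns it on, and the contact form is additionally skipped when a duplicating plugin is present. The module slugs and the Gravity Forms / Contact Form 7 detection checks are assumptions about those plugins, not values from the post.

```php
<?php
/**
 * Plugin Name: Jetpack Module Allowlist (added example, not Jetpack's own code)
 *
 * Restricts Jetpack auto-activation to an explicit allowlist, and also
 * skips the contact form module when a plugin that duplicates it is active.
 */

function my_jetpack_allowlist_default_modules( $modules ) {
    // Defensive: an earlier callback on this filter may have returned
    // something other than an array; treat that as "activate nothing".
    if ( ! is_array( $modules ) ) {
        return array();
    }

    // Modules we are willing to let Jetpack switch on by itself.
    // Slugs are assumed for this example; anything not listed stays off
    // until a site administrator activates it by hand.
    $allowed = array(
        'publicize',
        'widget-visibility',
        'contact-form',
        'sharedaddy',
    );

    // Intersect rather than diff: a new module added in a later release
    // is not in $allowed, so it can never auto-activate by surprise.
    $modules = array_intersect( $modules, $allowed );

    // Mirror Jetpack's own duplication logic for a plugin it may not know:
    // assumed detection hooks, Gravity Forms defines the GFForms class and
    // Contact Form 7 defines the WPCF7_VERSION constant.
    if ( class_exists( 'GFForms' ) || defined( 'WPCF7_VERSION' ) ) {
        $modules = array_diff( $modules, array( 'contact-form' ) );
    }

    // Re-index so the result is a plain list again.
    return array_values( $modules );
}

// Priority 20 runs after callbacks registered at the default priority 10,
// so this allowlist is applied last.
add_filter( 'jetpack_get_default_modules', 'my_jetpack_allowlist_default_modules', 20 );
```

Drop the file into wp-content/mu-plugins/ so it loads before Jetpack and cannot be deactivated from the plugins screen.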

We believe that judiciously enabling new features is a win for users, especially considering 1) how low-impact most features are when ‘active’ but not actually implemented by a site owner, 2) how awkward it is for a site owner to have to enable something twice — for example, enabling the Custom Post Formats bit, and then having to visit Settings > Writing in order to actually enable the Portfolio custom post type.

We’ve spoken to many, many users who find a default feature set convenient, and resent having to make a bunch of ‘decision points’ if they had to manually activate each and every module. Good software should run well out of the box. So we’ve set up the defaults as we have. Yes, some people disagree and are vocal about not wanting anything to auto-activate. That’s okay. We try to design for the majority, with the best user experience we can provide.

If you have clients, that you’d like to be active in the relationship with, and customize the Jetpack experience for — that’s terrific. You’re the type of people that we add bunches of filters for. We’re all about empowering you to override our decisions, we just prefer to keep the default user interface free of a thousand toggles.

Decisions, not options — no?

One Year with Automattic

Well, it’s that time.

One year ago today, I started full time at Automattic.

Best. Job. Ever.

I get to work with some of the most brilliant minds I’ve ever known, all of whom, in addition to co-workers, I am proud to call my friends.

I get to contribute to open source software, and still have free time in the evenings for my family.

Each team meetup, company-wide meetup, and WordCamp I attend feels more like a family reunion than a work function.

I have the privilege of leading the team that develops Jetpack, and the ability to improve the workflow and capabilities of millions of users, every day.

For all this, to all my colleagues and friends at Automattic and in the WordPress community at large, thank you.

And by the way, we’re hiring.

My Dopp Kit

Dopp Kits are wonderful things, and I highly encourage anyone who does much traveling to look into putting one together.  It easily saves me an hour or more on each trip — both on the front-end of collecting everything, as well as scrounging for anything I’ve forgotten once I arrive at my destination!

So here’s what I’ve got:


It’s served me well thus far, but what do you think? Am I missing anything critical?

Automattic!

Starting Monday, April 22nd, I’ll be working full time at Automattic!

When I first started working at Speck Products, I’d remarked to a friend that I thought I’d be there for good.  I loved the environment, I loved the people, and I said the only reason I’d ever leave is if Automattic ever wanted me and I could spend my days working full time on WordPress — more in a joking way, as I never really expected it to happen.

Eight plus months later, I find that to be exactly the situation I’m in.

I can’t find a single thing to gripe about regarding my tenure with Speck.  Everyone there was an utter joy to work with.  Challenges were plentiful to keep me engaged, but never overbearing.  I was kept occupied, but never overburdened.  Everyone was friendly and provided a great atmosphere.

However, now I’ll get to do something that I count myself as incredibly fortunate for.  I get to spend my days doing the sort of work that I’ve volunteered my time doing for the past year and a half.  The environment that has been my passion is now my job.  And I couldn’t be happier.

I’ll be spending my days on the Jetpack team for Automattic, increasing the tools available to WordPress.org users through WordPress.com by way of the Jetpack plugin.  I’m very excited by the road map we’ve got going forward, and I can’t wait for some of you to see the features that we’ve got in store.

The best is yet to come.