The above figure is often used to demonstrate a minimum viable product, but I think it can also be used to demonstrate a minimum viable experience. The skateboard may be a little slower, but it doesn’t stop the user getting to where they want to go. So, if the user’s browser doesn’t support JavaScript or modern CSS then it doesn’t break, it presents the default experience instead: a button which instructs the user to generate a report. The user will experience a very similar process, but has to perform one extra click.
The beauty of this approach is that the site doesn’t ever appear broken and the user won’t even be aware that they are getting the ‘default’ experience. With progressive enhancement, every user has their own experience of the site, rather than an experience that the designers and developers demand of them.
I could only go so long, on a blog devoted to books about self-improvement and personal effectiveness, without covering the quintessential modern tome on the subject. The 7 Habits of Highly Effective People has become so representative of increasing personal effectiveness that it has almost become a cliché, even to the point where it is derided as representative of the inauthenticity and shallowness of many who claim to practice it. I found myself oddly embarrassed to be seen reading this book on the subway – lest someone attribute that same character to me.
In truth, this book is more worthy of its acclaim than of its infamy. If you can push past the Buzzfeed-style clickbait titles to understand the truths behind them that were the impetus for people to later turn them into buzzwords, you will find enormous value in these pages.
The 7 Habits
In the pursuit of personal effectiveness, most people try to change one of two things: their behavior (“I’m going to try really hard at this!”) or their attitude (hence the popularity of self-help books and motivational speakers). If you’ve tried these approaches, you know them to be ineffective. The only solution for real change is the recognition and changing of your personal “paradigm,” or pattern of perception by which you view the world.
To sum up the seven habits at a high level, an effective person has learned to make the paradigm shift from outside-in to inside-out, progressing along the growth continuum from dependence to independence to interdependence. He has found the balance of being able to produce while also increasing his capacity to further produce.
That may sound like a bunch of gobbledygook, but it will become clear as you progress through the habits and make the paradigm shift the author writes about.
The first three habits are habits of self-mastery, or private victories. These habits must come first, after which come the second three habits of public victories. The last habit is one that is key to the proper functioning and renewal of the first six.
Habit 1: Be Proactive
Put aside the dictionary definition of the word “proactive” for a moment, as well as any meaning you’ve learned to attribute to it from your time in the workforce. You’ll have to do this with several of the upcoming habit titles in order to understand what Covey is saying.
The best way to understand what a paradigm is, as well as which paradigm an effective person possesses, is to first understand the three widely accepted paradigms that most people use to explain human behavior:
Genetic determinism (you are who you are because of your genes)
Psychic determinism (your childhood and upbringing shaped your personality), and
Environmental determinism (the things around you make you who you are)
The prevailing viewpoint is that at our core, we are animals, compelled by a given stimulus to give a certain response. While there is certainly some truth to this, Covey quotes psychiatrist and Holocaust victim Viktor Frankl: “Between stimulus and response, man has the freedom to choose.” (See Frankl’s book Man’s Search for Meaning for his story.)
The author defines proactivity (and the paradigm shift that comes with it) as exercising your freedom to choose self-awareness, imagination, conscience, or independent will in between stimulus and response. If you’re unhappy, unsuccessful, etc., it’s because you chose to let something make you that way instead of choosing your own response. This is not to minimize the effect that genetics, upbringing, or environment have on who a person is; however, being an effective person requires that you recognize your responsibility to shape your response to those things.
This is not just positive thinking; being proactive means understanding the reality of a situation, but understanding the reality of a situation also means understanding the reality that you can choose your response to your circumstance. We all have a “circle of concern,” representing all the things that we care about. We can only influence a small portion of the things in our circle of concern, and many people spend their time and energy worrying or complaining about the things they can’t control. The more you focus on things outside your control, i.e. outside your “circle of influence,” the fewer things you’ll be able to control. Your circle of influence will shrink. In contrast, by focusing only on those things within your control, you will find that your circle of influence will grow.
To shift your focus to your circle of influence, stop saying the “haves” (if I only had a better job) and start saying the “be’s” (I can be more _).
Habit 2: Begin with the End in Mind
Everything is created twice: first in a mental creation, then as a result becoming a physical creation. If you don’t consciously choose to control the mental creation, the vicissitudes of your life are created by default, shaped by random circumstances and other people’s expectations and agendas. (Refer to the summary of Think and Grow Rich by Napoleon Hill to better understand what this means, and to learn how to shape your actions based on this principle.)
Said another way, Habit 1 is “You are the creator.” Habit 2 is the first creation.
Beginning with the end in mind means approaching any role you have in life with your values and directions clear. Because we are self-aware, we can realize when we are acting in a role that isn’t in harmony with our values or isn’t a result of our own proactive design.
Whatever is at the center of your life will be the source of your security (your sense of worth), guidance (your source of direction in life), wisdom (your perspective on life), and power (your capacity to act and accomplish).
Most people never take the time to align their values with their center. As a result, they have one or more of many possible alternative centers. People can be spouse centered, family centered, money centered, work centered, pleasure centered, friend or enemy centered, church centered, or self centered. You probably know someone who is an example of being centered around each one of these things, and if you’re honest with yourself, you’ll realize that there are probably times when you become centered around many of these things as well.
Many of these things are perfectly good in and of themselves, but it isn’t healthy for your security, guidance, wisdom, or power to depend on and be determined by any of them. Instead, to be an effective person we need to have a “principle” center – one that is based on timeless, unchanging values. The principle center will put all these other centers in perspective.
Covey puts it this way: “The personal power that comes from principle-centered living is the power of a self-aware, knowledgeable, proactive individual, unrestricted by the attitudes, behaviors, and actions of others or by many of the circumstances and environmental influences that limit other people.”
The best way to make sure your life is aligned with your principles (and the best way to track when you get off center) is to write a personal mission statement. Covey doesn’t present a cookie-cutter formula for doing so, but suggests approaching it from the perspective of roles and goals: who do you want to be, and what do you want to accomplish?
This principle is the same for families or organizations; as hokey as it might sound, an authentic mission statement is the first step in the process of being effective. You need to put in the time, thought, and effort in order to gain the right perspective, and in order to set yourself up for the next habit.
Habit 3: Put First Things First
Habit 3 is the second creation – the physical realization of Habits 1 and 2. Habits 1 and 2 are best characterized as “leadership,” which must come first, while Habit 3 is where we begin discussing “management.”
Effective management means putting first things first, and doing the things that other people don’t want to do. From Habits 1 and 2, you must have a burning “yes” inside you that allows you to say “no” to other things that don’t align with your principles and goals.
Covey describes four levels of time management:
Notes and checklists (reducing your cognitive burden in the present).
Calendars and appointment books (looking ahead to better arrange your future time).
Daily planning, by means of goal-setting and prioritization. Most people never get beyond this level.
Categorization of activities and purposeful focus on and/or exclusion of certain ones.
This fourth level is where the author asks us to operate. He borrows the tool for this categorization from none other than Dwight Eisenhower:
An effective time manager spends as much time as possible in quadrant II, doing things that are important before they become urgent: building relationships, long-term planning, preventative maintenance of all types, etc. The more time you spend in this quadrant, the less time you will have to spend in quadrant I. Delegate or otherwise cut out anything in quadrant III or IV.
In contrast, most people spend the majority of their time in quadrants I and III, doing urgent things that may or may not be important and that rarely allow you to be effective. Most of us try to get out of this vicious cycle by trying to be more disciplined; however, the author contends that your problem is probably not that you lack discipline. More likely, it is simply that your priorities have not been rooted in your values.
In order to become a quadrant II self-manager, Covey suggests a series of four steps:
1) Identifying roles. Write down a list of roles that you wish to devote time and energy to filling. Some examples are your role as an individual (for which you would devote time for self-improvement), your role as a family member (spouse, son, mother, etc.), and your role at work (which may be multiple things, any of which may not correspond to your official title).
2) Selecting goals. Write down one or two goals for each role that you want to accomplish over the next week. Since you’ve already gone through the process of establishing Habits 1 and 2, these goals should be tied into your larger purpose and long-term goals.
3) Scheduling. Take things a step beyond where most people get with their use of scheduling: sit down and plan out your schedule a week at a time. This allows you to match your goals with the best time to accomplish them. For example, peak productivity for most people is between 2 – 5 hours after waking. One use of this principle might be to schedule time 2 – 5 hours after waking on Saturday to do the most important quadrant II activities that your job won’t allow you to do during the week. The key is not to prioritize your schedule, but to schedule your priorities.
4) Daily adapting. Take a few minutes at the beginning of each day to review the schedule you put together and revisit the values that induced you to establish your goals for the day. In real life, things change, so it is important to allow your schedule to be fluid and adaptable while keeping your focus on your values and priorities.
Habit 4: Think Win/Win
This is another buzzword-type title that will require you to put aside your perception of the term in order to grasp Covey’s meaning. As opposed to some kind of unrealistically happy and friendly attitude, the author defines thinking win/win as a mindset that is always looking for a third alternative to the “me or you” decision. Most people live in one of the following four alternative paradigms:
Win/lose (authoritarian or egotistical)
Lose/win (being a pushover)
Lose/lose (when two win/lose people interact)
Win (focused solely on the results you get for yourself)
To escape these unproductive mindsets, we must develop the three character traits essential to the win/win paradigm:
Integrity (the value we place on ourselves)
Maturity (the balance between courage and consideration)
Abundance mentality (which comes from a sense of personal worth and security)
Try thinking about your relationships as an emotional bank account. By proactively making deposits, you ensure that the emotional funds will be there when the time comes to make a withdrawal. Win/win is often difficult, but is made much easier by the presence of a hefty emotional bank account.
So we can better understand what a win/win decision is and how it is structured, Covey provides the following characteristics:
Clear identification of desired results
Specified parameters within which to achieve those results
Resources to be used to accomplish the results
Accountability by means of specific standards of performance and times for evaluation
Consequences of the results of the evaluation
You can find a more thorough presentation of this approach to effective negotiations in Getting to Yes by Roger Fisher and William Ury. The essence of Getting to Yes is to separate the person from the problem, focus on interests instead of positions, invent options for mutual gain, and insist on objective criteria.
The key to this chapter is that in most difficult situations, the problem is the system, not the people. By approaching those situations with the question of how we can change the system in order to make it work for all involved, many difficult problems can be resolved.
Habit 5: Seek First to Understand, Then to Be Understood
If you want to interact effectively with people and influence them, you must first understand them. It may be common sense, but it stands in direct contrast to most people’s modus operandi, which is to be first concerned with being understood.
Again, Covey breaks things down into a step-by-step framework that makes your own behavior easier to understand. Here are his four levels of listening:
Ignoring
Pretending to listen
Attentive listening
Empathic listening
The first three are self-explanatory, but you may not have heard the term “empathic listening” before. Empathic listening means getting inside someone else’s frame of reference by “listening” to their body language, tone, expression, and feelings. It’s a tremendous deposit in the emotional bank account.
In contrast to empathic listening, we tend to listen from our frame of reference (even if we are listening attentively) and have these “autobiographical responses”:
Evaluate (agree or disagree)
Probe (ask questions from our own frame of reference)
Advise (give counsel based on our own experience)
Interpret (explain people’s actions based on our own motivations)
By listening empathically instead of forcing our natural autobiographical responses onto each situation, we can get beyond a surface-level, transactional exchange and have a real impact. Needs stop motivating people once those needs are satisfied. Satisfy the need to be understood, and you can move on to being productive.
The other half of this habit, then, is being understood.
Covey refers to the Greek philosophy of ethos, pathos, logos – first character, then relationships, and only afterward the logic of what you’re saying. Most people try to skip straight to logos in every exchange, but it can’t be denied that someone must first trust you and understand where you’re coming from emotionally before they will understand how your logic fits into the overall picture of your perspective. Approach your communication through this framework, and you’ll be surprised at how much more easily you get your point across.
This habit is powerful because it is always in your circle of influence to seek first to understand, then to be understood. When people understand each other, the door is opened for third alternatives – win/win solutions.
Habit 6: Synergize
Despite being titled with the business world’s most eminently cringeworthy king of buzzwords, this chapter offers enormous value if you can grasp the principle. Covey is not referring here to the type of “synergy” that occurs when two companies merge and become better together by cutting down on administration costs. He’s not even referring only to the simple act of working together to accomplish more than what you could accomplish on your own.
What the author means by synergy is something that may be impossible to understand unless you have experienced it. One way to describe it is when a group of people enter a simultaneous and cooperative state of flow – the “peak experience” of group interaction.
You may have had an experience playing sports where the team just gelled and the plays started clicking like you were moving as one body. Perhaps you’ve played in a musical group and found yourselves in a song where every note was perfect, every hook was tight, and you found yourself improvising riffs you didn’t even know you were capable of playing. You might have been in an emergency situation where a group of strangers came together to act with a degree of cooperation that seemed unprecedented.
Maybe you’ve had one of those conversations with a group of close friends where you were baring your souls about some deep, commonly held belief or commonly faced challenge, and each person’s words created thoughts in your own mind that you then perfectly expressed as insights you didn’t even know you had.
This is what the author means by synergy – a shared peak experience that can be created as the culmination of the first five habits. The key here is that synergy of this type doesn’t have to be a rare experience. We can create it in our everyday lives, beginning to live at a higher level by putting the first five habits into practice and adding a courageous amount of authenticity and openness. To be able to consistently operate at this level is to achieve the ability to be more effective than most people can even dream of being.
Habit 7: Sharpen the Saw
Remember, these are all intended to be habits, which means they have to be practiced repeatedly. In order to be able to practice these things, you need to take the time to renew yourself.
Covey recommends you carve out the time to do things to renew what he classifies as the four dimensions of human nature:
Spiritual (value clarification & commitment, study & meditation)
When you neglect any one area, you damage the rest – so commit at least one hour of every day to these practices.
Covey doesn’t spend enough time on any of these things to be the best “how-to” source for their implementation, and I don’t think that was his intention. His point is that an overall balance is necessary to support the other six habits. If done correctly, it leads to a virtuous cycle of continual personal growth.
Conclusion
In a twist of cruel irony, it seems that the 7 Habits of Highly Effective People has become the poster child for the very things it was written to help people overcome. The crux of the book is that to be effective, you must come from a place of authenticity, starting with your values and building with each successive habit. Unfortunately, it is human nature to imitate the form without delivering the authenticity.
The value of this book made it the victim of its own success when it was catapulted into becoming the business world’s favorite trend for a time. It seems that many people and organizations genuinely liked what they heard, but then tried to awkwardly force the habits onto their own lives or others’ (often cherry-picking the ones that sounded easier) without truly taking them to heart. An unlikely alliance of Covey-directed scorn resulted between those who have had negative interactions with such people, and the small minds who couldn’t overcome their own scripts in order to understand Habit 1 and take responsibility for the results of their lives.
The disdain is truly undeserved. In reading the book, titles that at first reek of buzzword become epiphanies once you understand the truth of the principle. Reducing this particular book to a quick summary, which certainly has its uses, also has the effect of losing some of the meaning – of taking some powerful, emotion-filled lessons and reducing them to bullet points.
While it is certainly not a comprehensive framework for personal effectiveness, The 7 Habits of Highly Effective People gets many things right, and deserves its spot as the manifesto of personal effectiveness.
One thing this book is missing is the practical technique for managing the human mind to put new habits into practice. For that skill, refer to The Power of Habit by Charles Duhigg.
I’ve also found it useful to rephrase each buzzword title into an action point that more directly states the meaning of what the author had in mind. Once you’ve read the book you’ll have grasped the greater meaning and the nuances of his points, but it’s still useful to refresh your memory in this way:
1. Be proactive. Adopt a perspective of responsibility for your actions, reactions, and results.
2. Begin with the end in mind. Make sure your efforts start with establishment of your personal principles.
3. Put first things first. Spend your time on things that are important, not on things that are urgent.
4. Think Win/Win. Approach every interaction with the perspective of trying to fix the system, not the person, in order to find the solution that is best for all involved.
5. Seek First to Understand, Then to Be Understood. Meet people’s need to be understood, establish trust, and communicate your emotions; communicate your logic last.
6. Synergize. Combine the first five habits for an exponentially higher level of effective and cooperative daily interaction.
7. Sharpen the Saw. Take the time to maintain and renew your mind, body, emotions, and spirit.
Last year, WordPress was responsible for 83% of infected content management sites. Make sure you’re not contributing to those infections and learn how to securely manage WordPress.
(This article is kindly sponsored by Sucuri.) WordPress security doesn’t have a good reputation. More than 70% of all WordPress sites carry some kind of vulnerability according to research done on over 40,000 WordPress sites by Alexa. If you develop WordPress themes or plugins — or use WordPress for your websites — that number should scare you.
There’s a lot you can do to make sure you’re not part of the 70%, but it takes more work than just installing a plugin or escaping a string. A lot of advice in this article comes from Sucuri’s guide on WordPress security and years of personal experience.
Is WordPress Insecure?
WordPress has the largest market share among content management systems and a 30% market share among the most popular 10 million sites on the web. That kind of success makes it a big target for hacks. WordPress isn’t less secure than other content management systems — it’s just more successful.
Vulnerabilities in WordPress core are responsible for less than 10% of all WordPress hacks. Most of those are from out-of-date WordPress installs. The number of hacks that exploit actual security holes in up-to-date versions of WordPress core (so-called zero-day exploits) accounts for a tiny percentage of all hacks.
The rest of the infected sites were caused by plugins, themes, hosting, and users. And you, as a WordPress website developer, have control over all of those. If this seems like a big hassle to you, then I can recommend Sucuri’s agency plan. Otherwise, let’s find out how to deal with WordPress security ourselves!
Who’s Attacking You And Why?
Let’s bust a myth first: A small WordPress website is still an attractive target for hackers. Attacks on a personal basis are very rare. Most hacked WordPress websites are compromised automatically by either a bot or a botnet.
Bots are computer programs that constantly search for websites to hack. They don’t care who you are; they just look for a weakness in your defences. A botnet combines the computing power of many bots to tackle bigger tasks.
Hackers are primarily looking for a way into your server so that they can use your server’s computing power and turn it loose on some other goal or target. Hackers want your server for the following reasons.
Sending Spam
Spam accounts for about 60% of all email, and it has to be sent from somewhere. Many hackers want to gain entry to your server through a faulty plugin or an ancient version of WordPress core so that they can turn your server into a spamming machine.
Attacking Other Websites
Distributed denial-of-service attacks use many computers to flood a website with so much traffic that it can’t keep up. These attacks are very difficult to mitigate, especially when they are done right. Hackers who break into your server can add it to a pool of servers used to attack websites.
Stealing Resources
Mining cryptocurrency is very popular now, but it takes a lot of computing power. Hackers who don’t want to spend a lot of money on a server farm will break into unprotected WordPress websites and gain access to servers or to your websites’ visitors and steal computing power.
Bumping SEO Scores
A particularly popular hack for WordPress is to gain access to its database and add a bunch of (hidden) text underneath each post, linking to another website. It’s a really quick way to bump one’s SEO score, although Google is getting more vigilant about this behavior, and blacklistings are increasing.
Stealing Data
Data is valuable, especially when it’s linked to user profiles and e-commerce information. Getting this data and selling it can make an attacker a handsome profit.
Why Does Security Matter?
Apart from not giving criminals the satisfaction, there are plenty of reasons why your website should be secure by default. Having cleaned and dealt with plenty of WordPress hacks myself, I can surely say that they never occur at a convenient time. Cleaning up can take hours and will cost either you or your client money.
To get a hacked WordPress website up and running again, you’ll need to remove and replace every bit of third-party code (including WordPress core); comb through your own code line by line and all other folders on the server to make sure they are still clean; check whether unauthorized users have gained access; and replace all passwords in WordPress, on your server and on your database.
Plenty of services can clean up a WordPress website for you, but prevention is so much better in the long run.
Apart from the cost of cleaning up, hacks can also cost you a lot in missed sales or leads. Hacks move you lower in search rankings, resulting in fewer visitors and fewer conversions.
More than the financial cost, getting hacked hurts your reputation. Visitors come to your website because they trust you. Getting hacked damages your reputation, and that takes a long time to repair.
There’s also a real possibility of legal issues, especially if you have customers in the EU, where GDPR legislation will go into effect in the summer of 2018. That new legislation includes a hefty fine for data breaches that aren’t handled properly.
Money, reputation and legal problems: Bad security can cost you a lot. Investing some time in getting your website, code and team set up with a mindset of security will definitely pay off.
Let’s find out how we can prevent all of this nastiness.
The CIA Triad
The CIA triad is a basic framework for every digital security project. It stands for confidentiality, integrity and availability. CIA is a set of rules that limits information access to the right parties, makes sure the information is trustworthy and accurate, and guarantees reliable access to that information.
For WordPress, the CIA framework boils down to the following.
Confidentiality
Make sure logged-in users have the right roles assigned and that their capabilities are kept in check. Only give users the minimum access they need, and make sure that administrator information doesn’t leak out to the wrong party. You can do so by hardening WordPress’ admin area and being careful with usernames and credentials.
Integrity
Show accurate information on your website, and make sure that user interactions on your website happen correctly.
When accepting requests on both the front and back end, always check that the intent matches the actual action. When data is posted, always filter the data in your code for malicious content by using sanitization and escapes. Make sure spam gets removed by using a spam protection service such as Akismet.
Availability
Make sure your WordPress, plugins and themes are up to date and hosted on a reliable (preferably managed) WordPress host. Daily automated backups also help to ensure that your website stays available to the public.
All three elements lean on each other for support. Code integrity will not work on its own if a user’s confidential password is easily stolen or guessed. All aspects are important to a solid and secure platform.
Security is a lot of hard work. Apart from the work that can be done in code, there’s a huge human element to this framework. Security is a constant process; it can’t be solved by a single plugin.
Part 1: Integrity — Trust Nothing
Verify the intent of user actions and the integrity of the data you’re handling. Throw your inner hippie out the door. Nothing can be trusted online, so double-check everything you do for possible malicious intent.
Data Validation and Sanitization
WordPress is excellent at handling data. It makes sure that every interaction is validated and that every bit of data is sanitized, but that’s only in WordPress core. If you’re building your own plugin or theme or even just checking a piece of third-party code, knowing how to do this is essential.
// Cast our variable to a string, and sanitize it.
update_post_meta( $post->ID, 'some-meta', sanitize_text_field( (string) $_POST['some-meta'] ) );

// Make sure our variable is an absolute integer.
update_post_meta( $post->ID, 'some-int', absint( $_POST['int'] ) );
In this example, we’ve added two pieces of data to a WordPress post using update_post_meta. The first is a string; so, we cast it as a string in PHP and strip unwanted characters and tags with sanitize_text_field, one of WordPress’ many sanitization functions.
We’ve also added an integer to that post and used absint to make sure this is an absolute (and non-negative) integer.
Using core WordPress functions such as update_post_meta is a better idea than using the WordPress database directly. This is because WordPress checks everything that needs to be stored in the database for so-called SQL injections. A SQL injection attack runs malicious SQL code through the forms on your website. This code manipulates the database to, for instance, destroy everything, leak user data or create false administrator accounts.
If you ever need to work with a custom table or perform a complicated query in WordPress, use the native WPDB class, and use the prepare function on all your queries to prevent SQL injection attacks:
$wpdb->prepare goes through every variable to make sure there’s no chance of a SQL injection attack.
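The pattern described above, as an added example that is not code from the original article: a query built by string concatenation beside the same query built with $wpdb->prepare(), plus the LIKE and insert cases a plugin typically needs. The table wp_ratings and its columns (post_id, score, comment) are assumed for illustration.

```php
<?php
// Added example, not from the original article. The ratings table and its
// columns are assumed; $wpdb->prefix, prepare(), get_results(), esc_like()
// and insert() are standard $wpdb API.

// VULNERABLE: the value lands inside the SQL string unchanged, so a crafted
// value can change the meaning of the query (SQL injection).
function get_ratings_unsafe( $post_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ratings';
    return $wpdb->get_results( "SELECT * FROM {$table} WHERE post_id = " . $post_id );
}

// HARDENED: every variable goes through prepare(). %d coerces the value to an
// integer and %s is quoted and escaped, so the value can never become SQL.
function get_ratings_safe( $post_id, $min_score = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ratings';
    $sql   = $wpdb->prepare(
        "SELECT post_id, score, comment FROM {$table} WHERE post_id = %d AND score >= %d ORDER BY score DESC",
        absint( $post_id ),
        absint( $min_score )
    );
    return $wpdb->get_results( $sql );
}

// LIKE clauses need one extra step: escape the user's own % and _ wildcards
// with esc_like() first, then let prepare() quote the finished pattern.
function search_rating_comments( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ratings';
    $like  = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT post_id, comment FROM {$table} WHERE comment LIKE %s", $like )
    );
}

// Writes: $wpdb->insert() takes the data plus a matching list of format
// specifiers, so the values are prepared for you; sanitize them first anyway.
function add_rating( $post_id, $score, $comment ) {
    global $wpdb;
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'ratings',
        array(
            'post_id' => absint( $post_id ),
            'score'   => max( 1, min( 5, absint( $score ) ) ),
            'comment' => sanitize_text_field( $comment ),
        ),
        array( '%d', '%d', '%s' )
    );
    return false !== $inserted ? (int) $wpdb->insert_id : 0;
}
```

Only the table name, which comes from the trusted $wpdb->prefix, is interpolated directly; everything that originates from a request is a prepare() argument.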
Escaping
Escaping output is just as important as sanitizing input. Validating data before you save it is important, but you can’t be 100% sure it’s still safe. Trust nothing. WordPress uses a lot of filters to enable plugins and themes to change data on the fly, so there’s a good chance that your data will get parsed through other plugins as well. Escaping data before adding it to your theme or plugin is a smart thing to do.
Escaping is mainly meant to prevent cross-site scripting (XSS) attacks. XSS attacks inject malicious code into the front end of your website. An added bonus of escaping data is that you can be sure that your markup is still valid afterwards.
Escape as late as possible. This ensures that you have the final say over your data.
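The three boundaries described above (sanitize on input, prepare for the database, escape on output) in one place, as an added example that is not code from the original article. It assumes a hypothetical "event" post type and a custom table `{$wpdb->prefix}event_rsvps` with columns `event_id` and `email`; all function, meta and table names are assumptions.

```php
<?php
// Added example, not from the original article. Table and meta key names are
// assumptions; the WordPress functions used are real core functions.

/**
 * Save submitted event data. Input is sanitized once, at the point of entry.
 */
function example_save_event( int $post_id ): void {
    // Strings: cast, then strip tags and invalid UTF-8 with sanitize_text_field().
    $venue = sanitize_text_field( (string) ( $_POST['venue'] ?? '' ) );
    update_post_meta( $post_id, 'event_venue', $venue );

    // Integers: absint() guarantees a non-negative integer, never a string.
    $capacity = absint( $_POST['capacity'] ?? 0 );
    update_post_meta( $post_id, 'event_capacity', $capacity );

    // Email has its own sanitizer; an invalid address sanitizes to ''.
    $contact = sanitize_email( (string) ( $_POST['contact'] ?? '' ) );
    if ( '' !== $contact ) {
        update_post_meta( $post_id, 'event_contact', $contact );
    }
}

/**
 * Count RSVPs in a custom table. Every user-controlled value goes through a
 * $wpdb->prepare() placeholder; nothing is concatenated into the SQL string.
 */
function example_count_rsvps( int $event_id, string $email_domain ): int {
    global $wpdb;
    $table = $wpdb->prefix . 'event_rsvps'; // assumed table name
    // LIKE patterns need esc_like() before prepare(): otherwise a user-supplied
    // '%' or '_' changes the meaning of the pattern even though it is quoted.
    $pattern = '%@' . $wpdb->esc_like( $email_domain );
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE event_id = %d AND email LIKE %s",
        $event_id,
        $pattern
    );
    return (int) $wpdb->get_var( $sql );
}

/**
 * Render the stored values. Escaping happens here, as late as possible, with
 * the escaper chosen for the context the value lands in.
 */
function example_render_event( int $post_id ): string {
    $venue    = (string) get_post_meta( $post_id, 'event_venue', true );
    $capacity = (int) get_post_meta( $post_id, 'event_capacity', true );
    $contact  = (string) get_post_meta( $post_id, 'event_contact', true );

    $html  = '<p class="venue" title="' . esc_attr( $venue ) . '">'; // attribute context
    $html .= esc_html( $venue ) . '</p>';                            // text context
    $html .= '<p>Capacity: ' . $capacity . '</p>';                   // cast int, safe
    $html .= '<a href="' . esc_url( 'mailto:' . $contact ) . '">';   // URL context
    $html .= esc_html( $contact ) . '</a>';
    return $html;
}
```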
Securing Requests
WordPress admin requests are already pretty secure if you have SSL enabled and if you have a decent host, but some vulnerabilities still exist. You need to check a user’s intent and validate that the incoming request is something that was done by the actual logged-in user.
WordPress validates intent with nonces. A nonce (or “number used only once”) isn’t really an accurate description of this API in WordPress. It doesn’t only use numbers, and it is much more like a cross-site request forgery (CSRF) token that you’ll find in every modern web framework. These tokens make sure hackers can’t repeat requests. It’s a lot more than just a nonce, but WordPress likes backwards-compatibility, so the name stuck.
Nonces are sent along with every vulnerable request that a user makes. They’re attached to URLs and forms, and they always need to be checked on the receiving end before performing the request. You can add a nonce to a form or a URL. Here’s an example used in a form:
<form method="post">
    <!-- Add a nonce field: -->
    <?php wp_nonce_field( 'post_custom_form' ); ?>
    <!-- other fields: -->
    ...
</form>
The first field checks intent by using a generated code with the 'post_custom_form' string that we’ve passed to the function. The second field adds a referrer to validate whether the request was made from within the WordPress installation.
Before processing your task on the other end of the form or URL, you would check the nonce and its validity with wp_verify_nonce:
Here, we’re checking the nonce with our action name, and if it doesn’t match, we stop processing the form.
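The full round trip for the 'post_custom_form' nonce above, as an added example that is not code from the original article: the form that emits the nonce, and the handler that verifies it before doing anything else. The form action, option name and `example_` function names are assumptions.

```php
<?php
// Added example, not from the original article. Function, hook and option
// names are assumptions; the WordPress functions called are real core functions.

/**
 * Print the form. wp_nonce_field() emits the _wpnonce field tied to the
 * action string, plus the _wp_http_referer field.
 */
function example_render_custom_form(): void {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'post_custom_form' ); ?>
        <input type="hidden" name="action" value="example_custom_form">
        <input type="text" name="site_tagline">
        <button type="submit">Save</button>
    </form>
    <?php
}

/**
 * Handle the submission. Three checks, in this order: is the request genuine
 * (nonce), is the user allowed to do this (capability), is the data clean
 * (sanitize). A nonce proves intent, not authorization, so it never replaces
 * the capability check.
 */
function example_handle_custom_form(): void {
    // wp_verify_nonce() returns 1 (current tick), 2 (previous tick) or false.
    // check_admin_referer( 'post_custom_form' ) is the core shorthand that
    // verifies and calls wp_die() on failure; this spells it out.
    $nonce = isset( $_POST['_wpnonce'] ) ? (string) $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'post_custom_form' ) ) {
        wp_die( 'Invalid request.', 'Error', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do this.', 'Error', array( 'response' => 403 ) );
    }

    $tagline = sanitize_text_field( (string) ( $_POST['site_tagline'] ?? '' ) );
    update_option( 'blogdescription', $tagline );

    // Redirect back; wp_safe_redirect() refuses off-site targets.
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_example_custom_form', 'example_handle_custom_form' );
```

For a URL-based action, `wp_nonce_url( $url, 'post_custom_form' )` appends the same `_wpnonce` parameter, and the receiving end verifies it from `$_GET` in exactly the same way.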
Third-Party Code
Third-party plugins and themes are a hotbed for hacks. They’re also the toughest nut to crack when ensuring the security of your website.
Most WordPress hacks are caused by plugins, themes, and out-of-date copies of WordPress. No piece of software is 100% secure, but a lot of plugins and themes out there either haven’t been updated in a while by their developers or weren’t secure to begin with.
Less code means less to hack. So, before installing yet another plugin, ask yourself whether you really need it. Is there another way to solve this problem?
If you’re sure you need a plugin or theme, then judge it carefully. Look at the rating, the “last updated” date and the required PHP version when browsing through WordPress’ plugin directory. If you’ve found what you’re looking for and everything seems to work, search for any mentions of it on a trusted security blog, such as Sucuri or WordFence.
Another option is to scan the code and make sure it contains proper nonces, sanitization and escaping; these are usually signs of well-written and secure code. You don’t have to know PHP or do a complete code review. A simple and quick way to verify proper use of WordPress security functions is to search the plugin’s code for these strings:
esc_attr
esc_html
wp_nonce_field
wp_nonce_url
sanitize_text_field
$wpdb->prepare
A plugin could still be secure if it doesn’t include all of these strings, but if none or a low number of these strings are found, that is a red flag. If you do find a vulnerability, please share it with the creator in private, and allow them time to fix it.
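The string search just described, as an added example that is not code from the original article: a stand-alone CLI script that counts the listed indicators across a plugin directory and sets them against the number of places where request input is read. The comparison heuristic and the `example_` names are assumptions; the indicator list is the one above.

```php
<?php
// Added example, not from the original article.
// Usage: php audit-plugin.php /path/to/plugin
// Runs without WordPress; it only reads the plugin's PHP source.

// The indicators listed in the article.
const EXAMPLE_GOOD_SIGNS = array(
    'esc_attr', 'esc_html', 'wp_nonce_field', 'wp_nonce_url',
    'sanitize_text_field', '$wpdb->prepare',
);
// Each superglobal read is a point where untrusted input enters the plugin.
// The ratio of input reads to protective calls is the heuristic (assumption).
const EXAMPLE_INPUT_READS = array( '$_POST', '$_GET', '$_REQUEST' );

/** Count occurrences of each needle over every .php file under $dir. */
function example_count_strings( string $dir, array $needles ): array {
    $counts = array_fill_keys( $needles, 0 );
    $iter = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir ) );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() || $file->getExtension() !== 'php' ) {
            continue;
        }
        $src = (string) file_get_contents( $file->getPathname() );
        foreach ( $needles as $needle ) {
            $counts[ $needle ] += substr_count( $src, $needle );
        }
    }
    return $counts;
}

/** Summarize: how many protective calls per input read, and which are absent. */
function example_audit_plugin( string $dir ): array {
    $good   = example_count_strings( $dir, EXAMPLE_GOOD_SIGNS );
    $inputs = example_count_strings( $dir, EXAMPLE_INPUT_READS );
    $protective = array_sum( $good );
    $reads      = array_sum( $inputs );
    return array(
        'counts'   => $good,
        'missing'  => array_keys( array_filter( $good, fn( $n ) => 0 === $n ) ),
        'reads'    => $reads,
        // Red flag (assumed threshold): input is read but protective calls are
        // rarer than reads, or none of the indicators appear at all.
        'red_flag' => 0 === $protective || ( $reads > 0 && $protective < $reads ),
    );
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) && is_dir( $argv[1] ) ) {
    $report = example_audit_plugin( $argv[1] );
    foreach ( $report['counts'] as $needle => $n ) {
        printf( "%-22s %d\n", $needle, $n );
    }
    printf( "superglobal reads:     %d\n", $report['reads'] );
    printf( "missing: %s\n", $report['missing'] ? implode( ', ', $report['missing'] ) : 'none' );
    printf( "red flag: %s\n", $report['red_flag'] ? 'yes, review before installing' : 'no' );
}
```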
Keeping track of vulnerabilities in the WordPress plugin space is getting easier with initiatives such as wpvulndb.
Note: Some themes out there bundle versions of plugins with their code. This is a symptom of WordPress not having great out-of-the-box dependency management, but it’s also a sign of a very poorly written theme. Always avoid these themes because they include code bases that can’t be updated.
Themes and plugins rarely contain code written by only one developer. Composer and NPM have made it so much easier to depend on other libraries that it’s become a popular attack vector. If you’re downloading a cut-and-dry WordPress theme or plugin, this really isn’t a concern, but if you’re working with tools that use Composer or NPM, then it doesn’t hurt to check their dependencies. You can check Composer dependencies with a free command-line interface (CLI) tool by SensioLabs. A service such as Snyk (which you can use for free but which also has premium options) enables you to check every dependency in your project.
Part 2: Availability: Keep It Simple
Your main goal is to keep your website online without interruptions. Even with top-notch security, you can still get in trouble. When that happens, a great backup will save you a big headache.
Updates
Open-source can’t exist without updates. Most attacks on WordPress websites happen on outdated versions of either the core software or plugins. Security updates to WordPress’ core are now dealt with automatically (unless you’ve disabled this, you monster!), but security updates in plugins are a different story.
Updating is normally safe with popular, trusted plugins, but all plugins should be tested before they go live on your website. Tools such as WP CLI make updating everything much easier. WordPress lead developer Mark Jaquith had an excellent blog post on updating all plugins automatically yet gradually, so that you can filter out possible errors.
Users, Roles and Capabilities
“Availability” in the CIA triad has to do with getting information in the right hands. Our main priority with this is limiting the capabilities of your back-end users. Don’t give everyone an admin account.
The admin account in WordPress is unusually powerful. There’s even an option in vanilla WordPress to alter your complete code base from within the WordPress admin account. (If this is new to you and you haven’t disabled this, please do.)
The roles and capabilities system in WordPress is powerful and is very easy to alter in code. I create a lot of new roles when working with WordPress. The main benefit of this is that you get full control over which parts of the system various users get to access, but another huge benefit is that it prevents third-party code from altering the standard capabilities of WordPress core.
Email
WordPress usually handles email via the server it’s on, but this makes all of your email completely dependent on the server it’s running on. Prevent your emails from getting intercepted and seen as spam by using an SMTP service. A lot of plugin options are available to make sure that all of your mail is sent over a secure SMTP connection.
You will, however, need access to the domain name’s DNS settings to add a Sender Policy Framework (SPF) record. All good SMTP services will provide the exact record that needs to be added. An SPF record ensures that your SMTP service is authorized by the domain to send email in its name.
Monitoring
Monitoring your website online is a 24/7 task that can be fully automated. In the case of WordPress, we’re interested in uptime and file integrity.
Monitoring uptime is usually something a good host will do for you. Tools such as Uptime Robot add even more security. Your first 50 websites are completely free.
Regarding file integrity, if a hacker gains access to your server they can change your code.
In this case, plugins are the answer to your problem. Sucuri has a great auditing plugin. It checks all files in your installation against a vast database of known malicious code. It also checks whether WordPress core is still 100% WordPress core, and it gives you a heads up if there’s been a breach, so that you can fix it as soon as possible.
Backups
The ultimate fail-safe of every security process is automated backups. Most good hosts will do this for you, but there are other good options if your host doesn’t offer backups. Automattic makes one named VaultPress, and tools such as BackupBuddy back up to a Dropbox account or an Amazon S3 bucket.
Most of the reliable services in the WordPress backup space are either premium services or premium plugins. Depending on whether you need to fully control your data, you might prefer a plugin that comes with a cloud host, instead of a service. Either one is worth every penny, though.
Hosting
WordPress isn’t the only piece of software running on your server. Plenty of attack vectors are open when you’re on crappy hosting. In fact, bad hosting is the main reason why WordPress still supports outdated versions of PHP. At the time of writing, WordPress’ own statistics page reports that 32.5% of all WordPress installations are running on PHP versions that do not receive security updates anymore.
Note the almost 60% of installations running on PHP 5.6 and 7.0, which will receive security patches only until the end of this year.
Hosting is important not only for keeping your server’s software up to date, though. A good host will offer many more services, such as automated daily backups, automated updates, file-integrity monitoring and email security. There’s a big difference between managed WordPress hosts and hosts that give you an online folder with database access.
The best advice is to find a decent managed WordPress host. They cost a little more, but they provide a great backbone for your WordPress website.
Part 3: Confidentiality
If you’ve made sure that your code base is as secure as it can be and you’re on a great WordPress host, surrounded by malware scanners and backups, then you’re still going to experience security problems, because people are the worst… at Internet security.
Confidentiality is about educating yourself, your client and the users of the website.
Confidential Data
You might not know it, but your plugins and themes are probably showing valuable confidential data. If, for instance, you have WP_DEBUG set to true, then you’re showing every hacker your website’s root path on the server. Debugging data should have no place in your production website.
Another valuable data source is comments and author pages. These are filled with usernames and even email addresses. A hacker could use these in combination with a weak password to get into your website. Be wary of what you show the outside world.
Also, double-check that you’ve put wp-config.php in your .gitignore.
Don’t Code Alone
A way to prevent a lot of mistakes from sneaking into your code base is to practice pair programming. If you’re by yourself, this is a lot harder, but many online communities are available that are willing to do quick code audits. WordPress, for instance, uses Slack to communicate everything about the development of its platform. You will find a lot of people on there who are willing to help. Slower but better alternatives are the WordPress forums, StackOverflow and GitHub Issues, where your questions (and their answers!) are saved so that other people can benefit from them.
Asking for input can be tough, but people love showing their expertise, and WordPress in general has a very open and welcoming community. The point is that if you never ask for input on the quality of your code, then you will have no idea whether your code is secure.
Logins and Passwords
Your clients will need to log into WordPress to manage their content. WordPress core does what it can to prevent weak passwords from getting through, but this usually isn’t enough.
I’d recommend adding a plugin for two-factor authentication to your website, along with a limit on login attempts. Even better, do away with passwords entirely and work with magic links.
Trust But Verify
So far in this article, we haven’t talked about social engineering at all. It’s a form of hacking that’s gaining momentum, but it generally isn’t used to hack into WordPress websites. It is, however, an excellent way to set up the culture around your website with security in mind. That’s because the best defense against social engineering is “Trust but verify”.
Whenever a client, a user or your boss asks for something related to security, the best way to deal with it is to trust but first to verify whether what they are saying is true.
A client can claim they need administrator access to WordPress, but your job is to verify whether this is true. Do they actually need access, or are they missing just a single capability in their role? Is there a way to solve this problem without adding possibly new attack vectors?
“Trust but verify” is a simple yet effective mantra when it comes to security questions, and it can really help get people up to speed.
Conclusion
Is WordPress insecure? No, it’s not. WordPress core is constantly being updated and fixed, and most reported WordPress hacks aren’t from WordPress itself. Is the culture surrounding WordPress insecure? You betcha!
But by having security in mind with every line of code you write, every user you add, every plugin you enable and every hosting bill you pay, you can at least ensure that you’re running a secure website that keeps your reputation intact and your data safe.
Complexity eats a lot of time and resources.
The amount of time and resources increases exponentially with the complexity of the system.
Complexity can be measured by lines of code, levels of hierarchy and amount of tools used.
Linear is much better than nested.
A simpler system takes much less brain power to understand, which also increases developer efficiency and reduces the number of issues, because developers are less tired and there are fewer places for issues to hide.
Simpler is much easier to debug and to maintain and to extend.
<div class="row">
<div class="col-6 col-sm-12">
Left column. 50% on large screens. 100% on smaller screens.
</div>
<div class="col-6 col-sm-12 col-right">
Right column. 50% on large screens. 100% on smaller screens. Has different background for visual difference.
</div>
</div>
Floating-point numbers are represented in computer hardware as base 2 (binary)
fractions. For example, the decimal fraction
0.125
has value 1/10 + 2/100 + 5/1000, and in the same way the binary fraction
0.001
has value 0/2 + 0/4 + 1/8. These two fractions have identical values, the only
real difference being that the first is written in base 10 fractional notation,
and the second in base 2.
Unfortunately, most decimal fractions cannot be represented exactly as binary
fractions. A consequence is that, in general, the decimal floating-point
numbers you enter are only approximated by the binary floating-point numbers
actually stored in the machine.
The problem is easier to understand at first in base 10. Consider the fraction
1/3. You can approximate that as a base 10 fraction:
0.3
or, better,
0.33
or, better,
0.333
and so on. No matter how many digits you’re willing to write down, the result
will never be exactly 1/3, but will be an increasingly better approximation of
1/3.
In the same way, no matter how many base 2 digits you’re willing to use, the
decimal value 0.1 cannot be represented exactly as a base 2 fraction. In base
2, 1/10 is the infinitely repeating fraction
Stop at any finite number of bits, and you get an approximation. On most
machines today, floats are approximated using a binary fraction with
the numerator using the first 53 bits starting with the most significant bit and
with the denominator as a power of two. In the case of 1/10, the binary fraction
is 3602879701896397/2**55 which is close to but not exactly
equal to the true value of 1/10.
Many users are not aware of the approximation because of the way values are
displayed. Python only prints a decimal approximation to the true decimal
value of the binary approximation stored by the machine. On most machines, if
Python were to print the true decimal value of the binary approximation stored
for 0.1, it would have to display
That is more digits than most people find useful, so Python keeps the number
of digits manageable by displaying a rounded value instead
>>> 1/10
0.1
Just remember, even though the printed result looks like the exact value
of 1/10, the actual stored value is the nearest representable binary fraction.
Interestingly, there are many different decimal numbers that share the same
nearest approximate binary fraction. For example, the numbers 0.1 and 0.10000000000000001 and 0.1000000000000000055511151231257827021181583404541015625 are all
approximated by 3602879701896397/2**55. Since all of these decimal
values share the same approximation, any one of them could be displayed
while still preserving the invariant eval(repr(x))==x.
Historically, the Python prompt and built-in repr() function would choose
the one with 17 significant digits, 0.10000000000000001. Starting with
Python 3.1, Python (on most systems) is now able to choose the shortest of
these and simply display 0.1.
Note that this is in the very nature of binary floating-point: this is not a bug
in Python, and it is not a bug in your code either. You’ll see the same kind of
thing in all languages that support your hardware’s floating-point arithmetic
(although some languages may not display the difference by default, or in all
output modes).
For more pleasant output, you may wish to use string formatting to produce a limited number of significant digits:
>>> format(math.pi, '.12g')  # give 12 significant digits
'3.14159265359'
>>> format(math.pi, '.2f')   # give 2 digits after the point
'3.14'
>>> repr(math.pi)
'3.141592653589793'
It’s important to realize that this is, in a real sense, an illusion: you’re
simply rounding the display of the true machine value.
One illusion may beget another. For example, since 0.1 is not exactly 1/10,
summing three values of 0.1 may not yield exactly 0.3, either:
>>> .1 + .1 + .1 == .3
False
Also, since the 0.1 cannot get any closer to the exact value of 1/10 and
0.3 cannot get any closer to the exact value of 3/10, then pre-rounding with round() function cannot help:
Though the numbers cannot be made closer to their intended exact values,
the round() function can be useful for post-rounding so that results
with inexact values become comparable to one another:
>>> round(.1 + .1 + .1, 10) == round(.3, 10)
True
Binary floating-point arithmetic holds many surprises like this. The problem
with “0.1” is explained in precise detail below, in the “Representation Error”
section. See The Perils of Floating Point
for a more complete account of other common surprises.
As that says near the end, “there are no easy answers.” Still, don’t be unduly
wary of floating-point! The errors in Python float operations are inherited
from the floating-point hardware, and on most machines are on the order of no
more than 1 part in 2**53 per operation. That’s more than adequate for most
tasks, but you do need to keep in mind that it’s not decimal arithmetic and
that every float operation can suffer a new rounding error.
While pathological cases do exist, for most casual use of floating-point
arithmetic you’ll see the result you expect in the end if you simply round the
display of your final results to the number of decimal digits you expect. str() usually suffices, and for finer control see the str.format()
method’s format specifiers in Format String Syntax.
For use cases which require exact decimal representation, try using the decimal module which implements decimal arithmetic suitable for
accounting applications and high-precision applications.
Another form of exact arithmetic is supported by the fractions module
which implements arithmetic based on rational numbers (so the numbers like
1/3 can be represented exactly).
If you are a heavy user of floating point operations you should take a look
at the Numerical Python package and many other packages for mathematical and
statistical operations supplied by the SciPy project. See <https://scipy.org>.
Python provides tools that may help on those rare occasions when you really do want to know the exact value of a float. The float.as_integer_ratio() method expresses the value of a float as a
fraction:
Since the ratio is exact, it can be used to losslessly recreate the
original value:
>>> x == 3537115888337719 / 1125899906842624
True
The float.hex() method expresses a float in hexadecimal (base
16), again giving the exact value stored by your computer:
>>> x.hex()
'0x1.921f9f01b866ep+1'
This precise hexadecimal representation can be used to reconstruct
the float value exactly:
>>> x == float.fromhex('0x1.921f9f01b866ep+1')
True
Since the representation is exact, it is useful for reliably porting values
across different versions of Python (platform independence) and exchanging
data with other languages that support the same format (such as Java and C99).
Another helpful tool is the math.fsum() function which helps mitigate
loss-of-precision during summation. It tracks “lost digits” as values are
added onto a running total. That can make a difference in overall accuracy
so that the errors do not accumulate to the point where they affect the
final total:
DRY is often misinterpreted as the necessity to never repeat the exact same thing twice. This is impractical and usually counterproductive, and can lead to forced abstractions, over-thought and over-engineered code. (Harry Roberts)
DRY, SRP, modularity, etc. are not ultimate goals or strict rules. They are just principles and recommendations.