As a client service provider by day, one of the problems I regularly run into with WordPress is tracking and monitoring user activity. When a project has multiple users making changes every day, it can become a game of “he said, she said” when things go wrong and no one can be held accountable. WP Security Audit Log aims to help solve problems like that, as well as keep WordPress administrators aware of any suspicious behavior taking place on their site that might be malicious in nature.
Developer Robert Abela took the time to discuss how he became interested in WordPress security, the biggest difficulties that have come up during WP Security Audit Log’s development and some interesting talking points about why his company stopped using Easy Digital Downloads.
Can you start by telling me a bit about yourself and how you got started working with WordPress?
Thank you for having me on this interview, Brian. I am Robert Abela, the founder of the WP Security Audit Log plugin and the WP White Security website. I am from sunny Malta but live in Scotland. I worked in software startup companies for the first 15 years of my career. I worked as a QA engineer, systems engineer, researcher, project manager, product manager and VP of marketing. Five years ago I left the corporate world and started working solo, doing contract work and focusing on the plugin.
I got to know about WordPress around nine years ago, during my last full-time corporate job. We needed a blog and started using WordPress. While using WordPress we noticed that there were a lot of opportunities in the WordPress security industry, and since we were a web application security software company we built a WordPress security service. Unfortunately the product never really took off, but it was a good opportunity for me to learn even more about the WordPress ecosystem, and it got me hooked.
What was the initial inspiration for WP Security Audit Log?
Since I had a security background and had just worked on WordPress, when I left my corporate job to work solo I started doing WordPress website security audits and cleanups through WP White Security.
While doing cleanups and security audits I noticed that none of the admins used a WordPress activity log plugin. I found it very odd for someone to run a powerful CMS such as WordPress, with multiple users working together, and not have any sort of audit/activity log solution. I looked for a solution back then and only found two non-maintained plugins. This was not surprising since, even though audit logs are as useful as hardening in security, they are not easy to sell because they do not have a direct impact on the running and operation of a website. So I decided to start developing a plugin myself because I thought it was easy!
Was there any portion of the plugin, or a particular premium feature, that was difficult to develop and why was that so?
We have been developing this plugin for five years now, and it is installed on more than 80,000 websites, so we do encounter a few problems from time to time. It is the nature of the business, especially when a plugin and its popularity start to grow. So I’d like to share our top three problems that we had and still have in some cases: a technical problem, an operations problem and a usability problem.
The technical problem is performance. The WP Security Audit Log plugin keeps a log of every change a logged-in user makes. So on larger websites, where you have hundreds and sometimes even thousands of users logged in and doing work at the same time, performance becomes a concern. In the early days we had quite a few issues, but thanks to the cooperation of the users we managed to nail them all down. Nowadays we are still working on performance – we do not have problems as such, but we are always looking at ways to improve the resource footprint of the plugin. It is a constant challenge of finding the right balance between providing functionality and using the available resources in the most efficient way. I wrote more about this subject in a plugin performance post.
The operations problem is testing. With every release we have to make sure that every event is captured by the plugin. Considering the plugin keeps a log of more than 350 different events that can happen on a WordPress website, and the list is ever growing, it is impossible to manually test every single event. We have started working on automating the plugin testing but are not even close to ready. Apart from the challenge of building the environment and finding the right tools, we also have the challenge of when to allocate the resources to work on this project vs. developing more features on the plugin. And automated testing is a must, since we do frequent releases and we want to deliver a good quality plugin that works.
The last big problem we are currently dealing with is a usability problem, which is caused by what differentiates us from the competition. The WP Security Audit Log plugin is known for having a very comprehensive activity log, and that’s all good for advanced users. Though when someone who is new to WordPress and security installs the plugin, they are overwhelmed by the amount of information the plugin reports. So at the moment we are working on finding the right balance, and developing a solution that does not take away any of the information experts need, yet at the same time lets beginners easily accustom themselves to the plugin.
You have written a huge piece about your recent transition from Easy Digital Downloads to Freemius. I like EDD but admit it’s not without problems. Could you explain what your biggest gripe was with EDD as a checkout solution and how Freemius helped solve it?
First let me say that I have got nothing against EDD. It helped me start the business and I am sure that it is a good fit for many businesses. There is no perfect solution, though Freemius is a much better solution at this stage. And this is not just about a single issue or process.
We are at a delicate stage during which the business and the plugin are really growing, yet we do not have the resources to do all the things that Freemius does for us on EDD and remain profitable. Most of the things we had to manually set up and manage with EDD are automated with Freemius, and even better, optimized.
Let’s just use the checkout as an example. The EDD checkout form and process are very long when compared to the single-click Freemius checkout. We could have optimized the EDD checkout ourselves, but that would have required us to customize it ourselves, which means designing it, writing code, running A/B tests and much more. On the other hand, Freemius’ customer base is plugin developers, so their checkout has already been A/B tested and fully optimized to sell what we sell, WordPress plugins. This is just one example. The same applies to many other things such as cart abandonment, auto follow-up emails, in-plugin purchases and much more, as explained in Why we switched from Selling Our WordPress Plugin with EDD to Freemius.
WP Security Audit Log seems like it would be useful to anyone who has to deal with WordPress sites maintained by large groups of users. How do you market to and find those types of customers to buy your plugin?
The WP Security Audit Log plugin is also very useful to a single-user website owner, though that is something we can discuss in another interview. I do not want to veer off topic. To answer your question, I do not think it is just about marketing. It is a mix of having the right product, marketing message and outreach efforts.
Developing the Right Product
The best products are those created because of a personal need. The WP Security Audit Log plugin is that type of product. I was a systems engineer in the early days of my career, during which I managed a large web farm. So I have first-hand experience of what it takes to manage large websites. When I started working on WordPress and didn’t find the right tools that enabled me to know what is happening on my and my clients’ websites, I started developing the plugin. My own personal experience is the key to success in our business, because I can better understand what the market needs and develop the right features.
To convince someone to use your product you have to speak their language. You cannot use lingo that does not capture the attention of your audience. For example, the message “see exactly what your guest bloggers are doing on your website” might work with big WordPress website owners who accept guest posts, but does not really interest a systems engineer or a webmaster of a finance institution. So you need to tailor your message to reflect your product and to apply to your target audience.
You can have the best product in the world but if people do not know about it, it is of no use. This goes hand in hand with the marketing message. Once you have the right message, it is important to put that message where your target audience can see it. We make an effort to better understand our audience, and learn about what they like to read and which websites they visit every day. You can also do this by asking your existing customers. The more you learn about your target audience the easier it will be to target them and tell them about your solution.
I always ask people to offer advice to others just starting out in WordPress plugin development. What is one thing you wish you had known before you started building and selling WP Security Audit Log that would be helpful today?
Dedicate yourself to what you are doing. This might sound like a cliché, but it is what really helped me grow my hobby into a business. In the early years I never gave the plugin enough attention; I wasn’t confident it could actually be a business. So I always treated the plugin as a side project / hobby. Though when I gave it a shot and dedicated some resources to it, things took a turn in the right direction. Hard work is a must and nothing is easy. If it was easy, everyone would do it!
What’s next for yourself and WP Security Audit Log? Are there any new releases or features to look forward to in the future?
There is a lot in store for me and the WP Security Audit Log plugin. This year I am stopping all contract work so I can focus full time on the plugin. The process has already started. In fact I need to find some time to update the services pages on the WP White Security website because I no longer do any WordPress security hardening and audits.
As for the plugin, we try to release an update every month, or every five to six weeks. In the next update we will have much-awaited file integrity checks and logs – the plugin will keep a record in the WordPress activity log when a file is added, modified or deleted from your WordPress website. That is a first for a WordPress activity log plugin and we are very proud of this.
Through the WP Security Audit Log plugin we have pioneered a few things in the WordPress industry, and because of our work security audit logs (also known as activity logs) have now become a common topic when talking about WordPress security. So we will keep on pushing forward, developing new features to enable WordPress administrators to keep a record of everything that happens on their WordPress websites and multisite networks.
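The file integrity checks described in the answer above, as an added example that is not WP Security Audit Log's own code: a baseline of SHA-256 hashes is taken for every file under the install, and a later baseline is compared against it to report added, modified and deleted files, which is what such a plugin would then write to its activity log. The directory layout and file contents in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def build_baseline(root: str) -> Dict[str, str]:
    """Walk root and return {relative_path: sha256_hex} for every regular file."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets, broken symlinks, etc.
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[rel] = digest.hexdigest()
    return baseline


def compare_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between two baselines, as an activity log would record it."""
    return {
        "added": sorted(p for p in new if p not in old),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
        "deleted": sorted(p for p in old if p not in new),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed sample install: take a baseline, change files, compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", b"<?php define('DB_NAME', 'wp');\n")
        _write(root, "wp-content/plugins/hello.php", b"<?php // hello\n")
        before = build_baseline(root)
        _write(root, "wp-config.php", b"<?php define('DB_NAME', 'wp2');\n")  # modified
        _write(root, "wp-content/plugins/extra.php", b"<?php // new\n")  # added
        os.remove(os.path.join(root, "wp-content", "plugins", "hello.php"))  # deleted
        return compare_baselines(before, build_baseline(root))
```

In a real deployment the baseline would be stored outside the web root (or signed), since an attacker who can modify files can otherwise also rewrite the baseline.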