Managing security for the WordPress project is a challenge to say the least. The sheer volume of reports, the resulting noise, securing an aging codebase, handling disclosure – all difficult to handle, but just the tip of the iceberg. How do you motivate and organize a volunteer team? How do you keep sites and users secure with so much third-party code? How do you educate users? When is it okay to break things to fix security issues and how do you manage reputation when you do? Should you backport? How far? They may not have it all figured out, but over the years they’ve learned a lot – often the hard way. Aaron has led the WordPress Security Team since the end of 2016 and been a part of it for over five years. He’ll share what he’s learned along the way, how things have improved, what changes didn’t help (even when they were sure they would), and what things they still struggle with. He’ll also share an overview of the tools they use and processes they follow, in hopes that no one else has to learn the hard way.
Aaron is the WordPress Security Team lead, has been a regular contributor to WordPress for more than a decade, and is currently funded by GoDaddy to work full time on the WordPress open source project. He has over eighteen years of web development experience and worked with clients ranging from small local businesses to Google, Yahoo, Disney, and Harvard. He’s been called both a coffee snob and a beer snob, but considers both to be compliments. When not buried in code, he enjoys spending time with his wife and son, riding his motorcycle, and reading sci-fi/fantasy books.