Often people come to me with a simple “Can you tweak this thing on my website?” and when I get a login I end up fixing basic security and performance and privacy things. This totally isn’t their fault! They don’t know what they don’t know. And my job is to educate and guide them in the right direction.

This lead me to thinking I should do a “WordPress Website Drivers License” course that covers some of the hidden aspects of running a website and helps people understand not only what they need to do, but why they need to do it.

It could be generic, rather than WordPress specific. But focussing on WordPress would give me a chance to talk about tools and settings that are specific to that platform.

There’s a flip side to this though: why does WordPress, out of the box, have so many basic security and performance problems that require initial lockdown? Sure, some “features” of WordPress are wide open to abuse if you can get an admin login, but we could limit the attack vectors; we could close some of the holes.

Surely simple brute force protection/rate limiting, two-factor auth (or password-less login), not-having-a-user-called-admin, page caching, and perhaps even testing SPF records are solved problems now? So why do I have to add these in myself to protect people that I work with?

And yes, I know that some of these things exist and may be merged into WordPress core in future. But until they are, it’s not just the editing experience that puts WordPress behind the likes of SquareSpace and Shopify.