Dougal Campbell Interview

Interviews

Meet Dougal Campbell (@dougal), one of the original (hardcore!) WordPress developers, contributing features such as XML-RPC API support, Post Custom Fields, mass re-enabling of plugins, and Conditional GET support for feeds. If that wasn’t enough he’s written numerous plugins, created a theme, and worked on several high-profile websites, such as DoctorOz.com, NCAA.com, PGA.com, and Weather.com.

Today we talk about how WordPress has changed over time, the merits and challenges of Open Source software, WordPress security, digging into the guts of WP, and more development goodness than you could shake a bundle of sticks at.

What was your background before coming to WordPress development, and how did WordPress first come into your life?

My first experiences with the web were at the very beginning of everything. In the early-/mid-1990s, I was the Systems Manager for one of the first ISPs in Huntsville, Alabama. Early on, we just offered dial-up access to a Major BBS system, which was connected to a Linux box, which provided gateway access for things like email, usenet newsgroups, file transfers, and a gopher interface. This was in the 0.99.x days of the Linux kernel, and the question of whether to pronounce ‘Linux’ with a long or short ‘I’ sound were just starting. And the World Wide Web was still an academic experiment that nobody had heard of yet.

But it wasn’t long before this cool new program called ‘NCSA Mosaic‘ started making the rounds, and the GUI interface for hypertext documents was much cooler than the text-based menus offered by gopher. Mosaic was followed by Netscape Navigator (and later, Microsoft’s Internet Explorer), we upgraded our systems, offering direct SLIP and PPP connections, ISDN service, shell accounts, and customers could create their own homepages.

It was in these early days that I first heard of this CGI script called PHP/FI. At this time, “PHP” stood for “Personal Home Pages” — it was only later that it was renamed to mean “PHP Hypertext Processor”. One of my first experiments was to use PHP and MySQL to create a database-driven news site for our customers, which I loosely modeled after Slashdot. It was my first blog-like system, pulling articles from the database newest-first, and displaying them ten-per-page. I didn’t even bother to make an article editing system, I just used PHPMyAdmin to add new entries to the database.

A few years later, we were starting to see open source blogging software. There were things like Movable Type, PHPNuke, Drupal, and even Slashcode which were fairly well known, and a lot of smaller projects. When I decided to set up a blog of my own, the first system I tried out was one of these lesser-knowns, named MyPHPBlog. I even became a code contributor to that project. But the lead developer was slow to integrate changes and push out new releases, and I became frustrated with it. For a while, I considered creating my own blogware from scratch, but I didn’t really have enough free time for that, so I was also keeping my eye out for other promising projects. I had started looking at b2, and it looked really interesting, but it seemed that its developer had more-or-less disappeared, and other people were forking the code already, or talking about switching to something else. I was already aware of this kid called Photomatt, and he was talking about forking b2 into a new system, with the blessing of b2’s creator.

So I think in March 2003, Matt asked me if I was interested in joining in on this WordPress thing he was kicking off. At the time, I was super busy at work, and replied that I just didn’t have time for it. But in April, things were a little more calm, and we were still exchanging emails about it, and I said that I could try to join in and at least contribute some ideas, if not code. Soon after, I was doing things like adding HTTP 304 browser caching support to the RSS feeds and expanding the XML-RPC API with support for the Movable Type and metaWeblog APIs. I remained an active core contributor for at least the next year or so. And I’ve tried to stay active in the community up to the present day.

As a “Developer Emeritus” of the WordPress platform, and a former Core Developer you added elements to WordPress, such as XML-RPC API support and Post Custom Fields, that are still fundamental today. Which are you proudest of?

I think I ‘d have to say Post Custom Fields. At the time, I was very interested in metadata systems, and I had been experimenting with things like FOAF (the Friend of a Friend data format) and other RDF vocabularies. When I first mentioned the idea of postmeta for WordPress, the other developers seemed to think it was a mildly interesting idea, but were not as excited about it as myself. I knew that it would open the doors for some really fun and interesting possibilities for plugins, though. But even then, I didn’t imagine just how many different ways people would end up using it. Eventually, we also got metadata for users and comments, too.

I’m proudest of that because I love seeing how many different plugins and themes rely on it now, and for all the creative ways people have put it to use!

What are you most and least enthusiastic about the way that WordPress has changed since you first got involved?

I am most enthusiastic about the massive uptake of WordPress. At last count, it’s powering something like 18% of the top 1 million sites? I think *anyone* would have to be impressed by that. And anybody who has ever contributed the least little bit of code or idea to WordPress can say, “I’m a part of that!”

I am least enthusiastic about some of the recent dogmatism we’ve seen over the “100% GPL” guideline for WordCamp contributors. I think the idea of barring someone from organizing or speaking at a WordCamp simply because all of their code is not available in a “100% GPL” fashion (e.g. in a split-license situation where the PHP code is GPL, and the CSS/images are under a different license — which *is* allowed under the GPL interpretations we’ve seen), is just too harsh, and only serves to divide the community.

It would be one thing to ask speakers to only promote “100% GPL” projects at a WordCamp. It’s quite another to bar them from speaking about *anything*.

You’ve developed and contributed several plugins to the WordPress ecosystem. Is that something you’d recommend doing, and are there any caveats to go with that recommendation if so?

I highly recommend it. Sometimes the simplest of ideas can take a life of their own and become popular. If you think of an idea for how to add a feature to your site, and can create a plugin to implement it, you might find that you weren’t the only person to want that feature. Declare it GPL, submit it to the plugin repository, and then have fun obsessing over the download counts! 🙂

The caveat is, on the internet, there are plenty of people with lots of time on their hands who like to point out faults in others. If you are not an expert coder, someone is likely to point out flaws in your code, and sometimes they might do so in a very unkind fashion. If your skin isn’t thick enough to put up with that, and you tend to take criticism of your work personally, it can be very depressing when somebody tears your code apart and tells you that You’re Doing It Wrong! If this happens, try to use it as a learning experience. Find out how to Do It Right, improve your code, and update. Life is all about constantly learning new things. When I first started learning to play trumpet in 7th grade, I sounded pretty terrible. But I practiced, and got better, and in high school I was in the symphonic band and marching band, and had solo parts. It’s the same with coding, and putting your code out for the public to see is like playing a concert in front of an audience.

As your career has developed are there certain types of projects or clients you’ve gravitated toward more, and if so how are those different to the type of projects or clients you were interested in a few years back?

That’s a hard question. I’d *like* to be doing full-time work involving WordPress. But unfortunately, the job market hasn’t been able to lead me in that direction. As a result, lately I’ve been gravitating more towards front-end work (JavaScript and CSS) than back-end coding. With the semi-exception that I’m also interested in the node.js server, though I don’t use that in my work, and I don’t have much time to play with it on the side.

In the past, I have stayed almost exclusively in the back-end of web development, dealing mostly with overall business logic, database interactions, integrating other data systems and sources, etc. But more recently, the browser has become a much more interesting platform in its own right. The power of modern HTML5, JavaScript, WebGL, and other associated bits makes for a very fun playground to explore.

You’ve presented (and will be presenting, at WordCamp Atlanta 2013) on WordPress security more than once. What would your top three tips be for locking down a WordPress installation, and more generally, what are the most overlooked security issues you see developers make?

Fortunately, WordPress itself tends to be pretty secure. Even when we do see point-releases for security problems, most of them have been ‘privilege escalation’ types of things, where you’d already have to be a validated user in order to take advantage of them. Random, anonymous internet users wouldn’t be able to get into anything.

Tips?

1. If your site doesn’t need the ability for new users to register an account, don’t turn that feature on. And don’t create user accounts for anyone that you do not *absolutely* trust. And when you do, only give them the access role they *need* (‘Contributor’, ‘Editor’, etc). If your site *does* need registered users, make absolutely sure that you have a backup system in place. Back up your database, and also any theme or plugin customizations, and maybe your media uploads if those are important. BACKUP, BACKUP, BACKUP!
2. If your web host makes you use FTP to transfer changes to your site, don’t do that (“You’re Doing It Wrong!”). Use a secure file transfer method like FTPS, SFTP, or SCP. If your host doesn’t support a secure file transfer method, it’s time to figure out how to move your site to a service that does. The FTP protocol transmits your password in cleartext, and while you might think the chances of somebody intercepting that information are small, I can assure you that it happens all the time, often to people who do know better.
3. If your web site is mission critical (whether for a business or just because it’s important to you), try to evaluate the reputation of any themes and plugins you add to your site. *For the most part* plugins and themes you download from wordpress.org should be pretty safe. Especially if there are a lot of downloads and good ratings. If there seem to be some bad ratings, read the forums and see if there are valid complaints that you should be concerned about. For third-party sources, if you aren’t sure of the reputation, ask around the community (on Twitter, in the wordpress.org forums, etc.).

Programmers don’t like to re-invent the wheel. Instead, we like to take an existing wheel, share it, improve it, re-share it, improve it some more, and so forth. This is how WordPress came to be. And because of that nature, WordPress contains within it a toolbox full of utility functions that solve common problems, ready for developers to use. This includes many functions to help you code more securely. One of the main things to learn about is the ‘esc_*()‘ family of functions.

Also, for plugin or theme option pages, learn about the Settings API.

Security is such a broad subject, it’s nearly impossible to convey the complexity to someone who doesn’t already have some technical background. You have to consider every piece of a system — not just the WordPress source code, or even just the themes and plugins you add. Because that all sits on top of PHP and MySQL, which have their own security concerns. And PHP is running alongside a web server, which might be Apache, Nginx, IIS, or something else. And those are running on a server, which might be one of several different flavors of Linux, or FreeBSD, or Windows, or who knows what else. And those servers might also be running other services, like SSH, FTP, email, IRC, etc. And if there are other users on the server, they might have installed other software that you don’t even know about. And there are the network routers, and load balancers, and the DNS system, and…! The internet is a vast system, and while individual pieces of it can be somewhat simple, they are woven into a whole that is extremely complex.

You continue to be active in the WordPress community, including presenting at WordCamps. What keeps you involved, and why would you recommend getting involved with the wider WordPress community to someone just starting out?

I suppose my continued involvement largely comes from the fact that I was fortunate enough to be so deeply involved in the early days of WordPress. I enjoy looking back and seeing how far WP has come over the years — how the features and interface have evolved. And even though I can’t always spend as much time working with WP as I might like, I also enjoy guiding newer community members to an “aha!” moment when they understand how to make WP do something they need.

The vast majority of the WordPress community are some of the most helpful and friendly people you could hope to meet. If you ever have a question about how to do something, all you really have to do is ask — on the support forums, on Twitter, the WordPress Stack Exchange, etc. You will generally get answers to your questions by someone who really knows what they’re talking about pretty quickly. And by using that opportunity to learn, and then later pass along some of your own knowledge to somebody newer than yourself, you have a chance to pay it forward.

What are the biggest benefits and challenges you’ve faced working with Open Source software? Does one outweigh the other for you?

The biggest benefit to working with Open Source, especially as a developer, is that I can modify the code however I see fit. There are very few closed source applications that let you do that at all, and if they do, it’s only if you pay a hefty licensing fee and sign strict contracts. As a user, you generally get the benefit that bug fixes and new features are released at a much higher rate than with closed source products. Since the source is available to all, many developers are able to investigate bugs and determine the best way to fix them.

The main challenge, though it’s lessened these days, has been getting companies to utilize Open Source alternatives to closed source commercial products. Most corporations are strongly attuned to Risk Management. With Open Source, you often (but not always) are not dealing with a centralized entity with contracts to hold them accountable should something go wrong with the product. Many companies consider this a very high-risk problem. You find it much less with the kinds of products associated with web development (web servers, database servers, browsers, etc).

You’ve previously advocated getting stuck into the guts of WordPress. What do you think are the least understood or most under-utilized aspects of WordPress as a platform, and how should designer-developers be making better use of them?

I’m not sure I have a good answer for that. I can say that some of the features that *I* am not as familar with as I’d like to be are the WP_Rewrite class, Custom Post Types, and Custom Taxonomies. I’d really like to find time to dig into those more, and find some interesting ways to use them for my own projects.

Maybe I can side-step the question a little bit here, and suggest that if you’re just getting started with learning to write plugins or themes for WordPress, you obviously have to start with the action/filter hook system. Find some simple examples to work from, experiment, learn the basics of those. Poke around in the WordPress source, and find places where it calls do_action() or apply_filters(). As you dig around, you’re very likely to see an action or filter that you never knew about, that might spark ideas for how you can use it for your own needs.

Once you understand the hooks well, start looking at the various files in the wp-includes directory. See how WP uses the walker classes, how the XML-RPC server class can be extended to add new API calls, how the image editor classes are used. Or you can start with your theme files, see how each piece of content is put into place, and what filters it goes through along the way. When you start looking at the code on your own to figure out how it all fits together, you are bound to learn something new and surprising. I can’t tell you how many times I’ve gone through the WordPress source, trying to figure something out, and said, “I didn’t know we had a function to do *that*!”

What’s the biggest difference between web development as a job and web development as a hobby? Can one feed into the other, or should they remain distinct?

Generally speaking, web development as a job will often limit which technologies and platforms you get to work with. On the one hand, by focusing on those core pieces, you will become very proficient with them. But on the other hand, web development as a hobby lets you explore wherever your interests take you. In my current gig, I’m dealing with Drupal, PHP, MySQL, JavaScript, and some of the more common parts of CSS. But what I’d *like* to be playing with node.js, websockets, WebGL, HTML5 canvas, CSS animation, and Arduino systems. And of course, WordPress. 🙂

I think for most people, the two do feed into each other. Obviously, the things you work on as a hobby outside of your job let you explore new areas. This can lead you to have new perspectives, new ways of thinking about and approaching problems, and this will almost always improve your overall skills and ability to do your job. And likewise, the focus you get through your work lets you gain a deeper understanding of your core tools. You get a similar benefit here because that strong reinforcement of knowledge keeps your skills honed and ensures that you are able to solve problems quickly. You can often extrapolate that knowledge and apply it to the new things you are trying to learn in your hobby life.