A valid use case for confirmation emails

Many internet platforms use a pattern in which a confirmation email is sent and the recipient must click an encrypted or nonced link to perform the confirmation action. The business value of this pattern is:

The pattern confirms that the user receiving the email has credential access to the receiving email account, reducing spam and increasing security.

When you sign up for Facebook, they send you an email with a link to confirm your account before it becomes active. This proves to Facebook that the recipient email address is alive, and that the HTTP user requesting the account has the credentials for the recipient email account.
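
The confirmation-link pattern described above, as an added example that is not code from this post, WordPress or Facebook: the server emails an HMAC-signed, expiring, single-use token, and a successful click proves only that the clicker controls the mailbox it was sent to. The function names, secret, timestamp and address are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);
// Added example: every name and value here is hypothetical, not WordPress or Facebook code.

const CONFIRM_TTL = 86400; // a link is valid for 24 hours

// Token for the emailed link: base64 payload, a dot, then an HMAC over the payload.
function issue_token(string $email, string $secret, int $now): string
{
    $nonce = bin2hex(random_bytes(16)); // unguessable and unique per request
    $payload = base64_encode(json_encode(['e' => $email, 'n' => $nonce, 'x' => $now + CONFIRM_TTL]));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Returns the confirmed address, or null when the token is forged, expired or reused.
function confirm_token(string $token, string $secret, int $now, array &$used): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // hash_equals compares in constant time, so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $data = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($data) || !isset($data['e'], $data['n'], $data['x'])) {
        return null;
    }
    if ($now > $data['x'] || isset($used[$data['n']])) {
        return null; // expired, or this link was already clicked
    }
    $used[$data['n']] = true; // a real site would persist this server-side
    return $data['e'];
}

$secret = 'constructed-demo-secret'; // constructed; a real key is random and kept server-side
$used = [];
$now = 1700000000; // constructed timestamp
$token = issue_token('new.user@example.com', $secret, $now);
var_dump(confirm_token($token, $secret, $now + 60, $used));             // first click
var_dump(confirm_token($token, $secret, $now + 120, $used));            // same link again
var_dump(confirm_token($token . '0', $secret, $now + 60, $used));       // altered MAC
$late = issue_token('new.user@example.com', $secret, $now);
var_dump(confirm_token($late, $secret, $now + CONFIRM_TTL + 1, $used)); // after expiry
```

Pass the token through `rawurlencode()` before placing it in a link's query string, since base64 output can contain `+`, `/` and `=`.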

This seems to be the intended purpose behind the admin email confirmation feature as of 4.9, as well as providing additional security to the system. My contention is that this is a confused purpose, and in fact renders WordPress LESS secure for several reasons.

Similarity to the add user feature
When a user registers for a WordPress site, the site sends him a confirmation email to confirm that he has access to the email account. This valid use case is identical to the one used by facebook.com, described above. It is the confirmation of some information between two human groups / persons [the stakeholders of the site, and the user who is trying to register].

It is important to understand: THIS IS NOT A SECURITY FEATURE! An administrator can run arbitrary code. There is a check box available for administrators to override the outbound email:

confirm_user_email_being_sent

Why can’t this email be a true security feature?
In computer science, there is a concept called “arbitrary code”. A user who can run arbitrary code can literally do anything on the system, and can’t be restricted.

Quality of Work [in PHP / WordPress outsourcing]

The quality of work done by low cost outsourcers is an obvious issue. You can overcome this problem by instituting a strict Test Driven Development cycle with your programmers.

Technique: The 4/7 work unit

When hiring low cost outsourcers, I use what I call the 4/7 scheduling technique. The work day is 4 hours long, and one week out.

4 hour work day: I have noticed that computer programmers work approximately for four hours. If you make them sit in front of their workstations for 8 hours, you get about the same amount of work done as when you sit them down for 4 hours. I leave it to the philosophers to discuss why, it’s just true. Knowledge workers should work in 4 hour shifts.

One week out: I hire low cost LAMP programmers on sites like Upwork and Freelancer all the time. You can debate the morality of hiring overseas, or offering low wages, but you shouldn’t debate the metrics.
You can post an ad for a PHP programmer and from the moment you post the ad until the time the programmer is working can be as low as 15 minutes. So there is no lag time to get the worker.
The concept of “one week out” means that if you hire a programmer this way, he will work for approximately one week before you notice a significant drop off in the quality of work, or the outsourcer simply stops responding. This is just a fact of life. How long would you keep working an $8/hr job with zero chance of promotion? These people aren’t stupid, just broke. It’s fine to offer a low wage, because that’s money that human being wasn’t going to have before they met you. Be upfront. Don’t nickel-and-dime. But don’t expect that person to be happy about it, and don’t expect them to do any kind of work that requires them to sleep on it. They’ll decide there are greener pastures somewhere else.

This is fine though, and part of the paradigm. As long as you maintain security best practices, high turnover isn’t a problem.

Test Driven Development really shines as a methodology when you have low skilled programmers. It simply produces very high quality code, it’s just time consuming. With ultra low cost programmers, time isn’t a factor. You can just hire more manpower and go to a 24 hour schedule.

In terms of WordPress, the difficulty lies in setting up the test environment. Low cost programmers can easily understand the TDD cycle, and can be taught quickly how to write tests. It’s the setting up of the system that they can’t do.

You should set up the development server yourself, and simply give access credentials to the

Hiring low cost, off-shore WordPress / PHP outsourcers

How to get cheap software for WordPress using Test Driven Development.

Post an ad on a site like Upwork.com or Freelancer.com for a low cost PHP programmer, and you’ll experience something unlike anything else in business. You’ll receive applications faster than you can possibly read them. A veritable gusher of low grade computer programmers. Give me your tired, your poor, your huddled masses.

$5/hr software developers, what could go wrong?
Obviously a lot. However, these programmers represent a massive untapped talent pool, and Test Driven Development is the technique you can use to leverage this talent. Using TDD, you can safely, effectively, and efficiently use low cost human talent on your projects.

Issue #1: Quality of work
Issue #2: Onboarding and retention
Issue #3: Security

Concept Massive talent pool
Concept Cost comparisons
Concept No employees
Concept 24 hours a day

Plugins that remove or roll-back WordPress features

Tired of some new feature in WordPress?

As new features come out for WordPress, they almost always suck. Here are some plugins that roll back new “features”.

Classic Editor

Change Admin Email

WP Rollback

WP Disable Automatic Updates


Unfortunately, WP Disable Automatic Updates doesn’t seem to be working.

Disable Administration Email Verification Prompt

How can we manually create multilingual WordPress website without using Polylang plugin or Google Translator?

General Chicken answers a question on Quora:

Read John Dee's answer to How can we manually create multilingual WordPress website without using Polylang plugin or Google Translator? on Quora

Is there a way to automatically rollback WordPress versions and plugin/theme versions if they break the site?

John Dee answers a question on quora.com

General Chicken answers a question on Quora:
Read John Dee's answer to Is there a way to automatically rollback WordPress versions and plugin/theme versions if they break the site? on Quora

Another answer:
Read Pol Tajani's answer to Is there a way to automatically rollback WordPress versions and plugin/theme versions if they break the site? on Quora