Dan Knauss compares learning WordPress development to Bruce Springsteen stringing a bass guitar the “wrong way.” You play with WordPress for a month before someone points out why it sounds so muddy. That beginner’s freedom, the willingness to get on stage and occasionally bomb, is exactly what built the WordPress community. Jesse Friedman agrees, noting that the barrier to contributing feels enormous from the outside but is much lower than most people assume.
Dan introduces WP Sudo, his new plugin that requires re-authentication for high-risk WordPress admin actions. It is designed to be configured once and then forgotten, with a short authentication window and compatibility with two-factor plugins and activity logging tools. Jesse and Dan discuss how this fits into the broader challenge of WordPress security, where users often set up a site and do not log in again for six months.
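A minimal sketch in PHP of the kind of re-authentication gate described above, added here as an illustration and not WP Sudo's own code. It assumes a 15-minute window stored in user meta, a hard-coded list of gated admin screens, and `example_sudo_*` names for the functions and the logging hooks; a two-factor plugin would add its own challenge on top of the password check shown here.

```php
<?php
/**
 * Illustrative "sudo mode" gate for WordPress admin screens.
 * Added example, not WP Sudo's code. Assumptions: a 15-minute elevation window
 * stored in user meta, and a short, hard-coded list of high-risk admin screens.
 * Save as wp-content/mu-plugins/example-sudo.php to try it on a test site.
 */

const EXAMPLE_SUDO_WINDOW   = 15 * MINUTE_IN_SECONDS;         // assumed re-auth validity window
const EXAMPLE_SUDO_META_KEY = '_example_sudo_elevated_until'; // assumed user-meta key

// Admin screens ($pagenow values) this example treats as high-risk (assumed list).
function example_sudo_gated_screens() {
	return array( 'plugin-install.php', 'theme-install.php', 'user-new.php', 'options-general.php' );
}

// True while the user's last re-authentication is still inside the window.
function example_sudo_is_elevated( $user_id, $now = null ) {
	$now   = $now ?? time();
	$until = (int) get_user_meta( $user_id, EXAMPLE_SUDO_META_KEY, true );
	return $until > $now;
}

// Record a fresh elevation and return its expiry timestamp.
function example_sudo_elevate( $user_id, $now = null ) {
	$now   = $now ?? time();
	$until = $now + EXAMPLE_SUDO_WINDOW;
	update_user_meta( $user_id, EXAMPLE_SUDO_META_KEY, $until );
	return $until;
}

// Re-auth form. A 2FA plugin would add its own challenge here; this sketch checks only the password.
function example_sudo_form_html() {
	return '<form method="post">'
		. wp_nonce_field( 'example_sudo_reauth', '_wpnonce', true, false )
		. '<p>This action requires you to confirm your password.</p>'
		. '<p><input type="password" name="example_sudo_pass" autocomplete="current-password" required></p>'
		. '<p><button type="submit">Confirm</button></p></form>';
}

// Step 1: handle a submitted re-auth form for the *current* user only (never a user named in the form).
function example_sudo_handle_reauth() {
	if ( ! isset( $_POST['example_sudo_pass'] ) ) {
		return;
	}
	check_admin_referer( 'example_sudo_reauth' ); // dies on a bad or missing nonce
	$user = wp_get_current_user();
	$pass = wp_unslash( $_POST['example_sudo_pass'] );
	if ( $user->ID && wp_check_password( $pass, $user->user_pass, $user->ID ) ) {
		example_sudo_elevate( $user->ID );
		do_action( 'example_sudo_elevated', $user->ID ); // assumed hook for activity-log plugins
		wp_safe_redirect( remove_query_arg( '_wpnonce' ) );  // reload the same screen as a GET
		exit;
	}
	do_action( 'example_sudo_failed', $user->ID ); // assumed hook; failed attempts are worth logging
}
add_action( 'admin_init', 'example_sudo_handle_reauth', 1 );

// Step 2: on a gated screen without a valid window, show the form instead of the page.
function example_sudo_gate() {
	global $pagenow;
	if ( ! in_array( $pagenow, example_sudo_gated_screens(), true ) ) {
		return;
	}
	$user_id = get_current_user_id();
	if ( ! $user_id || example_sudo_is_elevated( $user_id ) ) {
		return;
	}
	status_header( 403 );
	echo example_sudo_form_html();
	exit;
}
add_action( 'admin_init', 'example_sudo_gate', 5 );
```

Only the logged-in user's own password is ever checked, and the form carries a nonce, so a forged request cannot elevate someone else's session; the two `do_action` calls are where an activity-logging plugin would pick up successful and failed elevations.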
Dan argues that hosting companies should treat their relationship with WordPress and open source the way you would treat a neighborhood you plan to live in long term. Don’t treat it like a strip mall or a boom town, but as a place you want to see improve over generations. Jesse reframes this as what he calls community gravity. Hosting companies that invest in open source don’t just fulfill an obligation, they create a pull that attracts customers, contributors, and lasting loyalty. The two issue a call to build the web we actually want – versus the one we just accept.
Links:
- Post Status
- WP Sudo
- Two-Factor Authentication Plugin
- Fortress
- Ryan Holiday
- Rick Rubin
- Jesse’s Blog (Snail Mail)
- Open Source Pledge
- Make WordPress Slack
- Hilary Mason
- Patchstack
- WordCamp Canada
- WordCamp US
Transcript
#### [00:00:00] Teaser
Jesse Friedman: Welcome to Impressive Hosting, a podcast about the role hosting plays in shaping the open web. I’m your host, Jesse Friedman. On the show, we go deeper than uptime and dashboards. We talk about hosting as infrastructure, about ownership, independence, and what it takes to be an ethical, high-end WordPress hosting company that actually serves creators, businesses, and the internet itself. Before we dive in, head to impressive.host. That’s where you can comment on episodes, ask follow-up questions, and help shape future conversations. You’ll also find links to follow, like, and subscribe wherever you listen.
Today we’re having Dan Knauss back on. We had a great conversation about the user experience of security. We talked about the community and the way things are shaping for them, hosting responsibility towards security and the messaging around that. We talked about WordCamp Canada and your efforts there to help bring more people into the WordPress community, which is great.
Where we were leaving off though was talking about AI and the need that people have to understand human patterns, to understand the systems that connect us all. In doing so, they’re actually improving their likelihood of being better employed in the future, or more successful with the use of AI. I think this is really true.
One of the things I’ve been working on lately is asking people in this industry, people outside this industry, CEOs, tech leaders, what my daughter, who’s 18 and about to go off to college, should be studying. It feels like the careers we’ve positioned as defensible and safe, despite the technological evolution we’re living in, may not be as safe in their current form. Maybe they’re going to shift and evolve. People need to change the way they’re working. Maybe a computer science degree is not the best path forward. Even if you were thinking about going into law or medicine, AI is going to have a bigger hand in that in the future.
I’ve asked a lot of people about this. I’ve asked philosophers, I’ve listened to podcasts like Ryan Holiday, who’s a stoic philosopher. I’ve asked Matt Mullenweg, Stephen Wolfram, Hilary Mason, and a whole bunch of other people in my life what my daughter should be studying. Almost unanimously, everyone has said that the liberal arts, understanding psychology, philosophy, art, the way people connect and talk, and human needs, it keeps coming back to this idea of understanding human systems. The invisible connective tissue between us humans and what it is that we need is the best way to understand what to build next. That’s something AI is likely going to struggle with for the near future. I’ve gotten away from saying AI will never be able to do something specific, because that seems like setting myself up for failure. But it definitely seems like AI is not going to be solving that specific issue anytime soon. I’m curious, Dan, what do you think about that? You’ve been using AI for a while now for your own work. Does that resonate?
Dan Knauss: It does, very closely. One of my daughters is at the School of the Art Institute in Chicago, doing all this very hands-on work. She’s always been very non-digital. Well, she got started when I gave her an iPad, but she’s really come at it from a much more hands-on angle, even learning how to make her own paints. Another daughter is here with me, midway through the University of Alberta. They have an interdisciplinary program she’s part of called Science, Technology and Society. It’s very open to how students want to tailor it. She started in philosophy, then picked up a math minor and mixed in a bunch of other things.
Her family, parents and grandparents, all have a broad humanities and arts background. But I find myself saying, you know, you’ve got to dig into Python, you’ve done R, that’s cool. I’m advocating the opposite direction, probably annoyingly some of the time. I pulled out Studio and I’m explaining the history of the LAMP stack. She’s picked up things here and there, but I’m waiting for what’s actually going to get her hands-on and digging in. I don’t know if it’s going to be a comp sci course, because I remember that being a huge turnoff. I’d started coding in grade four, back in the early days. And when you get there it’s like, oh, sorting arrays every possible way.
Jesse Friedman: Yep.
Dan Knauss: I wanted to be making video games.
Jesse Friedman: One thing that’s funny about that time was that we used to buy these bibles, these encyclopedias, these huge reference manuals for writing code because the internet was still young. There was no Stack Overflow, no place to go ask questions about how to code something or see examples. GitHub wasn’t a place where you could see how other open source developers were writing and developing things. So we had these giant manuals. I remember a teacher of mine handed me hers. It was a few versions out of date, but it came with all her highlights and notes written in the margins. That was a prized possession back then, something really special.
You know, you’re pushing your kids to learn Python and kind of go back to basics. But that’s kind of the point, right? Maybe they don’t need a formal education around code anymore. Maybe what you need more is the passion, the interest, and the curiosity to know that you can build something.
Dan Knauss: I think so.
Jesse Friedman: You can learn how to do it yourself. Maybe. I don’t know.
Dan Knauss: I think I came up in the old BarCamp days, and Joomla and Drupal users groups, and then WordPress, these three all intersected. That social dynamic, I feel younger people want some of that back. It kind of goes along with their rediscovery of vinyl and browsing real bookstores.
They all know WordPress. My daughter’s class has to take turns writing on the course blog and doing presentations, introducing the speaker of the week across faculty and going through their work. So they’re used to seeing it as an established institutional tool. Some of them know it or have done something with it. But there’s this whole community and this whole open culture behind it. You can dive into this pretty deep. What are the entry points that really turn them on? It may actually be the relationships or the creative angle. For my art school daughter, she’s got a .com site. I just had to set it up and let her go, and she’s taken off with it.
Jesse Friedman: Yeah.
Dan Knauss: Portfolio work, displaying her stuff. Those are my learnings from having kids and watching them grow up and exceed me. With students, you want them to have enough unstructured play,
Jesse Friedman: Yeah.
Dan Knauss: getting the fundamentals and things. Then they’ll start doing things that emerge that you couldn’t plan. I’ve always valued that. I think we need to keep that going with and around the AI tools. They do see a lot of bad uses. They’re quite turned off with social media as we’ve known it, as a closed platform. Someone will do a clearly ChatGPT-generated homework presentation and they have to deal with that. There is an emerging peer expectation around it, and hopefully faculty are setting the tone for that. But how can this be an actually creative tool and not just the Cliff Notes? I remember those things.
Jesse Friedman: It gives me hope for the open web that people are going to get in there and publish something and feel great about it. Instagram, TikTok, these other social media platforms have shortcut the distance between learning how to build something and publishing. But there’s still something truly special and magical about owning your own part of the internet and publishing on it, developing an audience. It takes longer and it’s a harder job, but it’s worthwhile.
I’ve seen that with my daughter’s generation too. You give them a website and at first they’re a little challenged by it. The shorter attention span, the immediate need for gratification. I hate that I’m generalizing an entire generation, but I think it’s true. And I think even our generation is suffering from this now. We have this feeling that things need to be faster and faster. We’ve seen this with WordPress too, right? The five-minute install came in and all of a sudden people expected that from every other installation solution. Now hosts just install WordPress when you sign up. It would be a weird expectation if you signed up for a hosting company and it didn’t come with a WordPress instance and you had to install it yourself. But as you get through that initial friction, it is just so gratifying and special. I still see that spark in people, and it gives me hope.
Dan Knauss: Yeah. I don’t know if it’s a certain type of people. I think it’s a culture. It’s that DIY ethic, and those lights can turn on at any point in life. It’s about creating that opportunity for it to happen. The magic still works for me. I’ve been scratching my own itches, working on plugins over the last six months or so. I had to fix something to make it compatible with two-factor authentication plugins, primarily the canonical one for WordPress, which I didn’t realize had its own channel in the Make Slack. So in bringing in some bug fixes there, with the interface and other stuff, I got sucked in. Hey, it’s more accessible than I thought to actually move towards committing some code and contributing at that level. I’ve done a little of that in odd ways here and there over the years, but this is a newer step. It just happens naturally if things lead and progress the right way. That gets the wheels turning, like how is this a teachable moment I can bring into our hack day demo this weekend?
People don’t realize, they all know WordPress, but they don’t necessarily know open source. I’ve realized with some local friends that they didn’t necessarily know what open source means.
Jesse Friedman: Right.
Dan Knauss: So I’m going back and trying to translate that. Talking about Bruce Springsteen probably dates me, but it seemed to work. He was very self-taught. He talks about how bad he was and how much he loved the punk ethic. I think AI is now getting related to that. Rick Rubin said something about it, that you can just get on stage and do something. There’s a fine line though. You’ve got to stick with it, you’ve got to actually be engaged with learning the craft. But Springsteen, someone you think of as fantastic, describes it beautifully in his autobiography. Buying what he didn’t know was a bass guitar and stringing it the wrong way, playing it for a month before someone pointed it out. That’s why it sounded so muddy. Some of his early stuff is just not pleasant to listen to. That’s okay. That’s the beginner’s freedom, getting on stage and doing the improv. You kind of learn that sometimes you’re going to bomb, and that’s really part of it. If we take the time and hold each other up, the pace of things doesn’t mean you’re going to get crushed because it wasn’t perfect the first time.
Jesse Friedman: That’s a really beautiful sentiment. I think you’re right, especially with the WordPress community. One of the challenges in getting more people involved is that if you’re already in it, writing code as a core developer, the barrier to entry feels very low. But from the outside looking in, as someone who has been in that position, it’s incredibly intimidating and daunting. You think there’s this huge canyon between you and being a contributor. There’s this assumption that it’s going to be way harder than it really is. These people are well respected, they’ve been doing this for a long time. Why would they want to spend five minutes helping me get a PR up? But the reality is that’s what the WordPress community was built on. Every one of those people was just getting started at one point and got a little bit of extra help from somebody.
Dan Knauss: Yeah.
Jesse Friedman: As we think about that, there are multiple ways to contribute. There’s contributing directly to core, but there’s also contributing to plugins. You actually just finished launching a new plugin this past year, right? WP Sudo?
Dan Knauss: Well, I haven’t submitted it to the repo yet. It’s gotten some attention from Remus and others. It’s got like 40 or 50 likes on,
Jesse Friedman: Yeah.
Dan Knauss: no one ever looks at my stuff, so that’s cool. Some interesting discussions. It’s more serious than that. It’s around a number of other things and is maybe more of my considered take on some of these security-related issues we were talking about. It’s a self-teaching thing and it’s ultimately coming out of an earlier, simpler thing I coded myself, with a “p” in front of it, like pseudo-sudo. A false one that wasn’t actually forcing you into re-authentication in a fundamental way. Not every possible privileged action was being covered. It was more of an interface thing.
Jesse Friedman: So this newer plugin, WP Sudo, tell us what it actually does.
Dan Knauss: At its simplest core, it gates actions. It doesn’t matter what capabilities are involved. If there’s any admin action on the short list of things that have a potential blast radius, you just have to re-authenticate. Ideally you install it as an MU plugin to get it as early as possible in the sequence. It’s not a flawless security approach, but it’s trying to stay really close to core, almost like a last layer. Thinking of your guest Tom Raef, he gave me a lot to think about here. Other people like John Blackbourn, Tim Nash, and Calvin Alkan over the years, who has a kind of sudo system in his Fortress plugin. I always wanted to do a poor man’s version of that, something that could go in the repo as a more educational and broad-reach type of thing. It forces you to think about attack surface. It’s designed to be somewhat configurable. You pick what it targets. Are you going to close down XML-RPC entirely or make it challenge? Is WP-CLI closed or open? GraphQL, the REST API, are you going to do a secondary challenge if someone wants to do a privileged action coming through?
Jesse Friedman: So what happens if a plugin I’ve installed wants to do something with one of those actions?
Dan Knauss: Yeah, that’s not going to catch it there, especially if it was a compromised plugin. That’s a conceptually related thing. Is there a way we could get to that level? But that’s not what this is solving. That would be another layer of complexity, but it’s something I’ve been thinking about and researching.
Jesse Friedman: So this is more specifically about user roles inside WordPress. The user taking an action. It doesn’t focus on capabilities, but what it does is monitor what actions you’re taking within WP Admin and make sure you’re authenticated to do that.
Dan Knauss: Yes. You have to go through a second authentication, and if you have two-factor on, it will require that as well. The goal is making that as smooth an experience as possible so people aren’t frustrated and they internalize it as normal. They’re not going to turn it off because of another clunky 2FA experience. Even down to the language level, where do you want friction and where don’t you? That’s a really interesting question with security. I wish it were a more comprehensive type of thing, but it will work in a case where someone has compromised an account but doesn’t know the password to it.
Jesse Friedman: I think it’s interesting because it goes back to what we talked about in the first episode. A lot of times users don’t know what they need to know about WordPress security. They make a lot of assumptions about what the host is going to do for them, what the plugins are doing for them. This sounds like something that can help educate them around the decisions they’re making and get them a little more in tune with the actual site.
What’s really interesting when I talk to hosting companies is how often a user will set it and forget it. They’ll build a website, turn everything on, and then forget everything they’ve learned about building that website because they don’t log in again for another six months or a year until it’s time for renewal.
Dan Knauss: Quite.
Jesse Friedman: And then keeping things up to date. Yeah. So maybe there’s something in there like a remind-me feature, a dismiss-for-now kind of thing.
Dan Knauss: I envision it as a set-it-and-forget-it. Think about it once, and then it’s okay to forget. There’s a little green light with a countdown. Once you’ve re-authenticated, you won’t have to do it again within a window, up to 15 minutes. That’s going to remind you it’s there. But which layers you’ve opened, which ones you’ve closed, which ones are semi-gated, you configure that one time. It’s also now looking at the AI connector level, because that allows you to insert an API key for Claude or other external services, which you know could be a risk. Once you set that, I don’t want people thinking about it too much unless they want to. Everything it’s doing is easily logged. I might put in a basic logging dashboard. But it works with major activity logging plugins, so you could plug everything into a SIEM. You could get feedback like, someone has just done this admin action. If it’s a single-user site, you shouldn’t see much of that. I’d love it if people used AI to parse logs, which it’s been great at for a long time, and just get a heads-up about general site health. There are so many ways to get a quick notice to your phone about an anomaly. Not a massive wall of text, but a meaningful, maybe-you-should-check-this-out. Everything else just handled, with a digest once a week or something like that.
Jesse Friedman: Yeah, I like that. Especially pushing information to you in a way that’s digestible rather than having to consume everything yourself. That’s where AI really shines, not only deciphering all that data but figuring out what’s meaningful to you as a customer or user.
So we’re approaching, oddly enough, the end of this episode. Before we go though, I want to ask you one more question. We talked about hosting, security, and AI. The folks at home are running hosting companies or agencies, constantly looking at what hosting companies need to be doing and changing as the industry evolves. As a parting question, if you could fix something in the hosting industry, or give some advice to people listening, or ask them to build or change something, what would it be?
Dan Knauss: If we’re talking about the WordPress hosting industry specifically, or broader than that?
Jesse Friedman: Let’s keep it focused on WordPress.
Dan Knauss: I’d like to see a new level of relationship with the WordPress community and with open source. Mentioning Jeff Paul again, he highlighted the open source endowment and I was pleased. I’ve been researching and following the emergence of these ways to fund open source sustainably long term, and I’ve happily joined in on that too. I’d like to see hosts not just giving in that way, but being engaged. It’s not just put your money where your mouth is, though that’s a big part of it. There’s a lot they could be supporting directly, and saying, we want to see your commitment. You want us to be your customers for the long term. What I’m buying here is not a temporary strip-mall office for my business. I want the neighborhood to get better over time, not worse.
Jesse Friedman: Yeah.
Dan Knauss: You’ve blogged about this. I love the urban architecture analogies and the Jane Jacobs approach. That would be my ask: build for the future, build for future generations. Think about this no longer as a boom town where you get in and get out. What is the web we really want? I think open has a lot to do with maintainability, sustainability, and people who want business and personal relationships. They want a culture. Show us a new level of commitment for that. Because I think that’s where the people who stick around a long time and do creative things are at. And younger people coming up are looking for something better than what they’ve ended up with.
Jesse Friedman: I really love that. When we talk about hosting companies’ responsibility to WordPress and open source, it’s often around the idea that they’re selling WordPress, so they have a responsibility to improve that experience and ecosystem. But you’re shifting it a little and looking at it from a different perspective. When you give back to WordPress and open source, and maintain community as a focal point, you create gravity. You pull people in. That can be customers, contributors, a variety of things. When you stand up as a leader inside open source, there are always people looking for an opportunity to contribute, showcase it, talk about it, leverage it. Looking beyond the commercial aspect to the driving community factor is really great. It’s a great way to end the show. Dan, thank you for that.
Dan Knauss: Yeah.
Jesse Friedman: And thank you for joining us.
Dan Knauss: Thank you for doing this. I’m glad our conversation happened back at WordCamp US and that it’s continued.
Jesse Friedman: Yeah. It’s been a real pleasure getting to know you and see the projects you’re working on. Maybe we’ll have you back on soon.
Dan Knauss: You gotta mention that. I don’t have to read your blog now. Your traffic’s going to go down. You’re just sending it to me. I love it though.
Jesse Friedman: Yeah. For people who may not know, you can actually subscribe to my personal blog at jesseblog in snail mail form. I print out the blog posts and mail them to people. Dan is one of a handful of people who actually seems to enjoy it. I like it because frankly everything is online, and sometimes my personal writing, the stuff I do for that blog, is really meant to help people slow down and think about these systems we talked about earlier. I like the idea of you sitting on the porch with a cup of coffee reading it, or taking it with you on the plane to ground yourself as you take off.
Dan Knauss: Yeah.
Jesse Friedman: That’s the kind of thing I’m hoping for. But thank you for prompting that shameless plug. I appreciate it, Dan. Great having you on.
Dan Knauss: Thank you.
Jesse Friedman: Thanks for joining us on another episode of Impressive Hosting, where we uncover the core tenets of great WordPress hosting. Do you have a follow-up question for today’s guest, a thought or comment on anything we talked about, a future guest suggestion, or a hosting horror story? What do you think makes great WordPress hosting? All your comments shape the show. Drop them at impressive.host. We also appreciate you following us on social media and subscribing to the podcast on your favorite platform. Finally, do check out our list of open source projects that need support at impressive.host. Whether it’s code, community, or cash, you can make a difference. See you next time.




