Welcome to ManageWP.org

Register to share, discuss and vote for the best WordPress stories every day, find new ideas and inspiration for your business and network with other members of the WordPress community. Join the #1 WordPress news community!


I'm Aaron D. Campbell - WordPress Security Team Lead - Ask Me Anything

May. 10, 2017

Born and raised in San Diego, I now live in small town Oklahoma. Even after being here nearly four years, the small town thing still feels like a bit of a shock.

I started writing computer code about 26 years ago in 1991. Open source BASIC games that shipped with MS-DOS were where I started and I still think that open source and an open web are absolutely important to the human race as we move forward (big claim I know, but it's true). It's a large part of what motivated me to start contributing to WordPress just over a decade ago, and what has slowly moved to where I am today – funded by GoDaddy to work full time on the WordPress project.

Aside from technology, I'm 35, have been married 17 years, and have a 13 year old son. We live on a large piece of land, that used to be a kids camp, where I go hiking and fishing, ride motorcycles, and even canoe with my son. You should come to Camp Press and check it out.

I love beer and I love coffee. I'm a bit of a snob about both, but I'm okay with that. And now that I have my second cup of coffee in my hand...

Ask me anything!

27 votes   Flag
Nemanja Aleksic

Hi Aaron, thanks for being on our AMA!

- What's the daily routine like of a WordPress Security Tzar?
- How did you get into contributing to WordPress?
- How much are your kids in touch with technology?

Aaron D. Campbell

I'm not sure there really is a "daily routine", although one can dream. If we're nearing a security release, much of my time is probably spent making sure every item going into that release has an owner, checking in with them regularly, testing patches, and generally coordinating between all the people involved.

Between releases I might be coordinating with hosts to try to get data about various issues we're working on, working with reporters to coordinate disclosure times, addressing people's concerns about specific issues when they're brought to my attention, or working to set up the tools and processes that we need to continue to scale our team.


Before I started contributing to WordPress, I started using it for client projects. It was open source, which was important to me for flexibility and control as well as for learning from it and once a project was done it was simple enough that the client could run the site on their own. Even back in 2005. My first contribution actually came as a result of a bug I found while working on a client site. I opened a Trac ticket, submitted a patch, my code was added to core, and I was HOOKED. I've been contributing regularly ever since.


My son is like most teenagers I think. He's not particularly interested in doing what dad does but he's also completely addicted to his phone, his laptop, and his video games. It's weird to think that he considers himself to be not very technical, yet daily uses a touch screen phone to stream movies out of the ether. His generation definitely has a different baseline for technology, and it's really quite exciting.

Tina Todorovic

Hey Aaron,

It was great meeting you at WCCHI (finally:-)) and thank you for taking the time from your busy schedule to answer the questions here.

What are the podcasts and/or news sites that you like to read and listen to?

Have you ever tried an espresso from the Jura coffee machine (en.wikipedia.org/wiki/Jura_Elektroapparate)? If you haven't I really recommend it. No matter which coffee beans you put into Jura the coffee tastes amazing.

I am looking forward to Camp Press & for trying out some Oklahoma beers:-).



Aaron D. Campbell

Hey Tina, it was great to finally meet you too!

I don't do a lot of podcasts, but I never miss Post Status Draft (poststatus.com/category/draft/) although I often catch up in marathons when driving. I also like to listen to Office Hours FM (officehours.fm/podcast/) when I can, and recently discovered Developer Tea which I want to start listening to (spec.fm/podcasts/developer-tea).

I have not tried the Jura, but now I'm going to have to! I will say that I miss having access to the commercial espresso machine at my friend's coffee shop in Phoenix. A quality machine makes a huge difference for espresso. It's part of why I do french press or chemex at home :-)

Dejan Markovic

Hey Aaron,

It was great running into you at WCCHI.

Does security team have any plans for the implementation of security checks for plugins that are submitted to wordpress.org?

I am looking forward to seeing you again at Camp Press (if not earlier).



Aaron D. Campbell

Hey Dejan, it was fun hanging out a little bit in Chicago!

At the moment there's no plan to implement any kind of automated security checks into the plugin repository. It's been talked about, and it's something that I'm interested in personally, but it will also require a lot of careful planning and a needs to have a really great UX that goes beyond simply alerting you to potential issues. Static analyzers still return a lot of false positives, so guiding a developer through the process of identifying whether the issue is real and giving them a way to continue if it isn't – these are just a couple of the things that need to be solved before we ever start implementing.

Something we are definitely interested in doing in the near future though, is starting to extend out and have our security team cover some of the most popular plugins as well. Offering assistance and expertise first, and eventually maybe even allow reports to come directly to us. Assuming it works out well, we'll continue to extend our umbrella out over more and more plugins. It's really quite exciting. No one uses WordPress without plugins and themes, so keeping those plugins secure will help secure our users in a very direct way!

Jack Huang

Hi Aaron, thanks for joining AMA!

Just one question: which is the best all-in-one plugin for wp security do you think?


Adam W. Warner

Hi Aaron, glad to see you here!

Here's one security related question, and a few more personal.

1. What exploit/vulnerability have you seen through the years that you feel was the most clever, or the trickiest to reverse engineer and solve?

2. What’s your favorite ’90s jam?

3. What was the last gift you gave someone?

4. What were you like in high school?

5. Have you ever seen anyone remove an artificial eye? If so, what was your reaction?

Mainul Kabir Aion

Hi Aaron,
Thanks for making WordPress secure for general users like me :)