Fostering Innovation in Web Security

I’ve always created growth by focusing on free. It started back in 2003 when I launched WorkZoo in London. WorkZoo was a job search engine that ended up being one of Time Magazine’s top 50 websites of 2005. These days we take free search capability for granted, but 20 years ago, before Nginx came along, it was technically very challenging to scale a free search engine on a very small budget. We did it, and it paid off.

We migrated WorkZoo to the United States in 2004 and it became very popular, competing with Indeed, which had also recently launched. We eventually sold WorkZoo in 2005 to a Seattle company. Google had just IPO’d, vertical search was supposed to be the new hot thing, and it worked out well for us.

Since then I’ve launched many Web applications, all free, and some created massive – and in some cases viral growth.

So when I sat down with the founder of a very well known security business a few years ago, I could sense his visceral frustration when he asked me over drinks: “But why would you give it away for free?”. We were hurting them bad and they eventually sold the business. They had built their business on driving revenue by providing site cleanings, and Wordfence had launched free malware scans and free malware removal as part of our plugin back in 2012. It has always been a free feature and still is. They were hemorrhaging business at a furious rate.

In my mind the answer was so obvious that I didn’t take the question seriously: “Because that’s how you create growth.” It was the only way I had created growth.

Over a decade since Wordfence launched, I’ve seen many other growth models, including businesses built on affiliate programs, acquired mailing lists, VC funded direct response marketing, and more. The question that I had to answer for almost a decade before I had a fast-growing cybersecurity company on my hands was this: How do you generate growth with no money and no traction, out of thin air?

The answer turned out to be that you write great software and give away the services it provides for free.

What is exciting about this model is that there is no barrier to entry, other than knowing how to code and having the time to do it. Hosting applications on the Internet has become incredibly cheap, so if you are smart enough to create something useful and host it, you can create growth, and possibly cash flow, out of thin air. Talk about democratizing opportunity!

The word ‘free’ is from the Proto-Indo-European root ‘pri’ meaning ‘to love’. The word has Germanic origins and we inherited it via Old English. The word has a range of meanings, from unconstrained, to unrestrained, to free of charge.

My thinking regarding ‘free’ and freedoms has evolved over the years. As I mentioned above, I’ve created tremendous growth by giving away software services free of charge. Wordfence is a fine example of that: most of the features that secure WordPress are free of charge.

WordPress, the core software that powers over 40% of the Web, has been an inspiration to me, and the journey of the WordPress project is instructive. WordPress is free of charge, but it is also free in the sense of being unrestrained. WordPress uses the GPL license, which means that you can take the software, make it your own, and modify it in any way that you like, provided the changes you release are also unrestrained – in other words, all changes are governed by the same GPL license as the original software.

When you game this out, you begin to understand the longevity of WordPress. How can a business like Automattic be built around an open source GPL project and still have a competitive advantage? Because if a potential competitor takes WordPress Core, calls it their own, and modifies the software, those changes will be unrestrained under the GPL. And if the modifications are great ideas, Automattic can simply merge them back into core. While the GPL does provide potential competitors with freedoms to adopt the software and productize it, it gives those same freedoms to the originator of the software, who can simply take those innovative changes and merge them back into the original product.

Free of charge generates usage growth. Free of restraints can generate a different kind of growth: Innovation.

Once you apply the GPL or a similar open source license to a project, developers can contribute code to a project knowing that their contributions will remain unrestrained. Developers know that the code isn’t someone else’s intellectual property that they may be denied access to in future. Instead, an open source license like GPL ensures that the code a developer contributes will remain free for the world to use and modify for perpetuity.

You see the kind of innovation that an open source license fosters in projects like Linux, Apache, MySQL, and PHP – collectively known as the LAMP stack. And you see it around WordPress.

History has shown us that removing these freedoms in an open source project is a recipe for disaster. Movable Type was the most popular blogging platform from 2001 to 2003. In 2003, they raised venture capital and in 2004 they released Movable Type version 3.0, which changed the license to be more restrictive as they tried to generate cashflow. Movable Type’s users fled to a new platform called WordPress, and the rest is history.

My girlfriend Kerry at the time (now my amazing wife and co-founder for almost 20 years) and I were Movable Type (MT) users who moved over to WordPress. I admired the MT founders, Ben and Mena Trott, and they were an inspiration to us, showing how a couple can build software together, and potentially build a business. So it’s unfortunate things didn’t work out. MT was written in Perl, and I was a Perl developer back then, and, like Ben I was a CPAN contributor.

Creating free services generates growth. Adding freedoms creates innovation. I’ve been good at creating growth in Wordfence. I’m working on getting better at fostering innovation. Here’s how we’re doing that:

Our vulnerability database is free and includes a free vulnerability database API. The API for our vulnerability database includes web hooks, which give developers a way to build applications that scan for vulnerabilities and receive notifications in real-time when a new vulnerability is added. Developers can create open source or commercial applications that use our vulnerability database at no cost. Those applications can be made freely available or someone can build a business around them, and we’ve done all the work to collect the vulnerability data, maintain it, and continue to add the newest vulnerabilities.

Yesterday we announced a program to reward security researchers for every in-scope WordPress vulnerability they contribute to our free vulnerability database. The payment schedule for vulnerabilities is enough to allow researchers who produce consistent contributions to earn significant financial rewards. We’re not just acting as a vulnerability distributor, we are actively funding security research, and that funding is structured in a sustainable and equitable way.

Our mission is to secure the Web, and we didn’t want the world to have to wait for someone to create a fast high performance vulnerability scanner that can scan thousands or millions of WordPress hosting servers very quickly. So we created our own, called Wordfence CLI, which is open source under GPL 3.0. Wordfence CLI uses our free vulnerability database, and provides completely free WordPress vulnerability scanning at a massive scale for open source or commercial use. Wordfence CLI is both free of charge and unrestrained – and you can find the github repository for Wordfence CLI here.

The Wordfence plugin is also GPL’d and you can fork it and innovate as much as you’d like, provided you release the code under the same terms.

Our mission is to secure the Web. To do that we need innovation in Web security. WordPress hosts over 40% of the world’s websites, and as the leading WordPress security solutions provider in the world, Wordfence should be leading innovation in WordPress security. I’m proud of what our team has achieved this year. We’re just getting started.

Mark Maunder – Wordfence Founder & CEO