
How I handled a big security issue 😬

First, some context...

Prior to GapScout (my current project), I started a company called LearnDash. It's a WordPress plugin for creating online courses. I created that vertical in WordPress (today, you'll find countless "WordPress LMS" options). I grew it into a 7-figure ARR business and sold it in 2021.

I started that company because I hated my consulting job. It was 100% a lifestyle business. Until, it wasn't. It became my job. I had employees to take care of, and customers from all over the world.

Here's the thing... I don't know sh*t about coding. I can whip up HTML to change some color of text, but that's about it. 😆

About four years into the business, I experienced my first security scare

Software is susceptible to security issues, and that's particularly true with WordPress plugins. On New Year's Day, someone wrote into support indicating that they had malicious files on their server because of a loophole in the software.

More and more tickets came in with the same message.

My stomach sank.

I called my lead developer to inform him, and he started working on a patch right away to clean things up. After an hour or so, it was fixed and a new version ready to go out.

Now, if you know anything about WordPress, it's that you have ZERO control over your clients' websites. You can push out a fix, but they have to update it or they'll still be exposed to the flaw.

It was tempting to go about this quietly, but I knew that the main priority was to communicate.

Look, I'm human. Part of me just wanted to push out the fix and call it a day. Just deal with the issue behind closed doors, so to speak. But, I didn't. I knew that for something like this, I had to over communicate.

As soon as the update went out, I also sent an email to all the customers that was very straightforward.

The subject line was: "Security Issue, Update Immediately"

And in the email, I included a TLDR, a three-bullet summary of what happened and how to fix it - emphasizing the urgency that they update. Below that, I included more details about how it was reported, why that security issue existed, and a list of FAQs I anticipated.

In my email system, I configured the settings to resend the email to anyone who had not opened it after 12 hours. And then after a day, and then after a couple of days - just to maximize the chances that it would be seen.

The backlash

There was definitely backlash to this issue from a number of customers, but not anything I couldn't handle.

Some people just wrote in with snarky remarks. I still replied to them personally, so they could see I heard their complaint.

Others demanded money. That was out of the question (unless they were within the refund window). So instead, for a handful of people, I extended their license for a full year, free of charge. I realized that we needed to gain their trust again, and this extra year gave the company that opportunity. Most (if not all) people were okay with this.

For one person, I paid for a clean-up service to remove any malicious files on their website. I was prepared to do the same for others, but the truth was that most people were not impacted yet by the issue. Those who were had seemingly taken care of the file issue already.

That said, some customers did push back more. They wrote super long emails saying why my company owed them not just the price of the product, but more money.

I responded to all their concerns, but in a few cases (two or three I believe) they simply would not take "no" for an answer. In this case, I referred them to the law firm that I used for the business. Not in a malicious way, but just to give them the option to pursue a legal course if they believed more money was owed.

Because here's the thing: If someone asks you for money, they are suing you, and that's a legal matter you shouldn't deal with. Let the pros do it.

Of course, they didn't pursue any legal action. The Terms & Conditions that I had for the business were pretty explicit about security issues (because that can happen in WordPress) and who is liable.

After a few weeks, the dust will settle.

The first few weeks of the new year were stressful, but I managed to keep most people happy. I listened, I wrote emails, I gave options, I acknowledged and accepted personal responsibility for what had happened.

One thing you will find is that most people have short memories for this kind of thing. Security issues happen in software, from big companies to small. Naturally, you don't want to deal with it, but if you do, just know you're not alone. It's not the first security issue your customers have encountered in their lives, and it won't be the last.

And that's the key takeaway: just be a human.

Don't hide behind corporate jargon and "policies". It just pisses people off. Be personable and accessible. Show that you care.

  1. 2

    I really hope I never have to manage a security issue at scale, but it seems like you did it well, @MrJustinF!

    Terms & Conditions that I had for the business were pretty explicit about security issues

    Can you give some guidance on what to include in T&C to minimize liability? Do you know if there are any differences depending on the location of company and users?

    1. 2

      Honestly, I hired a law firm for a couple of thousand dollars. They asked me questions about the business, product, and customers, then wrote the entire T&C.

  2. 1

    Thank god it's finished. It must have been hard. We have a dev company too (https://criov.com/) and we are wasting too much time on dealing with safety too. WordPress is fine but risky.

  3. 1

    Wow - that sounds like it was rough. Glad you were able to make it through okay and thanks for sharing your story. Good call on referring to the lawyers when they pushed too.

    1. 1

      It was stressful at the time, but looking back, it wasn't so bad. I'm glad I had the experience. Also, it's one reason why I've moved on from WordPress and am building a micro-SaaS. Way easier when you control the environment.

  4. 1

    This comment was deleted 8 months ago.

    1. 1

      That's a good start. The reality is that this does not mean they can't come after you for more (according to my previous lawyer). It's there as a prevention mechanism, but it's not an iron shield.
