Most hosting customers never think about security until something breaks. They assume managed WordPress means everything is handled for them, from backups to hardening to incident response. Jesse Friedman and Dan Knauss examine why those assumptions persist, how hosting companies contribute to the confusion, and what it would take to close the gap between marketing promises and actual service.
Dan draws on more than a decade in the WordPress ecosystem, including his time at Post Status and his security work with Stellar Web, to explain why the industry needs a cultural shift. Instead of selling on fear and vague reassurances, he argues that hosts and agencies should invest in real education. He points to examples like Review Signal’s performance benchmarks and UBC’s published WordPress hardening white paper as the kind of transparency that builds genuine trust. Dan also shares details about his own open-source hardening guide, modeled after CIS benchmarks, now available on his GitHub.
Jesse brings the hosting company perspective, explaining how WP Cloud allows partners to offload infrastructure concerns and focus on customer relationships. The two discuss how security, performance, and reliability remain the three things every customer cares about, even if they don’t always understand their own role in maintaining them. This episode is a practical look at how hosting companies can differentiate by treating security as a relationship rather than a line item.
Links:
- MalPress
- Post Status
- Multi.dev
- Northern Alberta Institute of Technology
- Review Signal
- WordCamp Canada 2025
- WordCamp Asia
- Dan Knauss GitHub
- Dave Winer
- CIS Benchmarks
Chapters:
00:00 Teaser
00:25 Introduction
03:55 How does the news cycle distort WordPress security perceptions?
05:59 What would a better way to talk about security look like?
08:41 Why should hosts take responsibility for security education?
17:22 How does the race to the bottom in hosting undermine trust?
18:50 What can customers learn from real-world security incidents?
20:06 What was it like organizing WordCamp Canada 2025?
23:21 How did a university white paper inspire a WordPress hardening guide?
25:40 Is AI creating good chaos or do we need to slow down?
29:52 Conclusion
Transcript
#### Teaser
Jesse Friedman: Welcome to Impressive Hosting, a podcast about the role hosting plays in shaping the open web. I’m your host, Jesse Friedman. On this show, we go deeper than uptime and dashboards. We talk about hosting as infrastructure, about ownership, independence, and what it takes to build ethical, high-end WordPress hosting that actually serves creators, businesses, and the internet itself. Before we dive in, head to impressive.host. That’s where you can comment on episodes, ask follow-up questions, and help shape future conversations. You’ll also find links to follow, like, and subscribe wherever you listen. Today we have Dan Knauss, who has spent the last decade inside WordPress building solutions for enterprise clients at Multi.dev, shaping a security product at Stellar Web, and reporting on the business of WordPress as the editor of Post Status. He’s based in Edmonton where he organizes the local WordPress meetup and co-led WordCamp Canada 2025. Hey Dan.
Dan Knauss: Hey Jesse. Good to connect.
Jesse Friedman: It’s great to have you on. Thanks for joining. Tell us a little bit about yourself and what you’re working on.
Dan Knauss: I’ve been working on a lot of different things. I’ve got the time to do that now. It’s been a busy week. I do podcasts quite a bit at different points, but I had two land this week. It was great to come on here and talk security with MalPress founder Robert Abella earlier this week. Then our local polytechnic, the Northern Alberta Institute of Technology, has a lot of WordPress in their curriculum and through their faculty. They invited me to give a talk up there, and that was fun. I don’t usually get all that in one week, but I really enjoy talking to folks, especially a wide age range, and seeing what they know and are doing with WordPress.
Jesse Friedman: That’s great. I just got back from WordCamp Asia and there were a lot of students there. It was awesome to connect with them. It’s always nice when college students or even younger are showing up and getting interested in WordPress. WordPress is such a great gateway into learning your career. There are so many opportunities and avenues you can go down. As a former professor, I’ve actually seen that happen. It’s such a cool feeling when you run into your students and see the career they’ve built on the back of WordPress.
Dan Knauss: Absolutely. I have a teaching background as well and I feel like I slide back into that pretty naturally. Locally, I’ve seen some students show up at my meetup and then later they’re working at a local agency. You help make those connections and see the growth happen. It’s great.
Jesse Friedman: Very cool. I think you and I sat down for the first time together a couple years ago at WordCamp US. We had such a great conversation about WordPress security. So when I put out a call for guests and you raised your hand to join this podcast, I was very excited. I remember we were having a really passionate, strong conversation about the needs that customers have, agencies and all that. Tell me what’s top of mind for you with security these days. AI always seems to come up as both the thing everybody’s afraid of and the thing that’s going to solve all the problems at the same time. Is there anything non-AI that’s top of mind for you?
Dan Knauss: The most recent thing that’s come up is going around talking to people who are sort of tangentially aware of WordPress on a surface level. They pick up a lot of the general news. Like this week, probably someone saying, oh, I heard there was this big exploit. You mean maybe the thing where someone sold their whole plugin operation and then someone just completely took it over? It wasn’t repo-distributed at all on .org, it was some commercial third-party entity. I do end up in those kinds of conversations. Robert Abella reminded me of that too. In that mid-market segment, that’s a very big separation from enterprise level, where that stuff doesn’t really land. But all the negative noise in just the WordPress news cycle, there’s always a drumbeat of something. Usually exaggerated or context people don’t understand, and then it becomes, oh, it’s a WordPress problem.
Jesse Friedman: Yeah, algorithms have been really bad at inflating the problems to an extent that they’re not really there. I have an Android phone, and if you slide to the left you get the Google newsfeed. If you click on just one article about WordPress security, the next two weeks is all WordPress. From that perspective, without the context of my career and understanding how everything works in the community, I would be pretty nervous about WordPress too, because every one of those articles is about WordPress being hacked or plugin injections or whatever. They make it seem as if WordPress is this singular closed platform that everyone lives on, the exact same version. One thing that affects one small aspect of the community seems to affect the entire community. It does a disservice to the way people perceive WordPress. The articles are not painting a clear picture of what’s actually happening.
Dan Knauss: Yeah, absolutely. That’s been an unfortunate long-term reality. One of the things I finally got to go back to, given the time, was a style guide I started writing years ago for writing about security. I actually made it part of a project to figure out a couple of ways to use agents and separate models to build an editorial team and maintain technical documentation. A style guide sits on that line between technical docs and broader editorial work. You can apply the style guide to anything else and ask, am I consistently following this in my other materials? The whole thing started from a desire to hit that topic and say, let’s start by talking about trust and vulnerability. What I think is now more industry-wide accepted is that we’re trying to restrain blast radius when you have really big systems. If you look at any security newsletter, Microsoft, Adobe, every week it’s the same. We’re now in a position where you just assume things are going to happen. A lot of it is coming through social hacking and phishing and compromise of personal accounts. The goal was to shift the discourse toward how do we talk about vulnerability in a broad and then specific sense, and then try to mitigate it once we actually understand what it is. This was oriented toward people who have security products, but it could go pretty broadly too. I think it’s unfortunate that we don’t always start from the best place when taking on those issues.
Jesse Friedman: Yeah, it’s interesting. One of the things I learned years ago working on security products is that there’s a lack of emphasis on the idea that security products have user experiences. A lot of times people think that if you’re invested in your security, you’re going to wade through the mud and do whatever you need to get the product up and running. But the bigger problem is that most people don’t think they need added security plugins or solutions. So when there’s a poor user experience, people bail and give up, which leaves them vulnerable. When you talk to hosting companies who have to balance the race to the bottom on pricing, that usually ends up in a reduction in security features that you have to bolt on later. Then there’s the lack of understanding that comes with people not realizing what it actually means when you’re using a backup solution that isn’t WordPress-focused and it’s just backing up your entire section of the box. What that actually means when it comes time to do a restore. There’s just such a lack of understanding and expertise that goes into that. I think hosts have a responsibility to educate users on security, or to make it invisible, to make it work so well that it operates in the background and customers don’t have to deal with it. What’s your take on that?
Dan Knauss: I think the more hosts get involved, the better. There should be an open-source, broad-market security discourse oriented toward anyone, rather than this weird marketing thing that isn’t always accurate, that sometimes sells on fear, uncertainty, and doubt. The larger industry has moved in a good direction where the message is more about building a security culture and teaching people how to think realistically about their risk exposure. A lot of that is manage your users, know your users, think about what has access, what you’re doing with plugins, and all the other surfaces that WordPress has and really any system. As it opens to AI, there’s just an absolutely necessary responsibility to educate. It’s definitely in a host’s interest to do that. Finding the way to make that work commercially is the challenge. No one wants to subsidize security usually, but it seems like that’s the long-term way to go, whether you’re an agency or a host. Make that a point of relationship with the customer. Hey, we care about your welfare, safety, brand, and reputation. This escalates at higher levels of concern with certain customers, but there are a lot of agencies and people who have been on the web a long time where this just hasn’t been presented to them in the right way.
Jesse Friedman: Yeah, I was on my way to WordCamp Asia and I stopped in Turkey. I had a night in Istanbul and I was walking the bridge over the Golden Horn. There were these restaurants one after another, and the hosts were standing out there encouraging people to come in, pretty aggressive, not in a negative way, but just, you definitely want to eat here, come on in. Everybody’s preaching about how great their restaurant is, how fresh their food is. It dawned on me that it’s very much like searching for WordPress hosting. You type something into Google, a bunch of ads come up, everybody’s promising the best WordPress experience, everybody’s using vague terms like managed WordPress that don’t actually have a strong definition. People make a lot of assumptions about what’s being promised there. If these hosting companies are all competing to win this customer, a lot of times the messaging gets truncated. The opportunity to educate gets removed and it all becomes a marketing exercise in how to acquire this customer. That’s all well and good if you’re following it up with a great experience where you’re educating them. You land the customer, now you have a responsibility to make sure they have a great experience. But all too often hosting companies don’t care about that. They care more about acquisition than retention. Especially if they sell a three-year plan. Those $2 a month plans look pretty attractive until you realize the price is tied to a three-year upfront fee. They get stuck on the idea that they’ve acquired the customer and now just move on to acquiring the next one. With security in particular, there’s a fine balance you need to strike between education and fear marketing. But you need to help people understand what it is they don’t know.
Dan Knauss: Yeah, that’s absolutely true. Unfortunately, over the 20-plus years I’ve had some kind of hosting relationship, and I feel like I’ve used almost everybody in the space at some point, there’s really that sense that what might start well goes bad. For those who are in business and have been around for a decade or two and want to keep going that way, it’s dispiriting. It does something to impair the culture and the business of WordPress and beyond, in other ecosystems too, when you realize you’re going to be taken for granted or you’re going to be on some old plan that just sits and stagnates rather than being reengaged as a customer. For a lot of people running agencies who got into it from a marketing or design direction, it’s all black boxes. So there becomes a lot of permanent distrust. I can’t know what’s really going on, but I know it always goes sideways two, three, four years in. I’ve always felt a lot of frustration about that. Can’t we do better? Little things like Kevin Ohashi’s performance reviews at Review Signal, for me years back, getting to know Kevin and interviewing him for Post Status, it was like, wow, this pierces through the black boxes. Thank you. This matters.
Jesse Friedman: Right.
Dan Knauss: I’ve talked it up ever since. That’s the kind of thing I wish we had more continuity with, where you really have that transparency. I think that performance issue is very closely tied to security as well. Those two tend to relate and it’s a general quality signal.
Jesse Friedman: You’re touching on something that seems to be a recurring theme here. We know that regardless of your level of expertise and what you’re shopping for, people tend to care about three things. Security to an extent, though the more novice they are, they think security’s important but don’t necessarily understand their responsibility to it. They make a lot of poor assumptions about what they actually get out of the box. Performance is obviously key. And then reliability and uptime. Those are the three things. When I talk to partners who want to evaluate WP Cloud and start using it, a lot of times the pitch I’m giving them is that WP Cloud is an opportunity to stop worrying about the infrastructure. You’re going to have two types of customers. One who cares about what’s actually powering everything underneath. When they learn about WP Cloud’s cloud infrastructure, the automated multi-region failover, all the pieces that go into putting up guardrails and optimizing for WordPress-first performance and security, they’re going to be very happy with it. But for the vast majority of customers, especially those with less experience, they’re actually not shopping hosting anymore. That’s been a paradigm shift in the industry. You look at Shopify and Wix and these other platforms, they’re not selling CPUs or boxes or location. They’re just making the promise that everything will work in the backend. A lot of times people are making the same assumptions from WordPress hosting companies. I think that’s okay and we can capitalize on it. With the WP Cloud opportunity, what I tell hosting companies is that you can spend less time selling infrastructure and more time selling the partnership, the curated list of features you’re offering, specific solutions to niches, things like that. 
But one thing we still leave behind is a proper security checklist that a host imposes on a customer to be transparent about what they’re offering and what they’re not, where the line is and where the host does its level of security hardening versus where the customer needs to pick it up. A little more transparency there would provide a much better experience.
Dan Knauss: Yeah, absolutely. I’m always in favor of empowering people through education. It’s a tough proposition. There’s always a bias toward, don’t make me think, just take my money. At some point they get burned by that. But in general, with the agentic web and AI, there’s got to be a shift toward personal investment equaling personal responsibility. Even if liability isn’t the first thing on your mind, there’s just an emerging code of conduct needed for people doing anything remotely serious online. Until people see it happen close to them it’s a tough sell. We’ve had some bad ransomware incidents happen in Canada, and it’s always interesting when you talk to people totally outside tech whose company or a company near them was hit, and suddenly they’re starting to take security seriously with their personal networks and devices. It’s not a hopeless cause. There is increasing interest out of necessity. Unfortunately it comes with lower trust. A zero-trust model is more attractive in a world with less trust, which is tough, because they kind of cross each other in open source, where you gain trust by being able to see through the black boxes and see who’s providing good quality.
Jesse Friedman: If you think about it from this perspective, if you were going to do some bungee jumping off a bridge and you chose the cheapest option, and instead of hooking up your harness for you they just handed you all the equipment, that’s kind of like a hosting company. They’ll provide the hardening solutions and security tools, but they’re handing you this harness and you have no idea how to hook it up. At that exact moment you either say, I’m not going to jump, I’m going to bail, or I’m going to pay the extra fee so you can actually hook me up and do it right. The customer standing on the edge of that bridge can see the threat. They understand that if they’re not hooked up correctly, it’s going to hurt. But with the hosting industry, most people don’t actually understand the threat. They don’t think, I’m vulnerable. I’m curious though, when we think about this from a user’s perspective, you’re helping with WordCamp Canada. How did it go? What did you learn from that event?
Dan Knauss: It’s a totally different experience when you’re running it. I spoke about security the previous year and volunteered and wore a couple of hats, but I wasn’t on the organizing team. So I signed up for that. It was very consuming in the last month. Fantastic energy, great everything. Matt was a surprise keynote at the end. A big deal for me was Dave Winer. I got to hang out with him, walk around, and just talk in the mornings. I think a lot of people had that experience. He was a fantastic keynote speaker. Just connecting with a lot of people I hadn’t necessarily met before. That always happens at WordCamps. As much as possible when you’re still trying to run the party for everyone and make sure everyone connects. Definitely a lot goes into it and a lot comes out if you put a lot of heart in there. About 300 people, it’s manageable. You can give everyone a really individualized, welcoming experience wherever they’re coming from, however new or old it all is to them. I really enjoyed the energy of that. We had some outstanding ways to onboard people to contributor day and make those connections. Jeff Paul had a fantastic approach to how people can come in from a project management standpoint. Just a lot of great material that’s still out there on the web. Security wasn’t a major topic there, but it was great to have some awesome hosting companies out and a really steady core from the Montreal and Ottawa area, hosting agencies all coming out and backing it. Just a really personal, direct relationship with everyone throughout. Everyone was really supportive.
Jesse Friedman: That’s really great. Is WordCamp Canada going to bounce around to different cities or is it always going to be in Montreal?
Dan Knauss: Well, Montreal has put on their own in the past and I would love to see that happen again. This was really growing out of the Ottawa group, which I think is one of the only ones still going, maybe Winnipeg too. Ian Stewart’s out there. I know a bunch of people are in Winnipeg who went all the way through COVID, and Ottawa too has just had a lot of city-level camps over the years and that meetup keeps going. So it was easy to organize around that. You really need that common core of people with some continuity and experience. Carleton University has Troy Chaplin, who’s just a great contributor and has been behind WordPress as an institution over the past decade. But people do want you to move it around if it’s going to be called WordCamp Canada. We can’t just keep doing it in the same place. It’s definitely better if it’s closer to you at different times. So the next one is going to be at the University of British Columbia, their downtown campus in Vancouver this fall.
Jesse Friedman: Oh nice.
Dan Knauss: That’s another big WordPress campus as well. They actually have quite a lot documented. Their CIO published a white paper some years back on hardening WordPress and that gave me the original motive, along with people like Kevin and others in the security space, to say, I’m going to write a version of this. I finally finished that off with my AI editorial team, fact-checking, source-digging, updating, checking against the hierarchy of authoritative documents. Something along the lines of a runbook and hardening guide, and then one that works like a CIS benchmark with level one, level two, ultra-paranoid, or a reasonable level for different contexts. UBC gave me that idea way back and I finally finished it. It’s in my GitHub account at D-K-N-A-U-S-S, so anyone can check it out.
Jesse Friedman: Nice. That’s great. That educational energy where people are learning and trying to get more out of it is nice because it breeds that energy and you end up taking it internally at work. Actually, we’re doing an interesting project at Automattic where we’re all tasked with dedicating a little bit of time to just building something great. There’s a buzz right now where folks are jumping across team lines, meeting new people, working with new people, pumping out ideas. You get that at WordCamps too. You get it at universities. My daughter’s about to go off to college and I feel energized for her. There’s just so much going on right now coming off my visit to WordCamp Asia as well, where there’s just so much energy. I think a lot of that is actually driven by AI, because a lot of the limitations people felt they had in the past are being wiped away in terms of their ability to contribute. I know we’re using AI more on the .org side of the house as well. Do you think it’s something that’s going to be self-correcting? Right now there’s so much energy, so many people taking advantage of it. Are we building too much? Are we all building the same thing at the same time? Do we need to take a step back and figure out a way to organize our thoughts? Or is it good chaos and we want to capitalize on it and keep moving?
Dan Knauss: Well, there’s always some of both. Something’s good, something’s bad, depends on context and who you’re talking about. I’ve been pretty pleased though. Once the models really shifted, I’ve been watching for years trying to use this more for research, writing, editing, documents, and reining in big client files. It’s gotten super useful for that. My coding experience was not impressive for a long time and then it all shifted for a lot of people around November or December. I am pretty optimistic and do see that as opening the door with students. I also see the ones who are mid-program now thinking, am I now just an ever more fungible cog who can be easily replaced? I think that’s a great message point. I would say yes, slow down, think, read broadly, write, think creatively. You have this opportunity to use your full brain when maybe you thought you were just doing this one technical thing. They’re usually way into whatever’s the coolest thing in front-end and I’ll learn stuff from them, but then I’m also talking about business reasons, total cost of ownership, maintenance over time. It leads into these interesting intergenerational discussions about what it actually takes to maintain these cool things. I think always elevating students to that bigger picture, how do things all link together and how can I put them together in novel ways, that’s the real opportunity. I don’t think AI is going to be that kind of architect for us. There’s opportunity in that to step back and do higher-order things. But what’s actually going on under there?
Jesse Friedman: Yeah, I agree. Having the ability to detect patterns, to see the underlying systems, especially human systems, and understand how humans are operating, that’s going to be a skill that if you have, great. If you don’t, I would say improve it, because AI is going to step into a lot of fields. But one of the things it’s not really going to be very good at is being empathetic to what humans actually truly need in the invisible web that connects us all in real life.
Dan Knauss: Yeah.
Jesse Friedman: Before we continue, we need to take a break. I would love to continue this conversation. There’s still so much to talk about. I want to talk about your plugin and continue this conversation about AI. But we do need to take a break. So thanks for hanging in there, and we’ll be back with another episode.
Jesse Friedman: Thanks for joining us on another episode of Impressive Hosting, where we uncover the core tenets of great WordPress hosting. Do you have a follow-up question for today’s guest, a thought or comment on anything we talked about, a future guest suggestion, a hosting horror story, or thoughts on what makes great WordPress hosting? All your comments shape the show. Drop them on impressive.host. We also appreciate you following us on social media and subscribing to the podcast on your favorite platform. Finally, do check out our list of open-source projects that need support at impressive.host. Whether it’s code, community, or cash, you can make a difference. See you next time.
#### Conclusion




