Oct 2nd, 2013 | Opinion, Web, WordPress
I was recently added to the WordPress API team and this post contains my thoughts about the recent authentication discussion.
WordPress have a reasonably robust authentication system built in, the username and password system and it would be possible to use it along with Basic Auth to allow for API authentication. Please forgive any typos in advance; this was long and I didn’t really have the time to fully proof it.
Authentication, Identity and Authorization
While Authentication is very important there is also Authorization to consider. Here’s a nice blog post from Apigee on the difference between three (3) terms: Identity, Authentication and Authorization (IMO Apigee are the leading experts on web API design at the moment). In a nutshell here’s what they terms mean:
||What it Means
||Who is making the request?
||Are they really who they say they are?
||Are they allowed to do what they are trying to do?
And as they point out we may not need them all but what we need is the point of this post.
As a side note they say "Take Twitter’s API; open for looking up public information about a user, but other operations require authentication." What this says to me is an API key would be ideal for most read activities but most write activities should require Authentication.
Authorization without Authentication
As much as we need Authentication I think we need Authorization even more. There are some API actions we’ll happily allow anyone to do such as download the list of our most popular posts and we don’t need to authenticate for that, we only need to authorize.
Why authorize? Why not just allow open access? So we can track who we authorized in case, for example we need to rate-limit their usage or even revoke their access.
Let me get this out of the way sooner than later. Anything that requires SSL is a non-starter just as requiring PHP 5.3 for WordPress 3.7 is a non-starter. Need I say more on this point?
However we could allow support for SSL, assuming that for what we implement the SSL and non-SSL solutions are compatible.
Mainstream Options for API Security
Let’s discus the variety of methods for securing an API; some mainstream and some a bit esoteric. Bottom line is that most informed people seem to say "Don’t role your own." So with that in mind I believe we have these options:
||Generally considered the best balanced security option for mainstream web apps where security and ease of interaction for users is balanced. But can be complex to implement, especially on the client end, and requires SSL to be secure.
||Not as good as OAuth 2 but super easy for the client to implement OTOH it is not secure unless SSL is used.
||More secure than Basic Auth but still not fully secure. Quite a pain for the client to implement..
||Well-tested and doesn’t require SSL but is non-standard (ignoring "defacto-" standards) and still requires an API key.
||Very simple for the client to implement and as secure the Capabilities tied to the API key, i.e. if it can only see public data and not update then it’s "secure enough". Fully secure if used with SSL. Assuming users can’t change passwords with the API key then it’s more secure than Basic Auth because user credential are never in a position to be compromised.
(Did I miss anything?)
Given the available options it would seem to me that OAuth 2, Digest Auth and even Amazon Auth are non-starters as a requirement for use of a JSON API in WordPress core because of the complexity each of them heave onto the API client developer, at least if one of these is the option for accessing the JSON API.
Basic Auth vs. API Keys
Which leaves the unsecure Basic Auth and mildly secure API Keys. So review the pros and cons of using Basic Auth – which is tied to the WordPress user’s username and password in the current version of the JSON API – and API keys:
- If API login is compromised then user may loose their account or be made to go through the hassle of regaining access.
- Since APIs access can be automated it’s much more likely that a hacker could capture a username/password on a non-SSL API call (calls might be made continuously) than for a user login (which comparatively happen very infrequently.)
- Can only support one Authorization profile per user account.
- To support multiple authorization profiles a user would need create multiple user accounts,
- To allow another person API access they either need to share their username/password or create another user account for them.
- If API access requires a user account some sites could go from 5-10 users to having 50,000+ users (think of smaller sites like Mashable.)
- If multiple user accounts are required then we’ll need a way to relate user accounts and allow one user account to manage other user accounts.
- API authorization is decoupled from user accounts.
- One or many API keys can be tied to a single user account.
- If API Key is compromised user can login and deactivate it.
- Plugins could easily deactivate API keys if they follow an abuse pattern.
- API keys could be added with expiration dates.
- Sites with a large number of API users do not gain an explosion of regular users.
- Each API Key can potentially support a different Authorization Profile (example use-case: I provide on API key to a social network – the key has limited capability – and use another API key – one that can do anything my user account can do – for an official WordPress mobile app that I use to access my site.)
- Requires what appears to be more architecture
It seems to me from this comparison that API keys are the only reasonable option for allowing JSON API access to much of WordPress. However they are only appropriate for some use-cases and not even as-is they are not as a complete solution. Let’s discuss the rest of the solution for the use-cases in which I think they apply.
It also seems to me that tying API access to users accounts could easily create an explosion of complexity and significant user experience problems as users see their logins hacked by unsecure usage and then are locked out of or even loose their blogs.
API Roles and Capabilities
One of the ways in which API Keys might be acceptable without Authentication is that some things can be made freely available holders of API keys if we add in "API Roles and Capabilities."
Just like User Roles that are assigned a collection of Capabilities we could add "API Roles" that also have "API Capabilities". These Capabilities could be used to determine the Authorization status for each (what I’ll name) an "API Service" when requested.
Note: I’m defining an "API Service" as a URL + an HTTP method (GET, POST, etc.) and I’m calling the collection of Authorizations for all API Services as a "Authorization Profile."
I’ve reviewed the code for the
WP_User classes and I think the first two could be used without modification. If so then we only introduce a
WP_API_Request class. And depending on the opinion of others the
WP_API_Request class could be standalone or the
WP_User class could be refactored to extend from an abstract
WP_Auth class thereby allowing the new
WP_API_Request class to also extend from
We could then decide on a convention that any Capability name prefixed with
'api_' is a capability for an API Service and we add a function
current_api_request_can() or just
api_request_can(). Armed with
api_request_can() we could write code like the following (note that
'api_' as a prefix and thus does not require it to be passed):
Are We Adding Too Much Code?
Although a comment was made that "we don’t want a huge chunk of code just for authentication" I would suggest that even if it were to be a large amount of code, which I doubt there would be, it shouldn’t matter how much code we add as long as that code doesn’t require significant maintenance and more importantly does not impose significant complexity onto the admin user in terms of "more options."
Assume that in Settings > General we add only one (1) single checkbox with the label "Enable JSON API" which by default we leave unchecked.
Once the user has explicitly chosen to enable the API (the equivalent of activating the plugin we have today) a single "Tools > JSON API" option is added.
The Tools/JSON API admin page can use tabs to organize the information so it would not be overwhelming, if even needed.
To offer the user the list of API keys we can reuse/modify the Taxonomy add/edit functionality assuming we add a
'user_api_key' taxonomy to allow us to store, lookup and manage API keys related to Users who would "own" the API keys.
Another tab for the Tools/JSON API admin page could potentially offer the ability to add and manage API Roles and another tab for API Capabilities. Or not, we could require these be managed programmatically just like User roles currently are.
And finally a main tab that allows you to force SSL use, or not.
What I’ve describe above it really not that much code. Would it make sense to risk the potential downside of tying the API to username and password in order to simply avoid the code that the API keys management would require?
Handling Escalating Security Requirements
Consider the "API Services" discussed earlier; we could implement a mapping of authentication requirements to API services such that different services have different authentication/authorization requirements. Consider this table:
||API Services That Allows
||Example API Service
|No API Key Required
||Access to public information with a low risk of needing a rate limiter.
||An API service that returns site name and other metadata. The metadata could also including a links to an API service to request an API key via API.
||Access to public information that might need to be rate limited.
||Return the current list of blog posts.
|API Key + Nonce
||Add Content or Update Revertible Content
||Update of Posts, add Taxonomy Terms.
||Add Content or Update Revertible Content
||Update of Posts, add Taxonomy Terms.
||Returns secure information for client w/o API Key
||Retrieve an API key programatically.
||Updates secure information
||Modify User Profile, Deletes Posts.
||Update highly sensitive information
||Change user password
API Keys + Nonces
Note that we combine nonces with API keys. One of the ways WordPress handles security is with nonces, and the API need be no different. Note that the nonce would be generated by WordPress core or a plugin for the logged in user to allow their browser’s to use the API via AJAX. These use-cases would authorize for the JSON API similar to how the current AJAX system in WordPress authorizes.
For mobile apps nonces could also be offered to last for longer, requiring a mobile device to retrieve a new nonce once every 15 minutes or so but then allowing them to just use the nonce + API key within those windows. Of course you wouldn’t want a 15 minute window for nonces used with AJAX apps
So if we follow the outlined approach we can provide a reasonably level of API access without requiring SSL but we can still enforce the benefit of SSL for those who are likely to have the where-with-all to upgrade to SSL.
Consider this, if they need their sensitive parts of their site updated via API then they are likely special enough that they can make sure that SSL happens. But if unexpected consequences occur and someone builds a SaaS that people want to use but that requires SSL then frankly it creates an opportunity for hosting companies to see a high level of demand for turnkey SSL setup.
And optionally we can add an
'WPAPI_ALLOW_NO_SSL' constant for those site builders and site owners with a "Devil May Care" attitude.
In summary I’m proposing for the JSON API for WordPress to:
- Use API Keys for Authorization
- (And if you are still not convinced, read this).
- Incorporate API Roles and Capabilities
- Support Escalating Authentication Requirements for API Services
- Build Single Menu Item Admin UI for the admin to Manage the API.
Let me know your reactions in the comments below.
Oct 1st, 2013 | Opinion, Programming, Software
As an active JetBrains’ PhpStorm user one of my feature requests was for First Class WYSIWYG Markdown/Markdown Extra Support. Unfortunately they told me (and others) to use a 3rd party plugin which given it’s lack of quality and features turned out to be a non-starter for me. So I continue to use Markdown Pro which I love for what it is but I really need an order of magnitude more features.
But today I was thinking hard about how I’m going to implement documentation for the project I’ve worked on over the past 3 months without killing myself. A sad realization came over me that using MarkDown Pro would be very painful to use because it’s really nothing more than a glorified Notepad with Markdown support and a preview window; it has nothing to support me in the developer of documentation projects.
Then it hit me; what I really need is not an ability for PhpStorm to edit markup but instead a full-featured documentation IDE targeting programmers. And frankly I think the company best positioned to offer this would be JetBrains but I’d be happy to see any company offer it, if someone just will (Maybe those Sublime guys could…?)
So if you are from JetBrains or from some other company please consider the following feature set:
Here are just some of the features that I’d love to see a Documentation IDE support
- Manage "Documentation Projects" vs. just individual markdown files.
- Multi-pane editor like PhpStorm but with panes that support document creation.
- Vertical or horizontal split edit and preview windows.
- CSS-based Themes for preview.
- File Watchers for post processing LESS, Saas another other features.
- Version control support for Git, Mercurial, SVN, etc.
- Support for docs in a subdir of a code repository or as independent repo.
- Support for all major Markup/Markdown format including Different Dialects and HTML
- Conversion between Markup/Markdown formats
- Ability to configure all and/or specific documents to be edited in one format/dialect and saved in another.
- Ability to Publish and Maintain Documentation Websites from DocStorm
- Publish directly to GitHub Pages as well as maintain existing GitHub pages.
- Publish to Evernote, DropBox, etc.
- Offer "POST-To-Publish" feature that would allow us to publish and update using HTTP POSTs so that we could write our own server-side integrations to other locations besides GitHub such as CMS (WordPress, Ghost, etc), Wikis (Mediawiki, etc.), SaaS platforms and more using our own PHP, Ruby, Python, Node.js or other code server-side code.
- Navigation Between Documents
- Jump to Document via selected hyperlink
- Jump to Section of Document via selected hyperlink+fragment
- Jump to File by Name
- Jump to Headings in Project (find by autocomplete)
- Refactor Document Structure to change all affected links
- If URL changes
- If URL fragment changes
- Move selected content into a new file and insert a link to the new file.
- Provide a tree view of files and allow refactoring by drag-and-drop in tree view, with all necessary link fix-up.
- Manage Images
- As part of the project, relative to the project root
- Enable images to be previewed inline
- Search and Replace like the wonderful PhpStorm search & replace)
- Regular expression search.
- Highlight on up/down arrow of selected options.
Also potentially valuable would be integrations with existing documentation tools although I can’t yet envision exactly what that would look like:
- PHP: PhpDocumentor, ApiGen, etc.
- Ruby: RDoc, Yard, etc.
- Python: PyDOC, Sphinx, etc.
- Java: JavaDoc, Doxygen, etc.
- APIs: Swagger, Apiary.io, etc.
Benefits to JetBrains
But even if they won’t do it, maybe someone else will?
If you like this idea please vote for it on the JetBrains tracker
So JetBrains considered the idea, but decided against it. :-( But they have changed their mind in the past if they’ve had enough requests, so please vote for both these tickets, if you will:
Better yet, if you are in the editor space and looking to expand your market, please consider building this flavor of your product and I expect you will find many new customers.
Dec 1st, 2010 | Opinion, Programming, Technology, Web, WordPress
This blog post has been simmering inside me for while. Some might think it as link bait but frankly I don’t blog often because I don’t have the time to manage lots of comments. So the thought of posting something that will likely be controversial has me going against my better judgment (but it won’t be the first time I’ve done that. :)
Say what?!?!? Although the conventional wisdom is that WordPress is really just a great blogging tools and Drupal is more appropriate when you need a full-featured CMS for business use, the conventional wisdom is unfortunately outdated. Since WordPress released version 3.0 in mid-2010 there are now very few if any good reasons to use Drupal instead of WordPress when your business needs a CMS.
Maybe, but history has shown much heresey to be the voice of truth later vindicated. However, rather than ask you to just take my word for it, I’m going to explain below 17 tangible and specific reasons why WordPress is a much better choice for a business CMS than Drupal.
Just the Facts
But for those of you who can’t be bothered to read the details I can summarize in two (2) points:
- Site Architecture and
- Backward Compatibility
Drupal’s site architecture, which on surface appears quite elegant is in reality Drupal’s biggest weakness. Drupal projects can start very inexpensively with large initial wins but the costs to add increasing functionality are discontinuous and in my experience soon soar out of control. I’ve seen several Drupal projects fail simply because of Drupal’s architectural inflexibility; many projects becoming difficult if not impossible to complete On the other hand there is WordPress’ architecture which, while seemingly less sophisticated and with more code duplication nonetheless enables the perfect combination of flexibility and unlimited functionality in my opinion where the increase in cost for more functionality scales linearly starting from zero.
As for Drupal’s position on backward compatibility they only maintain compatibility between major versions, which means you’ll be probably be forced into having to do a fork-lift upgrade since they only official support one major version behind. Who in their right mind would put their business in such a position? WordPress, on the other hand, bends over backwards to maintain an upgrade path between 0.1 versions.
WordPress and Drupal have some different terms for similar concepts and the following might be confusing if you are not aware of how these terms relate. What WordPress calls a "Custom Post Type" Drupal calls a "Custom Content Type."
In WordPress a developer uses the register_post_type() function to define a custom post type whereas in Drupal a developer or user defines a custom content type in the admin console using the "Content Creation Kit" module (a.k.a. "CCK".) WordPress calls all content items "posts" (which is the generic term for the more specific "Pages" and "Posts"; confusing, I know, but that’s for legacy reasons. Drupal on the other hand alternates between calling content items "Content" at times and "Nodes" at other times.
As for versioning, WordPress strives every four (4) months (but it sometimes takes six) to launch a "point 1" or 0.1 version increment (such as v2.9, v3.0, v3.1, etc.) whereas Drupal uses major and minor versions (i.e. v5.x, v6.x, v7.x, etc.) with no specific release schedule between major versions.
Now with that out of the way, on to the 17 reasons.
17 Reasons to Pick WordPress vs. Drupal:
- WordPress Allows Infinite Design Flexibility - Drupal not so much. Because of it’s fundamental technical architecture most Drupal sites have a certain look and feel that is very difficult to get away from (note the "I think though doth protest too much" quality of these three (3) posts), WordPress is as flexible as HTML because of it’s architecture.
More specifically when a browser requests a web page from a Drupal-based website, Drupal inspects the requested URL and then delegates reponsibility for generating parts of the HTML page to both applicable modules and to components of Drupal itself. Drupal then collects up the generated HTML and composes a completed HTML page when it sends to the browser. Drupal manages everything and this archecture is minimizes duplication of responsibilities and is an architecture that an engineer can truly love.
Unfortunately Drupal’s architecture is also highly coupled and thus rather inflexible; when you want a web page that doesn’t fit into Drupal’s model you either 1.) learn complex and arcane methods to achieve what in pure HTML would be incredibly simple, 2.) rebuild major portions of Drupal functionality for your custom page or 3.) just give up and do it the way Drupal wants you to. Or as I like to say when explaining this unfortunate aspect of Drupal:
As a Drupal developer you are constantly battling Drupal to get back in control of the HTML that it will output for any given URL. Drupal is like a "Roach Motel" for URLs: Once a URL enters Drupal it never leaves!
- Usability has been "Baked-in" to WordPress - With Drupal, usability was an afterthought until version 7 and they’ve been desperately trying to improve it; usability tests by the Univeristy of Baltimore identified many critical usability issues in Drupal (the video is a must watch.) But some things such as usability need to be central to the philosophy of the developers and not tacked on as an afterthought. In Drupal you frequently need to visit at least two different pages in the admin to affect what a user would see to be one external change. With WordPress the admin console was originally user tested by the project founder’s mother ("If mom can use it, anybody can!") and that fanatical concern for usability has permetated the project. In Drupal some of the more active developers are known to say "If you don’t find Drupal usable maybe Drupal is not for you."
- WordPress has a WYSIWYG Content Editor in Core - Also a usability issue but an important specific one, with Drupal there is no standard WYSIWYG editor leaving the site implementor to choose from thirteen (13!) suboptimal editor module choices, none of which are maintained at the same level of Drupal core. In WordPress, TinyMCE has been a highly usable standard for more versions that I’ve been using WordPress. (Personally this was one of the biggest issues I had with Drupal and why moving to WordPress was such a godsend for me.)
- WordPress Strives to Maintain Backward Compatibility - Drupal wears as a badge of honor that they wipe the slate clean with every major version. Drupal mostly ignores backward compatibility with the prior major version because yes it is nicer for the core developers not to have to worry about backward compatibility. But for your business the reality is that if you implement a site using Drupal you are stuck on that major version until you choose to invest in an expensive rewrite of your website.
Ponder this issue for a moment. In my opinion, choosing Drupal can result in a nightmare once the version of Drupal they are using becomes too obsolete and is no longer supported. This is such a huge negative that I can’t really see why any business that is doing their due diligence would ever choose Drupal no matter its feature set.
With WordPress most upgrades are seemless and those that are not are usually easily fixed because of the attention to maintaining backward compatibility.
- A WordPress-based Website’s Source Code is Easier to Manage - Drupal co-mingles user content with what is in effect a website’s source code in much more significant ways than WordPress does. For example, to design of "Custom Content Type" in Drupal gets stored in the MySQL database; in WordPress "Custom Post Types" are stored as PHP code. For any business website managed by professionals it is critical to use a source code version control system and it’s easy to submit PHP code to version control but very difficult to submit records in a database to version control. This fact alone is a extremely strong argument for WordPress and against using Drupal for any serious website development project.
Yes out-of-the-box Drupal is easier for a non-technical power user to add custom content types compared to with WordPress, but we are not talking about the needs of a housewife to organize her recipes, we are talking about which one is the better choice for a business CMS and WordPress wins hands down in this category. (BTW, there are plugins for WordPress such as Custom Post Type UI that provide the end-user with the same ease of use for creating custom post types that Drupal has for creating custom content types.)
- Collaborative Development is Easier with WordPress - This reason is a variant of source code being easier to manage. Without a good version control strategy it is much harder to get a local copy of a website for development. Developers in a Drupal shop have to spend a lot more time merging their databases so the up-shot is that many Drupal developers co-develop on the same installation, and often the live installation at that which results in overwriting each other’s code and limits a developers ability to roll back. It’s much easier to develop with a local copy of WordPress so WordPress developers tend to do it more often.
- Revisions of WordPress-based Websites are Easier to Deploy - This reason is also a variant of source code being easier to manage. 1 but the headaches are seperate so I list is as a seperate reason. Because WordPress maintains a lot more of its logic in PHP code WordPress is much easier to deploy than a Drupal application. Drupal developers end up writing a lot more SQL code that they then need to test everytime they need to merge data used to control new application logic into the database of a production webserver on deployment of a revision to an existing website. The significance of this is hard to underestimate.
- Easier to Find Skilled Designers for WordPress - To create a beautiful website design for WordPress designers need to be good at design, of course, but beyond that they really only need to learn how to copy and paste "Template Tags" as they able to have full design freedom when producing the HTML that will be used for a WordPress theme.
Drupal designers, on the other hand, need to be skilled PHP developers too and with a rare exceptions those two skillsets are mutually exclusive. When you do find someone who can do both and do both well, they will be hugely in demand and thus outrageously expensive but the real problem is with Drupal you really won’t know if they are one of the rare few until after you’ve paid them a lot of money to either create a "house of cards", or a really ugly house.
With WordPress you can get a great designer to work with a great developer, both of which are easier to evaluate than combined greatness, and you are set.
- There are More WordPress Professionals Available - A corollary to finding skilled designers, it’s simply much easier to find WordPress professionals to hire for projects than it is to find Drupal professionals.
- WordPress Professionals Charge Lower Rates - Another corollary to finding skilled designers and more WordPress professional being available is it is less expensive to find a WordPress professional than a professional for Drupal. If you ignore the fact that there are many more WordPress professionals another factor is WordPress professionals don’t need to be as proficient in as many areas as their Drupal counterparts. People who can really make Drupal sing are really expensive.
- WordPress’ Code is Much Easier to Debug - Drupal’s highly nested architecture makes it so that a developer spends most of his time looping through a few core functions waiting to find which code controls what they need to modify. Often with WordPress the developer can simply set a breakpoint on the theme’s template file and debug from there.
- WordPress Sites Load Much Faster than Drupal Sites - Drupal runs upwards of 100 SQL queries for every page load because of its site architecture. With WordPress the number can easily be less than 10. And the time to run those SQL queries easily add up. Drupal advocates will claim those queries can be made insignificant by the creative use of caching but the reality is that you cannot cache most items in the admin console so the end user who is forced to use Drupal will be saddled with a level of fatiged and is just not necessary, if you instead choose WordPress.
And lest you feel this is unimportant technical concern be aware that site performance is now something that Google uses to determine search engine result rankings. Host your website on a slow platform and prepare for an uphill battle when it comes to achieve top rankings in Google’s search engine results pages.
- WordPress Requires Less Expensive Hosting - A corollary to page load performance is that the typical Drupal site requires a lot more server to serve each of it’s pages than does a typical WordPress site. Those who choose WordPress for a seriously high traffic site will usually find they can serve more pages with the same servers and/or that the memory requirements for WordPress will typically be a lot less. And for a high traffic sites this could either be real money and/or it can mean that the site is less likely to fail in the case of a flash mob such as a Slashdotting.
- WordPress has the Most Integrations - More companies or their 3rd parties offer plugins for WordPress to integrate with their services than another other platform, specially more than modules available for Drupal. Twitter, Facebook, Freshbooks, MailChimp; you name it, they all have WordPress plugins. If you need one for Drupal and it’s not a mainstream service like Twitter or Facebook chances are you’ll have to pay to have it written.
- WordPress has More Robust Extensibility Method - Both WordPress and Drupal use the term "hooks" to describe their exensibility mechanisms and while there are similar there is an important technical difference. In WordPress you associate a bit of functionality to either run or filter a value based on the name of the hook and you can have as many hooks of each type as are needed. In Drupal you do the same except that hooks are identified hook name prefixed with module name which means you can only use a given hook once in a module; if you need to use it twice you have to create another named module.
Of course the module name limitation is an annoyance but not a huge problem. The huge problem comes when you need a module to disable a hook that was enabled by another module you otherwise need. This is a technique used somewhat frequently in WordPress but when it’s needed it is essential. In Drupal, even if you need to you simply can’t. And all because of Drupal’s architecture choices.
- WordPress has Far More High-Quality Attractive Themes - Drupal has almost two orders of magnitude less. Why is this the case? Because it is so much harder to create a Drupal theme (as mentioned above), designers have to be good developers to theme Drupal (also mentioned above) and there are just so many more people using WordPress.
Now having off-the-shelf themes is great for micro-businesses, startups and even tactical projects but most businesses will want a custom theme developed to showcase their brand in the best light possible yet the existence of so many commercial themes still benefits those who need custom themes. Why? Because it means that collectively WordPress custom theme developers have a lot more experience developing quality themes than their collective Drupal counterparts because many WordPress designer offer up commercial themes for sale in addition to their bespoken work.
And then there are the theme frameworks for WordPress like StudioPress’ Genesis and WooTheme’s Canvas which create excellent headstarts for theme designers with lots of pre-built functionality that designers would often have to charge clients to develop. Drupal does have the concept of theme frameworks but they are really an esoteric option for Drupal.
- Lastly (for my list, at least) there is a WordPress Answers but not one for Drupal - Yes an attempt has been made but there’s just not enough community support for a Drupal Answers (yet?) And while this reason may seem gratuitous, believe me it is not!
The official support forums for both Drupal and WordPress and even the mailing lists for WordPress evidently encourage a level of disrespectfullness that is pervasive in so many open-source communities and it can be a huge time sink for the business person who just wants a problem solved. On the other hand the mechanism used by StackExchange’s WordPress Answers brilliantly encourages timely and helpful support discourages such unproductive behavior with its reputation system.
And whereas many support queries on the Drupal (and WordPress) forums go unanswered, the majority of questions receive a reasonable answer on WordPress Answers (currently at 94%.) If you have a WordPress issue you need solved, or that your developer needs to solve, the existence of WordPress Answer compared with the non-existence of Drupal Answer means that solutions will come far more quickly and far less expensively.
So there you go. 17 Substaintial Reasons why WordPress "The open source blogging tool" is a far better pick when selecting a CMS for business use compared with "*The* (2009) open-source CMS" Drupal. (Oh, and the judges picked WordPress as the best CMS for 2010.) Need another opinion? See Wikipedia’s criticisms of Drupal and the relative lack of criticisms about WordPress.
Of course it would be unfair and disingenous of me to call out WordPress strengths and Drupals weaknesses without also telling you where I see weaknesses with WordPress and strengths of Drupal and for me not to tell you what are the use-cases where I’d be hard-pressed to dismiss Drupal in favor of WordPress. So here you go:
- Drupal Allows for More Flexible URL Design - Since WordPress grew up as a blog they hardcoded the URL routing logic which has resulted in some rather odious limitations in how you can design your URLS. Drupal’s URL management is no panacea either — you can end up with a difficult to maintain mess — but at least Drupal *allows* you flexibility that is often just too hard to implement robustly with WordPress
(Note: I have a plugin on the drawing board whose goal is to remove this limitation from WordPress. Once it sees the light of day I believe WordPress’ URL routing will be much better than that of Drupal. But alas, at least today, Drupal wins in the URL category. If someone using WordPress really badly needs better URL routing in WordPress and can fund the plugin development please contact me as by nature my priorities are defined by my client’s needs.)
- Drupal Offers Out-of-the-Box Content Type and View Creation in the Admin - Yes, out of the box a saavy end user with adminstrator rights can create and define Custom Content Types with custom fields and even custom reports/queries called "Views." This enable and end user with the time to learn Drupal to build a content-based system without any developer help. And for certain scenarios this would be invaluable, such as in certain government or academic departments were there is zero budget for development today, there never will be budget, and the end user either does not want to or is simply incapable of learning how to write the simply PHP required to register custom post types in WordPress.
On the other hand, there are WordPress plugins that duplicate the functionality of CCK and there are numerous plugins that expore the Custom Post Type registration via a UI in the WordPress Admin. Still, as far as I know, there really is not WordPress equivalent of Views.
Still, even though you can create custom post types in WordPress using a plugin that exposes an admin UI it doesn’t mean you always should. As I said above I highly recommend that anyone business that is having custom solutions built using WordPress not build them using an admin UI for defining custom post types but instead embed that logic into version-controllable PHP files.
As for Views, it’s basically the same recomendations as for custom post types; rather than store them in the database like Drupal does it works much nicer just to code calls to WP_Query into PHP code; easier to version control and also easier to test, verify correct and certain that aspect of the site to be bug free.
- Drupal has Positioned Themselves Better in the Eyes of Large Enterprise - Here’s where I think Drupal has succeeded brilliantly. Because of the efforts Acquia’s products, services and solutions there are many large companies that believe in Drupal. I believe they have done a much better job of courting the Fortune 500 crowd than WordPress has via Automattic and it’s VIP Support and Hosting offering.
That’s not to say there are not some really phenominal companies delivering enterprise class solutions on the WordPress platform such as Voce Communications and TayloeGray just that there is a segment of decision makers in large business who will only consider working directly with the primary vendor and in these two cases the primary vendor for WordPress is Automattic and the primary vendor for Drupal is Acquia. And while I love WordPress and think highly of the team at Automattic it’s clear to me that Acquia have done a much better job of positioning themselves as a company that provides enterprise class support for their platform.
But what about Drupal for Community Sites?
One of the use-cases oft cited for Drupal’s superiority is for community sites. But frankly, I don’t buy it.
As an active member of the Drupal community for two years (speaking of which, I need to update my profile there) I found drupal.org to be an extremely frustrating website in which of participate in a community. The forums were not at all effective in the ways that other forums I’ve seen like vBulletin have been effective, and using them as a user was far more pain then pleasure (by contrast I find StackExchange mechansim at WordPress Answers to work brilliantly but alas it’s not software you can implment for your own community.)
Actually at this point I think it’s counter productive to set up yet another social network but if you are convinced your strategy makes sense I’d be included to launch it on BuddyPress instead of Drupal, and BuddyPress is now a plugin for WordPress. And one of the really great aspects of BuddyPress is it that it leverages the brilliant network/multisite feature of WordPress which has completely nailed the "single install - multiple website" architecture.
Who am I to Judge WordPress vs. Drupal?
Full disclosure, I’ve been making my living as a WordPress specialist for almost two years and I plan to launch a company that provides tools and support for professional website developers and interactive agencies who have chosen WordPress as their platform for client solutions. The reality is that I could easily choosen to do the same for Drupal but did not.
I spent two years working with Drupal as my preferred platform, from mid 2007 through early 2009 and I gained experience working with versions 4, 5, and 6. I was drawn to Drupal by it’s elegant architecture (I’m an engineer by degree and thus appreciate elegant technical architectures) and frankly by the fact that Drupal was the only solution of the three main open source CMSes that could actually be used as a CMS without obvious issues (why I avoided Joomla is the story for another day.)
Back in 2007 using WordPress as a CMS was simply not an option, so I moved forward and became enamoured with Drupal and it’s Custom Content Kit, Views and so many other (what seemed like) wonderful modules. I became active in the local Drupal Meetup group and spoke at several of their meetings. I registered a "DrupalCamp.com" domain with plans to launch a local DrupalCamp and more. I really drank the Drupal koolaid.
But then by happenstance I had finished a Drupal project and was looking for another when a 6 week project to write custom admin plugins for WordPress 2.7 fell in my lap. Since I far prefer to develop admin functionality than full websites I figured "How hard can it be?" and took the job. While I worked on these plugins I discovered WordPress much easier to develop for than Drupal but I still held on to the notion I’d return to doing Drupal work once the project was done. As the project progressed an inner conflict raged as I came to prefer WordPress all the while mourning what I would be loosing if I were to leave Drupal (CCK and Views, mostly.)
However by the end of the 6 weeks it became crystal clear to me; WordPress was a much better system than Drupal even without all the CMS features. I was reminded of how many personal Drupal projects I had unfinished simple because it’s do hard to get a good looking site completed in Drupal, the last 15% it pure hell to complete. So I decided I would build my own CCK equivalent and use WordPress instead. Honestly, it didn’t go so well with WordPress at first. Trying to create my own CCK was fraught with frustration and I wasted copious time trying to bend WordPress to my will. But I did and limped along.
Then v2.8 came out. And then v2.9. And then finally v3.0 was announce with Custom Post Types and fortunately I was in a position to just on the beta version. It soon became clear to me that the WordPress team got Custom Post Types right and that v3.0 was going to be a watershed release and, as they say, the rest is history.
As I write this v3.1 is going into beta and with its Internal Linking Dialogs, Post Formats and more WordPress continues to prove that it really is the best choice for almost every business CMS need out there.
So Why Did I Write this Post?
Recently I met with a Senior Vice President of Strategy and Innovation at a large well-known non-profit who is planning to launch a major initiative and he’d narrowed his choices of platform down to two (2): Drupal or WordPress. On a personal level we hit if off fabulously so if it were just personalities I think he might be inclined to take my recommendation on faith but I sensed he is enough of a real professional that he looks beyond the personality of the advocates to assess the actual best solution for this organization.
What he wanted to hear from me which platform I thought was the best and why. I had already reviewed their design brief and wireframes so I had a good idea of what they wanted, and on the surface it looked rather much like a community app. Because of this and also because he had previously talked with several Drupal advocates I think he was leaning towards Drupal. But looking at his requirements and given my issues with Drupal that I detailed in these 17 reasons it was clear at the day is long that WordPress would be a far better platform to meet his needs.
Still, as I tried to explain to him why Drupal would not be a good choice I felt that I might have been coming across as a bit too much of a WordPress zealot whose opinion was not based on objective reasoning. So I decided that I should writing this up to make the case using objective criteria for anyone evaluating the two.
But I still didn’t get around to writing it up because there are always too many other things to do in a day. It wasn’t until a series of posts on Quora with the leading title "Why do so many people use Drupal instead of WordPress?" that I got off my duff and finally wrote this post (even though I have clients whose projects I probably should be working on!)
While Drupal had the lead as best open source CMS for many years, WordPress has eclisped Drupal as the best open source CMS as of mid 2010 with the addition of Custom Post Types.
More specifically Drupal’s site architecture makes it a less than ideal platform for business websites when compared with Wordpress, and Drupal’s philosophy on backward compatibility make it really hard to recommend it to any company for almost any reason at all.
Postscript: About Comments and Revisions
If you are going to post comments:
- Be sure to include something specific about the post in your comment rather than a generic like "Yes I agree" or I might think is spam and delete, and
- If this post gets a lot of comments (which I fear it might) be aware that if your comment doesn’t appear for a few days it’s simply because my client demands have limited my free time and I haven’t had time to release it from moderation.
FYI, I plan to revise this post if new evidence comes to light, somehow I got my facts wrong, or I just identify more to add. Frankly I’ve never much liked the "write-once, forever outdated" form that most blog posts take, so why conform?
Alastair McDermott has just written a blog post on a very similar subject entitled "Why I Recommend WordPress as a CMS." It’s a good read.
If you are going to leave an inflammatory comment criticizing my post then at least have the integrity to leave your full name, your email and a link to something where I can verify who you are and I’ll be happy to publish it (you know who you are.) Otherwise I’ll simply moderate your comment into the trash.
And for what it is worth, it looks like even the Drupal community knows about many of the problems with Drupal:
Apr 8th, 2010 | Miscellaneous, Opinion
I ordered a MacBook Pro last April, the first Apple laptop I’ve ever owned.
I remember when because I ordered it on my birthday. I ordered it after happily using Windows for decades. I did so because I was weary, weary of listening to friends I otherwise respect admonish my use of Windows whenever I’d ask simple questions like "What’s a good Windows apps for taking screenshots" and "How do I use TortiseSVN?" They’d tell me if only I were to use a Mac the angels would bless me and ensure I’d never experience a bad day, ever, from the day forward owning a Mac. They promised continued sunshine where ever I went, and that the temperate would never dip below 72 degrees. (None of that ever happened, but I do digress…)
Of course I didn’t believe them but like Patty Hurst back in the 70s I had lost perspective on what was real and what was hyperbole. I was fatigued. I wanted to be able to ask a question and get a suggestion without all of the bravado and bluster. I just wanted it to stop. So I caved. I spent about $2500 on a MacBook Pro instead of waiting a few months to spend the saner $1250 for a Dell running Windows 7. And like any good new cult member would have, I pruchased AppleCare to go along with it. A full $350 worth of AppleCare. Hey, I had purchased Dell’s 3 year extended service, why wouldn’t I purchase AppleCare?
So my new MacBook Pro arrived and I decided I would give it my all. It was frustrating at first (the Mac is designed for people who don’t want to use the keyboard; it’s all about click, click, click. But once again, I digress.) After almost a year I’ve gotten around most of it’s annoyances (software like Cinch and TotalFinder have made a real difference, but there’s still lots missing.)
Of course I dropped my Mac about a month after getting it thanks to the magnetic "MagSafe" power cord snagging and caused me loose my grip on the computer (I "quoted" MagSafe for a reason…) It fell about a foot. Didn’t actually cause the computer a problem, gotta give it that. The screen was fine. The hard disk continues to run fine to this day. I was impressed even though I’d easily dropped my Dell similarly several times of which I never experienced agailer. But dropping that Unibody did put a kink, literally, in the (evidently) butter-firm aluminum case. And evidently I’m not alone in my sturdiness test results, either. Ouch, just like your first dent in your new car, and so early in my ownership. Ah well.
Fast forward to today. In less than one (1) year my battery was failing (took 1.5 years for my Dell) and my Enter key "broke." The little pin-sized flinger on the back so small I can’t take a clear picture of it, that’s what broke. No problem, I’ll head to the Apple store where they’ll take care of me and my keyboard and if I’m lucky they’ll give me another battery for having proven my loyal Appleistsa credentials since I bought AppleCare for my less than 1 year old objet du désir. Little did I know what was waiting for me at the Apple store…
As a quick aside, I came to love my Dell during my 2+ years with her runing Windows Vista as my primary computer. She gave me about 7 hours of battery life between charges on 2 batteries. I would go places and rarely ever bring a power supply. It was awesome. (With my Mac I’m always painfully cognizant of being battery powered cause I know it ain’t gonna last…) Once my Dell she had a bad battery which they happily replaced, no questions asked. Twice I had her mouse key break yet Dell sent me a new case for free each time (they didn’t sell the mouse key separately. Silly, but hey, they replacde it!) Still, time marches on in ‘puterland ahd she was getting weighted down with too many files in too little of a hard disk. And her processor just wasn’t as captivating as those of the younger models. It was time for a new relationship. That’s when I succumbed to the siren song of the cult of Mac.
Back at the Apple store they took my Mac and did unmentionable things with it in the back, I’m sure, only to return after a long stay to tell me how they would going to replace my battery as a favor (viola!) However, because of my MagSafe mishap they decided to void my AppleCare, that which hadn’t even started! And that meant they were not going to replace my broken enter key "Because the dent might have caused the Enter key to break!" (he didn’t say that, but he implied that by saying "We can’t know what problems your dent caused.") Give me an f-ing break; the dent didn’t cause the Enter key to break. So there you go; my 11 month old Mac with AppleCare purchased but Apple won’t replace the keyboard that broke due to faulty design (they admitted the new MacBooks have different Enter keys; might there be a reason there, eh?)
"Of course you can send it back to be recertified and that will restore your AppleCare" he said. "How much?" I asked? "Between ~$600 and ~$1200." WHAAAAAT? "You mean I have to pay 1/2 as much as I paid for the entire computer one year ago just to recertify my warranty? Are you serious?!?" And he replied "Yes" with a straight face. So let’s see, I can buy a brand new 15" Dell with a faster processor, the same memory and a larger hard disk for $499, but it’s gonna take 150% or 300% of that for Apple to fix my case dent and reinstate the warranty I already paid for, even though there is no other sign of damage to the computer?
"So what are my other options?" I asked. He said he’d be happy to replace the Enter key if I could come back to the store and periodically ask if they have a late-2008 DOA that they could cannablize. I asked "Can you just keep track and let me know?" "Oh no, the Apple Store at Lenox is too busy for that." He suggested I drop by the Perimeter store. I said I’d just call ahead and he said "Oh no, the people answering the phone won’t have to time to help you with that." Great, my option is to drive around town to stores wasting time and gas to just ask if they have an older model that can be cannibablized so I can get my g-d Enter key fixed? And hell, they don’t even sell those Enter keys sans full keyboard notwithstanding the fact that in my certified opinion they are clearly of faulty design. Hello?
In frustration I told my Apple attendance I’d just get a keyboard off of eBay to which my Apple "Genius" countered: "Oh no, if you open the computer Apple technicians will know and they will tag my computer’s serial number as unservicable!" I couldn’t believe this. This is the company that has people stanpay outrageous prices, and then rave about them? Are Apple cult members mad? Or are Mac zealots always just in a Stockholm state of mind?
Now some members of the cult of Mac will admonish me saying "DON’T DROP YOUR LAPTOP" but they are missing the point. I didn’t ask Apple to replace my dented case, I asked them to fix my keyboard. The Enter key did not break because of the dent in the case; any fool can tell that. And I’d be fine with a caveat that if something failed that could reasonably have been caused by the dent then I’d be okay if I had to pay for repairs. BUT TO VOID THE ENTIRE WARRANTY?!? They didn’t even offer to refund of the $350 I paid for AppleCare given I haven’t even gotten past my first year of ownership where the standard warranty should still apply!
Apple, you suck.
Hell, turns out I’m not alone in having my AppleCare voided willy-nilly. Seems that Apple looks for many reasons to void AppleCare (hey I’m a militant non-smoker but my enemy’s enemy is my friend.) Steve’s gotta keep those profits up. Guess the iPod alone’s not enough to keep Wall Street happy. Sheesh.
Lesson Learned? You can’t trust Apple. Skip the Mac, buy a Dell; you’ll thank me for it.
P.S. Yes I know there are some alternate solutions which I will pursue, but I paid a premium price for a premium product and I paid extra for extended warranty and it got me treated by Apple like a Saturday night drunk at a Waffle House. Not what I expected, not when I deserve.
P.P.S. Though admittedly not as bad, this scenario is starting to remind me of the time American Airlines lost my reservation and then had the manager’s manager call me a liar. My $500 AA ticket turned into an $1150 ticket, but USAir sold me one for $850 instead. So American’s custom dis-service cost me $350 in 1990 and I was called a liar. And over a million frequent flyer miles later I’ve avoided flying AA whenever possible and probably told this story 500 times over.
P.P.S. Want to turn this around Apple? Do the right thing. Just reinstate my warranty.
Mar 20th, 2010 | Atlanta, Marketing, Opinion, Personal, Social Media
I’ve been organzing meetups in the Atlanta area since January 2007. Over that time I’ve organized over 50 meetup events, they’ve typically achieved average ratings of 4.5 of 5 or better, they’ve typically had 50 or more people attend, I’ve helped at least five (5) other people launch their meetup groups, and the member list for my original meetup group has grown to having more members than all but one other business-focused meetup group in the Atlanta area. During that time I’ve learned a bit about what it takes to be a good meetup organizer.
Recently someone asked me yet again for advice on how to grow their meetup so I decided this time to blog about it. Let me give the caveat that this is what has worked for me and for my type of meetup but it might not be perfect for yours. My groups have been focused on web/startup/marketing/tech and so I don’t know what works best for a mom’s meetup, for a hiking group or a singles club. Still, people are people and I’m sure anyone organizing a meetup can find something of value here. Here they are, in no particular order (some I fail to do consistently though I know I should; sometimes life just gets in the way):
- New organizers always try "to get input from everyone." From experience I’ve found that to be a waste of time. Find two (2) other people and form a planning team. Map out 5-6 topics, possibly starting with a "101" meetup and build from there.
- Meet quarterly with your planning team to plan so you always have 3 events on the calendar, more if possible.
- Do listen to feedback, but don’t wait for feedback before moving forward. Most people just want to attend meetings, few actually are willing to contribute a significant effort on a consistent basis even if they say or think they will. If people promise to contribute expect they will not follow through until they have proven otherwise.
- As much as possible be the catalyst and facilitator, not the featured speaker at every meeting (people will get tired of you if you do.)
- Schedule 3 to 6 presenters for a monthly meetup (more than 6 works if it’s a workshop and they are there to provide expertise.) It gives multiple perspectives and it keeps you from having failed meetings from building anticipation for a meeting, having lots of people show up and then only to learn that your featured presenter’s "kid got sick" so they decided to cancel.
- Do your best to get people from outside the people who usually attend your meetings to present. There’s the old saw "Familiarity breeds Contempt" (i.e. "I don’t need to attend to hear them talk; I know them already and can talk to them whenever I want.") Bringing in outsiders also makes people aware of your group that might not normally seek it out or attend. If they have an influence base such as on Twitter they will promote your group because it promotes them.
- Only ever schedule a person to present to the group once per year. If you frequently schedule the same people to present your members will think "I’ve already seen them, I don’t need to see them again." That means be sure to get them to talk on the topic where they are the best sui have the most bang for the buck since a lot of people will jump at any chance to present and you really want to get them where they will shine.
- Post a meetup page for each meetup event that includes links about the people who will be presenting including their Twitter account and a short bio. I like to link to their LinkedIn page for consistency, and also link to their company. Be sure to include an evening agenda so people can see when it starts and when it ends. Here’s an example meetup page that has all these things.
- Set up a Twitter account and a Facebook fan page. Always tweet and post about your events in advance and to thank your presenters/participants afterwards.
- Set up a Twitter hashtag for your meetup group (i.e. @StartupAtlanta and #OnStage.) Give people a handout at each meetup with the account, the hashtag and all the presenter’s/participants Twitter accounts and ask your members to tweet about the event.
- Send out emails in advance of your meetups that are hand formatted to look different from the one’s send out automatically by meetup as people tend not to read those. Here’s an example notification email.
- Send an email out about the most recently meeting and reminding them about the next meeting and thank the people who participated/presented.
- For my groups I have focus mostly on featuring local people for our regular meetings but when nationally known people are presented I make them special events. Some organizers always try to get one national calibre "rock star" for their events, and that works for them. Pick what works for your group.
- Keep vendor influence to a minimum; keep it about the people attending.
- Run a meetup only if you really want to help people and/or build a solid community and not if you’ve just got the idea "Hey I can sell my services to this group." The latter can be a serendipitous result but it’s painfully clear to practically everyone who might attend that if your motivations are to sell them (almost) nobody will want to attend.
- Pay it forward, focus on what’s good for the group and the community you envision building, not what’s you are hoping to get out of organizing
- Shake up the format. Have presentations, panel discussions, roundtables, workshops, etc. The topic should make the format obvious. For workshops, recruit lots of helpers. Don’t over worry about format, try a bunch of them, communication will happen ad-hoc (suggest Twitter or make a Google group), and let the topics you pick determine the level of competency. The more detailed your topic announcement the more likely you’ll get the right people.
- Don’t be afraid to ask anybody to present. I’ve never once been turned down except for people simply not being available at the given time.
- Look for ways to hold joint meetups with other groups that have cross-over. (Beg meetup on their forums to more easily enable shared meetups.) If possible take the lead in these joint meetups and get people to RSVP at your meetup group’s page (if possible, and at least until meetup enables shared events.) If you do these frequently you’ll all get lots of benefit and you’ll grow your group.
- Charge for meetings, $5 to $10, starting with your 3rd meeting (assuming you are gaining momentum.) If you don’t charge more than half of your RSVPs will be no-shows. If you charge, only between 10-30% will be no-shows.
- Be aware that many of the people who attend your meeting early on will start attending only sporatically as their lives evolve. That’s normal and don’t take it personally.
- Don’t try to do too many different groups. Unless you are able to make a living from organizing meetups, which is a potential but a really hard way to make a living, it’s really hard to do more than one well, two at the max. I’ve made that mistake and I’ve recently pared back to two with a potential to phase out of one of them in the near future assuming I can find the right people to take over.
- Find a good place to have meetings, not a restaurant unless its set up for meetings in a special room. This is the hardest part. Look for a local coworking space like Ignition Alley. A college or university may also be very open to hosting community meetings as Georgia Tech has been for some of my meetups.
- As for location, you’ll need to decide what works here. In Atlanta you’ll find a bulk of in-town people and a bulk of "up 400" people, and then everyone else is scattered. Pick one and let someone else do the other (you can’t please everyone, so don’t try.)
- Finally, set a consistent date, time, and location. Always have it there so people can get used to it, and if at all possible, never cancel a planned meetup or many people will loose faith in your ability and stop RSVPing for your events.
Well that’s about it for today. I’m sure I missed a few of my own "best practices" and I’m sure there are a ton of other’s I have yet to uncovered but these should get you started.
If anybody has other suggestions please give your best practices in the comments. Be sure to mention your group(s) and how long you’ve been organizing, and include links to their pages on Meetup.com.
Feb 28th, 2010 | Contrarianism, Opinion, Startups
Yesterday Vivek Wadhwa who has recently become one of my favorite authors on startup-related topics wrote a somewhat inflammatory post on TechCrunch entitled "Can Entrepreneurs Be Made?" In it he asserts that entrepeneurs are made, not born, and it’s somewhat inflammatory because he calls out Jason Calcanis, Fred Wilson, and other Silicon Valley VCs as being wrong in their previously stated beliefs that what drives someone to be a great entrepreneur is innate, and thus that they are born.
In reaction Mark Suster, a entrepreneur-turned-VC and another of my favorite authors on startup-topics, responded with "Entrepreneurship: Nature vs. Nurture? A Religious Debate." Mark takes issue with Vivek’s thesis citing his experience and intuition as a recent father and calls out Vivek’s use of stats by implying his was based on a "faulty model" although he does state up front his point-of-view is "purely subjective." Mark goes on to presume Vivek may have "used hyperbole to get more readers" (which might be true though I’d expect that the TechCruch editors are more likely to be the culprit there…) and then complains about Vivek "attempting to “prove" unprovable facts (based on) this kind of data manipulation."
I have incredible respect for Mark but I can’t help but sense a tiny bit of defensiveness in his post. As a VC Mark makes decisions every day that will have profound effect on the lives of entrepreneurs and their families and fortunes. But it’s not uncommon that a subconscious defensive reaction is triggered when evidence comes to light that indicates a person’s important decisions might have been made on faulty criteria (see: choice-supportive bias, post-purchase rationalization and escalation of commitment.) I’m not saying Mark is wrong (or that he is right) but it felt like he was being defensive (as I have been recently.) Even so, if Mark was being defensive I’ll willingly give him a pass because it’s hard to overcome that which makes one human.
Back to the debate at hand; I sit on the fence. While I don’t know which perspective is correct I think the focus on this debate is actually harmful.
I assume that Mark shares Vivek goals and the goals of many others which are "…to boost economic growth by increasing the number of successful high-growth startups."If true then escalation of this nature/nurture debate is taking the eye off the ball.
If Mark and those who strongly believe in the nature convince policy decision makers they are correct then chances are those policy decision makers won’t explore subtlety. If there’s nothing we can do to cultivate entrepreneurs since they’ll bubble up to be recognized on their own, why do anything? Game over.
Wouldn’t it be better to look past the debate and instead focus on cultivating and educating entrepreneurs regardless of if they are made or born? Google has spawned a huge number of startups; were they all born? Maybe they were; Goggle has had many other employees who have not gone on to launch startups. But the fact that Google has spawned so many and most other companies in other regions haven’t proves (at least to me) that a strong catalyst results in more latent entrepreneurs taking action and launching innovative companies. When such a catalyst doesn’t exist those latent innovative entrepreneurs continue to do what their experience and environment present to them as options: be an intrapraneur climbing the corporate ladder or launch a replicative business.
In Atlanta where I’ve lived most my life, the holy grail for many is to work for one of the eleven (11) Fortune 500 companies that litter our landscape. As a graduate of Georgia Tech, one of the better technology schools in the nation and one that houses a very active state-funded accellerator, the majority of students aspire to work for one of those big companies because that’s the local culture. That’s what students talk about and that’s what the administration talks about. Going to work for a big company is what is expected of successful Georgia Tech graduates.
Most people aspire to the level of their peers. If their peers are not launching innovative startups the majority don’t even think to launch innovative startups. To say the vast majority of students who attend Stanford where many of those ex-Googlers who are now launching startups attended are genetically predesposed to be entrepreneurial whereas the vast majority of students who attend Georgia Tech (a top 10 ranked educational institution itself) are not strikes me as a bit too much confirmation bias.
As an aside: I think having so many Fortune 500 companies in Atlanta might be much more of a curse than a blessing. We have over 50 interactive agenies locally and they mostly suckle on the teets of these companies rather than aspire to create the next Google and drive real economic growth in the region instead. The people running these interactive agencies are entrepreneurs but the local culture and entrepreneurial patterns they are familiar with has had then focus on replication and not innovation. And sadly our local Fortune 500 companies do almost nothing I am aware of to foster startup innovation in our region.
Consider Shaquille O’Neal, one of the most dominant players in the history of the NBA. Would O’Neal have ever been drafted by the Orlando Magic if he had never met Dale Brown in Europe who was LSU’s men’s basketball coach at that time? Consider Sergey Brin and Larry Page. Would they have acheived Google’s level success had Sergey’s parents never left Moscow or if Terry Winograd had discouraged Page from analysing the link structure of the web? Clearly people who launch successful innovative startups are influenced by their life paths, their peers, their mentors, the options they are presented by society and a huge amount of luck, no?
Put another way, what’s the likelyhood that situated in remote villages in Africa or in the Amazon there are not 100s of would-be Shaqs who, without opportunity, will never be discovered? How many young car enthusiasts might end up being a leading NASCAR driver if they only had the ability to try? What if every University throughout the country had the startup culture and experienced startup advisors found at Stanford? What if government money across the nation spent on economic development was less focused on the zero-sum game of getting a large employer to relocate from another region and instead were focused on encouraging and supporting entrepreneurs to launch innovative startups?
I’m a rarity from Georgia Tech; I started my first real business about a year and a half before I graduated. But that was after working as a co-op student for many quarters at both Owens-Corning Fiberglass and later at IBM. When I started IBM I was completely enamored with them. After two work quarters though I left IBM thoroughly disgusted and started co-oping with a small consulting firm. It was there after watching my employer fumble I came to realize I could easily join forces with a co-worker and we could run our own business. Since then I’ve run many businesses, a few of which have done well and one that grew very rapidly over five years. During that entire time I can honestly say I had few if any real mentors and thus made more mistakes than any one person should be allowed to make! Had I had a better experience at IBM or had the owners of the consulting firm I worked for not been incompetent I might never have become an entrepreneur; it was my life experiences that moved me in that direction instead. And I’m certain I would have been far more successful entrepreneur had I had a better startup education and quality mentors along the way.
Still I won’t argue being an entrepreneur is purely experiential. I also won’t argue it’s all in the genes. But I will argue that in the grand scheme it just doesn’t matter.
What matters it that there is almost certainly a huge pool of untapped latent innovative entrepreneurs who could transition into active entrepreneurs launching high-growth startups. As Azeem Azhar wrote on the subject:
There are those who may have many pop out of the womb on the far end of the distribution, but emerge in cultures where the things that can make one an entrepreneur are not valued. The pastiche of this would be the high-performing child who is driven back to the fat-middle of law or consulting by school, college and parental pressure. I am sure this group keeps many a psychiatrist and divorce lawyer in business as they hit their forties and reality dawns.
How about we discuss how latent innovative entrepreneurs can get the encouragement, mentoring and other forms of support that are crucial. And since "swinging the bat" more often results in more "home runs" let’s find ways to minimize the potential of finanical devastation of a simple "strike out"to encourage more prospective entrepreneurs to "swing" once and/or to swing more often. And as Samidh Chakrabarti asserts, let’s get more people to pursue their passions as innovative startups by helping them see it as an option and by providing education in the skill sets needed by would be successes but are only obvious to most after they’ve failed.
So why don’t we stop this fruitless back and forth about nature vs. nuture and (at least from a public policy perspective) instead focus on finding and cultivating latent innovative entrepreneurs?
P.S. Fred Wilson, another VC I greatly admire, wrote on this topic back on the 19th in his post "Nature vs Nurture and Entrepreneurship." I wonder where he stands now on the idea of encouraging more latent innovative entrepreneurs vs. continuing the nature/nuture debate?
Feb 4th, 2010 | Atlanta, Opinion, Startups
Lance Weatherby of ATDC and Socialytics wrote a post today entitled Nobody Told Me where he ranted about how there are too many startup activities in Atlanta and not enough people "creating products, getting customers, and building companies." After writing a long comment which his blog wouldn’t accept for some reason I decided now would be as good a time as any to start blogging again. What follows is the comment I originally wrote for Lance’s blog:
As someone who started a monthly Atlanta Web Entrepreneurs meetup back in Jan 2007 I feel like this post paints a target on my back. Hopefully that was not your intention?
What may not be obvious is I have been agonizing over the issues you described for over two years but not sure how my efforts could evolve to help. At the end of last year I finally realized how my efforts could positively affect execution and as such I made the changes to AWE that I did, i.e. renaming AWE to Atlanta Web Marketers and also launching Startup Atlanta.
First, one thing that I obviously wasn’t able to make clear to you (and others?) was that Atlanta Web Marketers is NOT targeted at Startups and listing it in this context is doing it a disserve. AWM is targeted at small and medium sized businesses, non-profits, government agencies and replicative entrepreneurs, NOT on innovative startup entrepreneurs with a goal of helping them market their products and services better on the web. FYI, there is a huge demonstrated need for people who are effectively operating their organizations to learn how to better market on the web and that’s the market need that AWM is targeting. AWM meetings is all about execution those people in those organizations, and by focusing on that target market it becomes a business itself and running the events are execution. So please take AWM off your list of Atlanta Startup events, as it’s not.
Next, Ignition Alley events are for the most part not startup-specific events either. Some are but most of them are targeting the same market as AWM events. It’s as unfair to list Ignition Alley events as being part of the glut of startup events as it it is to blame people who live and work intown as being part of the metro Atlanta’s rush hour traffic problem.
Continuing, there is Startup Atlanta and it is NOT an event; it is a (soon-to-be) non-profit who mission is to study the ecosystem, identify how to grow it and as much as possible be a catalyst help others execute on on advancing the ecosystem. Yes Startup Atlanta will run the #OnStage event monthly (which I think you misnamed as "OnStartup" in your post), it will run roundtables, it will run task force meetings, and it will probably run other events. However, unlike the former Atlanta Web Entrepreneurs events all of Startup Atlanta’s activities will be measured by how well the activities focus startup entrepreneurs on executing and/or growing the ecosystem support needed by startup entrepreneurs to execute and not providing new ways to waste time.
Specifically let’s look at #OnStage. It’s modeled after the NY Tech meetups that according to those I’ve spoken with in New York has been very effective in driving startup execution in the New York area. It’s an event that can give some local entrepreneurs exposure for their startup rather than how most have toiled in obscurity. As a requirement for presenting at #OnStage startup entrepreneurs must demo their offerings somehow (NO powerpoint) so all those who haven’t executed well enough to have something to show won’t qualify. In addition #OnStage allows the audience 10 minutes of rude Q&A forcing presenting entrepreneurs to be well prepared with a viable business model or to come across looking rather foolish to the community. Finally #OnStage rewards startup entrepreneurs who are doing the best job of executing by selecting winners and getting those winners more exposure which hopefully will mean more customers, partners and/or investors.
Beyond that, Startup Atlanta will only be promoting events that have as a goal to either advance the ecosystem or help startups execute better, and we’ll be focusing on metrics as much as possible.
And while Ben Sabrin and those like him may know all they need to execute well without outside help not everyone who could otherwise execute successfully knows everything they need to succeed. And that’s where targeted, smaller events come in including some we plan for Startup Atlanta. I’ve also noticed that ATDC has a plethora of such events which you didn’t mention including "Circles", "Brown Bags", "Open Coffees", and more. While they too add to the glut of events I actually expect they are of the type that will help startups execute better (well, maybe the first two named and possibly others; though not sure about Open Coffees.)
But while I think while your criticism would have been very well placed about this time last year today it’s a little late because we as an ecosystem have evolved. For example, I understand that StartupChicks is doing some really fabulous events focused on execution for their constituents (but as I lack the requried chromosomes I can’t give a firsthand testamonial.) Capital Lounge has renamed to StartupLounge Atlanta to refocus, according to my memory of my discussion with Scott Burkett, on execution rather than on raising capital. And Startup Gauntlet is focused on perfecting a pitch; again, execution and not something you can repeatedly attend. StartupRiot is as I understand it in large part focused on both getting local attention for startups and gaining attention from investors outside of Atlanta who actually write checks, and that is something many local startups badly need to execute as well. I believe most of these evolved because their organizers identified a need to focus more on results and execution.
And some of the other events you mentioned are industry or technology specific too, not startup-specific. So you do Mobile Monday, AWsome Atlanta, SoCon, and ProductCamp all a disserve by listing them here. (As an aside, you didn’t mention ATLRUG; it’s inline with AWsome so why not? As for ATDC/TAG Entrepreneurs and Venture Pipeline I don’t have enough experience with them to comment.)
So Lance please do get to know the value each event and it’s associated organization has to local startup execution and learn which events are startup-related and which are not. Casting doubt on the value certain activities bring may end up harming the creation of products, the gaining of customers and the building of companies more than it helps.
Executive Director; Startup Atlanta
Organizer; Atlanta Web Marketers
Partner; Ignition Alley Atlanta Coworking
P.S. Personally speaking, I spent 2007 through 2009 getting to know people in the Atlanta startup community and to build relationships both as an event host and by attending as many related events as I could. I had never done this locally during my prior two decades and my ability to grow my business beyond $12 million annually greatly suffered because of it (and I expect others who rarely or don’t create relationships in the community suffer an inability to execute as well.) But my New Years resolution for 2010 is to focus my event hosting and attendance on only those events that will help achieve the execution goals I’ve set for Startup Atlanta, for AWM, and for myself. To your point Lance, I’d recommend startup entrepreneurs do the same.
Oct 1st, 2009 | Opinion, Social Media, Web
A friend recently sent me a URL via a Forward-to-Friend.com which is a service of MailChimp. While I really love the guys at MailChimp their URLs for their Forward-to-Friend.com are simply awful. There days of social media well designed URLs are finally being recognized by many as being extremely important, but not everyone gets it yet nor does everyone know best practices for designing URLs.
Make ‘em Short and Sweet
One of the traits of a well designed URL is that they can be grokked with a quick visual scan. They should also be no longer than really necessary because one of the more common link sharing sites (Twitter) shortens long URLs automatically. There are many other traits of a well designed URL, some of which are specific to context but if it’s too long and you can’t understand something about the URL by looking at it something is really wrong. And anything that impedes sharing of links is a foolish addition. So I bitched about this URL on Twitter that a friend of mine sent me in email (let’s call her "Jane Smith" and @BenChestnut asked me to clarify. Here’s the URL:
What’s wrong with this URL?
So what’s really wrong with this URL? Let me count the ways:
This subdomain seems to imply that its specific to the US which I’m lukewarm on having a subdomain in this context it adds unnecessary characters. And what’s with the "1?" Is there a ".us2?" Is this just a server convenience? C’mon guys, hide that crap the user; they don’t want to know.
Okay, so it’s a cool domain, but you really couldn’t you come us with something shorter than 21 characters?!?
Uh, one word: "Why?!?"
Do I really need to say anything about this? I mean, it’s waaaay too long and how does any of this mean anything to anybody? The only thing is does it make the programmer’s life a tad easier to uniquely identify the user but only on the day it was implemented.
Another too long and non-meaningful computer number. The "id=" identifies the URL being forwarded. But does it mean anything?
What would be better?
So here’s a better hypothetical URL with analysis to follow:
The "fwd2.net" domain is owned by a squatter. Why not pay them a few bucks and pick it up? (or get something similar and short?)
Not super short but much like Twitter’s screen name it identifies the links shared by the user who picked the name "janesmith" (i.e it replaces "?u=0fea6c2e08126550f4c318d4b.")
Again not short, but as this would be selected by the user before sharing it would be as short as the user wanted it to be. So the user could have picked just "coyle-fernbank" or "fernbank-oct2" or similar. But what is really important is that it is meaningful!
And another benefit?
With this format you also get this URL:
At that URL you could have all the links "janesmith" shared when she is logged in, and she could set those shared links to be private or public, or later once more functionality is added the links could be made selectively available to different groups of friends.
Further there could be groups of URLs shared such as anything with a trailing slash could be tagged links, i.e. in this case "jazz":
Hopefully you can see a tremendous amount can be done with URL design but sadly there are still too few people who pay attention to it. Maybe that’s because there’s no book of best practices. Hmm, might be an opportunity there…
Still think it is unimportant?
And for you skeptics out there who really think that "users don’t look at URLs" take a look at the apps that are succeeding lately, Twitter being a main one. Most of them are designing their URLs well. Coincidence? I don’t think so.
Thanks for asking
Anyway Ben, thanks for asking. Hoping you see the value in it, make the suggested changes, and find that it’s made a positive difference.
Sep 20th, 2008 | Atlanta, Marketing, Web
Last month on the 21st we had a blowout meeting about Twitter for the Atlanta Web Entrepreneurs meetup group I organize; over 100 people attended!
We started out with an Intro to Twitter which I prepared and delivered. It reminded me of delivering training long ago during my DSW Group, Financial Dynamics, and Expert Education days.
Normally we find others to give all the presentations but given how confused some people where at our Facebook meeting when we started with the assumption they knew about it, I decided it was best for me the Twitter newbie to give the other newbies the introduction and then let the "rock stars" in our lineup really get into the meat of things.
We then launched into a video conference with both Wayne Sutton (@waynesutton on Twitter) and the Triangle Tweetup (@triangletweetup on Twitter) as well as Robert Scoble a.k.a. "Scobelizer" (@Scobelizer on Twitter). Loren Norman (@lorennorman on Twitter) of Snowcap Labs did the honors of organizing the video conference and for that we were very grateful. Knowing what a web celeb that Robert is and the subsequent constant demand on his time, we scheduled Robert to speak for only 5-10 minute but instead he spent over 30 minutes answering audience questions. Kudos!
After the video conference we have the took a break and then moved into a Q&A session with Sanjay Parekh (@sanjay on Twitter), Tessa Horehled (@tessa on Twitter), and Paul Stamatiou (@stammy on Twitter) each gave us their perspectives on why Twitter is so invaluable.
As many people said after the event this was one of their very favorite AWE events yet, and I certainly agree; it was right up there. Thanks to all involved including Wayne and the Triangle Tweetup, Robert, Loren, Sanjay, Tessa, and Paul for making this such a great event.
It really is great to have such nice people who are willing to help their peers all here in our hometown of Atlanta GA.
Visit Flickr to see all photos I took for this event.
P.S. Oh, and I almost forgot! Atlanta Web Entrepreneurs is @atlantaweb on Twitter, and I’m @MikeSchinkel on Twitter. See ya in the Twittersphere!
Aug 15th, 2008 | Atlanta, Marketing, Software, Technology, Web
Just an announcement that we are going to be discussing Why you MUST have a Twitter Strategy at Atlanta Web Entrepreneurs on August 21, 2008.
I’m going to present a short intro/overview to Twitter and then, god willing and the creek don’t rise, we plan to have two (2) video conferences, one from Triangle Tweetup and the other from a soon-to-be-announced Industry luminary with over 25,000 Twitter followers!
After the 8pm break we’ll have a roundtable-less discussion and Q&A led by our featured participants:
Anyone that wants to attend should first be sure to have a Twitter account and to follow atlantaweb. We’ll use that list as a roll call for the meeting and we’ll announce our special guest on the atlantaweb Twitter account by 6pm Wednsday August 20th.
For more details and to RSVP see go here.