Using WordPress to Make a Secure Twitter for Business

**Update 9/16.  I’ve fixed the one unprotected feed security issue mentioned below in Step 5.  Please see the Micro Blog Security Fix after reading this post, before attempting to build a similar system.**

We’re growing fast right now, very fast.  It’s exciting stuff.  In 2007 we spent the majority of our time assimilating as a team, determining which projects could drive the most revenue, and looking for a warehouse.  We had a very good year, but 2008 has been a whole new story.  Everyone knows what to do and all four of us have just been executing all day long.  The result has been a 2-3 times growth in revenue every single month this year so far – pretty impressive in my opinion considering we have no employees and didn’t take any outside funding.

However we have had an increasing communication problem. Everyone was accomplishing stuff so fast that the remaining three partners had a hard time keeping up on everyone else’s progress.  Minor things would slip through the cracks because of a lack of communication.  We only have one day where we are all in the warehouse (Monday) so we only have one full team meeting per week.  The rest of the time we’re on our own.  It was becoming clear that weekly updates weren’t quick enough.

For example, we started a big sale on Detailed Image during a 1 hour down time for our credit card processing service.  George and Mike were running the sale, Greg and I were the ones aware of the downtime posting.  Consequently, I posted a message on the site that our credit card processing was down just as the sale was going off.  Not a huge deal – the sale ended up being a success – but it highlighted an increasing communication problem that was coming from the fact that everyone was just accomplishing so much every day and didn’t have an effective way to communicate what they did to everyone else.

We needed a way to quickly communicate simple things such as “we’re out of Flex Buffers” or “a shipment of Chin Up Bars came in today” or “I made a minor fix to the shipping system”.  Instantly I thought of the micro-blogging phenomenon Twitter, which allows you to post mini blog posts of 140 characters or less from your phone, the web, or a slew of other places and then others can read them on your twitter page, get updates on their phone, or subscribe to your RSS feed.

Unfortunately there are two problems I saw right away with Twitter:  it isn’t secure and it doesn’t allow multiple people to post to a singular feed.  When I checked the list of API apps I couldn’t find one that solved those two issues.  I ultimately decided against it because of the fact that our confidential company information would be stored in their database and we just can’t have that.  I wanted more control, but I didn’t want to build something from scratch.  A solution needed to be something I could throw together in hours, not days or weeks.

When we met about it we talked about our other options:  Skype or email.   Skype doesn’t work because it interrupts you. A response is expected when you receive an instant message.  I don’t need to be interrupted with a message from George telling me we’re out of a product.  I just need to know within the next day or so in case I’m interacting with a customer or processing an order with that product.  Skype also relies on all of us being on our computers all day long to receive messages, which we’re not.  So we turned to email.  It worked OK for a couple of weeks, but my biggest problem is that most of us only check our email 1-2 times per day.  I don’t want to open my email every time I want to notify them of something I accomplished.  I also don’t want all of us clogging inboxes up with these updates.  On a basic level, email messages should be items you need to take action on, and these updates are updates that do not need a reply.

Our Solution

Then I had an idea:  customize a version of WordPress to make a micro-blogging system to meet our needs.  In addition to the multi-user and security issues, I needed to create something that integrated into everyone’s existing routine.  If the solution required a new application to be open or a new web page to visit, it wouldn’t work.  The only thing that really fit the criteria is our Google Apps page that we all have set as our default home page on our browser for our shared task lists, wiki, documents, and email.

Here are some pictures of the completed product.  The Google Apps page:

Micro Blog Google Apps Page

The login page that displays when trying to access the blog:

Micro Blog Login

The blog home page:

Micro Blog

Step By Step Instructions

These instructions assume you have a domain, hosting, and a working knowledge of WordPress and development with PHP/MySQL.

  1. Install WordPress on your domain, making sure to uncheck the box that says “I would like my blog to appear in search engines like Google and Technorati”. This ensures that WordPress doesn’t ping search engines and blog directories with updates of your latest posts.  Even though we will password protect everything, we need to make sure that none of the blog gets indexed, including the RSS feed that WordPress produces.
  2. Install and customize a simple WordPress theme. My choice was uTheme.  The idea here being to have something simple and easy that people can use to read the updates, post a new update, and access the secure RSS feed.  Everything else in my opinion is a waste.  I went in to the template files and removed code for comments, categories, and other miscellaneous stuff on the sidebar.  Our posts only include the title, the body, and the date posted.  Our sidebar only has a search box, a link to post, a link to the secure RSS feed, and the archives.  For the link to post, I linked directly to the wp-post.php page so that logged in users are only a click away from posting.  In addition, WordPress returns you to the last viewed page after a post, so if you come from the home page of your blog you’ll be returned to the home page after a post, minimizing the clicks your users need to write a post.  I also changed some of the colors in the CSS to match our company colors.
  3. Create user accounts for all potential users and modify WordPress to display who posted in the title.   I created accounts for all four of us with our first name as the name on the account.  I then called the <?php the_author(); ?> function to display the author of each post everywhere the title is displayed (home page, permalink page, and feed).  This way I can make a post and my partners can instantly know that I wrote it.  For example, if I wrote a quick post entitled “Inventory updated” WordPress would display it as “Adam:  Inventory updated”.
  4. Install the WordPress Password Plugin. This password protects each page of the blog, preventing unwanted visitors or spiders from viewing the site.  In the configuration file you can set your password and can identify specific pages to not be password protected.  You should disable the password protection for the RSS feed (we’ll password protect this in a different way).   I also customized the login.php page of the plugin to look a bit better aesthetically.
  5. Use FeedBurner to create a password protected feed. “Burn” your unprotected feed and go to Publicize -> Password Protector to password protect the feed.  Use this feed for everything related to your blog.  DO NOT give anyone the URL to the original unprotected WordPress feed.  That is not password protected and is most definitely the weak point of this system.  I’d also advise against putting the URL of this blog in your robots.txt file – it isn’t going to be indexed if you follow these steps, but by putting it in there hackers could potentially find the location of your feed.
  6. Use FreeMyFeed to securely pull your feed. Most (almost all) feed readers do not support password protected feeds like the one we just created.  Enter FreeMyFeed.  They provide you a unique URL for your feed.  As long as you don’t give this URL away, you should be safe to use this feed in any manner that you use a normal feed.  According to their site: “Usernames, passwords, feed URLs and feeds are never stored on the server. Usernames, passwords and feed URLs are only parsed from the alternate URL to retrieve your RSS feed on the fly from the original source and then are discarded.”
  7. Install the CustomRSS Google Gadget. This ties it all together for us.   Use the feed from Step 5 to securely pull the headlines from your micro blog.  You can click on a link and the gadget will drop down and display the full post, meaning you do not need to leave the Google Apps page unless you want to post.  I customized the gadged by linking the “Pure Adapt Micro Blog” title to our micro blog home page and then modified the aesthetics to match our colors.

Other optional enhancements – I developed this for our needs, but there’s a lot more that can be done.  You can post via email to WordPress.  Since you can send email from a mobile phone, you could post from your phone.  You can also display the RSS feed in your feed reader or Vista desktop RSS widget (I do both).  WordPress plugins like the SMS Text Message plugin could be configured with a few hours of work to send text message updates to all users after every post.  I’m sure there’s more that I haven’t thought of – the possibilities are really endless.

Now I feel like we have a communication system for everything.  We still use meetings, phone, email and Skype, but the void left by those is now filled.  A few weeks in we’re all loving it.  Problem solved!

21 comments on Using WordPress to Make a Secure Twitter for Business

  1. nethy says:

    Hi Adam,

    You’re already using Google Sites as a sort of Intranet right? Why not just use the ‘announcements’ to do this?

    What do you get from the seperate blog?

  2. Adam McFarland says:

    Well, the first reason is because I didn’t know there was an announcements feature 🙂 I looked around a little bit and still couldn’t find it…do you have a link? I’d be curious if it had all of the features mentioned above…

    Beyond that though, I like the fact that this data is in our database and we can do whatever we want with it. I can see this platform evolving quite a bit so that eventually it is fully integrated with our mobile phones (SMS & mobile email like I mentioned above). I could also see us giving limited access to employees. And there’s probably a lot of other ways it could evolve too. For the few hours of work it is nice to now “own” the platform and be able to tinker with it and add/remove features as we please.

  3. nethy says:

    Hey Adam.
    here’s an example site with all the features (i think)
    http://sites.google.com/a/organic-city.com/intranet/Home

    I just created a site in about 2 minutes while chatting to someone about something else. It has announcements.
    Google Sites have done a real good job with this. I actually think this could make a real good Intranet type thing.
    http://sites.google.com/site/testsitexx.

    You create a new page. Make it an ‘announcements’ page. then you can insert an announcements gadget on other pages.

    I don’t think it does rss. But from what i gathered you’re just using the feed to stick the posts on your current company homepage and it does that without it.

    Not sure about limited access. But I’ve just been very impressed by Google sites (Now I just need a use for it). If they actually intend to be a basic Intranet for SMEs that you can put together in ten minutes, they’ll need to add that.

  4. Adam McFarland says:

    Very cool. I see what you’re saying now: Google Sites is different from the company Google Personalized Start Page. We use Google Sites like a Wiki, but we’d still need to find a way to pull those headlines back to our company start page that links to our email, docs, task list, etc.

    Don’t get me wrong – this would have met our basic needs and after seeing it I probably wouldn’t have built the system I built.

    Although now that we’ve got the system live I’d rather use what we have because of all of the flexibility and scalability…

    Certainly good to know for anyone who reads this that there is an alternative option.

    Great feedback as always Nethy 🙂

  5. I love this idea but the one unprotected feed is really a killer for using this system for anything important. What’s the point of using feedburner for this system anyway? Normally, the only reason I use feedburner is for stats and to provide readers a way to subscribe via e-mail, but if you’re using this internally why not just use the wordpress supplied RSS feed while password protecting the whole site?

    Also, check out prolouge, which is basically a twitter style wordpress theme (made by the wordpress people no less).

  6. Adam McFarland says:

    Adam –

    Thanks for the comment. Feedburner’s password protection was basically the best way that I could password protect the feed so that it was readable by FreeMyFeed (and could thus be un-encrypted for normal feed readers). When you password protect the feed using the plugin I installed (or manually at the server level) I was unable to properly get FreeMyFeed to show the feed.

    I’m sure it’s possible, but it wasn’t that important to me/us for the stuff we’re using it for. Down the road I may build a more secure, more sophisticated system from scratch.

    Also – the only reason I even messed with the feeds was because I knew my partners would never visit the site directly and I needed a quick way to get it on their Google start page. If that wasn’t the case I would totally disable the feed and just leave the site itself password protected.

    Btw Prolouge is very cool.

    Thanks for reading.

    Adam

  7. […] since I wrote the post a few weeks back about our internal micro blogging system (see Using WordPress to Make a Secure Twitter for Business) I’ve been bothered by the fact that it isn’t really as secure as it should be.  […]

  8. Grazyna says:

    Interestingly, even for accountants :)))))

  9. […] Blog – to avoid said constant interruptions that instant messaging can pose, we created an internal micro blog that enables us to post status updates for the others to read.  The posts display on our Google […]

  10. Dale says:

    Way cool… I always wondered why they don’t do this at work.

  11. amenodimeno says:

    That’s good man, keep it going.

  12. Daniel Craig says:

    Hey, I was looking around for a while searching for email security service and I happened upon this site and your post regarding WordPress to Make a Secure Twitter for Business | Adam McFarland, I will definitely this to my email security service bookmarks!

  13. KJ says:

    hello,

    i need help im finding it difficult implementing your solution. is there a detailed guide on how to accomplish this task?

    thank you and great work.

    Regards
    KJ

  14. Rob says:

    Now we’ve got a 3 person team together for an exciting new project I’ve just, literally just got round to setting up a system like this. P2 seems like the perfect theme for it & I’m confident that with the server level folder passwording it should be secure. Do you still use your system much? Any more improvements or things that might be worth noting?

    • Rob says:

      oh yeah, and of course a massive THANK YOU for writing such a well thought out and helpful post.

      • Adam McFarland says:

        Glad to hear you’re giving it a shot! I would definitely use P2 if I was going to do it again. Or maybe potentially look in to Yammer.

        Unfortunately we retired ours in late 2010. Everyone didn’t buy in to it, so not everyone checked it regularly, and we ended up having a few instances where someone not reading it (when others assumed they had) caused an issue.

        Since then we’ve switched over to using email for these types of messages. It does make the inbox a bit more messy, but at least you know everyone is checking it actively. And most of those emails are quick-hitters so they don’t really slow you down too much when clearing your inbox.

        We also use Skype for group chat, but try to keep it to a minimum due to the interruptive nature.

        I still think these systems have a place, especially in groups where there’s remote workers. It’s probably not something that we’ll try again, but if I were starting a new company I might give it a shot again if it seemed like it would be beneficial.

        • Rob says:

          Yeah, I discovered Yammer about 24 seconds after putting the finishing touches to this..damnit. Ah well, we’ll give it a whirl. Only took about 1.5 hours.

          Sorry to hear it didn’t work out for you – why do you think people didn’t buy in?

          Do you still use your internal wiki? If so, is that just a google apps doc?

          • Adam McFarland says:

            Awesome keep me posted on how it goes!

            For us , I think people just never saw it as important, for whatever reason. I made the majority of the posts, half of which it seemed no one read.

            We do still use our wiki’s quite a bit. We use Google Sites in our Google Apps accounts, which is their version of wiki software. We have several ones – one for owners, one for customer service, one for everyone at the company, and soon one for accounting. It’s super easy to control who has access to what. We’ve done a good job of making sure that every important business process is documented on our wiki’s.

            Funny how some things stick and others don’t 🙂

  15. […] our work done and then communicate that back to the team, either the following Monday or using our internal micro blog. We’d ask questions via Skype IM, with the occasional phone call or in-person […]

Leave a Reply

Your email address will not be published. Required fields are marked *

Commenting Rules

I'm honored that you found this post interesting enough to leave a comment. Before posting, I have a few ground rules:

  • Please keep your comments as relevant to the post as possible.
  • No personal attacks or any other nastiness.
  • Your first comment is subject to my approval.

Thanks!