Lessons Learnt Building a WordPress Cloud App


A few weeks ago I released WP Scanner – a tool for monitoring WordPress load time, performance, and security. In this article I want to share with you my journey over the last few months, along with some of the lessons I’ve learned.

Why was WP Scanner Born?

There are already plenty of tools for monitoring site performance and security plugins for securing your site, so why build WP Scanner? It’s a good question and one I pondered myself for many months before finally knuckling down and building it.

Firstly, the vast majority of performance tools are dated and some of the recommendations are no longer relevant today, especially with HTTP/2 gaining widespread adoption. In addition, they don’t check for WordPress specific nuances, such as object caching, which can have a big effect on performance.

Secondly, security plugins can be process intensive, especially those that perform active monitoring, such as Wordfence. This can have a negative affect on your site’s performance, which is why some hosts disallow such plugins. Offloading security monitoring to a third party service can massively reduce CPU and memory usage locally. The majority of security plugins don’t check things such as security headers either, which shouldn’t be overlooked.

Thirdly, wouldn’t it be great if you could measure your site’s performance and security from a single dashboard, without the need for multiple services? Better still, what if you could monitor every site you manage from the same dashboard?

What is it Built With?

When initially sitting down to design WP Scanner I knew WordPress wouldn’t be a good framework to build upon. It’s great choice for a CMS, but I personally wouldn’t use it for anything more complex than that. One factor in particular that pushed me away from WordPress is that WP Scanner would rely heavily on queues, which WordPress has no native support for. I decided on Laravel, a modern PHP framework.


If you haven’t worked with Laravel before, you should really check it out. The ability to work with a framework built on modern, best practices and write code that’s easily maintainable is a breath of fresh air. It also has a bunch of components built-in such as authentication, caching, queues and task scheduling, to name but a few. This allows you to quickly iterate on your ideas without wasting time reinventing the wheel on standard application code. Laravel is well tested, well documented, and backed by a huge community of developers. It also has Laracasts, which is one of the best learning resources on the web for PHP developers. Learn some simple commands and code tweaks to optimize performance in Laravel with this guide.


One prospect that I wasn’t looking forward to was writing the components that WordPress has built-in, or that can be added using third party plugins. I’m talking specifically about password resets, subscriptions, billing and invoicing. Luckily, Taylor Otwell (the brains behind Laravel and many other awesome projects) released Spark shortly after I started developing WP Scanner. Spark is essentially a Laravel package that provides the boilerplate for Software as a Service (SaaS) apps. All of the aforementioned components are included, in addition to user profiles and a good foundation for quickly building your UI with Vue.js. At $99 it was a no brainer and saved months of development.

WordPress Plugin

For WP Scanner to function, it needs a companion WordPress plugin. The plugin actually serves two purposes. Firstly, it verifies site ownership and prevents users from scanning other sites to discover potential security flaws. Secondly, it acts as an agent and responds to requests from the main app. This allows the heavy lifting to be performed on the WP Scanner servers, thus not negatively affecting your site’s performance.


Let me prefix this section by saying that marketing is completely new to me and is something that I’m learning along the way. What I do know is that marketing is difficult and time-consuming, but it can make or break the success of your product.

Building a Marketing Site

The marketing site is what needs to convert users who stumble across your product into paying customers, so it needs to look professional. Unfortunately, I’m not a designer, so I opted to use a theme builder, which I found on ThemeForest. I’ve been known to criticize ThemeForest in the past, but this was $19 really well spent. After just a couple of hours I had a decent looking landing page which would have taken me days if I’d tried to design the page from scratch. Another option was to hire a designer, but as a completely bootstrapped project I wanted to keep costs to a minimum (more about costs later).

One area of improvement I’ve identified with the WP Scanner homepage is that I’m not communicating why the user needs my product. It’s great to showcase the features, but you need to be explicit and describe why the user needs those features. That’s something I will be working on in the coming weeks.

To Blog or Not to Blog

If done correctly blogging can drive more traffic to your site, which in turn can result in more leads. The Delicious Brains site is a perfect example of this. Traffic has increased 300% since we started blogging last year, but as Brad discussed in a recent Apply Filters episode you need to do something useful with that extra traffic by funnelling it to your products. If you don’t, the time and money you spend marketing is potentially wasted.

I know blogging is something I need to make time for over the coming months, but I’ve decided to take a different approach. Instead of writing semi-regular blog posts I’m going to build a knowledgebase of WordPress performance and security articles. The idea is that each article will correlate to a rule in the scanning tool, which will serve two purposes.

Firstly, it will allow me to direct existing users of the app to the knowledge base, which explains how to improve their scores. For example, clicking the ‘More Info’ link will open the article.


Secondly, I will be able to funnel new users to the app by adding a call to action at the end of each article, something like: “Scan your site for this vulnerability and many more using the WP Scanner app…”. Digital Ocean does this really well.

I’m hoping this will save me a considerable amount of time as I will be documenting the app while at the same time performing content marketing. This will also give me a good foundation for blog posts in the future, for example, a knowledgebase article on page caching can have a blog post comparing the available page caching solutions.

The Power of Social Media

I don’t have many Twitter followers nor do I use Facebook, or any other social media platform. But, over 20% of traffic to WP Scanner was from social media in the first week. Why was that?

We’ve all seen the tweets, “Hey, I’ve just launched this awesome new product, check it out…” Make sure you do it! Although, like me you may only have 200 Twitter followers, your friends may have 10,000+ followers between them. As the saying goes, “It’s not what you know, but who you know.” This proved very true during the launch of WP Scanner. A single tweet can start a chain reaction of retweets. Moral of the story: make friends. Just remember, if they do help you out, make sure you repay the favour when you get the opportunity.

WordPress Specific Marketing

Admittedly I didn’t do a lot in the way of WordPress specific marketing for the initial launch, which in hindsight was probably a bad idea. In fact, if it wasn’t for Iain I wouldn’t have done any. He posted an announcement on ManageWP and contacted Brian Krogsgard of Post Status. Both provided a good source of exposure and initial traffic. Going forward I will make a conscious effort to email as many WordPress news sites as possible when major features are added. It’s a numbers game after all.

If you’re creating a WordPress plugin and you’re in a position to host on the wordpress.org repo, do so! This is now my biggest source of traffic and I receive a steady number of new users per day from the repo alone. Spend some time crafting your plugin’s readme.txt file and play with the wording so that your plugin ranks higher in search results for target keywords (but don’t abuse the system). WP Scanner now ranks sixth for “performance” and second for “scan”.

Lessons Learnt

Here’s what I’ve learnt so far, I’m sure this list will grow with time:

Leverage Third Party Services

Use third party services to your advantage, especially in the early days. Remember, paying $10 a month for a service which can save you hours of development time is worth it. Here are some of the services that I use and their associated costs:

Service Costs (First Month) Costs (Now)
Digital Ocean – Servers $40 / mo $20 / mo
Laravel Forge – Server provisioning $10 / mo $10 / mo
Stripe – Billing, subscriptions and invoicing % of transaction + 30c % of transaction + 30c
Pusher – Realtime notifications Free Free
Bugsnag – Error monitoring and alerts $9 / mo $9 / mo
Campaign Monitor – Transactional emails $9 / mo Cancelled
Ottomatik – SQL and file backups to S3 $10 / mo Cancelled
$78 / mo $39 / mo

After the first month I cancelled both Campaign Monitor and Ottomatik. The reason I did this was that it allowed me to quickly configure backups and transactional emails without delaying the launch of WP Scanner. Once the product was live I then implemented backups to S3 and transactional emails via Mailgun. This helped to reduce monthly running costs.

Don’t Optimize Too Early

It’s a classic mistake. You spend all your time optimising your product, adding layer upon layer of caching and performance enhancements, which usually results in two things:

  1. It pushes the release time back
  2. It increases running costs

I fell into trap number two. I provisioned a server that was massively overpowered, which doubled my monthly running costs. This is something you just can’t afford to do in the early days when your product is making little or no money. A few weeks after the launch I ended up building a completely new server to decrease running costs, because you can’t simply downgrade servers on Digital Ocean. This took valuable time from building new features into the app, however, it did reduce server costs by 50%.

Don’t Burn Out

Take time to recharge. Go for a walk, or to the gym, just spend some time away from the computer. It’s true that you need to keep your foot on the gas, but don’t go flat out. You will likely burn out and start to resent your product. Heck, some of my best ideas and eureka moments have come while being away from WP Scanner.

It’s not just yourself that will start to feel the strain, remember those around you. It’s too easy to push people away in order to steal another few hours on your product. Don’t let relationships fall by the wayside!

What’s Next for WP Scanner?

I have a lot planned for WP Scanner, but there are two areas I’ll be focussing on in the coming months. Firstly, I will be introducing ‘Incidents’, which will actively check your site for specific security events and alert you when they’re triggered. For example, users will receive email notifications when new admin accounts are created, core files are changed, or your site is blacklisted for containing malware.

Secondly, the performance rules need updating for best practices in 2016. This will include checks for HTTP/2, responsive images and many more. A new waterfall view will also be introduced, which will help you to identify any assets that are loading slowly.

Building a cloud app has certainly been an experience, but one that I’ve thoroughly enjoyed. It’s demanding, but there’s nothing more rewarding than seeing someone use your app and continue to come back. Remember, dream big and believe in your product, but don’t get disheartened if it’s not an overnight success. Rome wasn’t built in a day.

Have you launched your own product? What lessons have you learnt?

About the Author

Ashley Rich

Ashley is a PHP and JavaScript developer with a fondness for hosting, server performance and security. Before joining Delicious Brains, Ashley served in the Royal Air Force as an ICT Technician.