A Deep Dive Into Building A 50+ Person WordPress Studio With Mario Peshev


7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

Mario Peshev

Entrepreneurship is living a few years of your life like most people won’t so that you can spend the rest of your life like most people can’t.

horizontal line


At MalCare, we focused on contributing to the WordPress community in many different ways. We strive to be a source of valuable information for WordPress users looking to learn more about web security. However, there are times when we like to zoom out a little bit and discuss topics relating to the WordPress community in general.

Today we had the opportunity to do just that. We recently had the opportunity to chat with

That’s an interesting perspective that happens to challenge my introduction!

A while back, probably during my freelance era, someone told me: “Freelance isn’t all too different from working a day job. You still trade your time for cash. If you’re sick or away, you don’t generate income. A real business generates income even if you’re not actively involved in the day-to-day.

While I don’t “fully” agree with the stance (and trust me, it was a painful realization back then), I did strive to build a business that doesn’t die off if I’m away for a day.

DevriX still requires a lot of my time but I’m able to speak at a conference or visit clients abroad (as I did for a couple of weeks in September) while the team is working in the interim. Robust processes are in place and team leads can take on if I’m not around. This is what I deem important in running a business.

In terms of tips, it varies across different teams, cultures, types of businesses. More importantly, it’s a rough investment that lasts a few years before it truly thrives. A quote I read yesterday is a great example of what a business represents:

Entrepreneurship is living a few years of your life like most people won’t so that you can spend the rest of your life like most people can’t.

It’s a grind. Building a brand takes forever. Generating positive reviews and testimonials isn’t easy. It’s a numbers game at some point, and time helps when credibility piles up.

1. Before we get started, I just want to thank you for taking the time out of your day to chat with our blog readers about your experience in the WordPress space. You’ve been a developer for WordPress since 2005 but have worked as a software engineer and computer support for a few companies before that. Today, you are one of the bigger influencers in the WordPress space. You run DevriX, a company that builds and maintains high-scale WordPress platforms, which consists of a team of 40 plus people. To put it lightly, you do a lot within the WP space! Before we dive in too deep, why don’t you begin by telling us a little bit about your journey so far? What was it about WordPress that caught your attention and didn’t let go?

Hey, thanks for having me!

It’s been a while since I first got to play with WordPress. I built my first site as a kid in 1999, thanks to my commitment to becoming a Pokémon Trainer! (I’m kidding… no, not really.)

My first website was built with HTML. I was studying QBasic at the time, and some Pascal a year later.

While I spent a few years building desktop applications, the company I worked for launched a self-hosted blogging platform which is when I stumbled upon WordPress (and compared a few other solutions along the way). I launched my WordPress blog a year after and got busy playing with template files and layouts.

2008 was when I launched my first client project on top of WordPress with loads of custom development (as the number of plugins was negligible at the time). My first startup was a theme framework, and that’s when we transitioned entirely to WordPress at DevriX.

WordPress really took off when custom post types were officially introduced and the CMS concept was a fact. Especially compared to Joomla and Drupal, and anything outside of the PHP world, WordPress was a definitive winner (as proven by the market share growth for a decade to follow).

2. WordPress is the world’s most popular platform with regards to being a content management system. In fact, research from Kinsta reveals that 34% of all websites on the Internet are being powered by WP. However, you started with the CMS during a time when it wasn’t as big as it is today. During your career what have been some of the biggest changes in WordPress that you’ve witnessed that has propelled it to the position that it’s in today? What made this CMS succeed over others?

One of the early signs of innovation was the template hierarchy.

Any CMS at the time posed constraints in terms of what is possible (design-wise). WordPress clearly took off with the design community since developers were able to craft “pixel-perfect” designs (before the responsive trend). Business owners worked with designers on anything they wanted and WordPress was able to deliver, period.

The 5-minute install helped a lot. The simplified look-and-feel and consistent dashboard experience were awesome. Nowadays, site builders like Wix or Squarespace invest quite a lot in a simplified onboarding experience for back-office users, but nobody thought about user experience back in the day.

Introducing custom post types and taxonomies was a major win for WordPress. When Matt Mullenweg clearly stated that WordPress is an “application framework” and will soon be “the operating system of the web”, this solidified the strength of the community.

And let’s not forget that the WordPress community is just amazing. Along with the event engine (in the form of action and filters), hundreds of thousands of developers launched free plugins or built extensions for users across the world.

3. WordPress is making some pretty big changes as of late to the WordPress core. What are your personal views on these changes?

The introduction of the REST API was important, though I feel we’re so far from mass adoption. The core does not support authorization properly without 3rd party solutions like JWT or some OAuth external extensions. This has been the case for about 4 years now but I really hope it will soon work out-of-the-box even for junior developers willing to build on top of it (including devs working in different industries).

Gutenberg, I’ve got mixed feelings here.

Unifying the infrastructure for all page builders was definitely important. The concept of editing your entire site with blocks is quite innovative (and we’re getting there). The long-term goal of introducing a core multilingual engine didn’t require Gutenberg, but it became a focus since Gutenberg is now a fact for over a year now.

The editing experience needs a lot of work for mass adoption, too, and there are important quirks and blockers (as proven by accessibility reviews) that need immediate attention. If we get through this, we may see a new golden age for WordPress.

4. You have been the CEO of DevriX for almost 8 years now, helping businesses scale their platforms and become more efficient with their workflows. Besides working with high-profile clients for the company, you also mentor your VPs and senior managers – working closely with everyone on board. Does it seem like you take a more hands-on approach than other CEOs would normally take in the development industry? How important has this been to your success?

I often refer to myself as a “learnaholic”. Learning on a daily basis makes me feel alive.

Running a business is a great way to dive deep into anything from tech through marketing to bookkeeping or legal. And I did pivot as a freelancer anyway.

One lesson I learned from the WordPress community is that building a product can be trivial (both quick and easy). What makes a product (or an agency) successful in a crowded space is understanding economics, product management, marketing, business development, customer success, ways to sell internationally and deal with user data (accounting & legal).

Growing DevriX is an incredible experience on its own, but working with other businesses is an enlightening experience. It’s almost like running ten different companies on a monthly basis. I believe that it makes me a better CEO as I’m able to project different outcomes of a business plan. I receive broader access to talent and see how they react in different workplaces. And I get to interact in different dynamics and cultures.

5. You have impressive credentials. 20 years of your life you’ve delved into the world of technology, 12 years in training and management and another 8 in the marketing sector. Did knowledge in these areas help you catapult DevriX to become one of the top 20 WordPress development companies worldwide. What pushed you to branch out to these other sectors? Were all of these steps planned out to bring you to where you are today?

I’d say it was coincidental for the most part. I grew in a small geek community, landing a part-time job in an Internet cafe in 2001 or so. This was the early days of assembling computers, setting up Linux servers and LAN networks, things like that.

Fast-forward a few years, I got a job in a training company. My hit-or-miss experience became organized; I couldn’t teach my students “That’s just how I roll”, but instead teaching core programming concepts or paradigms around object-oriented programming was the right approach. This developed my management skills (thanks to communication and psychology resources and clubs I became a part of) and boosted my career as a result.

And marketing? I was running forums and blogs a long time ago, and even organized events around 2009. Though I hadn’t heard of “content marketing” or “community building” at the time, it’s been an inseparable part of my journey that I happened to “organize” and focus on later on.

In a nutshell, it’s hard to determine whether this path led me to where I am today or I picked it intentionally (without understanding what I’m dealing with). 🙂

6. On your personal website you mention that You guys at MalCare know how complicated security is better than almost anyone out there 🙂

There are thousands of security vectors a large website potentially exposes. Different submission forms, XSS injections, potential SQL injections, uploading content with a malicious MIME type, DDoS attacks, malicious 3rd party scripts, man-in-the-middle attacks, brute force attacks… Where does it ever stop?

Keeping your platform up to date at all times is integral. Relying on a properly managed host that cares about security. Maintaining an adequate password policy. SSL certificates are a must (especially when working from a coffee shop, let alone an airport).

Setting up a reliable WordPress solution that handles common malicious requests or blocks brute force attacks can really help.

7. In one article I’ve read, you mentioned that DevriX follows a unique approach in comparison to other agencies building the “lego” development. You also said that you have an extensive suite of simplified libraries which you use internally for various needs. How effective has this approach been for DevriX in terms of managing projects that grow with time?

Ever since we started, we positioned DevriX in the mid-to-enterprise market. My background is in enterprise engineering and WordPress is a great starter framework for high-scale products and solutions.

I’ve never been pumped by the “race to the bottom” that the vast majority of the freelance/SMB space fights about. Sure, it’s truly great for starting businesses and pet projects. But the only way to stay competitive is learning to set up a $59 premium theme with a bunch of plugins which contradicts our understanding of speed, stability, security (or our 3S Pillars as we call them).

Even though we work with fewer customers, we’re generating insane ROI thanks to following best practices in complex projects where it pays off. And this allows us to focus more on solving business problems at scale, anything from creative through tech to marketing.

8. I like what you said in one of your discussions about WordPress security – mentioning that the platform is very robust and secure in terms of vulnerabilities. You also stated that there are many good ways to keep one’s website protected. Can you share with us some of the best WP site security practices that you personally use and recommend?

Mario Peshev, a fascinating mind, a builder, CEO, speaker and WordPress enthusiast on his journey building DevriX to a team of over 50 people. This is an exciting interview, so let’s jump in.

9. Besides attending WordCamps and WordPress meetups, you also co-organize groups like WordPress Bulgaria Meetup Group, WordCamp Sofia and WordCamp Europe. What were some of the major hurdles that you faced managing these groups? What are the major benefits that these groups provide you personally, and what major benefits do they provide your company?

For starters, not a single customer signed with our thanks to my involvement as a co-organizer of major WordPress events. I know this isn’t the case for freelancers and small agencies building low-cost projects, but it’s a fact for us.

In terms of hiring, we’ve had several people joining due to the fact that we support the community. Not the majority though, since we use a number of different channels.

The main reasons we do support major WordPress events (and often sponsor, present at, etc.) are giving back to the community, staying ahead of the game, helping out in initiatives we care about, growing our team as community contributors as well.

Some of our teammates are really stoked to present and get immediate feedback from other WordPress members. We’ve got 9 Core contributors and developers here appreciate the complexity of building for a platform running 34% of the web. Our marketing team joins the polyglot crew. Support and QA dive deep in support forums. We do help out with theme reviews and maintain free plugins as well.

There are other “perks” of networking within your community. Direct access to vendors or plugin authors may be handy for emergency support or discussing specific partnerships. Brainstorming sessions with other business founders or developers can be enlightening. Think of a mastermind group at scale!

10. There are a lot of WordPress influencers nowadays that people can get inspiration from. You are of course one of them. But is there anyone (or people) in particular whom you admire and you believe is leading WP on the right path?

Given the negative connotation of “influencer” ever since Instagram became an influencer platform, I’m happy to stay off of similar lists when I get a chance 🙂

Many of the incredible people I’ve met in the WordPress world aren’t as active online. One of the reasons why WordCamps are so valuable (the only place to meet with most of them and get to chat). But you can always learn a ton on WordPress business growth from thought leaders like Chris Lema or Troy Dean. You can also learn successful product growth from Syed Balkhi or Carl Hancock. You can learn SEO from Joost De Valk, and professional development from Tom McFarlin or Pippin Williamson. Heather Burns can teach you about legal challenges. Brian Jackson or Siobhan McKeown can teach you about content marketing. You can learn about community building by Remkus de Vries, digital marketing from Kevin Muldoon, branding from Jennifer Bourn… You get the point, so many incredible WordPress heroes are profiling in their own sub-community within WordPress.

11. I’ve watched your video about your predictions on whether web developers and designers are going to be obsolete in the coming years. Let me ask a similar question. What do you think about the future of WordPress in the next 5 to 10 years? Are there any up-and-coming technologies that you believe will affect development on the platform down the road (either negatively or positively)?

Over the next 5 to 10 years, WordPress will keep growing though I suspect we’ll hit a saturation point soon (since 34% is a ton anyway). Probably slow down at 40-45%, staying around that (and under 50% of the web).

Site builders like Wix, Weebly, Squarespace will continue to attract smaller businesses that find WordPress too complex. Automattic will push harder to retain market share, though its focus will (again) be on WordPress.com, both for blogs and eCommerce integrations since they acquired WooCommerce a few years back.

The enterprise market wouldn’t benefit a ton from major initiatives like Gutenberg. This won’t be a major selling point there. The REST API could be to some extent, though we’re seeing businesses both trying to detach the front-end interface. There are some that build back-end applications while retaining WordPress themes as a presentation layer.

So starting businesses will still stick to WordPress for the most part, but not necessarily self-hosted, and many picking other hosted site builders. Small to mid-sized businesses (anything from business sites to magazines to small eCommerce stores to portals) will keep working with WordPress just as much as they do now. Enterprise will use WordPress predominantly for front-facing portals, or multi-site solutions for some of their departments, or intranets, or as a headless application in addition to the rest of their stack. WordPress multisite and the REST API will be the two key selling points for some large corporations.

(And SaaS can absolutely benefit from building atop multisite, I can testify).

12. Most of our readers at MalCare are WordPress enthusiasts who are interested in the security aspect of the platform. Many readers of this blog are proud users of our WordPress security plugin. However, web security is a multi-dimensional beast that requires we look at it from many different angles. What advice would you impart to someone reading this blog who manages the safety of their website but doesn’t yet have a solid plan to minimize risks?

Make regular updates a priority and enforce a strong password policy. Avoid heavy and bloated themes and plugins — they tend to pose the biggest risk for attacks. Don’t save on hosting costs, shared hosts can be penetrated through a staging or an outdated plan hosted on the same plan (or even server).

But in any case, security reviews and scans can be integral to the longevity of your site. The more your traffic grows, the more common brute force and DDoS attacks. Professional security services can proactively detect vulnerabilities and attacks, manage backups, and handle cleanups. They ensure your website doesn’t run malware mining bitcoins or spreading spam from your server. In the long run, it’s worth it!

Thank you greatly for taking the time to chat with our blog readers today Mario. We greatly appreciate the work you put into this interview. I know I speak on behalf of our blog readers when I say “wow”. Your perspective and insights are incredibly valuable. To our blog audience, if you’d like to learn more about Mario and follow his journey building a scaling company you can either follow him on Twitter or visit his website here.


You may also like

How To Prevent Fake Orders on WooCommerce
How To Prevent Fake Orders on WooCommerce

Running an eCommerce store can be challenging on multiple fronts. This is especially true when dealing with the disruptive issue of fake orders. Fraudulent transactions not only skew your sales…

What Are Some Website Security Best Practices?
What Are Some Website Security Best Practices?

Right now, as you read these words, your website could be under attack! Cyber threats don’t sleep. They are relentless, constantly probing and testing your digital defenses, looking for any…

WooCommerce Security Issues: A Complete Guide
WooCommerce Security Issues: A Complete Guide

WooCommerce security is important for every store…even the small ones.  Hackers have evolved to find different ways to exploit different types of websites for their own gain. Thankfully, website security…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.