4 years of Securing Laravel! 🎂

I almost missed it, but it's time to celebrate 4 years of Securing Laravel!


Greetings, my friends!

I know I promised we'd have the long-awaited In Depth covering Passkeys, but as I was preparing to start working on the article I realised this one will go out on 30th August - the day before Securing Laravel turns 4!! 🎉 So as is tradition, I will be taking the week off from writing a new In Depth or Security Tip, and instead take time to reflect on the past 12 months of Securing Laravel.

It's quite incredible to think that I started this 4 years ago - back then I called it Laravel Security in Depth, and launched on Substack on the 31st August 2021. I've since renamed it to Securing Laravel and moved from Substack to Ghost, but I'm still publishing weekly Security Tips and monthly In Depth articles on my rolling 8 days + 1 hour schedule. Well, mostly...

Before we dive into the details, I want to thank all of you for supporting me over these past 4 years. I love writing these articles each week, and being involved in the Laravel community, and I wouldn't be able to do it without your support. So thank you to everyone who is subscribed, everyone who reads my articles each week, and everyone who follows me on the various social media sites. Your support means the world to me, and I would not be able to do this without you. A special thank you also to my premium subscribers - I will be forever grateful that you appreciate my work enough to support me financially. 🙏

Let's take a look at the past year...

Published Articles

Last week I published Security Tip #120, and In Depth #37 came out at the start of August. It's pretty cool to think just how much I've written and published over the years on here, and I've definitely found my style of writing.

Over the past year specifically, we've had:

As I say every year, these numbers don't add up to a clean year - you'd expect ~39 Tips and ~12 In Depth articles. This is partly due to my release schedule being 8 days + 1 hour, as opposed to a fixed weekly release time.

However, this past year I have missed a couple of weeks... 😔

We covered a lot of different topics with our security tips. Starting with Hashing, Signed URLs, presets in Pest and PHPStan, XSS, Passwords, Crypto, SVGs, debug output, Authentication, and ending in a series on MFA to go along with the In Depth articles.

With the In Depths, we finished the series on Pentesting Laravel, reviewed my Security Audit Top 10, and then started an epic series on Authentication and MFA. This series included a 2 part deep dive into Laravel's new Starter Kits (pt1, pt2). And spoiler alert: I was not impressed. 😒

In addition to these, I also sent out two Laravel Security Notices. The first back in November, advising of a High Severity issue: Laravel Environment Manipulation via Query String, and then another one in July for a Critical Severity issue in Livewire: Remote Code Execution Vulnerability. Apart from one person on social media who somehow missed the point of these notices, I was encouraged to hear from folks who appreciated these notices and I will definitely continue doing them in the future.

Something I want to work on in the future is a "Getting Started with Laravel Security" series, which covers the basics - either by pointing to existing articles or introducing new articles. This would then form a good starting point for new subscribers, and community members who want to learn more about security.

Subscribers

As of right now, there are 4,017 total subscribers (free & paid), and 183 premium subscribers. In addition, Fathom Analytics reports around 5k unique visitors to the website every month.

If I'm honest, these numbers aren't where I was hoping they'd be. Last year saw 3,858 total and 162 premium, so the increases are pretty small. In fact, there were a few months where the number hovered just under 4,000. I celebrated hitting it, and then it dropped, bounced, dropped, bounced, over a number of months. This was pretty disheartening to see.

Thinking about these numbers and the past year, I can see a few reasons:

  1. Moving from Substack to Ghost.
    Substack has a powerful subscriber discovery pipeline, which allows you to easily grow subscribers - and it's quite pushy about getting folks to subscribe before reading free content.
    Ghost on the other hand has no discovery pipeline and is subtle about prompting subscribers to sign up, so I suspect a number of potential subscribers just read the articles when linked without signing up.
  2. I haven't done as much promotion as I should have.
    Marketing and promotion doesn't come naturally to me, and for reasons I'll get into a bit later, I simply haven't had the time or energy to do much of it this year. The result being fewer folks have been prompted to subscribe.
  3. Content is moving to video!
    So much of the new content being released now within the community is in video format, especially short videos. Securing Laravel is the total opposite - long-winded written articles... So maybe I'm just not producing content that a lot of the community is looking for? I personally don't learn from videos, I like to read at my own pace, and refer to code and examples in text, so this format is important to me and I'm keeping it like this.
  4. Everyone has less money to spend on "another subscription".
    I've had a number of long-time subscribers cancel for financial reasons - they simply cannot afford it. I totally get it, money is tight at the moment and employers just aren't providing the kind of learning budgets that support subscriptions like Securing Laravel, and folks who pay for it themselves aren't getting enough work to justify the cost. It sucks for me, as this is how I make a living too, but I totally get it.

These are all things I need to reflect on, and figure out the best way forward. I don't want to change the format, and I'll still keep writing my articles for as long as I have subscribers (no matter how few), but I would like to grow Securing Laravel. Both in terms of total subscriber numbers and web traffic, but also grow premium subscriber numbers. Currently premium subscriptions only just cover the time I spend writing articles, but I would love to grow the numbers so I can do more research within the community.

Reflections on a year with Ghost

As I mentioned at the top, Securing Laravel moved over to Ghost in May 2024, so we've been here for over 12 months, and I definitely have some thoughts:

Pros

  • The writing experience is really nice. I easily moved on from missing Footnotes, and have been enjoying writing in Ghost.
  • The various callouts and blocks make for nice contextual separators, and I really appreciate the TK reminders so I don't leave placeholders lying around.
  • The support team are incredibly responsive to questions.
  • The site design is nice and clean, and the recently released Analytics offers useful information about posts.
  • The ActivityPub integration is pretty cool - you can find me on Mastodon, Threads, etc, as @stephen@securinglaravel.com.

Cons

  • Ghost is blogging software with paid mailing lists on the side. So it's lacking basic features like Welcome Emails, payment reminders, prompts to subscribe, etc. I noticed a significant drop in new subscribers after moving.
  • Ghost's discounts are either Monthly or Yearly, which means I need to make a custom landing page to offer both. I also can't open discounts to all new subscribers.
  • The search feature only matches tags or titles, and not content. Which is incredibly frustrating for finding specific things within my articles.
  • Paid subscriber management is incredibly basic and limiting.

Overall, Ghost is great as a writing and blogging platform, but it has some major limitations for paid mailing lists. I don't regret moving off Substack, but I didn't realise how big some of the limitations would be.

Analytics

Let's take a look at the last year on Fathom:

Analytics for the last 12 months.

Interestingly the amount of traffic was higher around the end of last year and has dropped off a bit this year. This isn't totally unexpected, given I've had less time to promote things this year.

It's rather significant the Livewire RCE is the most popular article - it was a big issue when it was announced, as you'd expect from a critical vulnerability. /?action=unsubscribe is still on the list too, despite the lack of unsubscribes to back it up - I still suspect email client auto-clickers for that.

It's nice to see Laravel News sitting so high on the Referrers list, beating out Twitter. LinkedIn also has a good showing. Oh and Freek deserves a shoutout for driving traffic this way too!

Countries are interesting to look at - the USA is expectedly at the top, followed by the UK, but it's cool to see the Netherlands and Germany so high up too, pushing Australia down below India.

Top 10 Countries for the last 12 months.

This Past Year...

(Skip this section if you'd like to avoid my brutal honesty...)

As I've alluded to a number of times, a number of things didn't work this year...

Those paying attention to my schedule will have noticed that I missed a couple of weeks around New Years, and published articles really late many times since then. I was disappointed in myself for missing these weeks, but I also knew I could not have published at the quality level I would have been happy with.

I also never set up that Birthday Challenge I talked about last year - and you'll note I haven't even tried to do it this year.

I launched Sponsorships for Securing Laravel back in May and there has been zero interest. I was chatting to someone in the community before launching it who was interested, but after launch, nothing... Granted, I didn't promote it very hard, but the complete lack of interest from the community suggests it's not worth doing.

I could put this down to me not promoting it, but I'd rather spend the time writing quality content than chasing sponsors. I don't know how it works for other mailing lists, and things like Podcasts, but it felt very disappointing.

Combine these with the lack of growth of subscriber numbers, and it has overall been a hard year with Securing Laravel, but I think all of that is more a symptom than anything.

Behind all of this is the fact that I've had a couple of brutal years personally. I won't go into details, but it basically ticks all the boxes: physical health issues, mental health issues, stress, burnout, kids having trouble with school, neurospicy kids, deaths in the family, significant family changes, financial stress, my own neurospicy suffering under stress, etc... in short: it's been brutal.

Ultimately, it all comes down to me not having the time or mental space to properly promote and market my things, and thus the growth isn't there. Not much I can do about it until I deal with the personal stuff that is going on. I am working on that stuff, but it's going to take time.

Looking Ahead

Good question? 🤔

I will continue to write my weekly Security Tips and monthly In Depth articles, but beyond that, I'm not sure.

I think I will retire the Sponsorships, it's not working as-is, and it never felt quite right anyway. So I will most likely disable that on the site very soon. I'll leave it up in case someone sees this and realises it's perfect for their business, but that's probably just wishful thinking on my part!

I talked about adding a Community Links section to the Tips last year, and I've still got that idea bouncing around. Likewise, I am considering adding a "Recent PHP Vulnerabilities" list, so you can be kept aware of any vulnerabilities in packages you might be using.

I would like to take a more active role in reviewing and making PRs for the core Laravel framework and tooling. Such as I did with the 2FA PR that was unceremoniously closed. 😒 I am concerned with the speed at which Laravel is moving and the lack of security focus... although all of this requires more time, of which I am currently lacking.

Also, as I said above, I need to spend some time organising articles and providing a few learning paths for new subscribers. There is a lot of content there now, so it's hard to know where to start - especially if you're new to Laravel. There is a lot of potential here, I just need to take advantage of it.

I think that's about it.

Sorry that wasn't a more positive or encouraging post. I wasn't sure if I should even send this out, but I feel it's important to reflect on these things honestly, and there'd be no point if I sugar coated everything.

Before we finish up, I want to once again thank all of you. If you've made it this far, you obviously care a lot about Securing Laravel and/or my security work. So thank you so much for being there and supporting my work. It means the world to me that over 4,000 people subscribe to my emails and like my work. Thank you so much for being a part of that. 🥰

As I've done in previous years, can I please ask you to do two things:

  1. Leave a comment or send me an email, answering:
    1. What you love about Securing Laravel.
    2. What you think can be improved about Securing Laravel.
  2. Please share a recent article with at least one person.
    Maybe forward an email to a colleague with a useful security tip that might be relevant to them, or post it up on your social media of choice?

Thank you,
Stephen