I decided to share a letter I sent to RSJOOMLA about their RSFirewall! product for Joomla websites.
I tend to send emails like this more often than I actually want to, and I think going forward I'm going to be posting them on ProvenHelper in hopes that I can bring more awareness to consumers of the same products I purchased.
In this case, I had some issues with RSFIREWALL! that most consumers who purchased this product will have, and if you are thinking of purchasing the product, you should really read this letter I sent to their support staff. I'll update this post if I hear anything interesting back.
And now, here's the email:
I believe RSFIREWALL needs to be reworked a little. Here are my honest thoughts about what this software needs.
FORWARD To Management
1. Easier Installation.
To have RSFIREWALL setup to the point that it runs a scan and grades your website at 100%, every consumer has to spend a lot of time researching how to accomplish what your programmers failed to note in the instructions of the software.
Moving temp directories for the typical consumer is not as easy as it is for your programmers to accomplish on their test websites. First consumers have to research online how to do this from third party sites, then we have to sift through all the websites that talk about how unnecessary these steps are for security, until we find a website where someone provided these missing vital instructions.
The installation should be more automated then it is and for the parts that cannot be automated for whatever reason, clear written instructions should be provided within your software. There should be no contemplation on whether complete instructions are needed. Never assume your consumers are programmers! This is a major oversight.
Another thing that should be provided is some type of note that alerts consumers that they will not be able to install certain types of software on their Joomla site anymore, after applying the recommended configuration changes, unless they back track all the changes. Obviously this is a huge inconvenience for your typical consumer. I'm not sure how many people wrote in to alert you of these frustrating problems, but you should know that since this is a subscription based product, your consumers who are already annoyed by these issues, will definitely keep their options open when it comes time for renewal.
2. No Consumer Wants To Shoot Themselves In The Foot Or Get Help From Arrogant Support Staff
I went through the hassle of configuring everything properly to get that 100% grade, and thought that the software was going to trap only legitimate hacking attempts. I'm aware that this can be a complex issue, but it's even more complex for a typical consumer without a programming background, because it's hard to discern what the bits of code from an apparent remote file inclusion really mean.
Up until recently I thought your software was doing a fine job until I found out that its flagging from what appears to be my Adsense Ads, as some type of remote file inclusion. I thought that someone was simply trying to manipulate some type of loophole in Adsense/DoubleClick products to hack into my site, but your support staff informed me that this in fact was a false positive.
How is the typical consumer without a programming background supposed to read these error logs without any type of software assistance (maybe a grading system) or a popup explanation next to the error to guide us into understanding what's being attempted. If your software cannot figure it out, why do you expect your consumers to?
Also, out of the box, this software should work seamlessly with Google Adsense products, since a large portion of websites use this product.
I hope you can use this information to improve your product because it does have a lot of great features, but it lacks refinement in the areas I pointed out.
BTW: It sucks using a support system when the "expert" would rather have us know everything they know, instead of going above and beyond in helping your consumer love your product instead of feeling frustrated that we can't get the damn thing to work properly.
I'm not a programmer, but I am a former IT guy who worked in large data centers for Pfizer, so I understand what it's like helping people in these areas. Maybe a better training system for your staff would greatly improve your sales and customer retention rate in the future. It's sad to work with companies who aim to have great support, but don't provide enough training to accomplish that goal properly.
Your software is better than average and your support is okay, but nothing about this experience has been great. I hope someone at RSJOOMLA really listens and acts on this honest assessment of your product and services, because no one becomes great from knowing it all.
Reply from RSJOOMLA: A little harsh, don't you think?
Alexandru Plapana wrote:
Thank you for your honest thoughts. We really appreciate this as it really helping us improve the overall customer experience with both support and component.
The bottom line is that you are right - the component and support service can (and will be) better. No question about it. It is absurd to think that we have created the perfect security component or that we have the perfect customer support service (or have the perfect clients for that matter).
You should keep in mind that we are here to help you use our components not to provide overall web-related training (we are here to assist, not to do it for you). We are not making assumptions on our customer's knowledge but we can't tackle every web-related aspect or allocate time for training customers. Site management does require a little bit of everything - it is up to you to learn the required skills. Our responsibility is to provide what you payed for - namely a security component and assistance in using it - which we have been doing so far.
I will try to address the pointed issues below:
1. Assuming that an application can provide 100% security is absurd. The grade is designed to provide an estimation on what the user can do to limit potential hacks. Not all security measures are approved by everybody (i am not sure that any idea is approved by everybody). We provide recommendations that we believe in, but you should apply them, of course, according to your needs. Every website has its own requirements - the component, RSFirewall! in this case, should be flexible enough to accommodate as variate requirements as it can. The final result really depends on how the user (!!) sets it up.
From you customer support ticket history, you have reported two issues that are already addressed by the product documentation - scrambled tags and Google blocking. A simple read-through the product's FAQ section would have solved this. Don't get me wrong i still agree that the documentation could be better but for everything that is not covered by the documentation, we do have the complementary (!) customer support service. We simply can't cover all just with documentation. Users are not reading it as it is, couldn't image what would happen if it would be more technical and more consistent.
2. False positives are real and occurring probably in every aspect - it would be ideal not to have this. But just think this through... if we had the perfect security software there wouldn't be hackers to start with.
We can't provide exceptions that will work for everybody. Lets take your example for that matter. Well, there is no exception rule that will work for everybody (this is why it is so important to allow users to configure the component according to your their needs). SEF re-writting is common (it comes down to how your URL looks like), so common that everybody has their own preferring as SEO is not a fixed science.
You don't need programming knowledge to set up RSFirewall!, perhaps a more in-depth reading through the documentation and of course, some general web-related knowledge.
And of course the controversial customer support service. Room for improvement - definitely a big YES, but the question is at what cost. Who would support this cost ? This would finally be reflected within the overall component price. Something to think about.