Meeting Notes: June 16, 2017


Agenda

  • EUS WordPress Web Hosting – Kyle Kurr
  • WordPress Performance & Security – Clint Anderson
  • WordPress Workflow – Tabby Chapman

Attendees

  • Sylvia Bass
  • Tabby Chapman
  • Kyle Kurr
  • Clint Anderson
  • Patty Furukawa
  • Amalia Herrmann
  • Albert Chi
  • John Romine
  • Dan Melzer
  • Eva Maida
  • Srilatha Adurthi

EUS WordPress Web Hosting – Kyle Kurr

Where we are today

Currently we are running shared web hosts or virtual hosting. We have little to no redundancy and have to do manual restores when needed. The locations include on-campus hosting and cloud hosting through Amazon Web Services (AWS).

We have over 100 URLs in one single AWS. We realize the weakness of this approach and are planning for the future.

We have started implementing more security processes to block bad traffic. This has been an issue with some WordPress instances on campus. We are blocking the bad actors before they get to your sites.

Where we are going

We are working towards making this a more robust service. Currently we support generic technologies like PHP, Apache, etc. We want to provide WordPress as a better service. This includes improvements in AWS, more system redundancy, better load handling, more security on the front end including IDS and firewalls. We also plan to put sites into containers for better isolation.

We are looking at implementing AWS auto scaling to handle peak traffic. We are also looking at containers to isolate sites so that they do not affect others. We are looking at implementing newer releases of PHP. Our current method is slow for upgrades. We would have to manually update PHP. We are paying for AWS support so we are looking at the Amazon Machine Image (AMI) which has a faster development cycle.

Questions

Plugins & Themes

Patty had some questions on plugins and maintenance. She has faculty who want their own installations and want to install a variety of plugins and themes. She wants to know if OIT provides a list of safe and banned plugins she can share. She also wanted to know if OIT provides support to help troubleshoot problems with themes and plugins. Kyle said that he doesn’t have the staff bandwidth to provide that level of support at this time. However, he did think having a list of banned plugins was a good idea. Tabby shared that some WordPress hosting providers like WPEngine and GoDaddy WordPress do have such lists and thought that might be a good place to start. She did note that some caching and security plugins show up on these lists because the services already provide caching and security protections.

Why are people using self-hosted sites?

We also discussed why people want self-hosted sites. Generally, it is because they want/need custom themes and plugins. What is offered on Sites.uci.edu is too limited for their needs. They want to be able to install things like event plugins, registration plugins, etc. to extend what the site can do. These are too resource heavy for a shared environment. Patty also mentioned wanting to use SSL sites. This started a discussion on the benefits and complexity of using SSL. We use domain mapping on sites.uci.edu and faculty.sites.uci.edu to allow people to use their own domains. We currently have 60 custom domains on sites.uci.edu and 30 on faculty websites. Using SSL with domain mapping makes this more complex as we would need to get certificates for each mapped domain. We agreed that this would be best to discuss in more depth at a later date.

WordPress Performance and Security – Clint Anderson

Clint talked about the steps he is taking to increase WordPress performance. This included blacklisting aggressive robots that take up too many resources. He also recommends limiting the number of plugins installed. Ideally he would have none; however, he does recommend using a caching plugin.

He had some advice on checking a site for malware. If you have shell access you can search for the ‘eval’ function in PHP. He says you can learn to spot malware variables. If you need help with this, you can ask Clint. He said that he has found that malware repeats, sometimes across hundreds of pages. If you have shell access, you can also look for PHP code in uploads. He likes to use WP-CLI to verify the sites. He can check 40 servers at a time. He uses it to compare checksums and find files that do not match what is in the repositories.
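The checks above, as an added shell example (not part of the meeting notes and not OIT's or Clint's own tooling): PHP files under uploads, eval() next to a decoder, identical injected files repeated across the tree, and WP-CLI checksum verification. It assumes a POSIX shell with find/grep/awk/cksum, WP-CLI installed as `wp` for the checksum step, and a site root passed as the first argument; the sample site tree built by make_sample_site is constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example, not part of the meeting notes or OIT's tooling.
# Assumptions: POSIX sh with find/grep/awk/cksum; WP-CLI installed as `wp`
# (only needed by verify_checksums); the tree from make_sample_site is constructed.

# 1. WordPress never writes executable code under wp-content/uploads, so any
#    PHP file there deserves a look.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null
}

# 2. eval() next to a decoder (base64_decode, gzinflate, str_rot13) is the
#    classic shape of injected code. Prints file:line:text for manual review.
find_eval_patterns() {
    grep -rnE --include='*.php' \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' \
        "$1" 2>/dev/null
}

# 3. Injected code is usually copied verbatim into many files; group identical
#    PHP files by checksum so the repeats can be reviewed and cleaned together.
find_repeated_php() {
    find "$1" -type f -name '*.php' -exec cksum {} + 2>/dev/null \
        | awk '{ n[$1]++; files[$1] = files[$1] " " $3 }
               END { for (k in n) if (n[k] > 1) print n[k] " copies:" files[k] }'
}

# 4. Compare core and plugin files against the wordpress.org checksums
#    (needs network access; returns 2 when WP-CLI is not installed).
verify_checksums() {
    command -v wp >/dev/null 2>&1 || { echo "wp not found, skipping" >&2; return 2; }
    wp core verify-checksums --path="$1" &&
    wp plugin verify-checksums --all --path="$1"
}

# Constructed sample tree: one clean plugin file, one injected file under
# uploads, a verbatim copy of it inside a plugin directory, and a real image.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads/2017/06" "$dir/wp-content/plugins/hello"
    printf '<?php\necho "hello";\n' > "$dir/wp-content/plugins/hello/hello.php"
    printf '<?php\neval(base64_decode("ZWNobyAxOw=="));\n' \
        > "$dir/wp-content/uploads/2017/06/image.php"
    cp "$dir/wp-content/uploads/2017/06/image.php" "$dir/wp-content/plugins/hello/cache.php"
    printf 'GIF89a\n' > "$dir/wp-content/uploads/2017/06/real.gif"
    echo "$dir"
}

# Usage: sh wp-triage.sh /var/www/example   (assumed path)
if [ "$#" -ge 1 ]; then
    site="$1"
    echo "== PHP files under uploads";  find_php_in_uploads "$site"
    echo "== eval()/decoder patterns";  find_eval_patterns "$site"
    echo "== repeated PHP files";       find_repeated_php "$site"
    echo "== checksum verification";    verify_checksums "$site"
fi
```

The first three checks are offline and safe to run repeatedly; the eval() search is a starting point for review, not a verdict, since legitimate plugins occasionally use base64_decode. The checksum step is the one that actually proves a core or plugin file was altered.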

He also likes to block XML-RPC. He said disabling pingbacks and trackbacks has been helpful as it has been a vector of attack. He has noticed a large decrease in traffic by doing so.
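To quantify the traffic drop Clint mentions and to apply the block, here is an added shell example (not from the meeting notes or OIT's configuration). It counts xmlrpc.php requests in an Apache combined-format access log, lists the busiest XML-RPC clients, and appends an Apache 2.4 deny rule for the endpoint once only. The log lines, client addresses (RFC 5737 test networks) and file paths are constructed.

```shell
#!/bin/sh
# Added example, not part of the meeting notes.
# Assumptions: Apache 2.4 (Require syntax); combined-format access log;
# the log lines below are constructed with RFC 5737 test addresses.

# Requests hitting xmlrpc.php versus all requests, printed as "hits total".
count_xmlrpc_hits() {
    awk '$7 ~ /^\/xmlrpc\.php/ { x++ } END { print x + 0, NR }' "$1"
}

# Clients by xmlrpc.php request count, busiest first: candidates to rate-limit or block.
top_xmlrpc_clients() {
    awk '$7 ~ /^\/xmlrpc\.php/ { c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Append a deny rule for xmlrpc.php to an .htaccess (or vhost) file, once only.
# Caveat: clients that rely on XML-RPC (the WordPress mobile apps, Jetpack) stop working.
add_xmlrpc_block() {
    htaccess="$1"
    if grep -q 'xmlrpc\.php' "$htaccess" 2>/dev/null; then
        return 0      # rule already present
    fi
    cat >> "$htaccess" <<'EOF'
# Block the XML-RPC endpoint (pingback/trackback abuse, login brute force via multicall)
<Files "xmlrpc.php">
    Require all denied
</Files>
EOF
}

# Constructed sample log: five requests, three of them to xmlrpc.php.
make_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
203.0.113.5 - - [16/Jun/2017:10:00:01 -0700] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jun/2017:10:00:02 -0700] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2017:10:00:03 -0700] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Jun/2017:10:00:04 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Jun/2017:10:00:05 -0700] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
EOF
    echo "$log"
}

# Usage: sh xmlrpc-audit.sh /var/log/apache2/access.log   (assumed path)
if [ "$#" -ge 1 ]; then
    echo "== xmlrpc.php hits / total requests"; count_xmlrpc_hits "$1"
    echo "== busiest XML-RPC clients";          top_xmlrpc_clients "$1"
fi
```

Run the two counting functions before and after adding the rule to see the change in request volume; after the block, xmlrpc.php hits should appear in the log with status 403 instead of 200.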

He does like the Sucuri plugin for security monitoring. Tabby concurred and said she knows the developers and they are passionate about their work. Clint also recommends not using “admin” as a user account as this is a common way of trying to gain access to the site.

Workflow – Tabby Chapman

Tabby talked about giving users access and making sure to use the appropriate level. Only give the user what they need. She said she’s supported far too many sites where everyone is given the admin role when much less was needed.

She went over the default roles including:

  • administrator – has full access to the site
  • editor – can edit any content but cannot add users, change themes, add themes or plugins, change menus, etc.
  • author – can write, publish and edit own content, but not others’ content
  • contributor – can write and edit own content, but not publish
  • subscriber – can read and comment. She suggested turning off registration, which is usually the way subscribers get created. There is little value in the role, and it can be an attack vector. Registration is off by default.

There are plugins that allow you to create new roles or modify existing ones if the default capabilities do not meet your needs.
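A least-privilege audit for the roles above, as an added shell example (not part of the meeting notes or OIT's tooling). It reads the CSV that `wp user list --fields=user_login,roles --format=csv` produces, reports administrators who are not on an allow list, emits (but does not run) the `wp user set-role` commands that would demote them to editor, and flags the “admin” login Clint warned about. The allow list, user logins and site path are assumed or constructed; it assumes one role per user, which is the WordPress default.

```shell
#!/bin/sh
# Added example, not part of the meeting notes.
# Input: CSV from `wp user list --fields=user_login,roles --format=csv`
# (assumes one role per user). Allow list, logins and paths are assumed/constructed.

ALLOWED_ADMINS="alice bob"   # assumed: the people who actually administer the site

# Print "login role" for every administrator not on the allow list.
unexpected_admins() {
    awk -F, -v allowed="$ALLOWED_ADMINS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && $2 == "administrator" && !($1 in ok) { print $1, $2 }' "$1"
}

# Generate demotion commands for review; editor keeps content rights but
# cannot add users, change themes or install plugins.
demotion_commands() {
    unexpected_admins "$1" | awk -v path="$2" '{ print "wp user set-role " $1 " editor --path=" path }'
}

# Succeeds (exit 0) when a login named "admin" exists, regardless of its role.
has_admin_login() {
    awk -F, 'NR > 1 && $1 == "admin" { found = 1 } END { exit !found }' "$1"
}

# Constructed sample of the CSV export.
make_sample_users() {
    csv=$(mktemp)
    cat > "$csv" <<'EOF'
user_login,roles
alice,administrator
bob,administrator
admin,administrator
dave,administrator
erin,editor
EOF
    echo "$csv"
}

# Usage: wp user list --fields=user_login,roles --format=csv > users.csv
#        sh role-audit.sh users.csv /srv/www/example   (assumed paths)
if [ "$#" -ge 2 ]; then
    echo "== administrators outside the allow list"; unexpected_admins "$1"
    echo "== proposed demotions";                    demotion_commands "$1" "$2"
    has_admin_login "$1" && echo "== rename or remove the 'admin' login"
fi
```

The commands are printed rather than executed so the site owner can confirm each demotion; registration can be checked the same way with `wp option get users_can_register`, which should return 0.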

WP-CLI – We ran out of time, but Tabby will talk more about this robust developer tool at a future meeting.