Development Workflow Best Practices – Big Media & Enterprise Meetup Boston

Rob Martinez from NorthPoint Digital presented “Development Workflow: Best Practices and Tools in WordPress” at the recent Big Media & Enterprise Meetup in Boston.


The Boston Big Media & Enterprise Meetup was held on June 11, 2014. Check out the other presentations from the event.

See the presentations from previous Big Media & Enterprise WordPress Meetups. For Big Media & Enterprise WordPress Meetup groups in other cities, see the full list on VIP Events and join your local group. 

Want more information about WordPress services for media or enterprise sites? Get in touch.

WordPress and NESN.com – Big Media & Enterprise Meetup Boston

Michael Hall from the New England Sports Network (NESN.com) presented “How WordPress.com VIP helps NESN be a part of the ‘Digital Day’ for fans of New England sports” at the recent Big Media & Enterprise Meetup in Boston.


Managing Hierarchical Content – Big Media & Enterprise Meetup Boston

Niall Kavanagh, Boston University, presented “Managing Hierarchical Content on Large Page-Count Sites” at the recent Big Media & Enterprise Meetup in Boston.


Harvard Business Review and WordPress – Big Media & Enterprise Meetup Boston

Kevin Newman, Harvard Business Publishing, presented “Adapting WordPress’ role within a larger content strategy” at the recent Big Media & Enterprise Meetup in Boston.


Non-Blocking WordPress – Big Media & Enterprise Meetup San Francisco

Alex Khadiwala and Nico Vincent from TechCrunch presented “Non-Blocking WordPress” at the recent Big Media & Enterprise Meetup in San Francisco, California. Download the slides here.


Why Choose WordPress CMS to Build Websites: A Government Perspective

WordPress.com VIP Director of Platform Services, Peter Slutsky, presented to DigitalGov University last year about using WordPress CMS to build government websites, along with Dan Munz from the Consumer Financial Protection Bureau.

DigitalGov is brought to you by the Office of Citizen Services and Innovative Technologies in the U.S. General Services Administration and their job is to help government agencies build a 21st century digital government.

“Can WordPress be a full-fledged CMS? Our experience is absolutely yes, it can.” — Dan Munz, Deputy Assistant Director for Consumer Engagement at Consumer Financial Protection Bureau.

In this presentation you’ll learn:

  • How to determine if WordPress is a good option for your agency
  • The important technical considerations
  • The biggest challenges and successes CFPB had with implementing WordPress
  • The resources you’ll need to implement it and keep it sustainable
  • How to get buy-in and make the business case to switch/choose WordPress
  • And a Q&A from the attendees


If you’re looking for information about government sites using WordPress, check out our spotlight on Building Government Websites with WordPress CMS or get in touch directly with the WordPress.com VIP team.

The Importance of Escaping All The Things

Nick Daugherty is WordPress.com VIP Lead Engineer. Here he shares some important information about escaping in code and how that can increase security in WordPress sites anywhere in the world. 

If there’s one issue we flag more often than all others in code reviews…it’s escaping.

For starters, we should all agree that escaping (fundamentally, sanitizing input and escaping output) is a critical aspect of web application security. What may be less universally agreed upon is where to escape. On that point, we require “late escaping” – escaping as close as possible to the point of output – and further, we now require it everywhere, always.

You may now be thinking:

“Do I really need to ‘late escape’ everything? Always? Even core WordPress functions?”

We hear you. And, here’s why this is important to us:

In addition to some automated scanning, we manually review every line of code our VIP customers commit to the VIP platform. And, while the original author of a particular piece of code may know exactly where they’ve already escaped their output and/or it’s convenient to trust a WordPress core function’s escaping, it’s much, much faster and more reliable for our reviewers to check for “late escaping”. This way a reviewer can be 100% positive that output has been escaped properly by simply looking at the point of output.

We acknowledge this standard requires a bit more effort from developers writing code for the VIP platform. But we see the benefit as threefold:

1. “late escaping” makes VIP reviewers more efficient, which means customer code is reviewed and deployed faster,

2. a consistent practice of “late escaping” makes missed escaping obvious, thereby reducing the chances that unescaped output makes it into production,

3. a consistently applied escaping standard – and we’ve chosen “late escaping” as ours – allows automated tools to better augment our human reviewers, further improving on #1 and #2 above.

To illustrate the importance of escaping everything, let’s look at a pattern where escaping is commonly omitted: Widget form elements.

A Widget form may look like this:

<label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title:' ); ?></label>
<input type="text" id="<?php echo $this->get_field_id( 'title' ); ?>" title="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" value="<?php echo esc_attr( $title ); ?>"/>

Those get_field_id( 'title' ) and get_field_name( 'title' ) calls should be safe, right, since they are core WordPress functions?

Let’s see what happens when we drop this bit of code anywhere in our codebase:

add_action( 'widget_form_callback', function( $instance, $widget ){
    $widget->id_base = '"><script>alert("Greetings! You have been hacked.");</script>"<';

    return $instance;
}, -999, 2);

Oh no! JavaScript has been injected where it shouldn’t be.
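The widget form from above with every dynamic value escaped at the point of output, as an added example that is not code from the original post. So that it runs under the PHP CLI without WordPress loaded, esc_attr() and esc_html() are minimal htmlspecialchars() stand-ins and Demo_Widget is a hypothetical class whose get_field_id() and get_field_name() only approximate core's; in a real widget the label would use esc_html_e().

```php
<?php
// Stand-ins so the example runs without WordPress loaded (assumption: the real
// esc_attr()/esc_html() do more, such as UTF-8 validation).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Hypothetical widget: field ids and names are derived from id_base (simplified).
class Demo_Widget {
    public $id_base = 'demo';
    public $number  = 2;

    public function get_field_id( $field ) {
        return 'widget-' . $this->id_base . '-' . $this->number . '-' . $field;
    }

    public function get_field_name( $field ) {
        return 'widget-' . $this->id_base . '[' . $this->number . '][' . $field . ']';
    }

    // Late escaping: every dynamic value is escaped where it is echoed.
    public function form( $instance ) {
        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        ?>
<label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"><?php echo esc_html( 'Title:' ); ?></label>
<input type="text" id="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>" value="<?php echo esc_attr( $title ); ?>"/>
        <?php
    }
}

$widget = new Demo_Widget();
// Same hostile id_base as in the post's widget_form_callback example.
$widget->id_base = '"><script>alert("Greetings! You have been hacked.");</script>"<';

ob_start();
$widget->form( array( 'title' => 'News' ) );
$html = ob_get_clean();

echo $html;
// Check that the payload was rendered as inert attribute text, not as a tag.
var_dump( strpos( $html, '<script>' ) === false );
```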

Here is a more real world case illustrating how easy it is to get to a point where we’re outputting values of indeterminate origin:

add_action( 'widget_form_callback', function( $instance, $widget ){
    My_Widget_Controller::setup_widget_form( $instance, $widget );

    return $instance;
}, 10, 2);

// ...

class My_Widget_Controller {
    static function setup_widget_form( $instance, $widget ) {
        $widget->id_base    .= self::get_widget_id_base( $instance, $widget );
        $widget->name       .= self::get_widget_name( $instance, $widget );
    }

    static function get_widget_id_base( $instance, $widget ) {
        global $my_config_object;

        return get_option( 'my_widget_id_base_prefix' ) . '_' . $my_config_object['current_site']['widgets']['id_base'];
    }

    static function get_widget_name( $instance, $widget ) {
        $name = '';

        // ... arbitrary processing to arrive at a $name

        return $name;
    }
}

Now we’re down a rabbit hole, and it’s not so clear that get_field_id( 'title' ) will give us safe values.

Even values that are ‘100% safe and there is no way this could ever be abused’ need to be escaped, because future refactorings can introduce hard-to-detect vulnerabilities if there is unescaped code hanging around:

$class = ( 'featured' == $category ) ? 'home-featured' : 'standard';

?>

<div class="<?php echo $class; ?>">...

Seems harmless enough - $class can only ever have two values. Great, we’re safe!

Until 6 months from now, when a new business need refactors this to:

function my_get_post_class( $post ) {
   // ... arbitrary processing to determine a post class. Maybe we pull it from meta now?
   // Third argument true returns the single stored value as a string rather than an array.
   return get_post_meta( $post->ID, 'custom_post_class', true );
}

// ...

$class = my_get_post_class( $post );

?>

<div class="<?php echo $class; ?>">...

Hmmm, now we’re outputting meta values directly, and there is no way to know that without following a potentially complex program flow – a recipe for an exploitable site.
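Because late escaping is checked at the point of output, the check can be automated without following program flow. The scanner below is an added example, not a VIP tool or code from the original post: find_unescaped_echoes(), SAFE_WRAPPERS and the sample template are hypothetical names and constructed input.

```php
<?php
// Escaping functions accepted at the point of output (assumption: adjust per project).
const SAFE_WRAPPERS = array( 'esc_attr', 'esc_html', 'esc_url', 'esc_js', 'esc_textarea', 'wp_kses_post' );

/**
 * Return the line numbers of echo statements whose first expression token
 * is not a call to one of SAFE_WRAPPERS.
 */
function find_unescaped_echoes( $source ) {
    $tokens  = token_get_all( $source );
    $flagged = array();
    $count   = count( $tokens );

    for ( $i = 0; $i < $count; $i++ ) {
        if ( ! is_array( $tokens[ $i ] ) || T_ECHO !== $tokens[ $i ][0] ) {
            continue;
        }
        // Skip whitespace to reach the first token of the echoed expression.
        $j = $i + 1;
        while ( $j < $count && is_array( $tokens[ $j ] ) && T_WHITESPACE === $tokens[ $j ][0] ) {
            $j++;
        }
        $first        = ( $j < $count ) ? $tokens[ $j ] : null;
        $is_safe_call = is_array( $first )
            && T_STRING === $first[0]
            && in_array( $first[1], SAFE_WRAPPERS, true );
        if ( ! $is_safe_call ) {
            $flagged[] = $tokens[ $i ][2]; // line number of the echo
        }
    }
    return $flagged;
}

// Constructed sample template based on the post's $class, bloginfo and constant cases.
$sample = <<<'PHP'
<?php $class = my_get_post_class( $post ); ?>
<div class="<?php echo $class; ?>">
<div class="<?php echo esc_attr( $class ); ?>">
<h1><?php echo get_bloginfo( 'name' ); ?></h1>
<h1><?php echo esc_html( get_bloginfo( 'name' ) ); ?></h1>
<div class="<?php echo MY_SAFE_CONSTANT; ?>">
PHP;

print_r( find_unescaped_echoes( $sample ) );
```

The scanner inspects only the first token after echo, so concatenated expressions and `<?=` short tags need additional handling before it could be relied on.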

What about constants? Those are the foolproof, never changing pillars of security, right? Consider the following:

// let's say this is for setting a class name, depending on the site we're on
$my_setting = get_option( 'safe_data' );

// ... elsewhere

define( 'MY_SAFE_CONSTANT', $my_setting );

// ...

?>

<div class="<?php echo MY_SAFE_CONSTANT; ?>">...</div>

Later down the line, our option gets updated (somehow):

update_option( 'safe_data', '"><script>alert("hax0rd");</script>' );

Another example of how constants can be exploited is conditional constants:

if ( ! defined( 'MY_SAFE_CONSTANT' ) ) {
    define( 'MY_SAFE_CONSTANT', 'safe-value' );
}

// ... elsewhere

?>

<div class="<?php echo MY_SAFE_CONSTANT; ?>">...</div>

As a hacker, all I need to do to inject anything I like into the page is to add this somewhere before the previous code:

define( 'MY_SAFE_CONSTANT', 'unsafe value' );

What About Core Functions?

This concept applies to nearly all code in a theme, including many core functions that return a value. Some core functions that output, such as bloginfo(), have output escaping applied automatically – we recommend using the equivalent ‘return’ function and manually escaping.

Example: bloginfo( 'name' ); could be rewritten as esc_html( get_bloginfo( 'name' ) );. This approach ensures everything is properly escaped and removes ambiguity.

A post on the merits of escaping would be incomplete without addressing the fact that most esc_*() functions in WordPress apply a filter before returning. While true, the simple answer is: Filters on the escaping functions simply are not allowed on WP.com, and would be quickly caught during code review. Your site is always much safer when escaping all output.

The Bottom Line

If it’s not escaped on output, it’s potentially exploitable. Never underestimate the abilities of an attacker – they’re experts at finding the way to make the ‘this should never, ever, be possible’ things happen :). For maximum security, we must escape all the things.

A WordPress Agile Journey Through the Eyes of a Project Manager – Big Media & Enterprise Meetup Toronto

Joey Ryken, Rogers Digital Media, presented “A WordPress Agile Journey Through the Eyes of a Project Manager” at the recent Big Media & Enterprise Meetup in Toronto, Canada.


WordPress and Olympic.ca – Big Media & Enterprise Meetup Toronto

Anthony Moore, TrewKnowledge, presented “WordPress and Olympic.ca” at the recent Big Media & Enterprise Meetup in Toronto, Canada. We’ve also featured the official Canadian Olympic Committee site before on VIP News.

You can see a copy of his presentation online at TrewKnowledge.


SF Developer & Superuser Training: Remaining Spots Available!

VIP Training Days, developer and superuser (administrator / editorial staff) training will take place from June 17 – 19th in San Francisco. Each day is a separate, unique one-day course, limited to 20 participants and led by a team of WordPress.com VIP instructors, so you’re sure to get plenty of interaction time with the instructors.

We still have space available, so register now!

In addition to our Developer Fundamentals I and Superuser (administrator/editorial staff) courses, the upcoming training in San Francisco will also feature a new course for intermediate developers, which brings together a lot of the content and best practices we have shared at our VIP Workshop in the past, focused on security & performance! More information on the new course: WordPress Fundamentals: Security, Performance, & Debugging.

VIP Training courses are suitable for users of both self-hosted WordPress or WordPress.com VIP sites.

Register for VIP Training Days in San Francisco!

Big Media & Enterprise WordPress Events in San Francisco & Boston:

If you’re going to be in San Francisco but won’t attend the training, don’t forget to sign up for our first Big Media & Enterprise WordPress Meetup on June 17th! There will be networking + some interesting flash talks from VIP clients and other enterprise WordPress users. There’s also a Big Media & Enterprise WordPress Meetup in Boston tomorrow, June 11th!

For more information about upcoming WordPress.com VIP events, be sure to keep an eye on our Events page.