Why Choose WordPress CMS to Build Websites: A Government Perspective

Last year, Peter Slutsky, WordPress.com VIP Director of Platform Services, presented to DigitalGov University on using WordPress CMS to build government websites, along with Dan Munz from the Consumer Financial Protection Bureau.

DigitalGov is brought to you by the Office of Citizen Services and Innovative Technologies in the U.S. General Services Administration, whose job is to help government agencies build a 21st century digital government.

“Can WordPress be a full-fledged CMS? Our experience is absolutely yes, it can.” — Dan Munz, Deputy Assistant Director for Consumer Engagement at Consumer Financial Protection Bureau.

In this presentation you’ll learn:

  • How to determine if WordPress is a good option for your agency
  • The important technical considerations
  • The biggest challenges and successes CFPB had with implementing WordPress
  • The resources you’ll need to implement it and keep it sustainable
  • How to get buy-in and make the business case to switch/choose WordPress
  • And a Q&A from the attendees

Below is the video of the presentation: 

If you’re looking for information about government sites using WordPress, check out our spotlight on Building Government Websites with WordPress CMS or get in touch directly with the WordPress.com VIP team.

The Importance of Escaping All The Things

Nick Daugherty is WordPress.com VIP Lead Engineer. Here he shares some important information about escaping in code and how that can increase security in WordPress sites anywhere in the world. 

If there’s one issue we flag more often than all others in code reviews…it’s escaping.

For starters, we should all agree that escaping (fundamentally, sanitizing input and escaping output) is a critical aspect of web application security. What may be less universally agreed upon is where to escape. On that point, we require “late escaping” – escaping as close as possible to the point of output – and further, we now require it everywhere, always.

You may now be thinking:

“Do I really need to “late escape” everything? Always? Even core WordPress functions?”

We hear you. And, here’s why this is important to us:

In addition to some automated scanning, we manually review every line of code our VIP customers commit to the VIP platform. And, while the original author of a particular piece of code may know exactly where they’ve already escaped their output and/or it’s convenient to trust a WordPress core function’s escaping, it’s much, much faster and more reliable for our reviewers to check for “late escaping”. This way a reviewer can be 100% positive that output has been escaped properly by simply looking at the point of output.

We acknowledge this standard requires a bit more effort from developers writing code for the VIP platform. But, we see the benefit as three fold:

1. “late escaping” makes VIP reviewers more efficient, which means customer code is reviewed and deployed faster,

2. a consistent practice of “late escaping” makes missed escaping obvious, thereby reducing the chances that unescaped output makes it into production,

3. a consistently applied escaping standard- and we’ve chosen “late escaping” as ours- allows automated tools to better augment our human reviewers…further improving on #1 and #2 above.

To illustrate the importance of escaping everything, let’s look at a pattern where escaping is commonly omitted: Widget form elements.

A Widget form may look like this:

<label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title:' ); ?></label>
<input type="text" id="<?php echo $this->get_field_id( 'title' ); ?>" title="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" value="<?php echo esc_attr( $title ); ?>"/>

Those $this->get_field_id( 'title' ) and $this->get_field_name( 'title' ) calls should be safe, right, since they are core WordPress functions?

Let’s see what happens when we drop this bit of code anywhere in our codebase:

add_action( 'widget_form_callback', function( $instance, $widget ){
    $widget->id_base = '"><script>alert("Greetings! You have been hacked.");</script>"<';

    return $instance;
}, -999, 2);

Oh no! JavaScript has been injected where it shouldn’t be.

Here is a more real world case illustrating how easy it is to get to a point where we’re outputting values of indeterminate origin:

add_action( 'widget_form_callback', function( $instance, $widget ){
    My_Widget_Controller::setup_widget_form( $instance, $widget );

    return $instance;
}, 10, 2);

// ...

class My_Widget_Controller {
    static function setup_widget_form( $instance, $widget ) {
        $widget->id_base    .= self::get_widget_id_base( $instance, $widget );
        $widget->name       .= self::get_widget_name( $instance, $widget );
    }

    static function get_widget_id_base( $instance, $widget ) {
        global $my_config_object;

        return get_option( 'my_widget_id_base_prefix' ) . '_' . $my_config_object['current_site']['widgets']['id_base'];
    }

    static function get_widget_name( $instance, $widget ) {
        $name = '';

        // ... arbitrary processing to arrive at a $name

        return $name;
    }
}

Now we’re down a rabbit hole, and it’s not so clear that get_field_id( 'title' ) will give us safe values.
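The same widget form with every dynamic value escaped on the line that echoes it, as an added example (this is not code from the original post or from WordPress core). It assumes it runs inside WordPress, where WP_Widget, esc_attr(), esc_html_e(), esc_html(), sanitize_text_field() and wp_kses_post() are core functions; the widget class name and id_base are hypothetical. Whatever a widget_form_callback hook does to id_base or name, the values are neutralized at the point of output, which is the only place a reviewer has to look:

```php
<?php
// Added example: a widget whose form escapes every value at the point of output.
// Assumes WordPress is loaded; the class name and id_base are made up for the example.
class My_Late_Escaped_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct( 'my_late_escaped_widget', 'My Late-Escaped Widget' );
    }

    // Admin form: every attribute value, including the ones returned by the
    // core get_field_id()/get_field_name() helpers, goes through esc_attr()
    // right where it is echoed. The label text is escaped with esc_html_e().
    public function form( $instance ) {
        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        ?>
        <p>
            <label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>">
                <?php esc_html_e( 'Title:' ); ?>
            </label>
            <input type="text"
                   id="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"
                   name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>"
                   value="<?php echo esc_attr( $title ); ?>" />
        </p>
        <?php
    }

    // Sanitize on input as well; late escaping complements it, it does not replace it.
    public function update( $new_instance, $old_instance ) {
        $instance          = $old_instance;
        $instance['title'] = isset( $new_instance['title'] )
            ? sanitize_text_field( $new_instance['title'] )
            : '';
        return $instance;
    }

    // Front-end output: the stored title is escaped with esc_html() as it is echoed.
    // The before/after markup comes from the theme's register_sidebar() call; it is
    // run through wp_kses_post() so the "escape at output" rule stays uniform.
    public function widget( $args, $instance ) {
        $title = isset( $instance['title'] ) ? $instance['title'] : '';
        echo wp_kses_post( $args['before_widget'] );
        if ( '' !== $title ) {
            echo wp_kses_post( $args['before_title'] ) . esc_html( $title ) . wp_kses_post( $args['after_title'] );
        }
        echo wp_kses_post( $args['after_widget'] );
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'My_Late_Escaped_Widget' );
} );
```

With this form, the id_base override shown above produces an attribute containing &quot;&gt;&lt;script&gt;... rather than a new tag, and a reviewer confirms that by reading the echo lines alone, without tracing where id_base came from.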

Even values that are ‘100% safe and there is no way this could ever be abused’ need to be escaped, because future refactorings can introduce hard-to-detect vulnerabilities if there is unescaped code hanging around:

$class = ( 'featured' == $category ) ? 'home-featured' : 'standard';

?>

<div class="<?php echo $class; ?>">...

Seems harmless enough – $class can only ever have two values. Great, we’re safe!

Until 6 months from now, when a new business need refactors this to:

function my_get_post_class( $post ) {
   // ... arbitrary processing to determine a post class. Maybe we pull it from meta now?
   // (third argument true returns the single meta value as a string rather than an array)
   return get_post_meta( $post->ID, 'custom_post_class', true );
}

// ...

$class = my_get_post_class( $post );

?>

<div class="<?php echo $class; ?>">...

Hmmm, now we’re outputting meta values directly, and there is no way to know that without following a potentially complex program flow – a recipe for an exploitable site.

What about constants? Those are the foolproof, never changing pillars of security, right? Consider the following:

// let's say this is for setting a class name, depending on the site we're on
$my_setting = get_option( 'safe_data' );

// ... elsewhere

define( 'MY_SAFE_CONSTANT', $my_setting );

// ...

?>

<div class="<?php echo MY_SAFE_CONSTANT; ?>">...</div>

Later down the line, our option gets updated (somehow):

update_option( 'safe_data', '"><script>alert("hax0rd");</script>' );

Another example of how constants can be exploited is conditional constants:

if ( ! defined( 'MY_SAFE_CONSTANT' ) ) {
    define( 'MY_SAFE_CONSTANT', 'safe-value' );
}

// ... elsewhere

?>

<div class="<?php echo MY_SAFE_CONSTANT; ?>">...</div>

As a hacker, all I need to do to inject anything I like into the page is to add this somewhere before the previous code:

define( 'MY_SAFE_CONSTANT', 'unsafe value' );

What About Core Functions?

This concept applies to nearly all code in a theme, including many core functions that return a value. Some core functions that output, such as bloginfo(), have output escaping applied automatically – we recommend using the equivalent ‘return’ function and escaping manually.

Example: bloginfo( 'name' ); could be rewritten as echo esc_html( get_bloginfo( 'name' ) );. This approach ensures everything is properly escaped and removes ambiguity.

A post on the merits of escaping would be incomplete without addressing the fact that most esc_*() functions in WordPress apply a filter before returning. That is true, but the simple answer is that filters on the escaping functions are not allowed on WordPress.com and would be quickly caught during code review. Your site is always much safer when escaping all output.
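The post-class, constant and bloginfo() cases from the preceding sections, pulled together into one template helper that escapes each value on the line that echoes it, as an added example (not code from the original post or from WordPress core). It assumes WordPress is loaded; my_get_post_class() and MY_SAFE_CONSTANT are the hypothetical names used earlier in the post, and my_render_post_header() is made up for this example:

```php
<?php
// Added example: late escaping applied to values of indeterminate origin.
// Assumes WordPress is loaded; function and constant names are hypothetical.

// Same indeterminate-origin source as the refactoring example above:
// a post meta value (third argument true returns a single string, not an array).
function my_get_post_class( $post ) {
    return get_post_meta( $post->ID, 'custom_post_class', true );
}

// The conditional constant from the text. Whatever defined it first, the
// value is treated as untrusted where it is output.
if ( ! defined( 'MY_SAFE_CONSTANT' ) ) {
    define( 'MY_SAFE_CONSTANT', 'safe-value' );
}

// Renders a post header. Every value is escaped for the context it lands in
// (attribute, HTML text, URL) on the line that echoes it, so a reviewer never
// has to follow the program flow back to an option, a meta field or a define().
function my_render_post_header( $post ) {
    $class = my_get_post_class( $post );
    ?>
    <div class="<?php echo esc_attr( $class ); ?> <?php echo esc_attr( MY_SAFE_CONSTANT ); ?>">
        <!-- the 'return' function plus manual escaping, in place of bloginfo( 'name' ) -->
        <span class="site-name"><?php echo esc_html( get_bloginfo( 'name' ) ); ?></span>
        <h2 class="entry-title">
            <a href="<?php echo esc_url( get_permalink( $post ) ); ?>">
                <?php echo esc_html( get_the_title( $post ) ); ?>
            </a>
        </h2>
    </div>
    <?php
}
```

With the update_option() payload from the constants section stored in 'safe_data' and fed into the constant, esc_attr() turns the double quote and angle brackets into HTML entities, so the value stays inside the class attribute instead of closing it and opening a script tag. The same holds for the meta-sourced $class: the template does not need to know whether the value was trusted when the function was written six months ago.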

The Bottom Line

If it’s not escaped on output, it’s potentially exploitable. Never underestimate the abilities of an attacker – they’re experts at finding the way to make the ‘this should never, ever, be possible‘ things happen :). For maximum security, we must escape all the things.

A WordPress Agile Journey Through the Eyes of a Project Manager – Big Media & Enterprise Meetup Toronto

Joey Ryken, Rogers Digital Media, presented “A WordPress Agile Journey Through the Eyes of a Project Manager” at the recent Big Media & Enterprise Meetup in Toronto, Canada.

See the presentations from previous Big Media & Enterprise WordPress Meetups. For Big Media & Enterprise WordPress Meetup groups in other cities, see the full list on VIP Events and join your local group. 

WordPress and Olympic.ca – Big Media & Enterprise Meetup Toronto

Anthony Moore, TrewKnowledge, presented “WordPress and Olympic.ca” at the recent Big Media & Enterprise Meetup in Toronto, Canada. We’ve also featured the official Canadian Olympic Committee site before on VIP News.

You can see a copy of his presentation online at TrewKnowledge.

See the presentations from previous Big Media & Enterprise WordPress Meetups. For Big Media & Enterprise WordPress Meetup groups in other cities, see the full list on VIP Events and join your local group. 

SF Developer & Superuser Training: Remaining Spots Available!

VIP Training Days, our developer and superuser (administrator/editorial staff) training, will take place June 17–19 in San Francisco. Each day is a separate, unique one-day course, limited to 20 participants and led by a team of WordPress.com VIP instructors, so you’re sure to get plenty of interaction time with the instructors.

We still have space available, so register now!

In addition to our Developer Fundamentals I and Superuser (administrator/editorial staff) courses, the upcoming training in San Francisco will also feature a new course for intermediate developers, which brings together a lot of the content and best practices we have shared at our VIP Workshop in the past, focused on security & performance! More information on the new course: WordPress Fundamentals: Security, Performance, & Debugging.

VIP Training courses are suitable for users of both self-hosted WordPress or WordPress.com VIP sites.

Register for VIP Training Days in San Francisco!

Big Media & Enterprise WordPress Events in San Francisco & Boston:

If you’re going to be in San Francisco but won’t attend the training, don’t forget to sign up for our first Big Media & Enterprise WordPress Meetup on June 17th! There will be networking + some interesting flash talks from VIP clients and other enterprise WordPress users. There’s also a Big Media & Enterprise WordPress Meetup in Boston tomorrow, June 11th!

For more information about upcoming WordPress.com VIP events, be sure to keep an eye on our Events page.

Documattic: WordPress.com VIP Presentations & Resources on GitHub!

We’re excited to release what we feel could be a valuable resource to the WordPress community at large, “Documattic,” which is a GitHub home for WordPress.com VIP presentations and other resources.


On the WordPress.com VIP team, we spend a lot of time talking to big brands and enterprises about their WordPress needs, which things are working for them, and which situations, features, or functionality need additional information or assistance from the VIP team moving forward. We spend a lot of time explaining the great features of WordPress to client IT, security, and editorial teams, and work with partners and agencies to provide up-to-date information about WordPress software and its vast community of developers, designers, content creators, and site owners.

We’d like to provide even more of that information online, in the hope that it can be useful for the next enterprise looking for information about WordPress, for the agency that needs some reliable answers about how WordPress works in order to explain it to their clients, and for community members who continually have to answer the question, “Can WordPress do that?” We have that information, and we’re excited to start sharing, curating, and building it up in a collaborative way.

There are three resources in the repository to start: the Security FAQ, the WordPress in Government FAQ, and my recent presentation about Trends in Enterprise WordPress Content. We’re hoping to add more in the future and we’d love to hear which documents, presentations, and resources might be useful to you.

If you’re an agency that works with WordPress, think about adding your own resources to the repository, so the WordPress community-at-large can benefit as well!

Check out the Documattic repo on GitHub.

The documents on the repository are released under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license. Any documents or resources you’d like to see added to the repository? Make a pull request, or comment below, and we’ll see what we can do!

New! WordPress.com VIP Cloud Hosting Statistics

At WordPress.com VIP, we love statistics.

We’d like to share some of the statistics associated with our WordPress.com VIP Cloud Hosting service, where we support thousands of publishers and serve billions of page views every month to their visitors through the WordPress.com infrastructure.

Take a look at our new VIP Stats page to see more about how we provide world-class service and support to some of the world’s biggest WordPress sites, and the numbers behind what we do:

WordPress.com VIP Statistics page

Want to know more about how WordPress.com VIP Cloud Hosting works? Get in touch.

How to Set a Vagrant Development System – Big Media & Enterprise Meetup Toronto

Paul Bearne, MetroNews.ca, presented “How to Set a Vagrant Development System” at the recent Big Media & Enterprise Meetup in Toronto, Canada.

See the presentations from previous Big Media & Enterprise WordPress Meetups. For Big Media & Enterprise WordPress Meetup groups in other cities, see the full list on VIP Events and join your local group. 

One Theme, One Multisite, 30+ Unique Websites – Big Media & Enterprise Meetup NYC

Simon Dickson and Simon Wheatley, Code for the People, presented “One Theme, One Multisite, 30+ Unique Websites” at the recent Big Media & Enterprise Meetup in New York City.

See the presentations from previous Big Media & Enterprise WordPress Meetups. For Big Media & Enterprise WordPress Meetup groups in other cities, see the full list on VIP Events and join your local group. 

Big Media & Enterprise WordPress Meetup: Seeing your content as WordPress sees it

Simon Dickson, Code for the People, Director, presented at the Big Media & Enterprise WordPress Meetup in London, with his presentation “Seeing your content as WordPress sees it.”

Simon explores using WordPress for a potential election campaign site and how visualizing the data from a slightly different viewpoint makes it easier to see how it can fit in with WordPress’ data structures and taxonomies.

Watch the video of his presentation and see his slide deck below!

See the presentations from previous Big Media & Enterprise WordPress Meetups. For Big Media & Enterprise WordPress Meetup groups in other cities, see the full list on VIP Events and join your local group.