VIP Intensive Developer Workshop Recap

A little more than a week ago, the VIP Services team hosted the first VIP Intensive Developer Workshop in Napa, California.

We wanted a small, intimate event, and it sold out quickly with a healthy waiting list of hopeful attendees! The intensive workshop mixed in-depth developer topics & discussion with lively onsite and offsite dinners in the beautiful setting of Napa, California.

We’ve gotten some great feedback from the attendees, but what was absolutely encouraging was this:

  • 100% would recommend the conference to a colleague
  • 96% plan on attending again & 4% will send someone else from their company

If you’d like to be notified when the next VIP Event (partner meetups, networking events, training, and conferences) is announced, sign up for our announcement list – we’ll send out event announcements and give you the first opportunity to sign up for the next one!

If instead you’d like the VIP Services team to do private training for your developer or editorial teams, get in touch by filling out our Contact form.


Open-sourcing the Code Comments Trac plugin

At Automattic we love open-source software and try to make more of it. That’s why today we are open-sourcing the Code Comments Trac plugin. We developed it to help us do better and quicker code reviews. Every month the VIP Services team reviews tens of WordPress themes and plugins making sure the code is secure, scalable, and follows the best practices before deploying them on WordPress.com.

In order to get the feedback to our clients faster and track when a theme or plugin is ready to go, we developed the Code Comments Trac plugin. The plugin allows us to leave line-by-line comments on the code, so that all feedback is in context. After that, we create tickets out of the comments and assign them to the theme or plugin developers.

In the end, when all issues are cleared, the code goes live on the client’s WordPress.com VIP website.

If you use Trac and do a lot of code reviews, or you just want to leave comments on code, changesets, or attachments, check out the Code Comments Trac plugin on GitHub.


Scott Taylor on WordPress + Memcached

Scott Taylor, Software Engineer III at eMusic, recently posted a comprehensive article on using WordPress + Memcached.

eMusic relaunched on WordPress a couple of months ago, and it’s great to get Scott’s perspective on a key component of their setup.

Here is a quick blurb, and be sure to go read the full post for all the details:

One of the most bizarre critiques of WordPress that I often hear is “it doesn’t come with caching” – which makes no sense because Cache is one of the best features of WordPress out of the box. That’s kind of like saying: “my iPod sucks because it doesn’t have any songs in it” – when you first buy it. Your iPod can’t predict the future and come pre-loaded with songs you love, and your WordPress environment can’t come already-installed without knowing a minimal number of things. You have to pick a username / password, you have to point at a database, and if you want to cache, you have to pick how you want to cache (you don’t HAVE to cache – but really, you HAVE to cache).

Memcached (pronounced: Mem-cash-dee), or Memcache-daemon, is a process that listens by default on port 11211. Like httpd (H-T-T-P-daemon), it runs in the background, often started automatically on server load. A lot of huge websites use Memcached – at least: Facebook, YouTube, and Twitter.


Key Differences Between Validation and Sanitization

VIP Services developer Daniel Bachhuber shares some tips on writing better code for your WordPress site:

Your code works, but is it safe? When writing code for a high-profile environment, you’ll need to be extra cautious of how you handle data coming into WordPress and how it’s presented to the end user. This commonly comes up when building a settings page for your theme, creating and manipulating shortcodes, or saving and rendering extra data associated with a post.

There’s a distinction between how input and output are managed, however.

Validation: Checking User Input

To validate is to ensure the data you’ve requested of the user matches what they’ve submitted. There are several core methods you can use for input validation; usage obviously depends on the type of fields you’d like to validate. Let’s take a look at an example.

Say we have an input area in our form like this:

<input type="text" id="my-zipcode" name="my-zipcode" maxlength="5" />

Just like that, we’ve limited our user to five characters of input, but there’s no limitation on what they can input. They could enter "11221" or "eval(". Worse, maxlength is enforced only by the browser: anyone can post the form directly with a longer value, so it offers no server-side guarantee at all. If we’re saving to the database, there’s no way we want to give the user unrestricted write access.

This is where validation plays a role. When processing the form, we’ll write code to check each field for its proper data type. If it’s not of the proper data type, we’ll discard it. For instance, to check “my-zipcode” field, we might do something like this:

// Cast the submitted value to an integer; a missing or non-numeric value becomes 0.
$safe_zipcode = isset( $_POST['my-zipcode'] ) ? intval( $_POST['my-zipcode'] ) : 0;
if ( ! $safe_zipcode ) {
    $safe_zipcode = '';
}
update_post_meta( $post->ID, 'my_zipcode', $safe_zipcode );

The intval() function casts user input as an integer and returns zero when the input doesn’t start with digits (so "eval(" becomes 0). We then check to see if the value ended up as zero. If it did, we’ll save an empty value to the database. Otherwise, we’ll save the properly validated zipcode. Two caveats are worth knowing: intval() keeps the leading digits of mixed input ("12abc" becomes 12 rather than being rejected), and it drops leading zeros ("02134" becomes 2134), so a ZIP code field is better checked against an exact pattern of five digits.

This style of validation most closely follows WordPress’ whitelist philosophy: only allow the user to input what you’re expecting. Luckily, there are a number of handy helper functions you can use for most every data type, such as absint() for non-negative integers, is_email() for e-mail addresses, and sanitize_key() for lowercase option keys.
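Whitelist validation for a few common field types, as an added example that is not part of the original post. It is plain PHP so it runs outside WordPress: the form field names, the validate_* helpers and the sample submissions are all constructed for illustration, and the ZIP check uses a pattern rather than intval() so that a leading zero survives and mixed input is rejected. Inside WordPress you would typically reach for absint(), is_email() and friends and then call update_post_meta(); this block stops at computing the validated values.

```php
<?php
// Added example (not from the original post): server-side whitelist validation
// in plain PHP. The helpers below are illustrative, not WordPress functions.

/**
 * Validate a five-digit US ZIP code. Returns the ZIP as a string, or '' on failure.
 * A pattern is used instead of intval() so that "02134" keeps its leading zero
 * and "12abc" is rejected rather than truncated to 12.
 */
function validate_zipcode( $raw ) {
    if ( ! is_string( $raw ) ) {
        return '';
    }
    return preg_match( '/^[0-9]{5}$/', $raw ) ? $raw : '';
}

/**
 * Validate a <select> value against exactly the options the form offered.
 * Anything else (including case variants or injected attributes) falls back
 * to the default.
 */
function validate_choice( $raw, array $allowed, $default ) {
    return ( is_string( $raw ) && in_array( $raw, $allowed, true ) ) ? $raw : $default;
}

/**
 * Validate a checkbox with no value attribute: browsers send "on" only when it
 * is ticked, so that exact string is the only accepted "true".
 */
function validate_checkbox( array $post, $field ) {
    return isset( $post[ $field ] ) && $post[ $field ] === 'on';
}

/** Validate an e-mail address with PHP's built-in filter; '' if rejected. */
function validate_email( $raw ) {
    $ok = is_string( $raw ) && filter_var( $raw, FILTER_VALIDATE_EMAIL ) !== false;
    return $ok ? $raw : '';
}

/** Run every field of a submission through its validator; unknown fields are ignored. */
function validate_settings( array $post ) {
    return array(
        'zipcode'  => validate_zipcode( isset( $post['my-zipcode'] ) ? $post['my-zipcode'] : '' ),
        'layout'   => validate_choice(
            isset( $post['layout'] ) ? $post['layout'] : '',
            array( 'one-column', 'two-column' ),
            'one-column'
        ),
        'featured' => validate_checkbox( $post, 'featured' ),
        'email'    => validate_email( isset( $post['contact'] ) ? $post['contact'] : '' ),
    );
}

// Constructed sample submissions: one honest, one hostile. The hostile one
// ignores maxlength="5" entirely, as any hand-crafted POST request can.
$good = array(
    'my-zipcode' => '02134',
    'layout'     => 'two-column',
    'featured'   => 'on',
    'contact'    => 'editor@example.com',
);
$bad = array(
    'my-zipcode' => '12abc<script>',
    'layout'     => 'three-column" onload="x',
    'featured'   => '1',
    'contact'    => 'not an address',
);

print_r( validate_settings( $good ) );
print_r( validate_settings( $bad ) );
```

Run it with the php command-line binary. Every field of the hostile submission collapses to its safe default because each validator only ever returns a value the form could legitimately have produced; that is the whitelist idea in practice, and it is independent of whatever the browser-side maxlength promised.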

Sanitization: Escaping Output

For security on the other end of the spectrum, we have sanitization. To sanitize is to take the data you may already have and help secure it prior to rendering it for the end user. (WordPress’s later coding standards call this output-side step escaping, which is why the helpers are named esc_*, and reserve "sanitize" for cleaning data on the way in; the principle is the same.) WordPress thankfully has a few helper functions we can use for most of what we’ll commonly need to do:

esc_html() should be used any time an HTML element encloses a section of data we’re outputting, i.e. the text between an opening and closing tag.

<h4><?php echo esc_html( $title ); ?></h4>

esc_url() should be used on all URLs, including those in the ‘src’ and ‘href’ attributes of an HTML element. Besides encoding, it rejects URLs whose scheme isn’t on WordPress’s allowed-protocol list, so a stored "javascript:" link comes out empty instead of executable.

<img src="<?php echo esc_url( $great_user_picture_url ); ?>" />

esc_js() is intended for a value placed inside a JavaScript string literal in inline JavaScript, such as an onclick attribute; the value must sit inside single quotes. It escapes quotes and line endings for that position only, so it is not a way to make arbitrary JavaScript code safe to echo.

<a href="#" onclick="return confirm( '<?php echo esc_js( $confirm_message ); ?>' );">Click me</a>

esc_attr() can be used on everything else that’s printed into an HTML element’s attribute. Always quote the attribute: an unquoted attribute value can be terminated with a space, which no escaping function can prevent.

<ul class="<?php echo esc_attr( $stored_class ); ?>">

It’s important to note that most WordPress template tags that echo their output, such as the_title(), already prepare the data for display, and you don’t need to escape again.

<h4><?php the_title(); ?></h4>

Also, as there are always exceptions to the rule, some user-submitted data needs to be both validated and sanitized on input rather than only escaped on output. Freeform text areas fall into this category: you can run that data through sanitize_text_field() (which strips tags and stray control characters) or, where some HTML is wanted, through one of the wp_kses_*() functions such as wp_kses_post(), which keep only the tags and attributes on an allow-list.
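The same hostile value rendered into the four contexts above, as an added example that is not part of the original post. Because it has to run outside WordPress, it uses plain-PHP stand-ins (the demo_* functions, which are hypothetical names and not WordPress’s implementations of esc_html(), esc_attr(), esc_url() or esc_js()) built on htmlspecialchars(), parse_url() and json_encode(); the point it makes is the one the post makes, that the escaping has to match where the data lands. The sample inputs are constructed; confirm() is the browser’s own function.

```php
<?php
// Added example (not from the original post): context-specific escaping in plain
// PHP. The demo_* helpers are illustrative stand-ins, not WordPress code.

/** Stand-in for esc_html()/esc_attr(): entity-encode &, <, >, " and '. */
function demo_esc_html( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

/**
 * Stand-in for esc_url(): allow only a short list of schemes (or a relative
 * URL), then entity-encode. A javascript: URL passes htmlspecialchars()
 * untouched, which is why encoding alone is not enough for href/src.
 */
function demo_esc_url( $url ) {
    $url    = trim( (string) $url );
    $scheme = parse_url( $url, PHP_URL_SCHEME );
    if ( $scheme !== null
        && ! in_array( strtolower( (string) $scheme ), array( 'http', 'https', 'mailto' ), true ) ) {
        return '';
    }
    return demo_esc_html( $url );
}

/**
 * Stand-in for the esc_js() idea: turn a value into a JavaScript string
 * literal. json_encode() yields a double-quoted literal in which <, >, &, '
 * and " are \uXXXX-escaped; the literal is then entity-encoded because it
 * is being printed inside an HTML attribute.
 */
function demo_esc_js_string( $value ) {
    $literal = json_encode(
        (string) $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return demo_esc_html( $literal );
}

/** Render one text value and one URL into four contexts, escaped per context. */
function render_contexts( $value, $url ) {
    return array(
        'text'      => '<h4>' . demo_esc_html( $value ) . '</h4>',
        'attribute' => '<ul class="' . demo_esc_html( $value ) . '">',
        'url'       => '<img src="' . demo_esc_url( $url ) . '" />',
        'js'        => '<a href="#" onclick="return confirm(' . demo_esc_js_string( $value ) . ');">Click me</a>',
    );
}

// Constructed hostile inputs: an attribute-breaking tag in the text field and a
// javascript: URL where an image address was expected.
$value = '"><script>alert(1)</script>';
$url   = 'javascript:alert(document.cookie)';

foreach ( render_contexts( $value, $url ) as $context => $html ) {
    echo $context, ': ', $html, "\n";
}
```

Each printed line carries the same hostile value but treated differently: in the text and attribute contexts the tag characters are entity-encoded so the browser shows them rather than parsing them, the javascript: URL is rejected outright instead of being encoded, and the onclick value becomes a quoted string literal handed to confirm(), never code. Swapping any one of these for another (for example, using the text encoder on the URL) is exactly the mistake the helper names are there to prevent.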

To recap: follow the whitelist philosophy with data validation, and only allow the user to input data of your expected type. If it’s not the proper type, discard it. Sanitize data as much as possible on output, and a selection needs to be sanitized on input too.

Hit us with your questions or tips in the comments.

Primer: WordPress photo gallery without a plugin

Otto has created a very thorough primer to create a WordPress photo gallery without a plugin. He walks you through understanding pictures and galleries, creating and modifying an image template, and tweaking image and thumbnail sizes.

He reminds us:

You don’t really need plugins to create photo galleries. WordPress has a huge amount of gallery functionality built right in. You just need to make your theme smarter in order to take advantage of it.

Click through to read Photo gallery primer on Otto on WordPress.


Cheezburger Network Open Sources Their WordPress Administration Panel

WordPress.com VIP Cheezburger Network, where you get your daily LOLz from one of their 50 popular sites like I Can Has Cheezburger? and FAIL Blog, has shared the code of their WordPress theme administration panels.

Called CheezCap, it’s a simple library for easily creating custom admin panels.

Screenshot of CheezCap

Cheezburger Network uses a single shared theme across all their sites. In order to avoid having to create conditionals and other per-blog modifications in their theme, they developed CheezCap. Any of the administrators can update the options controlling the layout, design, colors, etc, without having to dig into the theme code.

When asked what motivates his engineering team to participate in the WordPress community, CTO Scott Porad replied:

I can say without hesitation that WordPress has had a hand in the success of Cheezburger. So, to the extent that we can help other people be successful with WordPress, we’re on board!

What I meant to say is… All aboard the WordPress Express! Choo Choo!

WordPress Top Demanded Skill on Elance

Since last year, when we wrote about “WordPress in Demand on Elance”, WordPress has surged into the top ten and is now the sixth most in-demand skill on Elance!

Elance Top Overall Skills in Demand Q2 2010

Online publishing dominates this list. It’s exciting that the ever-evolving WordPress, built on its PHP, MySQL, and CSS stack, continues to be the web development platform in demand.

Elance’s 2010 Q2 Online Employment Report also includes a single profile, that of Ron Z Zvagelsky, highlighting his success as a WordPress Expert on Elance. Represent!

WordPress Resources for Publishers

One of the biggest strengths of WordPress as a publishing platform is the depth of our community of consultants, developers, designers, and hosting providers. It can be tricky to figure out where to find pointers to awesome WordPress partners, so we’ve pulled together this mini-guide for publishers looking for help.

VIP Services: Hosting and Support
From the team that runs WordPress.com, at Automattic, we also offer VIP Services in the form of Hosting and Support. We’ve worked with more hosts than you can imagine, and in our opinion, the companies in our hosting directory represent some of the best and the brightest of the hosting world. If you’re a publisher with significant amounts of monthly traffic, VIP Hosting by WordPress.com is another option for your hosting needs. If you’d prefer to run WordPress on your own servers, but want some extra optimization, streamlining, or security help to future-proof your site for the traffic to come, you’ll want VIP Support.

CodePoet
CodePoet is a shortlist of WordPress consultants brought to you by Automattic, the company behind WordPress.com. As the world’s largest operator of WordPress blogs (over 16 million and counting), we receive a steady stream of requests from people looking for WordPress-savvy web design and software development firms. In response we’ve started CodePoet, a directory of consultants who specialize in building beautiful and efficient WordPress sites.

How-to: Nginx as a front-end proxy cache for WordPress

From Harvard Law’s Dan Collis-Puro, a how-to on optimizing your WordPress MU install, using Nginx as a front-end proxy cache for WordPress:

We put an nginx caching proxy server in front of our WordPress MU install and sped it up dramatically – in some cases a thousandfold. I’ve packaged up a plugin, along with installation instructions here – WordPress Nginx proxy cache integrator.

You can read the full details on Dan’s blog and grab the plugin from the WordPress.org plugin directory.

[ Visit http://blogs.law.harvard.edu/djcp ]

WordPress and Windows Azure

This week I had a unique opportunity to appear at Microsoft’s Professional Developer Conference in Los Angeles, to demo four open source technologies — WordPress, Apache, MySQL, PHP — running on Microsoft’s new EC2 competitor called Azure.

WordPress and Windows Azure probably aren’t the first two things you’d think of together. WordPress has been free and open source software from the very beginning, Windows not so much, but we’ve always supported as many platforms as possible and for at least 4 years now you could run WP on Windows and IIS (Internet Information Services).

Choice and competition are great for spurring innovation and better for users and I believe open source software is a good thing even if it’s on a proprietary platform. (Just like we have an open source iPhone application, or encourage people to use Firefox on Windows.)

If you’re interested, check out the full transcript of the keynote from PDC or watch the video of the keynote.

We also created this FAQ in case you had more questions about what was announced.

What did you announce about WordPress at Microsoft PDC 09?
As part of the introduction of the Windows Azure platform, we announced that self-hosted WordPress can be run in an Azure environment on an open source stack of Apache, MySQL, and PHP. Showing MySQL in particular at a Microsoft conference was unusual.

Are you moving WordPress.com to Azure?
No. WordPress.com, which is Automattic’s hosted blogging service, is going to stay on its existing infrastructure. Martin Cron from the Cheezburger Network launched a new blog Oddly Specific on Azure, which some people confused with Automattic.

Do you use Azure at all?
Yes, we’ve been testing out their blob storage as an alternative to Amazon S3 and Rackspace Cloudfiles. We don’t currently use it in production.

Doesn’t this conflict with your open source orientation?
No. We actually think it’s going to help the spread of open source to have the Free and open Web stack get more support and deployment through Microsoft’s cloud infrastructure, which they’re investing quite a bit in. Besides, as I like to say, once you get a taste of Freedom it’s hard to go back. :)