Coding Best Practices: Preventing XSS in JavaScript

Nick Daugherty, from the VIP Platform team, shares some best practices for VIP developers and anyone wanting to write secure WordPress code. For more, see our VIP Documentation

The primary vulnerability we need to be careful of in JavaScript is Cross-Site Scripting (XSS). We're probably all familiar with the escaping functions we use in WordPress PHP to avoid it: esc_html(), esc_attr(), esc_url(), etc. Given that, it seems natural that we would also need to escape HTML in JavaScript.

As it turns out, however, that's the wrong way to approach JavaScript security. To avoid XSS, we want to avoid inserting HTML strings into the document at all and instead programmatically create DOM nodes and append them to the DOM. This means avoiding .html(), .innerHTML, and related functions, and instead using .append(), .prepend(), .before(), .after(), and so on, handing them DOM nodes or jQuery objects rather than strings (jQuery will parse an HTML string passed to .append() just as .html() would).

Here is an example:

jQuery.ajax({
    url: 'http://any-site.com/endpoint.json'
}).done( function( data ) {
    var link = '<a href="' + data.url + '">' + data.title + '</a>';

    jQuery( '#my-div' ).html( link );
});

This approach is dangerous, because we're trusting that the response from any-site.com includes only safe data, something we can not guarantee, even if the site is our own. Who is to say that data.title doesn't contain <script>alert( "haxxored");</script>?

Instead, the correct approach is to create a new DOM node programmatically, then attach it to the DOM:

jQuery.ajax({
    url: 'http://any-site.com/endpoint.json'
}).done( function( data ) {
    var a = jQuery( '<a />' );
    a.attr( 'href', data.url );
    a.text( data.title );

    jQuery( '#my-div' ).append( a );
});

Note: it's technically faster to insert HTML, because the browser's parser is optimized for it. The best solution is to minimize DOM insertions by building larger structures in memory (a detached element or a DocumentFragment) and inserting them into the DOM all at once, when possible.

By passing the data through jQuery's .text() and .attr() or the browser's DOM APIs, the values are stored as text and attribute values rather than parsed as markup, and we remove the need to inject HTML snippets into the page. One caveat: the DOM API does not validate what an attribute means. An href of javascript:… set via .attr() is still a link that executes when clicked, so check that data.url uses an expected scheme (http or https) before using it.

To ensure the security of your application, use the DOM APIs provided by the browser (or jQuery) for all DOM manipulation.
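The same link-building step written against the plain DOM API, as an added example that is not code from the original post. It adds the one check the article leaves out: data.url is used as an href unescaped, and a URL such as javascript:alert(1) is a valid href that runs when clicked, so the scheme is validated first. The names isSafeHttpUrl, renderLink, renderLinkInto and SAMPLE_RESPONSE are assumptions for this example, as is the shape of the response object (url and title); the doc parameter defaults to the browser document and exists only so the functions can be exercised outside a browser.

```javascript
// Added example for this article (not code from the original post): the
// link-building step done with the plain DOM API plus a URL-scheme check.
// `data` is assumed to be the decoded JSON response with `url` and `title`;
// isSafeHttpUrl, renderLink, renderLinkInto and SAMPLE_RESPONSE are names
// chosen for this example.

// setAttribute()/.attr() store the value verbatim, so a "javascript:" or
// "data:" URL would still execute on click. Accept only http(s). Relative
// URLs are resolved against `base` so they are allowed; the base itself is
// a placeholder and never fetched.
function isSafeHttpUrl(candidate, base = 'https://example.invalid/') {
  if (typeof candidate !== 'string' || candidate.trim() === '') {
    return false;
  }
  let parsed;
  try {
    parsed = new URL(candidate, base);
  } catch (e) {
    return false; // not a parseable URL
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Build an <a> from untrusted data. textContent creates a text node, so any
// markup in data.title is displayed literally and never parsed.
function renderLink(data, doc = globalThis.document) {
  const a = doc.createElement('a');
  a.textContent = String(data.title);
  if (isSafeHttpUrl(data.url)) {
    a.setAttribute('href', data.url);
  }
  // Otherwise leave the element unlinked rather than emit an unsafe href.
  return a;
}

// Attach the node itself (not an HTML string) to the container.
function renderLinkInto(container, data, doc = globalThis.document) {
  const a = renderLink(data, doc);
  container.appendChild(a);
  return a;
}

// Constructed sample response (not real data) carrying the two payloads the
// article warns about: a script-scheme URL and markup in the title.
const SAMPLE_RESPONSE = {
  url: 'javascript:alert("haxxored")',
  title: '<img src="a" onerror="alert(\'haxxored\');" />',
};

// In the browser, replacing the jQuery.ajax() call from the article:
//   fetch('https://any-site.com/endpoint.json')
//     .then((r) => r.json())
//     .then((data) => renderLinkInto(document.getElementById('my-div'), data));
```

With SAMPLE_RESPONSE the title is shown as literal text (the img tag is never parsed) and the link is rendered without an href, because the javascript: scheme fails the check.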

Escaping Dynamic JavaScript Values

When sending dynamic data from PHP to JavaScript, care must be taken to ensure values are properly escaped. The core function esc_js() escapes a value for use inside a quoted string in an inline event-handler attribute; all other values should be encoded with json_encode() (or WordPress's wp_json_encode() wrapper around it).

From the WP Codex on esc_js():

It is intended to be used for inline JS (in a tag attribute, for example onclick="…").

If you're not working with inline JS in HTML event-handler attributes, a more suitable function is json_encode(), which is built into PHP (wp_json_encode() wraps it in WordPress).

This approach is incorrect: esc_js() assumes the attribute context described above, and every value, including the comment count, ends up as a string:

var title = '<?php echo esc_js( $title ); ?>';
var content = '<?php echo esc_js( $content ); ?>';
var comment_count = '<?php echo esc_js( $comment_count ); ?>';

Instead, use wp_json_encode(), which produces a valid JavaScript literal for the value and adds the quotes around strings itself (numbers stay numbers):

var title = <?php echo wp_json_encode( $title ); ?>;
var content = <?php echo wp_json_encode( $content ); ?>;
var comment_count = <?php echo wp_json_encode( $comment_count ); ?>;
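The same pattern for a page rendered by a Node server rather than by PHP, as an added example that is not code from the original post or from WordPress: JSON-encode the value, then escape the characters that matter inside a <script> element. PHP's json_encode(), and therefore wp_json_encode(), escapes "/" by default, so a "</script>" inside a value comes out as "<\/script>" and cannot close the block; JSON.stringify() does not, so the helper below escapes "<", ">", "&" and the U+2028/U+2029 line terminators explicitly. jsonForScriptTag, renderInlineScript and SAMPLE_VARS are names chosen for this example.

```javascript
// Added example (not code from the original post or from WordPress): the
// "var name = <json>;" pattern rendered server-side in Node.
// jsonForScriptTag, renderInlineScript and SAMPLE_VARS are example names.

// JSON.stringify() leaves "<", ">" and "&" alone, so "</script>" in a value
// would terminate the block. Escaping them as \uXXXX keeps the output valid
// JSON and valid JavaScript. U+2028/U+2029 are line terminators in older
// JavaScript engines and are escaped for the same reason.
function jsonForScriptTag(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    return 'null'; // undefined and functions have no JSON form
  }
  return json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render one <script> block assigning each variable. Names are restricted
// to plain identifiers so the variable name itself cannot carry code.
function renderInlineScript(vars) {
  const lines = [];
  for (const [name, value] of Object.entries(vars)) {
    if (!/^[A-Za-z_$][\w$]*$/.test(name)) {
      throw new Error('invalid JavaScript identifier: ' + name);
    }
    lines.push('var ' + name + ' = ' + jsonForScriptTag(value) + ';');
  }
  return '<script>\n' + lines.join('\n') + '\n</script>';
}

// Constructed sample values (not real post data). `content` carries a
// script-closing payload; `comment_count` must survive as a number.
const SAMPLE_VARS = {
  title: 'Hello "world"',
  content: '</script><script>alert("haxxored")</script>',
  comment_count: 12,
};
```

renderInlineScript(SAMPLE_VARS) yields a block whose only "</script>" is the closing tag; the payload inside content is emitted as \u003c/script\u003e, which the browser's HTML parser does not treat as a tag but which JavaScript decodes back to the original string.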

Stripping Tags

It may be tempting to use .html() followed by .text() to strip tags, but this approach is still vulnerable:

// Incorrect
var text = jQuery('<div />').html( some_html_string ).text();
jQuery( '.some-div' ).html( text );

Parsing a string into an element's HTML creates live elements: an <img> starts fetching its src immediately, and when that fails its onerror handler runs. That leads to attacks like this:

// XSS attack waiting to happen
var some_html_string = '<img src="a" onerror="alert(\'haxxored\');" />';

As soon as that string is set as an element's HTML (even if the element isn't attached to the document!), the src is requested, the load errors out, and the code in the onerror handler runs, all before .text() is ever called.

The need to strip tags is indicative of bad practices. Remember: always use the appropriate API for DOM manipulation. If the string should be shown as text, set it as text:

// Correct
jQuery( '.some-div' ).text( some_html_string );

Other Common XSS Vectors

  • Using eval(). Never do this.
  • Unvalidated / unsanitized data from URLs, URL fragments, query strings, and cookies
  • Including untrusted / unreviewed third-party JS libraries
  • Using outdated / unpatched third-party JS libraries

Helpful Resources

Have some Shortcake – the plugin which makes shortcodes a piece of cake

Shortcodes can be a useful way of defining complex HTML elements within the WordPress editing window. But as Matthew Haines-Young, senior engineer at WordPress.com VIP Featured Partner agency Human Made, told the London Big Media & Enterprise Meetup, ‘everybody hates them.’

His solution is Shortcake, a plugin developed as part of Human Made’s work with the US media company Fusion. It gives developers the ability to add user-friendly modules to the Add Media window, making the shortcodes themselves (almost) invisible.

You can browse Matthew’s slides below:

Shortcake lives on GitHub for the moment, but it has been proposed as a candidate for future inclusion in the WordPress core software.

See the presentations from previous Big Media & Enterprise WordPress Meetups. For Big Media & Enterprise WordPress Meetup groups in other cities, see the full list on VIP Events and join your local group.

Want more information about WordPress services for media or enterprise sites? Get in touch.

Introducing CoSchedule, the newest member of our Technology Partner Program

We’re excited to announce that CoSchedule has joined our Technology Partner Program. CoSchedule is a comprehensive marketing tool to help you and your team execute your entire content marketing strategy within WordPress.com VIP. If you’re looking to plan awesome content and save a bunch of time, the CoSchedule plugin on VIP can help you do just that.

Here are 10 reasons to check out CoSchedule:

1. Customize Team Roles

WordPress VIP customizable team roles

Customize everyone’s role on your team to give permissions for specific responsibilities. Help them use the features they need to do their work, and hide the ones that get in their way.

2. Control Who Can Share Content

WordPress VIP custom social media permissions

You can control access to your social profiles to limit who can and can’t publish to each account. Give specific team members the rights to use certain company social media profiles while restricting others’ access. This will help you get a ton of traffic from your team, while providing advanced accountability for social sharing.

3. Advanced Profiles For Sharing Content

WordPress VIP social media security and private profiles

When you create content your team is really proud of, they’ll want to share it with their personal fans, followers, and friends. Your team can rock at social media with private social profiles and share your content to generate even more traffic.

4. Better Accountability

WordPress VIP security and access logs

Sometimes, you just need to know who published what. It helps to have a full history log of who modified your blog and social media content. CoSchedule will help you know exactly who did it.

5. Scheduling Social Media Messages

WordPress VIP social media scheduling

Schedule social media messages as you write your blog posts. That means multiple team members can work on a project at the same time to move faster, be more productive, and work together in the same tool to see what everyone is working on.

6. Custom Workflow That Works For Your Team

WordPress VIP customizable content marketing workflow

Create a workflow that suits your needs: build your own task templates, name those tasks, assign them to the right custom roles for your team, and automatically change the due dates if you move your content around on your calendar.

7. Analytics

WordPress VIP social media analytics

You need to know how your content performs to prove your ROI and improve your future content.

8. Work Where It Works Best For You

WordPress VIP custom dashboards

You can access CoSchedule directly within WordPress.com VIP, or as a standalone web app.

9. Security

CoSchedule uses the same security technology most banks use to protect your information. Check out their status log whenever you'd like to see their uptime stats. You'll always have access to at least two support techs during regular business hours, and at least one support tech is on call 24 hours a day.

10. Get The Support You Need

There’s something special about receiving support that helps you get through a tough problem. And taking that to a whole other level is even better. Get the priority level support you need for any question you have when you choose CoSchedule for WordPress.com VIP.

The support includes setup assistance and full support for your entire experience with CoSchedule. Don’t hesitate to reach out.

WordPress For Weans – how the Scottish education system is encouraging kids to contribute with confidence

It’s one of the largest WordPress multi-site installs we know of in the UK, but few have ever heard of it. Scotland’s Glow was the world’s first national intranet for education, and features WordPress as one of several components offered to pupils and teachers. It supports more than 140,000 websites, blogs and e-portfolios, with hundreds more being added each week.

Glow product owner John Johnston joined us at March 2015’s London Big Media & Enterprise Meetup to explain how WordPress was supporting the Scottish curriculum’s aim to produce successful learners, confident individuals, responsible citizens and effective contributors. You may need to channel your inner Scotsman to make sense of his title, ‘WordPress For Weans’!

John’s slides are also available as a PDF.

See the presentations from previous Big Media & Enterprise WordPress Meetups. For Big Media & Enterprise WordPress Meetup groups in other cities, see the full list on VIP Events and join your local group.

Want more information about WordPress services for media or enterprise sites? Get in touch.

WordPress On The Inside – how the UK government is deploying WordPress as an intranet platform

Helpful Technology is a relatively small London consultancy specialising in digital engagement. One area of focus for Steph Gray’s team is corporate intranet development; and they have had great success deploying a WordPress-based intranet solution inside several UK central government departments.

Steph and his colleague Luke Oatham joined us at March 2015’s London Big Media & Enterprise Meetup to talk about the features which had made the project a success. And if you like what you see, their code is available as open source for anyone to use and improve.

For a clearer view of Steph and Luke’s slides:

The GovIntranet theme can be found on Github, with the user community located at govintranetters.helpfulclients.com. Luke also blogs about his work at intranetdiary.co.uk.

See the presentations from previous Big Media & Enterprise WordPress Meetups. For Big Media & Enterprise WordPress Meetup groups in other cities, see the full list on VIP Events and join your local group.

Want more information about WordPress services for media or enterprise sites? Get in touch.

Snakes In A Plugin – WordPress plugin security

Duncan Stuart is Head of Products at dxw, a London agency specialising in projects for the public sector. He has a particular interest in security; and at our London Big Media & Enterprise Meetup in March 2015, in a presentation entitled ‘Snakes In A Plugin’, he demonstrated the most common vulnerability they find when conducting security reviews of WordPress plugins.

Duncan’s slides can be seen below:

See the presentations from previous Big Media & Enterprise WordPress Meetups. For Big Media & Enterprise WordPress Meetup groups in other cities, see the full list on VIP Events and join your local group.

Want more information about WordPress services for media or enterprise sites? Get in touch.

Introducing the WordPress Security White Paper

We’re very proud to share the WordPress Security White Paper with the WordPress community!

The white paper is an analysis and explanation of the WordPress core software development and its related security processes, as well as an examination of the inherent security built directly into the software. Decision makers evaluating WordPress as a content management system or web application framework can use the white paper in their analysis and decision-making, and developers can refer to it to familiarize themselves with the security components and best practices of the software.

The WordPress Security White Paper is available directly on the WordPress.org site. In addition, the HTML and PDF versions are available on the WordPress GitHub repository (updated: previously hosted at Automattic's Documattic) for any updates and/or additions.

We’d really love to encourage and help share translations of the white paper to the global WordPress community. If you have a translation to contribute, please add it to the WordPress GitHub repo so others can benefit, too. Pull requests welcome!

The text in the white paper (not including the WordPress logo or trademark) is licensed under CC0 1.0 Universal (CC0 1.0) Public Domain Dedication. You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.

Thank you to all who contributed to the initial release and compilation of this document: Barry Abrahamson, Michael Adams, Jon Cave, Helen Hou-Sandí, Dion Hulse, Mo Jangda, and Paul Maiorana.

Below is the table of contents for the white paper, which you can find here.

Overview
Executive Summary
An Overview of WordPress
The WordPress Core Leadership Team
The WordPress Release Cycle
Version Numbering and Security Releases
Version Backwards Compatibility
WordPress and Security
The WordPress Security Team
WordPress Security Risks, Process, and History
Automatic Background Updates for Security Releases
2013 OWASP Top 10
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross Site Scripting (XSS)
A4 – Insecure Direct Object Reference
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
Further Security Risks and Concerns
XXE (XML eXternal Entity) processing attacks
SSRF (Server Side Request Forgery) Attacks
WordPress Plugin and Theme Security
The Default Theme
The Theme Review Team
The Role of the Hosting Provider in WordPress Security
A Note about WordPress.com and WordPress security
Appendix
Core WordPress APIs
White paper content License
Additional Reading

A special note: as the table of contents shows, the white paper is specific to the open source core WordPress software. The core WordPress software is the foundation of WordPress.com, and there is an additional Security FAQ related to WordPress.com VIP here.

Join the VIP team at an Upcoming Event!

We hope you're staying out of the snowdrifts and keeping warm wherever you are, and we wanted to make sure you knew of some upcoming events the WordPress.com VIP team is organizing or participating in. We hope to see you and have a chat at any of these events!

We're meeting & greeting in Seattle! If you're in or around Seattle later this month, several members of the WordPress.com VIP team are hosting an informal meet and greet on February 24th! Please get in touch if you'll be in the area so we can send you an invite.

The Big Media & Enterprise (BM&E) WordPress Meetups are a great way to meet other developers, product managers, and editorial teams who use large, high-traffic WordPress sites. The evening is usually centered around 3-4 flash talks followed by discussion and networking. Past BM&E events have been held in NYC, Boston, San Francisco, Toronto, and London.

Boston’s BM&E is March 10th, after two reschedules due to snow. We’re hoping the date sticks (and not the snow)! You can join the Boston group on Meetup.com & RSVP here.

March Big Media & Enterprise Meetup

Tuesday, Mar 10, 2015, 6:45 PM

Workbar Cambridge
45 Prospect Street Cambridge, MA


London’s BM&E is also March 10th. We’re headed back to London for another event! You can join the London group on Meetup.com & RSVP here.

March 2015 Meetup

Tuesday, Mar 10, 2015, 6:30 PM

Westminster HUB
80 Haymarket #1st floor SW1Y 4TE London, GB


We’ll also be coming back to San Francisco on April 8th for a Big Media & Enterprise WordPress Meetup. You can join the San Francisco group on Meetup.com & RSVP here.

April 2015 Big Media & Enterprise WordPress Meetup

Wednesday, Apr 8, 2015, 6:45 PM

Automattic Lounge
132 Hawthorne St San Francisco, CA


Also in April, a few WordPress.com VIP team members will be at the National Association of Broadcasters (NAB) Show in Las Vegas, from April 13-16th. Will you be there? Get in touch.


And our flagship event, the WordPress.com VIP Intensive Developer Workshop, is happening May 4-7th and still has space available. Find more information on the event and pre-register here.


Several of the WordPress.com VIP team will also be at WordCamp London from March 20-22nd. If you’re attending, please say hi!


To keep up-to-date with our events, follow @WordPressVIP on Twitter and check our VIP Events page.

Variety.com and Deadline Hollywood Launches: Lessons Learned – Now With Full Transcript

Gabriel Koen from PMC (Variety.com, Deadline Hollywood) presented “Launches: Lessons Learned” at the recent Big Media & Enterprise Meetup in San Francisco, California, now available with full transcript. 

View the presentation slides below:

I come here from Penske Media. I'm going to be talking essentially about our product launches and what's gone wrong and how we've used that to essentially adapt what we do and how we do it.

For those of you who haven’t heard of Penske Media, you might have heard of some of our brands. This includes TV|Line, Deadline, Variety, BGR, entv, Hollywood Life. We run about 30 events, including some that are on, I don’t even remember what, CW I think, and a couple of others.

To give you an idea of what our launch schedules tend to look like over the last few months, everything from new major sections on our sites to actual site redesigns and brand new sites themselves.

We launched a Mundial section for Variety Latino, a Contenders Awards aggregation section for Variety. Back in May we did a full-on site redesign launch for TVLine, events like our Power of Women event, International Editions on Variety, a new section for our events. And generally, every month we do at least six or so brand new products or sections for our sites. Anything from just a new page, to a new major feature, to a brand new site.

So basically getting on to what we’ve done, these are in no particular order. So one of the things that’s the most common that we’ve run into in the past especially is you know, we go through all this trouble launching a new feature, a new section on the site and 3 months down the road we realize hey we’re not getting any mobile traffic to this section.

So obviously, we forget to add a link to it, to our mobile themes header or side bar or you know even forget a mobile optimized version of it.


It's odd but it happens, and then essentially we've targeted that by making a push to do a responsive theme for all of our sites at this point, and I think the number one driving reason for that, aside from higher mobile engagement as the years go on, is just that you have to account for different devices and different sizes when you're dealing with responsive. You know, it gets baked into your QA processes and your thought patterns.

So the key takeaway from that is just not every problem that you encounter has a solution like "oh yeah, I need to remember that"; sometimes the solution is changing the way that you develop or think about your products in general, more so than "oh, I have to remember to do this on launch day".

Another big one, especially a big problem for sites like ours that are ad-driven for our revenue, we forget to loop in different team members or different people within the organization and then we find out they were completely unaware of the launch and you know, we didn’t think that they needed to know.

So you know something happens like ads don’t even show up on your new section, or the wrong ads show up in the wrong places on your shiny new website design. So in order to combat that we started doing cheat sheets where prior to each launch, we just put together a simple one-sheeter that explains okay, here’s all the key dates, people involved and milestones that are going to get us from the concept to actual page on site.

So the overall take away there is just every team involved knows who else is involved and what other teams are there someone in there is bound to know “hey so and so from the editorial team or from our vince coverage team is gonna need to be involved in this and it just helps circulate the communication there.


We have had launches where we forgot to actually turn it on whether it’s actually activating the theme or enabling a core feature for the theme or dragging the widget to the sidebar.

And the problem there is there wasn’t one person who was owning that launch or that feature, that particular thing. So from then on, we just have to make sure that every thing that’s on our checklist, everything that’s happening, has one person that owns it, since we found that everyone on the team may know what’s going on but they may think that someone else is actually going to do it.

And sort of adjunct to that is you know, it’s useful, we’ve found that, you need to have someone who’s, with a small team especially, you tend to get focused on all the little pieces needed to pull the whole thing together, but the way things like this get missed is you tend to not have somebody just keeping the eye on the overall thing or project or launch and just making sure all the piece fit together.

And we've had launches where the key stakeholders never actually saw the feature we were building before we built it and pushed it out. So obviously hilarity ensued once they actually saw that we launched a major section of the site that they were responsible for, or a feature that they had to suddenly start populating content for, etcetera.

So essentially to combat that, we realized in addition to just making sure that we flip the switch and loop in ad ops teams and editorial teams and what not, we need to make sure that communication was actually part of our list. You know, so at a certain point, it’s like one of the steps is make sure that you know who to communicate this to make sure that you actually get them to review it at certain points.


So you know, treating your milestones and key communication points as actually just something else you do just like QAing the feature, just like building it, just you know, every other piece of it.

And one of the last two are kind of some of the more embarrassing ones at least from my point of view. So the times when we broke something and just kind of hoped that nobody would notice while we were scrambling to fix it.

And of course, meanwhile, the actual stakeholder sees it and you know, starts being very vocal about seeing it, which very quickly escalates the situation. So it’s kind of obvious in hindsight, but you just have to you know, own up to what you’re doing. Whether it’s good or bad, when things are going wrong, when things are running late, you just have to make sure that you’re, you know, keeping constant communication going with your key stakeholders for a project.

Key stakeholders, just a sidebar for a second, could be anyone from, if you're launching a new section, well, it's going to be the editor or writer of that section; it could be the general manager of the site. Just whoever it is that is most invested in the success of that project or product.


And then I think the key thing that we also learned from it is overall, those, it stings a lot less whenever you go to someone and say “hey we just noticed we did this or something happened, we’re actively working on it and we wanted to let you know and keep you in the loop” than them suddenly looking at their site and seeing a mess, you know.

Other ones are right after our launches. Having the general manager of the site say, “hey I noticed I’m getting fewer page views can you look into it?”

What’s going on? Well many things. We found a couple times where we’ve accidentally blocked search engines from indexing things we had meta tags or robot […] files from our dev sites that made it into production and we just never looked because who would do that?

Other times, we left analytics off of pages, especially when doing ajax operations and you know, things that aren’t a strict load where you still want to track page views or other engagement based off of that.

So essentially what we’ve found there is kind of a two-fold answer because there’s multiple problems there. First, it is not making assumptions. Maybe you looked at something or scanned it at one point and said “oh yeah, that looks good” and you move on.

Or maybe you’re just like, “yeah of course we’re tracking page views on this why wouldn’t we do that?” And the kind of take away that we really got driven home in those scenarios is, product launches do extend past the launch date.

Not only from just keeping an eye on things and just making sure things are working, but just from this point of view of from if you’re a product person, measuring the success of the product or project that you’ve just pushed out.

Is it working? Are people actually using it? And being able to respond to those things that you see, whether it’s in analytics or whatever so, that’s pretty much it.

Just to quickly go over how we at PMC have overall handled dealing with these things we’ve sort of, we start with the idea of let’s just do something and let’s just do it as a small team and see what works and what doesn’t work.

As we make mistakes, we introduce process to combat those mistakes that happen frequently and we constantly strive to reevaluate whether what we’re actually doing is working or not.

So we know that as we grow in size and as our sites grow in complexity, there’s just more process that you have to do to be able to handle these various scenarios. But we also know that process can kind of get in the way and the more process you have, the less likely you are to actually follow those processes, so it’s really finding a very happy balance between the two so that you’re actually being effective with the things that you’re trying to do.

So I’ll just kind of go over these quickly you know, it starts with project planning we typically work backwards and forwards from our launch date to make sure that our timelines meet somewhere in the middle, to make sure that we’re identifying all the people who are involved in the project and getting them looped into the timeline discussions.

We put together our little one-sheeter cheat-sheet with stakeholders, dates, URLs for being able to test things and check things dates, when they can go in and look at it, that type of thing.

We have one checklist for what we need to do before we launch, things like who we need to coordinate with to get on the actual launch time, it’s usually the WordPress.com VIP folks and then we need kind of configurations that we have to deal with.

We have our timeline for launch day, it’s literally a minute by minute calendar with who’s responsible for something and what the status of it is. We use Google Docs for all of this because our company is on Google Apps for business, but previously we used things like Trello and whatever works.

The key to all of this is to make it easy for people to access. Since we’re on Google Apps and using Google spreadsheets, we don’t have to do anything special for someone to log in and see a sheet or someone to edit it or for someone to have access to it.

Then we have our actual launch checklist, just a general overview of what needs to be done and who owns that piece of testing or review and we go through that once right before we launch and once right after we launch.

One of the newer things that we’ve introduced that’s been really successful is our support structure. Essentially we’ve started creating a chatroom, sometimes it’s a Google hangout sometimes it’s a Skype chatroom, it depends on who the stakeholders are and what they use every day.

On launch day, we everybody gets into the chat room, and that way whenever somebody comes across a problem or something, they just type it in or say what they’re seeing and you have that instant one-on-one communication.

We also try and identify one or two key people on the team, like if you’re doing a site launch, it might be the general manager of the site and the lead editor.

They’re the conduit between the writers and the other staff on the site and us so it lessens the noise that goes on on those launch days and our ability to find out what is actually a problem.

So that is basically it. Any questions?

Q: One thing on the VIP team that we’re really bad at right now is celebrating our launches internally So when we put in weeks or even months working towards a launch, we’re not very good at patting on the back and saying nice job, good effort, all that stuff.

Do you guys do anything like that to celebrate the launch or, sort of, boost internal morale?

A: That’s actually a very good point, that should actually be part of this because it’s certainly something that all of us on the team have strived to make part of our launch process. You know, we’ll send out an email and we’ll include the CEO and other people on it just saying “hey, this went live”, if there were people who were really, you know, worked 24/7 to get it out, we’ll make sure they’re acknowledged in that.

Our CEO is actually really great about it as well, he’ll respond and say fantastic job, especially, Amit Sannad or whoever else on the dev team that has been working weeks and weeks to get the thing out.

You know, we’ll usually, it’s tough because we have a distributed team as well, so those of us, like most of the product team is based out of Los Angeles, so we’ll get together and go out and have drinks or something like that.

We just try and, we're still working on figuring out how to better include the people who are located outside of our office area. So far, we've just been making up with small gifts and tokens of appreciation, thanks and emails and pats on the back and so forth, but we're trying to find ways to do better on that.

Q: Do you use automated testing at all to help eliminate some of those issues?

A: We don’t. Sorry, he was asking if we use any sort of automation or automated testing to help with these things, and you know the short of it is we don’t. There’s a lot of reasons why we don’t and none of them are really that good.

Most of them boil down to like we haven’t found out how to automatically test for some things. We have introduced some types of automated tests like we have pingdom alerts that look for the ad strings on our various pages so we know if ads aren’t rendering and things like that.

But we’re still not at the point where we’re using any kind of unit testing. We’re not using any kind of selenium or UI testing. It would definitely help quite a bit with some of these things.

Any other questions?

Awesome, thank you.

See the presentations from previous Big Media & Enterprise WordPress Meetups. For Big Media & Enterprise WordPress Meetup groups in other cities, see the full list on VIP Events and join your local group. 

Want more information about WordPress services for media or enterprise sites? Get in touch.

The Dream Internship: Work at Automattic (Summer 2015 and beyond)

Applications are now open for the WordPress.com VIP internships! We’re currently focused on applications for the summer 2015 period, but we’ve also opened up a dedicated internship application form which will allow interested students to apply for internships on a rolling basis during the year.

Our company Automattic — which runs WordPress.com, Akismet, VaultPress, and many other services — is looking for a few stellar student interns, specifically to work with us on the WordPress.com VIP team. WordPress.com VIP provides hosting and support for high-profile, high-traffic WordPress sites, including Time.com, FiveThirtyEight.com, qz.com, TechCrunch.com, Recode.net, NYPost.com, etc.

Where will you be working you may ask? Anywhere! We are a distributed company and are happy if you work from wherever you are — as long as you have a good broadband connection.

For more information and to apply for one of our paid internships, please refer to the dedicated Internships page here on the VIP site.

We look forward to seeing your applications!