 Good morning everyone Yeah, let's let's go into it. So most of the introduction was already done and I seem to have lost up. There we are. Okay so Most basics have been been told already. I'm very passionate about Performance and security. Those are the things I work most with at Combell and Of course debugging issues for clients I'm on Twitter and at Brecht Rijkaard and my website is just as well brecht rijkaard.com The slides will be tweeted and will be published on my site later today. So you'll find them there Who's ever has ever had this or? This one for that matter Or even when migrating a website and we all know this Okay So for some reason the connection to the VGA is a bit flaky. We'll try to deal with it Things like that should also become a knowledge. Is there anyone in the room who hasn't had it? You sir are awesome and a very lucky man and like doesn't it make you feel like We all get frustrated now before we can dive into the the process of going through Solving the problem. There's a little bit we need to know about error codes there's Well, there are many kinds of error codes, but there are two kinds that you'll be confronted with the most Which are 400 based error codes and 500 based error codes The funny thing is these already will give you a good indication of on where to focus your search to solve an issue So basically in really simple terms a 400 code will say you stuffed up. It's a client error The 500 code will tell you your server stuffed up Meaning something went really really wrong on the server not necess not necessarily your Your issue or your cause So Here's a number of error codes. You might encounter. So you see The 400 ones always have something to do with Basically your code or something which is missing in your application or You're doing a request. It's not entirely correct You are trying to connect without proper authentication things that are client site related And of course the most common one of all the for the 404 file not found which is basically your Your website for sending me this Then there's the 500 ones Those are the ones you'll probably see most Especially when working with WordPress You got internal server error not implemented bad gateway things like that Basically, this is your server At that point Now the interesting part is how are we going to debug this? There's quite a lot of tools we can use quite a lot of techniques These are the things I use whenever a client would contact me and would Tell me of an okay. I have this issue or I get the white screen or this or that whatever Basically, I will dive into the server locks. I will use WP debug I'm a huge proponent of WPC ally and then you have of course some other statements You can use like script debug and save queries And there are also a couple of plugins with our which are pretty handy to debug issues So first up the server locks, which is for anyone who has anything to do with hosting probably the go-to resource if you're going to debug something there are a couple of Types of errors you will find in those locks There are more than these but these are the most common ones we'll encounter so you have fatal errors You have warnings and notices and you have limited related errors Okay, so can anybody everybody read it because not quite sure well For example this one It's one we see rather often who has encountered this one before One person okay, so for example, this would be if you were trying to do a request towards a specific file or Folder or whatever and it would be denied because of for example the HTX is prohibiting The connection to that and this will result in this kind of error message The pretty much stating that your your server or your setup is preventing the request from being completed There are other ones which are not as as obvious like this one This technically tells us that your Your request is waiting on some kind of feedback or some kind of call back before it can continue And it the response just didn't come in time and it aborts It's it keeps on pulling this one is a classic Just by show of hands who has seen this one Pretty much everyone in the room just as I expected This is mostly code related so in most cases this will indicate the bug or a typo or anything like that This is something we usually won't always be able to solve as a hoster This needs to be usually done by the developer of the website Then there's One of my favorite tools ever WP debug It's an amazing tool So in WP config you'll have by default WP WP debug Defined as false of course to enable debugging you just alter it to true and save the WP config file This should be common knowledge And at that point a Debug dot dot log file will be generated in your WP content folder containing more error outputs than the regular server logs Now of course it isn't Always as well. Yeah, I was one slide early. I'm sorry so to enable the log You need to at this statement and Then the the log will be will be shown so in the first statement here is actually just visually displaying the one the errors on On the screen this one adds the log file, but of course you don't want them the errors to be visually For everybody to see So this is why we would add this on if you're debugging on production sites this will enable the debug function and In combination with the other two statements write the errors to log and Won't display them on screen for any visitor to see which is a lot more safe in a production environment than if you're just Making it publicly available So my ideal setup in this case would be exactly this Enable debug Enable the log, but don't display it on screen then we Yeah, come to WPC li I've I've been a huge proponent of WPC li for years now Been following it rather closely So it's also great to see that it's now part of the the core services and tools of WordPress and Well that Alan Schliezer has been taking up development amongst others. He's a really good developer So I expect many great things from WPC li in the coming months and years. So What are the things I use mostly? The those are these ones. There's a couple of commands here. So WPC plug-in lists. It's rather obvious it gives you in the command line a Output for some reason why I get interference on my remote So WPC plug-in list gives you a list of all active plugins shows you if Well all installed plugins shows you if they're active if an upgrade is available things like that but It can often occur that And the user activates a new plug-in in the back end and the back end becomes unreachable But the site still continues functioning in this case WPC plug-in deactivate will be a godsend. You just connect to SSH You do WPC plug-in deactivates. Let's say WB 3 total cache And you will be able to disable the plug-in restoring access for the customer without having to do anything else so that's a very easy way to to deal with that kind of issues and Of course, you can also reverse it by just using WPC plug-in activate same thing with the teams Listing teams deactivating them and activating another one if there's an issue And then there's two really really cool addendums which have been made to WPC ally in the last couple of Well last couple of months to a year first one is WPC checks some core which is well At combo we're often confronted with With the customers which site is suddenly throwing an error But for some reason it's not necessarily a bug or anything else. So sometimes it's also a Well, it follows a case of hacking and By running WPC checks some core WPC ally will well verify every single file within the main route installation The WPC admin folder and the WPC includes folder against the repository So against WordPress Pandora and it will output a list of all files that have been altered that shouldn't have been altered Or even all files, which aren't supposed to be there. So that's a very easy way to find if it's caused by hacking for example, and I actually even find it to be more accurate than for example a Linux tool called maldetect Which you also use so it's a very very accurate tool and Just recently with version 1.5, which was released They added checks and plug-in, which is the same thing but against all plugins in the WordPress repository. So this is This is tremendously awesome if you're debugging anything and if there's even the slightest suspicion of hacking so Great tool to use Now another fun funny thing is if you're sometimes WPC ally will crash or Not give you the requested or expected output, but it will result in an error That you wouldn't have found otherwise. So I have some cases where I for example do a WP team list and I found this It didn't turn out in the the regular error logs But through running WP team list. I found this one and Yeah, obviously this is hacking. This is the favicon underscore something something Dot ICO it's something we see rather rather often these days and usually is well a shell or a backdoor or something like that so that's also It's not an intended use, but it's an extra handy use nonetheless Then of course we have script debug Which is another thing we can simply add to the WP config file What it does is by default WordPress will be using minified versions of JavaScript libraries and things like that If you enable script debug as true just by adding it in the WP config file It will not use those versions, but the dev versions the full Unminified versions which can help to resolve issues This is specifically more for a developer profile, but can be handy nonetheless Then there's a another one. I actually during the research of this talk. I actually learned about this one I've been giving support on WordPress and and other sites and then things like that But for over nearly 10 years now, and I didn't even know about safe queries So I'm very ashamed, but I've learned something useful here. So what is save queries? It's another statement we can add to the WP config file But what it does it will store all information on the queries you're running in an array in the WP DB array So The funny funny thing is if we then added add for example this part of the code or this little segment of code to the The footer we can print out all queries just on the page So this is very easy if you want to do an analysis of slow queries or just see what the WordPress is doing Database wise so this can help if it's If your site is especially slow for example in the back end this might help you out Then of course there are useful plugins First one is core control Don't know if has anybody heard of it No, okay So this will help you do a few very handy things It allows you to verify crons you're running on WordPress. So this is actually a bit to verify Yeah Scheduled tasks and things and like that's within WordPress. It helps you to take manual control of Updates, so this will help you to force certain updates on your WordPress It does HTTP logging Extended HTTP logging I should add and you'll be able to test certain transport methods So you'll be able to test specific get or post requests against your WordPress site Can be handy the most favorite one. However is this one the WPD bug bar Which is a very useful plug plug in because it's basically Does everything? WPD bug will do and Save queries will do so to if you're installing this plug in you will be needed to add to set WPD bug to true and enable save queries and then you get a very easy Way to get the output of this just like if you're the save queries You just go to the queries part part and it'll just print it out as As you see it in here So you don't have to add the extra code to your to your footer template or something like that It also allows you to take control of the the internal object cache of WordPress So you'll be able to clear it or just do some tests against it Which is a tremendously interesting thing there's also a Number of typical errors. We're almost on a daily basis confronted with Just by show of hands who has seen a media library like this. It's a fairly common issue Usually not always but let's say in 90% of the cases to my experience it would have something to do with The upload part in the WP options table, which is set incorrectly this mostly would happen after a migration from one server to another especially if the server isn't using the same kind of configuration or soft or paths, so for example if you're going from a Direct admin server to a plus base server or vice versa or anything like that the paths will be different so in most cases it would be resolved by just clearing out the The the value so in this case slash ETC, I just set it there to break it and to make this screen screenshot like that Just by cleaning it out it will WordPress will automatically detect the current path So that should resolve the issue you'll be able to upload again and all files that are there should be shown again correctly Another one is this for this I broke my own site This is also something very common often happens after migrations as well In this case the content is being loaded. However, the CSS is completely ignored or missing or whatever This usually has to do with incorrect site URLs in the database. So in this case, I replaced brechtreikard.com by brechtreikard.com.loka and You see it breaks the entire layout of the site because these two values are what are being used to reference pretty much everything in WordPress Then there's the instant classic Cannot modify header information header already sent Just curious by show of hands in the last couple of weeks I think pretty much everyone has seen this one. There's actually a number of probable causes for this one They could be intentional or unintentional, but most cases would point to a white space before the opening tag of PHP or after the closing tag tastes Just yesterday Told me that's exactly the reason why he does no longer use closing tags in PHP at all Just never uses them anymore other things could be Functions like print and echo which are already producing an output and thus sending a header or raw HTML sections prior to PHP code Those are some causes. There are many more possible causes, but these are The causes are we tend to see most as the cause of issues at support now I'm very happy to be talking about something new coming to WordPress Really shortly if everything's okay, and that's tight Has anybody heard about the tight project within WordPress a couple of people great So what is tight going to be and what will it be or what will it do to impact Your experience and reduce bugs It's actually a new team within the core teams of WordPress which are creating and Are planning to run automated tests against every single plugin that is going to be Submitted to do at the plug-in repository and to the backlog of all existing plugins now These tests will be done by amongst others PHP code sniffer Which will verify if the code upholds certain standards But also is able to just find out about certain errors in the code and in that case the tight team will be Implementing a mechanism normally that will report those errors back to the plug-in developers. So This will result in more bugs getting fixed before it even gets into the repository Which is a very good thing and of course the check of the entire backlog will be an awesome thing To give you an example of what's PHP code sniffer can do not many people know this but recently there has been a huge patch For WordPress core over 100,000 lines of code which have been altered fully automatically by PHP code sniffer One of the leading people in that project was Julia Trainers Follner Who is a huge PHP code sniffer proponent herself? and This was just done by using PHP code sniffer automating the entire process and pushing it to production and There has have there have been some issues, but on a scale so small that it even wasn't an issue at all. So This gives you an idea on how good this PHP code sniffer thing really is and it's also a tool Which you could use for example if you're using PHP storm to develop your your sites There's an implementation of PHP code sniffer already inside of it So you can use it to test your your code as well before going live now What can you do as the end user? It's always easy to say well, it doesn't work. It's crappy whatever Don't do that. If you're confronted with a bug first and foremost contact your hoster work with them find out what's going on and Normally every case they will be happy to help and point you into the right direction or even implement a solution if possible If it's something which can be altered by changing the PHP settings for example or the the file permissions or whatever What's once the if you find out for example a bug in the code Please report it to the developer of the team of the plug reported to the core people of WordPress because only that way we can work together and Well be aware of the bugs fix them and result in a better code base for all people to use Which will in the end result in less bugs and led less errors and a happier crowd using WordPress altogether Yeah, basically this a bit shorter than I was expecting as I've been going rather fast, but are there any questions? Yes Well that would depend on your implementation on the server because technically WPC li is a binary which you can install on your server so If the setup is pretty okay The binary should be able you should be able to use it within the hosting account, but the binary should be Yeah, yeah, so this would prevent WPC li getting compromised Except of course if your server is rooted then you still have the option of getting compromised as well Is there an option to run WPC li remotely because I know it depends on file system and database credentials, I guess Yeah I Haven't used it remotely, so I would have to look into that Yeah Database credentials are yeah There is a slack channel and make it work as the core dot. Orc And there's also since it's been Introduced within the WordPress services and tools. It's also on Megatworkpress.org slash WPC li or WP hyphen CLI I think so there's an entire page where you can follow the latest Developments releases and things like that and you also have WPC li.org Which will also point to these pages, but will also have directing to the entire list of commands You'll be able to use because it's it's an extremely useful tool I only showed you a small portion of the possible commands, but you can for example also use this to to do migrations or change your your domain or Do basically anything you would be doing in the back end, but over SSH on the command line, so it's an extremely potent tool Okay, problem I will in English Yeah Okay, okay, so he asked so I was talking about tight that they will do the automated scans once it's been submitted to repository And he asked if it's also possible to do it before you'll deploy it to the repository The answer is yes, you will be able to do that But you'll need to install PHP code sniffer locally. It's it's an open-source tool, so it's free to use But if you like it, please contribute to the project Or if you use for example PHP storm you can just install it as a plug-in and you can run it locally And it will do exactly the same checks As PHP code sniffer will do in the tide implementation, but do note that tide will include Some more checks some custom checks developed by the WordPress core teams or specifically the WordPress diet team So I don't know which those are yet Yeah Does it also check for edit files? Yeah, it does it does so I just recently I think two days ago Yeah, okay. Yeah, so actually think two days ago I was working on a ticket for a customer which this person site had been hacked And so I ran our mall detect implementation which scan and found I think three or four files I Tend to know now that WP checksum is a bit more accurate So I ran that check as well. It found seven additional files of which were Three of them were altered legitimate files So indicated this these files have been changed and then it simply states File should not exist and it shows you Some file name Well, yeah random string of numbers and digits and then mostly, you know, this isn't quite legitimate So it also shows you added files And that's a great thing with the new addition of the WP check some plug-in Because it will check the plug-in folder for added files as well, which is a really great thing It'll save you a lot of time Cannot They could use word fans You could use if if that's even to high level you could Point your your user to for example things like security side check or Gravity scan which are basically also scans just run run remotely. They're not fully as accurate, but they're They're okay. They're okay Yeah, yeah, absolutely there there are lots of solutions I Haven't used it. No because in my use cases, so I usually provide support on this our shared hosting cluster With the tools I've shown you here in combination with our default logs I mean, I haven't had actually any cases where I wasn't able to solve it and in the exception of one or two cases in the last two years where I had to resort to for example S-rays I Was able to resolve every other case With just these tools. So I haven't had the need to implement them just yet. So Yeah Okay, I think we'll be talking later on Actually, I use word fans on every single site I I operate myself the free one the free one just for the some Settings tweaked. So for example, I don't give hackers an hour to test 30 different times I just Limit the attempts to I think three and ten minutes and then they're already blocked and but basically it's a free version I use Now that I am Using WPC li however, I do tend to use that more often to perform a scan via the checksums Than the word fans. I'm not saying word fans is bad. Not not by any means. It's a great plug-in there. Their scan is very accurate it's just To my opinion the WPC checksum commands are more accurate. So I prefer those Exactly exactly exactly and Word fans would be perfect Technical user And this is the part I hate about making WordPress websites We've been you've been talking about hacks website Is does this come inside when a web sites already hacked or do you do preventive scans and on what basis or how long does it take? We do well, I can of course only speak for our own hosting cluster, but we do preventive Scans a couple of times a month using the Maldi tech package, which isn't it's a custom implementation. We run which scans for file signatures of malicious malicious code and things like that and It reports us if a certain account has been Infected and based on that we do a manual research as well and this is where this comes in Yeah, because Maldi tech this is good, but it's not great. So this is like digging deeper into the research manually using these tools Yeah, exactly. It's quite a lot quite a lot of tools There's another one that we use Yeah, but it's not preventively Depends on what you understand Detection so that means if there is a well known critical vulnerability out there The sites have not been patched and are prone to it We will stop it at the web server level before it enters So even if you weren't quick enough on the gun to upgrade your wordpress It still won't hit you because it's and it only applies to well-known issues Yeah, these little exaltic plug-in that has a leak you only protected by that but well-known Leaks will be covered before you get back. Is this the difference between good-go-sing and crappy hosting? Well, you could say yes But we it would be Arrogance is the same. Yeah, I think it's a common practice that yeah You can depend on the host are doing this as well for you Should yeah, they should Of all the tools you've showed us do you use them every time all the time or is there one particular favorite or when you start? The first actually I basically shown them in chronological order. So The plugins I don't use or pretty much don't use them at all because most things I can do from the command line And well as I said like the WPD bug bar is actually just an easy way to implement save queries and WPD bug for well a bit less technical users So but you can do the same thing via the command line So I always start with these server logs because this will give you the first indication of what is going on and Based on what I can find in the server logs. I will then either resort to for example WPC li or WPD bug or things like that. Yeah Yeah, exactly and that's also the error codes will give you an initial direction to it to go and find your culprit And maybe one more question Well, I don't use it personally because with these tools I'm able to solve 99.99% of all cases that enter and usually if I can't find it we resort to S trace and We really have installed an X debug on a production system. Yeah, exactly An alternative that we are heavily looking into is a use of application performance monitoring tools like Relic or sideways or Blackfire IO It's just a matter of finding your right match and that gives you pretty good breakdowns of what is happening And also gives you a sort of map of all the services that you're calling externally the eyes It's primarily related to performance, but it could be used in a debug complex as well And you have a control your sample rates quite well, and it doesn't eat your server Before we give a big plus to that I have a very important announcements that you won't hear when you start leaving People with dietary requirements because lunch