Thank you. Sorry, right. Yeah, so hello everyone. My name is Jack Lennox and, as John said, I spent my first couple of years at Automattic working on the theme division, so I was mainly focused on themes and on all of the experience around themes: how users select themes, how they get started, that kind of thing. About six months ago [I moved to VIP], and it was quite eye-opening for me, because, as you'll see, the Automattic VIP team is kind of way down there, like the canary down the line for everyone using WordPress, because they do some of the craziest stuff you can imagine with WordPress.

I have a habit of speaking quite quickly, and I know that I have a funny accent and everything, so if I am speaking too quickly just [tell me to] slow down. This is very much an open thing and this is obviously quite casual, so if anyone has any questions while I'm talking, just ask.

So, WordPress.com VIP. I appreciate not everyone here necessarily knows anything about it. So firstly, why should you care? Why should you have any interest anyway? (Let me actually come in here so I can see my laptop.) Yeah, so it's enterprise-level WordPress hosting on the WordPress.com platform. We serve about two and a half billion page views per month, we have 99.976 percent uptime, and we have a 349 millisecond average response time, which is pretty good.

Some of you may also not really know about WordPress.com, so there's another question I need to answer here. WordPress.com is the largest single WordPress installation in the world. It's basically a massive WordPress multisite, if anyone's dealt with multisites, only unlike most multisites, which maybe have 10 or 15 or 20 websites, we've now got getting on to 100 million all running on WordPress.com. So it's pretty nuts. We're serving through WordPress.com 21 and a half billion page views per month and 55.8 million new posts per month.
It's pretty insane: tens of millions of sites and blogs. As I said, I think the exact figure is getting towards 100 million, but we don't tend to talk about it because there are obviously lots of spam blogs and stuff, so we'll just say tens of millions, because that's more accurate as to how many people actually use it.

Back to VIP. This is from our promotional website for WordPress.com VIP, and actually this is getting a bit out of date now, because we've now added Microsoft and Facebook to this list. It's pretty crazy. Loads of the Facebook blogs are on WordPress.com VIP, as well as a lot of the microsites they've been launching around their brand and around different values they have; the subdomains that they run are with us. And the Microsoft Studios website is WordPress.com as well, and on VIP. So it's pretty cool. There are loads of newspapers; it's huge. There's a whole load of new News Corp stuff coming over in the UK, and News Corp Australia is all on WordPress.com. It's crazy, loads and loads of stuff.

Now, the problem with this system is that VIPs want to build their own stuff, and for anyone who's run a WordPress multisite, you may know that it's pretty restrictive: you kind of have to run the same thing for everyone. So if you have hundreds of millions of bloggers on the one hand, and then you have big corporations on the other hand, it gets pretty tricky to try and keep all these things together on WordPress multisite, as I say. And it's very difficult for us to vet every developer. So the way that we get around this issue of allowing people to submit their code to WordPress.com VIP is our solution, which is [code review]. We review every single line of code for our VIP clients, and so far we've reviewed about nine million since we got going. Hand-reviewed, by people.
It's pretty crazy, and this was one of the first key learnings I had on the VIP team. I hadn't really done a lot of code review; I'd worked with people a bit. Just out of interest, who here has done some code review? Almost no one. That's perfect, brilliant. That's great, because hopefully you're interested in why it's interesting.

So these are the reasons why we do code review. Safe code is one of the primary things. We're allowing, to some extent, people that we know to submit their code to WordPress.com VIP. They are from trusted clients and companies, but, you know, anyone can be an intern, anyone can be at any different level, so code coming in can be from absolutely anyone. So we will check it for XSS vulnerabilities, unescaped and unsanitized code, and I'm going to go through what those things are and why they're important. But that's our primary thing: keeping everything safe. And obviously on the WordPress.com infrastructure it is one massive multisite, so one bug from one developer couldn't bring down the whole thing, but it's getting towards that way. So it would be absolutely catastrophic if we weren't on it with this kind of thing.

The second thing is scalable code. Because we have this massive shared infrastructure, again, we need to make sure that people are building stuff that's going to work, that's going to be scalable, that's not going to knock out one of our clusters or one of our data centres because they've got some crazy query that's, you know, querying by meta keys and values and causing us loads of problems across millions of posts or something like that. So we want to focus on smart queries, make sure that all the functions that are being used are cached (again, I'll talk about that), and we want to make sure the code is actually good.
It's DRY, Don't Repeat Yourself, for people who aren't familiar with that term. And the final thing is readable code. Some of you may know there is a set of WordPress coding standards, which sadly a lot of people don't use, and I'm going to talk about how you can use them if you don't. We want to make sure that the code is readable: code is read far more than it's written, so we want to make sure that if there is a problem it's easy for someone to dig in, find out what the problem is, and hopefully solve it. If the code's all a spaghetti mess, then it's very hard to work out what's going wrong.

So, to elaborate a bit on safe code, what do I mean by this? One of the key premises of producing safe and secure code is to validate and/or sanitize early, and I'm going to go into exactly what I mean by that, but hopefully some of you have some idea what that is. The second thing is to escape late. And the third thing is to be aware of the type juggler, which is PHP itself; again, I'll explain. You may be wondering what the hell that is. I'll explain what that is in a second.

The guiding principles of our code review process are: never trust user input; escape as late as possible; escape everything from untrusted sources like databases (your database is untrusted) and third parties like Twitter, anything else that's coming in, basically everything; never assume anything; never trust user input; sanitization is OK, but validation or rejection is better (and I'll explain the differences in a second); never trust user input. I have links at the bottom, by the way, so I will share my slides and you can find more information on this from the links that I'm putting at the bottom of each slide.

So, validation and sanitization. Who here knows what I mean by validation and sanitization? Good, this is a good talk, right? Well, hopefully, as long as I can explain it properly.
So validation is to check if the data that you have is what you actually want. For example, we have a function within WordPress, a core function anyone can use, called is_email, and you can look it up in core. is_email basically runs a series of checks to see if an email does at least look like an email. It doesn't check if it actually exists; it doesn't send an email to that email address. It will just say: is this some characters, followed by an at sign, followed by some more characters, followed by a dot, followed by some more characters, and then maybe some more dots, et cetera, et cetera.

Validation is great because if you're validating your data correctly, then you know, before you even try to sanitize it and check that it hasn't got any dodgy things in it, that it is at least looking like the thing that you want, and you can potentially reject it at this point. So if you're building an application, or you're building something in WordPress, or a comment system or anything like that, you can say to the user, if the thing isn't even an email address: look, it's not an email address. And there are loads of other examples. If it was in Singapore you might be checking for, say, a postcode, and you know that a postcode is six digits, isn't it? So you can say: is this string six digits? If it's not, reject it; it's not the right thing. There are a whole bunch of functions that WordPress provides, and you can find those at the link. One of the most popularly used ones is is_email, which is very handy.
So this just returns a boolean value. If the thing you pass in between the brackets is an email, it will return true; if the thing is not an email, it will return false.

Sanitization is kind of the next step after validation, because something might be sane, it might be something that is what it says it is, but it could still be dodgy. It could still be an email address that's actually full of apostrophes and maybe has a SQL injection or something else which is going to ruin your site. So sanitization is then to take the data that you've been given and to run it through some checks, and potentially replace things in it that you don't want. So for example, an email address would never have a space in it. I think actually is_email would pick that up, but let's say you might want to run a function that says, if there are any spaces in this string, take them out, because then it's not an email.

So there is a whole class of functions in WordPress core, and again you can find those at the link at the bottom. There are so many that I didn't want to list them all out here, but I've given sanitize_* etc. So for example, there are things like sanitize_text_field, which will run all of the relevant checks for sanitizing a text field. There's a whole lot of others; I'm trying to think now. There's sanitize_user, I think, and sanitize_url. sanitize_user is for usernames, so it will run all of the checks that meet the WordPress criteria for what a username is. sanitize_url will run all the checks for what a URL should be, and it will get rid of anything that shouldn't be there. And one of the most common things is, if say there's some HTML in there, it will take the HTML entities and turn them into plain text.
So you've probably seen things like &amp;. That is an ampersand, obviously, but when you sanitize it you don't want to put an ampersand in, because an ampersand could be interpreted as something dodgy as part of a bigger query or something. So you turn it into "and", etc. And it works; it's nice. Again, never trust user input.

At the other end, this is how we check things that are coming in. So hopefully, if we're validating and we're sanitizing, then by the time anything goes into the database we know that it's good. That's what I think: we know that it's at least not too dodgy, hopefully, and we know that it's hopefully going to be safe. But we still don't trust it. As I said, never trust user input. So at the other end, when you are presenting content to the user, we do something known as escaping.

Now escaping looks kind of like this. These are some of the helper functions that WordPress provides. Again, there are actually more than this, but these are some of the key ones that we use a heck of a lot. The top one is esc_html.
So what that's going to do is escape: it's going to check the content that you've taken from your database, or from Twitter or somewhere else, and it's going to check that it is HTML, so it's going to get rid of anything that doesn't fit what it considers to be valid HTML. And then at the other end of that you have something like esc_textarea, and what that's going to do is actually get rid of all the HTML as well and turn it into entities. Which means that if you use esc_textarea on some HTML, what the user would ultimately see is the actual HTML in the browser, because it would appear to the user like code, whereas normally that shouldn't happen, because the browser should interpret it. But it won't if you turn it into entities; that way you strip the entities and turn them into plain text.

Then you've got things like esc_url, which will just basically make sure something is a URL. It's kind of all the same things as the sanitizing; it's just doing it on the other end, so that even if someone did manage to get something dodgy into your site, you know you're saving it and you know it's still not going to cause any problems, hopefully. And then things like esc_attr, that's escape attribute. So say you're building up an HTML element and you've got the id and the class and those kinds of things: you use esc_attr to check that it's what an attribute should be. An attribute, for example, should not have quotation marks in it, because that could end the attribute and do something else, and you could do an XSS or something like that, which would be pretty nasty. We then have things like esc_js. That's if you've got some inline JS in your HTML page: if you're using, say, a script tag and you've got some JavaScript, you use esc_js and it will make sure that all that's in there is valid JavaScript and nothing dodgy.

The good news is, for people who are kind of early on in their process of being a developer, most
WordPress functions are going to handle this for you. So things like the_title and the_content are going to automatically escape anything that you're using, so you don't have to worry about it. So don't start having to wrap everything you do in these escaping functions; they're only for custom content. Anything that's coming from the core stuff is fine; you don't have to worry about it. It's all good.

And yeah, I said about escaping late, and why is that? The reason that sanitizing early is important is because the minute you're getting user data you might start doing something with it, so you want to sanitize it as early as possible, so there's no chance of anything leaking into any other part of your code and your program. That's obviously going to be bad news at the other end. It's good to escape late because hopefully the data is already sanitized; all you're doing is checking, as a final check, that it is what it says it is. One of the reasons we do it late is that it's safe, because if you escape it earlier it might actually cause you some problems: escaping it might break certain other things where you need the raw code. For example, if you're doing esc_textarea, it's going to strip stuff out that you don't necessarily want stripped out. And it's easier to read, because if you're escaping late you can see if something has been escaped. So you would normally escape at the very last minute.
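The whole path the last few sections describe, validate-or-reject and sanitize on the way in, then escape by context at the moment of output, put together in one file. This is an added example, not code from the talk or from WordPress core. The `function_exists()` blocks are simplified stand-ins for the WordPress functions of the same name so that the file runs under plain `php`; inside WordPress the real `is_email()`, `sanitize_text_field()`, `esc_html()`, `esc_attr()`, `esc_textarea()` and `esc_url()` are used and the stand-ins are skipped. The form handler, the renderer and the sample submission are all illustrative.

```php
<?php
// Added example (not code from the talk or from WordPress core): validate-or-reject
// and sanitize on the way in, escape by context on the way out. The function_exists()
// blocks are simplified stand-ins for the WordPress functions of the same name so
// this runs under plain `php`; inside WordPress the real functions take over.
declare(strict_types=1);

if ( ! function_exists( 'is_email' ) ) {           // stand-in: WP's is_email() does more
    function is_email( string $email ) {
        return filter_var( $email, FILTER_VALIDATE_EMAIL ) !== false ? $email : false;
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) { // stand-in: tags, control chars, whitespace
    function sanitize_text_field( string $str ): string {
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', strip_tags( $str ) );
        return trim( preg_replace( '/\s+/', ' ', $str ) );
    }
}
if ( ! function_exists( 'esc_html' ) ) {           // stand-in: entity-encode for text nodes
    function esc_html( string $s ): string { return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {           // stand-in: entity-encode inside attribute quotes
    function esc_attr( string $s ): string { return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_textarea' ) ) {       // stand-in: entity-encode <textarea> content
    function esc_textarea( string $s ): string { return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_url' ) ) {            // stand-in: http(s) only, then attribute-safe
    function esc_url( string $url ): string {
        $url = trim( $url );
        return preg_match( '#^https?://#i', $url ) ? htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' ) : '';
    }
}

/** Validate-or-reject, then sanitize, a comment-form submission before it is stored. */
function process_comment_form( array $input ): array {
    $errors = [];
    $clean  = [];

    // Validation: anything not even shaped like an email is rejected, not "fixed".
    $email = (string) ( $input['email'] ?? '' );
    if ( is_email( $email ) ) {
        $clean['email'] = $email;
    } else {
        $errors[] = 'Please enter a valid email address.';
    }

    // Validation: the talk's Singapore postcode, exactly six digits.
    $postcode = trim( (string) ( $input['postcode'] ?? '' ) );
    if ( preg_match( '/^\d{6}$/', $postcode ) ) {
        $clean['postcode'] = $postcode;
    } else {
        $errors[] = 'Postcode must be exactly six digits.';
    }

    // Sanitization: free text may be anything, so strip what we never want stored.
    $clean['name'] = sanitize_text_field( (string) ( $input['name'] ?? '' ) );
    if ( '' === $clean['name'] ) {
        $errors[] = 'Name is required.';
    }
    $clean['website'] = trim( (string) ( $input['website'] ?? '' ) );
    // A comment body may legitimately contain '<', so only NUL bytes are dropped here;
    // esc_textarea() at output is what keeps it from breaking out of the <textarea>.
    $clean['body'] = str_replace( "\0", '', (string) ( $input['body'] ?? '' ) );

    return [ 'ok' => [] === $errors, 'errors' => $errors, 'data' => $clean ];
}

/** Render a stored comment. $row came back from the database, so it is still untrusted. */
function render_comment( array $row ): string {
    // Escape late, at the echo point, with the function that matches each context.
    return '<div class="comment" data-postcode="' . esc_attr( $row['postcode'] ) . '">'
        . '<a href="' . esc_url( $row['website'] ) . '">' . esc_html( $row['name'] ) . '</a>'
        . '<textarea readonly>' . esc_textarea( $row['body'] ) . '</textarea>'
        . '</div>';
}

// Constructed submission standing in for $_POST; each field probes a different context.
$submission = [
    'email'    => 'alice@example.com',
    'postcode' => '018956',
    'name'     => "<img src=x onerror=alert(1)>Alice\t\x01",
    'website'  => 'javascript:alert(document.cookie)',
    'body'     => "</textarea><img src=x onerror=alert(1)>\0",
];
$result = process_comment_form( $submission );
echo $result['ok'] ? render_comment( $result['data'] ) : implode( PHP_EOL, $result['errors'] ), PHP_EOL;
```

Two things worth noticing when you run it: the `javascript:` URL survives sanitization (it was only trimmed) but is dropped by `esc_url()` at output, and the `</textarea>` in the body is rendered as text rather than closing the element. That is the point of escaping late even when you sanitized early: each layer catches what the other was not designed for.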
So say when you use echo in PHP, you're going to go echo, esc_attr, and then the attribute, and that way you can see if something's escaped. If you've escaped it earlier and then you're echoing the variable that's already escaped, someone else, or you, has to go back and work out where you did escape something. So it's best to escape late, so that you can actually just see that that is what you've done and that's what you intended to do.

Type juggling. Does anyone know what type juggling is? Literally no one. Cool, right. So have you ever done something like this? Has anyone seen something like this? So WordPress has, sorry, not WordPress, PHP has the standard comparison operators. They are things like == and !=, which means "doesn't equal". This is how a lot of people will start out using PHP, but the problem here is that == doesn't actually check that two things are exactly the same. It kind of works out types automatically, so when you do something like 0 == 'anything', PHP actually thinks they are the same, even though they're not, because zero is [treated as] false and 'anything' is true as a boolean. So basically it will juggle those two types and give you true == true. That's pretty bad news if this isn't what you wanted; if it is what you wanted then that's fine. There's a load more very scary things; if you go to this link, which again you'll see on my slide, the PHP website has demonstrations of all these different things that can equal the same thing when they really don't equal the same thing. There's a very easy way around this, and it's strict comparison operators.
So === checks that two things are exactly the same. So in this situation, a string containing 'anything' is the only thing that is exactly the same as a string containing 'anything', so that would come back as false, which is much better. This is kind of a bit of a weird example, because you'd almost never actually do this, but actually, yeah, there are plenty of checks that you probably have throughout your code where you're looking for things that are equal to each other, and obviously this could be very insecure. If you're checking that a password that someone has entered is the right password, the one that you have in your database, using ==, they could put zero in and they'd be able to hack into your website. It's pretty bad news. Again, if you are building a login system, really do understand these things, because that would be bad.

So yeah, strict comparison operators. The equivalent for "doesn't equal" is !==, and there are some more. So you can see here we have ===, !==, hash_equals (I'll explain that one in a second) and in_array. So in_array is a function people use quite a lot: you're checking that one thing is in an array, so you've got this needle/haystack thing. If you don't put true as the third argument for the in_array function, it's not strict, so it will do the same thing as above. So if you say in_array with zero and pretty much any array, it will say that zero is in that array even though it isn't, because it's looking for true. Which is terrible. Anyway, so you put true at the end, like I've done here, and then it will be strict. I can't think of a reason why I would ever do that [use loose comparison]. No. And so on WordPress.com VIP we don't allow it; we insist that you use strict comparison operators.
Yeah, I mean, I think we say in our documentation "unless you have a good reason", and I can't think of a good reason. I suppose it's OK if you are just checking booleans, maybe, because false won't == true, so you're OK there. But generally speaking I would always use strict comparison operators.

So then we get into something really crazy, and I'll just take a slight [tangent] on this. hash_equals is a new function that was introduced to WordPress, sorry, PHP 5.6, so by virtue it's obviously part of WordPress as well. hash_equals is an even stricter form of the strict comparison operators. It's effectively exactly the same, but what people may not know is the way that === will check if two things are the same. Say it's two strings and say it's a password, and one string is 'password' and the other is something like 'passwofd'. What === will do (I hate saying this, "equals equals equals") is check that P and P are the same, yep, and then it will say A and A are the same, yep, S is the same, yep, S is the same, yep, W is the same, until it gets to D, and then it will say, oh, D is not F, so return false. And that's how I think it works the same in Ruby and a lot of other languages.
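The comparison points from the last few paragraphs in runnable form: what `==` and loose `in_array()` do to values that turn up in authentication code, what `===` does byte by byte, and `hash_equals()` as the comparison whose running time does not depend on where the first mismatch is. This is an added example, not code from the talk; it is plain PHP with no WordPress dependency, and the token values are constructed. It goes slightly beyond the talk's `0 == 'anything'` case by including the "0e" hash comparison and a numeric-string `in_array()` case, both of which behave the same on every PHP version.

```php
<?php
// Added example (not code from the talk): loose versus strict comparison in
// security checks, and constant-time comparison with hash_equals(). Plain PHP.
declare(strict_types=1);

/** Loose (==) versus strict (===) results for values that show up in auth code. */
function comparison_table(): array {
    return [
        // Both sides are numeric strings in scientific notation, so == compares them
        // as floats and 0e123 == 0e456 is true. Comparing hex digests with == therefore
        // lets any "0e<digits>" hash match any other "0e<digits>" hash.
        'magic_hash_loose'   => '0e462097431906509019562988736854' == '0e830400451993494058024219903391',
        'magic_hash_strict'  => '0e462097431906509019562988736854' === '0e830400451993494058024219903391',
        // null and false collapse together under ==.
        'null_false_loose'   => null == false,
        'null_false_strict'  => null === false,
        // The talk's case: true on PHP 7 and earlier (the string becomes 0);
        // false since PHP 8 changed string-to-number comparison. Version-dependent.
        'zero_string_loose'  => 0 == 'anything',
        'zero_string_strict' => 0 === 'anything',
        // in_array() is loose unless the third argument is true: '1e1' == '10'.
        'in_array_loose'     => in_array( '1e1', [ '10', 'admin' ] ),
        'in_array_strict'    => in_array( '1e1', [ '10', 'admin' ], true ),
    ];
}

/**
 * What a byte-by-byte string comparison does: stop at the first differing byte.
 * A check built like this returns faster the earlier the mismatch, which is the
 * timing signal the talk describes.
 */
function first_mismatch_index( string $a, string $b ): int {
    $n = min( strlen( $a ), strlen( $b ) );
    for ( $i = 0; $i < $n; $i++ ) {
        if ( $a[ $i ] !== $b[ $i ] ) {
            return $i;
        }
    }
    return strlen( $a ) === strlen( $b ) ? -1 : $n;
}

/**
 * Check a secret the client supplied (API key, reset token, HMAC) against the
 * stored value. hash_equals() examines every byte of both strings whatever the
 * input, so response time does not depend on how many leading bytes were right.
 * The only thing it returns early on is a length mismatch, so keep tokens a fixed
 * length. For passwords themselves use password_hash()/password_verify(), which
 * also compares in constant time.
 */
function token_is_valid( string $stored, string $supplied ): bool {
    return hash_equals( $stored, $supplied );
}

// Constructed values.
print_r( comparison_table() );
var_dump( first_mismatch_index( 'password', 'passwofd' ) );
var_dump( token_is_valid( 'a3f9c1d2e4b5', 'a3f9c1d2e4b5' ) );
var_dump( token_is_valid( 'a3f9c1d2e4b5', 'a3f9c1d2e4b6' ) );
```

Run it under both a PHP 7 and a PHP 8 interpreter if you have them and compare the `zero_string_loose` entry; the other loose entries come out true on both, which is why the fix is to use `===` and `in_array(..., true)` everywhere rather than to rely on a newer PHP.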
And the problem there, and this is pretty out there, is that if someone was trying to brute-force your website, they can actually... it's kind of like cracking a safe, because if they're brute-forcing passwords, they can tell by how long it's taken for your server to respond whether they've made any progress or not on cracking a password. They can tell if they've got the first character right or not. Now, don't worry too much, because this is pretty crazy, and I think for most small websites it's very unlikely you're going to have this, but it has happened at the enterprise level, and it is worth worrying about, because although there's latency and everything on the network, it is possible for them to measure if they are cracking a password or not.

hash_equals will always take the same amount of time, so it will finish doing the complete comparison before it returns. So there's no way anyone, as clever as they want to be, can work out if they are cracking a password or not. So that's the craziest form of a strict comparison operator, but it's worth knowing about; it was quite exciting when it was introduced in PHP 5.6. And obviously on the web it's pretty hard: you're going to have to brute-force something, it's going to take absolutely ages, and you're probably going to pick up on someone constantly trying lots of different passwords. Hopefully you have some sort of reporting that's like, this guy's entered his password about 800 billion times, so there's probably a problem going on there. But it does get [relevant] if you ever build anything in PHP that might be used offline, like if they're able to run WordPress on their own system with your data or something like that, but they can't log in. Then they could just hammer it until they've got through it. So it's worth considering if anyone's building a crazy complex online banking system or something, but hopefully no one is, so it's all fine.

So I talked
about scalable code as well. What do I mean by that? WordPress has a load of uncached functions. And right at the start, actually (I haven't got a link on here, but I will when I put my slides up), we have a really great resource, which is what the VIP team looks for when we do code review. So again, this isn't a full list; this is some of the more common ones, but you can get the full list on our documentation page. get_posts is one of the ones that beginners often use, and they don't realise the problem with get_posts: it will always do a MySQL query, whereas WP_Query won't. WP_Query will actually cache what it finds and store it for the next time, so it's a heck of a lot safer than using get_posts, and get_posts can have some really nasty queries in it, which can become very problematic.

All of these things are totally fine when you have, like, five posts. A lot of the scalability stuff that we talk about on the VIP team is just not even remotely a problem if you only have a handful of posts. But I learned the hard way. I had, not really a startup, but I built a site for writers that was a bit like Flickr but for people to share their creative writing. It was powered by WordPress and it was for sharing poetry and that kind of thing, and it was all working really well. It was quite nice; everything was going swimmingly. And then Stephen Fry tweeted about it. He's very famous in the UK; well, he's now left Twitter, but he had a lot of followers. And my database just started falling over, constantly, and the thing was, no matter how much I scaled up the resources behind the database, it just kept falling over. And it wasn't till a friend of mine who knows a little bit about running systems (this was some time ago, so I was young and dangerous) came along, and he said:
Oh, there's a query you can run which checks for slow queries. So you can run it on the server, and he did; it's like "mysql slow" or something, and it will bring them up. And I had a query that was taking about 48 seconds every single time someone hit the site, and obviously what it was actually doing was just crashing. It was just a crap query that I was able to rewrite to do exactly the same thing, and suddenly everything was running really smoothly again. And in fact I also cached the responses from it, which I'll talk about.

So yeah, if your site gets big and people start putting loads of stuff on it, then you really need to worry about these things, because it does get out of hand really fast, and you only need a few thousand posts. So you might be running something that's not massive, but if you're signing off on a project for a client and they go away, and it's a magazine or something and they're adding loads and loads of stuff, they could get to a few hundred posts and problems could really start to occur for them. And the scary part of all this is it can be really expensive, because you might be thinking, oh, we need to up the server resources. So you might be putting loads and loads more resources into your server, when actually you're just in a completely losing game: you're just going to be paying out way more than you need to, when you could just use something else.

So pretty much you never need to use get_posts. You don't really need to use any of these other ones either. What we normally recommend is that you use... there's a function called wp_list_pluck. So there are ways of getting all the categories from your database and then just plucking the ones that you actually want. I think it's wp_list_pluck; it's on this site.
Yep. Yes. Yes, exactly. And there's a whole load of functions like wp_cache_set and wp_cache_get. So if you are using something like this, you should just do it once an hour or something, or even once every five minutes is better than having it every time, and then you can just cache the response from it and serve the cached data instead of the actual thing.

The other good news is, for all of these, the VIP team have written helper functions. We've basically written a plugin which you can use which wraps all of these, so wp_get_recent_posts becomes wp_vip_get_recent_posts, and it's a cached version of these uncached functions. So again, I will share all the resources, but this is kind of really cool stuff that the VIP team does that I was working at the same company and didn't even realise. And because we open-source loads of the work we do, if you want the best-practice thing here, you can just get it straight from us and you can use it, and then you can have all the VIP stuff in your site and not even have to worry about doing that. But that was kind of my next thing.
So yeah, you don't have to worry about trying to work out different ways of doing it necessarily.

And kind of linked to this, we have really gnarly queries. There are things within WordPress that are just known to be really, really bad, and for reasons of backwards compatibility and other things they can't be taken out. So the worst ones are category__not_in, which you can use as part of a get_posts query, tag__not_in, tax_query, and no-limit queries. Obviously, initially, if you've got 10 posts and you're setting posts_per_page to minus one, whatever it is, you set that in your query, you can say minus one, which will get an infinite number. That's fine when you've got 10 posts or even 100 posts, but even getting beyond a few hundred posts things start to get pretty messy and can start to break stuff. And then orderby rand is one of the worst things in MySQL, because it basically has to get everything: it does a no-limit query and then randomises. So say you want five posts and you want them to be random. What it's going to do is get all the posts in your table, and then it's going to randomise them and take the top five. It's so mad. Never, ever use orderby rand. If you do want to do something like that, the easiest way to do it is to get a certain number of posts and randomise them yourself and then pluck some off the top, like that. And you could even do it by a category or something if you wanted it to go back a long way. But yeah, orderby rand, absolutely terrible, never do that.

Another thing that's a bit more hidden, and people don't necessarily think about this, is doing an Ajax call on every single page load. By that I mean if you've got some JavaScript that's going to run off and get something every single time someone hits your website.
It's OK at a small scale, but if you start getting even a few hundred people a minute coming to your website, then you're running all these extra queries, and if that's something on your site, if it's going to a REST API or something, it can be really, really bad. So again, you want to be trying to cache stuff that's coming back. The two functions, I don't actually have a slide for them, but it's wp_cache_set and wp_cache_get, and if you just Google "wordpress caching" you'll get the Codex page, which explains all of these things better than I can.

So yeah, these are key things that we look for, that we try to avoid. And again, I want to restate here that these are things that I didn't necessarily know that much about coming onto the VIP team, and I've been working with WordPress for years. Some of these things were quite scary, and the best link, which I'll put up at the end and which is just excellent, is the "what we look for" page on the VIP team's documentation. It's just this amazing list of all the slightly weird things about WordPress that you want to be wary of, and about half of it I was not familiar with. It was mind-blowing. And it's all public; it's all just on vip.wordpress.com/documentation. So yeah, it's really handy. It's just free; use it. It's great.

I'm going to finish up by talking about some of the tools that I also discovered through working on the VIP team. I wanted to demonstrate how to set some of them up, but one of them is actually... it's not that difficult to set it up, but it's too hard to explain in a talk, so I'm going to write a blog post about it and share it. I haven't done it yet, but I'm going to show you it, because it's really cool. Has anyone heard of Xdebug? Has anyone used Xdebug? John, Robert. Cool, OK, right. So actually I'll go through the three of them.
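The two scalability patterns from the preceding section in code: wrapping an uncached lookup in `wp_cache_get()`/`wp_cache_set()` with a time limit, and getting "five random posts" by fetching a bounded, cached set of IDs and shuffling in PHP instead of ordering randomly in SQL. This is an added example, not code from the talk or from the VIP helper plugin it mentions. It assumes it is running inside WordPress (theme or plugin code, so `WP_Query`, `get_terms()`, `wp_list_pluck()` and the object cache are available); the `example_` function names, cache keys, group name and the one-hour and five-minute lifetimes are my own choices.

```php
<?php
// Added example (not from the talk or the VIP helper plugin): cache an uncached
// lookup, and replace orderby=rand with "bounded fetch, shuffle in PHP". Assumes
// WordPress is loaded; names, keys and TTLs below are illustrative choices.

/**
 * Category names keyed by term ID, served from the object cache for an hour
 * instead of hitting the terms tables on every page load.
 */
function example_cached_category_names(): array {
    $key   = 'example_category_names';
    $group = 'example';

    $names = wp_cache_get( $key, $group );
    if ( false !== $names ) {
        return $names;                           // cache hit, no query
    }

    $terms = get_terms( [ 'taxonomy' => 'category', 'hide_empty' => false ] );
    $names = is_wp_error( $terms ) ? [] : wp_list_pluck( $terms, 'name', 'term_id' );

    // Cache even an empty result so a missing-data state is not re-queried every hit.
    wp_cache_set( $key, $names, $group, HOUR_IN_SECONDS );
    return $names;
}

/**
 * $count random recent post IDs without ORDER BY RAND(): pull a bounded pool of
 * recent IDs (an indexed, cheap query, cached for five minutes), shuffle that
 * pool in PHP, and take the first $count. The randomness is per request; the
 * expensive part is shared.
 */
function example_random_recent_post_ids( int $count = 5, int $pool = 50 ): array {
    $key   = 'example_recent_ids_' . $pool;
    $group = 'example';

    $ids = wp_cache_get( $key, $group );
    if ( false === $ids ) {
        $query = new WP_Query( [
            'post_type'              => 'post',
            'post_status'            => 'publish',
            'posts_per_page'         => $pool,   // bounded; never -1
            'fields'                 => 'ids',   // IDs only, not full rows
            'no_found_rows'          => true,    // skip the SQL_CALC_FOUND_ROWS count
            'update_post_meta_cache' => false,   // we only need IDs here
            'update_post_term_cache' => false,
        ] );
        $ids = $query->posts;
        wp_cache_set( $key, $ids, $group, 5 * MINUTE_IN_SECONDS );
    }

    shuffle( $ids );
    return array_slice( $ids, 0, $count );
}

// Usage in a template. get_the_title() on an ID reads from the object cache where
// posts are already primed, and the output is escaped at the echo point.
echo '<ul>';
foreach ( example_random_recent_post_ids( 5 ) as $post_id ) {
    echo '<li>' . esc_html( get_the_title( $post_id ) ) . '</li>';
}
echo '</ul>';
```

Watch the `false !== $names` check: `wp_cache_get()` returns `false` on a miss, so a cached value that is itself `false` is indistinguishable from a miss. Caching arrays (even empty ones), as above, sidesteps that; if you must cache a boolean, use the `$found` reference argument of `wp_cache_get()` instead.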
Then I'll show you my little demos. So Xdebug is the first one. It basically allows you to live-debug what's happening on your WordPress website, and it's pretty crazy. It's very, very useful, very handy, and the first time I used this it blew my mind.

PHP_CodeSniffer. Has anyone been using this? John. Very good, John, top marks. PHP_CodeSniffer is just basically like a spell check for your PHP. Everyone should really use this, and so many people who commit code to WordPress.com VIP don't use it, and it drives me mad, because I can tell when someone's not using it. You can plug it into the WordPress coding standards, so, just like a spell check when you're typing, it will point out stuff you're doing that doesn't meet the WordPress coding standards. And the best thing about the WordPress coding standards is there are like five different bits: there's the core coding standards, then there's the VIP coding standards, and a couple of other community ones, I think maybe one for BuddyPress or something. So the VIP coding standards are also in there by default. For example, if you're echoing a variable that you haven't escaped, the whole late escaping I was talking about, it will tell you, and it will say you should probably be escaping this. And if you're using a variable that you haven't sanitized, it will tell you. And it's so great, because while you're typing it's just pointing out problems, and it's so quick and easy, and it tells you exactly what the problem is. It doesn't just highlight it.
It actually says the problem And then you can look it up and work out how to fix it The other tool which I'm guessing more people might have used is beyond compare I'd heard of this years ago, but it's just like changed my life since I've been doing VIP stuff It's just a really really handy tool for comparing Anything so you can take like two directories and it will tell you if anything's changed So it's particularly useful if you're for example If you want to check a new plugin versus the old version and a new version's been released You can just use beyond compare and it will show you all the little things that have changed It's really handy. There are things in code that says to do this But I've never seen anything quite as quick and easy as beyond compares tools for doing Diff is all it is really, but it's just really nice And you just pick like any file on your computer any other file and it will show you how they're different It's really handy So extra bug Let's see what happens. This is a It's a pretty like unwieldy tool. So um, so hopefully I did test it before I came up. Let's hope this works So We have a VIP test site Which uh, so this is a site that has all the same things as all the other VIP sites But it runs like 2011 and we just test it for random things So someone's put like bacon as the strap line and stuff, you know, it's just uh, just anything But and I'll also bring over my text editor It's a bit Bit cody, uh, I'll make it a bit actually So yeah configuring extra bug is not actually that difficult But none of the Demos I could find explained it very well. We have some internal documentation for how we use it Um, so that's how I got it set up Uh, so it works very well with wordpress.com for developers at wordpress.com But um, but yeah, I know it can be used for working on core And I just want to show you very briefly one of the cool things it can do. 
So I'm probably going to need to... Right, so this is our test site, and this is a file that is used at some point on this test site. Is that big enough? Okay. Now what we can do, if we come down to a bit of code: let's say that we are having a problem with a variable and we want to know what that variable is. So you can see here I've got this little check that says "is Calypso compatible VIP", and then we do this check, and we say does "VIP Calypso compatible" equal (===) the greylist flag for the blog ID. It's a bit awkward with the line break; I should bring it down slightly. Yeah, I will actually do that, because it looks even harder to read than it should. I appreciate this may seem like really complex stuff. You don't really need to know anything about the code. It's not complex, there's just lots of it.

But what I've done here, in my text editor (and it works in loads of other text editors; PhpStorm is the one that's easiest to get set up, I'm doing it within Vim, and you can also do it with Sublime Text and anything else you use; I think classically Xdebug is designed for use with Eclipse, which is the really old Java editor, so you may have used it, and it works with other languages, not just PHP), is set everything up for this to work, hopefully. So I can set breakpoints. I set a breakpoint there, which you can see by the green thing in my margin. I've now turned the breakpoint off; I've turned the breakpoint on. So now what I can do, let's just double-check this is set up to work. I think it is. All right. If I press F5, for me that makes it start listening, and again, if you're using PhpStorm, it's a nice interface where you press something like "record".
It's more of a human-understandable thing, whereas Vim, which is designed for idiots, you press random keys. So F5, and now it starts listening. If I now refresh this page, as the page starts to refresh, Vim has now completely changed, so we're now in this Xdebug view. What Xdebug will do by default is stop at the first line it hits in your code. So the first line it's going to hit on any WordPress website is index.php, define WP_USE_THEMES true. That's just a standard breakpoint; nothing's happened, there are no variables or anything. If I hit F5 it's going to run to my breakpoint, the one you saw me set. So here we go: we can now see this first breakpoint in the code. Meanwhile, the page is still loading; you can see it's actually loading up in the top corner, just hanging, waiting for me to do stuff. It's the same as when you debug JavaScript using Chrome, where you can do that within the browser, but this is doing it within my PHP. So at the moment, because I've stopped it before this variable gets defined, it's just uninitialized: the variable exists, but there's nothing in it. If I press F2 (sorry, not F5), it will go to the next line of code, and in doing that, there we go, "is Calypso compatible VIP" is set as a boolean.
It's false. And if we carry on, I can just press F2 and run line by line through this code. Each bit of code it executes, it will take me to it, and then I can see what else is happening over on the right-hand side. So we don't yet have a blog ID; if we carry on, it will continue to set these things up. So now we actually have, for example, this instance variable, and we can now see what that is. If I go across to that window on my screen, normally it's a bit easier to read this because I'm not having to deal with this massive font, but if we go over... well, here we go. Oh, it's actually wrapping, so you can see, yeah, its post type is "post", and we see the edit capability of this instance thing. I didn't know what this is, but it's just interesting: I can now actually see this variable being put together. It's pretty amazing. And when you're dealing with a much simpler problem, say you just have a variable that's not being set to what you expect, you can sit here and work out exactly which line sets it to the wrong thing. It's really, really amazing. Showing it to you in Vim is probably not a good idea, because it looks overwhelming and crazy, but PhpStorm has a really nice interface for dealing with it. I like this, but not everyone does.

So that's Xdebug, and if I press F6 we're going to finish debugging, so it's now not connected any more. F6 again takes me back to where I was, and I can take the breakpoint off and maybe edit some stuff here. What will normally happen is, if you take more than I think 60 seconds, PHP is going to time out. So you can actually carry it on.
I could have carried on debugging it, but normally it's taken too long to load, so as far as WordPress.com's concerned this website's broken, but I just refresh and it comes back as it normally would. So this is remote debugging: I'm debugging something live over the internet. It's pretty crazy, and the way it actually knows where the code is, is that I've got a replica of the entire WordPress.com codebase on my laptop, and I've mapped them. So it knows that wherever WordPress.com is doing this, on my laptop it should find it here, and that's how it's telling me which lines it's getting to. It's just brilliant, and you could use it if you ever want to get involved in working on WordPress core; it's really great for that. It is a bit of a power tool, so don't worry if you're thinking "this just looks crazy, I don't care". That's fine, I understand, but I'll show you anyway.

Yeah, that's exactly what it is. So you can live-debug something on the internet, and it's not massively complicated to set up, but it just requires a bit more than I can explain in a talk. And setting it up locally is actually easier as well, if you just want to debug something in MAMP, or if you're using VVV or something. I guess you're leaving the setup out of the picture? I'm leaving out the setup, yeah. But I can tell you the basics about it, actually. All that really happens is... the most pivotal thing here is that I connect to my WordPress.com sandbox on port 9000. So my computer is using port 9000 to connect to that website at the same time as I'm looking at it through the browser. So Xdebug controls the whole thing, talking over that port, so it knows what's happening. So it's like, he's refreshed, and then they're like, right? Yeah, your browser is normally port 80.
So you're doing a synchronous thing. Yeah, you actually install Xdebug yourself; it's not a third-party service, it's a module within PHP. Yes, so you install it on your server, which is not too complicated but a bit too hard to explain here. You connect on port 9000; 9000 is the default for Xdebug, and you can change it to whatever you like, 9001, whatever. And it can get really complicated: it uses an IDE key as well. You can set that to nothing and then it will just listen on everything, but if you were debugging loads of different sites simultaneously you could theoretically have loads of different IDE keys and have loads of different things going on. It just gets way over... I mean, when I'm using Xdebug I often feel like I'm at the very limit of my ability, because it's like, wow, this is pretty crazy. But I have found it really handy in debugging certain problems where normally what people would do is use an error log, so you start error-logging and then you run through the error log to see if that's it, and it just takes ages, whereas with this you can just see live where the variable goes funny. That's the problem. Yeah, it's cool.

So I think I lost where I was in the slides, but the next one is the Code Sniffer demo. I won't even bother with the slide. So this should be a bit easier to do. I actually removed this while I was doing the last demo, but if I now do a little command... again, if you're using something like Vim, sorry, like Sublime Text, it's more human-friendly. This is not coming back. I'll close this and open it again. I tried to show you this file.
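The port-9000 and IDE-key setup the speaker describes, as an added php.ini example (this is not the speaker's or WordPress.com's configuration). It uses the Xdebug 2 directive names that were current at the time of the talk; Xdebug 3 renamed them (xdebug.mode=debug, xdebug.client_host, xdebug.client_port, with 9003 as the new default port). The host address and IDE key are placeholders.

```ini
; Added example, not from the talk: Xdebug 2 remote-debugging settings.
; The host below is a placeholder for the laptop running the editor, and
; CHANGE_ME is a placeholder for whatever key the editor is configured with.
zend_extension = xdebug.so

; Weak setting (shown commented out): connect back to whichever address made
; the request. On a reachable server this lets any client that sends the
; debug trigger attach a debugger to your PHP process.
;xdebug.remote_enable = 1
;xdebug.remote_connect_back = 1

; Preferred: connect only to one known developer machine, on the default
; port, and only when the request carries the matching IDE key.
xdebug.remote_enable = 1
xdebug.remote_connect_back = 0
xdebug.remote_host = 203.0.113.10   ; placeholder: the editor's machine
xdebug.remote_port = 9000           ; Xdebug 2 default, as mentioned in the talk
xdebug.remote_autostart = 0         ; only start when XDEBUG_SESSION_START / the session cookie is present
xdebug.idekey = CHANGE_ME           ; placeholder; must match the key in the editor
```

The editor listens on port 9000 and PHP connects out to it, which is why the speaker's laptop has to be reachable from the sandbox; a sandbox is the right place for this, and the module should stay disabled on anything serving real traffic, since the debugger can read every variable on the page and pause requests until PHP's time limit fires, as the demo showed.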
This is fine. Yeah, this works. I realise this just looks nuts, but what is happening here is that the bottom half of my screen is showing me the current errors. So let's create some space here and get rid of all of this, so it looks a bit easier to understand. Let's say I want to try something: let's say I'm going to echo a dangerous variable, and let's say I save that. PHP CodeSniffer has picked up a problem. It does this weird little "S" thing, like a spelling mistake, and it's pointing at the problem. If I go over to where that problem is, it's at this dollar sign. Down at the bottom, behind the fan, it's saying, and let me just open this up a bit because it's probably quite hard to see, "expected next thing to be an escaping function". Again, it's because I'm using Vim that it's this really weird-looking Matrix-style view, but if you're using Sublime Text or something it'll tell you this in a neater way. Sublime Text and PhpStorm and all the other editors have really good ways of using PHP CodeSniffer. But fundamentally it's going to tell me there's a problem there. And it'll tell me loads of other things. For example, in the WordPress coding standards we should have a space whenever we're opening some parentheses after a function like this. So if I do... this doesn't even make any sense, but I think it'll do this: if I do that and save, it's going to have a new problem. Oh yeah, I didn't see the PHP tag. There you go, that's actually quite handy as well. So it's not just WordPress coding standards; it'll also find just general problems. So it's saying, though no one can see it, that it's noticed there shouldn't be an opening angle bracket here, because I'm already in PHP.
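The two findings from the demo above (unescaped output and unsanitized input), shown as an added example beside the form the sniff is asking for. This is not code from the talk; it assumes WordPress is loaded, and the function names and the `q` query parameter are constructed for illustration.

```php
<?php
/**
 * Added example, not from the talk: what the WordPress coding-standards
 * sniffs flag, and the corrected version.
 *
 * Assumes WordPress is loaded. Function names and the 'q' parameter are
 * illustrative only.
 */

// Flagged by the sniffs: $_GET used without sanitizing, and a variable echoed
// without an escaping function. If $term carries markup it is rendered as-is,
// which is the reflected cross-site scripting case late escaping prevents.
function example_search_label_unsafe() {
    $term = $_GET['q'];
    echo '<p>Results for ' . $term . '</p>';
}

// Passes the sniffs: sanitize on the way in, escape at the point of output.
// wp_unslash() undoes the slashes WordPress adds to request data,
// sanitize_text_field() strips tags and control characters, and esc_html()
// encodes whatever is left so it is displayed as text, not interpreted.
function example_search_label_safe() {
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<p>Results for ' . esc_html( $term ) . '</p>';
}

// The same value placed in an attribute needs the attribute escaper instead,
// because the quoting rules differ from element content.
function example_search_input_safe() {
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<input type="search" name="q" value="' . esc_attr( $term ) . '">';
}
```

Outside an editor, the same checks run from the command line with `phpcs --standard=WordPress path/to/file.php` once the WordPress coding standards are installed; that is the form to put in a pre-commit hook or CI job so that code that skipped the editor integration is still caught.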
So if I save it again, it's probably now going to say... oh, actually, I'm just breaking the rules. It would normally... no, it hasn't, it's not showing it. It would normally now say that I should have a space, and it will say, by the way, you need to put a space between your brackets. Yeah, we'll leave that, but it's really handy. I'd highly recommend using it, and it's much easier to set up than Xdebug; everyone can do this today. It's really good.

Right, and my last thing, oops, sorry, is Beyond Compare. I have quite a nice demo with Beyond Compare. I was recently reviewing a plugin, the Brightcove plugin, which is the video platform some of you may be familiar with. We'd been sent a diff; it was just an update to the Brightcove plugin for WordPress. We'd been sent a diff, and then actually the developer had realised they wanted to make a few more changes, so they sent me a new diff, which was almost exactly the same thing but with a few minor changes. And that kind of thing is quite annoying, because you're thinking, I've just reviewed the first one, which was like 10,000 lines, and now I've got to review the same thing again, but there are a couple of little things that have changed. How would I find those things? There are various ways of doing it, but Beyond Compare just makes it super easy. So if I click on "open" here... there we go. It's just found all the differences, and there were hardly any. So all I needed to know was that at this part of the file (what you've got on the left is the new updated version, what you've got on the right is the old version), it's just like, ah, here we go.
So I just need to review that and tell him if that's okay or not, which is what I did, and it was great. You could even see the POT-Creation-Date thing here, you probably can't see it because it's too small, but it was like seven o'clock over there and seven twenty-five over here, so I can see when he was working on it: it's the 13th of April there and the 15th of April here. You can literally see all the little changes he's made, and any little extra thing he's added in, which is really good. So Beyond Compare is a really good tool.

Let's get back to my slides. A final thing I wanted to talk about, which is kind of an elephant in the room. There we go. I was talking about uncached functions, and about how there are certain things WordPress does that are not particularly optimal for us, especially for a newspaper, where we maybe want to be getting all sorts of weird and wonderful post combinations, we maybe want to be doing things that are more akin to search, or maybe we even want a search facility. I probably don't need to tell anyone here that the WordPress search functionality is pretty dreadful out of the box. It just doesn't really work. It doesn't rank anything by relevance, so if you type in "coffee" it will just find all of your posts that have "coffee" in them, and then give them back to you in date order, which is just totally useless, because you want the one that goes into more detail about coffee.

So a key thing that we use on WordPress.com and on WordPress.com VIP is another piece of open source software, which is not too difficult to set up, but I'm going to leave it as further reading, because I was going to try and do a live demo of it, and I started going through it this afternoon and I just thought it was a bit messy. There are some really good tutorials that will explain to you how to do it.
The product is called Elasticsearch. It's open source, anyone can use it, and it's absolutely brilliant. It will basically bring Google-like searching to WordPress. It's totally free, totally open source; you just need to configure it and set it up, which is not too difficult, although it does need its own server. So DigitalOcean, and there are other brands available, I'm sure, but DigitalOcean is one of my favourite things for testing this sort of thing. DigitalOcean allows you to set up micro servers. Amazon do a very similar thing, and I think Rackspace do one as well, and there are loads of other competitors, but it's basically these micro servers; DigitalOcean call them droplets, and the cheapest ones are five dollars a month. The reason that's relevant is because setting up Elasticsearch can initially seem like a big pain: you've got to have another server, so you're thinking, oh man, I've got to set up another server, that's going to cost me loads of money. But with something like DigitalOcean it's five dollars a month, which is about three pounds in the UK. It's almost nothing, and you can actually have multiple things working on it. They also have an absolutely insanely amazing database of tutorials and how-tos and documentation, and it just goes on and on. If you go to digitalocean.com/community and type anything into the search box, they will have how you set up this with this with this, and they string the whole thing together. So if you've never set up a server before, they tell you how to do that; they tell you how to get WordPress running, how to get nginx going if you want to use that, how to install MySQL, all the different parts of what powers WordPress.
Again, those things are more complicated than you even need, because setting up Elasticsearch is actually really easy. There's this tutorial here, which is how to configure it, and then there's a plugin called Fantastic ElasticSearch for WordPress, which basically allows you to link the two things together. Once you've got your Elasticsearch server, you connect it to Fantastic ElasticSearch, and then it will automatically replace all of the search boxes on your website with Elasticsearch searches, and the difference is just night and day. It's so handy. Yes? Once it has indexed your content? Exactly, and Fantastic ElasticSearch does quite a lot of that automatically. So it will actually automatically replace, I think it replaces WP_Query, with Elasticsearch, because once it has your indexes it's like, right, we're fine, we're ready to go. And then you can just go and go and go with that, and that's what we've done. So the funny thing about a lot of these things I was talking about is that the way we mostly mitigate these problems is using Elasticsearch, just because it's better anyway. It's just so fast compared to using MySQL to find stuff. Yes, yeah, there is quite some, actually, but I think there's more in the WordPress community, a lot more that's been done for Elasticsearch, so you'll find more tutorials, just more data, and there are more plugins for it.
For example, there are some others you can use. Alley Interactive, who are a big New York-based agency, have basically written the book on how to use Elasticsearch with WordPress. They actually built the plugin that we run on VIP. The only reason I would recommend Fantastic ElasticSearch is that it's a bit easier to approach as a beginner. But the coolest thing about Fantastic ElasticSearch as well is that if your Elasticsearch server is not working, it falls back to all the standard stuff, so it won't even break. The Elasticsearch server you set up could fall over and it just goes back to working how it normally would. So it's really good, and for that sort of reason it's good to still stick to all the best practice I was talking about: don't just chuck everything on Elasticsearch and forget about it, because you might have problems.

But yeah, sorry if I've spoken too quickly. I'm around, and if you want to get in touch with me I'm @jacklenox on Twitter and most other things, and it's jack@automattic.com if anyone wants to email me. I'll put my slides up and I'll try and share as many of the other resources as I can. I find with most of this kind of stuff it's a lot; you're all sitting here just listening, so you're not going to remember all this anyway. But the main thing is, go to the vip.wordpress.com documentation. It's absolutely amazing. And if anyone wants to work with us, go to automattic.com/work-with-us. Thank you.

Any questions? Does anyone have any questions? If there is something interesting that you would like to share about... actually, I'm interested in the VIP enterprise architecture, if there's anything interesting to share on that. So I can talk a little bit about that. I'm not the expert on that kind of thing, but I can talk about it in terms of overall data.
So at the moment, obviously, we have WordPress.com, which is the big platform, so that's what most of our VIP stuff is on. We've actually very recently been working on a new platform for VIP. I was talking to, I've forgotten your name, Spencer, about this earlier. There are certain limitations that we've been hitting by having everything on this one massive architecture, and certain clients want to do very bespoke things. We're also finding that we could actually get more performance benefits if we started to break things off. So we've been working on a new platform, which we call WordPress.com VIP Go, and we're using Docker and creating these containerised instances for our VIPs. At the moment it's only a handful of our VIP clients that are on it, but Microsoft Studios is one of them. If you go to the Microsoft Studios website it has even better response times than the ones I was saying at the start. So for that, for anyone interested, we're using a Varnish layer. We've got load balancers, then Varnish and nginx, and we're using the reverse proxy thing with Varnish to get stuff into nginx, and beneath that we have two app servers and two MySQL servers, and we have that replicated among about 14 data centres around the world. So WordPress.com has, I think it's 14 now, data centres; there's one in Singapore now. That's how Go is working, and I actually probably know a bit more about Go. Then in those same data centres we host the rest of WordPress.com, and the key things that you might find interesting about how we deal with that: there's a plugin called HyperDB, which is for sharding your database, basically one database across multiple databases, and Barry at Automattic
I think wrote most of that. It's very interesting if you're wondering about high-level scale problems; HyperDB is a big thing. Also, Donncha at Automattic wrote a plugin called WP Super Cache, which is a really simple caching plugin, really, which basically creates static HTML pages for every page of a WordPress site, and we run that on WordPress.com for anyone who's not logged in. Sorry, what was the name? It's called WP Super Cache. It's on the plugin repository. So that's one of the caching plugins we use. The overall architecture, I don't know much technically about how we do it. I know we use nginx, but I think it's pretty old school, because it's one of these things that we've been gradually... obviously it started in 2005, so it's a bit like Facebook, where we've been trying to, what's the word, reverse engineer PHP to make things better, and obviously PHP has been really catching up these days with PHP 7. And the PHP project actually uses WordPress as their main benchmark control because it's so popular. But before PHP 7 we were using HHVM. Is that answering your question, or is there anything more specific that you think I might be able to answer? Yeah, on that front I'm not the expert. The most crazy thing about it, which I find really mad, is that having told you all the figures and everything, our systems team is eight people, and they are spread across time zones. Intentionally, we have two in the States, a guy in Lithuania, I think there's a guy in Sri Lanka, and they all cover each other.
So we have this constant thing, and they are just absolute ninjas. I don't know how. And I know that Barry is very well known in the world of scalability and systems, because I think other services comparable to us have systems teams of hundreds of people, but Barry is the man for scalability, and, as I was saying, instead of throwing resources at things, they work out how we can optimise things to stretch our systems further. They're incredible, and they can't fly on a plane together, because of the inherent risk. So when we have our Grand Meetup once a year, when we all get together, they all have to stagger their flights, which is pretty crazy. In fact, I think they have trouble even all being in one location, because obviously they need to keep guard. But yeah, that's about as much as I know about how we work. I know more about the VIP code than I know about the current systems, because it's just magic, and I think most people at Automattic don't worry about it, because they just... I don't know, they did it. It's incredible. But we don't have to worry about it, which is nice. Any other... Oh, I don't know. I was speaking about it in the video. Oh, sorry. Yeah. Yeah. So thank you, Jack. Yeah, cool. Okay.