My name is Taylor Lovett. I am the director of web engineering for a company called 10up. I'm a WordPress plugin creator and core contributor and an open source community member. Just a quick plug before I get started: 10up, as always, is hiring; see is10uphiring.com. We work with a lot of really cool clients. We're a distributed web agency. We are hiring engineers, JavaScript people, PHP people, designers, project managers, everything. So if you like anything that I talk about today and you want to work with any of those clients, please see me after.
So before approaching how we build websites for enterprise, I think we should probably define what is enterprise, and I think this term means a lot of different things to a lot of different people. So I'm going to run through some traits, many of which are probably true for most enterprise organizations. So to start, the obvious one is traffic. So websites receiving millions of page views per day are ones that I would consider to be enterprise. Websites producing high-dollar revenues. Websites worked on by large teams. So I think organizations that have a large team and a large amount of stakeholders involved in a web property, that can sort of constitute this enterprise definition. Websites providing critical, time-sensitive data. Websites involving many complex integrations, and what I mean by that is like lots of third-party APIs and stuff like that. So kind of the bottom line is, however you want to define enterprise, large organizations and high-dollar business objectives require that, no matter what, websites are performant, efficient, scalable, maintainable, definitely highly available, data-centric, and of course scalable.
That was a mouthful. Here's a bunch of websites that are actually running WordPress. I'm sure you know some of these are running WordPress, like the obvious ones, like TechCrunch and Variety and the New York Times. But these other organizations are also running WordPress in some form. So pretty cool, huh? Just a side note: WordPress, you know, has been doing a lot of growing up in the past couple of years. The platform traditionally started, as we all know, as a blogging platform, but it has grown to be much more, and you see these WordPress talks at WordCamps about, you know, WordPress is a framework and all this stuff. And WordPress is, in my opinion, a fully fledged framework and is fully capable of powering, you know, any of the biggest websites in the world.
So anyways, like I said, I work for a company called 10up. The top of this slide is cut off, unfortunately, so you can't see the top, but these are our best practices, and we open sourced them, I would say, about a year and a half ago. They cover HTML, CSS, JavaScript, PHP, how we structure themes and files and stuff like that, the tools we use, the frameworks, how we version control. This is a blueprint of how we build websites for enterprise at 10up, and a lot of the stuff I'm going to talk about today are things that are pulled directly from this. So any WordPress developer in this room, whether advanced or more junior, I would highly encourage you to check out these best practices, and like I said, they're open source. So if you think, you know, we should be doing something differently or something's not right, create a pull request.
So the first thing I want to talk about is caching. Redis: so we use Redis as a persistent object cache. Many of you probably know WordPress is sort of caching agnostic.
You can drop in your own custom object cache. I would say Memcache is probably the most popular thing that people use for that nowadays. We like Redis. It basically lets you store things in memory so you can quickly read and write to those caching buckets. I think Redis offers a lot of built-in features that Memcache doesn't, specifically around failover. So when it comes to building like a serious cluster for enterprise on the systems level, Redis works for us, and I have a link down below, which is cut off, unfortunately. So my slides are at taylorlovett.com, so if anybody wants to follow along, feel free to do so. There's a WordPress plugin called WP Redis, so that's the drop-in you can use to connect your WordPress site to Redis.
Page caching: so page caching is the act of caching entire HTML outputs, or pages, into an object cache. So in this case it would be Redis. And then rather than having to do all the database queries and all the crazy PHP stuff, we can just say, is this request one that we've seen before? If so, then let's go directly to the object cache and pull that entire generated HTML piece of cache out. So page caching is something that we use heavily to make websites scale and run when they're being viewed millions of times a day. So I would utilize page caching as much as possible. Obviously, when you get into personalization and community-type sites, you have to get clever and use JavaScript and do all sorts of tricks, and you may or may not be able to use this, but generally speaking, page caching is the way to go. And I have a link below to the Batcache plugin (thank you), which is
an automatic page caching plugin that they actually use on WordPress.com, so check that out.
Fragment caching: similar to page caching, except we're just going to cache snippets of HTML on the page, or maybe an object that was generated on the page. Generally the way we word this in our best practices is: anything on the front end involving a database read, like a WP_Query thing, you should save the HTML, cache it, and then output that later. And a good example of this is like a post carousel, like a featured post carousel. Rather than running through that WP_Query every time the page loads to pull those posts out, do it once, cache it for a certain amount of time, and just pull from the cache, so that it's much faster that way.
Remote calls: a remote call is like using the wp_remote_request function. So any call to a third-party API, any call that's blocking, those can be huge performance bottlenecks. And this is something I see in a lot of community plugins, that on every page load they're sending some sort of request to a third-party API, and it's making your website run slowly. So cache remote calls as long as possible if you have to make them. And a lot of people don't know this, but the wp_remote_request function lets you make non-blocking requests. So if you don't need to wait for your request, you can set it that way, and it won't stop PHP from continuing to execute.
This is a pretty cool one.
So, priming cache asynchronously. If a user hits your page and you have something that needs to be generated on the fly and then cached, there are better strategies for doing that, such that you can do that asynchronously. So maybe when a user visits the page and the cache is stale, show them the old cache and then send out like an Ajax request which sets up like a cron job to prime that same cache bucket asynchronously, so the user doesn't have to wait. So you can get really, really clever with stuff like this to just keep performance super, super high.
This is a really common one. admin-ajax.php is for admin use only. It is not cached as aggressively as stuff on the front end; page caching on it won't work at all. So if you have a website, and on your home page you have it set up all real nice with page caching, and you're really confident, and you start making admin Ajax requests, you're hitting an uncached endpoint every single time you do that. So obviously, I have the JSON REST API. If you do need to make Ajax calls, do so on a cached endpoint, and the JSON REST API would work with that.
So at 10up, a little bit opinionated, but off-the-shelf caching plugins: we don't really use them. The ones that we use are Batcache, and we use the Redis drop-in. A lot of these off-the-shelf caching plugins can be very difficult to install and even more difficult to remove, and there's a lot of horror stories with stuff like that. Generally these plugins are created for public use, and thus they have like 8 million features and you only need like two of them. Try to keep it simple. If you're building a website for enterprise, you probably have the budget to really think about what you're trying to do and do it effectively, rather than throwing like, you know, some huge bloated plugin at it.
So let's talk about database reads and writes. A general rule:
you should avoid front-end writes. Database writes in general are slow with MySQL. Front-end writes can cause race conditions. If you're using any sort of page caching, then a front-end write may or may not happen, because if your page is cached, then that front-end write isn't going to execute. If you really need to write data on the front end, use some sort of Ajax request.
WP_Query is pretty much the way in WordPress to pull content out of the database. And if anybody's seen the WP_Query Codex page, it's massive and there's a lot to learn. I'm just going to touch on a few parameters for WP_Query to make your queries much more performant. One of the biggest ones is no_found_rows. So if you set no_found_rows to true in your query, that will tell WordPress not to pass that SQL_CALC_FOUND_ROWS thing into the query. And basically what that does is, if you're doing a limited query, SQL_CALC_FOUND_ROWS will be able to determine the total number of pages in your query. So if you're not doing pagination, then you do not need to do that, and that will make your query much more performant. Update post meta cache, update term cache: set those to false if you're not going to be using terms or post meta. They're going to have to blast through cache, and you probably don't need that. If you're only needing the post ID, you can set fields to ids, and this will make your query much faster. Posts per page: do not set posts_per_page to negative one. That's just asking for trouble. Something like that on the front of a web page, if there were too many posts, could take down a website very easily. So I would recommend setting posts_per_page to a reasonable number. And finally, don't use post__not_in. This tells MySQL to run a NOT IN query, which is just inherently inefficient to MySQL.
Here's just a quick example, so new WP_Query.
We have no_found_rows, fields ids, we're not updating post meta or term cache, and we're setting up a reasonable upper limit for our posts to 200.
A lesser-known sort of performance thing: autoloading. So update_option and add_option take a third parameter, and that is the autoload parameter. By default, options are autoloaded in WordPress, meaning on every page load WordPress is going to bootstrap those options on the page in case you want to use them. But if you're setting something in the options table that you're not going to need on every single page load, then set autoload to false, and that will give you a performance boost.
Okay, so browser performance. CDNs: very, very important. So content delivery networks enable you to serve static assets from servers other than your own, so your servers don't get blasted. And when you use some of these big CDN networks, you know, they have servers all over the world, so you can serve those assets in locations that are closer to your visitors. So they have huge, huge performance benefits on the front end, and I don't want to recommend any specific one, because I think needs really, really vary from project to project.
So reduce the number and size of HTTP requests.
This is one of the biggest reasons why front-end websites are running slowly. We try to minify all JavaScript and CSS files, concatenate all JavaScript and CSS files, optimize images, and I have HTTP/2 with a question mark, because that's a really, really cool way to reduce the number of requests. We use Grunt. WordPress core uses Grunt. There's a lot of opinions on this, most of them outside of the WordPress community, on different build runners. We like Grunt and it works well for us.
Okay, so maintainability and stability. So at 10up we build a lot of big projects for a lot of big websites, and we find that maintainable code improves stability. So code that is maintainable and extendable is less susceptible to bugs. I also think that bugs in maintainable and extendable code bases are solved quicker. And of course, as well, new features are added more easily to code bases that are written well and are maintainable. And the final one, which I think is really cool, is happy engineers are more productive. And we all know, as developers, it's just so hard jumping into a code base that is not maintainable and is messy, and it just puts frowny faces on everybody's.
So modern PHP design patterns. WordPress gets a lot of flak outside of our community for being backwards compatible all the way to PHP 5.2.4, because everybody wants to use the latest, coolest stuff in PHP, which, as a developer, I totally get. But I think a lot of them don't realize that when you're maintaining your own web server, especially for an enterprise client, where you probably have, you know, a pretty complex setup, you can control whatever versions of languages you want. You want to run PHP 7, you want to run like the latest PHP build or whatever, go ahead, and, you know, you can do that.
I wouldn't recommend it. You can do it. So use the cool features in PHP that we have available to us: namespaces, traits, Composer. Use all that cool new stuff. Developers like it. It's going to make iterations on your code base quicker. That stuff's great. At the end of the day, you can't, I mean you can, but you probably don't want to distribute that to like the WordPress.org plugins or themes repository, because that actually is meant to be compatible back to PHP 5.2. But use that on your own projects, use that on your client websites.
This one's slightly opinionated: don't obsess over MVC in PHP. So in this context MVC is model, view and controller. It's a really awesome pattern. It works really well for a lot of frameworks that aren't WordPress. WordPress is just not an object-oriented platform, and we find that forcing MVC with tools like Twig and these other things ultimately just leads to more confusing code and makes it harder for new developers to come on to a project and understand what's going on. Working at a big agency like 10up and building enterprise-level websites, we have huge teams of engineers, and huge teams means that people are going to be coming on and off the project. So if you build a website in such a way that only five people in the world understand it, and it takes like three months for anyone to wrap their head around your code base, you're setting yourself up for failure.
So we have to build code that people can understand easily.
JavaScript: so there's been a lot of JavaScript talk at the conference. All this stuff is great. Modern JavaScript design patterns, CommonJS, not only ES6, but you can use ES7. Use stuff like webpack and Browserify to package up your JavaScript and make it compatible with some of the older versions of browsers.
We think that grouping distinct pieces of functionality into plugins is a great move. It lets us use those plugins elsewhere, and it also makes deployments a lot simpler, because when we have code broken out into distinct repositories in distinct areas, if we iterate on one feature, we can deploy that feature without having to deploy the entire website with all the things. So this workflow really works for us.
Documentation is super important for keeping a code base maintainable. As developers, I know I have a tendency to just tear through code and not want to document things and hate myself afterwards. But we all need to work together to document the code that we're writing, especially working on a project with a huge team of people where you're not going to be the only one looking at that code. Documentation: super important. So at 10up we actually make documentation part of our code review process, which I'm going to talk about later. So I have the PHP documentation standards there from WordPress Make, and I also have the JavaScript documentation standards.
This one is one of my personal favorites: wrapping wrappers. WordPress has a really awesome, rich, easy-to-use API that lets you create post types and insert posts and create meta boxes and send HTTP requests and do all these magical things. As developers, personally speaking, especially like when I'm new, or for whatever reason, it strikes me that creating these complex wrapper classes to wrap up existing functionality in WordPress can seem appealing. But we find that creating these
wrappers around existing APIs more often than not just makes the code more confusing. It adds another library that you may need to maintain, and then whenever you bring somebody else in the project, now instead of learning this API that WordPress already has, they have to learn the API that you built around the API. So something to think about.
Testing code: so automated tests are crucial. We use PHPUnit for PHP, just like WordPress core. There's the core unit testing framework, and there's also WP_Mock, which is a 10up project; check out that GitHub link. We use Mocha for JavaScript, which is one of the newer JavaScript testing frameworks that's gotten a lot of popularity and is very easy to use. And something really cool, which I just popped into the slides last second, is Codeception for acceptance tests. And we've actually open sourced a Codeception WP-CLI wrapper, so you can scaffold out Codeception tests, and that's by a developer of ours named Eugene Manuilov.
This is really cool, what we're doing with Codeception. This is just a code snippet from one of my form plugins that I have for free in the .org repository. The code speaks for itself, but basically the test puts you on an admin page, clicks a link, and then, you know, either I see or don't see, and makes assertions that way. So this actually tests a JavaScript modal, so clicking Add Form opens up a JavaScript modal, and then, you know, after clicking that special fields thing, you're not supposed to see single line of text and you're supposed to see this. And you can do a lot of really fancy things with testing complex JavaScript interactions and complex applications. So Codeception is really cool.
I have the GitHub link down there again for scaffolding tests for WordPress, so check that out.
Security: so this is a big one. It's absolutely critical that the websites we build for enterprises are secure. And one of the biggest parts of this is making sure that we clean input, so validating or sanitizing data. We need to validate and sanitize all data that's being inserted in the database to make sure there's nothing harmful. Quick code snippet: when updating post meta, we're using this sanitize_text_field WordPress function to sanitize a POST variable. Very similar, we're validating in the next example, so if an option is posted, we're just setting true into meta, and if it's not posted, then we're just deleting the post meta rather than setting false. So that's an example of validation.
We also need to secure all outputs, so anything that's being outputted to the screen should be escaped. We practice late escaping. The WordPress Codex has this whole library of escaping functions that you can check out, and I have a link in the slides. Quick code example: so we're getting something from post meta and we're outputting it to the screen, and we're using that esc_html function, and we're just echoing that. And then in the second example, we're again getting something from post meta, and we're echoing it using esc_attr, and that's making sure that whatever is being pulled from the database is safe to be on the screen and isn't like some sort of nasty JavaScript.
So this is an important one, and one that I think is often overlooked: innerHTML and jQuery selectors. You can do some dangerous things with those. You do not want to insert arbitrary data into innerHTML or jQuery selectors. Like I said, you can do some dangerous things through jQuery selectors. You can actually create elements on the DOM, so you can execute arbitrary JavaScript through jQuery selectors. Same thing with innerHTML.
So rather than using those two things, in the first example, we're getting this class name from the DOM, and rather than using innerHTML, we're using innerText and setting it to our arbitrary text string. And then in the second example, where we need to insert HTML into the DOM, we are actually using the createElement function and creating a div, then using innerText to set the inside of that div to this arbitrary text string, and then we're appending that node to the DOM. So that's a safe way to add HTML to the DOM without using innerText, or innerHTML, sorry.
So nonces. Nonces help you ensure the intent of actions. So any sort of database modification should always have a nonce to ensure that the user is actually intending to do what they're supposed to be doing, and WordPress provides some functions to do that: wp_create_nonce, wp_verify_nonce and wp_nonce_field. Just a quick example: we're setting up the nonce with wp_nonce_field, and then whatever action is being performed, when it's being performed, we're verifying that that nonce is valid.
We encourage limiting login attempts, so this can help avoid a lot of attacks and brute-force-type situations. You know, come up with an upper limit on the reasonable number of attempts that somebody should be able to fail their password on. And requiring strong passwords: so weak passwords are one of the most common exploits that people get in through. So a good sort of best practice is to require users to create strong passwords.
Okay, so third-party code. We review every single line of code that we push to a client site. There are over 40,000 community plugins. Plugins are reviewed when they're submitted to the WordPress.org database; revisions are not. And the review guidelines for those plugins aren't really geared toward enterprise, and they're not really looking for like super important performance things. Same thing with themes. There's thousands of community themes.
They have a little bit more stringent of guidelines than plugins, but the review guidelines are not geared to enterprise. So at 10up, code review's a very, very important part of our workflow. We review every line of code that we push to a client. We also review third-party plugins and themes if we use them.
Understanding your library: very, very important. jQuery and Underscore, they're great tools. All these cool JavaScript libraries are great, but if you're using a library and you don't really understand how it works, that can lead to bad results in the end if that library changes. So we encourage people to have a real understanding of the libraries they're using and to actually have an understanding of vanilla JavaScript, which is very important. I'm moving a little bit quickly because I'm running low on time. Sorry.
So workflows. Keeping track of code history with something like Git is absolutely important, and I'm sure everybody knows that. Making sure to use descriptive commit messages. You can see how our workflow works exactly in the best practices, and it goes into detail. We're basically using a modified version of the Git Flow workflow. I mentioned we do code reviews. We actually do peer code reviews, so we have engineers review each other's code, and sometimes we have sort of like engineering managers review their code as well. But code reviews help ensure performance, security, maintainability and scalability. And that is all I have, so let's do questions. I know there's at least one.
So as you implement additional practices, for example further QA or code review processes, obviously this adds a lot more time into your development cycle. How do you approach the addition of these while trying to meet deadlines which were maybe, you know, agreed to previously?
Great question.
I think as we've matured as an organization, that's stuff that we account for in the sales process. So generally we're not going to sell a project if we can't deliver a solid project. I mean, there are times where client needs, you know, shift, and all of a sudden it's like, hey, we need to deliver this much faster. Sometimes we have to make tough decisions. But I think at the end of the day, there's always time to do a code review. Like maybe the code review's not as thorough, maybe the QA is not as thorough, but there's always time to do something, and making sure the clients understand the risks in deploying earlier than we might be comfortable with, and making sure they sign off on those risks.
Thank you.
Yeah, on a similar note, how do you handle clients who are maybe enterprise level, and you pitch them some things like, hey, we want to roll unit testing in, and they say we don't have the budget for that, or, you know, we don't think that's necessary? How do you kind of sell them to get on board with everything?
Right. Great question. Certain things we push harder than others. Unit testing is one of those things where, if clients don't want unit tests, it really depends on the project. We will try to sell them on it. If it's a much larger scale project, and we actually think it'll save us time in the long run, we might just write unit tests and not even include it as part of the sales process, because we know at the end of the day it's going to help us, you know, do better on the project. So it really, really depends on the project. But yeah, great question. Anybody else? Is that a question, Paul?
What are some of your favorite tools for linting code and measuring code quality?
Well, PHP_CodeSniffer, of course, for PHP, and I guess JSLint for JavaScript. Great question. Those are personal favorites. Time for one more question, if there is one.
I think there's one more.
All right, this is fairly specific to my personal situation. Our company is just cutting our teeth right now on, I wouldn't say that it's up to the levels of what you're defining as enterprise up here, but we're dealing for the first time with a WordPress site where there's a ton of people logged in all the time. And a lot of the tips that I'm seeing and best practices apply often to serving up content on the front end, and we're struggling really hard to have our site scale and have it not get totally bogged down by tons of administrators and people logged in on the back end. Do you have any tips?
Yeah, first of all, if you haven't already, update to PHP 7, which is supposed to give you, like, out of the box a massive performance boost. Try using something like MariaDB, which is just like a drop-in replacement for MySQL, which is supposed to give you, I don't know, like 5% improved performance on MySQL. And then I would look at the plugins that you're using and what exactly, you know, is happening code-wise. Use something like Xdebug and, I don't know, like QCachegrind to really find out where the users are getting bogged down in the code. And if it's truly that you just have a lot of users, then you need to up your, you know, your system resources.
Thank you.
Thanks, everybody.
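
The security part of the talk describes slide snippets (sanitizing a POST value before `update_post_meta`, validating a posted option, late escaping with `esc_html`/`esc_attr`, and a nonce set with `wp_nonce_field` and checked with `wp_verify_nonce`) that are not in the transcript. The plugin file below is an added example, not the speaker's slide code; the `ex_` function names, meta keys, nonce action and field names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Subtitle Meta Box
 * Description: Added illustration of nonce, sanitize, validate and late escaping.
 * All ex_* names and meta keys are hypothetical, chosen for this example.
 */

const EX_NONCE_ACTION = 'ex_save_subtitle';
const EX_NONCE_FIELD  = 'ex_subtitle_nonce';

add_action( 'add_meta_boxes', function () {
	add_meta_box( 'ex_subtitle', 'Subtitle', 'ex_render_subtitle_box', 'post' );
} );

function ex_render_subtitle_box( $post ) {
	// The nonce ties this form submission to the current user and this action.
	wp_nonce_field( EX_NONCE_ACTION, EX_NONCE_FIELD );

	$subtitle = get_post_meta( $post->ID, 'ex_subtitle', true );
	$featured = get_post_meta( $post->ID, 'ex_featured', true );
	?>
	<p>
		<label for="ex_subtitle">Subtitle</label>
		<?php // Late escaping: the value is escaped at the point of output, for an attribute context. ?>
		<input type="text" id="ex_subtitle" name="ex_subtitle" value="<?php echo esc_attr( $subtitle ); ?>" />
	</p>
	<p>
		<label>
			<input type="checkbox" name="ex_featured" value="1" <?php checked( $featured, '1' ); ?> />
			Featured
		</label>
	</p>
	<?php
}

add_action( 'save_post', 'ex_save_subtitle' );

function ex_save_subtitle( $post_id ) {
	if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
		return;
	}
	// Intent check: no valid nonce, no database modification.
	if ( ! isset( $_POST[ EX_NONCE_FIELD ] ) ) {
		return;
	}
	$nonce = sanitize_text_field( wp_unslash( $_POST[ EX_NONCE_FIELD ] ) );
	if ( ! wp_verify_nonce( $nonce, EX_NONCE_ACTION ) ) {
		return;
	}
	// A nonce proves intent, not permission, so check the capability as well.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}

	// Sanitizing: strip tags and control characters from free text before storing it.
	if ( isset( $_POST['ex_subtitle'] ) ) {
		$subtitle = sanitize_text_field( wp_unslash( $_POST['ex_subtitle'] ) );
		update_post_meta( $post_id, 'ex_subtitle', $subtitle );
	}

	// Validating: the posted value is never stored; it only selects between a
	// fixed flag and no row at all.
	if ( ! empty( $_POST['ex_featured'] ) ) {
		update_post_meta( $post_id, 'ex_featured', '1' );
	} else {
		delete_post_meta( $post_id, 'ex_featured' );
	}
}

// Front end: escape for an HTML text context at the moment of output.
add_filter( 'the_content', function ( $content ) {
	$subtitle = get_post_meta( get_the_ID(), 'ex_subtitle', true );
	if ( ! $subtitle ) {
		return $content;
	}
	return '<h2 class="ex-subtitle">' . esc_html( $subtitle ) . '</h2>' . $content;
} );
```

The stored value is escaped again on every output path even though it was sanitized on input, because the two output contexts (attribute and element text) need different escaping and the database may hold values written by other code.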