ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)
ExpressionEngine | EECI
Simple Steps to Performance and Security
CHRIS WELLS – CEO – NEXCESS.NET LLC
Detroit, MI USA
WEST
SOUTH
NORTH
MID-WEST???
NORTH-EAST
NORTH?
NORTH-CENTRAL?
MIDDLE?
Quick Facts About Michigan
• Michigan has the longest fresh water shoreline in the U.S. (world?) at 3,126 miles.
• Four flags have flown over Michigan:
  • French
  • English
  • Spanish
  • USA
• Michigan is split into an “upper” and “lower” peninsula
  • The upper is dubbed the “U.P.”
• Detroit had the 1st mile of concrete road laid in 1909
• Detroit is the potato chip capital of the world
  • Based on consumption
Today’s Topics
• Why performance / security?
• A few simple performance steps
• A few simple security steps
Why Care About Performance / Security?
They Affect Your Bottom Line DIRECTLY
(even if you think you don’t have one)
Example Performance Wins
• Firefox browser website noted:
  • Slow page loaders downloaded the browser less often
  • 1 second of increased page load performance increased downloads by 2.7%.
• Shopzilla.com
  • Had page load times of ~7 seconds
  • Optimized to yield a 5 second decrease in page load time (7 -> 2 sec)
  • 25% increase in page views
  • 7 – 12% increase in revenue
  • 50% decrease in hardware costs!
• Google tested a page 1 with 30 entries instead of 10 and got:
  • 20% fewer clicks
Performance Step #1 – Tune the Environment
Tune the Environment
• What About PHP???
PHP Choices
• ExpressionEngine supports a variety of PHP versions (5.3.10+)
• So… Isn’t PHP just PHP?
  • NO!
• PHP 5.4 is a good deal faster than 5.3
  • Empty hash table optimizations
  • Literal tables
  • Interned strings
  • Zend Engine VM tuning
• But what does this mean for ExpressionEngine?
Benchmarking PHP
PHP 5.3.24
~550 t/sec
PHP 5.3.24 vs. PHP 5.4.28
~615 t/sec (~12% increase!!)
PHP 5.3.24 vs. PHP 5.4.28/.14
Even upgrading from 5.4.14 shows gains of ~4%
Let’s Push Things a Little Further...
PHP 5.4.28 vs. PHP 5.5.12
~781 t/sec
~25% better than 5.4
~41% better than 5.3
WOW
Notes On PHP 5.5.x+
• APC goes out
• OPcache is introduced
  • OPcache is the name of the bundled ZendOptimizer+ opcode caching system
  • Seems to work out of the box without too much fuss
  • More research is needed here – was very surprised with the performance results
• For developers PHP 5.5+ adds:
  • “finally”
  • Finally!! New password hashing API
  • The empty() built-in now supports arbitrary expressions
Let’s Push Things a Little Further…
PHP 5.5.12 vs. PHP 5.6.0-BETA
Essentially equal within margin of error
Let’s…
PHP 5.5.12 vs. PHP-NG
• We couldn’t get it running in a stable manner
Notes on PHP-NG
• Removes numerous heap allocations (and de-allocations)
• Stores more native data directly on the stack
• Removes the need to garbage collect basic primitives (bool, long, etc)
• PHP’s reported WordPress benchmarks show very good results
  • 26.75 sec -> 14.10 sec (~48% improvement)
  • 9.5M instructions -> 3.4M internal instructions executed (HUGE reduction)
• Take some comfort in knowing that more gains are on the way from PHP folks directly
Short story: use PHP 5.4+, 5.5 if you’re able
Performance Step #2 – Tune ExpressionEngine
Basic ExpressionEngine Tuning
• Out of the box ExpressionEngine performs!
• Cache Cache Cache! Ensure you use all available caching
  • Tag caching
  • Template caching
  • Dynamic channel query caching
  • Query disabling
• Use in-memory caching if at all possible (CE Cache, memcache)
• See our whitepaper for an in-depth look at caching options
• Use a CDN
We’re Performing! Now What?
• Performance is not a one-time activity (monitor often)
• The 80/20 rule is a good guide (Pareto’s Principle)
  • “…roughly 80% of the effects come from 20% of the causes…”
• Make performance part of your design/development process
  • Choose add-ons based on a performance SLA
  • Make sure your developers understand how to design/code for performance
  • All 3rd party add-ons are not created equal!
• Software/code optimization can only go so far – hardware can help
  • Dedicated database and web servers may be needed
Side Effects of Good Performance
• Faster sites are stickier – Wikia.com’s re-architecting found:
  • ~15% exit rate for a 2 second page load
  • ~10% exit rate for a 1 second page load
• Faster sites yield higher search engine placement
  • Google / Bing / Yahoo! use speed as a metric in their algorithms
• You’re more ready for that OMG day
  • Check out EE’s “Handling Extreme Traffic” page regardless
• Faster doesn’t have to mean more expensive
  • Costs can often be lowered as a result of caching & optimization
  • Remember shopzilla.com?
On to Security!
(Make hackers sad)
Security Step #1 – Secure the Environment
Environment Security
• Practice least-privilege in all aspects of the environment
• Use a firewall (and actually configure it)
• Use an intrusion prevention system (and actually configure it)
  • Mod_security works well!
  • Applies matching vs. URL requests to thwart many attacks
• Choose correct file permissions
  • 600 for PHP/configuration files (if able)
  • 700 for directories (yep, if able)
• Use HTTPS
• Lean on your hosting provider for help (it’s their job!!!)
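One way to check a web root against the permission targets on this slide, as an added example that is not material from the talk: it lists PHP files and directories that grant any group or other access, and can tighten them to 600/700. The sample tree and its file names are constructed, and the "if able" caveat matters because 600/700 only works when PHP runs as the account that owns the files.

```shell
#!/bin/sh
# Added example: audit a web root against the slide's targets
# (600 for PHP/configuration files, 700 for directories).

# "-perm /077" is a GNU extension, so OR the six group/other bits instead.
GO_BITS='( -perm -001 -o -perm -002 -o -perm -004 -o -perm -010 -o -perm -020 -o -perm -040 )'

# List PHP files that grant any access to group or other.
loose_php_files() {
    find "$1" -type f -name '*.php' $GO_BITS -print | sort
}

# List directories that grant any access to group or other.
loose_dirs() {
    find "$1" -type d $GO_BITS -print | sort
}

# Number of findings; 0 means the tree already meets the targets.
audit_webroot() {
    { loose_php_files "$1"; loose_dirs "$1"; } | wc -l | tr -d ' '
}

# Apply the targets. Only safe when PHP runs as the owner of the files.
tighten_webroot() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -name '*.php' -exec chmod 600 {} +
}

# Constructed sample tree (hypothetical names) for trying the audit offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/system/config" "$root/images"
    : > "$root/index.php"
    : > "$root/system/config/config.php"
    : > "$root/images/logo.png"
    chmod 755 "$root" "$root/system" "$root/system/config" "$root/images"
    chmod 644 "$root/index.php" "$root/images/logo.png"
    chmod 666 "$root/system/config/config.php"
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/webroot
if [ -n "${1:-}" ]; then
    loose_php_files "$1"
    loose_dirs "$1"
fi
```

tighten_webroot leaves non-PHP files such as images alone; extend the -name test if configuration lives in other file types.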
Security Step #2 – Secure ExpressionEngine
Basic ExpressionEngine Security
• Follow the EE best practices
• Keep ExpressionEngine up to date
  • I know, I know – easier said than done … but do it
  • ExpressionEngine is very secure by default (but really, keep it updated)
• Keep PHP up to date (or patched)
• Keep add-ons up to date
  • Add-ons are often forgotten as a source of vulnerability
• Restrict admin access
  • Limit by IP and/or by renaming admin.php
  • Rename the system directory
• Create unique user accounts (i.e. don’t share!)
Security Step #3 – Secure Your Workflow
Basic Security
• Password security
  • Passwords do not necessarily need to be complex
    • PillowCarpetTelevision32 (24 characters!!)
  • Don’t reuse passwords on other sites
  • I hate this slogan but…
    • The most secure password is the one you don’t remember
    • Use LastPass or something like it.
• Use 2-factor authentication if available
• Use a secure means to publish
  • Avoid FTP!
• Ensure backups exist (and are recent)
• Trust but verify your hosting arrangements
Performance and Security are NOT Spectator Sports!
(do your best!)
Questions?