Some notes from last night’s MWUG meeting. Something I don’t get along to often enough, as Mike has mentioned on occasion. :)
Mike’s intro…
4.1 is out:
- New default theme: TwentyFifteen, but watch out for the lack of a default menu
- New template tags, e.g. get_the_archive_description
- Taxonomy, date, comment and meta queries improved (including meta now taking nested queries)
- Revamped Distraction Free Writing (DFW) mode
Security issues around:
- RevSlider plugin vulnerability… code from this plugin was included in many many themes, check your theme code, documentation, and settings for this, and if it’s there you may well be compromised, so seek advice
- InfiniteWP Client security issues
General news:
- New version of Jetpack introduces Jetpack Manage, which allows you to manage a number of WordPress sites from one place, allowing you to write to self hosted and WordPress.com blogs all from the WordPress.com interface
- WordPress Foundation has created a Travelling Scholarship in memory of Kim Parsell, a very active member of the , to assist women in WordPress to travel to WordCamps
- VersionPress released to early backers, similar to a Git repo of your WordPress install with every action a commit and allows you to revert a single configuration change amongst other changes (e.g. not just the last change)
- BuddyPress Global Search Plugin provides unified search of all BuddyPress components
- New design for the WordPress Themes directory; try it here. This is part of a revamp of WordPress.org to hopefully make it multilingual. Give feedback if you’ve got any.
- WordPress 4.2 will automatically enable pretty permalinks on activation
- Better Search and Replace plugin; based on Interconnect IT’s work
- Remember to check out WordPress StackExchange as a resource for technical questions alongside https://WordPress.org/support
- Jenny Wong has badges, not badgers
- ACF v5 changes the paid licence to a single Premium version on a per site basis, and there may be some changes which break backwards compatibility
- If you are running an ecommerce store, you need to look into the new EU VAT changes; see HMRC and this note on Gov.UK for details, and check for plugins which may help. This is a legal requirement
WordCamps:
- WordCamp Birmingham 7-8 Feb (buy before noon tomorrow to get a tshirt) http://2015.birminghamuk.wordcamp.org/
- WordCamp London 20-22 March (tickets on sale) http://london.wordcamp.org/2015/ including a Not For Profit track
- WordCamp Europe rumours abound… suffice to say it’s in Europe
- WordCamp Manchester at some time later this year
Plugins which caught people’s eye:
- Prevent Concurrent Logins – good for membership sites to constrain multiple logins on the same account from different locations (https://wordpress.org/plugins/prevent-concurrent-logins/)
- User Session Control – also based on the new session control API in WP 4.1, allows session control (natch) (https://wordpress.org/plugins/user-session-control/)
- Export Plus – allows additional controls over your export, but does it work through the WP CLI (https://wordpress.org/plugins/export-plus/)
- Stream – (http://wpstream.com) … beware that the monthly subscriptions store the data outside of the EU; see also The Auditor from Interconnect IT, which is a premium plugin, and WP White Hat Security
- New Relic is a much more technical product, which allows you to check into the running of your server and the server programs like PHP and MySQL (http://newrelic.com/)
- See also Z-Ray, a Zend Server development platform which allows you a lot of debugging, profiling, etc information as you develop (http://www.zend.com/en/products/server/z-ray)
Moving into the second, more technical half of the evening…
Technical News
- WP Engine, who have an HHVM product called Mercury, have released a Vagrant, HGV, in conjunction with 10Up
- Tim Nash is speaking on HHVM at WordCamp Birmingham
- Features as Plugins article on WP Tavern covers some issues with the development process (http://wptavern.com/the-features-as-plugins-first-model-is-a-mess), and check out the Feature Plugins which are nominated for inclusion in 4.2 and beyond
- Access Monitor plugin tests WordPress sites for compliance using the Tenon.io web accessibility service
- UpFront Conf buy early bird tickets now! 19 May 2015
- PHP UK (in that London) including Jenny Wong keynoting and Aaron Jorbin speaking on WordPress 19-20 February 2015
Main technical talk: Hosting Sites on Nginx by Mike
Mike’s going to be posting his Nginx config files, but I’m not sure if it’ll be on his blog or the MWUG site.
Nginx is a lighter weight, faster alternative to Apache as a web server. Switching to Nginx in a high intensity situation allowed Mike to halve the processors on a server. There was some code optimisation too, but the main difference was using Nginx rather than Apache.
Mike uses a Vultr VPS, 100% SSD VMs. Lower tier is adequate for many types of sites.
First thing Mike does is install an open source web admin control panel called Virtualmin, which even handles the installation of the web stack for you. Some manual setup is needed with Nginx, but it mostly does it for you. There are some docs on Nginx setup on Virtualmin. Mike likes to set up the files as owned by root, so unwritable by PHP, meaning even if something does “get in” it can’t write code.
Virtualmin allows you to set up a new virtual server to contain your user, first step being to set up with just Nginx and MySQL (turning everything else off). From this point, WordPress will run fine (but without pretty permalinks).
Some good tutorials for WordPress on Nginx at RT Camp, but they do assume one site on one server. Here you can grab the equivalent of the WordPress .htaccess rewrite rules.
Mike’s not logging robots.txt, favicon.ico access to avoid logging information he’s not interested in. He’s also banning access to debug logs, and specific locations where WooCommerce adds log files (so these aren’t publicly accessible).
RT Camp have a tutorial to create a rule to block certain types of BruteForce attacks on your WordPress login.
Virtualmin sets up a unique socket for each site, and assigns a unique set of PHP threads to that site, to avoid rogue code altering other sites.
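An added example (not Mike’s config files, and not taken from the RT Camp tutorials) showing one way the pieces described above can sit together in a single Nginx site config: the permalink rewrite equivalent, unlogged robots.txt and favicon.ico, blocked log files, a login rate limit and a per-site PHP socket. The server name, document root, socket path, WooCommerce log directories and rate-limit values are assumptions, and using limit_req for the login rule is one common approach rather than necessarily the one in the tutorial.

```nginx
# Added example with placeholder names and paths. Assumes this file is
# included inside the http {} context (e.g. from conf.d/ or sites-enabled/).

# Shared-memory zone tracking request rate per client IP (assumed values).
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/s;

server {
    listen 80;
    server_name example.com;                 # placeholder
    root /home/example/public_html;          # placeholder
    index index.php;

    # Equivalent of the WordPress .htaccess rewrite rules (pretty permalinks).
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Keep uninteresting requests out of the access and error logs.
    location = /robots.txt  { access_log off; log_not_found off; }
    location = /favicon.ico { access_log off; log_not_found off; }

    # Debug log and WooCommerce log directories (assumed paths) are not served.
    # These regex locations come before the PHP one, so they win on a match.
    location ~* /wp-content/debug\.log$ { deny all; }
    location ~* ^/wp-content/(uploads/wc-logs|plugins/woocommerce/logs)/ { deny all; }

    # Throttle login attempts; the exact match takes priority over \.php$ below.
    location = /wp-login.php {
        limit_req zone=wplogin burst=5 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-example.sock;   # placeholder per-site socket
    }

    # All other PHP goes to this site's own PHP process pool via its socket.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-example.sock;   # placeholder per-site socket
    }
}
```

Run `nginx -t` after editing to check the syntax before reloading.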
Mike pronounces “dir” as “dear”, which makes his explanations nice to listen to (I always say “durr”, which is much less kind on the ears).