ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Date post: 21-Nov-2014
Upload: nexcessnet-llc
Page 1: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

ExpressionEngine | EECI

Simple Steps to Performance and Security

CHRIS WELLS – CEO – NEXCESS.NET LLC

Page 2: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Detroit, MI USA

[Map with region labels: WEST, SOUTH, NORTH, MID-WEST???, NORTH-EAST, NORTH? NORTH-CENTRAL? MIDDLE?]

Page 3: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Quick Facts About Michigan

• Michigan has the longest fresh water shoreline in the U.S. (world?) at 3,126 miles.
• Four flags have flown over Michigan:
  • French
  • English
  • Spanish
  • USA
• Michigan is split into an “upper” and “lower” peninsula
  • The upper is dubbed the “U.P.”
• Detroit had the 1st mile of concrete road laid in 1909
• Detroit is the potato chip capital of the world
  • Based on consumption

Page 4: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Today’s Topics

•Why performance / security?

•A few simple performance steps

•A few simple security steps

Page 5: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Why Care About Performance / Security?

Page 6: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

They Affect Your Bottom Line DIRECTLY (even if you think you don’t have one)

Page 7: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Example Performance Wins

• Firefox browser website noted:
  • Slow page loaders downloaded the browser less often
  • 1 second of increased page load performance increased downloads by 2.7%.
• Shopzilla.com
  • Had page load times of ~7 seconds
  • Optimized to yield a 5 second decrease in page load time (7 -> 2 sec)
  • 25% increase in page views
  • 7 – 12% increase in revenue
  • 50% decrease in hardware costs!
• Google tested a page 1 with 30 entries instead of 10 and got:
  • 20% fewer clicks

Page 8: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Performance Step #1 – Tune the Environment

Page 9: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Tune the Environment

•What

•About

•PHP???

Page 10: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

PHP Choices

• ExpressionEngine supports a variety of PHP versions (5.3.10+)
• So… Isn’t PHP just PHP?
  • NO!
• PHP 5.4 is a good deal faster than 5.3
  • Empty hash table optimizations
  • Literal tables
  • Interned strings
  • Zend Engine VM tuning
• But what does this mean for ExpressionEngine?

Page 11: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Benchmarking PHP

Page 12: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

PHP 5.3.24

~550 t/sec

Page 13: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

PHP 5.3.24 vs. PHP 5.4.28

~615 t/sec (~12% increase!!)

Page 14: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

PHP 5.3.24 vs. PHP 5.4.28/.14

Even upgrading from 5.4.14 shows gains of ~4%

Page 15: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Let’s Push Things a Little Further...

Page 16: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

PHP 5.4.28 vs. PHP 5.5.12

~781 t/sec

~25% better than 5.4

~41% better than 5.3

WOW

Page 17: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Notes On PHP 5.5.x+

• APC goes out
• OPcache is introduced
  • OPcache is the name of the bundled ZendOptimizer+ opcode caching system
  • Seems to work out of the box without too much fuss
  • More research is needed here – was very surprised with the performance results
• For developers PHP 5.5+ adds:
  • “finally”
  • Finally!! New password hashing API
  • The empty() built-in now supports arbitrary expressions

Page 18: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Let’s Push Things a Little Further…

Page 19: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

PHP 5.5.12 vs. PHP 5.6.0-BETA

Essentially equal within margin of error

Page 20: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Let’s…

Page 21: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

PHP 5.5.12 vs. PHP-NG

• We couldn’t get it running in a stable manner

Page 22: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Notes on PHP-NG

• Removes numerous heap allocations (and de-allocations)
• Stores more native data directly on the stack
• Removes the need to garbage collect basic primitives (bool, long, etc)
• PHP’s reported WordPress benchmarks show very good results
  • 26.75 sec -> 14.10 sec (~48% improvement)
  • 9.5M instructions -> 3.4M internal instructions executed (HUGE reduction)
• Take some comfort in knowing that more gains are on the way from PHP folks directly

Page 23: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Short story: use PHP 5.4+, 5.5 if you’re able

Page 24: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Performance Step #2 – Tune ExpressionEngine

Page 25: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Basic ExpressionEngine Tuning

• Out of the box ExpressionEngine performs!
• Cache Cache Cache! Ensure you use all available caching
  • Tag caching
  • Template caching
  • Dynamic channel query caching
  • Query disabling
• Use in-memory caching if at all possible (CE Cache, memcache)
  • See our whitepaper for an in-depth look at caching options
• Use a CDN

Page 26: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

We’re Performing! Now What?

• Performance is not a one-time activity (monitor often)
• The 80/20 rule is a good guide (Pareto’s Principle)
  • “…roughly 80% of the effects come from 20% of the causes…”
• Make performance part of your design/development process
  • Choose add-ons based on a performance SLA
  • Make sure your developers understand how to design/code for performance
  • All 3rd party add-ons are not created equal!
• Software/code optimization can only go so far – hardware can help
  • Dedicated database and web servers may be needed

Page 27: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Side Effects of Good Performance

• Faster sites are stickier – Wikia.com’s re-architecting found:
  • ~15% exit rate for a 2 second page load
  • ~10% exit rate for a 1 second page load
• Faster sites yield higher search engine placement
  • Google / Bing / Yahoo! use speed as a metric in their algorithms
• You’re more ready for that OMG day
  • Check out EE’s “Handling Extreme Traffic” page regardless
• Faster doesn’t have to mean more expensive
  • Costs can often be lowered as a result of caching & optimization
  • Remember shopzilla.com?

Page 28: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

On to Security! (Make hackers sad)

Page 29: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Security Step #1 – Secure the Environment

Page 30: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Environment Security

• Practice least-privilege in all aspects of the environment
• Use a firewall (and actually configure it)
• Use an intrusion prevention system (and actually configure it)
  • Mod_security works well!
  • Applies matching vs. URL requests to thwart many attacks
• Choose correct file permissions
  • 600 for PHP/configuration files (if able)
  • 700 for directories (yep, if able)
• Use HTTPS
• Lean on your hosting provider for help (it’s their job!!!)
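
The file-permission targets on this slide can be checked mechanically. The following is an added example, not part of the original deck: a POSIX shell audit that lists PHP files and directories granting any group/other access, plus an optional fix. The function names and the sample tree are constructed for illustration, and it assumes the web server and PHP both run as the site owner (the "if able" condition).

```shell
#!/bin/sh
# Added example, not from the slides. Assumes the web server and PHP both run
# as the site owner; otherwise 600/700 makes the site unreadable.

# POSIX find expression matching any group/other permission bit (mask 077).
LOOSE='( -perm -040 -o -perm -020 -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 )'

# audit_perms ROOT: list PHP files and directories that grant group/other access.
audit_perms() {
    # $LOOSE is deliberately unquoted so it splits into separate find arguments.
    find "$1" -type f -name '*.php' $LOOSE -exec echo FILE {} \;
    find "$1" -type d $LOOSE -exec echo DIR {} \;
}

# count_loose ROOT: number of findings, usable as a cron or deploy check.
count_loose() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# fix_perms ROOT: apply 700 to directories and 600 to PHP files only.
# The modes of static assets (images, CSS) are left unchanged.
fix_perms() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -name '*.php' -exec chmod 600 {} +
}

# make_sample_tree: constructed demo tree with loose modes (755/644/666).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/system" "$t/images"
    : > "$t/index.php"; : > "$t/system/config.php"; : > "$t/images/logo.png"
    chmod 755 "$t" "$t/system" "$t/images"
    chmod 644 "$t/index.php" "$t/images/logo.png"
    chmod 666 "$t/system/config.php"   # world-writable config: worst case
    echo "$t"
}

# Usage: sh audit.sh /path/to/site   (prints findings; makes no changes)
if [ $# -gt 0 ]; then
    audit_perms "$1"
fi
```

Run the audit first and review the list before calling `fix_perms`; on hosts where the web server runs as a separate user, 700 directories will block static file delivery.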

Page 31: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Security Step #2 – Secure ExpressionEngine

Page 32: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Basic ExpressionEngine Security

• Follow the EE best practices
• Keep ExpressionEngine up to date
  • I know, I know – easier said than done … but do it
  • ExpressionEngine is very secure by default (but really, keep it updated)
• Keep PHP up to date (or patched)
• Keep add-ons up to date
  • Add-ons are often forgotten as a source of vulnerability
• Restrict admin access
  • Limit by IP and/or by renaming admin.php
• Rename the system directory
• Create unique user accounts (i.e. don’t share!)

Page 33: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Security Step #3 – Secure Your Workflow

Page 34: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Basic Security

• Password security
  • Passwords do not necessarily need to be complex
    • PillowCarpetTelevision32: 24 characters!!
  • Don’t reuse passwords on other sites
  • I hate this slogan but…
    • The most secure password is the one you don’t remember
  • Use LastPass or something like it.
  • Use 2-factor authentication if available
• Use a secure means to publish
  • Avoid FTP!
• Ensure backups exist (and are recent)
• Trust but verify your hosting arrangements

Page 35: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Performance and Security are NOT Spectator Sports! (do your best!)

Page 36: ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)

Questions?

