Date posted: 21-Nov-2014
Category: Software
Uploaded by: nexcessnet-llc
ExpressionEngine | EECI
Simple Steps to Performance and Security
Chris Wells – CEO – Nexcess.net LLC
Detroit, MI USA
[Map slide: where is Detroit? Region labels: West, South, North, Mid-West???, North-East, North? North-Central? Middle?]
Quick Facts About Michigan
• Michigan has the longest fresh water shoreline in the U.S. (world?) at 3,126 miles.
• Four flags have flown over Michigan:
  • French
  • English
  • Spanish
  • USA
• Michigan is split into an “upper” and “lower” peninsula
  • The upper is dubbed the “U.P.”
• Detroit had the 1st mile of concrete road laid in 1909
• Detroit is the potato chip capital of the world
  • Based on consumption
Today’s Topics
• Why performance / security?
• A few simple performance steps
• A few simple security steps
Why Care About Performance / Security?
They Affect Your Bottom Line DIRECTLY (even if you think you don’t have one)
Example Performance Wins
• Firefox browser website noted:
  • Slow page loaders downloaded the browser less often
  • 1 second of increased page load performance increased downloads by 2.7%.
• Shopzilla.com
  • Had page load times of ~7 seconds
  • Optimized to yield a 5 second decrease in page load time (7 -> 2 sec)
  • 25% increase in page views
  • 7 – 12% increase in revenue
  • 50% decrease in hardware costs!
• Google tested a page with 30 entries instead of 10 and got:
  • 20% fewer clicks
Performance Step #1 – Tune the Environment
Tune the Environment
What about PHP???
PHP Choices
• ExpressionEngine supports a variety of PHP versions (5.3.10+)
• So… Isn’t PHP just PHP?
  • NO!
• PHP 5.4 is a good deal faster than 5.3
  • Empty hash table optimizations
  • Literal tables
  • Interned strings
  • Zend Engine VM tuning
• But what does this mean for ExpressionEngine?
Benchmarking PHP
PHP 5.3.24: ~550 t/sec
PHP 5.3.24 vs. PHP 5.4.28: ~615 t/sec (~12% increase!!)
PHP 5.3.24 vs. PHP 5.4.28/.14: even upgrading from 5.4.14 shows gains of ~4%
Let’s Push Things a Little Further...
PHP 5.4.28 vs. PHP 5.5.12: ~781 t/sec
• ~25% better than 5.4
• ~41% better than 5.3
WOW
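The slides report throughput figures without showing how they were produced. As an added example (not from the deck or from Nexcess), here is a small shell harness that measures the same kind of number with ApacheBench (ab) against two deployments of the same ExpressionEngine page, one per PHP build, and computes the percentage change. The URLs, request count and concurrency are assumptions supplied by the caller; the slide's own figures are used only as sample inputs for the percentage math.

```shell
#!/bin/sh
# Added example: compare request throughput of two PHP builds serving the
# same page. Requires ApacheBench (ab) for live runs; the parsing and the
# percentage math can be exercised offline on captured ab output.

# Extract the mean "Requests per second" value from ab output on stdin.
# ab prints: "Requests per second:    615.23 [#/sec] (mean)"
ab_rps() {
    awk -F'[: ]+' '/^Requests per second/ { printf "%.1f\n", $4; exit }'
}

# Percentage change from old to cur, one decimal place (e.g. 550 -> 615 is 11.8).
pct_change() {
    awk -v old="$1" -v cur="$2" 'BEGIN { printf "%.1f\n", (cur - old) / old * 100 }'
}

# Run ab against one URL and print its requests/sec.
# Usage: bench_url http://host/path [requests] [concurrency]
bench_url() {
    url=$1; n=${2:-2000}; c=${3:-10}
    ab -q -n "$n" -c "$c" "$url" 2>/dev/null | ab_rps
}

# Compare two deployments, e.g. the same site on PHP 5.3 and on PHP 5.4.
# Usage: bench_compare http://php53.example/ http://php54.example/
bench_compare() {
    a=$(bench_url "$1") || return 1
    b=$(bench_url "$2") || return 1
    printf '%s: %s req/s\n%s: %s req/s\nchange: %s%%\n' \
        "$1" "$a" "$2" "$b" "$(pct_change "$a" "$b")"
}
```

Run each comparison several times and against a warmed-up server; a single cold run of a few hundred requests mostly measures opcode-cache fill, not the PHP engine.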
Notes On PHP 5.5.x+
• APC goes out
• OPcache is introduced
  • OPcache is the name of the bundled ZendOptimizer+ opcode caching system
  • Seems to work out of the box without too much fuss
  • More research is needed here – was very surprised with the performance results
• For developers PHP 5.5+ adds:
  • “finally”
  • Finally!! New password hashing API
  • The empty() built-in now supports arbitrary expressions
Let’s Push Things a Little Further…
PHP 5.5.12 vs. PHP 5.6.0-BETA: essentially equal within margin of error
Let’s…
PHP 5.5.12 vs. PHP-NG
• We couldn’t get it running in a stable manner
Notes on PHP-NG
• Removes numerous heap allocations (and de-allocations)
• Stores more native data directly on the stack
• Removes the need to garbage collect basic primitives (bool, long, etc.)
• PHP’s reported WordPress benchmarks show very good results
  • 26.75 sec -> 14.10 sec (~48% improvement)
  • 9.5M instructions -> 3.4M internal instructions executed (HUGE reduction)
• Take some comfort in knowing that more gains are on the way from the PHP folks directly
Short story: use PHP 5.4+, 5.5 if you’re able
Performance Step #2 – Tune ExpressionEngine
Basic ExpressionEngine Tuning
• Out of the box ExpressionEngine performs!
• Cache Cache Cache! Ensure you use all available caching
  • Tag caching
  • Template caching
  • Dynamic channel query caching
  • Query disabling
  • Use in-memory caching if at all possible (CE Cache, memcache)
  • See our whitepaper for an in-depth look at caching options
• Use a CDN
We’re Performing! Now What?
• Performance is not a one-time activity (monitor often)
• The 80/20 rule is a good guide (Pareto’s Principle)
  • “…roughly 80% of the effects come from 20% of the causes…”
• Make performance part of your design/development process
  • Choose add-ons based on a performance SLA
  • Make sure your developers understand how to design/code for performance
  • Not all 3rd party add-ons are created equal!
• Software/code optimization can only go so far – hardware can help
  • Dedicated database and web servers may be needed
Side Effects of Good Performance
• Faster sites are stickier – Wikia.com’s re-architecting found:
  • ~15% exit rate for a 2 second page load
  • ~10% exit rate for a 1 second page load
• Faster sites yield higher search engine placement
  • Google / Bing / Yahoo! use speed as a metric in their algorithms
• You’re more ready for that OMG day
  • Check out EE’s “Handling Extreme Traffic” page regardless
• Faster doesn’t have to mean more expensive
  • Costs can often be lowered as a result of caching & optimization
  • Remember shopzilla.com?
On to Security! (Make hackers sad)
Security Step #1 – Secure the Environment
Environment Security
• Practice least-privilege in all aspects of the environment
• Use a firewall (and actually configure it)
• Use an intrusion prevention system (and actually configure it)
  • Mod_security works well!
  • Applies rule matching against URL requests to thwart many attacks
• Choose correct file permissions
  • 600 for PHP/configuration files (if able)
  • 700 for directories (yep, if able)
• Use HTTPS
• Lean on your hosting provider for help (it’s their job!!!)
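The permission targets above (600 for PHP and configuration files, 700 for directories) are easy to state and easy to drift from after an upgrade or an add-on install. As an added example (not from the deck or from Nexcess), the following shell script audits a web root against those targets and can apply them; the web root path is an assumption passed by the caller, and nothing in it is ExpressionEngine-specific.

```shell
#!/bin/sh
# Added example: audit a web root against 600 for PHP/config files and
# 700 for directories, and optionally apply those modes.

# Print one "file <path>" or "dir <path>" line per deviation.
# Usage: perm_audit /path/to/webroot
perm_audit() {
    root=$1
    # PHP and configuration files whose mode is not exactly 0600
    find "$root" -type f \( -name '*.php' -o -name '*.conf' -o -name '.htaccess' \) \
        ! -perm 600 -print | sed 's/^/file /'
    # directories whose mode is not exactly 0700
    find "$root" -type d ! -perm 700 -print | sed 's/^/dir /'
}

# Number of deviations; 0 means the tree matches the targets.
perm_audit_count() {
    perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the targets. Directories first so the owner keeps traversal
# rights while files are being changed.
# Usage: perm_fix /path/to/webroot
perm_fix() {
    root=$1
    find "$root" -type d -exec chmod 700 {} +
    find "$root" -type f \( -name '*.php' -o -name '*.conf' -o -name '.htaccess' \) \
        -exec chmod 600 {} +
}
```

The "if able" on the slide matters: 600/700 only work when PHP executes as the user that owns the files (per-user PHP-FPM pools, suPHP and the like). Under a shared mod_php user the web server cannot read 0600 files, so run `perm_audit` first, fix a staging copy, and confirm the site still serves before touching production. Also re-run the audit after every update, since installers commonly recreate files with 644/755.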
Security Step #2 – Secure ExpressionEngine
Basic ExpressionEngine Security
• Follow the EE best practices
• Keep ExpressionEngine up to date
  • I know, I know – easier said than done … but do it
• ExpressionEngine is very secure by default (but really, keep it updated)
• Keep PHP up to date (or patched)
• Keep add-ons up to date
  • Add-ons are often forgotten as a source of vulnerability
• Restrict admin access
  • Limit by IP and/or by renaming admin.php
• Rename the system directory
• Create unique user accounts (i.e. don’t share!)
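Two of the steps above, renaming admin.php and the system directory and limiting control-panel access by IP, can be checked and partly automated from the shell. As an added example (not from the deck, from Nexcess, or from ExpressionEngine itself), this script flags an install that still uses the default names and emits an Apache 2.4 rule that allows only listed addresses to reach the renamed control-panel file. It assumes the EE 2.x layout in which the front controller (index.php) sets a `$system_path` variable; the install path, the renamed file name and the IP addresses are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: detect default ExpressionEngine names and generate an
# IP allow-list for the control-panel entry file.

# Print one finding per line; prints nothing when both defaults are gone.
# Usage: ee_default_names /path/to/webroot
ee_default_names() {
    root=$1
    [ -f "$root/admin.php" ] && echo "default control panel file present: $root/admin.php"
    [ -d "$root/system" ]    && echo "default system directory present: $root/system"
    # The front controller records where the system directory lives; flag
    # it if it still points at a directory literally named "system".
    if [ -f "$root/index.php" ]; then
        sp=$(grep '^\$system_path' "$root/index.php" | head -n 1 \
             | sed 's/^[^=]*= *//; s/;.*//' | tr -d "'\"")
        case "$sp" in
            system|./system|*/system) echo "index.php points \$system_path at the default: $sp" ;;
        esac
    fi
    return 0
}

# Number of default-name findings; 0 is the goal.
ee_default_names_count() {
    ee_default_names "$1" | wc -l | tr -d ' '
}

# Emit an Apache 2.4 <Files> block that lets only the listed addresses
# (single IPs or CIDR ranges) reach the renamed control-panel file;
# every other client receives 403. Apache 2.2 needs Order/Allow/Deny instead.
# Usage: cp_allowlist cp-entry.php 203.0.113.10 198.51.100.0/24
cp_allowlist() {
    file=$1; shift
    [ $# -gt 0 ] || { echo "cp_allowlist: need at least one allowed address" >&2; return 1; }
    printf '<Files "%s">\n' "$file"
    printf '    Require ip %s\n' "$*"
    printf '</Files>\n'
}
```

Renaming is obscurity, not access control; the `Require ip` block (or an equivalent on nginx) is what actually limits who can reach the login form, and the unique accounts on the slide are what make the control-panel audit log meaningful afterwards.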
Security Step #3 – Secure Your Workflow
Basic Security
• Password security
  • Passwords do not necessarily need to be complex
    • PillowCarpetTelevision32: 24 characters!!
  • Don’t reuse passwords on other sites
  • I hate this slogan but…
    • The most secure password is the one you don’t remember
  • Use LastPass or something like it.
  • Use 2-factor authentication if available
• Use a secure means to publish
  • Avoid FTP!
• Ensure backups exist (and are recent)
• Trust but verify your hosting arrangements
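The PillowCarpetTelevision32 example makes the slide's point that length beats complexity. As an added example (not from the deck or from Nexcess), here is a shell generator for passphrases of that shape, plus a length-first acceptance check of the kind a password policy could apply. The word list is a small constructed sample, and the optional seed argument exists only so the output is reproducible in tests.

```shell
#!/bin/sh
# Added example: generate "WordWordWordNN" passphrases and check candidates
# against a length-first policy.

# Constructed sample list. Real generators use several thousand words so
# that each word adds meaningful entropy (20 words x 3 is only 8,000 combos).
WORDS="pillow carpet television window garden copper marble thunder saddle lantern
violin harbor pepper meadow anchor basket falcon timber orchid summit"

# Usage: gen_passphrase [words] [seed]
# Omit the seed in real use so awk seeds from the clock.
gen_passphrase() {
    n=${1:-3}; seed=$2
    printf '%s\n' $WORDS | awk -v n="$n" -v seed="$seed" '
        { w[NR] = $0 }
        END {
            if (seed == "") srand(); else srand(seed)
            out = ""
            for (i = 0; i < n; i++) {
                k = int(rand() * NR) + 1
                # capitalise each word so the boundaries stay readable
                out = out toupper(substr(w[k], 1, 1)) substr(w[k], 2)
            }
            # two trailing digits, as in the slide example
            printf "%s%02d\n", out, int(rand() * 100)
        }'
}

# Policy: at least 20 characters and none of a few known-bad fragments.
# Returns 0 when acceptable, 1 otherwise. Length is checked first because
# it is the property that actually resists guessing.
passphrase_ok() {
    p=$1
    [ "${#p}" -ge 20 ] || return 1
    case "$p" in
        *password*|*Password*|*qwerty*|*123456*) return 1 ;;
    esac
    return 0
}
```

Pair this with the slide's other two points: the generated phrase goes into a password manager rather than being reused, and 2-factor authentication limits the damage if it leaks anyway.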
Performance and Security are NOT Spectator Sports! (do your best!)
Questions?