Getting your Trinity Audio player ready…
|
Today is just another Saturday in rainy November in Kuala Lumpur. Two months back, our junior developer Jinny informed me about WordCamp KL and asked if I would sponsor her to attend. I said yes, paid the RM70 (A$30) and as a result became a volunteer myself and wrote the press release for the conference and published it via PRNews.gointernationalgroup.com – a website built on WordPress!
Welcome to WordCamp KL 2018!
The organisers; Sam Suresh Lead for WCKL2017, David Wang WCKL Meetup Organiser and WCKL2018 Lead Rindy Portfolio welcomed everyone and we were all ushered into the Roti Canai Room. First up, was keynote speaker Asif Rahman, a very very young retiree, serial entrepreneur and startup investor. Bragging rights, he has, of being 34 and retired after building a series of companies. WeDevs. Check out his LinkedIn profile – retired at 34! was his intro, and that surely captured the attention of many yearning the same.
Asif spoke about being an entrepreneur in the WordPress industry. He recently retired as CEO of weDevs, and is also the founder of ARCom, Analytify, Alo Ventures, WPDeveloper (a WordPress product marketplace) and many more. What I found most interesting is his passion about WP. He’s appeared in nearly 100 WordCamps all around the world and spoken in over 20 WordCamps.
WordPress Dev Resource by Lorna Timbah
The next track I joined was one which featured Community Manager @ Google Developer Group Kota Kinabalu, Lead @ Women Techmakers Kota Kinabalu, Lead Organiser @ Startup Weekend Kota Kinabalu, Curator @ Startup Digest Kota Kinabalu, Microsoft Certified Systems Engineer, G Suite and Google Cloud consultant and HRDF Certified Trainer – Lorna Timbah. She’s an entrepreneur, freelancer, hustler and Mom. And other cool stuff.
Lorna shares with us how web development is her first love after her children, and has been building websites for 20 years. She advises new developers to learn PHP first, then only go into JavaScript. Making your transition from being a web developer to building an app can be frustrating. How do you even start? One can quickly pick up new technologies like hybrid apps like Ionic, or build apps using CSS, HTML and JavaScript.
She loves plugins, and page builders, but as you use more of that the slower your site becomes. Her favourite is widgets!
Make sure all of your JS files appear right before the closing of the files at the bottom.
The bootstrap theme she uses depends on the jquery.
Question time!
- Lorna, do you prototype? Lorna says, if you build quickly, you won’t have time to prototype. Use page builders to be quick, but… that is an issue as loading time can be long. My prototype technique would be to download an existing theme then change the codes one by one.
- Where do I start? Backend or frontend first? Hehe. OK, here’s how she replied. It depends on what you like doing first. If you like designing, and have an eye for it, work on the front-end first. But if you prefer troubleshooting and coding then work on the backend first. Then again, templates are great!
Fitgear Malaysia
This isn’t in the conference structure. But you know, when you’re sitting in a conference, your mind tends to wander. I kept thinking about my own platform, a WordPress-based website that offers a one-stop activation platform for fitness, sport and wellness enthusiasts. While listening to her, I got distracted and found this company on LinkedIn. I checked out their site to find that they used a chat bot – https://www.tidiochat.com/ which was pretty neat. Then I realised this was a shopping site founded by a friend! What a small world.
Now, let’s get back to the conference.
Themeum
One of the sponsors, got up and spoke and tells us that she spends 10 hours a day to talk about WordPress. Turns out, she’s from Themeum, according to their website, it’s a state of the art WordPress themes and plugins development company on a mission to upgrade your WordPress experience with high quality WordPress themes and plugins. They’re the guys behind WP Page Builder – a tool I’ve used before in the WordPress environment. I wonder about their relevance once Gutenberg kicks into place.
The guy that sat next to me was fidgeting. So I asked him where he was from. Gave me his card, and I checked out his site: https://rekamy.com/. Interesting who you meet at these conferences.
WordPress Theme for Academics
I jumped across to the other side of the ballroom and walked into the Char Keow Teow (CKT) Track, only to find Dr. Hafiz Hanif – an Instructional Education Technologist from Universiti Pendidikan Sultan Idris who has been teaching educational technology for future teachers. UPSI was a teacher’s college and has evolved into a university and is the largest producer of teachers in Malaysia. He’s a proud autodidact, meaning self-taught, an educationalist and a Google Certified Trainer. As a student at the University of Warwick (UK), he found work as a Project Developer in the Digital Humanities Dept. During that time, he learnt about UK REF (Research Excellence Framework), where research is made public as a part of the KPI. That was when he started working on WordPress and immediately fell in love with it. One of the earlier projects he worked on was the front-end design for a Drupal-based site: bbashakespeare.warwick.ac.uk. Lifting inspiration from Pokemon styled playing cards, he created the website to feature the actors in that fashion. His next site was hpl.warwick.ac.uk where he designed the front-end and also worked on the back-end, which was his first, and admits that it’s quite messy and may be buggy. Finally, he worked on a website called The Last Stand that documents Napoleon Bonaparte’s 100 days in 100 objects – 100days.eu. After leaving the university, he worked on a website for a museum, to be fashioned on The New Yorker. A very complex website project, where he used WordPress, Custom Post Type UI, Advanced Custom Fields, Underscore Starter Theme and Foundation Studies.
On returning to UPSI, the university found out that he knew how to code, and gave him a task to design a website for the mobility unit. After a month working on it, http://mobility.upsi.edu.my was launched to accept applications from students as well as accepting new exchange programmes / summer camp submissions from faculties. This allowed the university unit to bring everything online.
He shared the development framework he uses, and encourages developers to establish a visual handshake before proceeding to the development. Using Envision Mock-up, and also the ‘Above the fold’ concept to manage customers and their expectations.
Most importantly, adhere to milestones!
10 First Steps to Secure your WordPress Assets
Presented by sanjay@teleawan.com
Twitter/LinkedIN/FB/Gmail/IG sanjayws
I first met Sanjay at the Teleawan and AWAS booth. He’s a consultant with national security board, cloud computing. So what are WordPress assets? Security has to be first and foremost easy to understand. Do you really know what your assets are? It’s not just WordPress source that you place into your website. If you understand the physical server, the network, the providers, the switchers – it’s not just the binary of WordPress itself but an entire ecosystem of running the site.
At the last WordCamp, we discussed IoT implementation to complement the website requirements. He gave the example of a guy who ran a plantation and fed data from his business directly into WordPress. Now those, are his company’s WordPress assets too.
He then talks about the importance of APIs and how so many sites now includes APIs. But most of all, he mentions that security is for all. Economic impact is one of the key factors in getting governments and corporates awakened.
Did you know, more than 50% online hacks result from websites!!! That’s some damning stats! He goes on to talk about Cross site scripting (source: cvedetails.com). Then he goes on to quote:
If I have seen further than others, it is by standing upon the shoulders of giants – Isaac Newton
Don’t forget, the success of all of us, is a domino effect from each other. WordPress was open source and developed by PHP coders, created by the people. When you’re starting, start right and consider the following.
Hosting it on a Shared Hosting Provider (e.g. a server company)
- Providers do not care about your site, its generic ‘love’ to all
- Shared resources also mean shared problems too
- Difficult to perform OS level mods
- Likely maintained (except WordPress levels) by provider
versus Hosting it in Bare Metal Hosting (i.e. on your own)
- Could potential make trivial mistakes in setup
- Higher difficulty level require higher understanding of what’s being done and its implications
- Maintenance at all levels
- With great power, comes great responsibility
Alrighty, next he discussed is Authentication.
- Using two form factor authentication.
- Use complex and long passwords for privileged accounts
- Avoid/rename common administrative users
- E.g. admin, administrator, God, boss,
- Consider OAuth, email-based authentication
- Limit log-in attempts
- Try to change the admin login URL (e.g. wp-admin). So try guess why 98% of websites are vulnerable? It’s because most of you are using default settings. So it’s machine bots who are used to scan sites, and not humans. So they would be using all of the generic logins and passwords.
- Use salts (for passwords etc). Never save passwords in clear text. Hashing is a way that hides and encrypts passwords from humans and bots.
- Enable SSL/Https
Game time! Which password is ‘better”?
- prettywp1
- what password? someone help
- W0rDpr3$$
Authorization & logging
- Audit privileged accounts
- Turn firewall on!
- Turn access logs on
- Geofencing for admin folders (wp-admin geofenced to Malaysia only for e.g.)
Quality Coding and site integrity
- Follow WordPress coding guidelines
- When writing products, themes/plugins etc, take into consideration possible attacks such as Cross Site Scripting (XSS), Input validation, buffer overflow, SQL injection, local file inclusion and Cross Site Request forgery.
- SPamming also can reduce your SEO, so ensure you look into this
Monitoring and Visibility
- Knowing is key, and time is of the essence
- Initial things to monitor are availability, response time, defacement, DNS resolver, SSL expiry
- Get notified in email and SMS
- Monitoring IS a part of security
- Use free site monitoring method
Backup and Restore
- Use plugins in combo with physical files/db
- Use full on backup solution if you can
- Checkout iThemes Security, UpdraftPlus etc
Updates
- Close to 80% government sites are still on WP2.0!
- Before you update, you might want to test the updates, and backup your site.
- Be sure to update not just WordPress but also themes, plugins and other add ins
- Check out: WP Dashboard, Easy Update Manager
Auditing your Site
- One click free audits
- They are usually non-intrusive
- Google WordPress Security Scanner and look at some of the options
- Checkout: https://awas.io
Distributed Denial of Service (DDOS)
- Attack
- Floods your actual website
- Act/behave like real access
- Forcing website/apps/network devices get overwhelemed
- Actual users cannot access
- Mitigation
- White/black listing
- Use to different lps
- Explore and checkout CloudFlare (easiest), Amazon CloudFront, Azure
Local Security
- Turn on firewalls!
- IPS/IDS
- Antivirus
- Follow Security Hardening Guides
- Load Balancers (e.g. CloudFlare)
- Setup proper error handling
- Change WordPress database prefixes
- Reduce surface attacks
To recap, follow all of the steps above and your site should be as secured as it could be. Don’t, and you’ll be knocking on doors and your own head once your sites get compromised.
Sec_rity is incomplete without “u”.
Thanks, Sanjay!
Asif.im
I took a little break and went outside to eat some pineapples. Then found Asif Rahman, and decided to chat with him further. We discussed the WP plug-ins and themes business. He shared quite a lot and it was great because I had the face time with him for over 40-minutes.
Turns out, Asif may consider moving his global operations to Malaysia. So I reached out to a key player in the technology ecosystem – Jack Chan of DOJO KL, which would be the venue partner for the following day’s WordPress Developer Day Meetup.
Read his 10,000 word essay in Heropress here. I certainly look forward to meeting him again!
Content Creation in WordPress 5.0
In the Nasi Lemak Room by David Wang @blogjunkie, the Chief Caretaker of clickWP, providing WordPress tech support for users and small businesses.
WordPress 5.0 will introduce a BIG change to the post editor… a code name called Gutenberg and it’ll be the most advanced content editor in the web!
Tadaa! In Gutenberg, every piece of content on a page is actually a block, and blocks can be moved up and down easily, change its alignment in settings. Seemingly even more simple WYSIWYG with built-in settings.
So what are you waiting for? Get going on Gutenberg and seriously, if you’re considering building a site and would like to get your hands in action, go for a WordPress site as it’s open source and you’re free to customise and it feels like an Android Ride. There are others like Wix and Square Space, but they’re just pretty but back-end wise, not really customisable. A little like an Apple product if I may say.
Shameless Advertising Need help to install or maintain your site? Hire our team – Webprojx.com. Happy WordPressing!
Other people in the fraternity
I also met a few other people and I’d like to mention them because we had some quick bantering sessions that were fruitful fun nuggets.
Meet Regina Foo. I didn’t get to talk to her much, but I sure hope we’ll meet again. Sounds like a enthusiastic and helpful person – one you’d love to have on your team!
Como estas Leonardo Losovitz founder of a Lego-inspired PHP / Handlebars powered by WordPress building block style framework – Let’s Pop. I’m checking this out and playing with the demo. It’s actually pretty awesome! Great job, Leo!
Finally, I would like to mention co-founder of ECInsider.my and my lunch buddy, Adrian Oh. We shared some insightful stories about customer handling, customer complaints and expectations. It was great hearing about his experience, and sharing mine. At the end of the day, there’s really no point in trying to win emotional battles when there’s an obvious supplier vs. customer scenario. What’s important is to stick to the facts, the job scope and deliver happiness. Ultimately, we’re all trying to get a job done.
That’s all, folks! Now, have you got your gravatar done yet?