Otto Kekäläinen, profile picture
Uploaded byOtto Kekäläinen
PDF, PPTX656 views

Testing and updating WordPress - Advanced techniques for avoiding regressions

This document discusses techniques for safely updating WordPress core and plugins to avoid regressions. It recommends setting up a "shadow" test site to first update and thoroughly regression test plugins and themes before deploying updates to the production site. Integration tests can automate aspects of regression testing by programmatically interacting with and validating the site. Visual regression testing can additionally detect layout or design changes. While most updates can be safely automated, some human oversight is still important to determine if changes constitute failures.

Download as PDF, PPTX
AVOIDING REGRESSIONS Advanced techniques for testing and updating WordPress core and plugins WordCamp Stockholm 2016 Otto Kekäläinen Seravo.com @ottokekalainen
● Seravo.com – WordPress hosting and upkeep ● CEO, sysadmin and developer ● Linux and open source advocate ● Contributed to WordPress Core, fi and sv translations, Linux, Docker, Nginx, Redis, MariaDB... Otto Kekäläinen
WHY UPDATE? 1. Security bugs 2. Other bugs 3. New features
WHY NOT TO UPDATE? 1. New security bugs 2. New other bugs 3. Old features
Example case: Mossack Fonseca aka Panama papers ● The site www.mossfon.com was running WordPress ● Unauthorized access of WP lead to unauthorized access of MS Exchange email server on internal network and other sites at *.mossfon.com ● The intruders most likely came through an old and insecure version of the Revolution Slider plugin. ○ Well known vulnerability, WordPress.org even has a patch as a separate plugin (https://wordpress.org/plugins/patch-for-revolution-slider/) as Revolution Slider itself is not available at WordPress.org.
Example case: Mossack Fonseca aka Panama papers ● Case analysis at https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulner able-slider-revolution/
WP PLUGIN REVIEW GUIDELINES FOR CAPITALISTS* If the logo is red and name contains revolution, don’t install it on your system! * a small dose of parody can’t hurt?
You must keep your WordPress site secure.
THE PROBLEM: WHY AREN’T EVERYBODY UPDATING THEIR WORDPRESS AND PLUGINS?
BECAUSE OF THIS:
UPDATES IN WORDPRESS ● WordPress core minor version updates (4.6.0 -> 4.6.1): security ● WordPress major version updates (3.9 -> 4.0, 4.6 -> 4.7): features ● WordPress plugin updates can contain anything ● There is just one WordPress.org update channel ○ No separate security updates channel like in Linux distros ● Plugins and themes from other places than WordPress.org might have automatic update channel ○ No guarantee: worst case scenario is that there are no update notifications and you need to do everything about updates manually
THE PROBLEM IS THE PLUGINS.
SOLUTION: ROLL-BACK BAD UPDATES?
YOU HAVE NIGHTLY OFF-SITE BACKUPS, RIGHT?
FILES VS. DATABASE Updates install new files, and they might upgrade the data format in the database to become backwards incompatible. Reverting by putting the old files in place might not work because of the database contents! cp -ra /data/backups/wordpress /wordpress wp db import /data/backups/db/site.sql
ROLL-BACKS IN PRODUCTION ARE BAD 1. Downtime between bad update and roll-back 2. Lost database contents (WooCommerce orders, anybody?) 3. If the site broke so badly that you could not access WP-admin, was that a bad or actually a good thing?
INTRODUCING SHADOW UPDATES 1. Make an identical copy of the production site (same URLs etc) that is not visible to the public 2. Update the shadow 3. Test the shadow 4. Only if tests pass, run the same updates in production
REGRESSION TESTING WORDPRESS Open source tools ● RSpec – test runner ● Capybara – navigate the site virtually (headlessly) ● PhantomJS – headless browser ● GraphicsMagic – visual comparison Tests part of our project template: https://github.com/Seravo/wordpress/tree/master/tests/rspec Docs: https://seravo.com/docs/tests/integration-tests/
INTERGRATION TEST EXAMPLE 1/2 before do visit WP.siteurl('/wp-login.php') end it "There's a login form" do expect(page).to have_id "wp-submit" end
INTERGRATION TEST EXAMPLE 2/2 if WP.user? it "Logged in to WordPress Dashboard" do within("#loginform") do fill_in 'log', :with => WP.user.username fill_in 'pwd', :with => WP.user.password end click_button 'wp-submit' # Should obtain cookies and be able to visit /wp-admin expect(page).to have_id "wpadminbar" end end
VISUAL REGRESSION TESTS $ gm compare -highlight-style assign -highlight-color purple -file diff.png *.png
VISUAL REGRESSION TESTS $ gm compare -verbose -metric mse *.png Image Difference (MeanSquaredError): Normalized Absolute ============ ========== Red: 0.0319159868 8.1 Green: 0.0251841368 6.4 Blue: 0.0278537225 7.1 Opacity: 0.0000000000 0.0 Total: 0.0212384615 5.4
Where do you draw the line between acceptable changes and failures/regressions?
AUTOMATING UPDATES: 90 % BY ROBOTS 10 % BY HUMANS
THANK YOU! SERAVO.COM wordpress@seravo.com @Seravocom @ottokekalainen

More Related Content

PDF
Find WordPress performance bottlenecks with XDebug PHP profiling
byOtto Kekäläinen
 
PDF
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
byOtto Kekäläinen
 
PDF
WordPress security 101 - WP Turku Meetup 2.2.2017
byOtto Kekäläinen
 
PPTX
Improving WordPress Performance: Xdebug and PHP profiling
bySeravo
 
PDF
Jakarta WordPress Meetup #9: Introducing VVV 2
byWordPress
 
PPTX
Drupal Development Tips
byChris Tankersley
 
PDF
PHP SA 2014 - Releasing Your Open Source Project
byxsist10
 
PDF
Technical SEO for WordPress - 2017 edition
byOtto Kekäläinen
 
Find WordPress performance bottlenecks with XDebug PHP profiling
byOtto Kekäläinen
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
byOtto Kekäläinen
 
WordPress security 101 - WP Turku Meetup 2.2.2017
byOtto Kekäläinen
 
Improving WordPress Performance: Xdebug and PHP profiling
bySeravo
 
Jakarta WordPress Meetup #9: Introducing VVV 2
byWordPress
 
Drupal Development Tips
byChris Tankersley
 
PHP SA 2014 - Releasing Your Open Source Project
byxsist10
 
Technical SEO for WordPress - 2017 edition
byOtto Kekäläinen
 

What's hot

PDF
8 Ways to Hack a WordPress website
bySiteGround.com
 
PPT
Secure All The Things!
byDougal Campbell
 
PDF
The 5 most common reasons for a slow WordPress site and how to fix them – ext...
byOtto Kekäläinen
 
PPTX
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
byBastian Grimm
 
PDF
WordPress modern development
byRoman Veselý
 
PDF
Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...
byAndrea Cardinali
 
PPTX
The GiveCamp Guide to WordPress
bySarah Dutkiewicz
 
KEY
Higher Order WordPress Security
byDougal Campbell
 
PPTX
A crash course in scaling wordpress
byGovLoop
 
PDF
Word camp2011 introwordpresssecurity
byDavid Wilemski
 
PDF
Plugins at WordCamp Phoenix
byAndrew Ryno
 
PPTX
WordPress Development with VVV, VV, and Vagrant
byMitch Canter
 
PDF
Why it's dangerous to turn off automatic updates and here's how to do it
byOnni Hakala
 
PPTX
WordPress Hardening
byMaurizio Pelizzone
 
PDF
Continuous Integration and Deployment Patterns for Magento
byAOE
 
PDF
Introduction to phone gap
byDanet Krueng
 
PDF
How to Build a Pure Evil Magento Module
byAOE
 
PDF
Basic Plugin Recommendations to get your WordPress Website Started
byNile Flores
 
PDF
Continuous Integration @ MeetMagento Germany 2015
byAleksey Razbakov
 
PDF
Introduction to PhoneGap and PhoneGap Build
byMartin de Keijzer
 
8 Ways to Hack a WordPress website
bySiteGround.com
 
Secure All The Things!
byDougal Campbell
 
The 5 most common reasons for a slow WordPress site and how to fix them – ext...
byOtto Kekäläinen
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
byBastian Grimm
 
WordPress modern development
byRoman Veselý
 
Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...
byAndrea Cardinali
 
The GiveCamp Guide to WordPress
bySarah Dutkiewicz
 
Higher Order WordPress Security
byDougal Campbell
 
A crash course in scaling wordpress
byGovLoop
 
Word camp2011 introwordpresssecurity
byDavid Wilemski
 
Plugins at WordCamp Phoenix
byAndrew Ryno
 
WordPress Development with VVV, VV, and Vagrant
byMitch Canter
 
Why it's dangerous to turn off automatic updates and here's how to do it
byOnni Hakala
 
WordPress Hardening
byMaurizio Pelizzone
 
Continuous Integration and Deployment Patterns for Magento
byAOE
 
Introduction to phone gap
byDanet Krueng
 
How to Build a Pure Evil Magento Module
byAOE
 
Basic Plugin Recommendations to get your WordPress Website Started
byNile Flores
 
Continuous Integration @ MeetMagento Germany 2015
byAleksey Razbakov
 
Introduction to PhoneGap and PhoneGap Build
byMartin de Keijzer
 

Viewers also liked

PDF
Tietoturvan huomiointi järjestelmähankinnoissa
by2NS
 
PDF
Koodikerho PEPE Pajapäivä 6.9.2016
byOtto Kekäläinen
 
PDF
Sosiaalinen media & sisältömarkkinointi
byC2 Advertising
 
PDF
Git essentials
byOtto Kekäläinen
 
PDF
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
byOtto Kekäläinen
 
PDF
Wordpress -sivusto nollabudjetilla
byLumoLink
 
PDF
MariaDB Developers Meetup 2016 welcome words
byOtto Kekäläinen
 
PDF
MariaDB in Debian and Ubuntu: The next million users
byOtto Kekäläinen
 
PDF
Collaboration in open source - examples from MariaDB
byOtto Kekäläinen
 
PDF
MariaDB Foundation presentation and membership info
byOtto Kekäläinen
 
PDF
Top 8 priorities for websites in 2014
byOtto Kekäläinen
 
PPTX
WordPress ja markkinointiautomaatio (DigitalTre-esitys)
byOtto Kekäläinen
 
PDF
Avoimet innovaatiot tietoyhteiskunnan eteenpäin vievänä voimana
byOtto Kekäläinen
 
PDF
Verkkosivujen 8 tärkeintä asiaa 2014
byOtto Kekäläinen
 
PDF
Hakukoneoptimointi helposti ja ilmaiseksi
bySusanna Neiglick
 
PDF
Salasanahygienia - jokamiehen kybervelvollisuus
byOtto Kekäläinen
 
PDF
Koodikerho: ohjelmointia alakouluissa
byOtto Kekäläinen
 
PPT
Verkkokampanjointi Kepa 26.10. 2011
byPerttu Iso-Markku
 
PDF
Sosiaalisen median rooli ja merkitys
byC2 Advertising
 
PDF
C2 ÄfterWörk – Tapahtumamarkkinointi
byC2 Advertising
 
Tietoturvan huomiointi järjestelmähankinnoissa
by2NS
 
Koodikerho PEPE Pajapäivä 6.9.2016
byOtto Kekäläinen
 
Sosiaalinen media & sisältömarkkinointi
byC2 Advertising
 
Git essentials
byOtto Kekäläinen
 
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
byOtto Kekäläinen
 
Wordpress -sivusto nollabudjetilla
byLumoLink
 
MariaDB Developers Meetup 2016 welcome words
byOtto Kekäläinen
 
MariaDB in Debian and Ubuntu: The next million users
byOtto Kekäläinen
 
Collaboration in open source - examples from MariaDB
byOtto Kekäläinen
 
MariaDB Foundation presentation and membership info
byOtto Kekäläinen
 
Top 8 priorities for websites in 2014
byOtto Kekäläinen
 
WordPress ja markkinointiautomaatio (DigitalTre-esitys)
byOtto Kekäläinen
 
Avoimet innovaatiot tietoyhteiskunnan eteenpäin vievänä voimana
byOtto Kekäläinen
 
Verkkosivujen 8 tärkeintä asiaa 2014
byOtto Kekäläinen
 
Hakukoneoptimointi helposti ja ilmaiseksi
bySusanna Neiglick
 
Salasanahygienia - jokamiehen kybervelvollisuus
byOtto Kekäläinen
 
Koodikerho: ohjelmointia alakouluissa
byOtto Kekäläinen
 
Verkkokampanjointi Kepa 26.10. 2011
byPerttu Iso-Markku
 
Sosiaalisen median rooli ja merkitys
byC2 Advertising
 
C2 ÄfterWörk – Tapahtumamarkkinointi
byC2 Advertising
 

Similar to Testing and updating WordPress - Advanced techniques for avoiding regressions

PPTX
Best Practices for WordPress in Enterprise
byTaylor Lovett
 
PPTX
How to Optimize WordPress Performance and Uptime.pptx
byCS Web Solutions
 
PDF
Best Practices for WordPress
byTaylor Lovett
 
PDF
Seravo.com: WordPress Security 101
bySeravo
 
PPTX
WordPress.org & Optimizing Security for your WordPress sites
byGovLoop
 
PPTX
Best Practices for Building WordPress Applications
byTaylor Lovett
 
PPT
WordPress Security
byBrad Williams
 
PDF
Updating WordPress Themes, Plugins, and Core Safely
byAngela Bowman
 
PPTX
WordPress Insider Meetup Group - Jan, 7, 2016 meeting
byMichelle Castillo
 
PDF
Security? hey, it's only word press!
bystk_jj
 
PDF
Converted Website To WordPress Development Company!
byHireWPGeeks Ltd
 
PPTX
Converted Website To WordPress Development Company!
byHireWPGeeks Ltd
 
PDF
How I Learned to Stop Worrying and Love the Update Button
bychris-koerner
 
PDF
Best practices-wordpress-enterprise
byTaylor Lovett
 
PPTX
How to prevent big disasters when updating WordPress
byRodolfo Melogli
 
PDF
Emergency WordPress Troubleshooting
byTiffany Bridge
 
PPTX
5 things to know before updating word press version
byNishant Desai
 
PPTX
Professional WordPress Security: Beyond Security Plugins
byChris Burgess
 
PDF
WordPress updates - Why You Can't Live Without Them
byWarren Denley
 
PPTX
Wordpress backing Up and Updating
byNorthern Initiatives
 
Best Practices for WordPress in Enterprise
byTaylor Lovett
 
How to Optimize WordPress Performance and Uptime.pptx
byCS Web Solutions
 
Best Practices for WordPress
byTaylor Lovett
 
Seravo.com: WordPress Security 101
bySeravo
 
WordPress.org & Optimizing Security for your WordPress sites
byGovLoop
 
Best Practices for Building WordPress Applications
byTaylor Lovett
 
WordPress Security
byBrad Williams
 
Updating WordPress Themes, Plugins, and Core Safely
byAngela Bowman
 
WordPress Insider Meetup Group - Jan, 7, 2016 meeting
byMichelle Castillo
 
Security? hey, it's only word press!
bystk_jj
 
Converted Website To WordPress Development Company!
byHireWPGeeks Ltd
 
Converted Website To WordPress Development Company!
byHireWPGeeks Ltd
 
How I Learned to Stop Worrying and Love the Update Button
bychris-koerner
 
Best practices-wordpress-enterprise
byTaylor Lovett
 
How to prevent big disasters when updating WordPress
byRodolfo Melogli
 
Emergency WordPress Troubleshooting
byTiffany Bridge
 
5 things to know before updating word press version
byNishant Desai
 
Professional WordPress Security: Beyond Security Plugins
byChris Burgess
 
WordPress updates - Why You Can't Live Without Them
byWarren Denley
 
Wordpress backing Up and Updating
byNorthern Initiatives
 

More from Otto Kekäläinen

PDF
Improving WordPress performance (xdebug and profiling)
byOtto Kekäläinen
 
PDF
Improving WordPress Performance with Xdebug and PHP Profiling
byOtto Kekäläinen
 
PDF
10 things every developer should know about their database to run word press ...
byOtto Kekäläinen
 
PDF
Automatic testing and quality assurance for WordPress plugins and themes
byOtto Kekäläinen
 
PDF
How to investigate and recover from a security breach in WordPress
byOtto Kekäläinen
 
PDF
Git best practices 2016
byOtto Kekäläinen
 
PDF
Automatic testing and quality assurance for WordPress plugins
byOtto Kekäläinen
 
PDF
DebConf 2020: What’s New in MariaDB Server 10.5 and Galera 4?
byOtto Kekäläinen
 
PDF
Less passwords, more security: unix socket authentication and other MariaDB h...
byOtto Kekäläinen
 
PDF
DebConf16 BoF on MariaDB/MySQL packaging
byOtto Kekäläinen
 
PDF
The 5 most common reasons for a slow WordPress site and how to fix them
byOtto Kekäläinen
 
PDF
Search in WordPress - how it works and howto customize it
byOtto Kekäläinen
 
PDF
How MariaDB packaging uses Salsa-CI to ensure smooth upgrades and avoid regre...
byOtto Kekäläinen
 
PDF
Technical SEO for WordPress - 2019 edition
byOtto Kekäläinen
 
PDF
Technical SEO for WordPress
byOtto Kekäläinen
 
PDF
MariaDB adoption in Linux distributions and development environments
byOtto Kekäläinen
 
PDF
WordPress-tietoturvan perusteet
byOtto Kekäläinen
 
PDF
MariaDB quality assurance in Debian and Ubuntu
byOtto Kekäläinen
 
PDF
DebConf 2019 MariaDB packaging in Debian BoF
byOtto Kekäläinen
 
PDF
FOSDEM2021: MariaDB post-release quality assurance in Debian and Ubuntu
byOtto Kekäläinen
 
Improving WordPress performance (xdebug and profiling)
byOtto Kekäläinen
 
Improving WordPress Performance with Xdebug and PHP Profiling
byOtto Kekäläinen
 
10 things every developer should know about their database to run word press ...
byOtto Kekäläinen
 
Automatic testing and quality assurance for WordPress plugins and themes
byOtto Kekäläinen
 
How to investigate and recover from a security breach in WordPress
byOtto Kekäläinen
 
Git best practices 2016
byOtto Kekäläinen
 
Automatic testing and quality assurance for WordPress plugins
byOtto Kekäläinen
 
DebConf 2020: What’s New in MariaDB Server 10.5 and Galera 4?
byOtto Kekäläinen
 
Less passwords, more security: unix socket authentication and other MariaDB h...
byOtto Kekäläinen
 
DebConf16 BoF on MariaDB/MySQL packaging
byOtto Kekäläinen
 
The 5 most common reasons for a slow WordPress site and how to fix them
byOtto Kekäläinen
 
Search in WordPress - how it works and howto customize it
byOtto Kekäläinen
 
How MariaDB packaging uses Salsa-CI to ensure smooth upgrades and avoid regre...
byOtto Kekäläinen
 
Technical SEO for WordPress - 2019 edition
byOtto Kekäläinen
 
Technical SEO for WordPress
byOtto Kekäläinen
 
MariaDB adoption in Linux distributions and development environments
byOtto Kekäläinen
 
WordPress-tietoturvan perusteet
byOtto Kekäläinen
 
MariaDB quality assurance in Debian and Ubuntu
byOtto Kekäläinen
 
DebConf 2019 MariaDB packaging in Debian BoF
byOtto Kekäläinen
 
FOSDEM2021: MariaDB post-release quality assurance in Debian and Ubuntu
byOtto Kekäläinen
 

Recently uploaded

PDF
Test Driven Development with mORMot 2 with Delphi and FPC
byArnaud Bouchez
 
PDF
Evolution and Examples of Java Features, from Java 1.7 to Java 25
byYann-Gaël Guéhéneuc
 
PDF
Working with Machine Learning in Production
byFrederick Apina
 
PPTX
How John started to like TDD (instead of hating it) (Devcon, October'25)
byNacho Cougil
 
PDF
One HTTPS server in Modern Pascal to Rule Them All
byArnaud Bouchez
 
PDF
Workshop about mORMot 2 during EKON: write a clean-architecture TDD sample
byArnaud Bouchez
 
PDF
Hiring Dedicated Laravel Developers: Cost Breakdown
byShiv Technolabs Pvt. Ltd.
 
PDF
The Ultimate Guide to Software POC Development and Validation
byShiv Technolabs Pvt. Ltd.
 
PDF
Build Web, Mobile & Desktop Apps with Flutter
byShiv Technolabs Pvt. Ltd.
 
PPTX
power point presentation of Soft computing
byyashhjain24
 
PPTX
Streamline Compliance and Safety with Advanced Contractor Management Software
bySHEQ Network Limited
 
PPTX
Streamline Your Business with BUSY Software.pptx
byMoving Cloud
 
PDF
Guidewire Connections 2025 PT 6 Unleash the Power of Agentic AI with Guidewire
byBrian Petrini
 
PDF
How App Developers in London UK Empower Digital Businesses – US APP Developer...
byIndia App Developer
 
PDF
Everything You Need to Know About White Label Analytics platform.pdf
byVarsha Nayak
 
PDF
How White Label Analytics Platforms Are Transforming Data Insights.pdf
byVarsha Nayak
 
PPTX
Advanced Risk Assessment Module for Enhanced Workplace Safety
byEHA Soft Solutions
 
PPTX
B2B Marketing Attribution Solutions - VALiNTRY360
byVALiNTRY360
 
DOCX
Everything You Need to Know About White Label Analytics platform.docx
byVarsha Nayak
 
PDF
VADY AI-Powered Business Intelligence — Turning Raw Data into Strategic Growth
byNewFangledVision
 
Test Driven Development with mORMot 2 with Delphi and FPC
byArnaud Bouchez
 
Evolution and Examples of Java Features, from Java 1.7 to Java 25
byYann-Gaël Guéhéneuc
 
Working with Machine Learning in Production
byFrederick Apina
 
How John started to like TDD (instead of hating it) (Devcon, October'25)
byNacho Cougil
 
One HTTPS server in Modern Pascal to Rule Them All
byArnaud Bouchez
 
Workshop about mORMot 2 during EKON: write a clean-architecture TDD sample
byArnaud Bouchez
 
Hiring Dedicated Laravel Developers: Cost Breakdown
byShiv Technolabs Pvt. Ltd.
 
The Ultimate Guide to Software POC Development and Validation
byShiv Technolabs Pvt. Ltd.
 
Build Web, Mobile & Desktop Apps with Flutter
byShiv Technolabs Pvt. Ltd.
 
power point presentation of Soft computing
byyashhjain24
 
Streamline Compliance and Safety with Advanced Contractor Management Software
bySHEQ Network Limited
 
Streamline Your Business with BUSY Software.pptx
byMoving Cloud
 
Guidewire Connections 2025 PT 6 Unleash the Power of Agentic AI with Guidewire
byBrian Petrini
 
How App Developers in London UK Empower Digital Businesses – US APP Developer...
byIndia App Developer
 
Everything You Need to Know About White Label Analytics platform.pdf
byVarsha Nayak
 
How White Label Analytics Platforms Are Transforming Data Insights.pdf
byVarsha Nayak
 
Advanced Risk Assessment Module for Enhanced Workplace Safety
byEHA Soft Solutions
 
B2B Marketing Attribution Solutions - VALiNTRY360
byVALiNTRY360
 
Everything You Need to Know About White Label Analytics platform.docx
byVarsha Nayak
 
VADY AI-Powered Business Intelligence — Turning Raw Data into Strategic Growth
byNewFangledVision
 

Testing and updating WordPress - Advanced techniques for avoiding regressions

  • 1.
    AVOIDING REGRESSIONS Advanced techniques for testingand updating WordPress core and plugins WordCamp Stockholm 2016 Otto Kekäläinen Seravo.com @ottokekalainen
  • 2.
    ● Seravo.com –WordPress hosting and upkeep ● CEO, sysadmin and developer ● Linux and open source advocate ● Contributed to WordPress Core, fi and sv translations, Linux, Docker, Nginx, Redis, MariaDB... Otto Kekäläinen
  • 3.
    WHY UPDATE? 1. Securitybugs 2. Other bugs 3. New features
  • 4.
    WHY NOT TOUPDATE? 1. New security bugs 2. New other bugs 3. Old features
  • 5.
    Example case: MossackFonseca aka Panama papers ● The site www.mossfon.com was running WordPress ● Unauthorized access of WP lead to unauthorized access of MS Exchange email server on internal network and other sites at *.mossfon.com ● The intruders most likely came through an old and insecure version of the Revolution Slider plugin. ○ Well known vulnerability, WordPress.org even has a patch as a separate plugin (https://wordpress.org/plugins/patch-for-revolution-slider/) as Revolution Slider itself is not available at WordPress.org.
  • 6.
    Example case: MossackFonseca aka Panama papers ● Case analysis at https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulner able-slider-revolution/
  • 7.
    WP PLUGIN REVIEWGUIDELINES FOR CAPITALISTS* If the logo is red and name contains revolution, don’t install it on your system! * a small dose of parody can’t hurt?
  • 8.
    You must keepyour WordPress site secure.
  • 9.
  • 10.
  • 11.
    UPDATES IN WORDPRESS ●WordPress core minor version updates (4.6.0 -> 4.6.1): security ● WordPress major version updates (3.9 -> 4.0, 4.6 -> 4.7): features ● WordPress plugin updates can contain anything ● There is just one WordPress.org update channel ○ No separate security updates channel like in Linux distros ● Plugins and themes from other places than WordPress.org might have automatic update channel ○ No guarantee: worst case scenario is that there are no update notifications and you need to do everything about updates manually
  • 12.
    THE PROBLEM ISTHE PLUGINS.
  • 13.
  • 14.
    YOU HAVE NIGHTLYOFF-SITE BACKUPS, RIGHT?
  • 15.
    FILES VS. DATABASE Updatesinstall new files, and they might upgrade the data format in the database to become backwards incompatible. Reverting by putting the old files in place might not work because of the database contents! cp -ra /data/backups/wordpress /wordpress wp db import /data/backups/db/site.sql
  • 16.
    ROLL-BACKS IN PRODUCTION AREBAD 1. Downtime between bad update and roll-back 2. Lost database contents (WooCommerce orders, anybody?) 3. If the site broke so badly that you could not access WP-admin, was that a bad or actually a good thing?
  • 17.
    INTRODUCING SHADOW UPDATES 1.Make an identical copy of the production site (same URLs etc) that is not visible to the public 2. Update the shadow 3. Test the shadow 4. Only if tests pass, run the same updates in production
  • 18.
    REGRESSION TESTING WORDPRESS Opensource tools ● RSpec – test runner ● Capybara – navigate the site virtually (headlessly) ● PhantomJS – headless browser ● GraphicsMagic – visual comparison Tests part of our project template: https://github.com/Seravo/wordpress/tree/master/tests/rspec Docs: https://seravo.com/docs/tests/integration-tests/
  • 19.
    INTERGRATION TEST EXAMPLE1/2 before do visit WP.siteurl('/wp-login.php') end it "There's a login form" do expect(page).to have_id "wp-submit" end
  • 20.
    INTERGRATION TEST EXAMPLE2/2 if WP.user? it "Logged in to WordPress Dashboard" do within("#loginform") do fill_in 'log', :with => WP.user.username fill_in 'pwd', :with => WP.user.password end click_button 'wp-submit' # Should obtain cookies and be able to visit /wp-admin expect(page).to have_id "wpadminbar" end end
  • 21.
    VISUAL REGRESSION TESTS $gm compare -highlight-style assign -highlight-color purple -file diff.png *.png
  • 22.
    VISUAL REGRESSION TESTS $gm compare -verbose -metric mse *.png Image Difference (MeanSquaredError): Normalized Absolute ============ ========== Red: 0.0319159868 8.1 Green: 0.0251841368 6.4 Blue: 0.0278537225 7.1 Opacity: 0.0000000000 0.0 Total: 0.0212384615 5.4
  • 23.
    Where do youdraw the line between acceptable changes and failures/regressions?
  • 24.
    AUTOMATING UPDATES: 90 %BY ROBOTS 10 % BY HUMANS
  • 25.