ExpressionEngine - Simple Steps to Performance and Security (EECI 2014)
1. ExpressionEngine | EECI
Simple Steps to Performance and
Security
CHRIS WELLS – CEO – NEXCESS.NET LLC
2. Detroit, MI USA
WEST
SOUTH
NORTH
MID-WEST???
NORTH-EAST
NORTH?
NORTH-CENTRAL?
MIDDLE?
3. Quick Facts About Michigan
• Michigan has the longest fresh water shoreline in the U.S. (world?) at
3,126 miles.
• Four flags have flown over Michigan:
• French
• English
• Spanish
• USA
• Michigan is split into an “upper” and “lower” peninsula
• The upper is dubbed the “U.P.”
• Detroit had the 1st mile of concrete road laid in 1909
• Detroit is the potato chip capital of the world
• Based on consumption
4. Today’s Topics
• Why performance / security?
• A few simple performance steps
• A few simple security steps
6. They Affect Your Bottom Line DIRECTLY
(even if you think you don’t have one)
7. Example Performance Wins
• Firefox browser website noted:
• Slow page loaders downloaded the browser less often
• 1 second of increased page load performance increased downloads by
2.7%.
• Shopzilla.com
• Had page load times of ~7 second
• Optimized to yield a 5 second decrease in page load time (7 -> 2 sec)
• 25% increase in page views
• 7 – 12% increase in revenue
• 50% decrease in hardware costs!
• Google tested a page 1 with 30 entries instead of 10 and
got:
• 20% less clicks
10. PHP Choices
• ExpressionEngine supports a variety of PHP versions (5.3.10+)
• So… Isn’t PHP just PHP?
• NO!
• PHP 5.4 is a good deal faster than 5.3
• Empty hash table optimizations
• Literal tables
• Interned strings
• Zend Engine VM tuning
• But what does this mean for ExpressionEngine?
16. PHP 5.4.28 vs. PHP 5.5.12
800
700
600
500
400
300
200
100
0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 20 25 30 35 40 45 50 55 60
Siege transac ons / second
Dura on (in minutes)
PHP 5.4.28
PHP 5.5.12
~781 t/sec
~25% better than 5.4
~41% better than 5.3
WOW
17. Notes On PHP 5.5.x+
• APC goes out
• OPcache is introduced
• OPcache is the name of the bundled ZendOptimizer+ opcode caching system
• Seems to work out of the box without too much fuss
• More research is needed here – was very surprised with the performance results
• For developers PHP 5.5+ adds:
• “finally”
• Finally!! New password hashing API
• The empty() built-in now supports arbitrary expressions
21. PHP 5.5.12 vs. PHP-NG
• We couldn’t get it running in a stable manner
22. Notes on PHP-NG
• Removes numerous heap allocations (and de-allocations)
• Stores more native data directly on the stack
• Removes the need to garbage collect basic primitives (bool, long, etc)
• PHP’s reported Wordpress benchmarks show very good results
• 26.75 sec -> 14.10 sec (~48% improvement)
• 9.5M instructions -> 3.4M internal instructions executed (HUGE reduction)
• Take some comfort in knowing that more gains are on the way from
PHP folks directly
25. Basic ExpressionEngine Tuning
• Out of the box ExpressionEngine performs!
• Cache Cache Cache! Ensure you use all available caching
• Tag caching
• Template caching
• Dynamic channel query caching
• Query disabling
• Use in-memory caching if at all possible (CE Cache, memcache)
• See our whitepaper for an in-depth look at caching options
• Use a CDN
26. We’re Performing! Now What?
• Performance is not a one-time activity (monitor often)
• The 80/20 rule is a good guide (Pareto’s Principle)
• “…roughly 80% of the effects come from 20% of the causes…”
• Make performance part of your design/development
process
• Choose add-ons based on a performance SLA
• Make sure your developers understand how to design/code for
performance
• All 3rd party add-ons are not created equal!
• Software/code optimization can only go so far – hardware
can help
• Dedicated database and web servers may be needed
27. Side Effects of Good Performance
• Faster sites are stickier – Wikia.com’s re-architecting
found:
• ~15% exit rate for a 2 second page load
• ~10% exit rate for a 1 second page load
• Faster sites yield higher search engine placement
• Google / Bing / Yahoo! use speed as a metric in their algorithms
• You’re more ready for that OMG day
• Check out EE’s “Handling Extreme Traffic” page regardless
• Faster doesn’t have to mean more expensive
• Costs can often be lowered as a result of caching & optimization
• Remember shopzilla.com?
30. Environment Security
• Practice least-privilege in all aspects of the environment
• Use a firewall (and actually configure it)
• Use an intrusion prevention system (and actually configure it)
• Mod_security works well!
• Applies matching vs. URL requests to thwart many attacks
• Choose correct file permissions
• 600 for PHP/configuration files(if able)
• 700 for directories (yep, if able)
• Use HTTPS
• Lean on your hosting provider for help (it’s their job!!!)
32. Basic ExpressionEngine Security
• Follow the EE best practices
• Keep ExpressionEngine up to date
• I know, I know – easier said then done … but do it
• ExpressionEngine is very secure by default (but really, keep it updated)
• Keep PHP up to date (or patched)
• Keep add-ons up to date
• Add-ons are often forgotten as a source of vulnerability
• Restrict admin access
• Limit by IP and/or by renaming admin.php
• Rename the system directory
• Create unique user accounts (i.e. don’t share!)
34. Basic Security
• Password security
• Passwords do not necessarily need to be complex
• PillowCarpetTelevision32 24 characters!!
• Don’t reuse passwords on other sites
• I hate this slogan but…
• The most secure password is the one you don’t remember
• Use Lastpass or something like it.
• Use 2-factor authentication if available
• Use a secure means to publish
• Avoid FTP!
• Ensure backups exist (and are recent)
• Trust but verify your hosting arrangements
