Advanced techniques for testing and updating WordPress core and plugins to avoid regressions
Updating WordPress core and plugins is an important and often recurring maintenance task, that many often neglect due to the inherent risk of regressions and potential downtime. At Seravo.com we update hundreds of enterprise grade WordPress sites in a production-proof way using automated testing with RSpec and Phantom.js. In this talk I will show you how we do it and what are the open source tools anybody else can use as well to test their own sites before and after updates.
Presentation delivered at WordCamp Copenhagen 2017
https://2017.copenhagen.wordcamp.org/session/advanced-techniques-for-testing-and-updating-wordpress-core-and-plugins-to-avoid-regressions/
2. ● Linux and open source advocate
● Contributed to WordPress Core,
translations, Linux, Docker,
Nginx, Redis, MariaDB…
● CEO, sysadmin and developer at
Seravo.com – WordPress
hosting and upkeep
Otto Kekäläinen
5. WHY NOT TO UPDATE?
1. New security bugs
2. New other bugs
3. Old features
6. Example case: Mossack Fonseca aka Panama papers
● The site www.mossfon.com was running WordPress
● Unauthorized access of WP lead to unauthorized access of MS Exchange
email server on internal network and other sites at *.mossfon.com
● The intruders most likely came through an old and insecure version of the
Revolution Slider plugin.
○ Well known vulnerability, WordPress.org even has a patch as a separate plugin
(https://wordpress.org/plugins/patch-for-revolution-slider/) as Revolution Slider itself is not
available at WordPress.org.
7. Example case: Mossack Fonseca aka Panama papers
● Case analysis at
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulner
able-slider-revolution/
8. WP PLUGIN REVIEW GUIDELINES FOR
CAPITALISTS*
If the logo is red and
name contains revolution,
don’t install it on your system!
* a small dose of parody can’t hurt?
12. UPDATES IN WORDPRESS
● WordPress core minor version updates (4.7.4 -> 4.7.5): security
● WordPress major version updates (3.9 -> 4.0, 4.6 -> 4.7): features
● WordPress plugin updates can contain anything
● There is just one WordPress.org update channel
○ No separate security updates channel like in Linux distros
● Plugins and themes from other places than WordPress.org might
have automatic update channel
○ No guarantee: worst case scenario is that there are no update
notifications and you need to do everything about updates
manually
16. FILES VS. DATABASE
Updates install new files, and they might
upgrade the data format in the database to
become backwards incompatible.
Reverting by putting the old files in place might
not work because of the database contents!
cp -ra /data/backups/wordpress /wordpress
wp db import /data/backups/db/site.sql
17. ROLL-BACKS IN PRODUCTION
ARE BAD
1. Downtime between bad update and
roll-back
2. Lost database contents
(WooCommerce orders, anybody?)
3. If the site broke so badly that you
could not access WP-admin, was that a
bad or actually a good thing?
18. INTRODUCING SHADOW UPDATES
1. Make an identical copy of the
production site (same URLs etc)
that is not visible to the public
2. Update the shadow
3. Test the shadow
4. Only if tests pass, run the same
updates in production
19. REGRESSION TESTING WORDPRESS
Open source tools
● RSpec – test runner
● Capybara – navigate the site virtually (headlessly)
● PhantomJS – headless browser
● GraphicsMagic – visual comparison
Tests part of our project template:
https://github.com/Seravo/wordpress/tree/master/tests/rspec
Docs: https://seravo.com/docs/tests/integration-tests/
20. INTERGRATION TEST EXAMPLE 1/2
before do
visit WP.siteurl('/wp-login.php')
end
it "There's a login form" do
expect(page).to have_id "wp-submit"
end
21. INTERGRATION TEST EXAMPLE 2/2
if WP.user?
it "Logged in to WordPress Dashboard" do
within("#loginform") do
fill_in 'log', :with => WP.user.username
fill_in 'pwd', :with => WP.user.password
end
click_button 'wp-submit'
# Should obtain cookies and be able to visit /wp-admin
expect(page).to have_id "wpadminbar"
end
end