WORDPRESS MULTISITE AT
1000 DAYS
PROFESSIONAL WEB PRESENCE AT GEORGIA TECH
HELLO & WELCOME!
USG Rock Eagle 2017 - PWP at 1000 Days
• Web Manager @ Georgia Tech’s College of Engineering
ERIC SEMBRAT
@esembrat
CONTACT ME!
webbeh.com
CONTACT ME!
LET’S TALK WEBSITES
• Let’s talk about your campus web entities in 2017.
• More and more campus entities are consuming web to
market, communicate, and fund:
• Research / Labs / Centers
• Events / Conferences
• Faculty / Staff / Graduate Students
• Organizations / Groups / Initiatives
• Experimental / Media
WEB ON CAMPUSES
• Our work is increasingly turning to building more websites
for a wider variety of use-cases.
• Fortunately, the marketplace for website building
scaffolding (content management systems) helps us stay
afloat.
WE HAVE TO DO MORE
• However, we must be aware of two potential issues that
pop up as a product of the proliferation of easy-to-use website
tools:
• Resource Repetition
• Security
MAINTAINABLES
• Building the same resource repeatedly without sharing
sources.
• Resources aren’t equal.
• Resources aren’t visually cloned.
• Resources aren’t identically structured.
• Resource fracturing occurs.
RESOURCE REPETITION
• All of this equals wasted time and resources.
RESOURCE REPETITION
• Security is king. And it’s not just about data.
• Two vectors as a consequence of bypassing security:
• Processing workload (DDoS, mail spam, etc.)
• Data theft (privacy information, student information)
SECURITY
• Let’s talk about how websites at Georgia Tech progressed,
and what led to the creation of PWP.
TO GEORGIA TECH
WORDPRESS & PWP
• Professional Web Presence
PWP
• Web at Georgia Tech is decentralized.
• That is, any staff/faculty can request and receive
virtualized hosting for any website.
• Any virtualized hosting can install virtually any web
platform or system for development.
• As a consequence of this, websites can take many forms…
GT WEB
• These are websites that are live and active as of… today.
NOTE
• Each of these websites* is using a content management
system to build and maintain their website.
• Each has their own theme*.
• Does anyone else see a problem with that?
LET’S CONSIDER
• Each system needs to be maintained.
• Not only the core content system, but every plugin and
theme.
• Custom code must be checked to ensure it is compatible
with updates.
FRIGHTENING
• Our fine folks in the Office of Information Technology could
sniff each website to find out what system they are using.
• A good way to gauge what systems and platforms people are
using for websites.
• What we found is…
THE GOOD NEWS IS
THE GOOD NEWS IS
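One way to run the kind of platform survey described above, as an added example (not OIT's tooling and not code from the talk): it classifies already-fetched pages by common public CMS markers and tallies the result. The markers, function names, hostnames and sample responses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Markers below are widely known CMS defaults, picked for this example;
# the slides do not say which signals OIT actually used.
NAMES = {"wordpress": "WordPress", "drupal": "Drupal", "joomla": "Joomla"}
GENERATOR_META = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']([^"\']+)', re.I)
PRODUCT = re.compile(r'\s*(wordpress|drupal|joomla)!?\s*(\d[\d.]*)?', re.I)
PATH_HINTS = [
    ("WordPress", re.compile(r'/wp-(?:content|includes)/', re.I)),
    ("Drupal", re.compile(r'/sites/(?:default|all)/(?:files|themes|modules)/', re.I)),
    ("Joomla", re.compile(r'/media/system/js/|/components/com_', re.I)),
]

def identify_cms(headers, html):
    """Classify one fetched page as (cms, version, evidence)."""
    header = {k.lower(): v for k, v in headers.items()}.get("x-generator", "")
    meta = GENERATOR_META.search(html)
    # Strongest evidence first: an explicit generator string names the product.
    for evidence, text in (("header", header), ("meta", meta.group(1) if meta else "")):
        hit = PRODUCT.match(text)
        if hit:
            return NAMES[hit.group(1).lower()], hit.group(2), evidence
    # Generator tags are often stripped, so fall back to asset paths.
    for name, pattern in PATH_HINTS:
        if pattern.search(html):
            return name, None, "path"
    return "unknown", None, "none"

def inventory(pages):
    """Tally platforms and list sites that disclose a version string."""
    counts, versioned = Counter(), []
    for url, headers, html in pages:
        cms, version, _ = identify_cms(headers, html)
        counts[cms] += 1
        if version:
            versioned.append((url, cms, version))
    return counts, versioned

# Constructed sample responses (hostnames and markup are made up).
SAMPLE_PAGES = [
    ("https://lab.example.edu", {}, '<meta name="generator" content="WordPress 4.8.2" />'),
    ("https://center.example.edu", {"X-Generator": "Drupal 7 (http://drupal.org)"}, "<html></html>"),
    ("https://conf.example.edu", {}, '<link href="/wp-content/themes/custom/style.css">'),
    ("https://group.example.edu", {}, '<meta name="generator" content="Joomla! - Open Source Content Management" />'),
    ("https://static.example.edu", {}, "<html><body>hand-written</body></html>"),
]
```

The `versioned` list is the part worth acting on: sites that disclose a version string can be matched against the update schedule for core, plugins and themes.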
• We don’t have any centrally-maintained WordPress
resources on campus.
• No:
• Theme
• Login Help
• Plugin Recommendations
• Security Recommendations
• Help
BUT…
• Each of these websites* is using a content management
system to build and maintain their website.
• Each has their own theme*.
• Does anyone else see a problem with that?
LET’S CONSIDER
LET’S CONSIDER
• There’s got to be a better way.
HMM…
• WordPress, like many CMSs, has the ability to create a
multi-site installation.
MULTISITE
MULTISITE
[Diagram: one WordPress codebase shared by a grid of websites]
• WordPress Multiuser has a shared codebase of:

• Plugins
• Themes
• WordPress Core
• Configuration
• Spread out between all websites under its umbrella.
WORDPRESS MU
BUILDING PWP
• PWP came about from a discussion on WordPress security
and existing needs for ‘plug-and-play’ webdev:
• 1. Find a use-case for development.
• 2. Test multiple products with heterogeneous test group.
• 3. Reflect on and analyze how each product was utilized.
• 4. Select product and move forward.
CONDENSED PWP DEV
• We tested:

• Open Scholar
• Drupal Multisite (Drupal Express)
• WordPress Multiuser
CONDENSED PWP DEV
• We chose WordPress, and thus PWP was born.
• 1. Discover our original needs-assessment.
• 2. Develop low-hanging fruit assets and plugins.
• 3. Pass off first release as a ‘pilot phase’ to early on-boarders.
• 4. Engage in active feedback to locate strengths,
weaknesses, and needs.
CONDENSED PWP DEV
• Finally, add in server-side development and configuration
for ease-of-use:
• 1. Locate configuration and plugins for new features.
• 2. Test on development and for use-cases.
• 3. Roll out and announce to end-users.
SHORT DEV CYCLE
PWP AT 1000 DAYS
• Websites Hosted, Archived by PWP: 700
• GT User Accounts on PWP: 1404
• Themes Available for Usage: 28
• Theme Georgia Tech Maintains: 1
• Plugins and Extenders: 77
• Plugins that Georgia Tech Maintains: 7
• Visitors to pwp.gatech.edu: 33682
• Attacks Blocked on PWP (last 30 days): 22510
• Threat vectors identified and checked against: 9883
• Unique visitors visited our documentation: 753
• Unique visitors visited our documentation on custom Georgia Tech domains: 378
• Non gatech.edu custom domains: 7
• gatech.edu custom domains: 291
• Staff Members Who Maintain PWP: 1.5
BY THE NUMBERS
• PWP is meant to be self-sufficient in that:
• Additional features can be added through WordPress’
plugin directory as requested.
• Georgia Tech theme is stable barring any campus branding
changes.
• Updates are applied as submitted by maintainers.
• New Georgia Tech features are road-mapped for inclusion,
but not critical to website success.
PWP
• We used to run monthly training sessions and help-desks,
but found:
• In-person help desks received < 1 person on average (3-hour
windows).
• Virtual help desks received < 1 person on average (3-hour
windows).
• Most support is better left to on-demand requests and
suggestions through email.
WHAT WE FOUND
• Custom domains ({blah}.gatech.edu)
• Plugin requests
• Theme requests
HELP REQUESTS
• We ran school/college tours to introduce PWP and provide
information for faculty and staff.
• While some faculty and staff responded, onboarding
successes were much greater with:
• Incorporation of PWP into documentation and
recommendations for campus.
• Working directly with IT staff to migrate websites from
old custom hosting to PWP.
SCHOOL/COLLEGE
• Our largest concern thus far is separating ‘website storage’
from ‘secure storage’.
• Just because you host a PDF on a PWP website (or any
website with a world-facing interface) does not mean it is
secure.
• Do not ever assume security by obfuscation.
LARGEST CONCERN
• For sensitive data and private documents, we strongly
recommend an actual intranet or private repository in the
cloud for sharing:
• e.g., SharePoint, OneDrive
LARGEST CONCERN
• We leverage multiple layers of security:

• Wordfence (automated checks, filters, active monitoring)
• ASAP Updates
• GT-Login Only (with two-factor)
• Security hardening on .htaccess, wp-settings
SECURITY
LOOKING AHEAD
• PWP currently operates in a ‘set it and forget it’ mode.
• Current features and plugins are stable enough in most
situations.
• Security and updates are automatically applied as quickly
as possible.
• Users can self-enroll and create websites.
• User accounts can be created for any GT account.
SET IT & FORGET IT
• The last remaining steps are:
• 1. Tackle SSL.
• 2. On-board on-campus custom applications.
NEXT STEPS
QUESTIONS?
