This document provides an overview of the WordPress Professional Web Presence (PWP) platform at Georgia Tech. PWP was created to address issues with resource repetition and security across the many decentralized websites at Georgia Tech. It utilizes a WordPress multisite installation to share plugins, themes, and other resources across 700 hosted websites. Some key facts are that PWP serves over 1,400 user accounts, maintains 1 theme and 7 plugins, and blocks over 22,000 attacks per month. The document discusses the development and growth of PWP over its first 1000 days of operation.
8. • Let’s talk about your campus web entities in 2017.
• More and more campus entities are using the web to
market, communicate, and fund:
• Research / Labs / Centers
• Events / Conferences
• Faculty / Staff / Graduate Students
• Organizations / Groups / Initiatives
• Experimental / Media
WEB ON CAMPUSES
9. • Our work is increasingly turning to building more websites
for a wider variety of use-cases.
• Fortunately, the marketplace for website building
scaffolding (content management systems) helps us stay
afloat.
WE HAVE TO DO MORE
10. • However, we must be aware of two potential issues that
pop up as a product of the proliferation of easy-to-use website
tools:
• Resource Repetition
• Security
MAINTAINABLES
11. • Building the same resource repeatedly without sharing
sources.
• Resources aren’t equal.
• Resources aren’t visually cloned.
• Resources aren’t identically structured.
• Resource fracturing occurs.
RESOURCE REPETITION
12. • All of this equals wasted time and resources.
RESOURCE REPETITION
13. • Security is king. And it’s not just about data.
• Two vectors as consequence of bypassing security:
• Processing workload (DDoS, mail spam, etc.)
• Data theft (privacy information, student information)
SECURITY
14. • Let’s talk about how websites at Georgia Tech progressed,
and what led to the creation of PWP.
TO GEORGIA TECH
17. • Web at Georgia Tech is decentralized.
• That is, any staff/faculty can request and receive
virtualized hosting for any website.
• Any virtualized hosting can install virtually any web
platform or system for development.
• As a consequence of this, websites can take many forms…
GT WEB
18. • These are websites that are live and active as of… today.
NOTE
34. • Each of these websites* is using a content management
system to build and maintain their website.
• Each has their own theme*.
• Does anyone else see a problem with that?
LET’S CONSIDER
36. • Each system needs to be maintained.
• Not only the core content system, but every plugin and
theme.
• Custom code must be checked to ensure it is compatible
with updates.
FRIGHTENING
39. • Our fine folks in the Office of Information Technology could
sniff each website to find out what system they are using.
• A good way to gauge what systems, platforms people are
using for websites.
• What we found is…
THE GOOD NEWS IS
41. • We don’t have any centrally-maintained WordPress
resources on campus.
• No:
• Theme
• Login Help
• Plugin Recommendations
• Security Recommendations
• Help
BUT…
42. • Each of these websites* is using a content management
system to build and maintain their website.
• Each has their own theme*.
• Does anyone else see a problem with that?
LET’S CONSIDER
47. • WordPress Multiuser has a shared codebase of:
• Plugins
• Themes
• WordPress Core
• Configuration
• Spread out between all websites under its umbrella.
WORDPRESS MU
49. • PWP came about from a discussion on WordPress security
and existing needs for ‘plug-and-play’ webdev:
• 1. Find a use-case for development.
• 2. Test multiple products with heterogeneous test group.
• 3. Reflect on and analyze how each product was utilized.
• 4. Select product and move forward.
CONDENSED PWP DEV
50. • We tested:
• Open Scholar
• Drupal Multisite (Drupal Express)
• WordPress Multiuser
CONDENSED PWP DEV
51. • We chose WordPress, and thus PWP was born.
• 1. Discover our original needs-assessment.
• 2. Develop low-hanging fruit assets and plugins.
• 3. Pass off first release as a ‘pilot phase’ to early on-
boarders.
• 4. Engage in active feedback to locate strengths,
weaknesses, and needs.
CONDENSED PWP DEV
52. • Finally, add in server-side development and configuration
for ease-of-use:
• 1. Locate configuration and plugins for new features.
• 2. Test on development and for use-cases.
• 3. Roll out and announce to end-users.
SHORT DEV CYCLE
68. • PWP is meant to be self-sufficient in that:
• Additional features can be added through WordPress’
plugin directory as requested.
• Georgia Tech theme is stable barring any campus branding
changes.
• Updates are applied as submitted by maintainers.
• New Georgia Tech features are road-mapped for inclusion,
but not critical to website success.
PWP
69. • We used to run monthly training sessions and help-desks,
but found:
• In-person help desks received < 1 person on average (3
hour windows).
• Virtual help desks received < 1 person on average (3 hour
windows).
• Most support is better left to on-demand requests and
suggestions through email.
WHAT WE FOUND
71. • We ran school/college tours to introduce PWP and provide
information for faculty and staff.
• While some faculty and staff responded, onboarding
successes were much greater with:
• Incorporation of PWP into documentation and
recommendations for campus.
• Working directly with IT staff to migrate websites from
old custom hosting to PWP.
SCHOOL/COLLEGE
72. • Our largest concern thus far is separating ‘website storage’
from ‘secure storage’.
• Just because you host a PDF on a PWP website (or any
website with a world-facing interface) does not mean it is
secure.
• Do not ever assume security by obfuscation.
LARGEST CONCERN
73. • For sensitive data and private documents, we strongly
recommend an actual intranet or private repository in the
cloud for sharing:
• i.e. SharePoint, OneDrive
LARGEST CONCERN
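An added example, not part of the original slides or PWP's own tooling: a small audit that inventories document files sitting in a WordPress multisite uploads tree, grouped by site, so administrators can see what is being treated as "storage" on a world-facing server. It assumes the standard multisite layout (`wp-content/uploads/sites/<blog_id>/...`, with the main site directly under `uploads/`); the extension list, filename keywords and sample file names are constructed for illustration.

```python
import os
import re
import tempfile

# Document types that tend to carry private data (assumed list, adjust locally).
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv"}
# Filename hints worth a manual review (assumed keywords, not from the slides).
HINTS = re.compile(r"roster|grades|ssn|payroll|transcript|confidential", re.I)
# Multisite sub-sites store media under uploads/sites/<blog_id>/...
SITE_DIR = re.compile(r"^sites/(\d+)/")


def audit_uploads(uploads_root):
    """Return {site_id: [(relative_path, flagged)]} for documents under uploads."""
    report = {}
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DOC_EXT:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), uploads_root)
            rel = rel.replace(os.sep, "/")
            m = SITE_DIR.match(rel)
            site = int(m.group(1)) if m else 1  # main site uses uploads/ directly
            report.setdefault(site, []).append((rel, bool(HINTS.search(name))))
    for entries in report.values():
        entries.sort()
    return report


def build_sample_tree(root):
    """Constructed sample layout; file names are made up for the example."""
    for rel in ("2017/03/campus-map.pdf",
                "sites/12/2017/04/lab-roster.xlsx",
                "sites/12/2017/04/logo.png",
                "sites/40/2017/05/Student-Grades-Final.PDF"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for site, entries in sorted(audit_uploads(tmp).items()):
            for rel, flagged in entries:
                print(site, "/wp-content/uploads/" + rel, "REVIEW" if flagged else "")
```

Every path the audit lists is served directly by the web server without a WordPress login check, so flagged files are candidates for moving to the private storage recommended above.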
74. • We leverage multiple layers of security:
• WordFence (automated checks, filters, active monitoring)
• ASAP Updates
• GT-Login Only (with two-factor)
• Security hardening on .htaccess, wp-settings
SECURITY
76. • PWP currently operates in a ‘set it and forget it’ mode.
• Current features and plugins are stable enough in most
situations.
• Security and updates are automatically applied as quickly
as possible.
• Users can self-enroll and create websites.
• User accounts can be created for any GT account.
SET IT & FORGET IT
77. • The last remaining steps are:
• 1. Tackle SSL.
• 2. On-board on-campus custom applications.
NEXT STEPS