Put an “S” on it

by Zack Tollman, https://speakerdeck.com/tollmanz

Issues & Challenges

MIXED Content Issues

• Passive
• Active
  • insecure requests loaded on the page that can be hi-jacked
• States (lock color in Chrome, e.g.)
  • green = OK
  • yellow = passive mixed content
  • red = not secure, active mixed content

Strategies For Migration

1. HTTPS everywhere
   1. hi risk / hi security
2. HTTPS somewhere
   1. low risk / low security
3. HTTPS with HTTP (can access either)
   1. medium risk / medium security

Application Preparation

• Basically look for ALL THE THINGS that reference http -> https
• Keep old http sitemap for short period, update new https sitemap (SEO recovered in about 4-6 weeks)

Content Security Policy

• Response header telling the browser what can/can’t be loaded

default-src: https:;
upgrade-insecure-requests
report-uri https://report-domain.com/receive

report-uri allows you to notify when violation occurs (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)

Web Performance: Measure Like You Mean It

by Joseph Scott

Treat performance complaints like bug reports

Process

• Set a goal (SMART)
• Always measure before & after
• Make one change at a time
• Test in a controlled and consistent environment
• Be consistent

What can I do today?

• WebPageTest
  • Block requests
  • Single point of failure (SPOF)
  • Scripting
  • Network packet capture
• SpeedCurve

What to measure?

• Speed Index
• TTFB
• Start Render
• Fully Loaded Time & Bytes
• User Timing API
• RUM: https://github.com/SOASTA/boomerang?files=1

Example

Goal: TTFB in < 100ms

1. Start with ideal conditions (no throttling, etc) – this is to determine if your goal is even realistic
   1. If you can’t re-assess
2. Keep the raw data
3. Beware of averages, which can hide extremes/data – favor consistency

A Conscious Uncoupling: WordPress as a Headless CMS

by Krissie VandeNoord

Why Go Headless?

• Freedom, no rules to follow (on front-end)

Going Headless with WordPress

• WordPress installed in sub-directory
• React in root
• Headless theme installed

Problem: Routing

Default WP routing does not work with React

• Configure .htaccess in root
• React Router – dynamic routing with:

  <Route path=":page" component="{Page} />

Maintaining a usable dashboard experience

• Disable features not being used
• Plugins
  • ACF to REST API
  • WP REST API force SSL
  • WP Rest Api Menus

Taking the leap

• Going headless is not the right choice for all sites
• Still new technology, will require more hands-on maintenance

Code Review: Why It Matters

by Brad Campeau-Laurion

Why?

• Maintain code quality
• Boost collaboration
• Knowledge-sharing

Tools

• Peer Review
  • Slack integrations (review assigned, approved)
  • Github
• Automated Testing
  • CI
  • PHPCS
• Peer Review
  • Performance
  • Security
  • Optimization

Next Generation WordPress

by Ryan McCue

Resources and Reading

• https://www.ssllabs.com/ – SSL site vetting – NerdWallet = A
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP – Content Security Policy
• https://www.reporturi.io – free HTTPS/CSP violation reporting