WordCamp US 2017 Presentation: Security, The VIP Way

This past Friday, I gave a 20-minute presentation on WordPress security, giving a high-level overview of things you can do to help keep your sites secure.

The Presentation

Here's a SlideShare embed of the presentation deck:

And you can download the Keynote source file for my presentation, including presenter notes.

Twitter Questions

As part of my talk, I asked attendees to submit any questions they might have had via Twitter using the hashtag #wpvipsec. Here are the questions I received, and some brief answers to them as best I can provide.

As we have been transitioning some of the WordPress.com VIP platform to our next-generation VIP Go platform, we've had to reinvent some of this stuff slightly. :) You'll be pleased to know that we have made the mu-plugins we use on VIP Go publicly viewable on GitHub, and you can see our custom two-factor module here.

I don't know very much about securing sites via VPN, but I'm assuming here that you have site access (even front-end) locked to internal IPs only based on that VPN connection. That should handle a large portion of your security from outside attack, assuming the VPN is using appropriate security precautions.

At this point, your chief enemy is likely to become human error. This is where portions of the talk surrounding things like limiting user capabilities and access to certain settings pages can really help you out. Making sure your users are following good account security processes for connecting to the VPN is also critical.

As I suggested in the Q&A after the talk, I highly recommend that user roles and capabilities be in your WordPress engineering toolbox. They are enormously useful.

Multisites are interesting because they have additional layers of user access. Let's look at the two admin roles:

Super Admin: This should be as limited as humanly possible. The only users who should have superadmin powers on a multisite IMO are system administrators, your development team, and support users who will be assisting other users with account-level actions regularly. (An additional user or two might be necessary if you have people who need to spin up new sites on-demand rather than contacting your support team.) You should certainly require two-factor authentication here, and if you can require proxy or VPN access at this level, you absolutely should look into that as an option.

Administrator: This is going to be on a site-by-site basis within the multisite. If you can craft custom roles and their capabilities finely enough for your needs so that non-development users who are "in charge" of a site can use those roles instead of full admin, you should absolutely do this. Ideally, this user group and the Super Admin user group are as close to identical (and as limited) as possible.

The remainder of the roles are easier to parse. I'd especially like to recommend here (as I did during the talk) the use of an audit trail plugin: with many users working on sites, some of them with superadmin powers, knowing which user performed which action becomes increasingly valuable.
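To make the role and audit-trail advice above concrete, here is a small mu-plugin written as an added example; it is not code from the talk, from WordPress.com VIP, or from the VIP Go mu-plugins linked earlier. It defines a site-level role that is deliberately narrower than Administrator, removes the in-dashboard plugin/theme file editors for everyone, and logs the privileged events you would most want in an audit trail. The role slug `site_manager`, the `lc_` prefix, and the use of `error_log()` as a stand-in for a real audit-trail plugin are my own choices; the hooks (`init`, `user_has_cap`, `grant_super_admin`, `revoke_super_admin`, `set_user_role`, `activated_plugin`, `wp_login`) are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Least-Capability Roles and Audit Trail (added example)
 *
 * Added example, not code from the talk, WordPress.com VIP, or the VIP Go
 * mu-plugins. Drop it in wp-content/mu-plugins/ to try it. The role slug
 * "site_manager", the "lc_" prefix, and error_log() standing in for a real
 * audit-trail plugin are assumptions of this example.
 */

// 1. A site-level role for the people "in charge" of a site that is narrower
//    than Administrator: Editor's content capabilities plus two extras, but no
//    plugin/theme/user management and no manage_options.
add_action( 'init', function () {
    if ( get_role( 'site_manager' ) ) {
        return; // add_role() writes to the database; create the role only once.
    }
    $editor = get_role( 'editor' );
    $caps   = $editor ? $editor->capabilities : array();
    $caps['list_users'] = true; // can see who has access, cannot change it
    $caps['export']     = true;
    add_role( 'site_manager', 'Site Manager', $caps );
} );

// 2. Nobody, Super Admins included, gets the in-dashboard plugin/theme file
//    editors. Defining DISALLOW_FILE_EDIT in wp-config.php achieves the same
//    result; this filter shows where the capability check happens.
add_filter( 'user_has_cap', function ( $allcaps ) {
    unset( $allcaps['edit_plugins'], $allcaps['edit_themes'] );
    return $allcaps;
} );

// 3. Minimal audit trail: one log line per privileged event, with the actor.
function lc_audit( $event, array $ctx = array() ) {
    $user          = wp_get_current_user();
    $ctx['actor']  = $user->exists() ? $user->user_login : 'anonymous';
    // Behind a proxy or CDN, REMOTE_ADDR is the proxy's address; use the
    // platform's trusted client-IP header instead if it provides one.
    $ctx['remote'] = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $ctx['time']   = gmdate( 'c' );
    error_log( 'AUDIT ' . $event . ' ' . wp_json_encode( $ctx ) );
}

add_action( 'grant_super_admin', function ( $user_id ) {
    lc_audit( 'grant_super_admin', array( 'target' => (int) $user_id ) );
} );
add_action( 'revoke_super_admin', function ( $user_id ) {
    lc_audit( 'revoke_super_admin', array( 'target' => (int) $user_id ) );
} );
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    lc_audit( 'set_user_role', array( 'target' => (int) $user_id, 'new' => $role, 'old' => $old_roles ) );
}, 10, 3 );
add_action( 'activated_plugin', function ( $plugin ) {
    lc_audit( 'activated_plugin', array( 'plugin' => $plugin ) );
} );
add_action( 'wp_login', function ( $login, $user ) {
    lc_audit( 'login', array( 'user' => $login, 'super_admin' => is_super_admin( $user->ID ) ) );
}, 10, 2 );
```

Two design notes: the role is built from Editor rather than from Administrator so that anything dangerous has to be added deliberately instead of removed after the fact, and the audit lines go to the PHP error log only because this is an example; on a real site, ship them somewhere that site administrators cannot edit or delete.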

Additional Questions?

If you have any questions that haven't been covered above or in the talk, please send me a reply on Twitter and I'll be happy to drop them in the post and let you know when I have updated it.

I'll be updating this post occasionally with new information, as well as a link to the talk's video archive when it's available. To be notified of this, please either follow my blog or follow me on Twitter.


Destiny Discussion Stream: Bungie’s December Roadmap Post

Bungie dropped a pretty big blog post today regarding where they are with updates and changes to Destiny 2, which seems to be in a spot with some hardcore players.

My son and I hopped in-game tonight and had a chat about the changes while we were playing. We keep things positive and talk about the changes and a bit about the things others seem to want but aren’t yet getting (and may not get).

Garden Glow 2017

We took the family to the Missouri Botanical Gardens this evening for the yearly Garden Glow, where the front half of the grounds is lit up with various Christmas light displays.

I took a host of pics with my phone and didn’t do any editing on them—just posting them up now because if I wait much longer, I won’t make the post. :)

If you are in the St. Louis area, I highly recommend the walk; it’s quite nice and it’s very different being in the gardens at night, which you normally cannot do.

Bracket Running: Avoiding Disappearing Players

Bear dropped this on Twitter in reply to PerfectLegend, and I thought it worth mentioning something about how I handle it. Using this method, I have never run into the following problem:

Here’s how you make this less of a problem:

Talk about this with your players before you start your bracket.

Issue clear expectations for things like bathroom and smoke breaks, because players will ask you for these things. Let them know that they need to ask for them immediately after one of their matches, and that you have to OK them by looking at the bracket and seeing what time is available for people to do so. Also let them know that when you and they agree on a time limit for these activities, and they go over the time limit, they can be DQ’d.

Know where you are in the bracket and how long matches take.

You can’t be honest with players regarding the time available to them for a break unless you know how much room you have in a bracket for those things. You’re generally only going to be able to give them break time in the first couple of rounds, because that is the only time you have a lot more matches to play than stations.

Make sure you are playing out matches by rounds as much as possible to give players time to rest between their matches. Don’t run one person all the way through the bracket before you have had other players get their matches in.

Write breaks down on the bracket sheet or a notebook/notepad (if using electronic bracketing, which you shouldn’t be in most cases), and make sure the player sees you do it.

When I have a player ask for a break, I talk to them briefly about what they are leaving to do and ask them how long it will take them to do it. I check the time on my watch, and then tell them exactly when I expect they will be back for their next match. I then write their player name and the agreed-upon return time on the bracket, showing them as I do this, and let them go have their break.

This becomes a two-way agreement; I let them take the break, and they agree they’ll be back by that time. If they aren’t back by that time, I generally give them two to three minutes’ grace period before issuing a DQ loss. (This also means that when budgeting the time for their break, I give them two to three minutes less than I actually have for them.)

Above all, be fair and respectful.

Before every bracket I run, I set expectations that I’m going to respect players’ time, and that in return, I expect certain courtesies from them. It’s only in partnership with your players that you’ll be able to run an efficient and well-received bracket. Respect your players’ time and communicate with them clearly, and they will respect the decisions you may have to make.

Extra Life 2017 – A Change of Plans!

If you’d like to contribute regardless of what I’m doing, please donate here! Otherwise, read on for more information.

Hello, friends!

In most years, this is the post where I would tell you that I’m running my Extra Life marathon tomorrow, as that’s the assigned Game Day for the program.

However, I have outstanding commitments for the entire weekend that will prevent me from doing the Extra Life thing on the assigned day. So this year, I’ll be moving it around a bit and am also planning on doing more than one of these. I may not be able to do anything 24-hour based on my various commitments, but I’m looking at a handful of 12-hour-plus runs.

The first one of these is going to be on November 11th, and will start at 9:00 a.m. Central. I’ll be starting Super Mario Odyssey, and will take it as far as I can. I’ll stay on Super Mario Odyssey for the marathon series as long as people continue to donate – for every $5 donated to my Extra Life campaign, I’ll find one more moon in Odyssey, up to 100%ing the game before the end of the year.

You are guaranteed I’ll get the minimum number of moons for a game clear. Money donated will go to moons past the minimum.

I’ll post more information as we get closer to the marathon and will also post more regarding additional mini-marathon dates as they are going to happen. (Expect something around Destiny 2’s first DLC release.)

Destiny 2: Month Two Gallery

I find myself hitting the screen capture button fairly often in this game, which is kind of nice. It gives me a record of what I’ve been doing and the things I’ve been messing with in the game.

My son and I are still playing together almost nightly, and it’s been a lot of fun. And we recently joined SafeGamers, giving us some groups we can play with who are respectful of our time and of us—a welcome change from a lot of online gaming experiences.

I’ve managed my first Destiny series raid, and cleared it a few times since then. I expect fewer screenshots next month, if only because I’m exhausting a lot of the content in the game prior to the first DLC release coming this December. (And I included the Legacy screenshots, which showcase some pretty neat art from various experiences I completed in the first game. I’m hoping my next Legacy is much more complete.)

Also, I’m aware there are some resolution problems with the carousel for these images; if you want to see the (much sharper) originals, use the button that appears when you are browsing the images in carousel.

macOS Command Line Tips

As previously mentioned, one of my favorite exercises is to avoid using system transfers when I move to a new MacBook, and instead start over from scratch, as I learn something new every time.

One big difference this time around has been that I am in the command line much more now than I have been in the past. I’ve been working actively on this as a skill, and as a result, it means more time sitting at a prompt.

The default terminal in macOS is fantastic, at least for the reason that it’s a modern OS with UNIX-like command line syntax—but there are some ways it falls short, based on either its BSD roots or choices made by Apple.

The good news is that you can make up for a good number of those shortcomings with a bit of work, and find some neat tricks at the same time. I asked on Twitter for some additional tips:

I’ll be sharing any tips that I’m pointed to there for the first time in this post and subsequent edits, so if you have any tips of your own, drop me a reply on that tweet and I’ll check them out.

Optional Step One: Install a Terminal Replacement

This is very much a matter of personal preference, but I usually replace the Terminal app with an alternate solution. (This is where we pour one out for TotalTerminal a.k.a. Visor, of blessed memory.)

I prefer iTerm2 and its advanced features such as split panes, shell integration, and more intelligent buffering and options, but you may find something of your own you prefer. iTerm2 is also open source under the GPLv2.

Install Xcode Command Line Tools

Before we can do anything else of note with the command line, we should install some command line stuff that’s left out by default in macOS but very useful for a lot of the other things we’ll want to do. Thankfully, Apple made this bit pretty easy.

Open your command line and run:

xcode-select --install

You’ll be prompted to confirm this installation with a GUI dialog. Accept it, and macOS will download the developer tools for you. (You will possibly end up upgrading some of these tools, but that’s OK. This will get you started and give you the basics you need.)

Get a Monospaced Font That’s Not Monaco

Monaco as a font is OK, but not great. There are two alternative options I usually recommend.

The first is the monospaced font that comes bundled with the default Terminal app: SF Mono. Apple doesn’t distribute this font outside of either Terminal or Xcode from what I can tell, but you can extract it from the Terminal app if you would like. Get to the folder containing the font files using this:

open /Applications/Utilities/Terminal.app/Contents/Resources/Fonts/

Select all the files in that folder and open them, which will take you to Font Book to try and install them. Font Book will tell you there are problems with the font files. Font Book is lying. The installation will work, and I haven’t seen any reports of it being problematic.

(I think the warning is because doing this might possibly be against the terms of use for the font.)

If you would rather not pull SF Mono out of Terminal, or if the errors give you pause, another great option is to install Anonymous Pro, which has been my go-to fixed-width font for years. It’s a great option and has a free license. You can download it here.

Get Homebrew for Package Management

Modern Linux distributions often use package managers to add and remove installed software with ease.

Now, when you run into a command line tool or other utility someone’s pointed out to you, you can usually install it more or less automatically with Homebrew. Here’s an example for wget, which quite honestly should be included with macOS, but isn’t:

pathfinder:nodecg ryanmarkel$ wget
-bash: wget: command not found
pathfinder:nodecg ryanmarkel$ brew install wget
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/core).
==> Deleted Formulae
kibana@4.1

==> Installing dependencies for wget: openssl@1.1
==> Installing wget dependency: openssl@1.1
==> Downloading https://homebrew.bintray.com/bottles/openssl@1.1-1.1.0f.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring openssl@1.1-1.1.0f.sierra.bottle.tar.gz
==> Using the sandbox
==> Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /usr/local/etc/openssl@1.1/certs

and run
  /usr/local/opt/openssl@1.1/bin/c_rehash

This formula is keg-only, which means it was not symlinked into /usr/local,
because this is an alternate version of another formula.

If you need to have this software first in your PATH run:
  echo 'export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"' >> ~/.bash_profile

For compilers to find this software you may need to set:
    LDFLAGS:  -L/usr/local/opt/openssl@1.1/lib
    CPPFLAGS: -I/usr/local/opt/openssl@1.1/include

==> Summary
🍺  /usr/local/Cellar/openssl@1.1/1.1.0f: 6,421 files, 15.5MB
==> Installing wget
==> Downloading https://homebrew.bintray.com/bottles/wget-1.19.1_1.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring wget-1.19.1_1.sierra.bottle.tar.gz
🍺  /usr/local/Cellar/wget/1.19.1_1: 11 files, 1.6MB

Suggested Homebrew Packages

You can get pretty fancy with Homebrew. My colleague Jeremy Herve has a great script he uses to run it when spinning up a new system, and he posted about that here. I don’t install that many things via Homebrew, but there are a handful of things available through it that I use with some regularity.

If you know of any cool utilities I don’t, feel free to ping me on Twitter and tell me about them.

mas

(source on GitHub; MIT license)

mas is a great utility that helps you with both installing and maintaining apps you have installed through the Mac App Store (which, admittedly, is fewer and fewer apps over time). You can even use it to search for apps and manage your authentication status.

pathfinder:nodecg ryanmarkel$ mas list
409183694 Keynote (7.2)
408981434 iMovie (10.1.6)
485812721 TweetDeck (3.9.889)
443987910 1Password (6.7)
904280696 Things3 (3.0.3)
803453959 Slack (2.6.2)
442007571 AntiRSI (3.3.0)
557168941 Tweetbot (2.5.1)
407963104 Pixelmator (3.6)
409201541 Pages (6.2)
682658836 GarageBand (10.2.0)
409203825 Numbers (4.2)
692867256 Simplenote (1.1.8)

cloc

(source on GitHub; GPLv2 license)

At work, we do a lot of code review and scheduling those code reviews. If I have a bundle of code and I want to size it up quickly to see what it does, I use cloc to do this. It’s a great first-look at how much work a review could end up being.

pathfinder:Development ryanmarkel$ cloc ryanmarkel-v2/
    1933 text files.
    1905 unique files.
     146 files ignored.

github.com/AlDanial/cloc v 1.72  T=8.46 s (211.5 files/s, 32469.1 lines/s)
----------------------------------------------------------------------------------------
Language                              files          blank        comment           code
----------------------------------------------------------------------------------------
PHP                                    1305          18979          44697          79398
CSS                                      79           5329           2056          32684
JavaScript                              149           4631           5865          20148
PO File                                  73           8254          12486          20091
XML                                      74            869            926           5606
Markdown                                 40           1512              0           3896
JSON                                     31             14              0           3282
HTML                                      9             14              0           1444
Velocity Template Language                1             11              4            470
Bourne Shell                              6            114             40            468
Maven                                     1             30             21            305
YAML                                     10             52            111            262
Ant                                       1             19             30            140
INI                                       7             27             89             95
DTD                                       1             25             54             69
XSLT                                      1              5             14             19
make                                      1              1              0              3
----------------------------------------------------------------------------------------
SUM:                                   1789          39886          66393         168380
----------------------------------------------------------------------------------------

streamlink

(source on GitHub; BSDv2 license)

streamlink is a forked successor of livestreamer, which unfortunately became a dead project; the tool itself is insanely useful. It uses command line instructions combined with (normally) an install of VLC to open streaming video using a method that tends to be much lighter-weight than a browser. It will help you identify the available transcodes as well, and can even be used to load authentication-required video for some services.

pathfinder:Development ryanmarkel$ streamlink https://twitch.tv/gamesdonequick
[cli][info] Found matching plugin twitch for URL https://twitch.tv/gamesdonequick
Available streams: audio_only, 160p (worst), 360p, 480p, 720p, 720p60 (best)

Bring Some Color to bash

Some of the tools that are included with macOS at the command line and its default configuration are slightly altered from defaults you may be used to in other UNIX-like environments. One that tends to bother me is that by default, ls doesn’t have any color indicators for output. By default, it looks like so:

This really isn’t helpful. Let’s add at least some color marking by adding this to our ~/.profile:

export CLICOLOR=1

Now, when I’m in a terminal session in any terminal app, I should see my directories like so:

You may also wish to customize your prompt using the information you can find here, but the number of options there is a bit much for me to get into.

Using pbcopy/pbpaste

Mark Jaquith replied to me with this tip:

Straight up: I did not even know about pbcopy and pbpaste, but reading the man pages for them, it’s crazy I went this long without knowing what they were and how to use them.

You can use the commands to move text back-and-forth between your terminal session and the macOS Clipboard. This should be self-explanatory, but for example, I just realized that I could have used it to put large chunks of the output from commands in this very post without having to select it and copy it.
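Two small things from the “Bring Some Color to bash” and pbcopy/pbpaste sections above are worth having as reusable shell functions, so here is an added example (my own code, not from the post or from Apple): an idempotent way to add lines like `export CLICOLOR=1` to a profile file, and clipboard wrappers that use pbcopy/pbpaste on macOS but fall back to a scratch file elsewhere so the same script runs on Linux. The function names and the fallback path are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent dotfile edits plus a portable clipboard wrapper.
# Not from the original post; function names and the fallback path are my own.

# append_once FILE LINE
# Appends LINE to FILE only if FILE does not already contain it verbatim, so
# re-running a setup script never stacks duplicate `export` lines the way a
# bare `echo '...' >> ~/.bash_profile` (as in Homebrew's caveats) would.
append_once() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# clip_copy / clip_paste: use macOS pbcopy/pbpaste when present, otherwise
# fall back to a scratch file so the same script works on Linux.
CLIP_FALLBACK=${CLIP_FALLBACK:-${TMPDIR:-/tmp}/clip_fallback.txt}

clip_copy() {
    if command -v pbcopy >/dev/null 2>&1; then
        pbcopy
    else
        cat > "$CLIP_FALLBACK"
    fi
}

clip_paste() {
    if command -v pbpaste >/dev/null 2>&1; then
        pbpaste
    else
        cat "$CLIP_FALLBACK"
    fi
}

# Usage, as the post suggests for ~/.profile (safe to run repeatedly):
#   append_once "$HOME/.profile" 'export CLICOLOR=1'
# Usage for the clipboard:
#   cloc some-repo/ | clip_copy
#   clip_paste > review-notes.txt
```

One caveat that belongs with pbcopy: anything you pipe into it is readable by every application on the machine until the clipboard changes, so it is a handy way to move command output into a post, and a poor way to move tokens, keys, or passwords around.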

What Am I Forgetting?

If there’s a neat trick or setup tip you think I’m missing, please let me know! Drop a reply to either the tweet for this post or the one I posted earlier and let me know what I can add!

Summer Games Done Quick 2017 Viewing Guide

My summer vacation has started, which usually means it’s almost time for Summer Games Done Quick. GDQ is a twice-annual speedrunning marathon, and each one lasts for a week. The summer one tends to be my favorite; the runs can be a bit more laid back and the charity is preferable to the one they use for the winter marathon.

You can find the channel for GDQ on Twitch any time you want to watch. The full event schedule is posted here, and there are some things you should know about it:

  • The schedule can and will change throughout the event, so if there is a game you are really interested in watching, you should check the schedule the same day of that game and also a bit before it’s supposed to come on the air. Runs are unpredictable, so there’s natural fluidity to the time slots.
  • For different types of games, there are different run categories. Pay attention to things like:
    • 100% or any%, the two most frequent run completion types – one involves collecting or doing everything a game has to offer; the other is just getting to the end of the game as fast as possible.
    • Restrictions like glitchless, 2 players 1 controller, co-op, and the like. This will give you more information regarding the general atmosphere of the run.
  • Runs have an estimated time to completion, which will give you the approximate time you’ll need to watch the run.

Keep in mind when watching these speedruns that many of them will involve the players going through the game in ways you haven’t in the past. If a run doesn’t call for glitchless or other restrictions, you’re likely to see things done to intentionally break the game and skip large amounts of the actual intended gameplay. This takes some getting used to and can look really weird the first time you watch a run for a favorite game.

That said, if you just relax and watch some people play games while using quite frankly amazing execution, muscle memory, and crazy amounts of practice, you can have a pretty good time. I suggest you find games you have played and liked on the schedule and try to watch those to get started.

If you aren’t sure, here are some runs I think are likely to be great this week:

  • Sunday
    • Luigi’s Mansion any%, no OOB (out-of-bounds). The restriction means the runner can’t break the constraints of the levels to get places the game didn’t intend, so this requires going through a decent amount of the game, and is estimated at around an hour.
    • Metroid Prime 100%. Some people really find these runs interesting because there is good execution necessary, but I frankly find them boring because large amounts of the run take place out-of-bounds. If you want to see a game get broken, watch this.
    • Castlevania: Symphony of the Night, any% glitchless. One of the all-time great games, played to full extent, in 36 minutes. Should be fantastic.
  • Monday
    • Super Monkey Ball Deluxe, Ultimate. Watch people wreck this game with what is essentially playing angles very carefully. Looks reckless, is actually super-controlled.
    • Mirror’s Edge, any% glitchless. A game that was designed with multiple paths in mind. Speedrunners have no doubt found all the super-fast ones, and the execution necessary for this should be impressive.
  • Tuesday
    • I Am Bread, any%. I say this because I tried playing this game and found it inscrutable and impossible, and this runner is going to beat it in 15 minutes and make me feel really old in the process.
    • Pokemon Puzzle League, 1P Stadium, Super Hard. Puzzle game execution at this high a level is always impressive.
    • FPS Block of games, starting with Half-Life. Every game here should show super-impressive play, even with glitches.
  • Wednesday
    • Ninja Gaiden 3, any%. Watch this and then remember how hard these games are and hate yourself immediately.
    • Marble Madness, any%. See above.
    • Castlevania: Rondo of Blood, Richter any%. The finest 2D Castlevania pre-Symphony, done in 25 minutes. It’s likely you aren’t familiar with this entry in the series (it was on Turbo CD), so you should give it a peek.
    • Mega Man X2, any% race. Four runners play side-by-side, trying to finish first in a live situation. X2 has a super-optimized run that is really impressive to watch and easy to grasp.
  • Thursday
    • Shadow of the Colossus, NTA. I personally don’t think this game is as awesome as a lot of people do, but the run should be impressive.
    • Portal, inbounds. Should be one of the more amazing-looking runs of the whole event.
    • Chrono Trigger, any%, no wrong warp. Puwexil is one of the best RPG runners to watch. His commentary during the run (and the “couch commentary” helping him along) will be great and will explain exactly what’s going on as he does the run. CT is also a great run.
    • Tetris: The Grand Master block. You should watch this because I won’t; once you have seen these runs once, you have seen them all, but this is Tetris at a level that’s more instinct than reaction. TGM is way harder than any Tetris you have played (they will play on arcade hardware).
    • The Legend of Zelda: A Link to the Past, all dungeons, swordless. I don’t even know how you would do this, so I’m going to be watching this one with fascination.
  • Friday
    • Super Mario Series Warpless Relay Race. Great games, done head-to-head, and with relay handoffs to boot.
    • Metroid Block. Always one of the highlights of any GDQ. Usually tight races, high execution, sequence breaking in a lot of cases.
  • Saturday
    • Dark Souls 3, All Bosses. Watch someone rip through this game with way less health than you would ever try to play with and weird items you didn’t think about using.
    • Super Mario 64, 120 star. Every star. Every level. A game that requires crazy-cool execution and looks rad when people pull it off.
    • Earthbound any%, glitchless. An RPG to send the marathon into the sunset, and a run that even today is still being rerouted and changing to be more efficient.

There’s plenty more I could have put in here, but these are the things I’d suggest to anyone who asked me about GDQ and what they should peek in on.

I hope you watch and have some fun doing so. Please consider donating to the event!