By far the most common request in the WordCamp.org tools survey results was for the ability to write custom PHP and JavaScript. This is definitely understandable, because being limited to only modifying CSS does significantly restrict what you can do with your site.
Why not allow custom PHP and JavaScript?
The reason this restriction exists is that there would be very serious security and maintenance implications if we were to open things up.
Security is very hard, even for experienced developers. Everybody makes a mistake at least occasionally, and many developers don't realize how often they do.
There's no doubt that allowing unreviewed PHP or JavaScript would introduce critical vulnerabilities, not just to WordCamp.org, but to the rest of the WordPress.org infrastructure as well, and even to regular WordPress sites interacting with the infrastructure.
WordCamp.org is connected to the rest of WordPress.org in several key ways, and the right kind of vulnerability (or combination of vulnerabilities) could allow an attacker to do some pretty scary things, like silently stealing password hashes or authorization cookies. If they targeted someone with commit access to Core, WordPress.org, or a popular plugin, then the results would be severe.
Of course, we have access controls, monitoring, and other systems in place to minimize the chance of an attack and mitigate its effectiveness, but the essential threat is there and can't be downplayed.
Why not just review custom code before it's committed?
We just don't have the resources to review that much code. There are only two developers who handle the vast majority of the work on WordCamp.org, and both of us also have responsibilities on other projects. So, we have roughly the equivalent of one full-time developer. There were 80 WordCamps in 2014, and that number grows every year.
Conducting a thorough security audit and code review takes a significant amount of time, and simply isn't possible with the resources we have.
Imagine giving hundreds of developers access to one of your high-profile sites, or committing to review hundreds of themes and plugins every year while still trying to build new features and iterate on existing ones.
Other potential solutions
- Assemble a team of volunteers to review code: Because of the security concerns, any volunteers would need to be very experienced and a trusted member of the community, and because of the volume of sites, we would need to have a lot of them. I don't think we'd be able to keep up with the demand, and we'd also be taking those people away from contributing to other projects. It'd be much more efficient and make a bigger impact if those people collaborated on projects that could be shared between all camps instead.
- Let everyone host their own site: This is how things were in the early days, but we moved to a centralized platform because it was common for domain names to expire, or for the current year's team to be unable to post an announcement to the previous year's site, or for sites to be unmaintained and get hacked, etc. It would also mean that organizers would have to spend extra time setting up hosting, and, because of security concerns, anything that requires connecting to WordCamp Central or the WordPress.org infrastructure would become much more complicated (e.g., centralized payment requests and ticket revenue collection, single sign-on, integration with Profiles.WordPress.org, etc.).
- Create each site inside an isolated virtual container: That would require a lot of work from the Systems team, who are also very limited on resources, and it would have the same downsides as above, where anything that connects to Central or WordPress.org would become much more complicated.
- Only let experienced developers write custom code: The security concerns would force us to set the bar very high, and evaluating a developer's qualifications is itself a time-consuming process, so this would only impact a small number of camps. It could also make it appear like certain camps were getting special treatment, and lead to hurt feelings when someone who feels like they're experienced enough isn't accepted.
What makes the most impact?
WordCamp sites are tools that help organizers communicate with attendees. It's great to have a design the community can take pride in, and working on the site can definitely be a community-building experience, but volunteer hours are limited. It's best to focus on things that will inspire and connect attendees at the event, rather than making the website perfect.
At the end of the day, attendees will be helped the most by the sessions, workshops, networking, and contributing that goes on at the event.
The goal of WordCamp.org is to give organizing teams something that works out of the box and facilitates all of the basic conference services that most WordCamps need, so that you can spend your limited time on the event, rather than the website for the event.
Solutions that benefit everyone
Allowing organizers to write custom PHP/JavaScript isn't the real goal; it's just a means to an end, and I think there are better ways to get there.
For the most part, all of our camps have very similar needs, so rather than each one re-inventing the wheel on their own, it's much more efficient if we collaborate on solutions that work for everybody.
The survey results helped us identify the worst pain points with the current tools, and we're planning solutions to improve the CSS editing experience, to give more theme/template options to choose from, and to be able to easily clone another camp's site instead of having to start from scratch. The feedback on all of those was that they'd have a huge impact on everyone's ability to create the sites they want.
I think that focusing our time and energy there is going to be much better for everyone in the long term. If you'd like to help move those projects forward, please check out the survey recap for next steps.
And if there's a project that would benefit everybody, but it's not on that list, you can always work with the Community Team to build a consensus for it, and organize a group of developers from local communities to contribute it. You don't have to be a developer yourself; many projects need people to organize everything, create designs, write documentation, perform user testing, etc.
#improving-wordcamp-org, #maintenance, #official-websites, #security, #wordcamp-org