Lines of ‘open source’ code have long knocked on the closed doors of state institutions. Shady vendors of closed source software have fueled myths about open solutions, including web development tools. One of these tools is WordPress, and we will show that such open applications are a great solution for developing national web portals and communicating interactive information.
At the end of 2012, a state institution announced a tender for the production of a new web portal. Their existing (domestic) solution proved to be technologically obsolete, editorially complicated and closed to meaningful upgrades: the well-known #VendorLockIn situation, classically found at important state addresses. A team of our designers and programmers was invited to a consultation where we had to analyze the situation and propose a modern solution tailored to the new needs.
In the first meeting, IT forces were compared, with nods of recognition for 2FA, CMS, DMS, SSL, GIT and other techno-abbreviations. The fuse was lit by far more vital questions – “Who will approve the content when we are on annual leave?” / “In which room will the server be located (!)?” / “We want to control the size of the logo”… and so we agreed with their marketing department on how the online content would be published and edited. But the bomb only went off when we suggested to their IT that we work on open source technologies and that WordPress is the best platform for a new government project. At that moment, the nods turned into anxious glances, accompanied by a barrage of subjective questions stemming from the myths of the open source world.
Putting the client into the world of open source technologies
Honestly, we could not manage such a heated situation, with its obvious unpreparedness for that kind of conversation. Our problem was that we took modern online publishing for granted, without seeing the need to bring the client into the whole world of open technologies.
Hold on a little longer through this introduction, as experience with other proprietary CMS tools was crucial… We started programming in 2007 as a team primarily developing custom digital solutions on the then-closed Microsoft ASP.NET technology. After that, we worked with DotNetNuke and Umbraco before starting to experiment with the LAMP (Linux, Apache, MySQL, PHP) stack and its offspring such as Joomla, Typo3 and finally, in 2010, WordPress.
WordPress – flexible enough, open and high quality
The motive for switching to WordPress was simple but very significant. We no longer wanted to recreate the same functions with every project: user role definition, authentication, authorization, content architecture creation, and management of all (mostly eCommerce) content. WordPress performs all of the above to the highest quality, and we were aware that the alternative popular CMS tools are really lagging behind technologically (in addition to the cost of restrictive licenses). This path from our own or someone else’s closed CMS to open source solutions was evolutionary – WordPress was the only one flexible, open and high quality enough to realize everything the client wanted, and to let designers and developers build a modern web solution – whether a complex eCommerce platform (such as WooCommerce), a media portal, or a BaaS (Backend-as-a-Service) REST API layer for a mobile application.
Most importantly, a large group of enthusiasts began to gather around WordPress, reaching epic proportions with a 50% share of the CMS cake. Excellent documentation, countless upgrades (plugins) and cordial community support are just some of the benefits of an open ecosystem, in one word even described as a “movement”.
What was the stumbling block?
At that time, the government unfortunately did not see all the benefits of an open source platform, and the entire tender was eventually awarded to another contractor with a proprietary solution. Looking back, the stumbling blocks were four ubiquitous topics:
1. Using open source within institutions in any way
2. Security concepts and myths about open applications
3. Development and possibilities of interactive content
4. Design of open source online applications
These topics are also the focus of the entire article. Through each of them, in the next two installments, we will explain the advantages of open source platforms and why open technologies are a better solution than more sophisticated enterprise-grade systems. Nevertheless, during 2016 the state shifted and accomplished three projects on the WordPress platform – Enu.Hr, Ncvvo.Hr and HBOR.Hr. These projects will serve as practical examples, and we will start with the basics of open source applications and how their development concepts go hand in hand with the desired development of state institutions.
Open source tools within institutions
“Software eats the world” shines from all conference PowerPoint presentations, and this statement is even more pronounced in the context of open technologies – open source software is what eats the world. A colorful team from Black Duck Software and North Bridge conducted their traditional annual study in April 2016, which included over 1,300 (senior-level) respondents. The results showed that 65% of IT organizations actively develop or support open source technologies. There has been a notable shift in the reasons for choosing open source solutions – in 2015, the primary reason for choosing open source was the adaptability and flexibility of the tools, but in 2016 the focus shifted to avoiding the previously mentioned Vendor-Lock-In situations. Regardless, 90% of respondents implement a variety of open source solutions and believe that open technologies improve efficiency, innovation, and, most importantly for this article, cooperation.
Open source projects have four basic features that enable such processes (and survey opinions). We will describe these characteristics later in the article, and I hope that you will recognize some of them as desirable behaviors of state institutions themselves. My goal is to show that open source has a necessary, logical place in a modern country, built on essentially the same development foundations:
- Consensus and democracy, not authority
Open source code is better quality when it is coordinated, not dictated. That way, the knowledge and quality of several developers is built into the application. Although such a process is more inconvenient than simpler direct management, in the long run it leads to “stronger code” on the market, with more experience and knowledge behind it. The acclaimed WordPress editor and the simplicity of content editing are a typical example of the built-in knowledge of the entire community of bloggers, developers and designers, colleagues who have broad and deep knowledge of all aspects of online publishing.
- Decentralization above centralization
Decentralization is the Sancho Panza of consensus. It enables the tactics and strategy of project development to remain layered, deep and based on the knowledge of a large number of developers. Decentralization also enables a multi-perspective view and attention to market details that go unnoticed from the hidden corners of dark centralization. Decentralization achieves stronger project dynamics and a faster response to market needs, whether from the design, programming or business side. In particular, WordPress is a system that has been on the market for 14 years – longer than Facebook, Twitter or Uber.
In the world of operating systems, Linux, which is twice as old, has been dancing in the open source market for 28 years while listening to other competitors. Decentralized and harmonized “code” is the backbone of the defense against security threats, a topic that we will discuss more in the second segment of this article.
- OpenSource builds the entire market, not one company
Along with decentralization, one of the main features of real open source projects is that they develop the whole market rather than just a single company. Linux, Apache and WordPress have democratized and strengthened online publishing in the broadest sense. WooCommerce does the same for eCommerce and web sales through digital channels. All these open tools enrich the whole market because WordPress can be used by small retailers with just a few products, but also by large government portals with millions of users. The latter, on the other hand, require a tailored approach and the help of an external community of experts. They are a small army, and that is what brings us to the last feature…
- WordPress, i.e. open source, is independent and portable
Open source loves to grow, evolve and transcend boundaries. The more open it is, the greater the chance that you will find a qualified programmer, implementer or consultant for your business needs. The other side of this medal, the so-called Vendor-Lock-In, is experienced by all entities that based their business on systems maintained by “irreplaceable” developers. The Croatian market and local ways of doing business have been fertile soil for such integrators, and that situation leads to program code that is difficult to maintain and in fact does not evolve.
Jumping out of your own box is, after all, the greatest feature of open source software. Continuous development of projects by a large community is a concept that the state should embrace. Android, Linux, WordPress and other similar platforms go hand in hand with government strategy, and if we use the right tools in the right way, ideas turn into useful projects from which the entire market benefits, especially the public, which craves quality online services. In the following sections of the article, we will touch upon the operational topics of implementing open source tools (WordPress) within traditional state institutions – with the goal of providing quality online services.
Security aspects of open source applications
WordPress is a popular platform. The latest data from the beginning of 2017 shows impressive figures for one software distribution:
- WordPress is implemented on 27.3% of all world websites
- Of the top 1,000 websites, WordPress drives 30.3%
- The share of websites that have at least some kind of CMS is 58.5% (for the purposes and context of the article, this is the most important figure because we are referring to the use of content management systems (CMS))
- WooCommerce (the eCommerce platform for WordPress) drives 42% of all web stores in the world (55% in Croatia)
But WordPress pays for its popularity in the form of inaccurate myths and misconceptions. As with Windows or Flash, it’s more cost-effective for attackers to write malicious “code” for popular platforms. This does not mean that these platforms are a priori insecure, simply that the volume of attacks on them is higher.
The measurable number of detected security threats for the WordPress platform is relatively small. MacOS, Windows, various Linux distributions, Adobe Flash and even the PDF format have far more reported security threats than WordPress, and these are tools used on a daily basis. For example, Debian has about 7,500 historical CVE (Common Vulnerabilities and Exposures) entries, while Joomla, Drupal and WordPress each have about 1,000. Of course, that number does not say much about the severity of the threats, but when it comes to the security of open source tools like WordPress, the “core” system itself is neither more nor less secure than the ordinary software you use for everyday work.
The trick is in the implementation and daily care, and the fast and efficient community is the main flywheel for preventing security vulnerabilities.
Hundreds of active, distributed developers have been polishing every aspect of the WordPress core for 13 years. The system itself is automatically upgraded when a security risk occurs, and the time required to apply the patch is at most one day (from the moment the problem is reported). The real potential security issues lie in two additional pillars: external modules (plugins) and external visual content templates (themes).
External open source modules
The biggest security threat for any open source project is the optional external software modules called plugins. They allow developers to install ready-made functionality – form builders, complex menus, forum management tools or entire eCommerce functionality. All this is realized with the help of additional plugins so that the WordPress “core” remains focused only on basic CMS functions.
A plugin can be made within the development team working on the project, in which case it does not pose an additional security risk. But the devil lies in the details. Namely, you can download a plugin from an unknown external author (for free, or for a fee if it is a premium plugin) and as a “bonus” you get an additional security problem, since the program code must undergo a security audit and a detailed functionality check. The challenge of verification is the huge number of ready-made plugins – there are currently about 48,488 free plugins in the WordPress repository and the same number of external authors. The quality of their program code and security settings varies quite a bit, so be careful which authors you work with.
There are two main rules when including 3rd party plugins. First, use premium paid plugins that have official support with clear SLA rules. Second, if you use free plugins from external authors without an SLA contract, always use only well-tested modules from well-known authors, such as Yoast SEO, Akismet, iThemes Security and Google XML Sitemaps. This is also our recommendation for the plugins you need to have on every WordPress installation. When additional functionality needs to be built into a project, develop it within your own development team, with the possible exception of multilingual systems. There, feel free to use the premium plugin WPML (WordPress MultiLanguage), which has proven to be a stable and robust solution in the WordPress ecosystem.
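As an added example (not code from the article or from any of the projects it names), here is a small inventory script that applies the allowlist rule above to a wp-content/plugins directory: it reads each plugin's header block the way WordPress does and flags anything not on the vetted list. The strings in VETTED_PLUGINS are assumptions to be checked against the installed copies, and the sample header is constructed.

```python
"""Inventory WordPress plugins and flag those outside an allowlist of vetted modules."""
import os
import re

# WordPress reads plugin metadata from "Field: value" lines in the comment block at the
# top of the plugin's main PHP file. These are the standard header field names.
HEADER_FIELDS = ("Plugin Name", "Version", "Author", "Author URI", "Plugin URI")

# Allowlist keyed on the "Plugin Name" header. These are the well-tested plugins the
# article names; the exact header strings are assumptions (verify against the installed
# copies) and the list should follow your own vetting policy.
VETTED_PLUGINS = {"Yoast SEO", "Akismet Anti-Spam", "iThemes Security", "Google XML Sitemaps"}


def parse_plugin_header(php_source: str) -> dict:
    """Extract header fields from the leading comment of a plugin file."""
    head = php_source[:8192]  # like WordPress, only the first 8 KB is examined
    header = {}
    for field in HEADER_FIELDS:
        # "Field: value" at a line start, tolerating " * " / "#" comment decoration
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        if m:
            header[field] = m.group(1).strip()
    return header


def classify(header: dict) -> str:
    """'vetted' if on the allowlist, 'unvetted' otherwise, 'no-header' if not a plugin."""
    name = header.get("Plugin Name")
    if not name:
        return "no-header"
    return "vetted" if name in VETTED_PLUGINS else "unvetted"


def audit_plugins(plugins_dir: str) -> dict:
    """Map each plugin directory under wp-content/plugins to its classification."""
    results = {}
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if not os.path.isdir(path):
            continue
        header = {}
        for fn in sorted(os.listdir(path)):  # first .php file carrying a header wins
            if fn.endswith(".php"):
                with open(os.path.join(path, fn), encoding="utf-8", errors="replace") as f:
                    header = parse_plugin_header(f.read())
                if "Plugin Name" in header:
                    break
        results[entry] = classify(header)
    return results


# Constructed sample header, as it would appear at the top of a plugin's main file.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Yoast SEO\nVersion: 4.0\nAuthor: Team Yoast\n*/\n"
```

Run `audit_plugins("/path/to/wp-content/plugins")` and review every entry reported as `unvetted` or `no-header` before it goes into production.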
Open source visual content templates
The appearance and interactivity of a WordPress project are defined using so-called “themes”. Just like with plugins, you have three options – you can create a theme within your own team, download it for free from the repository of ready-made themes, or buy it from a (quality, premium) external developer. The rules are the same as for plugins, but theme development is different – the whole design and interactivity are defined through it, so it is recommended that you start with internal development and not buy ready-made solutions.
All major government projects on WordPress – NCVVO, HBOR, ENU – have their own WordPress theme produced exclusively for their needs and designed on the basis of a design process, something we will talk about more in the second installment of this article.
Servers and scalability
A big part of the security settings also relates to the Linux operating system, FTP / GIT permissions, MySQL engine features, or the Apache / NGINX web server. These items are not directly related to WordPress, so we will just touch on them.
An important factor in “hosting” is scalability and service quality, with the eternal question – does WordPress support a large number of visits? In short, the answer is “yes”: WordPress supports a huge number of users, and the exact figures depend on the choice of hosting and the quality of the implementation.
TechCrunch, The New Yorker, Reuters, the BBC and NewsCorp Australia refute the rumor that WordPress cannot be scaled. Even sudden traffic growth is not a problem – XeroShoes started receiving millions of requests on their AWS infrastructure after appearing on Shark Tank in 2013, and WordPress and WooCommerce implemented on top of EC2 successfully fulfilled all the orders received. You can study this interesting event in more detail on WordPress TV and in the WooConf 2016 report.
All of these websites successfully serve millions of users daily, while NewsCorp Australia, for example, has 7 million published articles in its WordPress (MariaDB) database. Articles, publications and the amount of content are also related to the issue of scalability, especially in government applications, and it is precisely the architecture of content that is the topic of the next article: What the design and development of ‘open source’ online applications looks like.