This article will explore why backing up your Microsoft 365 data is not just a good practice but an essential one for ensuring business continuity and protecting against data loss.

The Myth of Built-In Backup

One of the most common misconceptions about Microsoft 365 is that because it’s a cloud service, data is automatically backed up and fully protected by Microsoft. While Microsoft does provide robust infrastructure and redundancy measures, these are primarily designed to ensure service availability and prevent data loss on their end—think hardware failures, natural disasters, and other large-scale events.

However, when it comes to specific instances like accidental deletion, malicious attacks, or compliance requirements, the responsibility to recover lost data often falls on the organization itself. Microsoft operates on a shared responsibility model, meaning that while they manage the infrastructure, the onus of data protection at the application level—emails, files, and other user-generated content—rests with you, the business owner.

Common Causes of Data Loss in Microsoft 365

Data loss can happen in many ways, and relying solely on the built-in recovery features of Microsoft 365 can leave you vulnerable. Here are some of the most common causes of data loss:

Accidental Deletion

It’s surprisingly easy for users to accidentally delete emails, files, or even entire folders. While Microsoft 365 does offer a recycle bin or similar feature for restoring deleted items, these are often only temporary solutions with retention limits. If a user deletes a file and doesn’t realize it within the retention period, that data could be lost permanently.

Malicious Insiders

While we like to think of our colleagues as trustworthy, insider threats remain a real concern. A disgruntled employee might delete critical files or emails, and by the time the issue is discovered, it may be too late to recover the data through traditional means.

External Cyber Threats

Phishing, ransomware, and other cyber threats are on the rise, and even with strong security measures in place, no system is entirely immune. In the event of a successful attack, data can be corrupted, encrypted, or deleted altogether. Having a backup ensures that you can restore your data to a point before the attack occurred, minimizing downtime and loss.

Legal and Compliance Requirements

Certain industries are subject to strict data retention and protection regulations. Failure to comply can result in hefty fines and legal consequences. Relying on the default settings of Microsoft 365 might not meet the specific retention needs for your industry, and without a proper backup solution, you could find yourself in violation of these regulations.

Retention Policy Gaps

Microsoft 365 offers configurable retention policies, but they can be complex to manage and may not cover all your needs. There might be gaps in what’s retained and for how long, leaving some data vulnerable to permanent deletion.

The Benefits of a Dedicated Microsoft 365 Backup Solution

Investing in a dedicated backup solution for your Microsoft 365 environment offers several key benefits that go beyond what the default settings can provide.

Comprehensive Protection

A third-party backup solution can provide more granular and comprehensive coverage across all Microsoft 365 applications, including Exchange, SharePoint, OneDrive, and Teams. This means you can protect everything from individual emails to entire Teams channels, ensuring that no critical data is left unprotected.

Extended Retention Policies

With a dedicated backup solution, you can customize your retention policies to meet your specific business needs, ensuring that data is kept for as long as required by your industry regulations or internal policies. This gives you greater control and peace of mind knowing that your data is safe, no matter how long it needs to be retained.

Quick and Easy Recovery

In the event of data loss, time is of the essence. A dedicated backup solution allows for quick and easy recovery, minimizing downtime and ensuring that your business can continue to operate with minimal disruption. Whether you need to recover a single file or an entire mailbox, the process is straightforward and efficient.

Protection Against Human Error

Accidents happen, but with a dedicated backup solution, you can easily recover from them. Whether a file is accidentally deleted or an entire folder is misplaced, having a backup means that you can restore the data quickly, without the need for complicated procedures or extended downtime.

Defence Against Cyber Threats

In the event of a ransomware attack or other cyber threat, a backup solution provides a reliable way to restore your data to its pre-attack state. This ensures that you can recover quickly and avoid paying ransoms or dealing with the extended consequences of data loss.

Meeting Compliance Requirements

For businesses in regulated industries, a dedicated backup solution can help ensure compliance with data retention and protection regulations. This not only protects your business from legal repercussions but also builds trust with your clients and stakeholders, who can be assured that their data is being handled with the utmost care.

Choosing the Right Backup Solution for Microsoft 365

When selecting a backup solution for your Microsoft 365 environment, there are several factors to consider:

Ease of Use

The backup solution should be user-friendly, with a straightforward interface that allows for easy management and recovery of data. It should integrate seamlessly with Microsoft 365, providing a consistent and reliable backup experience.

Scalability

As your business grows, so too will your data needs. The backup solution you choose should be scalable, capable of handling an increasing volume of data without compromising performance or reliability.

Security

The backup solution should offer robust security features, including encryption, access controls, and regular security updates, to protect your data from unauthorized access and other threats.

Data Residency

Ensuring data residency for Microsoft 365 backups in Australia guarantees that all backup data is stored within Australian borders, complying with local data residency and privacy regulations. This provides businesses with peace of mind, knowing that their data is protected in Australia.

Support and Reliability

Partnering with the right people who understand Microsoft 365 and the critical importance of backup can significantly enhance your business’s resilience and data security. An expert partner provides tailored backup solutions that align with your specific needs, ensuring that vital data is always protected and recoverable. With the right solution in place, you can focus on your business, knowing that your data is safeguarded by professionals who prioritize reliability, compliance, and seamless integration.

Conclusion

Backing up your Microsoft 365 data is not just a good practice; it’s an essential component of your overall data protection strategy. With the increasing reliance on cloud services and the growing threats to data security, a dedicated backup solution is the best way to ensure that your critical business data is protected, recoverable, and compliant with industry regulations.

Don’t leave your data’s safety to chance. Invest in a comprehensive backup solution for Microsoft 365 and safeguard your business against the unexpected.

Need Assistance?

Need to know more and find the right solution for you, reach out to one of our Conetix Web Hosting wizards and they can assist.

References:

Gartner’s Market Guide for Backup as a Service: Gartner

Microsoft Service Trust Portal: Microsoft Shared Responsibility Model

Veeam Data Protection Report 2024: Veeam

Cybersecurity Ventures: Global Ransomware Damage Costs Predicted To Reach $265 Billion By 2031

General Data Protection Regulation (GDPR): GDPR.eu and HIPAA Guide: HIPAA Data Retention Requirements

Probax MSP Backup for Microsoft 365: Probax.io

But, what is it really, what does it mean and is it really going to run the world? As much as I don’t want this to sound like a clickbait headline, the answer may shock you!

First, we need to start with the basics.

What is AI?

Artificial Intelligence is essentially defined as:

a simulation of basic human intelligence whereby the system can make decisions based on the information and then learn from decisions. 

Still doesn’t make sense right? 

Think back to something like the basics of riding a bike. From a human perspective, we start with training wheels until we work out balance. As our confidence builds, in a few months to a year we can ride without them.

If we had to write a software program to do the same thing, there’s an enormous amount of scenarios we need to write. We need to measure the basics such as speed to get inertia, if we drop below a certain speed we require more inputs to correct. If we ride on an uneven surface, that’s different to a bitumen one. If we ride on a slightly sloped surface, we need to compensate for it and adjust. Now put into context being on a road with others, we now need to be able to understand how cars move, what side of the road to be on and what happens at intersections and what to do if a car turns in front of us. Being Australian, we also have the added risk and complexity of being swooped by magpies (an Australian native bird which can be very territorial around nesting time).

As a programmer, if I have to write every scenario into a program on how to ride a bike this could be years and years of work, and the program would still only understand the exact scenarios I put in.

This is where AI fits in. Instead of writing every scenario line by line, we feed in the inputs (speed, ground surface, angle of the road, cars, magpies etc) and we allow the AI to build what’s called a “model” to understand how to deal with these scenarios. With a limited amount of information, the initial results won’t be perfect.

However, the AI advantage is that we can (quite efficiently) keep training this model based on more input data to generate better outcomes. It may take a toddler a year of training in the afternoon to outgrow the requirement for training wheels. As humans, we then need a few years of understanding traffic and cars before it’s safe for us to ride on the roads. AI? With the right data this could be a few hours of training to build the model. We can then put it in simulated environments to build more data and keep perfecting the model.

The key bit here is that a programmer didn’t have to write thousands of extra lines of code to keep improving the system.

Yeah OK, now I’m scared AI is taking over?!!

There’s no need to panic… yet. With the above scenario of riding a bike, what we’ve described is narrow AI. This is a system which can do a specific task and can learn to do that very well. And, this is a great thing. The more of the simple tasks which can be automated, the better. Especially in the early days of AI, this is a perfect fit for mundane tasks. For example, do you have to write a letter or email to staff in regards to cleaning the fridge out? This is a nice, simple one for AI.

One of the systems gaining the most hype recently (and for good reason) is ChatGPT. Produced by the OpenAI team, ChatGPT is a ​​generative pre-trained transformer AI system, which essentially means it can converse like a human where you can ask questions and even give feedback so it can adjust the answer.

For example, all I have to do ask for:

“Write an email to all staff, asking them to clean their items out of the fridge or it goes in the bin next Friday”

Using ChatGPT, this gives me:

Subject: Request for Fridge Cleanout

Dear All,

I hope this email finds you well. I am writing to request your immediate attention to the contents of the fridge. Over the past few weeks, the fridge has become cluttered with items that are past their expiration date or no longer needed.

In order to maintain a clean and organized workspace, I am asking that all staff remove any personal items from the fridge by next Friday, February 11th. Any items left in the fridge after this date will be discarded.

Please take a moment to check the contents of the fridge and make sure that you have removed all of your belongings. If you have any questions or concerns, please do not hesitate to reach out to me.

Thank you for your cooperation and understanding.

Best regards,

[Your Name]

You can see that with limited input, the ChatGPT system is able to expand this out into a verbose letter and even added the date (as at the time of writing this article).

What’s even better is that we’re able to tune and adjust quickly. What if this is the 5th time staff have been told? Lets ask ChatGPT to “make the letter angry”:

Subject: Urgent Request for Fridge Cleanout

Dear All,

I am writing to you with great frustration and disappointment. The contents of the fridge have become completely unacceptable and it is clear that some staff members are not taking responsibility for their own items.

I am completely fed up with the cluttered and unsanitary state of the fridge. As a result, I am giving everyone a final warning to remove their belongings by next Friday, February 11th. Any items left in the fridge after this date will be promptly thrown in the trash without exception.

This is not a request. It is an ultimatum. I expect all staff to act like professionals and take responsibility for their own belongings. If you are unable to do so, then I suggest you reconsider your place in this company.

I am beyond disappointed in the behavior of some staff members and the lack of consideration for the common area. This is a workplace, not a storage unit. I expect all staff to maintain a clean and organized environment.

Please take this email seriously and take immediate action to clean out your items from the fridge.

Best regards,

[Your Name]

You can see that we can near instantly change the tone by giving simple feedback to ChatGPT to produce the result we want. There area already tools which can analyse your existing emails and writing to mimic your personal writing style to further personalise the output too.

Is my job at risk of being replaced by AI?

This quick answer is, “it depends”.

Anything AI driven currently requires the inputs and outputs of the role to be reasonably well defined and/or ideally a repeatable process.

As shown in our letter above, it’s quite possible that positions such as Executive Assistants (EA’s) will certainly be augmented by AI but could quite genuinely be replaced within the next decade. 

Already, we have AI driven phone assistants whereby it’s able to wait on hold and then negotiate booking appointments such as a restaurant by cross-referencing a calendar to find a suitable time.

However, it’s not just EA’s. Again, thinking back to a repeatable process with defined inputs and outputs… one possible role which could be replaced is a Systems Administrator (sysadmin). I know that’ll have many in IT shocked, but let’s look at the basic flow at times:

1. An error occurs, generally a complex one which doesn’t make a lot of sense
2. Sysadmins scour Google and sites like Stack Overflow to find an exact match for the error
3. If an exact match doesn’t occur, ones similar are searched and a fix (hopefully) located.
4. A fix is then applied, then the system monitored for adverse events and to confirm if it worked.

This is of course one of many tasks sysadmins perform, but it shows how the input (the error) is defined and the output (the fix) is also able to be measured so there’s the ability to either semi-automate or replace sysadmin’s performing the role.

Other roles where this can be neatly defined include things like bookkeepers, accountants, lawyers, market research / data analysts and more.

And, this is all still narrow AI.

The shift to general AI will change all of this and quite dramatically. Essentially, at a general AI level there’s no difference between what AI can do compared to an adult human. This means being able to give it unfamiliar tasks and instructions yet still being capable of completing the job. Once we hit this point, every job can be potentially be replaced by AI.

Alright, if I’m not immediately being replaced… How can I use AI?

Excellent question and an excellent approach. We shouldn’t fear AI. Change is going to occur so it’s best we embrace it instead of avoiding it. 

Coding

Right now, the current hotness in AI is clearly ChatGPT. And with good reason. It’s a helpful tool which is simple to use yet very effective. Our letter is only one very small part of what it can do. ChatGPT can also code! For example, I asked ChatGPT to write a small function to extract the domain name from a URL. Here’s what I asked:

“Write a Groovy script to generate a filename safe, base 64 encoded URL”

Not only did it write the code, but it explained how it worked. As a programmer, even if this wasn’t 100% correct it’s a very good start! Being able to get 90% of the answer within 10 seconds and having a system explain it is an awesome start.

Image Generation

Want some images? This is where Midjourney comes in! In fact, other than the screenshots all images in this article have been generated by Midjourney. Put simply, it’s a text to image generation system. You describe the image or scene you’re trying to create, and it will start generating images which it thinks are a fit.

For example, here’s a prompt which was to create the cover image:

describe how artificial intelligence works, infographics, blueprint, detailed, line art, computing, graphics 

From this prompt, we received 4 images which Midjourney had created:

I could keep iterating through and generating variances of images and if I find one close, I can get the system to vary it or simply just generate a higher quality version. The good thing here is, for relatively low cost you can provide plenty of creative input to generate unique and hopefully very on-topic artwork and images.

Web Development

For web development, there’s already some very neat demos with the latest GPT-4 was turning a very rough sketch into a full website.

A few years ago it’d be inconceivable to think this sort of system would be available. Now in 2023, it’s instead going to be a reality. Even if the result isn’t perfect, we’ll be able to prototype and code the basics of some ideas to get rapid feedback. 

Imagine being able to quickly draw a website while sitting with a client, then present a working prototype to them minutes later? Even better, imagine if the code is of sufficient quality that you can actually build upon and implement it within hours instead of days? This is where AI will be heading in the world of web development.

… And more

Quite simply, the rate of new tools and concepts being released is hard to comprehend. There’s up to 1,000 new AI based tools and programs per week being released. Everything which was too niche and too specialised will have a number of tools developed and released within the next 12 months. Here’s just a very, very small snippet of a few tools which may be of interest:

• Jounce – AI copywriting and artwork for marketers
• 10web – AI powered WordPress
• HyperWrite – Personalised AI writing assistant
• Synthesia – AI video generation
• Superus – AI powered, automated mind mapping
• Seomatic – AI driven SEO
• Magical – AI powered meeting management
• Lavender – AI powered sales coach
• Channel – AI powered business analysis

Again, this is just a small fraction of the tools available which may help your business and assist with web development. By the time you read this article, there’s going to be thousands more .

Can AI be a villain too?

Any tool which can be used for good unfortunately also has some bad to it. There are a number of problems AI poses. It doesn’t mean we necessarily need to be afraid of it, but simply aware so we can plan around and look out for.

Firstly, in the context of narrow AI we have the issue of bias. AI doesn’t know ethics, if it’s fed millions of pages from books then it doesn’t necessarily understand views on things like racism have changed massively in the last 50 years. Some of the issues can also come from marginalised groups, whereby the content might only be very small and therefore not equally represented. It means these AI systems have to work around the issues and has certainly been one of the early issues.

Secondly, if you can get an AI system to write code for normal programs, then it can also write code for malicious programs. With ransomware being such a lucrative, criminal income then some of these tools (despite systems trying to block it) will be used to produce new and malicious code.

Move forward to general AI and we have a huge risk factor. A system making very complex and intelligent decisions. Anything we can train the system to do good, someone will have the capability to do the opposite.

The trouble here is, there’s nothing we can do to stop this. It’s like building stronger cars and expecting them not to be used in ram raids or as getaway cars. There’s simply always going to be an element of human society which will misuse and exploit for personal gain. 

Instead of fearing it however, we simply need to plan for it. We already (mostly!) secure our passwords and ensure systems remain locked down. There’s already scripts and hackers constantly scouring the internet to find systems to exploit, all that changes is how clever these systems could be. What may have been an optional lockdown will become a mandatory one to keep your system protected.

What’s next with AI?

As only the last two iterations of ChatGPT have shown, things are improving at an exponential rate. We haven’t seen a rise in technology change occur this quickly ever (even back to when computers were first invented), so there’s going to be lots of excitement and some definite bumps in the road.

My prediction is that things will change from “I wonder what AI could do here” to “how did we ever do without it”. Especially where AI can take away the ultra repetitive tasks, we’re going to see things advance and evolve rapidly and it definitely will disrupt a number of areas across different industries.

Even in the short term (within the next 12 months), if you’re not using ChatGPT or a similar system then you’re already falling behind. More and more programs are going to be integrating GPT style systems into their existing systems to give them an edge over the competition.

The important bit here isn’t to fear this change, but embrace and adapt. Government regulation will be very slow to adapt (as usual) and there’s going to be ethical questions about where AI should or shouldn’t be used but doing nothing simply isn’t viable. For example, can you trust an AI doctor over a human one?  

Unlike fictional things like Skynet however, we’ll remain in control so it’s all about the best use of the technology. As an avid technology enthusiast, I’m super excited to see how our AI future pans out!

Anchoring or focalism is a cognitive bias where an individual depends too heavily on an initial piece of information offered to make subsequent judgments during decision making. Once the value of this anchor is set, all future negotiations, arguments, estimates, etc. are discussed in relation to the anchor.

Source: https://en.wikipedia.org/wiki/Anchoring_(cognitive_bias)

The important part to remember here is that subconsciously your brain can and will fixate on the first piece of information it finds. When it comes to fault finding, this can be the first error we see or the first reported information provided. This information (and therefore bias) can then cloud our judgement when it comes to further diagnostics of a fault, as we gravitate back to that singular piece of information instead of considering the bigger picture.

An IT person’s job is normally 90% fault finding, 10% doing. As the saying goes: “I’m not a geek, I’m just better at Googling than you”. What’s more, the saying is right. Nobody wants to spend 3 hours diagnosing the cause of a fault if they can simply jump straight to the fix.

Programmers are no different here too, the moment there’s a fault or error message it’s straight to Google to try and find someone else who’s had the same issue so that they can copy and paste the code to fix.

While finding the right result in Google can and does lead to a quick fix in many cases, it can also lead to a fallacy in your decision making process. In many cases, the focus is then on finding the right result for the error message, not why the error message existed in the first place.

A real world example

This is where Anchoring bias will rear its ugly head. If we see an error message about backups failing because it couldn’t run a certain command, we’re straight onto Google to find someone else who’s experienced that error message. IT faults can usually be broken down into three parts:

To start with, we normally only have the result and the output. For example:

In this scenario (which was a real world one), it’s very easy to race to the conclusion that the filesystem has the wrong permissions and start to google for “Vendor X error file permissions” or to even start instantly running commands to widen permissions.

Scenarios like this are what have led to so many S3 bucket leaks, where the wrong fix is applied to a backup failure fault and while it may fix the problem it’s created a far worse one behind the scenes.

Because the focus was all on what the error said, we lost sight of the actual fault itself. In this real world scenario, here was the resultant fault:

The true fault ended up being that the backup system had run out of disk space. The particular vendor (seemingly) had no check in place to determine if it should try to create a new backup file and therefore failed during that particular area of the code.

But why the wrong error message? It’s normally because we see error messages where a try / catch or other similar error handling is too broad. For example, here’s some pseudo code for the above example:

try {
   create_backup_file();
   set_backup_permissions();
   start_backup();
}
catch (err) {
   panic("Failed to start the backup. Tried to set the backup permissions but couldn't do so");
}

Because there’s multiple potential points of failure handled by a singular error message, it means the error itself may not be enough to effectively fault find.

Those who remember Windows 95 and had filled their hard drive may have been greeted with this error:

This one is obvious of course, but a simple example of how the wrong conclusion to a fault has led to a scenario which doesn’t make sense.

It gets worse

Even worse, when there’s no corresponding error message or log output for the fault at all, we can sometimes attribute the fault to one of the other (unrelated) error messages. This scenario still involves Anchoring bias as we’ve fixated on the first message seen and means we drift even further off track trying to find the fault. Time is now spent chasing errors which aren’t even related to the original fault, leading to the possibility of applying fixes which will make things worse instead of better. These “fixes” can then induce further faults, leading to a huge mess or catastrophic failure instead of a minor one.

Biases can also be combined subconsciously with other cognitive faults as well. As it was distinctly put by Erik Dietrich, you can also have Expert Beginners:

The difficulty is that as you learn, you can fall into the false trap that you understand a system well enough that your learning plateaus. This is normally due to only having a narrow view or understanding of a system, whereby you’ve only dealt with a small component of a large system and therefore reach the logical fallacy that you’ve learnt everything there is to know.

This narrowed view combined with anchoring bias leads will often strip you of the ability to consider wider views of the systems and the complexities involved.

How do we get around it?

There’s a few quick steps we can take:

Acknowledge the existence of bias: Like any bias, the first step is to acknowledge the existence. Once you know to be wary of this bias, it means you can compensate for it. There’s more than a dozen different biases which can affect your fault finding and decision making processes too, so it’s worth understanding how and where they may affect your thinking.

Write the fault out on paper: In the same way that Rubber duck debugging can help you because it forces you to put all the pieces together, writing it out on paper can also achieve the same thing. I also find drawing a timeline or flow diagram also helps, again because your brain will skip parts unless you force it to explicitly detail each stage.

Treat error messages with scepticism. Unless you can see the code itself to confirm, expect that they may not cover every fault scenario fully and may be generic messages. Think about the error message in context, does it fit the fault scenario? Did it occur timing wise when you’d expect it to trigger? Could it be triggered by a different scenario?

Look for the cause, not the symptom: This is the most effective method. Many of these examples can be traced back to the fault if you look for the cause. This isn’t to say we ignore the symptoms as such, but in a broad sense we use them as guidance not as gospel. 

In our storage scenario, we can use the fact that it can’t set file permissions as a guide that the fault is to do with the filesystem and not as narrow as just file permissions themselves.

Running through rudimentary system checks in these scenarios (ie, looking at space, system load, network errors etc) can potentially serve as a quick sanity check and identify root causes early. At the very least, they will give you some confirmation that there’s not a high level or systemic fault.

The HyperText Transfer Protocol (HTTP) and HyperText Transfer Protocol Secure (HTTPS) are the key protocols used to communicate between your web browser and the web server. For example, here’s a very basic example:

While this is a simplified view, when the web server returns the data it’ll also send back a status code so that the browser knows if it was successful (200) or not.

While the list below isn’t all of the status codes, these are the common ones you may experience as well as some easy to understand examples of when they occur and what you action you need to take (if any).

200 OK

Example

Any website which loads without error. This is the code you expect to see from your web server most of the time.

301 Moved Permanently

Example

If you’ve changed website platforms where the Uniform Resource Locator (URL) is now different, then adding 301 redirects tells the browser (or web crawler, eg Google) that the page, image or similar has moved permanently to a new location.

404 Not Found

Example

If you’ve deleted a page or renamed an image, it may generate a 404 if someone tries to access it. This is also common when you’ve built a new website and the URL structure has changed, so it’s important to analyse and redirect any broken links to the right location.

403 Forbidden

Example

403 means that the server received your request, but has denied access to it. This can be commonly seen if you’ve tried to login too many times with the wrong password or if you have blocks on specific pages or directories for your site.

500 Internal Server Error

Example

If you experience a 500 error, this generally means that there’s a bug or conflict in your website code. For example, if you’ve changed PHP versions and your website now throws 500 errors, it’s likely that the code isn’t compatible with the new version.

502 Bad Gateway

Example

This is generally a temporary error.

For example, if you change PHP versions for your site then you may experience 502 errors for a few seconds while the service is restarting. Make sure you refresh your browser and if the issue still persists after 30 seconds, contact your hosting provider.

503 Service Unavailable

Example

If you experience 503 errors, it can either mean that your site is hitting resource limits or that the webserver it’s hosted on doesn’t have enough capacity to respond (it may be overloaded).

When you see 503 errors, you can check your web server error logs for more details or contact your hosting provide for further assistance.

504 Gateway Timeout

Example

A 504 error generally means that the webserver talked to the process handling your website code (eg, PHP) but it took too long and didn’t return any information.

This can occur when you have a process which takes too long to run (eg it’s very resource intensive) or it relies on a third party system which may be down or slow to respond (eg image optimisation servers). You can check your web server error logs for further details or ask your hosting provider to see if they can provide further information.

522 / 524 Connection Timed Out

Example

This can be one you may see if your service is proxied through Cloudflare. It means that Cloudflare tried to talk to your server, but it never received a response in time. It may also appear as a 524 error, which virtually means the same thing.

If it’s a once off, it may that a service on your web server was restarting. This is expected behaviour for web servers and most will restart once a day to flush logs (generally early in the morning).

However, if it’s a continuous issue then it may be a script taking too long to process on your server or the server is overloaded. If you have your own Virtual Private Server, we recommend reviewing the Advanced Monitoring at the time you saw the 522 in order to determine if this is an issue or not.

Other Codes

With more than 50 specified codes, these are just the most common ones you may see when it comes to standard web hosting.

For a full list and basic description of each, we recommend also reading the Mozilla page on the status codes: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status

If there’s one we’ve missed that you see all the time, please feel free to let us know in the comments below!

Main Photo by Erik Mclean on Unsplash

While we performed some initial analysis when the attack first occurred, we’ve now taken the time to run though the data in detail to see if anything odd stands out. As this will be an analytical report, there will be lots of numbers. The first:

2.2 million requests in 15 minutes, which peaked at  4,500 requests per second.

This is a lot of traffic for a site which previously averaged around 20,000 requests a day and while it’s low in terms of global DDOS attacks, it was still a significant issue for the destination content management system (not WordPress).

How does the attack work?

Unfortunately, out of the box WordPress has one component which can be exploited for malicious use. By default, the pingback (which allows you to record who linked to your blog) doesn’t have any form of validation to ensure the “pingback” was from the requesting server. This means that a request can be made against a fully patched, clean server and the return request will go to your intended target.

The request from the attacker only needs to be a simple script or even a cURL based call, which is trivial to do.

Despite locking parts of it down, this option is still enabled by default and still an issue with version 4.6.1 (the latest as of this article). We highly recommend installing this plugin to disable the pingback: https://wordpress.org/support/plugin/disable-xml-rpc-pingback

This will still leave the remaining XML-RPC code functional, but prevent your site from being used in a pingback dos attack. Chances are, if you don’t know what a pingback is then you probably don’t need it.

For more information on how widespread the attacks are, Sucuri have two great blog articles about it:

• https://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

• https://blog.sucuri.net/2016/02/wordpress-sites-leveraged-in-ddos-campaigns.html

Attack Mitigation

To stop the effects of the attack, all we did was drop any user agent which was set to WordPress. The site itself wasn’t WordPress based, so there’s no reason to allow the pingback or any requests which originate from WordPress. This can be done with the following snippet in nginx:

if ($http_user_agent ~* "WordPress") {
    return 403;
}

As we hadn’t disabled logging for this code block, all requests were still logged and it gives us the opportunity to analyse the data further.

Ideally of course we’d tweak a rule within our Web Application Firewall (WAF) to detect and rate limit requests, however being time sensitive this was the fastest approach to bring the site back online.

The Data

To run through the data, we used our Elastic stack so that we could use a high speed index to manipulate. If you haven’t tried the Elasticsearch / Kibana combo for log analysis, I highly recommend looking at it sooner rather than later. It’s absolutely invaluable when it comes to analysing patterns and being able to perform further analysis.

Here’s a few key findings:

Unique Sites: 9,984

Unique IP’s: 10,268

The distributed nature of nearly 10,000 sites making the calls means it’s impossible to block via IP. This is why attackers favour a distributed attacks, as the blocks from both the originating ASN and the destination aren’t feasible to do manually.

Especially since the pingback is a layer 7 attack, this means any DDOS scrubbing service needs to be intelligent to block proactively.

WordPress Versions

WordPress Versions in the Attack: 1,795

The number of WordPress versions seemed abnormally high, which upon investigation showed that many seemed to be obfuscating their version.

Here’s an example from the raw log:

GET / HTTP/1.0" 403 455 "-" "WordPress/2359; https://<realsiteremoved>; verifying pingback from xxxx.xxxx.xxxx.xxxx

I’m not aware of any plugins which obfuscate the version numbers like this, however over 1,400 sites had version numbers which didn’t match a standard WordPress pattern. I manually checked around a dozen sites to see if they were simply faking being WordPress based and all were legitimately running WordPress. If anyone knows the reason for this, please let me know in the comments below!

If we run a very rudimentary filter on the results by simply scanning for a period in the vesion (eg so that 4.6 etc match), this reduced the number to a more sensible figure:

Filtered WordPress Versions in the Attack: 137

Even this is fairly high, considering how easy WordPress makes it to update your software I was hoping to see less of a spread.

If we look closer at the remaining versions, there’s some scary stats. The oldest version is 2.8.1, which was released back in 2009! Thankfully this was only one hit and one manually verified out of disbelief (it really was that old).

Disturbingly though, there were still a significant number of sites older than 3.0:

If we look at the top versions used (grouped by unique sites), we see a spread like this:

As a percentage overall, sites running 4.5.3 were 26% of overall sites and only 11% of sites were running the latest 4.6 release (the latest when the data was gathered).

The official WordPress stats (https://wordpress.org/about/stats/) show more sites which have updated (thankfully), but it’d be nice to see a much lower spread in the future.

Country Analysis

Being an Australian based hosting company, we were interested in seeing where the pingbacks originated from and performed a geo-ip lookup of the requesting server’s IP address.

Countries in the Attack: 109

We then analysed how many requests came from each country and graphed the top 15 by request:

Just to see if certain sites were being used more than others, we also plotted the country data against unique sites:

The spread remains roughly the same. Given that a significant amount of cloud services and hosting companies are based in the USA, this figure doesn’t seem out of place.

Origin IP Analysis

One enhancement WordPress added to the pingbacks in 3.7, which at least tracked the originating IP of the request. While this doesn’t solve the problem, it at least allows you to trace where the calls are coming from. Unless the attacker is very, very naive however, this IP will simply trace back to another infected machine or site. Generally these requesting systems are part of a botnet to mask and distribute the requests. The only information it does give is how distributed the requests are:

Originating IP’s: 149

Again, this simply highlights why the verification doesn’t really assist in any meaningful way. We at least know that there were 149 bots / infected sites used in generating the calls, which had a spread like this:

I’ve masked the real IP’s, and most of the requests came from two systems. There were also a number of sites which were using private IP’s and still a significant number of requests which weren’t from the two main IP’s. To give a bit more perspective, if we plot against the originating IP’s country, we see the following:

This plot shows that the majority of the botnet / originating IP’s came from Russia. I’m not sure if other attack analyses have found any correlation between where the botnets are located and where the attack originated from, but there’s no way to tell from the data we have. It could be that the random IP selection of the bot has some predisposition to certain IP ranges, which I have seen before in other attacks. Either way, it does highlight how much of a global problem DDOS attacks are and the difficulties surrounding the ability to close associated botnets down.

Conclusion

The pingback tool within WordPress still remains an exploitable system for any WordPress site which hasn’t explicitly stopped it. From a web host’s perspective, this is quite frustrating. With enhanced firewall rules in our system, we’re now logging around 2.5 million malicious pingback requests per month (inbound). In world hosting terms we’re only a small player too, no doubt the larger providers are seeing pingbacks in the hundreds of millions or more per month.

There’s two immediate changes WordPress could make to resolve the issue going forward. The first is to disable pingback by default. Those who require it would still be able to easily enable it. Chances are if you don’t know about it, then you probably don’t require it anyway. This would still leave those sites vulnerable to being used in attacks, so it’s only reducing the number of potential sites which can be used.

The second method is to consider the use of a third party system (such as Jetpack) to handle pingback requests as the default. It’s far easier for a centralised platform to be able to detect abnormal behaviour and implement basic rate limiting / blacklisting of bad requests. This is no different to their default installation of the Akismet plugin for spam handling, so it would be a sensible option for WordPress to adopt going forward.

With WordPress 4.7 just around the corner featuring a big upgrade to the REST API, we’re hoping that this is the catalyst to consider disabling XML-RPC by default. Those who still require it could still re-enable it, but it would at least reduce the amount of potential sites hackers can use for malicious use. At the end of the day we still absolutely love and recommend WordPress, especially since features such as the auto-updates are invaluable to patching security issues. If a few of the legacy issues like the pingback vulnerability are resolved then it’ll simply be even better.

You might be forgiven in thinking “where did Plesk 13 go”? This would have been the natural progression in naming from Plesk 12 and then again in Plesk 12.5 but instead the new version is Onyx. However, in line with the new Plesky thinking, traditional numbering of its versions has been changed in favour of a new naming convention after precious stones.

Onyx is used to defend against negativity that is directed at you. Black stones have protective energies in the sense that black is the absence of light, and therefore, can be used to create invisibility. For Plesk, that means that we are making web professionals more successful and handle your WebOps needs, nearly invisibly.  
Lukas Hertig @PleskDevBlog

Plesk Onyx release is packed with new features and improvements, and most of the focus has been around the Web Professional or Developer.  With this in mind a number of new integrations have been introduced which I will outline below; however, it is important to look at Plesk overall and the change in how Plesk have changed their development process.

With Onyx, we see a number of the features no longer being part of the core Plesk product rather an add on or in the Plesk world an extension.  Features such as the WordPress Toolkit (which was introduced in Plesk 12.5) are now part of the extension catalogue rather than the core product. This allows for the extensions and the core of Plesk to be individually developed and any enhancements to an extension can be rolled out independently of the core system.  This means we should see a more rapid turnaround of enhanced features within the extensions, rather than waiting for a full core upgrade.

I like to think that the strength and power of Plesk is at its core and the flexibility and functionality is in its extensions.

Core Changes

A number of key core features have been added in Plesk Onyx.  Some improvements that are noteworthy include: improvements to backups, improvements to API, HTTP/2 added support and added improvements to Plesk SDK.  For more details check out change logs. 
The major feature updates which I will cover below include: system updates, improved logging, system resource usage limiting, DNSSEC Support and SSL improvements.  One key aspect around some of the core improvements is what extensions are installed by default.  The Security Advisor Plesk extension was recently added in Plesk 12.5 but is now a default key extension, which is tightly integrated with Let’s Encrypt Plesk Extension to help secure your Plesk Onyx server. 

System Updates

Plesk Onyx provides server administrators with an easy-to-use tool for keeping their servers up to date.  You can update any system packages present on the server either manually or automatically without having to open the console.  The tool uses OS package managers (yum and apt) to perform updates, which makes the procedure of updating as robust as if it were done through native OS tools.

The tool provides extra flexibility if you don’t want to update certain packages. It is possible to prevent packages from being updated by locking them via two clicks in UI.

Plesk has a variety of components that were modified or built by the Plesk team itself (for example, PHP version packages). You can also use this tool to monitor and update these packages at any time you want without waiting for Plesk updates.

Improved Logging Tools

With the introduction of the Log Browser tool in Plesk 12.5, this gave web developers easy access to see their web access and error logs. Plesk Onyx now allows you to open any arbitrary log file (eg specific to your application) located on your virtual host for quicker and easier monitoring and debugging.  Users can save any opened log file in the list of logs for accessing it in the future. For example, we can even view WordPress debug logs:

Another key improvement of the Log Browser tool is the ability to highlight and filter in realtime various strings in your logs. This makes debugging websites even faster and finding potential issues much easier. 

System Resource Limits

Plesk Onyx introduces the ability to limit the amount of system resources per subscription via service plans and can be set specific limits by CPU, RAM and Disk I/O. Based on CGroups (Control Groups), this is a standard feature of modern Linux kernels and already used by other container based platforms for resource control.

You can see a sample of what’s available in the following screenshot:

This will help to stop the “noisy neighbour” scenario, where one website can adversely affect the performance of the others.

DNSSEC Support

The Domain Name System Security Extensions (DNSSEC), is a set of DNS protocol extensions that were introduced by IETF with the goal of signing DNS data to secure the domain name resolving process.

The goal of DNSSEC was to help make the Internet a safer and more secure place. Plesk Onyx now offers the support for DNSSEC, allowing users to protect the DNS data of hosted domains. The DNSSEC extension gives users the ability to do the following:

• Configure the settings used for key generation and rollover
  
• Sign and unsign domain zones according to the DNSSEC specifications
• Receive notifications related to DNSSEC records and keys
• View and copy DS resource records and DNSKEY resource record sets

DNSSEC will help reduce the possibility of DNS spoofing, which can potentially allow malicious users to divert traffic and/or emails from your domain or easily conduct phishing attempts to exploit end users.

Greater SSL Protection

Plesk Onyx can now provide greater protection of your services and now includes a security advisor to enable all your sites and services to be served from a valid SSL certificate. It does this through the Security Advisor extension, which provides an easy set of wizards to ensure your Plesk login has a valid certificate, help enable all sites to be served via HTTPS and even generate the certificates using Lets Encrypt.

• Quickly and easily secure your Plesk Admin
  

You can also use your existing certificates (including ones generated by Lets Encrypt) secure your mail services (SMTP, POP and IMAP), which means that email applications won’t complain about an invalid or self-signed certificate..

Connections to the Plesk webmail can now be secured with a valid SSL certificate with a simple drop-down menu now too:

Extensions Catalog

The Plesk Extensions catalog is not new, however as previously mentioned, Plesk is moving towards more flexibility by using Plesk Extensions.  This provides Plesk developers and third party developers the ability to quickly add their offerings and expand the functionality of Plesk paving the way for the ability to add more features without Plesk core updates. 

Some of the new noteworthy extensions that have been added are Docker Manager, Ruby Manager, Node.js Manager, Git Manager and Plesk Multi Server Extension. WordPress Management tools are now installed by default as an extension ready for WordPress Toolkit version 2.0 to be released in first quarter 2017.

UPDATE 28/03/17 WordPress Toolkit 2.0 released. Here is link to what’s new.

Docker Support

If you do not know anything about Docker here is an article on What is Docker? 
Just to give you a brief intro to Docker:  

Docker is an open platform for developers and sysadmins of distributed applications.

Plesk Onyx now has support for Docker via Plesk extension, some key features are:

• On-demand access to a wide range of modern technologies, such as redis, mongodb, memcached, and many more via Local Images or Docker Hub.
• Choose from a catalog of available images, or upload a custom image.
  
• Deploy and manage Docker containers straight from the Plesk interface.
  
  
• Install Docker containers locally, or to a remote node registered in Plesk.
  

If you want to know more about Docker, we have a series of articles to get you started:

• Docker Basics: A practical starters guide
• Docker Compose: A Quick Intro?
• More Articles

Nginx Only Hosting

If you’re looking for Nginx-only hosting for your websites, Plesk Onyx delivers.  By default, Plesk uses Nginx to proxy requests to Apache to allow Nginx to directly serve static files and act as the SSL terminator. If your stack is fully Nginx compatible (ie, you don’t use a .htaccess file etc), you can completely turn off Apache now to save on server resources.

Full Git Integration

Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. – Extract taken from Git Website

In tune with Plesk Onyx focus on the Web professional and modern web deployment methodology, Plesk Onyx introduces integration with Git – the most popular source code management system which makes managing and deploying your website code even easier.

This feature enables you to do the following:

• Easily deploy your website content by either pushing it to a local Git repository or by pulling from a remote one.
  
• Use GitHub, BitBucket, Travis, or any other software engineering service of your choice.
• Deploy manually for complete control or enable automatic deployment to save time.
  

The trigger for the pull is a simple webhook, which allows you to remotely trigger this either from GitHub/BitBucket directly, or from your preferred Continuous Integration / Continuous Deployment tools. Scripts can also be triggered pre and post-pull, allowing you to run commands such as database merges, image optimisation or cache flushes automatically as well.

Ruby Support

Ruby is…
A dynamic, open source programming language with a focus on simplicity and productivity. It has an elegant syntax that is natural to read and easy to write.
 Ruby WebSite

Plesk Onyx introduces proper Ruby language support as a Plesk extension.  The Ruby extension allows users to quickly and easily deploy Ruby apps on their domains. Both Ruby on Rails and Sinatra frameworks are supported.

With this extension you can:

• Enable Ruby support on any given virtual host
  
• Choose which Ruby version should be used on a domain. Both UI and CLI calls use  the “rbenv” utility to ensure compatibility with your existing environment.
  
• Install gem file dependencies via the UI using the Bundler tool:
  
• Specify custom environment variables
  
• Edit configuration files
  

For a first release, this is quite a comprehensive set of functions. Ruby developers are no longer second class citizens when it comes to ease of administration through your favourite panel now!

Node.js Support

Node.js® is a JavaScript runtime built on Chrome’s V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. Node.js’ package ecosystem, npm, is the largest ecosystem of open source libraries in the world. – Extract from Node.js Website.

Node.js has been around for a few years, and has quickly gained popularity with developers who actively support the growth of Node.js community.  Node.js helps web developers code high-speed applications.  Node.js support in Plesk enables you to:

• Add Node.js applications to your websites with just a few clicks
• Easily manage the application from Plesk, Start/Stop/Restart the application, run scripts.
• Edit config files quickly and easily from Plesk.
  
• Easily install NPM packages.
  
• Have multiple Node.js versions installed on the server (Linux only).
  

Multi-server Administration

Multi-server extension is designed to give you and your clients a single entry point to control webspaces and subscriptions on multiple Plesk Onyx servers. 

Multi-server support include:

• Automatically distribute webspaces or subscriptions on connected service nodes
• Both admin and customers can log into to all your servers from one
• Centralized account management from across multiple Plesk instances
• Subscriptions distributed across service nodes.

Windows Server 2016

Windows Server 2016 is due to be released soon, Plesk Onyx already supports its latest available technical previews. With the introduction of IIS 10 web server a number of new features such as Wildcard subdomains, HTTP/2 support and new cipher suites and supported by Plesk Onyx.

For more details on Plesk Onyx and Microsoft Windows 2016 see current Plesk Onyx Release Notes.

Wrap Up

In a hosting environment, Plesk Onyx ticks a lot of boxes.  It not only adds more features and functions to our product suite offerings but it gives our Partners and End Users more control, better security and less time required to manage their websites.  Plesk Onyx also creates new and exciting opportunities to provide solutions to a wider web professional community. Shared hosting can sometimes be seen as the “old” way to do things, however with the neat Git integration as well as full Ruby and Node.js support Plesk becomes very relevant again to modern web development languages and methodologies.

Full release notes and change log on Plesk Onyx can be found on Plesk Web Site.

If you wish to try Plesk Onyx for yourself you can download a copy here.
If you wish to upgrade your existing Plesk server, upgrade notes can be found here.

Formatting shortcuts

So many websites forget the golden rule in the web world, that content is king. And what makes a great CMS is making authoring and publishing content simple and easy, with a clean workflow. Compared to all the major CMS’s this is where WordPress is the undisputed champion, and in this latest release we now have some great keyboard shortcuts for formatting on the fly. Now, settings “headings”, adding “ordered” and “unordered lists”, and adding italicised quotes can be added while typing, without needing to switch to the mouse for selecting formatting options, thus interrupting the work flow. While this might not seem significant, if you run a busy site, or you don’t have lots of time to spend to be on your business’s website making changes, little efficiencies add up over time, and who couldn’t use a few extra minutes in the day. 

Site Icons

One of the pillars of any modern marketing strategy is branding, and with the new “Site Icons” feature in WordPress, stamping your logo on your site just got that little bit easier. By adding an icon through the customizer, WordPress pushes your logo to the bookmark menu and browser tabs. And for mobile users, when they create a shortcut to your website your logo appears as a icon on their homescreen. Its quick and easy to do, but when it comes to building a brand, paying attention to detail pays off in the long run. 

Better password security

Password1 is a really bad password. I don’t care that ‘technically’ it’s got both an uppercase letter and a number, it’s terrible and it’s insecure. But yet every year it seems to top poor password lists. Password security is one of the most fundamental components of website security and the easiest to get right, yet it’s constantly overlooked.  Anyone who’s worked in the web industry that has seen first hand what happens when a password is compromised will tell you how important secure passwords are. WordPress has thus taken it upon themselves to help protect users by generating a difficult password for new users by default. Furthermore, if users change their passwords WordPress now displays how secure the new password is, so there’s no more excuses for your next password being ‘12345’!! 

Menu’s in the customizer

Tools are there to make work easier, but well designed, user friendly tools do more than that – they encourage creativity and experimentation. WordPress is full of these little gems (in my review of WordPress 4.2 I had high praises for the live theme preview) and Menu’s in the Customizer is one of the absolute highlights of this release. From within the Customizer you can now create a ‘menu’ where you can restructure your site’s navigation in a live test environment by simply dropping and dragging elements in order. Getting your sites flow can be critical to getting visitors what they need quickly or for streamlining the process between decision and purchase. But for anyone who’s tried this before it can quickly become a philosophical debate with lines and site models scrawled across multiple white boards. And until you actually see it on the site, and use it from the user perspective it can be hard to get in right. Now you can without needing to create a copy of the site in a development environment and spend hours doing restructure after restructure. 

Prior to publishing this article I was able to successfully update several WordPress sites all running 4.2+ with no issues, including using the new WordPress management tools integrated into Plesk 12. For customers on our Managed WordPress service, this latest update will be rolled out to you in the coming days.

There’s flat files, like CSV or text files. There’s databases, like MySQL, PostgreSQL, Oracle, Firebase, Sybase, and MS SQLServer. Then there’s the newer NoSQL data sources, including Hadoop, Redis, Cassandra, and MongoDb, amongst a range of other options. But today I want to consider the database question.

If you’ve been around PHP for some time you’ll know that right from the early days that PHP was in-effect wedded to MySQL as the default distribution came with a MySQL driver. As time progressed however this extension started showing its age and was deprecated in favour of MySQLi (i for improved).

But then PHP continued maturing at a very rapid rate and became (depending on your perspective) either fully database-aware or database-agnostic with the arrival of the exceptional PDO (PHP Data Objects) extension. So in this post, I want to look at why you should consider migrating away from MySQLi to PDO in your PHP applications.

What is PDO?

If you’re not familiar with PDO, or this is your first time hearing about it, here’s the definition from the PHP manual:

The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP. Each database driver that implements the PDO interface can expose database-specific features as regular extension functions.

PDO provides a data-access abstraction layer, which means that, regardless of which database you’re using, you use the same functions to issue queries and fetch data. PDO does not provide a database abstraction; it doesn’t rewrite SQL or emulate missing features. You should use a full-blown abstraction layer if you need that facility.

From these two paragraphs, hopefully, you can begin to see just why PDO is the future, and why, in time, the MySQLi extension, might go the way of MySQL extension. Ask yourself: Why use a vendor-specific extension, when you can use one which supports multiple vendors? Why invest the time learning all about an extension, when it only supports one vendor; when you can learn an extension which supports up to 12?

I don’t want to come across as though I’m bashing the MySQLi extension. It’s a good library which offers a lot of functionality, and is well tested. However, PDO has some features which set it apart, ones which may be well worth your while considering. Specifically, I suggest the following three:

• Vendor flexibility
• Reduced learning curve
• Named parameters

Let’s consider each of these.

Vendor Flexibility

For years the mantra of being able to change database vendors, to not be locked in to any specific one, has been touted as a key requirement for professional applications, even as a veritable silver bullet of safety. But in reality, once chosen, how often do applications change vendors? Arguably, not that often.

However, should the need arise, it’s great to know that you can, without a whole lot of hassle. PDO, more than any other extension, offers a much shorter pathway to doing change, as it supports 12 database vendors, which includes:

• PostgreSQL
• SQLite
• MySQL
• Oracle
• ODBC
• MS SQLServer & Azure
• Firebird
• Informix
• IBM DB2
• Sybase
• Cubrid
• 4D

That’s an impressive list of databases supported out of the box. This flexibility is likely even more apt if your application supports multiple vendors, right from the outset. Sure, you do have to consider the SQL that you’re writing, and that it’s portable across each database, or is written in such a way that it only takes advantage of database-specific features when it’s able to do so.

But depending on your setup, were you to want to change from one vendor to another, depending on your SQL, all that might be required is to change the DSN (data source name).

Reduced Learning Curve

Now let’s consider the reduced learning curve, when one extension will support multiple database vendors. When you, or your team, only have to learn one library, instead of several, you can achieve both proficiency and mastery so much sooner. You don’t need to learn multiple libraries. Once you’ve mastered one, you’re done.

Sure, that’s an easy thing to say in theory, but in practise it will take time. However, by reducing the educational load, you reduce the overall investment required. The only thing which you need to know, is the vendor’s SQL implementation and their query testing tools. But this is the case no matter which vendor you’re working with.

I don’t think it can be overstated how, by investing in one library, instead of several, a range of benefits become present. These include:

• Reduced time to library mastery
• Reduced maintenance requirement
• Reduced potential points of failure and bugs

This is a simplistic set of benefits, granted. But they start to hint at the reduced investment required when mastering a universal library, instead of something vendor-specific. It’s worth noting that, whilst PDO is a universal library, it’s not lightweight or lacking. It’s every bit as powerful, in many cases more so, than vendor specific libraries.

Note: PDO doesn’t do everything which MySQLi does. So if you’re considering transitioning, if you’re heavily tied to MySQL, using specific features which other database don’t offer, or PDO doesn’t readily provide, please consider the transition with care.

Named Parameters

Yes, MySQLi has placeholders, but it doesn’t have named parameters. Not sure of the difference? Consider the following example.

php
<?php
// Named parameters in PDO
$sql = 'SELECT name, colour, calories FROM fruit WHERE calories < :calories AND colour = :colour';

This example contains a query with two named parameters, :calories and :colour. When the query is internally generated, the parameters can be reused as often as desired across a range of requests. They’re clear to read and semantically easy to understand.

php
// MySQLi parameterized query
$stmt = $mysqli->prepare("'SELECT name, colour, calories FROM fruit WHERE calories < ? AND colour = ?'"));

Now let’s consider MySQLi, recasting the example using MySQLi. You can see that the query is just the same, but instead of a named parameter, we have a question mark, or placeholder. Now sure, the query’s still legible. But a question mark as a placeholder doesn’t hold as much semantic meaning.

PDO Quick Introduction

Now that we’ve looked at a series of the reasons for using PDO instead of MySQLi, let’s have a look at the basics of how to use it. Specifically, let’s see how to perform some basic querying of database records.

Let’s try and make this a semi-real world example, by using the MySQL Employees Sample Database. This provides a series of tables which model a sample company payroll, covering employees, departments, salaries and so forth.

Dependencies

You don’t need a lot to following along with the examples. Just a project directory and at least PHP 5.4 (ideally 5.6).

Making a Connection

First we need to make a connection to the database. To do that, we’ll use the code below.

php
$dbh = new PDO(
    'mysql:host=localhost;port:33060;dbname=employees',
    'homestead', 'secret'
);

This creates a connection to my database on host localhost, using port 33060, connecting to a database called employees, using the credentials of homestead and secret. For more information, check out the PDO MySQL DSN documentation.

Select Data

With our connection established, let’s select a set of user records, filtering the users by those with a salary of between $40,000 and $50,000, who work in marketing, and were hired after the first of January, 1985. Here’s the query.

php
$sql = "SELECT e.*, s.salary
FROM employees e
INNER JOIN salaries s ON (s.emp_no = e.emp_no)
INNER JOIN dept_emp de ON (de.emp_no = e.emp_no)
INNER JOIN departments d ON (d.dept_no = de.dept_no)
WHERE (
  s.salary between :minSalary AND :maxSalary 
  AND d.dept_name = :department
  AND e.hire_date > :hireDate
)";
$sth = $dbh->prepare($sql);
$sth->execute([
    ':minSalary' => 40000,
    ':maxSalary' => 50000,
    ':department' => 'Marketing',
    ':hireDate' => '1985-01-01',
]);
$results = $sth->fetchAll();
foreach ($results as $result) {
    print_r($result);
}

Doing this will return an array of arrays, containing both an associative and scalar reference to each column in the resultset, as the example below shows.

php
Array
(
    [emp_no] => 10928
    [0] => 10928
    [birth_date] => 1961-11-01
    [1] => 1961-11-01
    [first_name] => Udaiprakash
    [2] => Udaiprakash
    [last_name] => Schmezko
    [3] => Schmezko
    [gender] => M
    [4] => M
    [hire_date] => 1991-04-07
    [5] => 1991-04-07
    [salary] => 40531
    [6] => 40531
)

What about making it simpler, by hydrating a simple value object per record in the resultset? To do that, first we create a value object to model a row, as below:

php
class employee {
    public $emp_no;
    public $birth_date;
    public $first_name;
    public $last_name;
    public $gender;
    public $hire_date;
    public $salary;
}

Then, to use the object, we pass two arguments to the fetchAll() method, as below, PDO::FETCH_CLASS, which tells it to hydrate an object, and the name of the class to hydrate.

php
$results = $sth->fetchAll(PDO::FETCH_CLASS, "employee");

Doing so, the results will now be hydrated objects, like the following example:

php
employee Object
(
    [emp_no] => 10928
    [birth_date] => 1961-11-01
    [first_name] => Udaiprakash
    [last_name] => Schmezko
    [gender] => M
    [hire_date] => 1991-04-07
    [salary] => 40866

I’d look at creating, updating, and deleting, but the functionality is largely the same as what we’ve seen so far; so we’ll end the examples here.

 Future of MySQLi

To the best of my knowledge, MySQLi isn’t going away anytime soon, and I’d hate to suggest that it is or should. It’s a well written and well tested library, which has a definite place in the PHP ecosystem. Additionally, as I’m not one of the maintainers, I can’t speak for them, nor make any pronouncements on their behalf.

What I can say though, is that, from my own perspective, I’d encourage you to become familiar with PDO, if you’re not already, in addition to what you’ve read here. There are several very compelling arguments for using it, instead of a database vendor-specific extension.

Wrapping Up

And that’s both an introduction to PDO, as well as three good reasons why you should consider using it, over a vendor specific library, such as MySQLi, for interacting with databases. Whilst, like any library of sufficient complexity, there’s a lot to digest and learn with PDO, the investment will be worth it; especially as PDO is the foundation for so many of the newer database-related libraries available in the PHP ecosystem.

What's old is new again?

For decades machines have contained micro controllers that enable them to perform their task(s), over the years more sophisticated machines evolved with proprietary software protocols and hardware to enable them to talk to each others or central control systems usually with hefty incensing and software costs. These early systems were often referred to as SCADA systems, "Supervisory, Control and Data Acquisition", they have been in existence for at least 20+ years and most oil & gas plants, power generation, building automation and automated factory systems have them.

They are not new by any stretch of the imagination but what has happened in the last 10 years is the growing introduction of cheap Ethernet and Wifi interface modules that have been very economically priced to warrant adding them into these small control systems. 

One area that has seen rapid adoption has been home automation and building control. Instead of wiring huge amounts of cable back to a central point,  de-centralised nodes linked via Ethernet or Wifi emerged, reducing installation and maintenance costs significantly. With the increase in control nodes there has been a corresponding increase in the data these nodes can provide. By using nonproprietary networking protocols (such as TCP/IP) and network hardware more device platforms can interface into them to utilise that data and open opportunities to provide control and monitoring.

For a typical building, there are 1000's of temperature zones that can be monitored, air-flow into rooms, floor humidity, chilling stages, re-heating stages as well as occupancy detection, lighting control, lift control, water monitoring and regulation and a host of other control and monitoring points for ancillary services. If you even just consider a house, each room could have half a dozen monitoring points, multiply that by the number of rooms as well as the outside environment and the number of connected devices and the data they generate is substantial. Now multiply that by a suburb, city or country! We haven't even started on cars, trucks, trains or our road and environmental infrastructure!

So where is IOT heading and where does "The Cloud" fit in?

Lets assume home automation is big in 2015, it might be if the purchases by Google are an indication. Over the last few years Google has been buying up the cream of the worlds Robotic companies and adding to the list of acquisitions is a (growing) number of home automation companies. My guess is that the future thinkers at Google can see a fully interconnected world where factories are automated, cars drive themselves and people basically work to solve the future problems, robots do the manual labour and systems interact to serve us. Sounds almost futuristic, but its only been 50 years since we travelled into space and the explosion of technology in the last 20 years has outpaced all previous periods in history. Owning the technology that delivers this could be very rewarding. But back to the Cloud, the key outcome of all this information is data generation and control, ideally centralised and ideally secured.

Opening all those devices to open slather access to the Internet for anybody to see is a receipt for disaster and in terms of security would see homes, commercial buildings and any other IOT system the subject of all kinds of security threats. Cloud based servers that provide secured central points of access limit the threat of attacks to IOT systems, Cloud Servers can provide central points of authentication, provide web interfaces for IOT devices that might need to talk different protocols like MQTT or REST and they can be the repository of data generated by IOT devices. We already entrust huge volumes of data to Cloud storage providers so this creates new and exciting opportunities to Cloud Vendors for value added services.

Some Technical Scenarios to consider

Lets get technical, lets assume you have spent $1000's adding automation to your house, you can see the temperature in any room, the attic and outside, you can turn on the lights, the garden sprinklers and regulate the time the pool pump is running as well as monitor your overall power usage. You announce it on a Blog and suddenly 30,000 people go to your home automation page and flood your home Internet link, assuming you have a fixed IP address and a public facing web server! Obviously the traffic load will be an issue, so in reality you don't want people to connect to your home, but while you are home you will need some level of Intranet access to do neat things like enable your security lighting, reduce cooling and air flow to un-occupied rooms and make sure the pool PH level is correct. Even on an intranet using Wifi, there are dangers.

Security for IOT systems is going to be a nightmare!

What protocol should these devices talk? While Internet Protocol (IP) is the defacto transport layer, high level protocols like MQTT are being promoted as the way forward and is sending your data to the Cloud a realistic idea and of any benefit?

Lets say a company offers you money for your power usage data, from this data a real time usage map could be produced that shows power consumption for a collection of streets, a suburb or an entire city. Not only is the data about power usage but its smart enough to report power usage for lighting, heating, cooling, cooking etc brokering this data and being paid for it might produce additional house hold income and create new economic models. Technically data needs to be delivered to those who wish to use it, Cloud Servers could be employed to store the data and broker it onwards to other interested parties, this could be done independently of the data source (your home or office building). If those devices also identify themselves then a whole new marketing segment opens up as well, this might be an unwelcome side effect for future consumers.

For data gathering use cases, pushing data to a Cloud Based server using a protocol like MQTT or a Publish/Subscribe protocol like RabbitMQ or some "yet to become popular" protocol needs to be identified early so the bugs can be ironed out. Personally I like the idea of generating data in JSON format and pushing that to a web service running on the Cloud Server, this data can then be brokered to third parties at a cost that reduces my server bill and subsidises my investment in technology.

Since WordPress is one of the most popular hosting platforms in the world, we have a significant amount of customers who use and trust WordPress for their websites. Throughout the years, we’ve spent a considerable amount of time working with the platform from a server perspective to optimise, tune and ensure that we offer a great WordPress environment. What we haven’t seen completed recently was a comparison as to what effect plugins have to performance, as well as various PHP versions. So, we’ve written this article so that we have some reliable performance metrics to measure the effect of adding plugins, PHP versions and what effect caching has on performance.

The speed of your website is a critical component of the success of your website. Fast sites lead to better user experience and in turn gives greater confidence in your business or company. If you’re running an eCommerce site, the statistics are even harder to ignore. According to KISSmetrics 40% of consumers will abandon a cart for a website which takes longer than 3 seconds to load. Nearly 80% who have experienced performance issues with a website are less likely to buy from the same shop again. There’s also the SEO component too, Google uses the speed of the site as one of the factors for ranking your website.

If you ignore your website performance then your competitors will get the upper hand.

Test Environment

For this testing, we’ll be using a minimal CentOS 6 (64 bit) build using our container based hosting. We’ve ensured that the resource allocation is dedicated to ensure repeatable performance during testing. Unless otherwise specified below, we’ll be using stock configurations.

Note: The premise of the testing is aimed at smaller sites with less than 10,000 hits a day, since this is where many WordPress users start to run into issues. We’ve aimed the specs on what we see for many “typical” small and medium-sized enterprise (SME) based systems. Of course, if we were talking about high end sites then the testing, environment used and optimisation techniques would be quite different. We’ve recently provided WordPress infrastructure platform which sustains over 1Gb/s of traffic, so it’s all about the right deployment for the right environment.

This base configuration includes

• MySQL 5.1
• PHP 5.3.3
• Apache 2.2.15

This is running on a VPS with 1GB of RAM and 2 CPU’s allocated (E5 based Xeons).

Basic Install

We then quickly install WordPress 4.0 by downloading the zip from the WordPress site and running through a standard configuration. I won’t document how to do that for this article, if you want instructions on how to install it manually you can read the guide here.

The only item we changed from the standard configuration was “AllowOverrides” within the html directory so that the mod_rewrite rules could be set in the .htaccess file.

Initial Benchmarking

For a clean build, we now have a basic reference to run. All tests are repeated three times to ensure consistency. We’re simply using the Apache Benchmark tool, which solely focuses on the performance of the server and application and not necessarily what occurs in real world performance. It will give us the Time To First Byte (TTFB), which is only one part which needs to be considered when looking at overall website performance. What it does give is a good indication as to how the server and server code performs, so it’s the main focus of this article. 

We’re using the same test for each step, which is to use one concurrent thread to make 50 requests to the main WordPress page. This is a very low workload but will give a reasonable and repeatable metric to measure the performance. These tests are being run from a different VPS on the system server, so that network performance isn’t a factor.

ab -n 50 -c 1 https://wpserver/wordpress/

The output looks like this:

ab -n 50 -c 1 https://wpserver/wordpress/ 
This is ApacheBench, Version 2.3 <Revision:655654> 
Copyright 1996 Adam Twiss, Zeus Technology Ltd, https://www.zeustech.net/ 
Licensed to The Apache Software Foundation, https://www.apache.org/

Benchmarking wpserver (be patient)…..done

Server Software: Apache/2.2.15 
Server Hostname: wpserver 
Server Port: 80

Document Path: /wordpress/ 
Document Length: 7716 bytes

Concurrency Level: 1 
Time taken for tests: 15.253 seconds 
Complete requests: 50 
Failed requests: 0 
Write errors: 0 
Total transferred: 398250 bytes 
HTML transferred: 385800 bytes 
Requests per second: 3.28 [#/sec] (mean) 
Time per request: 305.059 [ms] (mean) 
Time per request: 305.059 [ms] (mean, across all concurrent requests) 
Transfer rate: 25.50 [Kbytes/sec] received

Connection Times (ms) 
min mean[+/-sd] median max 
Connect: 0 0 0.0 0 0 
Processing: 273 305 15.2 299 349 
Waiting: 273 305 15.2 299 349 
Total: 273 305 15.2 299 349

Percentage of the requests served within a certain time (ms) 
50% 299 
66% 306 
75% 318 
80% 320 
90% 331 
95% 334 
98% 349 
99% 349 
100% 349 (longest request)

This gives us our mean starting value of 305ms for the server response time. Not too bad, but certainly far from perfect if we want to provide the best customer experience and allow the website to scale.

Adding Plugins

So, lets do what most WordPress users do and install a few plugins. I must make this extremely clear: We don’t consider these plugins bad, nor should you avoid using them. Extra functionality can create further overhead, so it’s simply something you need to consider when installing plugins. This testing is simply to help quantify the difference and how to mitigate any drop in performance.

The first is the WordPress SEO Plugin by Yoast. All we enabled was the permalinks, which is what is typically used. The mean response is now 375ms. 

Next, we’ve added Contact Form 7 (without doing anything but enabling the plugin) and the mean response time has now inceased to 401ms.

Installing Jetpack brings this up to 441ms. You can see that each plugin adds a small, but measurable performance overhead.

Now lets add a full e-Commerce solution to our site, using wooCommerce. This now brings our mean time up to 595ms. 

Just to confirm that it’s not external factors and to validate the results, I then disabled these additional plugins and re-ran the testing. The mean response dropped back down to 301ms, which is virtually the same value we started with.

Again, there’s nothing wrong with any of these plugins. This build is what I see many typical small business websites, so it’s nothing out of the ordinary. What must be noted is that these plugins effectively doubled the time the server takes to render a page. This means we need to look at what we can do to optimise and speed up our WordPress installation.

Upgrade PHP / MySQL

The first steps are to see what impact running the latest variants of PHP and MySQL do, since this is something you should do from a “best practices” perspective anyway. As we’re an official mirror for the Remi repository, this is the method we’re using.

Lets upgrade PHP to PHP 5.4: 

yum upgrade php

This will also upgrade MySQL to version 5.5 (5.1 is stock), since it’s a dependency of the PHP 5.4 build for the Remi repo.

Then, restart the MySQL server and Apache and upgrade the MySQL database:

service httpd restart 
service mysqld restart 
mysql_upgrade

What difference did this make? Our mean is now 593ms (with the plugins enabled), basically no change.

Rattling through the tests, I then upgraded to PHP 5.5, restarted Apache and re-ran the test (3 times of course). Result? 579ms. A little bit better, but not enough to be statistically significant. The reality is this wouldn’t be noticed by the user and certainly won’t increase the amount of users the server can handle concurrently.

Since we now have PHP 5.6.0 released as a stable build, let’s give it a go. The result? A mean of 576ms. Not a notable improvement here. This isn’t to say that running the latest PHP isn’t worth doing, just don’t expect that it’s going to instantly boost your performance. There are other advantages to running newer versions of PHP, especially when it comes to updates and security.

MySQL Tuning

A basic install of WordPress isn’t overly database intensive, but what’s the effect of a bit of basic tuning? We can use MySQL Tuner as reference to go forth with, but before making changes you should ensure you read our MySQL Tuning Guide.

The first main item to look at is query caching. We enable it by adding the following field into /etc/my.conf:

query_cache_size=8M

This gives the server a modest amount of memory in which to cache lookups. We restarted MySQL and re-ran the testing, which resulted in a mean of 568ms. Again, no huge performance gain. Let’s enable all of the suggestions, so the extra parts to our my.conf file look like this:

query_cache_size=8M 
tmp_table_size=16M 
max_heap_table_size=32M 
thread_cache_size=4 
table_open_cache=800

Result: 571ms. Clearly, MySQL isn’t a limiting factor for these tests. To confirm our results, I even disabled all the plugins temporarily to see if the result is the same as our starting reference. This brought the mean average back down to 297ms, so again perfectly consistent with the base results.

Conclusion: MySQL gives you pretty good performance right out of the box. The performance difference between PHP 5.4 / 5.5 and 5.6 isn’t significant for WordPress.

A lot of this tuning will assist with a site which is heavily loaded, especially with a number of widgets displayed or shopping carts. The age old ethos of avoiding “premature optimisation is the root of all evil” sings strong and loud here.

Server Caching

If simply running the latest software and a bit of tuning of MySQL hasn’t given us performance gains, what else can be done then? The answer is caching. WordPress have a guide on this here, with their top recommendation being W3 Total Cache. Here at Conetix, this has always remained our answer to those having WordPress performance issues, but there’s one option to benchmark first. PHP 5.5 and above now have the OPcache library, which stores the pre-compiled bytecode in memory. Without this, every time you call a PHP based site it has to compile the PHP code into machine code before executing. OPCache stores this result in memory, which therefore reduces the overhead every time you call a PHP script.

Firstly, lets install and enable the PHP OPcache:

yum install php-opcache 
service httpd restart

So does it make much of a difference? We now have a mean time of 151ms, with the plugins enabled. That’s a response time decrease of nearly 75%, which will not only be noticed by your clients by also increase your server capacity. This is the sort of optimisation we need to achieve!

Running against the WordPress server with all the plugins off again drops this down to 69ms, which is again about a 75% decrease against the stock figures. This is a great improvement and therefore we highly recommend using PHP 5.5+ with OPcache enabled. It can be installed on previous versions via PECL as well, but it’s a much easier task to simply upgrade to PHP 5.5.

Is this all we can achieve? Of course not! W3 Total Cache takes this caching a step further and covers areas such as object and page caching. After installing W3 Total Cache, I enabled the Object Cache to see if this makes any difference. Result? 190ms. Those who are following the figures carefully will note that this is slower. The reasonable conclusion to draw from this is that the PHP OPCache is more efficient at optimisation then just at the object level.

Now lets try the Page Cache. This stores a complete compiled version of the whole page, rather than having to run the database queries and compile the templates and plugins each time. The result? 2.9ms. There’s no typo here, that’s 2.9ms! Clearly, this has provided the most significant performance gain yet. Not only will the user experience dramatically increase, but the resource drain on the server will also significantly decrease.

Conclusion: Installing W3 Total Cache and enabling the Page Cache gives a 99% decrease in server response times. The difference is literally that black and white.

There’s a few caveats with caching of course, it needs to be tightly coupled to your platform in order for changes to become live. In the case of WordPress, if you’re modifying data outside of the framework (not recommended anyway!), W3 Total Cache won’t be aware of the change. As long as you stick to a well planned system then this shouldn’t be a problem.

Further Optimisation

Once you have WordPress running at optimal levels on your server, the next parts to focus on are client side caching and optimisation. Anything which can be done to reduce the amount of files download and the size of the downloads will have a positive impact on all clients. Especially now that mobile devices make up nearly 30% of website traffic, this impact can be significant. A good source of information on this topic is Browser Diet, which outlines not only how to reduce the size of your site but how to best optimise the performance of areas such as Javascript and CSS as well. Before starting any optimisation, we highly recommend reading through this site. We’ll cover the impact this can have in a future guide, but for now we recommend a site like GTmetrix in order to get a basic overview of how your site is performing.

Conclusion

The results are pretty clear, we took a very basic WordPress instance (including commonly used plugins) and improved the server response from nearly 600ms down to 3ms, a 99% decrease in response times. While this may only be for a test site, similar results should be possible from your website as well. As a picture says a thousands words, here’s a graph of the results:

The effect of adding various plugins, PHP version changes and caching can be quite clearly seen. The real world experience is noticeable as well, so the performance increase extends beyond a few basic benchmarks.

So, as our takeaway points for this article:

1. Variations in the PHP versions don’t provide any performance gains for lower traffic sites.
    
2. Plugins can slow down your website, but this doesn’t make them a bad thing.
    
3. OpCache makes a big difference to performance.
    
4. W3 Total Cache makes the biggest difference and is the largest contributing factor to performance on your WordPress based site.
    
5. Optimisations beyond the server level are needed to make your website perform optimally.
    

Again, I want to re-iterate that these apply to SME level deployments of WordPress only. If you’re looking at optimising your WordPress based installation for hundreds of thousands of users, the level of optimisation and work required to sustain this requires a completely different approach. This is something we have experience with too and we may look to detail how we’ve achieved this for some of our clients in a future article.

If you have any questions or other suggestions, please feel free to add them below!