Bulgaria PHP Conference – Day 1 Recap

Bulgaria is hosting its first official Bulgaria PHP Conference this weekend and I was honored to attend and present my WordPress Core Architecture talk today.

I usually don’t do recaps here – mostly because lots of my readers attend WordCamps with me, watch the talks on WordPress.tv, follow Twitter hashtags and so forth, or I go to other conferences that focus on different areas unrelated to what I tend to blog about here. PHP, however, is the core of the WordPress platform, and the line-up this year is magnificent, which is why I feel obliged to share a quick overview about some of the talks I’ve attended.

Business Logic Security

Ilia Alshanetsky has been a PHP Core Developer since 2001, and was Release Master of PHP 4.3, 5.1 and 5.2 among other titles and accomplishments. He presented about security – but not the day-to-day security talks that you’re used to listening to, covering the OWASP top 10 vulnerabilities and standard best practices such as nonces or prepared statements (somewhat beaten to death). Instead, Ilia covered various attack vectors closer to social engineering and different strategies used by hackers to get access to a given system, or to keep brute-forcing different accounts even after they’re locked out of a certain username following 5 failed attempts.

The business logic talk touched on the rationale behind late night hacks – the fact that the server load is lower and monitors aren’t triggered even after hacker attempts since they don’t add up to the standard load, system administrators are usually asleep, and AWS’s CPU usage costs are lower at night.

Ilia suggested different ways to prevent brute force attacks, or slightly tighten the process: displaying a captcha or introducing 2FA after a few failed attempts, and avoiding the standard ‘login’ and ‘password’ field names in HTML. He also proposed different ways to autogenerate form field names and validate them with sessions.
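One way the autogenerated field names could be tied to the session, as an added example that is not code from Ilia’s talk; the function names and the `login_fields` session key are hypothetical:

```php
<?php
// Added illustration, not code from the talk. Function names and the
// 'login_fields' session key are hypothetical.

/** Generate fresh random field names and remember them in the session. */
function issue_login_field_names(array &$session): array
{
    $names = [
        'user' => 'f_' . bin2hex(random_bytes(8)),
        'pass' => 'f_' . bin2hex(random_bytes(8)),
    ];
    $session['login_fields'] = $names;
    return $names;
}

/** Render the form with the generated names (hex only, safe to embed). */
function render_login_form(array $names): string
{
    return sprintf(
        '<form method="post"><input type="text" name="%s">'
        . '<input type="password" name="%s"><button>Sign in</button></form>',
        $names['user'],
        $names['pass']
    );
}

/**
 * Map a submission back to credentials, or return null when the posted
 * field names are not the ones issued to this session.
 */
function read_login_submission(array &$session, array $post): ?array
{
    $names = $session['login_fields'] ?? null;
    unset($session['login_fields']); // single use: the form must be re-fetched
    if (!is_array($names)) {
        return null;
    }
    $user = $post[$names['user']] ?? null;
    $pass = $post[$names['pass']] ?? null;
    return (is_string($user) && is_string($pass)) ? ['user' => $user, 'pass' => $pass] : null;
}

// Constructed demo; a real app passes $_SESSION and $_POST after session_start().
$session = [];
$names = issue_login_field_names($session);
echo render_login_form($names), PHP_EOL;
var_dump(read_login_submission($session, [$names['user'] => 'alice', $names['pass'] => 'x']) !== null);
issue_login_field_names($session);
var_dump(read_login_submission($session, ['login' => 'alice', 'password' => 'x']) === null);
```

This only rejects submissions that post fixed, conventional field names; a client that fetches the form first sees the generated names, so it complements the captcha or 2FA step rather than replacing it.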

Click-jacking was discussed as well, together with transport security policies, session security (less applicable in WP but still), ACL management strategies and transactional operations. Best practices for log auditing and analysis were also mentioned.


MVC is a hot topic in the web development world since the majority of the web frameworks are MVC-based, and various libraries and frameworks stress their innovative architecture, whether they are MTV (Model-Template-View), MV, MVVM or HMVC. And SOLID stands for the five popular software engineering principles: Single Responsibility, Open-Closed, Liskov Substitution, Interface Segregation and Dependency Inversion.

Those are not unfamiliar terms for anyone working in the web development world, but Stefan Priebsch – the co-founder of The PHP Consulting Company and a scalability expert – took an unpopular approach while reviewing them today.

What Stefan did in his SOLID MVC talk was introduce a broken MVC controller defining a number of actions and refactor it in a series of steps by applying popular methodologies that comply with the best practices in the software design world.

This was a pretty solid (pun intended) talk discussing the flaws of a common software application built on top of an MVC framework and the SOLID violations occurring in most applications. Funnily enough, most use-cases lead to either over-abstractionism, or purely using the wrong tool for a job.

Yet, a good quote about MVC 🙂


Stefan challenged the significance and design paradigms behind some frameworks, and trapped everyone in the room by stating that migrating to another framework is “doing it wrong”, because well-separated business logic would be easier to maintain and wouldn’t require a framework switch. He mentioned several warning signs that would hint to a developer that major refactoring is needed.

Beyond PHP: it’s not (just) about the code

Wim Godden and I had to swap our slots since he had a personal event to attend later today, and we had a great chat with him during the Speakers Dinner on Friday. Wim is a great guy who joined the PHP world in 1997 and is the author of OpenX (now Revive Adserver that we’re using with clients) and PHPCompatibility. Well, and a few other great projects of course.

In his Beyond PHP talk Wim shares his experience scaling massive projects on different layers – code, infrastructure, networks, databases and more – and stresses the fact that code is not the only bottleneck for a project (despite the fact that it often leads to problems).

We went over several scenarios with tricky SQL queries lacking indices, or iterating with for loops through database inserts, multiplying a project’s queries per page view 50 times. Standard logging approaches such as the slow_query_log were mentioned, as well as SQL’s EXPLAIN for analyzing queries, together with the pt-query-digest toolkit. For high-scale applications Wim reminded us that enabling the general log and forgetting to disable it quickly may lead to tens of GBs (or more) of logs, blocking I/O operations, disturbance in the Force or crashing the entire server altogether.

Master-Slave replication gotchas were discussed with real world examples, delays transferring data, network bottlenecks, bandwidth exhaustion, concurrency issues and other goodies during the talk.

Going Crazy with Caching

I missed half of David Buchmann’s talk, but we discussed that the night before and it’s a great topic. In “Going Crazy with Caching” David talks about the concept of reverse proxies and Varnish in general. He gets into details about the flow of a request going through Varnish, the receiving request, hits and misses, and dealing with responses.

He mentioned most of the challenges that we’ve had with cookies and sessions and trying to cache those requests which seem to be a common issue within this context. Going through the slides I found a lot of the VCL rules that we’ve used for our SaaS applications in order to handle caching for authenticated users or deal with advertising cookies or analytics data.

Additionally, David digs into ESI, or the so-called “fragment caching”, which seems to be supported in Symfony out of the box (he is a famous Symfony developer working at Liip). He did provide sample snippets for implementing fragment caching with AJAX as well.

WordPress Code Architecture

I’ll blog about my talk separately once the videos are up, slides are available at http://talks.devwp.eu/code-architecture/#1

Shift Left – Find Bugs As Early As Possible

Emanuil Slavov gave both an entertaining and educational talk about QA, testing automation, and various steps that could be integrated with a Continuous Integration server.

One of Emanuil’s main points in “Shift Left – find Bugs As Early As Possible” was the fact that humans’ time is expensive and machines are meant to support our efforts and assist us whenever possible. That reminded me of the 90s when hardware (especially servers) was way more expensive and development efforts were mostly focused on optimization – in terms of speed and memory. Since technical debt is becoming a significant problem nowadays when things live on a cloud and you can expand resources infinitely in order to save development time, being able to automate different processes and solve problems is an important task in a development team.

Emanuil explained the QA pyramid with three layers – static analysis, unit tests and black box tests. He provided various examples with Linter, older versions of HHVM, PHPMD and their own PHP Reaper for static analysis, PHPUnit for unit testing, and different strategies around implementing API tests on top of that. Slavov reminded us that 100% code coverage is not a guarantee of stable code and issues could arise at all times, on higher levels of the hierarchy.

Their target in Komfo is running all automated tests in the CI for under 5 minutes, which seems to be working fine. We’ll need to match that since our Jenkins CI setup with PHP Code Sniffer, phpmd, some linters, custom unit tests and a few more automated tools takes a bit longer so that’s a good goal to match.

Eating ElePHPants

The keynote session “Eating ElePHPants” was led by Larry Garfield, Senior Architect at Palantir.net, a Drupal 8 Web Services Lead and Rep, and honorable PHP-FIG lead member.

Since Drupal is the closest cousin of WordPress, I’ve been following their development for a while. I spoke at a Drupal Camp in 2011 and shared my first experience with Drupal 4 over a podcast recorded for Acquia. Since Drupal 8 has been in development for 5 years now, Larry shared numerous important lessons of their journey, decisions that had to be made and challenges they’ve faced over the years.

Larry noted that this is an ongoing process that should be taken one bite at a time, with friends. He provided a large number of examples of architectural decisions they’ve made in the Drupal community, and of how the leadership was organized and aligned in a way that allows for moving forward.

I was aware of the fact that they’re embracing Symfony and integrating some components, but today I learned that they have integrated multiple Symfony2 components: HttpFoundation, HttpKernel, DependencyInjection, EventDispatcher, Routing, Serializer, Validator, Yaml. They’ve embraced other components and libraries such as Zend Feed, Doctrine Annotations, Twig and Guzzle, which is a great way to support and collaborate with other communities, invite framework and library developers to a more specific community and improve the overall quality of the end platform.

After a long day of talks and plenty of notes, I’m looking forward to several presentations tomorrow as well, and the grande keynote by Cal Evans himself.
