We’ve spoken in the past about WordPress in the enterprise environment. If you are interested in that debate, journey over to this previous post we had written, which details the pros and cons of running WordPress in an environment that is much more stringent regarding its technical requirements and ongoing upkeep. This post, however, is meant to serve as a quick overview of some of the best practices we like to employ when utilizing WordPress in a high-availability atmosphere, such as those that you will typically encounter when working with or for an enterprise-sized company.
The usage of WordPress in such situations depends on two phases that require attention and planning. The first is the initial set up and configuration. As we’ll review shortly, there are things you can do to better prepare the platform for its mission. This includes specific steps from a security and infrastructure perspective to give you some peace of mind from the get-go. Secondly, we’ll highlight some of the ongoing commitment WordPress requires, as it is fair to state that the platform does require ongoing maintenance and oversight.
Before I get into it, I want to review what we define as an “enterprise” environment in the first place. In a previous post, I defined enterprise CMS software as “a system that manages content for delivery on the Web in a multi-user and multi-team collaborative corporate environment.” For this post, that definition still holds, but I would like to expand on it a bit. Enterprise environments are more complicated because they typically come with higher standards for security, code review, access protocols and the like. In each enterprise setting, IT teams will have a series of checklists and standards that must be met. This, of course, can present a challenge for a marketing team that wants to use a platform to ease the burden of managing the corporate internet presence, a burden that is in some cases so great that WordPress itself charges up to $300,000 per year to manage it. Indeed, one of the biggest challenges to using WordPress in the enterprise is how little WordPress end users, and unfortunately many agencies, understand about the more advanced concepts of web development, security, and infrastructure. Hopefully, this post can bridge the gap between those disciplines and enable a better understanding of the subtler points of enterprise usage of WordPress.
With that said, let’s dig in!
Deploying WordPress in an Enterprise Environment
Setting Up WordPress for the Enterprise is much more complicated than almost any other environment in which the platform is used. While I can’t possibly write a post that details every single requirement your IT team may have and how to address it, I wanted to point out some simple, no-brainer techniques that you can utilize in your discussions with IT to bridge the gap between their requirements and your desired result. If you can conquer some of these issues early, you can save the more complex issues for your agency or technical partner to assist on, and possibly earn some respect from IT in the process!
A DDoS-protection service should be mandatory at this point, and surely any capable IT team already has their company operating with one of these providers. For this post, I’ll recommend Cloudflare, which offers security services and DDoS protection. A DDoS, or distributed denial-of-service attack, is one in which attackers hit your website from many different locations at once in an attempt to disable it. Cloudflare serves as an intermediary that absorbs those attacks and keeps your website operating. They also provide managed DNS, caching to improve site speed, and several other ancillary capabilities. As I said, most companies are already using them, but if by chance your company isn’t, it’s time to sign up. Setup is easy and takes almost no time, and best of all the license fees are minuscule in relation to the value they provide.
Every WordPress installation should have a thorough security sweep before deployment. This means two things: making sure that you have the best of breed software and it’s up to date, and also installing software to monitor your website and its activity continuously. First, ensure that when you launch, all of your software is up to date. This is a no-brainer. Also, try to install best-in-class plugins that offer professional support.
In many cases, we see security issues coming out of WordPress not because the base package has a vulnerability but because a plugin does. There is a good chance that in an enterprise environment you will be mandated to perform penetration testing. Honestly, this is problematic for WordPress, as any issues found in licensed third-party plugins will be difficult for you to correct yourself. So, vet all plugins thoroughly, and even go as far as asking the providers whether they can pass the test you are going to be running.
Secondly, you must install some level of ongoing protection that monitors your site for intrusions. I’ll be blunt: it’s challenging to prevent all types of malicious attacks, and there is a good chance that at some point you will deal with some level of intrusion. To stay ahead of this and have access to a helping hand, consider tools such as Sucuri, WordFence or SiteLock – each provides some level of service that can mitigate your risk around these issues.
There are so many providers of hosting for WordPress that it’s hard to choose which way to go with your hosting choice. For our enterprise customers, we typically prefer AWS hosting. This provides the utmost control over the environment and minimizes the effect of sharing resources with other customers of a hosting provider. There are WordPress-specific hosts out there such as WP Engine which does an excellent job. However, for most enterprise clients, we’d rather they have a service where a dedicated instance is available to them, and they have “root-level” access to the server. Most managed hosts like WP Engine or similar are made very easy for most users but restrict power users from doing things the way they may prefer.
You need 24/7/365 monitoring on your site. This is available via a variety of providers. Your host may also provide this, or you can utilize companies such as Pingdom to provide you with updates when your site is not responding. At NPG, we prefer to have intensive monitoring, something that is possible when you have a dedicated instance. Installing local monitoring software that can track server performance typically means you can be alerted to issues with your site before they are even detectable by your end users. How is this possible? By monitoring more than just uptime and digging into more in-depth tracking of server performance, including memory usage, hard drive space, CPU usage, and similar. Whatever you choose to do, don’t go live without some tracking in place so you can be alerted quickly in the case of downtime.
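The "more than just uptime" check described above, as an added example that is not code from the original post: a small POSIX shell health check that samples disk usage, memory in use and 1-minute load on the server itself and evaluates them against thresholds alongside the front page's HTTP status. It assumes a Linux host (`/proc/meminfo`, `/proc/loadavg`), a POSIX `df -P`, and `curl`; the threshold values and the sample inputs are constructed for illustration and are not the post's.

```shell
#!/bin/sh
# Added example, not code from the original post. A local health check that
# looks past plain uptime, as the post recommends: disk, memory and CPU load
# sampled on the server itself, plus the front page's HTTP status.
# Assumptions: Linux (/proc/meminfo, /proc/loadavg), POSIX `df -P`, `curl`;
# the thresholds are illustrative, not the post's.
set -u

SITE_URL="${SITE_URL:-http://localhost/}"
DISK_LIMIT="${DISK_LIMIT:-85}"   # percent of / used
MEM_LIMIT="${MEM_LIMIT:-90}"     # percent of RAM in use
LOAD_LIMIT="${LOAD_LIMIT:-4}"    # 1-minute load average, roughly the core count

# Constructed samples of the three inputs, used by the demo mode below.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 40000000 36000000 4000000 90% /
tmpfs 2000000 0 2000000 0% /dev/shm'
SAMPLE_MEMINFO='MemTotal:        8000000 kB
MemFree:          400000 kB
MemAvailable:    1200000 kB'
SAMPLE_LOADAVG='5.21 3.10 2.04 2/512 12345'

# Use% for one mount point from `df -P` output on stdin (e.g. disk_used_pct /).
disk_used_pct() {
  awk -v mnt="$1" 'NR > 1 && $6 == mnt { sub(/%/, "", $5); print $5 }'
}

# Percent of memory in use from /proc/meminfo on stdin. MemAvailable, not
# MemFree, is what the kernel can actually hand out, so page cache is not
# counted as "used".
mem_used_pct() {
  awk '/^MemTotal:/ { t = $2 } /^MemAvailable:/ { a = $2 }
       END { if (t > 0) printf "%d\n", (t - a) * 100 / t }'
}

# Integer part of the 1-minute load average from /proc/loadavg on stdin.
load1_int() {
  awk '{ split($1, p, "."); print p[1] }'
}

# Succeeds when a metric is over its limit, i.e. an alert condition.
over_limit() {
  [ "$1" -gt "$2" ]
}

# Turn sampled values into alert lines; prints nothing when all is well.
# $1 disk%, $2 mem%, $3 load1, $4 HTTP status code.
evaluate() {
  over_limit "$1" "$DISK_LIMIT" && echo "ALERT disk ${1}% used > ${DISK_LIMIT}%"
  over_limit "$2" "$MEM_LIMIT"  && echo "ALERT memory ${2}% used > ${MEM_LIMIT}%"
  over_limit "$3" "$LOAD_LIMIT" && echo "ALERT load1 $3 > $LOAD_LIMIT"
  case "$4" in
    2*|3*) ;;                                   # healthy responses
    *) echo "ALERT http $4 from $SITE_URL" ;;   # 000 = no connection at all
  esac
  return 0
}

# Sample the live server and evaluate. Wire this into cron or your monitoring
# agent so alerts fire before users notice.
sample_live() {
  disk="$(df -P / | disk_used_pct /)"
  mem="$(mem_used_pct < /proc/meminfo)"
  load="$(load1_int < /proc/loadavg)"
  code="$(curl -s --max-time 15 -o /dev/null -w '%{http_code}' "$SITE_URL")"
  evaluate "${disk:-0}" "${mem:-0}" "${load:-0}" "${code:-000}"
}

if [ "${1:-}" = "live" ]; then
  sample_live
else
  # Demo over the constructed samples: expect disk and load alerts, no memory alert.
  disk="$(printf '%s\n' "$SAMPLE_DF" | disk_used_pct /)"
  mem="$(printf '%s\n' "$SAMPLE_MEMINFO" | mem_used_pct)"
  load="$(printf '%s\n' "$SAMPLE_LOADAVG" | load1_int)"
  evaluate "$disk" "$mem" "$load" 200
fi
```

Run it with no arguments to see the evaluation over the constructed samples, or with `live` on the server itself; an empty output means every metric is within its limit, and any non-empty output is what a monitoring agent or cron job would forward as an alert. The point of sampling resources locally is exactly the one the paragraph makes: a disk at 90% or a load average above the core count shows up here before the site stops answering an external uptime probe.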
Ongoing Maintenance & Support
As mentioned earlier, you have two things to consider when utilizing WordPress in the enterprise — the above section covered pre-deployment tasks. Now, let’s focus on what you need to be watching on an ongoing basis to ensure your site stays up to the task.
Updates / Upgrades
WordPress MUST be kept up to date. When you are not up to date, you are inviting trouble. The issue with updates is that they are never quite as easy as they sound. First, it’s important to note that updates can happen in three places: your theme, your plugins, and the core software. Each carries its challenges. Also, you have to consider that updates happen for two reasons. First, to handle security flaws that may arise. Secondly, to introduce new features. This makes updating a particularly sensitive topic. You need to run updates to fill security gaps, but you may or may not necessarily be ready to adapt to feature changes that come along with them.
Furthermore, you have the issue of dependencies. One plugin may require another to be updated or at least at a current version. This makes the entire scenario complex – and the more plugins you utilize, the more complex this can be. As such, it’s essential to have a realistic expectation of how plugins work and how you can approach them. We recommend all clients that have retainer maintenance agreements let us handle updates for them. There are just too many scenarios to consider, and if things go wrong, troubleshooting can be difficult. Case in point – when a plugin update goes awry, it isn’t unusual for the entire site to go into a broad HTTP 500 error. This is nearly impossible to diagnose without some development support.
My advice? If you have an agency, work with them to run updates and support that process. Also, if you don’t, at the very least make sure you have a development environment running where you can test any updates before you execute them on the live site. The goal is to mitigate downtime and expense – calling an agency or developer for help after you push a button is nearly always a more time consuming (and therefore expensive) proposition. Having a dev environment fail is a much less extreme scenario.
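Both the pre-deployment check that everything is current and the update procedure just described (snapshot, back up, test, and only then push) can be scripted. The following is an added example, not code from the original post or from the WordPress project: a POSIX shell script built on WP-CLI that records installed plugin versions, takes a database export, updates plugins one at a time, smoke-tests the front page after each, and reinstalls the previous release of any plugin whose update produces a non-2xx/3xx response such as the broad HTTP 500 mentioned above. It assumes `wp` (WP-CLI) and `curl` are installed, that `WP_PATH` points at the WordPress root and `SITE_URL` at the site to test; the sample CSV and plugin names are constructed for the demo mode. Run it on the development environment first, exactly as the advice above says.

```shell
#!/bin/sh
# Added example, not code from the original post. Stages WordPress plugin
# updates with WP-CLI, smoke-tests the front page, and rolls back a plugin
# whose update breaks the site. Assumptions: `wp` (WP-CLI) and `curl` are
# installed, WP_PATH points at the WordPress root, SITE_URL is the site to
# smoke-test. Run it on the development environment first.
set -u

WP_PATH="${WP_PATH:-.}"
SITE_URL="${SITE_URL:-http://localhost/}"
BACKUP_DIR="${BACKUP_DIR:-./pre-update-backups}"

# Constructed sample of `wp plugin list --format=csv --fields=name,status,update,version`
# output, used by the demo mode below (plugin names and versions are illustrative).
SAMPLE_CSV='name,status,update,version
akismet,active,available,5.1
hello,inactive,none,1.7.2
contact-form-7,active,available,5.8'

# Print "name version" for every plugin with an update available.
# Reads the CSV on stdin so the parse can be exercised without a live site.
plugins_with_updates() {
  awk -F, 'NR > 1 && $3 == "available" { print $1, $4 }'
}

# Print inactive plugins: their code is still on disk and still needs updating
# or removing, so they belong in the same review.
inactive_plugins() {
  awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# A smoke test passes on 2xx/3xx; the broad HTTP 500 the post mentions fails it.
smoke_test_ok() {
  [ "$1" -ge 200 ] && [ "$1" -lt 400 ]
}

fetch_status() {
  curl -s --max-time 15 -o /dev/null -w '%{http_code}' "$1"
}

stage_updates() {
  mkdir -p "$BACKUP_DIR"
  stamp="$(date +%Y%m%d-%H%M%S)"
  snapshot="$BACKUP_DIR/plugins-$stamp.csv"

  # 1. Snapshot versions so each plugin can be rolled back to exactly what ran before.
  wp --path="$WP_PATH" plugin list --format=csv --fields=name,status,update,version > "$snapshot"
  # 2. Database backup before anything changes (plugin updates can run migrations).
  wp --path="$WP_PATH" db export "$BACKUP_DIR/db-$stamp.sql" > /dev/null

  pending="$(plugins_with_updates < "$snapshot")"
  if [ -z "$pending" ]; then
    echo "No plugin updates pending."
    return 0
  fi

  # 3. Update one plugin at a time so a failure is attributable to one change.
  #    `< /dev/null` keeps wp from consuming the loop's stdin.
  echo "$pending" | while read -r name old_version; do
    wp --path="$WP_PATH" plugin update "$name" < /dev/null > /dev/null
    code="$(fetch_status "$SITE_URL")"
    if smoke_test_ok "$code"; then
      echo "OK   $name updated from $old_version (HTTP $code)"
    else
      echo "FAIL $name (HTTP $code); rolling back to $old_version"
      # Reinstalls the previous release from the wordpress.org directory. Licensed
      # plugins are not there, so keep the vendor's zip for those and point
      # `wp plugin install` at that file instead.
      wp --path="$WP_PATH" plugin install "$name" --version="$old_version" --force < /dev/null > /dev/null
    fi
  done
}

if [ "${1:-}" = "run" ]; then
  stage_updates
else
  # Demo mode: exercise the parsers over the constructed sample only.
  echo "Updates pending in the sample:"; printf '%s\n' "$SAMPLE_CSV" | plugins_with_updates
  echo "Inactive plugins in the sample:"; printf '%s\n' "$SAMPLE_CSV" | inactive_plugins
fi
```

Invoke it as `./stage-updates.sh run` from the WordPress root on the dev instance; with no argument it only parses the built-in sample. The one-plugin-at-a-time loop is the deliberate design choice: updating everything at once and then seeing a 500 leaves you exactly in the "nearly impossible to diagnose" position the text describes, whereas a per-plugin check tells you which update broke the site and already has the version to go back to. Core and theme updates follow the same snapshot, back up, update, test pattern with `wp core update` and `wp theme update`.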
Emergency Response & Escalation
I spoke in the previous section about the importance of having proper monitoring in place. Many clients are good at getting that part done – they use a third party such as Pingdom, which checks whether the website is up or down. Then, the first time they get an alert, they panic and are unsure what to do. That’s when we get those 8 PM calls from annoyed customers upset that their site isn’t responding.
I want to reiterate something for you… Websites go down sometimes. It happens. We work to make these systems as redundant as possible, but it can still happen that a site becomes unavailable. This is why you must have an escalation plan in place: a documented plan, maybe even a flowchart, that details the steps to be taken when a site goes down.
As an example, we provide 24/7/365 support to clients. Each client has a customized escalation plan. Usually, it means our monitoring has the freedom to contact their host, diagnose the situation, and take action to a certain extent as per client wishes to restore connectivity. I’ve seen very few customers that put an escalation plan in place when simply using third-party monitoring. They assume they are covered but when the worst happens, they are busily calling anyone and everyone they think can help. So, have an escalation plan in addition to monitoring. It’s a good insurance policy.
Something marketers tend to understand better than other clients is the need for continuous improvement of their digital presence. Marketers understand that the name of the game today is continually trying new tactics, making improvements based on analytics and honing their workflows. As such, I think it’s important to have a strategy in place for how and why continuous improvement will happen, and then a procedure to oversee the design, development, and deployment of changes as necessary. In the enterprise, many considerations come into play: complex layers of approval and, in some cases, compliance checks can slow down the continuous-improvement process. Have a plan in place that lays out who is accountable for what and how long things usually take to work through all of the necessary processes. Everyone recognizes that continuous improvement is helpful, but frequently they get bogged down in process. Understanding your process and staying within the boundaries defined for you can make continuous changes and improvements more sustainable in the long run.
I think enterprise marketers don’t always keep ongoing compliance regulations in mind when managing content. It’s important to realize that compliance with the various requirements is something you initially achieve but also something you need to maintain. Many industries have a specific set of compliance requirements. Healthcare has HIPAA, and financial services have a plethora of compliance requirements. ADA compliance applies to pretty much everyone, and if you are facilitating e-commerce transactions, PCI compliance may apply too. As you work on a day-to-day basis, make sure the changes and amendments you make are in line with the requirements of each layer of mandatory compliance you need to adhere to. ADA compliance is particularly tricky: as you add content, each piece must be amended to meet that standard. This isn’t a one-time task; it’s an ongoing commitment.
As WordPress continues its dominance throughout the web, I expect more and more enterprise organizations to do the cost-benefit analysis of comparing WordPress against its enterprise counterparts such as Sitecore, AEM, and other expensive licensed systems. Is it worth it to spend significant sums of money on those commercial CMSs when you can use something off-the-shelf such as WordPress and modify it to meet your needs?
Ultimately that debate will continue for the foreseeable future. However, as the next generation of marketers continues to take on more and more decision-making roles, expect to see an uptick in the number of larger companies embracing open source. With that, the understanding of best practices becomes even more critical than before. It may be that the future of the WordPress platform depends on how well it can be adopted for corporate use – therefore understanding how to configure the platform and then effectively maintain it will be essential to the future success of the WordPress project.