Hosting WordPress within your institution: Notes from a conversation with Joss Winn (University of Lincoln)

WordPress is a free and open source blogging tool and a content-management system (CMS) based on PHP and MySQL, which runs on a web hosting service. Features include a plug-in architecture and a template system. WordPress is used by more than 18.9% of the top 10 million websites as of August 2013. WordPress is the most popular blogging system in use on the Web, at more than 60 million websites. [Source: Wikipedia]

WordPress is becoming much more than a blogging and content management platform. A combination of its very strong developer community, excellent documentation and solid core means it is increasingly being used as the framework for some very interesting projects. Within the education sector not only is it an excellent blogging platform but the ability to rapidly develop and evolve solutions is very powerful. As far back as 2006 I marvelled at the work Dumfries and Galloway College did turning WordPress into a campus e-Portfolio system. One of my own interests is how WordPress can be used for an open course platform (MOOC, if you prefer). The advantage in both of these examples is that you are not restricted by the VLE in either functionality or availability (depending on your license agreement, institutions may be restricted to registered students).

One concern I’ve had is how do you scale the use of WordPress within an institutional context? How do you go from offering one course to multiple courses? This challenge isn’t specific to just my scenario but applicable more widely. How do you go from supporting one WordPress blog to multiple blogs?

Fortunately this is something the University of Lincoln has been doing for a couple of years, and Joss Winn, who has led this development, kindly took some time out to explain how they’ve gone about hosting over 1,800 WordPress sites (and counting). Below is the audio from our conversation embedded in a YouTube clip (mainly to add machine captions to help you with navigation – to use this visit the video and click on the transcript button) followed by my written-up notes:


Institutional installations of WordPress - The University of Lincoln story

Notes

Background

blogs.lincoln.ac.uk

Joss started in 2008 with a web server to experiment with various web applications. As part of this he installed what was then WordPress Multi User*. Joss and his team slowly grew usage with informal awareness raising before submitting a proposal for a dedicated server and web address (http://blogs.lincoln.ac.uk/) for a WordPress Multiuser Site. Since then the offer has become more formalised with the option for all staff and students to create their own WordPress powered site. Staff and students are encouraged to help themselves but technical and pedagogic support is available from the Centre for Educational Research & Development, where the project is based, or through regular workshops.

*Multi User was a fork of the WordPress code that allowed multiple concurrent sites from the same installation. Since WordPress version 3.0 this has been added to the core code. The trend appears to be towards calling this mode Multisite.

From early on Joss and his team were keen to experiment with the social networking plugin BuddyPress. This feature isn’t overly used by staff and students but one of the primary advantages of using it is it allows activity from across created sites to be displayed on the main landing page.

Joss highlighted one of the big advantages of their configuration is that it is one of the few University systems where users can invite others (including external institutions, consultants, members of the public) to join and collaborate on sites. With this the owner can also assign them the level of permissions they want for their site from subscriber to administrator.

Technical

blogs.lincoln.ac.uk sits on a dedicated Red Hat server with 8Gb RAM (Joss mentioned that if you are starting out you’ll get away with 4Gb). The database (MySQL) is now hosted on a separate cluster, but initially it was on the same one. All 1,800 WordPress sites run off the same WordPress install making it easy for them to update the core software and plugins (Joss also noted that they have never had a problem with automatic upgrades).

Within a Multisite configuration the default is that all the sub-sites include the same plugins and themes. To allow more control over this, Lincoln use the Multisite Plugin Manager to control which plugins are available on different sites. Initially Joss and his team freely added plugins on request, and prior to this summer there was a selection of over 70 approved plugins. Recently a usage audit (there’s a plugin for that) pruned this down to 7 for all new sites, phasing out the other plugins used in existing sites over time.

Plugins/themes

The current list of plugins to new sites is:

* Joss is reviewing both of these as functionality now exists in Jetpack

Whilst there is a limited selection staff can still make requests for additional plugins which are activated on a per site basis using the Multisite Plugin Manager. The usual caveat is that the plugin must be in the wordpress.org plugin directory although premium plugins bought by individuals are occasionally used.

Additional plugins/themes used for the administration of Multisites include (there are 35 they use in total):

  • Multisite Plugin Manager – allows administration of the plugins installed by default and on a per site basis
  • WPMU LDAP Authentication - enables Lincoln staff and students to login with University credentials and if required create new sites
  • Akismet – used to prevent spam comments ($550/year)
  • Multisite Analytics -  site wide Google Analytics tracking (individual sites can also additionally specify their own tracking code)
  • Domain Mapping – allows individual sites the ability to specify a different domain name
  • More Privacy Options – adds three extra site defined visibility options: network users only, blog members only and admins only
  • BuddyPress – primarily used to bring together activity from across the platform
  • Farms 133 theme pack – curated set of themes from WPMU Dev (WPMU Dev has an annual member subscription of $588/year. This gives you access to a collection of premium themes/plugins as well as support)

Spam and ‘brute force’ attacks

Lincoln use the Akismet service (run by Automattic, who also develop/own WordPress.com) to prevent spam comments. Joss explained that previously they had used the free personal plan, which permits non-commercial sites and blogs. There has been a bit of a grey area around this given the commercial nature of some University activity and they now subscribe to the Enterprise package, which costs $550 a year.

Recently WordPress has become the target of brute force attacks. These hammer servers with multiple username and password combinations to gain access to sites. One reason for WordPress becoming the focus of these attacks is the relative ease with which WordPress sites can be discovered (just search for ‘Powered by WordPress’). Apart from the potential security risk, these attacks can act like a denial of service and bring the server down. Lincoln hadn’t experienced any issues with these types of attacks.

WordPress provide guidance on hardening against brute force attacks. If Lincoln were to experience any problems because of the Multisite configuration it would be easy to apply these solutions.
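
Because every sub-site shares one install and one web server, login failures are best counted per source address across the whole network rather than per site. The sketch below is an added example, not code from Lincoln or from the WordPress guidance. It assumes sub-directory Multisite URLs, combined-format access logs, and that stock wp-login.php answers a failed login with 200 and a successful one with 302; the site names, threshold and window are constructed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (documentation IP ranges), not real traffic.
# "/site-a" and "/site-b" are hypothetical sub-directory sites on one install.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Aug/2013:10:00:03 +0000] "POST /site-a/wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [12/Aug/2013:10:00:04 +0000] "GET /site-a/wp-login.php HTTP/1.1" 200 2890
203.0.113.7 - - [12/Aug/2013:10:00:05 +0000] "POST /site-b/wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Aug/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Aug/2013:10:00:09 +0000] "POST /site-a/wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Aug/2013:10:00:11 +0000] "POST /site-b/wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [12/Aug/2013:10:00:20 +0000] "POST /site-a/wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [12/Aug/2013:10:00:41 +0000] "POST /site-a/wp-login.php HTTP/1.1" 302 0
""".splitlines()

# Login submissions only; the optional first path segment is the sub-site.
# Domain-mapped or sub-domain sites would need the virtual-host field instead.
LOGIN_POST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST (?P<site>/[^/\s"]+)?/wp-login\.php(?:\?\S*)? HTTP/[\d.]+" (?P<status>\d{3})\b'
)

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs whose failed logins, summed over all sub-sites, reach
    `threshold` inside a sliding `window`. Expects time-ordered lines."""
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    per_site = defaultdict(Counter)  # ip -> failures per sub-site, for triage
    peak = {}                        # ip -> largest in-window count (flagged IPs only)
    for line in lines:
        m = LOGIN_POST.match(line)
        if not m or m["status"] != "200":  # assumption: 200 = failed, 302 = success
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        per_site[m["ip"]][m["site"] or "/"] += 1
        if len(q) >= threshold:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return {ip: {"peak": n, "per_site": dict(per_site[ip])} for ip, n in peak.items()}
```

In the sample, no single site sees more than two failures from the flagged address, so a per-site counter with the same threshold would stay silent while the network-wide count trips.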

Caching

Initially Joss was using the Super Cache plugin but has recently switched to Alternative PHP Cache and MySQL caching. As this caused conflicts with Super Cache the plugin was removed.

Community guideline and acceptable use

Joss has experienced very little abuse on blogs.lincoln.ac.uk and from early on developed Community Guidelines. The University’s general IT usage guidelines are also highlighted to users.

Costs

Apart from the staff (Joss has handled most of the Lincoln project plus doing other things) and server, the other oncosts are $550/year for Akismet spam protection and $588/year for membership to wpmudev.org, which specialises in multisite plugins and support (these costs work out as 60¢ a site per year).

Alternatives – Managed Hosting

When I asked Joss about Managed Hosting (Edublogs, WPEngine et al.) his main concern was not being able to run the LDAP authentication as a local application. He would also want to make sure he had the same level of control over things like plugin selection and deployment. For example, Edublogs appears to have a fixed list of plugins while services like WPEngine give you control over this.

Summary

So hosting your own multisite installation of WordPress is relatively possible even on a small budget. Given the flexibility of the platform there are opportunities to use it in other ways including establishing your own ‘cMOOC as a service’ empire. There is a growing list of institutions going down the WordPress Multisite route by either hosting internally or committing to a managed hosting solution. One of the big advantages of using WordPress for this, which we didn’t mention when I chatted with Joss, is that with the existing export tools it’s easy to export your site from the network onto wordpress.com or another WP host.

It would be interesting to hear your WordPress Multisite experiences. If you’ve used it, does managed hosting work for you or has it thrown up problems? What is your institutional provision for WordPress training and support? As a multisite user are you experiencing problems with IT services imposing artificial barriers? Or, more simply, what is your current multisite plugin list?

Finally, a big thank you to Joss for taking time out to speak to me!

5 thoughts on “Hosting WordPress within your institution: Notes from a conversation with Joss Winn (University of Lincoln)”

  1. Thanks for this :)

    Would be really interested to know what those 1,800 sites were used for: categorically, guessing, personal blogs would be the most.
    - How many personal blogs?
    - How many uni courses use WP as the VLE?
    - How many of these are distance courses?
    - How many of these are open online courses?
    - What other uses? (clubs? societies?)

    We have a tiny (by comparison) WP installation with a few blogs on it. I would like to push it out more widely and have it adopted as a component of an open online course platform.

    Maybe I should contact Joss!

    1. Post author

      From Joss via George:

      Joss wrote (and I repost with permission):
      It's difficult to answer this. The number of sites ever created, as of today, is 1970. There are currently 1715 sites still live on the platform (not deleted, not archived). Of those, you'll see from here http://blogs.lincoln.ac.uk/blogs/ that just 853 of those are public. If you look down that list and page across, you'll see the type of current activity. You'll also see that only about 100 sites have been updated in the last two months. The summer is slow, so that changes over the year. The variety of uses started off with personal blogs and class related blogs either to support a class or as a method of students writing up their work. This has changed as the platform has been adopted across the university as a general purpose CMS. A lot of the activity recently has been research groups setting up sites in preparation for the REF. There are no online courses that I know of. Yes, it's used in parallel with the VLE and to support distant/work-based learning. There may be some societies using it too. I lost track a long time ago. I am waiting on someone in ICT to write a script to help me identify what sites are effectively dead so that I can archive them and get a better sense of genuine site and user activity. Of the 4000+ users, that includes old students and basically anyone who has ever logged in.

      Sorry I can't be more specific, but do look for yourself. These days it just ticks over and I support staff in getting to grips with it. One day I might examine its use in more detail. I think it's become popular because it answered a need felt by various people/dept across the university. The Web Manager loves it because it has reduced the amount of time his team spend building websites for people.

  2. Huge thanks for this post - really practical and very interesting to see what others are up to.

    We are using WordPress Multisite to deliver the EDINA Blogs (aggregated view and feed available here: http://blogs.edina.ac.uk/) and we've found it works really well. It is also much easier to manage since the move to WP3.0!

    In terms of recommended plugins both Akismet and More Privacy Options are essential for anyone managing more than a few blogs I think. Like Joss we have found FeedWordPress and WPTouch have also been very useful. As our users are a smallish group of staff (fewer than 100) and blogging mainly for projects and services we have implemented various plugins for video, slideshare, storify and similar embedding functionality. This makes sense on our relatively contained set up but might be more risky across a larger/less security-aware context.

    Since set-up we have imported/moved blogs from other platforms and found both Blogger Importer and FeedWordPress useful for this. I would also recommend the Google Analytics for WordPress Plugin (makes tracking code addition more straightforward for the SuperAdmin) and Google XML Sitemaps Plugin (useful for SEO - as is careful choices of URL that include title and date rather than the =?p123 type format).

    It is worth noting that for Akismet, BuddyPress and especially JetPack you are transmitting a fair amount of data back and forth to wordpress.com. With these - and any sharing plugin etc. - you will definitely want to update your cookies statement (I am in the process of gathering the data to update ours to accommodate newer plugins) as much of the functionality comes with a complex suite of cookies.

    Whatever plugins or themes are requested I would certainly endorse Joss' restraint and thoughtful selection of plugins that are useful, reusable and safe. This is particularly important since plugins in particular seem to drop out of maintenance/ownership fairly regularly, and the more numerous and obscure the plugins, the more risk of that you incur.

    We try to ensure any plugin we install for our set up has wider usefulness for our other blogs, appears to be well supported in the WordPress forums, is acceptable in terms of security and risk, and fulfills a genuine purpose. We've also found a few very flexible themes - Suffusion is a favourite - that allow a lot of scope to control look and feel from the dashboard interface, and helps us to have many different looking sites but only require a few themes and plugins to be updated.

    Although we have had good experiences of automatic updates it must be said that anyone managing a WordPress multisite installation should expect to be running WordPress or plugin updates pretty regularly. Our blogs are an important part of communicating our work and even act as the core web presence for some projects so we replicate and also back them up, particularly ahead of updates. It's an obvious thing to do but well worth planning for!

    1. Post author

      Hi Nicola,

      Thanks for the note about Jetpack and other tips. It's easy to forget (or even know) that plugins like these can be sending data back to the provider. Your note about cookie/privacy makes me wonder if having a sitewide announcement to this effect regardless of whether Jetpack was used would be good practice (fortunately there appears to be a plugin for that ;).

      [Probably less of an issue for you as you've got a smaller site network but noticed WPEngine block Google XML Sitemaps plugin due to performance issues and have suggested some alternatives]

      Thanks,
      Martin

  3. Martin, thanks for this. And I shall have a look at those Google XML Sitemaps alternatives recommended by WPEngine - we haven't seen performance issues but I'm always up for reviewing/improving practice!

    - nicola.
