Ever wonder what it’s like being the Director of Innovation at one of the world’s most visionary companies? Wonder no more. We sat down with Jesse Friedman, Director of Innovation for Jetpack at Automattic. We picked his brain on all things Jetpack, WordPress, Automattic, open source, botnets, and woodworking.
This article was originally published on the BruteProtect blog. BruteProtect was a plugin designed to stop malicious IPs from accessing WordPress websites. The technology behind BruteProtect is now part of Jetpack’s security features, protecting millions of website from brute force attacks every day.
To date, the majority of the feedback we’ve received about our acquisition by Automattic has been positive, but we’ve continued to hear from some of our users that they’re concerned about being forced to use Jetpack if they want to continue to receive the protection offered by BruteProtect. Most of these objections are due to the perceived “Bloat” of Jetpack, a plugin that has the capability to add over 30 discrete features to your WordPress site.
We’ve just passed the four-month mark as a part of the Jetpack team at Automattic, and I’d like to address the “Bloat.”
Is Jetpack Bloated?
The power of Jetpack is its ability to provide functionality which can’t (or shouldn’t) be included in core for one reason or another. The primary reason for many of the features is their need to be connected to outside servers in order to function well – tools like
Photon (which provides a free content delivery network to your site using WordPress.com’s extensive global infrastructure),
Related Posts (which uses Automattic’s large Elasticsearch cluster to calculate similarity between your posts),
Monitor (which provides uptime monitoring from a number of servers around the world),
Stats, Publicize, Subscriptions, Single Sign On, etc.
Most, if not all, of these are features are tools that make your site faster, more secure, keep visitors on your site longer, create a better user experience, help you build more traffic, and help you know more about the traffic that is currently coming to your site.
On top of those core heavy-duty features, Jetpack adds a number of smaller but still useful features – items like Custom CSS, Omnisearch, Beautiful Math, Markdown, Spelling and Grammar tools, Widget Visibility, integrated notifications, contact forms, and more. These are features that add no weight to your WordPress install if you choose not to utilize them.
This doesn’t even begin to touch on the new site management features. You can now manage plugins, posts, and pages on all of your WordPress sites from one interface, keeping your sites automatically up to date and secure.
It’s worthwhile to consider the fact that nearly all of Jetpack’s functionality shares a codebase with the same functionality on WordPress.com, so this code is under constant load and testing by tens of millions of users around the world and is being written by some of the best WordPress developers in the world including public contributors (everything we do is public on Github). Every line of code has eyes on it from multiple developers who are looking at it to be both well-performing and secure.
Since joining Jetpack, Derek and I have written a series of 35 tests which are run against Jetpack EVERY TIME there is a commit to the master branch. This tool will immediately raise red flags if there are any code changes which negatively impact the performance of the a WordPress site running Jetpack. We’ll be releasing all the results of these tests to the public in the near future. Every member of the Jetpack team is committed to making sure that performance is a high priority for the project.
Time for Testing
In an effort to look at exactly what effect Jetpack has on a site, and determine whether Jetpack slows down WordPress, we decided to create a test site and run tests against it in two situations.
In situation 1, a user is running only Jetpack, with the 19 Jetpack modules that are activated out of the box (After The Deadline, Contact Form, Custom Content Types, Custom CSS, Gravatar Hovercards, Latex, Notes, Omnisearch, Post By Email, Publicize, Sharedaddy, Shortcodes, Shortlinks, Stats, Subscriptions, Vaultpress, Verification Tools, Widget Visibility, Widgets).
In situation 2, a user is running five plugins that replicate some of our most used functionality: Contact Form 7, Google Analytics Dashboard for WP, Simple Custom CSS, Share Buttons by AddToAny, NextScripts: Social Networks Auto-Poster. Each of these plugins has the most downloads in the WordPress.org plugin directory for its functionality.
So, does Jetpack slow down WordPress?
The results:
Jetpack, First load, TTFB: 773ms
Jetpack, First load, Complete page load: 1876ms
Jetpack, Repeat view, TTFB: 143ms
Jetpack, Repeat view, Complete page load: 322ms
Other Plugins, First load, TTFB: 797ms
Other Plugins, First load, Complete page load: 2609ms
Other Plugins, Repeat view, TTFB: 460ms
Other Plugins, Repeat view, Complete page load: 529ms
The only place running the standalone plugins even gets close is time to first byte on a first page load. Complete first page load is 28% faster, complete repeat page load is 39% faster, and time to first byte on a repeat page load is 69% faster! So you can see that Jetpack (with 19 active modules) offers SIGNIFICANT load time improvements over these five other tools combined. If you start replicating additional functionality, these improvements get even more pronounced.
At the end of the day, it’s very easy to have a negative reaction to Jetpack because of its size and scope, but, thankfully, those fears don’t tend to be realized in the real world.
As to the questions about if we’ll keep supporting BruteProtect as a standalone tool, the answer is “not forever.” If you are currently running BruteProtect Shield’s botnet protection on your site, it will continue to function until at least the end of 2015. At some point during the year, we’ll remove the ability to generate new API keys from BruteProtect, and at some point in 2016 we will completely discontinue BruteProtect as a standalone service.
If you’ve had issues with Jetpack in the past, please don’t write it off – come back and give it another shot, I’m pretty sure that you’ll be glad you did.
I’m excited to announce that Automattic has acquired BruteProtect, a plugin and service that protects your sites from malicious logins, saves server resources so your site runs faster, and keeps all your sites on the latest and greatest versions of WordPress core, plugins, and themes.
The plugin and service are currently available, but over the coming months we’re going to build their functionality into Jetpack and retire BruteProtect as a standalone thing.
BruteProtect also has a premium service that starts at $5 a month per site — effective immediately, that will be free for every BruteProtect user and Jetpack-enabled site. If you’re already a BruteProtect subscriber we’ll be in touch soon to send you a surprise thank you for your early support. You can download and get started with Jetpack here.
The BruteProtect team is based in Bath, Maine and they’re long-time contributors to the WordPress community. We’re excited to see them join forces with the Jetpack team and up the level of security, protection, and peace of mind we’ll be able to bring to the millions of sites already using Jetpack.
Though Automattic is known for its consumer-facing services like WordPress.com and Jetpack, the infrastructure behind them is the bottom part of the iceberg. Taking services to web-scale is another one of Automattic’s specialties, whether it’s the 8 billion Gravatars we serve every day, the Simperium sync service, or the countless spam that Akismet has blocked (and time it has saved).
This is internet plumbing: when it works it’s completely invisible, and we love that. We’re now pushing 450 terabytes of data a day from 9 datacenters around the globe.