Altis 3: Extensibility, hardened security and enhanced developer experience

We’re thrilled to announce the latest version of our next-generation digital experience platform: Altis 3 features Pre-Approved Plugins list, hardened security, and enhancements to developer experience.

Release highlights

Pre-Approved Plugins

Do more, code less smarter

Use plug-and-play extensions to expand your platform capabilities, rely on smart integrations and access 1-1 support when you’re stuck.

  • Pre-Approved Plugins
  • Zero-config integration testing with Travis CI support
  • Clickable traces in the Developer Tools panel
  • Support access directly on the Altis Dashboard
Block Editor enhancements

Design beyond today

Create experiences that scale for the new decade.

  • Safe SVG image uploads
  • Predefined layouts for the Columns block
  • New Group Block
Person, Human, Poster

Protect your users and content

Harden your sites, protect user data, enhance user privacy, host public next to private content.

  • Subresource Integrity (SRI)
  • Content Security Policies (CSP)
  • Various HTTP security headers
  • More secure password hashing (Bcrypt)
  • Require Login per site
Human, Person, Leisure Activities

Developer resources

Altis is open source! If you’re ready to give it a glance, we’re keen to hear your feedback – drop us a line via emailLinkedIn, or Twitter!


Pre-Approved Plugins

Pre-Approved Plugins

The new Pre-Approved Plugins list provides a reliable source for our customers, engineers and partners to know which functionalities and capabilities can be added ‘out of the box’ to Altis without any further code review.

Relying on already existing, proven and pre-approved solutions can reduce the cost of custom development for your site – in some cases dramatically. It can also reduce the risk of accidental misallocation of developer resources, i.e. one plugin receiving unnecessary duplicate code reviews from different members of a team.

Pre-Approved Plugins on Altis

While we’re not vouching for the functionality of any particular third-party product, we’re considering extensions installed from the Pre-Approved Plugins list safe to run on Altis.

Custom Chassis configuration

Developers are now able to easily configure additional options for the local configuration file such as VirtualBox memory and ElasticSearch settings. This makes it easier to add extensions and override, or modify extension configurations, for example extending memory for ElasticSearch.

Editorial experience

Art, People, Team

SVG uploads

When it comes to vector-based illustrations and animations, the markup-based SVG image format has become the industry standard in terms of performance and scalability. However, granting users uncontrolled permission to upload and display SVG images can expose a site to potential SVG/XML vulnerabilities.

Altis 3 enables SVG uploads and sanitizes their output in the background to make them secure. This introduces even broader, state-of-the-art editorial and design capabilities for your teams while keeping your site performant and secure.

Block Editor enhancements

Altis 3 introduces major new design capabilities in the Block Editor: the Columns block now offers a range of predefined column layouts and the new Group block lets you define sections of your page as groups and style them coherently.

Select from predefined column layouts in the Block Editor

In addition, we’ve added a number of improvements to media management. Instead of generating intermediate image size files upon upload, Altis 3 now lets Tachyon handle image sizes completely, for much faster uploads. Responsive images now use a configurable array of zoom multipliers and maintain aspect ratio.

Developer Experience

Person, Poster, Code

Testing framework

Altis 3 now provides zero-config support for PHPUnit tests. The new command composer dev-tools phpunit will look for test classes in your project and run them on the local environment. This enables developers to quickly write integration tests with all the features available in production including caching, ElasticSearch, S3, Tachyon, and analytics.

In addition, built-in support for Travis CI is included so tests are easy to run on pull requests in the exact same environment as they’re run locally.

Contact support on the Altis Dashboard

We fixed a number of performance issues in Altis Dashboard and added a Support panel. You can now create support tickets directly from the client dashboard page.

Altis 3 Dashboard
Creating a new support ticket on the Altis Dashboard

Improved deployment process

The deployment process has been revamped and redesigned to allow easier deployment. You can now easily view deployment and build logs, and progress is more clearly visible.

New deploy on the Altis Dashboard
Expanded deployment configuration
Deployment configurations on the Altis Dashboard
Deployment configurations on the Altis Dashboard

In addition, you can now rebuild commits if a failure occurs, and the build cache will now be automatically cleared if needed.

Developer tools

AWS X-Ray traces

AWS X-Ray provides an end-to-end view of requests on their journey through an application, and shows a map of underlying components. It enables developers to better understand their application’s performance and troubleshoot performance issues and errors.

Working on X-Ray locally can be tedious, as it requires either hooking it up to a live AWS account, or manually printing out data that would be sent to the daemon.

AWS X-Ray flamegraph in Altis Developer Tools
AWS X-Ray flamegraph in Altis Developer Tools

Altis 3 features a new panel in the Developer Tools for all the segments sent to AWS X-Ray for inspection. It also adds a flamegraph for the request in a new panel, so it can be used as a profiling tool.

Clickable stack traces

Many panels in Altis’ Developer Tools display function names or stack traces. You can now click a function name and the file opens up in your text editor or IDE at the correct position. 

Altis 3 supports one-click configuration for this feature for common editors including PhpStorm, VS Code, Atom, Sublime Text, and Netbeans. These are based on contributions made by Altis to the open-source Query Monitor project.

Enhanced configuration

Developers who don’t require XML-RPC for their project can now disable it via configuration file. Batcache can now be configured via configuration as well.

Enhanced local environments

Altis 3 adds a number of enhancements to local environments (Local Server and Chassis):

  • When setting up a local environment, the username and password for the first login are now displayed at the end of the installation process.
  • The full theme path is now displayed on the default Altis front page after installation.
  • Local Server now supports the --xdebug flag that starts the main PHP server with XDebug activated. (Note: Having this always on is not ideal in all situations as PHP will run considerably slower.)
  • Local Chassis and Local Server now support an exec command. This allows for running arbitrary commands on the server such as vendor/bin/phpcs.


Person, Human, Poster

Browser security

Altis 3 features various new capabilities around HTTP security and browser technology to help safe-guard your site or web application against malicious third-party content and cross-site scripting attacks (XSS).

Harden your site with Subresource Integrity (SRI)

Subresource Integrity provides a way to mitigate risks of attacks that would compromise files delivered via Content Delivery Network (CDN). It ensures that the files fetched from a CDN (or anywhere) have been delivered without any changes of any kind – e.g. without a third-party injecting any additional, malicious content into those files.

Altis now automatically adds subresource integrity hashes where possible. These will be generated for any files on the same server – i.e. any plugin or theme assets – and they will be automatically cached in the object cache. Plus, Altis 3 includes a framework to allow you to configure SRI for any external assets, such as fonts loaded from a CDN.

Guard against cross-site scripting with Content Security Policy (CSP)

The Content Security Policy framework is a tool which allows locking down how browsers load resources on sites. This helps guard against cross-site scripting attacks (XSS) and other injection attacks by specifying which sources to treat as legitimate. For example, a CSP can tell the browser to only execute JavaScript served from the website itself, or from its CDN, but not from any other sources.

Altis now can gather and send a CSP for you automatically. Out of the box, only basic policies are sent, with a full framework provided to add additional rules for your site, allowing you to build your rules the way you want.

Rely on smart defaults enabling best-practices for web security

In addition to CSP headers that will only be sent if explicitly configured, Altis now adds a number of security headers by default (X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection). 

These follow best-practices for web security and aim to provide a sensible, secure default setup. Like every part of Altis, these can be configured and disabled if your use case differs.

Require Login per site

The Require Login feature requires visitors to sign before they can see a website. In a network of sites (multisite), this feature used to be applied on the network level, so all sites in the network would require a login. 

In Altis 3, Require Login can now be specified on a per-site basis simply by marking a site as ‘private’.

More secure password hashing

Robust hashing functions are vital in the event that an attacker is able to gain access to the database. They make it practically impossible (or at least much harder) to extract plain-text passwords from hashes, helping to secure user access data on the server.

Altis 3 improves password hashing, using Bcrypt, an industry-standard algorithm specifically designed for cryptographic purposes. This improvement is fully backwards-compatible, allowing you to use higher security without requiring a migration.



Cached redirects and errors

Redirects that are not being cached could cause spikes in page loads and potentially bring down a site.

Altis 3 now stores redirects in the page cache for even more robust site performance, and sets a default TTL (Time to Live) value for a number of HTTP responses on the CDN.

Tachyon isolated per stack

Altis 3 provides an isolated Tachyon instance for each environment. This helps ensure your stack remains self-contained and can be upgraded with zero cross-client downtime.

Create for a new decade with Altis 3

Request a demo