Add alert if site has a low cache hit ratio

[jms-pantheon]

Checks the Pantheon API for the last day's traffic on the Live environment.

If the Cache Hit Ratio is below 50% an alert will be shown on the WordPress dashboard and site health screens.

Results are cached for one day. If there is a curl failure it will be retried after two minutes.

[guardrails]

⚠️ We detected 2 security issues in this pull request:

Insecure Processing of Data (1)

Severity	Details	Docs
Medium	Title: Cross-Site Scripting with user input pantheon-mu-plugin/inc/pantheon-metrics.php Line 73 in 969f66b echo wp_kses_post( sprintf( __( 'The live site is currently only serving %d%% of traffic from the GCDN cache. See more details in the <a href="%s">Metrics tab</a> in your Pantheon dashboard.', 'pantheon-systems' ), $cache_hit_ratio, 'https://dashboard.pantheon.io/sites/' . $_ENV['PANTHEON_SITE'] . '#live/metrics' ) );	📚

More info on how to fix Insecure Processing of Data in PHP.

---

Hard-Coded Secrets (1)

Severity	Details	Docs
Medium	Title: AWS Secret Access Key pantheon-mu-plugin/inc/pantheon-metrics.php Line 27 in 969f66b $url = 'https:/api.live.getpantheon.com/sites/self/environments/live/traffic?duration=28d';	📚

More info on how to fix Hard-Coded Secrets in PHP.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[scottbuscemi]

Love the potential here. Would love for the notice to explain why someone would want a higher GCDN cache hit ratio and a direct link to docs for troubleshooting this.

Also curious if we could create a tool in the future that troubleshoots on behalf of the customer and makes recommendations. "You have a session cookie loading on every page..."

[jms-pantheon]

@scottbuscemi I was thinking to keep this simple and provide a link to more information as well as the graph of historical performance. The notice links to the Metrics tab, which in turn links to our public documentation on cache hit ratio.

I agree future work to provide recommendations would be great, perhaps by extending WordPress' site health page.

1. Curl the home URL and check for an appropriate max-age header
2. Similarly check that a set-cookie isn't cache-busting on that request

The more helpful but more difficult to attain piece of data would be what the top miss pages are, often that can lead to finding a specific issue.

[scottbuscemi]

Makes sense.

• Any idea of what % of Pantheon customers would see this notice?
• Would it make sense to exclude this notice for WooCommerce stores on the platform? We don't have a good solution for them to increase their cache hit ratio currently

[jazzsequence]

Now that we have a space for site health checks, it might be worth coming back to this and surfacing this in Site Health rather than with an admin notice.