Configure Wordpress for Performance and Stability
By Mathieu on Tuesday 11 July 2017, 10:05 - Hacks - Permalink
WordPress is a very common CMS nowadays and works well out of the box. But when it comes to performance and security, its default settings do not harden it enough.
This topic has been discussed a lot on the Internet, but here are my tips, as a web developer and sysadmin.
Performance : the main culprits
On a public website, slowness can come from:
- Network: your provider's network is slow or heavily loaded, or the user simply has a bad connection
- Database access: the provider's database may be under load, your queries may return too much data, or the round trip between the script and the database is just "usually slow"
- Disk access: the disk holding your files may be slow, or lack proper in-RAM caching
- CPU: the CPU of the machine hosting your site may be slow, or you are on a low-cost VPS
There is no "miracle solution" for a badly designed website, but in the vast majority of cases a few simple measures help noticeably.
Security : the main threats
The main threat to a WordPress installation is missing updates. Update your plugins, themes and core as soon as new versions are released.
Custom and unmaintained plugins and themes are also a threat, since they no longer receive updates and can contain exploitable vulnerabilities.
There are several ways to keep your site from leaking information about its state (versions, installed plugins, enabled features). That buys you some time to update before an attacker exploits a known vulnerability.
Security : Disable XMLRPC
Unless you are sure you need it (Jetpack, for one, depends on it), disable XML-RPC. XML-RPC is a kind of "remote control" for WordPress and is widely used as an attack vector: password brute force (with many login attempts packed into one request via system.multicall), pingback-based denial of service, scans and other nasty things.
Save yourself from the unexpected: disable XML-RPC either with a plugin or with web server rules.
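The web server variant, as an added example that is not part of the original post: Apache 2.4 rules that deny every request to xmlrpc.php before PHP runs, and drop the X-Pingback header WordPress adds to pages, which advertises the endpoint. The IP range in the commented-out block is a placeholder for whatever clients you really need to allow.

```apache
# Added example: block XML-RPC at the web server level.
# Apache 2.4 syntax; place in the site's .htaccess (AllowOverride Limit
# and FileInfo needed) or in the virtual host configuration.
<Files "xmlrpc.php">
    Require all denied
</Files>

# WordPress advertises the endpoint with an X-Pingback header on every
# page; remove it so scanners get one less hint (needs mod_headers).
<IfModule mod_headers.c>
    Header unset X-Pingback
</IfModule>

# If Jetpack or a mobile app really needs XML-RPC, allow only its source
# addresses instead of denying everything. 203.0.113.0/24 is a placeholder;
# replace it with the published ranges of the service you use.
# <Files "xmlrpc.php">
#     Require ip 203.0.113.0/24
# </Files>
```

After reloading Apache, `curl -i https://example.com/xmlrpc.php` should return 403 and the front page should no longer carry an X-Pingback header; if it still returns 200, the file is being served by a rewrite rule or a cache in front of Apache, and the rule has to go there instead.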
Security : Enable Brute Force Protection
Brute force is a technique that tries to guess the administrator password by testing common or stolen passwords, usually against wp-login.php (and against xmlrpc.php while it is enabled). Even if the attempts have little chance of succeeding, they consume CPU and network capacity that your real users need.
Many plugins offer basic brute force protection (rate limiting, or a lockout after a few failed logins); first check whether your WAF, if you have one, already provides it.
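A cheaper alternative to a plugin, added here as an example and not taken from the original post: a second authentication layer in front of wp-login.php, so that bots get a 401 from Apache and never cause a PHP process or a database query. The password file path and the user name are assumptions.

```apache
# Added example: HTTP Basic authentication in front of the login page.
# Create the password file once (path and user are assumptions):
#   htpasswd -c /etc/apache2/.htpasswd-wp login-gate
# Apache 2.4 syntax; in .htaccess this needs AllowOverride AuthConfig.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd-wp
    Require valid-user
</Files>

# Serve Apache's own 401 page instead of letting the WordPress rewrite
# rules route the error through index.php (which would run PHP anyway).
ErrorDocument 401 default
```

Two caveats a practitioner should keep in mind: this only covers wp-login.php, so it is useless as long as xmlrpc.php still accepts credentials (disable it as described above), and wp-admin/admin-ajax.php must stay open because front-end features of many themes call it. Basic authentication sends the password in clear text, so the site must be served over HTTPS.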
Performance : Install a cache plugin
Caching is very important. It can save you hours of CPU and database time, and the techniques are well established:
- Static (page) cache: the web page is stored "as the user sees it" and served immediately, without running the PHP code and database queries again
- In-RAM (object) cache: PHP keeps query results and objects in memory (typically in Redis or Memcached) so they load faster. Static assets such as images or CSS files can also be kept in memory by the web server.
- Browser cache: an expiry time is set on static files or pages, so the browser does not request the file again while its copy is still valid.
All these techniques are implemented by the common cache plugins. Use (and configure) one of them, and check that logged-in users and the admin area are excluded from the static cache.
Security : Install a WAF
A WAF (Web Application Firewall) is a filter that blocks known attack patterns (scans, injection attempts, exploit probes) before they reach your site. It is not absolute protection, but it easily kicks out the script kiddies scanning your website, saving resources for real users.
A WAF may be available from your hosting provider, in which case a simple button enables it. Several WordPress plugins also offer one.
Beware: these plugins are often heavy, since they inspect every request in PHP, so combine them with a properly configured cache.
Performance : Watch database size and optimize
You probably do not need so many content revisions. Revisions are copies of earlier versions of your posts and pages, stored in the wp_posts table; you can regularly delete the older ones. WordPress can also cap how many it keeps per post through the WP_POST_REVISIONS constant in wp-config.php.
Some plugins can do the cleanup for you, for instance WP-Optimize. Take a backup before running the purge.
Table bloat should not be a problem on its own, but if your hosting provider does not optimize the database tables automatically, it can become one.
Performance : Use a CDN if possible
A CDN is a set of servers designed to deliver your static content faster than the origin site, by serving it from locations close to the user with long cache lifetimes.
Using a CDN brings many benefits: caching, faster loading of assets, compression and optimization enabled by default, and absorbing traffic peaks before they reach your server.
If you can afford and configure one, you will see a real performance improvement.
Performance : Tweak Apache settings
Some actions can be taken if you have access to the Apache configuration (or to a .htaccess file, when AllowOverride permits it):
- Enable gzip compression: with mod_deflate, text responses (pages, CSS, JavaScript) are compressed on the fly, which reduces the amount of data sent over the network.
- Set long expiration times: tell the user's browser to cache static content by setting Expires/Cache-Control headers (mod_expires) in your .htaccess. Keep the expiry of HTML pages short, or edits will not show up for returning visitors.
- Enable Google's mod_pagespeed: Google provides an automatic optimization module (minification, image compression, combining CSS/JS files) that can help if your theme is messy. Warning: it needs fast disk I/O, since it keeps its cache of rewritten assets on disk, and it can break fragile themes, so test it before enabling it in production.
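The three Apache tweaks above, plus the browser cache mentioned in the cache plugin section, as one added configuration example that is not part of the original post. Every part is wrapped in IfModule so the file still loads on a server where a module is missing; the cache path for mod_pagespeed is an assumption.

```apache
# Added example: compression, browser caching and a minimal mod_pagespeed
# setup for a WordPress site. Apache 2.4 syntax, for a vhost or .htaccess.

# Compress text responses on the fly. Images are already compressed and
# are deliberately left out; compressing them again only burns CPU.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/json
    AddOutputFilterByType DEFLATE application/xml image/svg+xml
</IfModule>

# Long browser cache lifetimes for static assets, none for HTML so that
# content edits show up immediately. When a CSS/JS file changes, change
# its URL (the ?ver= parameter WordPress appends does this) so browsers
# fetch the new version instead of using their cached copy.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 day"
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
</IfModule>

# mod_pagespeed: CoreFilters minifies and combines CSS/JS and recompresses
# images. Its file cache lives on disk (path is an assumption), which is
# why the module needs fast I/O.
<IfModule pagespeed_module>
    ModPagespeed on
    ModPagespeedRewriteLevel CoreFilters
    ModPagespeedFileCachePath "/var/cache/mod_pagespeed/"
</IfModule>
```

To check the result, request a page and a stylesheet with `curl -I --compressed`: the page should come back with `Content-Encoding: gzip` and no long-lived `Expires`, the stylesheet with both a gzip encoding and an `Expires` date a year ahead. If the admin area misbehaves after enabling mod_pagespeed, exclude it with `ModPagespeedDisallow "*/wp-admin/*"` before looking any further.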