Security : Disable XMLRPC

Unless you are absolutely sure that you are using it (in particular if you are using Jetpack), disable XMLRPC. XMLRPC is a sort of "remote control" for WordPress and is widely used as an attack vector against WordPress: brute force, denial of service, scans and other nasty things.

Save yourself from the unexpected: disable XMLRPC either with a plugin or with web server rules.
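The "web server rules" variant, as an added example that is not part of the original article: an .htaccess fragment for the WordPress document root that makes Apache refuse xmlrpc.php before PHP is started. It assumes Apache 2.4 with mod_authz_core (a 2.2 fallback is included) and, optionally, mod_headers; ALLOWED_IP is a placeholder.

```apache
# Added example (not from the original article). Place in the WordPress
# document root, next to xmlrpc.php. Requires AllowOverride to permit
# <Files> and Header directives.
<Files "xmlrpc.php">
    # Apache 2.4: every request to xmlrpc.php gets a 403 before PHP runs,
    # so brute force and pingback floods cost almost no CPU.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback (mod_authz_host syntax).
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>

# WordPress advertises the endpoint in an X-Pingback header on every page;
# removing it stops scanners from being pointed at it.
<IfModule mod_headers.c>
    Header unset X-Pingback
</IfModule>

# If you do rely on Jetpack or another remote client, use an allowlist
# instead of the block above. ALLOWED_IP is a placeholder, not a real address.
# <Files "xmlrpc.php">
#     Require ip ALLOWED_IP
# </Files>
```

After deploying, a request to /xmlrpc.php should return 403 in the access log; if your WAF or fail2ban watches that log, repeated 403s on this path are a cheap indicator of a scan.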

Security : Enable Brute Force Protection

Brute force is a technique that aims at guessing the administrator password by testing common or stolen passwords. Even if these attempts have little chance to succeed, they eat CPU and network bandwidth that should go to your users.

Many plugins offer basic brute force protection; please check first that your WAF (if you have one) does not already provide it.
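A web-server-level complement to the plugins mentioned above, as an added example that is not from the original article: HTTP Basic Authentication in front of wp-login.php, so that password guessing is rejected by Apache with a 401 before WordPress and the database spend any time on it. It assumes Apache 2.4 with mod_auth_basic and mod_authn_file; the path /etc/apache2/wp-login.htpasswd is a placeholder and must be outside the web root.

```apache
# Added example (not from the original article). Place in the WordPress
# document root .htaccess or in the virtual host configuration.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    # Placeholder path: keep the credential file outside the document root.
    AuthUserFile /etc/apache2/wp-login.htpasswd
    Require valid-user
</Files>

# Create the credential file once (run as the server administrator):
#   htpasswd -c /etc/apache2/wp-login.htpasswd <username>
#
# Effect: a bot that posts thousands of passwords to wp-login.php only ever
# gets 401 responses from Apache; PHP and MySQL are never invoked. Real users
# type the extra credential once per browser session.
# The 401 lines in the access log are also a clean signal for fail2ban or a WAF
# to block the source after a few failures.
```

Keep in mind that wp-login.php also serves logout and password reset links, so every legitimate user needs the shared credential; it is a second gate, not a replacement for strong WordPress passwords.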

Performance : Install a cache plugin

Caching is very important. It can save you hours of CPU and database access time, and is widely standardized. There are various techniques:

  • Static cache: the web page is stored "as the user sees it" and is served immediately, without executing all the database queries.
  • In-RAM (object) cache: the PHP processor keeps objects in memory so they load faster. Some assets like images or CSS files can also be cached in memory by the web server.
  • Browser cache: an expiry time can be set for static elements or pages, so that the browser does not request the file again when it is not needed.

All these techniques are widely known and used in cache plugins. Please use (and configure) one of them.

Security : Install a WAF

A WAF (Web Application Firewall) is a sort of filter that prevents your website from being attacked, scanned, or infiltrated by hackers. It is not an absolute protection, but it easily kicks out script kiddies that would scan your website, saving your resources for real users.

A WAF may be available from your hosting provider; in that case a simple button can enable it. Several plugins are also available for WordPress to do it.

Beware, these plugins are often heavy as they filter every request; use them combined with a properly configured cache system.

Performance : Watch database size and optimize

You probably do not need so many content revisions. Revisions are backups of your articles and pages, stored in the database. You can regularly delete the older ones.

Some plugins can do it for you, for instance WP-Optimize. It is advised to make a backup before executing the purge.

Database size should not be a problem, but if your hosting provider does not optimize databases automatically, it can become one.

Performance : Use a CDN if possible

A CDN is a set of servers designed to deliver static content faster than the original site, by using well-located servers and long expiry times.

You get many benefits from using a CDN: caching, faster loading of assets, default compression and optimization, etc.

If you can afford and configure one, you will really see a performance improvement.

Performance : Tweak Apache settings

Some actions can be taken if you have access to the Apache configuration:

  • Enable gzip compression: gzip compression can be enabled in the Apache configuration, to compress assets and pages and reduce network load.
  • Set a high expiration duration: you can tell the user's browser to cache the content by setting Expires headers in your .htaccess.
  • Enable Google's mod_pagespeed: Google provides an auto-optimization module that can help if your theme is messy. Warning: you must have a good I/O rate in order to use this module, as it makes many disk accesses.
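The three tweaks above in one configuration fragment, as an added example that is not from the original article. It assumes mod_deflate, mod_expires, mod_headers and the pagespeed_module are installed; each section is skipped automatically if its module is absent. It can go in the virtual host or in .htaccess when AllowOverride permits it.

```apache
# Added example (not from the original article).

# 1. gzip compression for text-like responses. Images and fonts are already
#    compressed, so compressing them again only burns CPU.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml
    AddOutputFilterByType DEFLATE application/javascript application/json application/xml
    AddOutputFilterByType DEFLATE image/svg+xml
    <IfModule mod_headers.c>
        # Tell intermediate caches the body depends on Accept-Encoding.
        Header append Vary Accept-Encoding
    </IfModule>
</IfModule>

# 2. Long Expires headers for static assets, none for HTML pages: a browser
#    that keeps an old article for a month would be worse than no cache.
#    One year on CSS/JS is safe because WordPress appends ?ver= to the URL
#    when a theme or plugin is updated, which makes the browser fetch again.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 month"
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
</IfModule>

# 3. mod_pagespeed with its default filter set. Enable only on fast disks,
#    as the article warns: the module keeps a large on-disk cache.
<IfModule pagespeed_module>
    ModPagespeed on
</IfModule>
```

After reloading Apache, check a page response for a Content-Encoding: gzip header and a CSS file for an Expires date about a year ahead; if either is missing, the corresponding module is not loaded or AllowOverride does not permit the directive in .htaccess.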