WordPress

WordPress is by far the world's most popular Content Management System, and that makes sense given its ease of use. It's famous for letting anyone have a blog set up within 5 minutes.

For the initial setup you just create an account for the admin panel and set things like the base URL/domain for the web page.

After that you're free to explore /wp-admin and make the content for the page. There are also the healthy plugin and theme marketplaces for WordPress, which you can access from within the admin pages of a standard WordPress setup. So without any technical skills one should be able to make a WordPress page or blog that looks fine and even has web store integration with Stripe or some alternative payment provider. By far the most popular option for a simple web store is WooCommerce using Stripe.

Anyway, while this is all cool, fine and dandy, WordPress is super slow, because it's a PHP web app where every request is routed through the same index.php file. This has heavy implications for the security setup of the web server hosting the thing, but also for performance, as that index.php loads the whole WordPress setup, including plugins and theme.

So what can we do about it?

Well as it turns out, a lot!

Simple WordPress improvements

The first and easiest improvement to a WordPress page is to add page caching. The best WordPress cache plugin is WP Fastest Cache. Any cache should help with page load, but that one is for sure the best option. And of course I'd recommend going through all the configuration options, but the defaults should be fine. This and any other self-respecting WordPress cache plugin should be able to automagically detect when pages need re-rendering and otherwise serve the cached version of the page.

WordPress security

When it comes to securing a WordPress setup, it's important to make sure the actual web server in use is configured properly. Here I'll showcase some example nginx and Apache configs for a hardened WordPress installation. If your WordPress is installed on some shared hosting solution, then it's up to the hosting provider to configure the web server, and php-fpm or whatever runs PHP, properly.

Nginx site for hardened WordPress:

server {
  listen 443 ssl http2;
  server_name yowpdomain.example.com;

  # assumed paths; adjust to your installation
  root /var/www/wordpress;
  ssl_certificate     /etc/ssl/certs/yowpdomain.example.com.crt;
  ssl_certificate_key /etc/ssl/private/yowpdomain.example.com.key;

  index index.php;

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  # Regex locations are tried in the order written and the first match
  # wins, so the deny blocks must come before the generic PHP handler.

  # hide any hidden files
  location ~ /\. {
    deny all;
  }
  # except for .well-known (a ^~ prefix match beats the regex above)
  location ^~ /.well-known {
    allow all;
  }

  # limit xmlrpc access
  # this is a management API
  location ~* /xmlrpc\.php$ {
    allow 127.0.0.1;
    deny all;
    # still needs the PHP handler, otherwise the file itself is served
    fastcgi_pass unix:/var/run/php/php-fpm.sock;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }

  location ~ \.php$ {
    # only hand real files to php-fpm
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }
}
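Why the deny blocks belong before the generic PHP handler: the following is an added Python model of nginx's location selection (not from the original post, and a simplification of the real algorithm that ignores nested locations and named captures) applied to the five location blocks above. It shows that when the `~ \.php$` block is listed first it shadows the dotfile and xmlrpc denies, while the `^~ /.well-known` prefix wins regardless of order.

```python
import re
from dataclasses import dataclass


@dataclass
class Location:
    modifier: str  # "" (prefix), "=", "^~", "~" (regex), "~*" (regex, case-insensitive)
    pattern: str
    name: str      # label for what the block does


def select_location(locations, uri):
    """Return the name of the location block nginx would pick for uri.

    Simplified model of nginx's selection: an exact (=) match wins outright;
    otherwise the longest matching prefix is remembered, and a ^~ prefix ends
    the search; otherwise regex locations are tried in config order and the
    first match wins; otherwise the remembered prefix is used.
    """
    best_prefix = None
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc.name
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix.name
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc.name
    return best_prefix.name if best_prefix is not None else None


# The five blocks from the config, with the PHP handler listed before the denies.
PHP_FIRST = [
    Location("", "/", "front-controller"),
    Location("~", r"\.php$", "php-fpm"),
    Location("~", r"/\.", "deny-dotfiles"),
    Location("^~", "/.well-known", "well-known"),
    Location("~*", r"/xmlrpc\.php$", "xmlrpc-localhost-only"),
]

# Same blocks, deny blocks first and the PHP handler last.
DENY_FIRST = PHP_FIRST[:1] + PHP_FIRST[2:] + PHP_FIRST[1:2]


def shadowed(uri):
    """Which block handles uri under each ordering: (php-first, deny-first)."""
    return select_location(PHP_FIRST, uri), select_location(DENY_FIRST, uri)
```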

Apache/LiteSpeed virtual host directives for a similar setup:

<VirtualHost *:443>
  ServerName yowpdomain.example.com
  # assumed paths; adjust to your installation
  DocumentRoot /var/www/wordpress
  SSLEngine on
  SSLCertificateFile    /etc/ssl/certs/yowpdomain.example.com.crt
  SSLCertificateKeyFile /etc/ssl/private/yowpdomain.example.com.key

  DirectoryIndex index.php

  # hand .php files to php-fpm over its unix socket (mod_proxy_fcgi);
  # the "|fcgi://localhost/" part tells mod_proxy which protocol to speak
  <FilesMatch "\.php$">
    SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost/"
  </FilesMatch>

  # Access control below uses the Apache 2.4 "Require" syntax
  # (the 2.2-style "Deny from" needs mod_access_compat)

  # Dotfiles
  <FilesMatch "^\.">
    Require all denied
  </FilesMatch>
  # Dotdirs
  <DirectoryMatch "^\.|\/\.">
    Require all denied
  </DirectoryMatch>
  # except for .well-known (Location sections merge after Directory/Files)
  <LocationMatch "^/\.well-known/">
    Require all granted
  </LocationMatch>

  # limit xmlrpc access to localhost
  <Location "/xmlrpc.php">
    Require ip 127.0.0.1
  </Location>
</VirtualHost>