The 4 Step Guide to Securing/Optimising Wordpress, for Lazy Web Admins
I run a bunch of Wordpress sites through a shared webhost and recently my sites have been getting absolutely hammered:
- CPU usage almost constantly at 100% in Cpanel
- Site running really slowly - adding a menu item was taking like 3-5 minutes
- Web logs indicate wp-login and xmlrpc brute force attempts, as well as a number of other exploit attempts
This has been really frustrating for me, as while I've had the odd site hacked here and there, this time it's really slowing down my websites, to the point where they're unusable, and I can tell my webhost is not happy about the recent attacks.
So, I decided to finally sit down to learn this properly, and to wade through the thousands of blog articles on the topic to sort fact from fiction. I was surprised that it essentially comes down to 4 key activities.
1. Update Everything.
This really doesn't need to be said. It's something I do as a matter of course, and you probably do as well. But, the first thing I did was to run through my sites and double-check that core/themes/plugins were all up to date. I've also set myself a reminder to do this on a weekly basis.
Also, double check the plugins you're using and make sure they've been updated fairly recently. If a plugin hasn't been updated in over a year, consider using a different plugin. Deactivate/Delete any plugins/themes not in use.
2. Install a Caching plugin.
I'd read about caching plugins for a long time, but I'd never had issues with speed and figured this was just something for those that thought loading 0.01s faster would improve their Google ranking.
Essentially what it does is cache your database content into static HTML so that when a user visits your site they get served the cached copy rather than having to hit the database every time. I installed WP Fastest Cache and it also minimizes your HTML/CSS/Javascript, combines falls together to reduce web calls, and a few other things to speed up your site.
With a site and database being hammered, installing a caching plugin made a HUGE difference to my site load scores:
- Pingdom: C (76%) -> B (84%)
- GTmetrix page speed: E (54%) -> A (97%)
- GTmetrix 'Yslow': D (61%) -> B (88%)
- Google Page Insights (Desktop): 20/100 -> 85/100
And this was all from a site that was under attack, with a high server load. I was definitely impressed.
3. Cloudflare. No, really, check it out.
People have been talking about Cloudflare for a while, and I roughly understood the concept, but didn't realise exactly what they did for me. Essentially it comes down to three things:
- DoS protection: They stop malicious behaviour before it even gets to your website
- CDN: Your files will load faster for visitors, no matter where in the world they are
- Additional Caching: More caching!
You need to know how to change your Nameserver settings with your domain registrar, but other than that setting up Cloudflare is a breeze. Don't forget to install the free plugin for further optimization.
4. Wordfence
24 hours after moving to Cloudflare, I can see they've stopped a few attacks, but there are still see some bruteforce attempts against my Wordpress login page, coming from Cloudflare IPs (which means they're getting through the basic DoS protection Cloudflare offers in their free plan... not exactly an endorsement for their paid plans), and so it's time to up the anty a bit with a dedicated Wordpress security plugin.
Wordfence seems to be the one that's recommended most often. It has the standard bruteforce defences, and also has a few features that allow you to further secure your web server (eg, preventing php execution in the uploads folder).
My main concern with Wordfence is the extra resources it can potentially consume on the site... but I have a feeling there's going to be a pretty massive trade-off here between the resources it consumes + the attacks it blocks (which in turn will lower resource usage).
Other / Bad Advice
If you really want to dig deep into hardening Wordpress, there is an official guide on the Wordpress Codex, but it seems that if you do the above 4 steps that you'll be covering off most of the points. There were also a few other possible steps/plugins I found in my exploration, but again I figure if you do the above 4 you're going to be pretty well covered.
Also, just a word of warning - be careful what you read on some of the blogs around optimisation and security. A lot of these people appear to just be parroting other advice they've read, which may be wrong or out-dated at beast. Things like password protecting your wp-admin directory will block a lot of AJAX controls from working (even for non-admin users). Deleting xmlrpc.php will affect certain plugins like Jetpack. Etc.
Hope you've found this useful - I know I'll be setting aside some time to run these steps against my sites this weekend!
Damn.. sorry for posting to #news everybody. Steemit had some tags pre-populated from a draft for a different post I'd been writing yesterday and I hit post before realising.
Why is this not #news? #news to me!
Hey Ross, I've also been working in this area a lot recently as well. I would stick with Wordfence despite the resources it uses, nothing compared to Jetpack, for example. A few further points about security:
It shouldn't need saying but use hard to guess usernames and passwords. NEVER use the same password twice.
Put your email address in Wordfence > Settings so you're informed of software when it needs to be updated and of any other security concern on your site
Use two factor authentication when logging into WordPress, this negates the need to protect the wp-admin directory and a lot of other measures that are recommended.
Backups!! I'm sure you do them but they are an essential weapon against hackers and will solve many problems that may come up.
I hope this helps. Let me know if you have any questions.