Optimize a Wordpress Site (July/2022)
Wordpress is a very comfortable framework to create a site on.
You automatically inherit a slew of amazing plugins which enable you to create many sorts of dynamic sites with statistics, admin site and many other benefits.
But unfortunately, you also inherit many problems which come with the Wordpress installation.
Just to name a few
- Wordpress is a heavy framework, instead of having a lean HTML/PHP site, you now have this monster you need to reign in. - I am talking optimization/speed wise
- Wordpress is very popular (it powers more than 30% of the internet sites as of today), so it is a target to many a hacker.
- Wordpress has lots of security issues as each plugin is created by a different developer and you won't know where the security breach came from.
- Wordpress is slow as it does lots of tasks behind the scenes (as it has lots of not-so-needed functionalities).
So what are the initial steps one should do when creating a fresh wordpress site ?
- Make sure you have a SSL certificate
- Use a fast DNS (Cloudflare)
- Consider the web server in use, Apache WWW has the worst performance while nginx is much better but might be complicated to configure. (OpenLiteServer seems like the best fit)
- Take care of the www redirect
- Have a backup plugin (Updraft, or maybe a server backup [not controlled in WP])
- Use CloudLinux for much better security
- Block all not used ports on your server
- Your server should have a good firewall (waf?), putting in jail all of those knocking on the ftp/ssh/mail ports.
- Use a CDN (cloudflare?) with a DDOS attack protection service.
- Wordpress security Plugins
- Blackhole (J. Karr)
- Remove all unneeded parts from wordpress - this also helps against attackers (Machete/Unbloater, Block XML-RPC, Block Rest-API)
- Plugin with a firewall, plugin/theme integrity check, login protection, virus scan (Wordfence, consider offloading protection to the server instead of WP)
- Browser side caching (wprocket/htaccess editing) - so browsers will not even ask for some of the site's assets
- DB caching - Object caching (Redis)
- CDN (Cloudflare with proxied DNS)
- Server Brotly compression (better than GZIP)
- Server side caching (Opcache)
- Remove all unneeded parts from wordpress (Machete/Unbloater)
- Wordpress caching plugin (WPRocket/LSCWP)
Additional points to consider
- Convert all DB tables to InnoDB instead of MyIsam
- Disable WP cron jobs (using wpconfig.php) and enable Linux cron jobs every 15m
- Disable pingbacks or even all comments sitewide
Enable (Cloudflare?) image hotlinking protection
- For large sites, enable more memory: define( 'WP_MEMORY_LIMIT', '256M' );
- Consider eliminating automatic updates
- Define PHP workers smartly (heavy sites can use 4 static workers per CPU) while small sites might use dynamic workers