This is the first in a series of articles about improving the security and the performance of your WordPress site (or sites). We will be discussing several methods for increasing the speed of your page loads, some involving use of plugins and some requiring analysis of your pages. We will also be talking in more detail about how to secure your site against online attackers.

Improving the Performance of Your WordPress Site

Making sure that your website performs well is crucial to your success on the Internet. Multiple studies have indicated that if your page takes longer than 2.5 seconds to load, more than 25% of your readers will lose interest and click away. A sad commentary on the attention span of much of the public, but these are the facts of life. In addition, Google now favors sites that load more quickly, so improving the performance of your site can also improve your Google ranking.

The best methods for improving the performance of your WordPress site can depend on many different factors:

  • Your hosting provider
  • Your site's available bandwidth
  • How many (and which) plugins you have installed
  • The complexity of your WordPress theme
  • The size and performance of the WordPress backend database

Trying to account for all of these factors for anyone who might be reading this article is obviously impossible. But don't despair: there are things you can do to improve your WordPress performance that should help in pretty much all cases. We will be giving you an overview of the methods in this post, then breaking them down in detail over several subsequent posts. Please feel free to ask for more details in the comments section here; we will take your suggestions into account while completing the rest of the series.

Offloading Static Content

Most WordPress sites have lots of static content. This is content that does not have to be re-generated every time the page loads because something may have changed, content-wise, on your site. An example of dynamic content would be the overall contents of your main page; as you add new posts, older posts generally will be pushed "back" and their places taken on the main page. So, the main page needs to be rebuilt every time.

On the other hand, static content is content that you know will not change from one page load to the next. For example, there will definitely be graphics that you have added to your site, JPG and GIF images that may be embedded in your posts, and so on. The content of a GIF image will not change from one page load to the next, unless you deliberately replace the image file.

Since static content is not something you need to change or edit frequently, you don't need the same kind of access to it as you do to other content on your site. This means that static content can be served from a different server than your primary webserver. This involves just making sure that the src values in image tags or embedded videos point to the other website.

We mention graphics content in particular because you have a lot of options there, some of which are free. There are multiple sites on the Internet that provide free hosting of graphics (like Flckr) or will host your content and serve it for a very reasonable fee (for example, Amazon S3). Videos can be hosted by sites like YouTube or Vimeo. By moving large video files or graphics files to a separate host, you will improve your site's performance in two ways:

  1. You use less CPU power and bandwidth on your server directly
  2. You increase the number of "items" from your pages that a browser can load at the same time

More on these topics in a future post!

Optimize by Caching

The most important difference between dynamic and static content is that the dynamic content puts much more load on your server than static content. All the processor has to do for static content is grab the bytes off your local storage and send them out the network interface to the IP address that is requesting your page.

Generating dynamic content, on the other hand, will probably require a query to your backend database (sometimes more than one), and after the query returns its result, additional processing to format it and generate the final HTML. This takes time. As more and more visitors reach your site, generating the dynamic content can eventually overload your server.

Given that dynamic content is so much more resource-intensive to send from your server, what is the next logical step to improving the performance of your site? Well, why not try to turn as much of your dynamic content as you can into static content?!

This is the idea behind optimizing by caching. Caching is related to offloading but works in a different way. We are going to look only at local caching of content and not remote or "CDN" caching. We will probably have a post in the future that discusses remote caching in more detail.

As mentioned in the previous section, some of the content of your site is static and some is dynamic. But even the dynamic content often doesn't need to be generated on the fly every time, because the content of your site may not be changing much. We gave the example of how your WordPress main page's content will change as you add new pages to your site. But what about the times between updates? If you haven't added any new posts, the content of your main page probably won't change at all (or, not much). So why regenerate it every time? Do it once, cache the result, and send that out instead. Only regenerate it when something happens that you know will cause it to change!

speed up your site
There are several good, free plugins available for WordPress that operate on this idea. They generate a static copy of what would go out to the browser when someone loads a page from your site, and instead of re-generating it every time, they serve the static version until something happens that makes it necessary to re-generate the static copy (e.g. you add a new post or you change the content of an existing post). The ones we will cover are:

  • W3 Total Cache
  • Fastest WP Cache
  • Zen Cache

Yes, there are many others, including particularly "WP Super Cache," but those are not plugins we use here so we will not be covering them. Detailed information on these plugins will be the subject of another future post.

Security Issues With WordPress

Making WordPress Secure 270x300 PNG
So, you're using WordPress for your blog or other marketing website. Great! WordPress is a fantastic piece of software, and in and of itself is extremely secure. The WordPress team has made an especially serious effort to do good security audits of the code base over the last few years. If you are running any of the 4.X series of WordPress, you probably do not have to worry much about holes in WordPress itself.

The biggest problems come when you begin to extend the capabilities of WordPress with custom plugins and themes. Because of this extensible nature of WordPress, it is one of the most hacked platforms on the net.

The problem is that these add-ons often have not had nearly as much security vetting as they should, certainly not as much as the core code of WordPress itself. This leads to all sorts of potential security problems, and since the only security auditing done on most plugins is that done by the authors themselves, security holes can exist for months or even years.

How WordPress Sites Usually Get Hacked

There are two primary means that attackers use to compromise your site. One is very easily dealt with, the other is much harder.

Brute Force Password Attacks

The easiest type of attack to counter is a simple brute force attack. The attacker goes to your WordPress administration login page and simply tries to log in with a large list of common usernames and passwords, often with a programmed 'bot that does it automatically.

There are two things you should do to prevent this sort of attack on your site. The first, and most obvious, is to always use strong passwords for your WordPress accounts, especially any with editing or administration privileges. Strong passwords are a topic for a separate post, but if you follow this simple set of rules, you will probably be OK:

  • Never use a password that is a simple dictionary word
  • The rule against dictionary words includes words with number-for-letter substitutions
  • Always use a combination of numbers and letters
  • Add non-alphanumeric characters like "%" or "@" or "_" as well
  • Never base your password on personal information like birthdays, family names, and so on

The second thing you can do is to install one of the WordPress security plugins that prevents these attacks by limiting the number of login attempts. Without a plugin like this, attackers are free to just try passwords all day long until one works. With a lockdown plugin, after a certain number of failed attempts, they will be banned from loading the login page. Most such plugins allow you to "ban" an individual IP or an IP subnet range.

We will cover details about these plugins in a separate post, coming soon to the IMC!

Security Issues with Plugins and Themes

As mentioned previously, a lot of security issues crop up not from WordPress itself, but from add-ons like plugins and themes. Usually this happens when hackers discover a security vulnerability in the add-on and then develop an exploit for it. If you happen to be using that plugin or theme, you're now a target.

Generally, plugins will have identifiable "footprints" in the content that gets sent out to the web browser so that it will be fairly simple to identify whether that plugin is being used on a given site. So, would-be hackers can just pull main pages for a bunch of websites, look for the footprint, and build a list of sites to attack with their exploit.

As an example, there might be a plugin that adds social media "share" icons to your site (e.g. SexyBookmarks and such). The code that it produces and puts on the site may contain HTML comments that identify it as coming from that plugin. All the attacker has to do is look in the HTML for those comments. Properly crafted Google queries can search for sites that have the footprint; now Google is helping the hackers target their victims!

Backdoors And Other Fun Times

So, what can happen when someone hacks your site?

Usually, the hackers will install backdoors into your site. These are meant to provide access to the hackers on an ongoing basis, and worse, allow them to get back into your site if you try to fix it. These backdoors can be installed in many places: your .htaccess file (or files), your back-end database, and of course the PHP code files on the site.

Once the backdoors are in place, the most common things that will be done are traffic theft (by redirecting traffic from your site to theirs), using your site as a platform for attacking other sites, and simple malicious defacement of your site.

What Can You Do? Securing Your WordPress Site

Unless you're a computer security expert, you'll probably need some help with securing your site. Don't despair; help is available!

In a previous post, we discussed several different security plugins. We have used a lot of different security plugins over the years, but we have generally settled on one of these two: "Login LockDown" and "All In One WP Security & Firewall." The first one has a narrower focus and so is much simpler; the second is much more comprehensive and requires more effort, but is definitely worth it for any high-value sites you may have.

More on these plugins in a future post!

Thank you for joining us here at the IMC!

Author's Note: Some of the content in this post also appeared in a previous post; we have added new information on optimization and security plugins.

More posts filed under category: General Information

Like this post? Subscribe to our RSS feed and get loads more!