What configuration of WordPress provides optimal performance for a high traffic, transactional website?
We host many high traffic WordPress websites, and have found that several key techniques must be leveraged to achieve high performance. It is very difficult/impossible to load balance a transactional WordPress website, so one must rely on a single server.
- Varnish cache. Varnish is an excellent way to cache both static pages and static content, and to force browser caching.
- OPcache. OPcache must be used to cache compiled PHP scripts (opcodes) and interned strings in shared memory. However, OPcache must be tuned so that it doesn't fill up, which causes performance degradation (scripts are recompiled on every request). The OPcache Status page can be used to monitor key OPcache parameters such as used memory, free memory, the number of interned strings, etc. This fine-tuning article recommends tuning memory_consumption, interned_strings_buffer, and max_accelerated_files.
- Redis. Redis and the Redis Object Cache plugin are essential for caching objects and database calls. Another advantage of Redis is that get_transient and set_transient will use the memory cache instead of the database. Tuning Redis with an eviction policy and a max memory threshold is essential to keep Redis fast.
- Moving the database to another server or a hosted database server, such as RDS. This can provide additional security and redundancy.
- Blocking or throttling bots or excessive users. A throttling plugin such as Bottle can help in high traffic scenarios or DDoS attacks. CloudFlare, which proxies your domain through CloudFlare to your web server, is an alternative solution and may also be beneficial. If you choose a plugin-based solution, we recommend one that is a mu (must-use) plugin and evaluates the HTTP client request before all of WordPress is completely loaded.
What is the best technique to prevent WordPress website bot attacks?
You can use CloudFlare or a security plugin to mitigate bot or DDoS attacks on your WordPress website.
What is the best security plugin for WordPress?
Most WordPress security plugins are insufficient to provide the performance necessary to repel bot and DDoS attacks. There are several reasons for this:
- Many security plugins use database tables to log requests, favoring a sophisticated UI over performance.
- WordPress + theme + plugin load is computationally expensive and time consuming, and loading all of WordPress to block an attack is not desirable.
- Many security plugins rely on the User-Agent header to determine the identity of a bot. This is problematic for requests that spoof the User-Agent, since the header is entirely under the client's control.
It is possible, however, to design a plugin that offers good performance if the following architecture is followed:
- Logging should be minimized.
- WordPress loading should be short-circuited as early as possible. This is possible with a mu (must-use) plugin, as it loads before the rest of WordPress and the other plugins have loaded.
- No request should be trusted.
One such plugin that meets these criteria is Bottle.
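One way to implement the architecture above, as an added example that is not Bottle's or WordPress's own code: a minimal mu-plugin (the file goes in wp-content/mu-plugins/) that counts requests per client IP in APCu shared memory, writes nothing to the database, ignores the User-Agent header, and rejects over-limit clients before the theme or any regular plugin loads. The limit, window length, and trusted-proxy list are assumed values, and the APCu extension is assumed to be enabled for the web SAPI.

```php
<?php
/**
 * Plugin Name: Example early rate limiter (hypothetical mu-plugin)
 * Runs from wp-content/mu-plugins/ before themes and normal plugins.
 * Counters live in APCu (no database writes); User-Agent is never read.
 */

// Do nothing on the CLI (WP-CLI, cron runners) or if APCu is unavailable.
if ( PHP_SAPI === 'cli' || ! function_exists( 'apcu_inc' ) ) {
    return;
}

const EXAMPLE_RL_LIMIT  = 120; // requests allowed per window (assumed value)
const EXAMPLE_RL_WINDOW = 60;  // window length in seconds (assumed value)

// Only these direct peers may supply a forwarded client IP.
// Constructed placeholders; replace with the real Varnish/CloudFlare hops.
const EXAMPLE_RL_TRUSTED_PROXIES = [ '127.0.0.1', '::1' ];

/**
 * Resolve the client IP. X-Forwarded-For is client-controlled, so it is
 * believed only when the TCP peer is a known reverse proxy.
 */
function example_rl_client_ip(): string {
    $peer = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if ( in_array( $peer, EXAMPLE_RL_TRUSTED_PROXIES, true ) ) {
        $xff   = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
        $first = trim( explode( ',', $xff )[0] );
        if ( filter_var( $first, FILTER_VALIDATE_IP ) ) {
            return $first;
        }
    }
    return $peer;
}

/**
 * Fixed-window counter in APCu; true when the client exceeds the limit.
 */
function example_rl_is_throttled( string $ip, int $now ): bool {
    $key = 'example_rl:' . $ip . ':' . intdiv( $now, EXAMPLE_RL_WINDOW );
    // apcu_inc creates the key with the TTL when absent, else increments it.
    $count = apcu_inc( $key, 1, $ok, EXAMPLE_RL_WINDOW );
    return $ok && $count > EXAMPLE_RL_LIMIT;
}

if ( example_rl_is_throttled( example_rl_client_ip(), time() ) ) {
    // Short-circuit here: WordPress core, theme and plugins never load.
    http_response_code( 429 );
    header( 'Retry-After: ' . EXAMPLE_RL_WINDOW );
    header( 'Content-Type: text/plain; charset=utf-8' );
    exit( 'Too many requests' );
}
```

Because Varnish sits in front of PHP, a 429 from this file is only seen for requests that miss the cache, which is exactly the transactional traffic the counter is meant to protect; monitor the APCu memory limit so the counter keys are not evicted under load.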