How Can You Optimize WordPress For Speed & Security In a Shared Hosting Environment?
This is a question that we get a lot. How can you optimize WordPress to run as fast and as securely as possible in a shared hosting environment? Well, don’t fret, as this guide is squarely aimed at you. Follow it religiously, and you’ll have what we believe to be the best WordPress setup to run on a shared environment, without spending a dime.
WordPress is a great Content Management System (CMS). One of its key advantages over others is its flexibility. You can pretty much run and turn WordPress into anything you want. A social media website? Done. An online shop with a powerful cart management backend? Done. A forum? Done! A wiki? You got it.
This flexibility to become anything its users want unfortunately also comes with a caveat. WordPress, in the wrong hands, can be dangerously insecure, primarily because its modularity is powered by plugins written by 3rd party developers with varying code quality and security. “When it works, it works” is a great saying if you just want something that runs, but running something that won’t cost you headaches and money cleaning up a compromised site is something entirely different.
What This Guide Is
Having said that 3rd party plugins are the most probable cause of insecurity in WordPress sites, there’s also good that comes with easy-to-install plugins: there are lots of them that can help you optimize your site for security and speed without paying anything. This guide tries to compile some of the plugins that you can use in your default WordPress installation, to help you and us streamline the process of securing your site.
What This Guide Isn’t
This guide isn’t meant to be the end-all, be-all of WordPress setups. With how modular WordPress is, there will always be edge cases or things that are not compatible with your default WordPress setup. For these, we suggest looking into the best way to optimize your site yourself. That being said, we deeply believe that this collection of steps can be used on the majority of WordPress websites, and will go a long way toward pointing you in the right direction in optimizing your WordPress website.
Now of course, there are even more ways to secure and optimize your WordPress in a non-shared hosting environment such as a VPS or Dedicated Server, but this guide is meant to be used in a shared hosting environment.
Anyway, let’s get this guide started.
Step 1. Keep Your WordPress Core Updated
There’s simply no avoiding it. An outdated WordPress installation is very, very dangerous. Take a look at this list of vulnerabilities that can at any time compromise your outdated WordPress installations.
We understand that you’re afraid of breaking things when you update WordPress. But believe us when we say that the old unreliable WordPress auto-updater that breaks things isn’t there anymore. Over the last six months, we have maintained and updated hundreds of WordPress sites without any issue whatsoever.
And even if the WordPress updater breaks things, trust us when we say that closing down your site for a couple of hours and chasing the rabbits that broke the cage, so to speak, is totally worth it. A compromised WordPress installation or a data breach will cost you much, much more than the couple of hours you spend trying to fix things that break after a WordPress update.
Step 2. Password Protect Your WP-Admin Folder
Here’s a pretty simple tip that can increase your security tenfold, at least against people who try to brute-force your login page: simply password protect your WordPress wp-admin folder! Doing this with cPanel is pretty simple. Click on Directory Privacy, click on the Public_HTML icon to open the folder, and then in the corresponding panel, create a user that’s authorized to access the wp-admin folder. Then check the “Password protect this directory” box above, add some scary name like “RESTRICTED AREA”, and save. You’re done.
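What that cPanel setting amounts to on disk, shown as an added example rather than configuration taken from this guide or from cPanel’s documentation: HTTP Basic authentication set in .htaccess files. USERNAME and the AuthUserFile path are placeholders, the syntax assumes Apache 2.4, and the admin-ajax.php exemption and the wp-login.php block are additions that go beyond the cPanel steps above.

```apache
# ---- File 1: public_html/wp-admin/.htaccess (added example, placeholder paths) ----
# HTTP Basic auth in front of the WordPress dashboard.
# Basic auth resends the credentials with every request, so reach wp-admin
# over HTTPS only.
AuthType Basic
AuthName "RESTRICTED AREA"
# Keep the password file outside public_html so it can never be downloaded.
AuthUserFile "/home/USERNAME/.htpasswds/public_html/wp-admin/passwd"
Require valid-user

# Some themes and plugins call wp-admin/admin-ajax.php on behalf of anonymous
# visitors. Without this exemption those visitors would get the password
# prompt too. Exempt only this one file.
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---- File 2: public_html/.htaccess (site root) ----
# wp-login.php lives in the site root, not in wp-admin, so File 1 does not
# cover the login form itself. This block puts the same prompt in front of it.
<Files "wp-login.php">
    AuthType Basic
    AuthName "RESTRICTED AREA"
    AuthUserFile "/home/USERNAME/.htpasswds/public_html/wp-admin/passwd"
    Require valid-user
</Files>
```

After saving, a request to /wp-admin/ or /wp-login.php from a fresh browser session should return the password prompt (HTTP 401) before any WordPress page is rendered.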
Step 3. Minimize Visitor’s Input As Much As Possible
Another tip that is pretty simple but can greatly enhance your WordPress installation’s security is to minimize and limit the input areas on your website that are accessible to users. A real-life example would be the contact form, which we believe to be the bane of WordPress’s existence, due to how easy it is to exploit it to spam or, if you have attachments enabled, to inject malware into your site. Just disable attachments, use a captcha (a strong one), and minimize input as much as possible. In fact, if you can use a 3rd party contact form and avoid WordPress contact form plugins as much as possible, we’d advise you to do that.
Step 4. Use Two Factor Authentication
Two Factor Authentication is awesome. The way it works is, anytime you want to log in to a site that has two factor authentication (2FA) enabled, you’ll have to perform a second action that confirms that it is indeed really you trying to log in. For WordPress, Authy has a pretty awesome plugin that quickly adds and enables this feature on your WordPress site, absolutely free of cost. After you install the plugin and the corresponding app on either your computer or smartphone, every time there’s a login attempt, you’ll be notified and have to confirm it in order to gain access to the WordPress admin dashboard.
Step 5. Use Wordfence
Wordfence is an incredible plugin. In one single installation, you get a Web Application Firewall that tries to block typical WordPress attacks, and blocks all IP addresses that tried to attack your site. One of the key features of Wordfence is its Live Traffic feature, which lets you see a live feed of your site visits, including search engine bots, uptime monitoring, and real visitors. The issue with Live Traffic is that it can consume quite a bit of resources, so we recommend disabling it, but remember to configure the firewall. Sooner or later, you’ll get a new panel in your dashboard that shows how many IP addresses and login attempts Wordfence has successfully blocked. It can be scary looking at the number of bots attempting to break into your site, but it can also help build up a sense of responsibility in securing your site.
Make WordPress Fast
Step 1. Use PHP7
PHP 7 has been out for quite some time, and GOODHost customers can already use PHP 7 through PHP Selector in our panel, but unfortunately adoption rates haven’t quite risen yet. This is unfortunate because the performance boost offered by PHP 7 is quite tremendous. Some have benchmarked WordPress on PHP 7 vs PHP 5, and the results show that PHP 7 brings response time down to only 4ms from the 400ms on PHP 5. This number has been confirmed by our internal benchmark as well. So what prevents you from upgrading to PHP 7? Well, fear of breaking things is one good reason, but we don’t think it’s a good enough reason to hold back on attempting an upgrade. It’s more than worth your time, and since Google now factors page load time into its search results, if you care at least a bit about your SEO, upgrading to PHP 7 from PHP 5 would be our number one recommendation to make WordPress fast.
Step 2. Cache Everywhere, Cache Everything, Cache Whenever You Can
WordPress got quite a bit of a bad reputation in the old days when Digg was still a thing. Oftentimes, when a WordPress site got hit with a surge in traffic, the server, even the most powerful one, would buckle and go down in an instant due to how many dynamic requests it was getting. Caching solves that issue, and solves it by making your site as static as possible, so that the server only has to serve a static HTML page instead of generating a page every single time a visitor arrives.
There are quite a lot of good caching solutions for WordPress, some so powerful that misconfiguring them might make things worse. So if you’re a newbie, we recommend two plugins: Cachify and Comet Cache. We have tested these two plugins and they have boosted the performance and response time of the WordPress sites we manage by quite a bit, even if all you do is click an option and add a bit of code to your .htaccess files.
Now, if your site has quite a bit of dynamic content in it, caching can be an issue, but this can be solved by offloading the dynamic and often-updated content like comments to a 3rd party service like Disqus. That way, you can reduce server load and get even more visitors to your site without straining your site’s performance.
Step 3. Use GTMetrix, Pingdom Tools, to Troubleshoot
Oftentimes we get a support request from customers who think their site loads slowly, only to find out that it’s due to a redirection misconfiguration, something that would be easily caught early if you used objective tools to measure your site’s performance. GTMetrix and Pingdom Tools are two of the most used tools to do this. Just submit your site URL, and these tools will measure and give you a score based on how your site performs, and a list of recommendations to improve it.
But one thing that’s even more useful than those scores is the waterfall tool. From here, you’ll get a bird’s-eye view of which resources take the longest to load, and whether and where you need to prioritize changing your site.
Step 4. Use 3rd Party DNS & CDN
Now, if you take a look at the waterfall tools, you might find that resolving the content takes some milliseconds out of your page load time. There’s a pretty simple way to reduce this: use a 3rd party DNS and a CDN. Why? Well, because 3rd party DNS providers sometimes have multiple servers that are closer than where your, or our, hosting nameservers are located. Some, like Cloudflare, for example, have so many locations for their DNS service that resolving content only takes an instant. Even better, Cloudflare, even on the free plan, also acts as a reverse proxy that caches your static content and serves it from a location closer to your visitors. Coupled with a good static caching plugin, like Cachify or Comet Cache, you get blazing speed for absolutely free. We absolutely recommend it.
Step 5. Optimize Images
The last recommendation is something that should be known to almost all web admins these days but, due to the increase in bandwidth given by ISPs, is quite often forgotten. Optimize your images, because they are the one thing that will take the longest to load. WordPress users are lucky on this one because there are quite a few image-optimizing plugins that can be used to easily rectify the problem. One of them is EWWW Image Optimizer. Just install it, follow all the steps, and you’ll be good.