Category: WordPress

Tips, news and how-tos for the WordPress platform.

  • Hardening Your WordPress Site: Security Basics

    Most WordPress sites are not compromised by some exotic zero-day. They are compromised through weak passwords, outdated plugins, and file permissions that are far more generous than they need to be. The good news is that the same handful of basic measures stops the overwhelming majority of real-world attacks.

    Lock Down Accounts First

    Start with accounts. Every administrator should use a long, unique password and two-factor authentication. Delete the default “admin” username if it still exists, and limit the number of accounts that hold the administrator role to the few people who genuinely need it. An editor cannot install a malicious plugin; an administrator can.

    Next, keep everything updated. The vast majority of hacked sites were running a plugin with a known, already-patched vulnerability. Enable automatic updates for minor core releases and for plugins you trust, and make a habit of removing plugins you no longer use rather than leaving them deactivated but present on disk.

    Finally, tighten the filesystem. Files should be 644, directories 755, and wp-config.php can be locked down further still. Disabling file editing from the dashboard with DISALLOW_FILE_EDIT means that even if an account is taken over, the attacker cannot paste PHP straight into your theme. None of this is glamorous, but security rarely is.
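    A small audit script for the three filesystem points above, added here as an example (it is not part of WordPress or any plugin, and the function names are my own): it lists directories that are not 755, files that are not 644, and a wp-config.php that is world-readable or does not define DISALLOW_FILE_EDIT.

```sh
#!/bin/sh
# Hypothetical audit helper (not WordPress code). Checks a WordPress root for:
#   1. directories that are not 755
#   2. regular files that are not 644 (wp-config.php is checked separately,
#      since it may legitimately be tighter, e.g. 600 or 640)
#   3. wp-config.php readable by "other", or without DISALLOW_FILE_EDIT => true
# Findings go to stdout, one per line; the return code is the number of findings
# (shell return codes wrap at 256, so read the output too).
# To remediate 1 and 2 (only if nothing on the site needs other modes):
#   find "$root" -type d -exec chmod 755 {} +
#   find "$root" -type f -exec chmod 644 {} +

# Print every line of "$2" prefixed with "$1" and set $n to how many there were.
report() {
    n=0
    [ -n "$2" ] || return 0
    printf '%s\n' "$2" | sed "s|^|$1: |"
    n=$(printf '%s\n' "$2" | wc -l)
}

wp_fs_audit() {
    root="$1"
    findings=0

    report "DIR  not 755" "$(find "$root" -type d ! -perm 755)"
    findings=$((findings + n))

    report "FILE not 644" "$(find "$root" -type f ! -name wp-config.php ! -perm 644)"
    findings=$((findings + n))

    cfg="$root/wp-config.php"
    if [ ! -f "$cfg" ]; then
        echo "CONF missing: $cfg"
        findings=$((findings + 1))
    else
        # Any "other" read bit on wp-config.php exposes the DB credentials it holds.
        if [ -n "$(find "$cfg" -perm -004)" ]; then
            echo "CONF world-readable: $cfg"
            findings=$((findings + 1))
        fi
        # DISALLOW_FILE_EDIT must be defined as true to remove the dashboard editors.
        if ! grep -Eq "define\( *['\"]DISALLOW_FILE_EDIT['\"] *, *true *\)" "$cfg"; then
            echo "CONF DISALLOW_FILE_EDIT not true: $cfg"
            findings=$((findings + 1))
        fi
    fi

    return "$findings"
}
```

    Run it as `wp_fs_audit /var/www/html` (path is an assumption); a zero exit status means all three checks passed.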

  • A Practical Guide to WordPress Caching

    Caching is the single highest-leverage change you can make to a WordPress site, and yet it is also the easiest to get subtly wrong. The goal is simple: avoid doing work twice. If a page does not change between two visitors, there is no reason to run PHP, query the database, and assemble the HTML all over again for the second one.

    Know Your Layers

    There are really three layers worth knowing. Page caching stores the finished HTML so repeat requests skip PHP entirely. Object caching stores the results of expensive database queries in memory, using Redis or Memcached, which helps logged-in and dynamic pages that cannot be fully page-cached. Browser caching tells the visitor’s browser to keep static assets locally so they are not re-downloaded on every navigation.

    A content delivery network sits on top of all of this. Rather than every request travelling to your origin server, a CDN serves cached copies from a location near the visitor. For a global audience this cuts hundreds of milliseconds off the connection before a single byte of HTML is sent.

    The mistake people make is enabling everything at once and then being unable to tell which layer broke when a price or a cart total goes stale. Turn them on one at a time, confirm the cache is actually being hit by reading the response headers, and set sensible exclusions for pages that must stay dynamic, such as checkout and account pages.