Richard Bevan, our Technical Director and Senior Systems Administrator, explains how we manage the idiosyncrasies of WordPress here at Imrehost.
It is estimated that there are more than 60 million WordPress websites worldwide. It is a very popular and widely used content management system. There are, however, certain features within WordPress that an ISP needs to manage skilfully to maintain a high level of performance and security.
WordPress is open source
This means that there is a high number of sophisticated attacks that are specifically tailored for WordPress. In recent weeks, several emails from our Web Application Firewall provider have informed us of 100,000+ websites that have been compromised by a recent Revslider plug-in.
Protecting a WordPress site from all vulnerabilities can be challenging and time-consuming.
Understanding that plug-ins can be the downfall of WordPress is key
The core of WordPress is widely agreed to be safe, but the ability to install any old plug-in can leave unmaintained sites vulnerable to attack.
File system permissions
Many ISPs allow the files in the hosting file-system to be writeable by the web-server. This has the advantage of allowing anyone to update WordPress and its plug-ins, so bugs can appear, and can then be fixed. The big disadvantage of this is the potential for a compromised plug-in to be able to write or alter something within a WordPress website.
At Imrehost, we don’t allow our servers to write to the file-system, with the exception of the wp-content/uploads directory (where images go). This means that we only allow the web-server to upload images, thus protecting other files from being compromised.
If there is a successful hack, which changes something within the website, it can make the process of debugging very complicated or even impossible.
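One way to check the policy described above (the web-server may write only to wp-content/uploads), as an added example that is not Imrehost's own tooling: this Python script walks a document root and lists everything else the web-server account could modify. The function names, the numeric uid/gid arguments and the path in the usage comment are assumptions, and only classic Unix mode bits are evaluated, not ACLs.

```python
import os
import stat
import sys
from pathlib import Path

# Per the article, only the uploads directory may be writable by the web server.
ALLOWED_WRITABLE = Path("wp-content/uploads")


def can_write(st, web_uid, web_gids):
    """Classic Unix owner/group/other check; POSIX ACLs are not considered."""
    if st.st_uid == web_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in web_gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_docroot(docroot, web_uid, web_gids):
    """Return relative paths outside uploads that the web server could modify."""
    docroot, gids, findings = Path(docroot), set(web_gids), []
    for current, dirs, files in os.walk(docroot):
        rel_dir = Path(current).relative_to(docroot)
        if rel_dir == ALLOWED_WRITABLE:
            dirs[:] = []  # the permitted upload area is not audited
            continue
        # A writable directory allows files in it to be replaced or added,
        # so directories are checked as well as the files they contain.
        for rel in [rel_dir] + [rel_dir / name for name in files]:
            st = os.lstat(docroot / rel)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits carry no meaning on Linux
            if can_write(st, web_uid, gids):
                findings.append(rel.as_posix())
    return sorted(findings)


if __name__ == "__main__":
    # Usage (hypothetical values): audit.py /var/www/site 33 33
    root, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for finding in audit_docroot(root, uid, [gid]):
        print("web-server writable:", finding)
```

An empty result means the only place the web-server account can write is the uploads directory; a result of "." means the document root itself is writable.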
We always use a Web Application Firewall (WAF) when hosting WordPress. This allows us time to update known issues with plug-ins, which often cause compatibility issues and can take time to fix. In our experience the WAF can sometimes have fixes for exploits before the plug-in developers.
One other major issue with WordPress – again focusing on plug-ins and themes, as these provide almost all of the functionality of a WordPress website – is performance. Very often a plug-in will work really well for about six months, depending on the site. Then as the site grows (with a greater number of online orders or an increasing number of posts) performance can start to take a nosedive.
Object caching needs careful thought. There is an excellent file that can be dropped into WordPress that will place “transient” data storage into memcache. If you don’t know about memcache, then have a read of this. This stops many database operations from taking place.
In multi-server environments you will need to make sure the servers can communicate on specific ports to access the memcache. Setting this up correctly is our number two tip for the continuing performance of your WordPress website. Our number one tip is to always have page caching.