speed & uptime with wordpress

Post on 02-Jul-2015


DESCRIPTION

My presentation from WordCamp Hamilton 2013.

TRANSCRIPT

SPEED & UPTIME with WORDPRESS
by Todd Dow

Who is Todd Dow?
- Senior Digital Specialist at Postmedia Digital
- CISA & PMP certified
- 15 years industry experience: Postmedia, AOL Canada, numerous small business websites.

Etiquette
- Don’t be shy!
- Ask questions right away.
- If you disagree, say so.
- A discussion is more interesting than a lecture.

Overview
- Why do we use WordPress?
- What if my WordPress site fails?
- Causes of failure
- Mitigation Strategies:
  - Hosting
  - Backups
  - Monitoring
  - Security

Why do we use WordPress?
- Communication
- Education
- Productivity
- Entertainment
- To make money

Customers Expect Fast Pages

Abandonment Rate based on page speed (Source: Kissmetrics.com)

  Page load time   Abandonment rate
  < 1 sec           3%
  1 - 5 sec        16%
  6 - 10 sec       30%
  11 - 15 sec      16%
  16 - 20 sec      15%
  20+ sec          20%

Time = Money

Average Impact of One Second Delay in Response Time (Source: gomez.com)

  Page Views              -11%
  Conversions              -7%
  Customer Satisfaction   -16%

What if my WordPress site is slow or non-responsive?
- Communication -> No communication
- Education -> No education
- Productivity -> Lost productivity
- Entertainment -> No entertainment
- To make money -> Loss of revenue

Costs of speed & uptime issues

“For a $100,000/day ecommerce site, a one-second delay means $2.5 million in lost revenues in a year” (Gomez.com)

- Loss of reputation
- Loss of revenue due to customer refunds
- Additional damages (SLA penalties)
- Loss of future business

(Slide columns: Large Enterprises | Small/Medium Business)

Sources of speed & uptime issues
- Power
- Networks
- DNS
- Servers
- OS
- Software
- 3rd parties
- Traffic
- Unoptimized content
- Human error
- Hackers

How do we minimize risk?

Minimize our footprint. The slide stacks the layers we are responsible for and marks a spectrum of ownership across them: Outsource – Customize – Full Control.

  Layer            Examples
  Site Content     User accounts, Content
  Application      WordPress, 3rd parties
  Platform         PHP, Python, Apache
  Infrastructure   OS, Servers, DNS, Networks, Power

How do we minimize risk?

Operational best practices, focusing on: Hosting, Backups, Monitoring, Security

Hosting needs:

Keep it simple – minimize your footprint:
- Host with experts
- Avoid hosting your own hardware
- Get your vendor to manage OS & application patching and maintenance

Expect the following from your vendor:
- 99.999% uptime
- 24x7 support
- System health dashboard
- Off-peak-hours maintenance windows

Hosting Options – free or low cost

WordPress.com:
- Free
- For $43 a year: custom domain, fonts, colours, CSS

Low Cost Hosting
- Numerous hosting options
- Start at $5/month
- Full blog customization
- Risks: shared infrastructure, scalability

Dedicated Hosting
- $50 to $100/month
- Full blog customization
- Risks: scalability

Volume Based Hosting
- Focus is on traffic
- Don’t worry about servers, network, etc.
- Start at $100/month
- Full or partial blog customization

Tier 1 Hosting
- Enterprise-level hosting
- Start at $3,750/month
- Full blog customization
- High volume, high availability

Other Hosting Options

Scalable hosting:
- Amazon Web Services
- Microsoft Azure

Pros: scalable, full control
Cons: management overhead

Other Hosting Considerations

Static content hosting:
- Amazon S3

Use a CDN:
- Amazon CloudFront
- Akamai
- Brightcove
- Cachefly
- Limelight

Backup needs:

Why do backups?
- Protect against site corruption
- Protect against hosting failure
- Ensure business continuity

How often should you do backups?
- As frequently as you post new content.

Backup options:
- Roll your own script to copy files & DB
- VaultPress Service & Plug-in
- Backup Buddy Plug-In
- Numerous other solutions.
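The "roll your own script" option above, as an added shell example that is not from the talk: it reads the DB credentials out of wp-config.php (so they never appear on the command line), archives wp-content plus the config, and dumps the database with mysqldump. Function names, paths and the sample site are assumptions.

```shell
#!/bin/sh
# "Roll your own" WordPress backup: archive the files, dump the database.
# The sample site, its paths and credentials are constructed for this example.
set -e

# Read define('NAME', 'value') from wp-config.php, so credentials are never typed
# on the command line (where ps and shell history would expose them).
wp_define() {  # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Files: wp-content (themes, plug-ins, uploads) plus the config. Prints the archive path.
wp_backup_files() {  # $1 = WordPress root, $2 = destination directory
    mkdir -p "$2"
    chmod 700 "$2"                      # archives contain DB credentials
    out=$2/files-$(date -u +%Y%m%dT%H%M%SZ).tar.gz
    tar -czf "$out" -C "$1" wp-content wp-config.php
    echo "$out"
}

# Database: consistent InnoDB snapshot via mysqldump, then compressed. Prints the dump path.
wp_backup_db() {  # $1 = WordPress root, $2 = destination directory
    cfg=$1/wp-config.php
    out=$2/db-$(date -u +%Y%m%dT%H%M%SZ).sql
    MYSQL_PWD=$(wp_define "$cfg" DB_PASSWORD) \
        mysqldump --single-transaction -h "$(wp_define "$cfg" DB_HOST)" \
            -u "$(wp_define "$cfg" DB_USER)" "$(wp_define "$cfg" DB_NAME)" > "$out"
    gzip "$out"                         # no pipe: a failed dump aborts under set -e
    echo "$out.gz"
}

# Constructed sample install so the file half can be exercised without a database.
make_sample_site() {  # $1 = directory to create
    mkdir -p "$1/wp-content/uploads"
    echo "sample upload" > "$1/wp-content/uploads/hello.txt"
    cat > "$1/wp-config.php" <<'EOF'
<?php // constructed sample, not a real site's configuration
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'placeholder-password' );
define( 'DB_HOST', 'localhost' );
EOF
}

if [ "${1:-}" = demo ]; then            # sh wp-backup.sh demo
    site=$(mktemp -d); make_sample_site "$site"
    wp_backup_files "$site" "$site/backups"   # wp_backup_db needs a reachable MySQL
fi
```

Run the two functions from cron as often as you publish, and restore from the archive regularly so you know the backups actually work.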

Backup options – source code:

Use a source code repository to store your code (plug-ins, themes, etc.)

Options:
- Github
- Assembla
- Bitbucket

Types of monitoring
- Heartbeat = uptime monitoring
- Log = diary of all activities
- Performance = page speed, weight, etc.
- Security = vulnerability scanning
- Traffic = site visits

Heartbeat Monitoring

Heartbeat = uptime monitoring
- Verelo.com
- Pingdom.com
- Etc.

Log Monitoring

Log = diary of all activities
- Splunk.com
- LogRhythm.com
- Etc.

Performance Monitoring

Performance = page speed, weight, etc.
- Browser Tools
- Google PageSpeed
- Webpagetest.org
- Gomez
- Keynote

Security Monitoring

Security = vulnerability scanning
- Nessus
- Qualys
- VaultPress

Traffic Monitoring

Traffic = site visits
- WordPress stats
- Google Analytics

Security Considerations
- We can all be hacked.
- We are all vulnerable.
- Accept it.

Security Considerations:

Our goal: minimize our surface area. Same layer model as the footprint slide, with the same ownership spectrum across it: Outsource – Customize – Full Control.

  Layer            Examples
  Site Content     User accounts, Content
  Application      WordPress, 3rd parties
  Platform         PHP, Python, Apache
  Infrastructure   OS, Servers, DNS, Networks, Power

Security Considerations

Some current trends:
- DDOS attacks are becoming more and more common
- Password theft and human engineering

Top 5 OWASP Vulnerabilities in 2013:
- SQL injection
- Broken authentication and session mgmt
- Cross-site scripting
- Insecure direct object references
- Security misconfiguration

Security: What can we do?

DDOS attacks:
- Work with your hosting provider
- Use a Content Delivery Network (CDN)
- Architect for scale

Security: What can we do?

Password theft and human engineering

Create and maintain secure passwords:
- More than 8 chars, alpha-numeric & symbols, etc.
- Change your password regularly (every 90 days, at most)
- Two factor authentication

Education & Awareness:
- Don’t click on links or visit sites that you don’t trust.
- Don’t share your password with others
- Beware of phishing attacks

Security: What can we do?

Secure coding to mitigate issues like these:
- SQL injection
- Broken authentication and session mgmt
- Cross-site scripting
- Insecure direct object references
- Security misconfiguration

Google this term: “secure coding”

Security: WordPress VIP Guidelines

WordPress.com security guidelines in a nutshell:
- Use strong passwords
- Connect to your site using SFTP/SSH, SSL or some other secure channel
- Restrict admin access
- Disable plug-in/theme editing
- Move wp-config.php file
- Use salts on passwords
- Properly administer permissions on directories
- Change the DB prefix
- Avoid direct php script & DB queries
- Don’t leave comments in your code
- Don’t write to the file system
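An added shell check for several of the guidelines above (not from the talk or from WordPress.com): it audits a wp-config.php for DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN (both real WordPress constants), the default table prefix and the placeholder salts shipped in wp-config-sample.php, and flags a world-readable config or world-writable directories. Function names and the two sample installs are assumptions.

```shell
#!/bin/sh
# Check an install against the guidelines above: file editing disabled, admin over
# SSL, non-default DB prefix, real salts, sane permissions. Sample sites are constructed.
set -e

# Print one FINDING line per guideline the install fails; always returns 0.
wp_config_audit() {  # $1 = WordPress root directory
    cfg=$1/wp-config.php
    # Disable plug-in/theme editing: the editor turns any stolen admin login into code execution.
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$cfg" \
        || echo "FINDING: DISALLOW_FILE_EDIT is not true (plug-in/theme editor enabled)"
    # Administer over a secure channel.
    grep -Eq "define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true" "$cfg" \
        || echo "FINDING: FORCE_SSL_ADMIN is not true (admin sessions may travel over plain HTTP)"
    # Change the DB prefix away from the default.
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "FINDING: table prefix is the default wp_"
    fi
    # Use salts: wp-config-sample.php ships placeholders that must be replaced.
    if grep -q "put your unique phrase here" "$cfg"; then
        echo "FINDING: authentication keys/salts are still the sample placeholders"
    fi
    # Permissions: the config holds DB credentials (column 8 of ls -l is "other" read);
    # no directory should be world-writable (column 9 is "other" write).
    if [ "$(ls -ld "$cfg" | cut -c8)" = r ]; then
        echo "FINDING: wp-config.php is world-readable"
    fi
    find "$1" -type d | while read -r d; do
        if [ "$(ls -ld "$d" | cut -c9)" = w ]; then echo "FINDING: world-writable directory $d"; fi
    done
    return 0
}

# Constructed sample install, either "weak" (sample-config defaults) or "hardened".
make_sample_site() {  # $1 = directory to create, $2 = weak | hardened
    mkdir -p "$1/wp-content/uploads"
    if [ "$2" = weak ]; then
        printf "<?php\n\$table_prefix = 'wp_';\ndefine( 'AUTH_KEY', 'put your unique phrase here' );\n" > "$1/wp-config.php"
        chmod 644 "$1/wp-config.php"; chmod 755 "$1/wp-content"; chmod 777 "$1/wp-content/uploads"
    else
        printf "<?php\n\$table_prefix = 'site_x9k_';\ndefine( 'AUTH_KEY', 'placeholder-long-random-phrase' );\n" > "$1/wp-config.php"
        printf "define( 'DISALLOW_FILE_EDIT', true );\ndefine( 'FORCE_SSL_ADMIN', true );\n" >> "$1/wp-config.php"
        chmod 640 "$1/wp-config.php"; chmod 755 "$1/wp-content" "$1/wp-content/uploads"
    fi
}
```

The weak sample produces six findings and the hardened one none; run wp_config_audit against a real install root to see which of the guidelines it still misses.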

Security: What can we do?

Ongoing best practices:
- Scan for vulnerabilities: Nessus, Qualys, VaultPress
- Patch
- Password changes
- Education

Security: I’ve been hacked! What now?

http://codex.wordpress.org/FAQ_My_site_was_hacked

In a nutshell:
- Stay calm.
- Contact your hosting provider
- In cases of significant damage, contact a security consulting firm and/or police
- Scan your local machine for malware
- Change your passwords
- Identify and fix the issue(s)
- Restore from last good known backup

Review
- Hosting: Build a stable, scalable infrastructure
- Backups: Make sure backups happen and test them often.
- Monitoring: Measure your critical performance data.
- Security: Monitor and respond to threats.

Thanks for listening! Questions?

@toddhdow

http://toddhdow.com/

toddhdow@gmail.com

When in doubt, look for “toddhdow” at <insert social media site here>
