SPEED & UPTIME with
WORDPRESS
by Todd Dow
Who is Todd Dow?
Senior Digital Specialist at Postmedia Digital
CISA & PMP certified
15 years industry experience: Postmedia, AOL Canada, numerous small business websites.
Etiquette
Don’t be shy!
Ask questions right away.
If you disagree, say so.
A discussion is more interesting than a lecture.
Overview
Why do we use WordPress?
What if my WordPress site fails?
Causes of failure
Mitigation Strategies:
Hosting
Backups
Monitoring
Security
Why do we use WordPress?
Communication
Education
Productivity
Entertainment
To make money
Customers Expect Fast Pages
Abandonment rate based on page speed:
  < 1 sec        3%
  1 - 5 sec     16%
  6 - 10 sec    30%
  11 - 15 sec   16%
  16 - 20 sec   15%
  20+ sec       20%
Source: Kissmetrics.com
Time = Money
Average impact of a one-second delay in response time:
  Page views:            -11%
  Conversions:            -7%
  Customer satisfaction: -16%
Source: gomez.com
What if my WordPress site is slow or non-responsive?
Communication -> No communication
Education -> No education
Productivity -> Lost productivity
Entertainment -> No entertainment
To make money -> Loss of revenue
Costs of speed & uptime issues
“For a $100,000/day ecommerce site, a one-second delay means $2.5 million in lost revenues in a year” (Gomez.com)
Loss of reputation
Loss of revenue due to customer refunds
Additional damages (SLA penalties)
Loss of future business
Large Enterprises / Small/Medium Business
Sources of speed & uptime issues
Power
Networks
DNS
Servers
OS
Software
3rd parties
Traffic
Unoptimized content
Human error
Hackers
How do we minimize risk?
Minimize our footprint:
Site Content: content, user accounts
Application: WordPress, 3rd parties
Platform: PHP, Python, Apache
Infrastructure: OS, servers, DNS, networks, power
Options per layer: Outsource, Customize, Full Control
How do we minimize risk?
Operational best practices, focusing on:
Hosting
Backups
Monitoring
Security
Hosting needs:
Keep it simple – minimize your footprint:
Host with experts
Avoid hosting your own hardware
Get your vendor to manage OS & application patching and maintenance
Expect the following from your vendor:
99.999% uptime
24x7 support
System health dashboard
Off-peak-hours maintenance windows
Hosting
Hosting Options – free or low cost
WordPress.com:
Free
For $43 a year: custom domain, fonts, colours, CSS
Low Cost Hosting
Numerous hosting options
Start at $5/month
Full blog customization
Risks:
Shared infrastructure
Scalability
Dedicated Hosting
$50 to $100/month
Full blog customization
Risks:
Scalability
Volume Based Hosting
Focus is on traffic
Don’t worry about servers, network, etc.
Start at $100/month
Full or partial blog customization
Tier 1 Hosting
Enterprise-level hosting
Start at $3,750/month
Full blog customization
High volume, high availability
Other Hosting Options
Scalable hosting:
Amazon Web Services
Microsoft Azure
Pros:
Scalable, full control
Cons:
Management overhead
Other Hosting Considerations
Static content hosting:
Amazon S3
Use a CDN:
Amazon CloudFront
Akamai
Brightcove
Cachefly
Limelight
Backup needs:
Why do backups?
Protect against site corruption
Protect against hosting failure
Ensure business continuity
How often should you do backups?
As frequently as you post new content.
Backups
Backup options:
Roll your own script to copy files & DB
VaultPress service & plug-in
BackupBuddy plug-in
Numerous other solutions.
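The "roll your own script" option, as an added example that is not from the talk: a small POSIX shell backup that archives the parts of a site you cannot re-download (wp-content and wp-config.php), dumps the database with the credentials already in wp-config.php, and verifies the archive so that "test them often" is part of the routine. The paths in the usage comment are assumed values; mysqldump is assumed to be installed for the DB part.

```shell
#!/bin/sh
# Added example (not from the talk): a minimal "roll your own" WordPress backup
# that copies the files and dumps the database, then verifies the archive.
# Assumed: WP_ROOT holds a WordPress install with wp-config.php in it,
# BACKUP_DIR is writable, and mysqldump is installed for backup_db.

set -eu

# Pull a define('KEY', 'value') out of wp-config.php so the script never needs
# a second copy of the DB credentials.  $1 = path to wp-config.php, $2 = name
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive uploads, themes, plug-ins and the config; WordPress core itself can
# always be reinstalled from wordpress.org.  Prints the archive path.
#   $1 = WP_ROOT, $2 = BACKUP_DIR, $3 = timestamp tag
backup_files() {
    out="$2/files-$3.tar.gz"
    tar -czf "$out" -C "$1" wp-config.php wp-content
    printf '%s\n' "$out"
}

# Dump the database using the credentials in wp-config.php.  The password is
# passed through MYSQL_PWD so it never shows up in the process list.
#   $1 = WP_ROOT, $2 = BACKUP_DIR, $3 = timestamp tag
backup_db() {
    cfg="$1/wp-config.php"
    out="$2/db-$3.sql.gz"
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
      mysqldump --single-transaction \
        --host="$(wp_config_value "$cfg" DB_HOST)" \
        --user="$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$out"
    printf '%s\n' "$out"
}

# A backup you have never opened is a hope, not a backup: at least confirm the
# archive reads cleanly and still contains wp-config.php.
verify_files_backup() {
    tar -tzf "$1" | grep -qx 'wp-config.php'
}

# Usage (assumed paths):
#   TAG=$(date +%Y%m%d-%H%M%S)
#   f=$(backup_files /var/www/html /var/backups/wp "$TAG") && verify_files_backup "$f"
#   backup_db /var/www/html /var/backups/wp "$TAG"
```

Run it from cron at least as often as you post, and copy the archives off the host: a backup that lives on the same server as the site disappears with it.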
Backup options – source code:
Use a source code repository to store your code (plug-ins, themes, etc.)
Options:
GitHub
Assembla
Bitbucket
Types of monitoring
Heartbeat = uptime monitoring
Log = diary of all activities
Performance = page speed, weight, etc.
Security = vulnerability scanning
Traffic = site visits
Monitoring
Heartbeat Monitoring
Heartbeat = uptime monitoring
Verelo.com
Pingdom.com
Etc.
Log Monitoring
Log = diary of all activities
Splunk.com
LogRhythm.com
Etc.
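What reading the "diary" actually looks like, as an added example that is not from the talk: a shell/awk log monitor over web server access-log lines. It reports client IPs that repeatedly POST to wp-login.php (password guessing is the most common noise in a WordPress log) and any request for a PHP file under wp-content/uploads, which should never exist. The log lines embedded below are constructed for the demo; the real-log path in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the talk): a small log monitor for WordPress sites.
# The sample lines are constructed, in Apache/nginx "combined" format; point
# the functions at your real access log (assumed path in the usage line).

set -u

SAMPLE_LOG='203.0.113.5 - - [10/Mar/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2013:10:00:05 +0000] "GET /2013/03/hello-world/ HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2013:10:00:07 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 404 120 "-" "curl/7.29"'

# Count login POSTs per client IP and print those at or above a threshold.
# In combined format $1 is the client IP, $6 the quoted method, $7 the path.
#   stdin = access log, $1 = threshold.  Output: "<count> <ip>", busiest first.
login_bursts() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= limit) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# A legitimate site never serves PHP from the uploads directory, so every hit
# there (even a 404) is worth a look.  Output: "<ip> <status> <path>".
uploads_php_hits() {
    awk '$7 ~ /^\/wp-content\/uploads\/.*\.php/ { print $1, $9, $7 }'
}

# Wrappers that run the checks over the constructed sample.
demo_login_bursts() { printf '%s\n' "$SAMPLE_LOG" | login_bursts "$1"; }
demo_uploads_php_hits() { printf '%s\n' "$SAMPLE_LOG" | uploads_php_hits; }

# Real use (assumed path):  login_bursts 20 < /var/log/apache2/access.log
```

Pick the threshold from your own baseline: count the normal number of login POSTs per IP per hour for a week first, then alert on a multiple of it, so that a busy editorial team does not page you every morning.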
Performance Monitoring
Performance = page speed, weight, etc.
Browser Tools
Google PageSpeed
Webpagetest.org
Gomez
Keynote
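The heartbeat and performance checks from the two monitoring slides above, combined into one added example that is not from the talk: a curl-based probe of the kind Pingdom or Verelo run for you. A site only counts as UP when the status is 200 and the body carries a marker you expect (a 200 from the host's "account suspended" page is still an outage), it is SLOW when the response exceeds a time budget, and it retries before declaring DOWN. The URL, marker text and thresholds in the usage line are assumed values.

```shell
#!/bin/sh
# Added example (not from the talk): a do-it-yourself heartbeat probe built on
# curl alone.  Assumed: curl is installed; URL, marker and thresholds are yours.

set -u

# Decide the state from raw probe results; kept separate so it can be tested
# without a network.  $1 = HTTP status, $2 = 1 if the marker was found else 0,
# $3 = response time in ms, $4 = slow threshold in ms
classify_probe() {
    if [ "$1" != 200 ] || [ "$2" != 1 ]; then
        printf 'DOWN\n'
    elif [ "$3" -gt "$4" ]; then
        printf 'SLOW\n'
    else
        printf 'UP\n'
    fi
}

# One probe of a live URL.  $1 = URL, $2 = marker text, $3 = slow threshold in ms.
# Prints "<STATE> <status> <ms>".
probe_site() {
    body="$(mktemp)"
    # -w appends the status code and total time (fractional seconds) after the
    # body; a failed connection leaves raw empty, which is treated as DOWN.
    raw="$(curl -sS -L --max-time 10 -o "$body" -w '%{http_code} %{time_total}' "$1" 2>/dev/null)" || true
    status="${raw%% *}"
    secs="${raw##* }"
    ms="$(awk -v s="$secs" 'BEGIN { printf "%d", s * 1000 }')"
    if grep -q -- "$2" "$body"; then found=1; else found=0; fi
    rm -f "$body"
    printf '%s %s %s\n' "$(classify_probe "${status:-000}" "$found" "$ms" "$3")" "${status:-000}" "$ms"
}

# Retry before alerting: one failed probe is often a blip, several in a row is
# an outage.  $1 = URL, $2 = marker, $3 = slow threshold in ms, $4 = attempts.
# Exit status 0 means UP; anything else is worth paging about.
heartbeat() {
    n=0
    result='DOWN 000 0'
    while [ "$n" -lt "$4" ]; do
        result="$(probe_site "$1" "$2" "$3")"
        case "$result" in
            UP*) printf '%s\n' "$result"; return 0 ;;
        esac
        n=$((n + 1))
        [ "$n" -lt "$4" ] && sleep 5
    done
    printf '%s\n' "$result"
    return 1
}

# Usage (assumed values): heartbeat https://example.com/ 'wp-content' 2000 3
```

Run it from a machine outside your hosting provider's network; a probe that shares the host's power and uplink goes dark at exactly the moment you need it.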
Security Monitoring
Security = vulnerability scanning
Nessus
Qualys
VaultPress
Traffic Monitoring
Traffic = site visits
WordPress stats
Google Analytics
Security Considerations
We can all be hacked.
We are all vulnerable.
Accept it.
Security
Security
Security Considerations:
Our goal: minimize our surface area:
Site Content: content, user accounts
Application: WordPress, 3rd parties
Platform: PHP, Python, Apache
Infrastructure: OS, servers, DNS, networks, power
Options per layer: Outsource, Customize, Full Control
Security Considerations
Some current trends:
DDoS attacks are becoming more and more common
Password theft and human engineering
Top 5 OWASP Vulnerabilities in 2013:
SQL injection
Broken authentication and session mgmt
Cross-site scripting
Insecure direct object references
Security misconfiguration
What can we do?
DDoS attacks:
Work with your hosting provider
Use a Content Delivery Network (CDN)
Architect for scale
What can we do?
Password theft and human engineering
Create and maintain secure passwords:
More than 8 chars, alpha-numeric & symbols, etc.
Change your password regularly (every 90 days, at most)
Two factor authentication
Education & Awareness:
Don’t click on links or visit sites that you don’t trust.
Don’t share your password with others
Beware of phishing attacks
What can we do?
Secure coding to mitigate issues like these:
SQL injection
Broken authentication and session mgmt
Cross-site scripting
Insecure direct object references
Security misconfiguration
Google this term: “secure coding”
WordPress VIP Guidelines
WordPress.com VIP checklists for security & best practices:
http://vip.wordpress.com/documentation/security/
http://vip.wordpress.com/documentation/best-practices-introduction/
WordPress VIP Guidelines
WordPress.com security guidelines in a nutshell:
Use strong passwords
Connect to your site using SFTP/SSH, SSL or some other secure channel
Restrict admin access
Disable plug-in/theme editing
Move wp-config.php file
Use salts on passwords
Properly administer permissions on directories
Change the DB prefix
Avoid direct php script & DB queries
Don’t leave comments in your code
Don’t write to the file system
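Several of the items above can be checked mechanically. The following is an added example, not WordPress.com VIP's own tooling: a read-only shell audit that looks at a site root and reports whether wp-config.php has been moved above the web root, whether the plug-in/theme editor is disabled, whether the DB prefix is still the default, whether the salts are still the sample placeholders, and whether file and directory permissions are sane. The site path in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the talk or WordPress.com VIP): a read-only audit of
# a WordPress install.  Each check returns 0 (pass) or 1 (fail); audit prints
# one line per check and returns the number of failures, so it can run from
# cron and alert on a non-zero exit.  Assumed: $1 is the web root of the site
# and wp-config.php sits there or one directory above it (WordPress looks in
# the root first, then the parent).

set -u

# Locate wp-config.php the way WordPress does: ./ first, then ../
find_wp_config() {
    if [ -f "$1/wp-config.php" ]; then printf '%s\n' "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ]; then printf '%s\n' "$1/../wp-config.php"
    else return 1; fi
}

# "Move wp-config.php": the copy inside the web root must be gone, because
# WordPress would load that one first.
check_config_moved() {
    [ ! -f "$1/wp-config.php" ] && [ -f "$1/../wp-config.php" ]
}

# "Disable plug-in/theme editing": the built-in editor lets any admin session
# write PHP to disk, so DISALLOW_FILE_EDIT should be defined as true.
check_file_edit_disabled() {
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# "Change the DB prefix": fail while $table_prefix is still the default wp_.
check_table_prefix() {
    ! grep -Eq "^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$1"
}

# "Use salts": AUTH_KEY must exist and none of the keys may still carry the
# placeholder text shipped in wp-config-sample.php.
check_salts() {
    grep -q "'AUTH_KEY'" "$1" && ! grep -q 'put your unique phrase here' "$1"
}

# "Properly administer permissions": wp-config.php holds the DB credentials
# and salts, so it must not be world-readable ...
check_config_perms() {
    [ -z "$(find "$1" -maxdepth 0 -perm -004)" ]
}

# ... and no directory under wp-content may be world-writable.
check_content_dirs() {
    [ -z "$(find "$1/wp-content" -type d -perm -002 2>/dev/null)" ]
}

# $1 = label, rest = check command.  Prints PASS/FAIL, returns 1 on FAIL.
run_check() {
    label="$1"; shift
    if "$@"; then printf 'PASS  %s\n' "$label"; return 0; fi
    printf 'FAIL  %s\n' "$label"; return 1
}

# Run every check against one site root; return value = number of failures.
audit() {
    root="$1"
    cfg="$(find_wp_config "$root")" || { printf 'FAIL  wp-config.php not found\n'; return 1; }
    fails=0
    run_check 'wp-config.php moved above the web root' check_config_moved "$root" || fails=$((fails + 1))
    run_check 'plug-in/theme editor disabled (DISALLOW_FILE_EDIT)' check_file_edit_disabled "$cfg" || fails=$((fails + 1))
    run_check 'non-default table prefix' check_table_prefix "$cfg" || fails=$((fails + 1))
    run_check 'unique salts set' check_salts "$cfg" || fails=$((fails + 1))
    run_check 'wp-config.php not world-readable' check_config_perms "$cfg" || fails=$((fails + 1))
    run_check 'no world-writable directories under wp-content' check_content_dirs "$root" || fails=$((fails + 1))
    return "$fails"
}

# Usage (assumed path):  audit /var/www/html; echo "failures: $?"
```

The checks deliberately only read: fixing a finding is a change you want to make and test yourself, since tightening permissions on a shared host can also break uploads and plug-in updates.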
What can we do?
Ongoing best practices:
Scan for vulnerabilities:
Nessus
Qualys
VaultPress
Patch
Password changes
Education
I’ve been hacked! What now?
http://codex.wordpress.org/FAQ_My_site_was_hacked
In a nutshell:
Stay calm.
Contact your hosting provider
In cases of significant damage, contact a security consulting firm and/or police
Scan your local machine for malware
Change your passwords
Identify and fix the issue(s)
Restore from last good known backup
Review
Hosting: Build a stable, scalable infrastructure.
Backups: Make sure backups happen and test them often.
Monitoring: Measure your critical performance data.
Security: Monitor and respond to threats.
Thanks for listening! Questions?
@toddhdow
http://toddhdow.com/
When in doubt, look for “toddhdow” at <insert social media site here>