Marko Heijnen CODEKITCHEN
My complicated site
WordCamp Croatia, Rijeka 2015
Who can remember how their site was hosted 10 years ago?
Web isn’t the same as it was in the nineties
Internet Users 1990
© Copyright Sasi Group (University of Sheffield) and Mark Newman (University of Michigan).
Internet Users 2002
© Copyright Sasi Group (University of Sheffield) and Mark Newman (University of Michigan).
Now around 43% of the world is connected
And almost 50% of users live in Asia
So shared hosting isn’t enough anymore
My site’s history
• Started in 2008
• Hosted on a crappy shared host
• Switched to another shared host
• Switched to a VPS in 2010 with Directadmin
• Started using nginx in 2012 on another VPS
• In 2015 switched to Digital Ocean with multiple servers
Mistakes during the years
• Updating Ubuntu breaking the server due to an incompatible kernel
• Wrong configuration of Apache that slowed down the site
• Updating the PHP version on Directadmin caused hours of downtime
• Running Debian testing causing dependency issues
Built up my own cluster
Multiserver setup
Diagram (public/private split): Loadbalancer, Webserver 1, Webserver 2, Memcached, Elasticsearch, MariaDB
Every server
• apt-dater-host
• apticron (only 1 per matching type)
• fluentd (future for logging)
• ufw (firewall)
UFW (firewall)
• ufw default deny incoming
• ufw default deny outgoing
• ufw allow out http(s)
• ufw allow out DNS
• ufw allow from {your.home.ip}
• other specific rules
Loadbalancer
• nginx mainline (from nginx.org)
• apt-cacher-ng
• modsecurity
Web server
• nginx mainline (from nginx.org)
• PHP7 with no fallback
• OPcache
• WP CLI
• Syncing uploads directory (NFS)
• CDN for assets through MaxCDN
OPcache
• Turned off the check for updated scripts
• Increased max_accelerated_files to 8000
• Increased memory_consumption to 192M
• Enabled fast_shutdown
• enable_file_override = 1
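The settings listed above as a php.ini / conf.d fragment, added here as an example and not taken from the talk; the values are the ones named on the slide, the option names are the real OPcache directives:

```ini
; Added example (not the talk's own config): OPcache tuning as on the slide.
opcache.enable=1
; "turned off the check for updated scripts": PHP never stats the file again,
; so after a deploy or plugin update you must reload php-fpm or call
; opcache_reset(), otherwise the old code keeps running.
opcache.validate_timestamps=0
opcache.max_accelerated_files=8000
; in megabytes
opcache.memory_consumption=192
; only exists up to PHP 7.1; PHP 7.2 removed the directive
opcache.fast_shutdown=1
; file_exists()/is_file()/is_readable() answer from the cache; combined with
; validate_timestamps=0 a deleted file still "exists" until the cache is reset
opcache.enable_file_override=1
```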
Service server
• MariaDB as database
• Memcached as object cache
• Moving to Redis when PHP7 is out
• Elasticsearch to make search better/faster
Multiserver setup
Diagram (public/private split):
• Loadbalancer: fail2ban, modsecurity, ufw, apticron, apt-dater-host
• Webserver 1 and Webserver 2: ufw, apticron (web1 only), apt-dater-host
• Memcached, Elasticsearch, MariaDB: ufw, apticron, apt-dater-host
Additional microservice server
What are microservices
• Microservices are small, autonomous services that work together
• Small, and Focused on Doing One Thing Well
Benefits
• Offload functionality from WordPress
• Different services can use different programming languages
• High level separation
• If WordPress breaks, the services still keep running
• Ease of Deployment
Benefits
• Scale services that require more resources
• In general they have a (REST) API
• Reusable
• Other microservices could call the service to run a task
What I currently have
• Handles all cronjobs for the network site
• Node.js services running for WP Central
• Like getting checksums for plugins/themes
Additional server for image manipulation
Thumbor
• A python server that can manipulate images
• Done by passing the image url to Thumbor
• A lot like Photon from Jetpack
• Built-in image optimizers
• Several kinds of image storages
• Second CDN zone for .webp support
Thumbor installation
• apt-get install python python-dev python-pip libjpeg-dev libpng-dev libtiff-dev libjasper-dev libgtk2.0-dev python-numpy python-pycurl webp python-opencv libwebp-dev libjpeg-progs
• pip install pillow
• pip install thumbor
• thumbor-config > /etc/thumbor.conf
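Thumbor is driven by the image URL in the request path, and a resizer reachable from the internet should not accept arbitrary URLs and sizes from anyone. The generated /etc/thumbor.conf carries SECURITY_KEY and ALLOW_UNSAFE_URL for that; with unsafe URLs off, Thumbor only serves paths carrying a valid HMAC-SHA1 signature over the request path. The following is an added example, not the talk's code and not Thumbor's or libthumbor's own implementation, of building and checking such signed URLs; the key, host and image path are constructed, and the format(webp) filter is what the second CDN zone would request.

```python
"""Added example (not from the talk, not Thumbor's code): build and verify
signed Thumbor URLs using the HMAC-SHA1 + urlsafe-base64 scheme Thumbor's
signer uses. Key, host and image path below are constructed."""
import base64
import hashlib
import hmac

# Assumption: equals SECURITY_KEY in /etc/thumbor.conf (ALLOW_UNSAFE_URL = False).
SECURITY_KEY = b"constructed-example-key-replace-me"


def thumbor_path(image_url, width, height, smart=True, filters=()):
    """Unsigned request path: WxH/[smart/][filters:a():b()/]image-without-scheme."""
    parts = [f"{width}x{height}"]
    if smart:
        parts.append("smart")
    if filters:
        parts.append("filters:" + ":".join(filters))
    for scheme in ("https://", "http://"):
        if image_url.startswith(scheme):
            image_url = image_url[len(scheme):]
    parts.append(image_url)
    return "/".join(parts)


def sign(path, key=SECURITY_KEY):
    """HMAC-SHA1 over the path, urlsafe base64 (28 chars incl. padding)."""
    digest = hmac.new(key, path.encode("utf-8"), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def signed_url(image_url, width, height, **options):
    path = thumbor_path(image_url, width, height, **options)
    return f"/{sign(path)}/{path}"


def verify(url, key=SECURITY_KEY):
    """Server side: split "/<sig>/<path>", recompute, compare in constant time.
    Any change to size, filters or source image invalidates the signature."""
    try:
        _empty, signature, path = url.split("/", 2)
    except ValueError:
        return False
    return hmac.compare_digest(signature, sign(path, key))


if __name__ == "__main__":
    src = "https://example.com/wp-content/uploads/2015/10/photo.jpg"  # constructed
    print(signed_url(src, 300, 200))
    # WebP variant for the second CDN zone: same source, different signature
    print(signed_url(src, 300, 200, filters=("format(webp)",)))
```

The signature covers the whole path, so a client cannot change the requested size, swap in another source host or add filters without the key; the WordPress side generates the URLs with the key, the CDN zones simply cache what Thumbor returns.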
My setup
Diagram (public/private split): Loadbalancer, Webserver 1, Webserver 2, Microservices, Thumbor, Memcached, Elasticsearch, MariaDB
Security
First level server security
• Using firewall which blocks all
• Adding rules for opening ports
• SSH is key only
• No PHP execution in wp-content/uploads
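How the last point can be enforced in nginx, as an added example (not the talk's own configuration): the uploads prefix gets its own location that never passes .php files to PHP-FPM, while everything else in it is still served as a static file. The socket path is an assumption.

```nginx
# Added example, not from the talk: no PHP execution under wp-content/uploads.
# "^~" makes this prefix location win over the regex location below that sends
# *.php to PHP-FPM, so it works regardless of where it sits in the file.
location ^~ /wp-content/uploads/ {
    location ~* \.(php|phtml|phar)$ {
        deny all;
    }
    # images and documents fall through and are served as static files
}

location ~ \.php$ {
    try_files $uri =404;    # never hand a non-existent path to PHP
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/var/run/php7-fpm.sock;   # assumed socket path
}
```

Check it after a reload: a request for any .php path below /wp-content/uploads/ must come back as 403, while an image in the same directory is still served.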
First level app security
• Super admins are forced to use IPs
• Soon admins are forced to use two factor authentication
Second level security
• All log files are stored in a database
• Failed login attempts are logged
Detection layer
• Detection layer when files are added/changed
• What is in your uploads folder (PHP files)
• Detect required updates
• Detect security issues in core/plugins/themes
• List plugins/themes that aren’t used
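The first two points of the detection layer, detecting added or changed files and PHP files inside the uploads folder, as an added example that is not part of the talk: a baseline manifest of SHA-256 hashes is kept outside the uploads directory, each run reports what was added, changed or removed since the last run, and anything with a PHP-executable suffix anywhere in its name is flagged. The manifest location, the uploads path and the sample files are assumptions constructed for the example.

```python
"""Added example, not from the talk: a small detection layer for
wp-content/uploads. Keeps a baseline manifest of SHA-256 hashes, reports
files added/changed/removed since the last run and flags PHP-executable
suffixes. Manifest path, uploads path and sample files are assumptions."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Suffixes a PHP handler may execute. Every suffix of the name is checked,
# which also catches double extensions such as shell.php.jpg.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its hash."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def find_executables(manifest):
    """Relative paths whose suffixes intersect EXECUTABLE_SUFFIXES (case-insensitive)."""
    return sorted(rel for rel in manifest
                  if {s.lower() for s in Path(rel).suffixes} & EXECUTABLE_SUFFIXES)


def diff_manifests(baseline, current):
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }


def scan(uploads_dir, manifest_file):
    """Diff against the stored baseline (empty on the first run), then store
    the new one. Keep manifest_file outside uploads_dir so it is not scanned."""
    manifest_file = Path(manifest_file)
    current = build_manifest(uploads_dir)
    baseline = json.loads(manifest_file.read_text()) if manifest_file.exists() else {}
    report = diff_manifests(baseline, current)
    report["executable"] = find_executables(current)
    manifest_file.write_text(json.dumps(current, sort_keys=True, indent=1))
    return report


def demo():
    """Two scans over a constructed uploads tree: the first records the
    baseline, the second sees a re-encoded image and a PHP file that a
    detection layer must catch. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads" / "2015" / "10"
        uploads.mkdir(parents=True)
        manifest = Path(tmp) / "uploads-baseline.json"  # outside the uploads tree
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8 constructed jpeg bytes")
        first = scan(Path(tmp) / "uploads", manifest)
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8 re-encoded constructed bytes")
        (uploads / "shell.php.jpg").write_bytes(b"<?php /* constructed sample */ ?>")
        second = scan(Path(tmp) / "uploads", manifest)
    return first, second


if __name__ == "__main__":
    for report in demo():
        print(json.dumps(report, indent=1))
```

Run it from cron on each web server with the real uploads path and a manifest outside the document root, and send any non-empty "executable" or "added" list to wherever the log database and alerts live; on a site where uploads are synced over NFS one server's run is enough.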
See also my presentation: Protecting your site by detection
Play, break and learn
Marko Heijnen
• Founder of CodeKitchen
• Lead developer of GlotPress
• Core contributor for WordPress
• Organizer for WordCamp Belgrade
Marko Heijnen
info@markoheijnen.com
@markoheijnen
Thank you for listening
Questions?
@markoheijnen
markoheijnen.com
codekitchen.eu
My complicated WordPress site