The document is about an Italian WordPress conference in 2012. It discusses various topics around WordPress security and performance. Some of the key topics covered include protecting wp-login.php with .htaccess rules, changing the WordPress directory structure for security, using blackholing to block bots, monitoring files for changes, avoiding FTP, using caching and transients, reducing plugins, minifying files, and using a CDN and server tuning.

1. ITALIAN WORDPRESS CONFERENCE 2012
16th June 2012
Turin - Italy

2. ITALIAN WORDPRESS CONFERENCE 2012
WORDPRESS
SECURITY
AND PERFORMANCE

3. Happy Birthday!!! #WPCON2012
About me
 37 years old
 Born in Turin (Italy)
 Co-Founder mavida.com
 WordPress Lover
 http://maurizio.mavida.com
 http://www.linkedin.com/in/mauriziopelizzone

4. #WPCON2012
SECURITY

5. HTACCESS #WPCON2012
Protect wp-login.php

6. HTACCESS #WPCON2012
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^my-login wp-login.php?loginkey=HR5SKG&redirect_to=
http://%{SERVER_NAME}/wp-admin/index.php [L]
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/my-login
RewriteCond %{QUERY_STRING} !^loginkey=HR5SKG
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login.php http://%{SERVER_NAME}/? [R,L]
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule . http://%{SERVER_NAME}/? [L]
</IfModule>

7. HTACCESS #WPCON2012
Deny .php execution

8. HTACCESS #WPCON2012
Order Allow,Deny
Deny from all
<Files ~ ".(xls|doc|rtf|pdf|zip|rar|mp3|flv|swf|png|gif|jpg|js|css)$">
Allow from all
</Files>
#
# manage exception
#<Files filename.php>
# Allow from all
#</Files>

9. #WPCON2012
CHANGE DIRECTORY
STRUCTURE

10. WP-CONFIG.PHP #WPCON2012
Rename wp-content
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/asset' );
define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/asset' );

11. WP-ADMIN –> MEDIA #WPCON2012
Change Upload Directory

12. WP-CONFIG.PHP + INDEX.PHP #WPCON2012
Move WordPress Core
/*
* add to wp-config.php
*/
define( 'WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/wordpress-core/');
define( 'WP_HOME', 'http://' . $_SERVER['SERVER_NAME']);
/*
* change in index.php
*/
define('WP_USE_THEMES', true);
require('./wordpress-core/wp-blog-header.php');

13. MY CUSTOM STRUCTURE #WPCON2012

14. #WPCON2012
BLACKHOLE

15. BLACKHOLE #WPCON2012
http://perishablepress.com/blackhole-bad-bots/

16. HTACCESS #WPCON2012
RULES FOR BLACKHOLE
RewriteEngine On
RewriteBase /
RewriteRule ^(admin|wp-admin|wp-content)$ blackhole/ [L]
RewriteRule ^(phpinfo|phpmyadmin)$ blackhole/ [L]

17. PLUGIN #WPCON2012
BLACKHOLE PLUGIN
<?php
/*
Plugin Name: blackhole
Plugin URI: http://maurizio.mavida.com/
Description: blackhole
License: GPL
Version: 0.1
Author: Maurizio Pelizzone
Author URI: http://maurizio.mavida.com
*/
if (!is_admin()){
include($_SERVER['DOCUMENT_ROOT'] . "/blackhole/blackhole.php");
}

18. #WPCON2012
FILE MONITOR

19. FILEMONITOR PLUGIN #WPCON2012

20. #WPCON2012
AVOID FTP

21. #WPCON2012
PERFORMACE

22. TITLE #WPCON2012
CACHE
(storing cached data in the database)

23. CACHE #WPCON2012
TRANSIENT API
http://codex.wordpress.org/Transients_API
$posts = get_transient( $transient_name );
if (!$posts) {
wp_reset_query();
$the_query = new WP_Query();
$the_query->query( $args );
$posts = $the_query->posts;
set_transient( $transient_name , $posts , $transient_expiration );
}

24. CACHE #WPCON2012

25. PLUGINS #WPCON2012
PLUGINS
(less is better)

26. PLUGINS #WPCON2012

27. MINIFICATION #WPCON2012
js/css MINIFICATION

28. MINIFICATION #WPCON2012

29. CDN #WPCON2012
CLOUDFLARE CDN
(as Reverse Proxy)

30. CDN #WPCON2012

31. TITLE #WPCON2012
SERVER TUNING
VARNISH deflate
memcached
expire
APC
NGINX
MySqlTuner

32. #WPCON2012
?

33. Other #WPCON2012
Thank you
Maurizio Pelizzone
@miziomon
maurizio@mavida.com
http://maurizio.mavida.com