Speed & Uptime with Wordpress


My presentation from WordCamp Hamilton 2013.


  1. WORDPRESS, by Todd Dow
  2. Who is Todd Dow? Senior Digital Specialist at Postmedia Digital. CISA & PMP certified. 15 years industry experience: Postmedia, AOL Canada, numerous small business websites.
  3. Etiquette: Don't be shy! Ask questions right away. If you disagree, say so. A discussion is more interesting than a lecture.
  4. Overview:
     - Why do we use WordPress?
     - What if my WordPress site fails?
     - Causes of failure
     - Mitigation strategies: hosting, backups, monitoring, security
  5. Why do we use WordPress? Communication, education, productivity, entertainment, to make money.
  6. Customers expect fast pages. Abandonment rate based on page speed (source: Kissmetrics.com):
     - < 1 sec: 3%
     - 1 - 5 sec: 16%
     - 6 - 10 sec: 30%
     - 11 - 15 sec: 16%
     - 16 - 20 sec: 15%
     - 20+ sec: 20%
  7. Time = Money. Average impact of a one-second delay in response time (source: gomez.com): page views -11%, conversions -7%, customer satisfaction -16%.
  8. What if my WordPress site is slow or non-responsive? Each reason we use WordPress turns into a loss: communication becomes no communication; education becomes no education; productivity becomes lost productivity; entertainment becomes no entertainment; making money becomes loss of revenue.
  9. Costs of speed & uptime issues. "For a $100,000/day ecommerce site, a one-second delay means $2.5 million in lost revenues in a year" (Gomez.com). For large enterprises and small/medium businesses: loss of reputation; loss of revenue due to customer refunds; additional damages (SLA penalties); loss of future business.
  10. Sources of speed & uptime issues: power, networks, DNS, servers, OS, software, 3rd parties, traffic, unoptimized content, human error, hackers.
  11. How do we minimize risk? Minimize our footprint. (Slide diagram: the site stack in layers Site, Content, Application, Platform, Infrastructure, on a control spectrum from Outsource through Customize to Full Control. Items shown: content; user accounts; WordPress, 3rd parties; platforms: PHP, Python, Apache; OS, servers, DNS, networks, power.)
  12. How do we minimize risk? Operational best practices, focusing on: hosting, backups, monitoring, security.
  13. Hosting needs. Keep it simple, minimize your footprint:
     - Host with experts
     - Avoid hosting your own hardware
     - Get your vendor to manage OS & application patching and maintenance
     Expect the following from your vendor:
     - 99.999% uptime
     - 24x7 support
     - System health dashboard
     - Off-peak-hours maintenance windows
  14. Hosting options, free or low cost. WordPress.com: free; for $43 a year: custom domain, fonts, colours, CSS.
  15. Low cost hosting: numerous hosting options; start at $5/month; full blog customization. Risks: shared infrastructure, scalability.
  16. Dedicated hosting: $50 to $100/month; full blog customization. Risks: scalability.
  17. Volume based hosting: focus is on traffic; don't worry about servers, network, etc.; start at $100/month; full or partial blog customization.
  18. Tier 1 hosting: enterprise-level hosting; start at $3,750/month; full blog customization; high volume, high availability.
  19. Other hosting options. Scalable hosting: Amazon Web Services, Microsoft Azure. Pros: scalable, full control. Cons: management overhead.
  20. Other hosting considerations. Static content hosting: Amazon S3. Use a CDN: Amazon CloudFront, Akamai, Brightcove, Cachefly, Limelight.
  21. Backup needs. Why do backups? Protect against site corruption; protect against hosting failure; ensure business continuity. How often should you do backups? As frequently as you post new content.
  22. Backup options: roll your own script to copy files & DB; VaultPress service & plug-in; BackupBuddy plug-in; numerous other solutions.
  23. Backup options, source code: use a source code repository to store your code (plug-ins, themes, etc.). Options: GitHub, Assembla, Bitbucket.
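The "roll your own script to copy files & DB" option from slide 22, worked through as an added example (this is not code from the talk or from any of the products named). It assumes a standard wp-config.php with define('DB_NAME', ...) style lines, mysqldump and tar on PATH, and a hypothetical DUMP_CMD variable that lets another dumper (or a test stub) stand in for mysqldump.

```shell
#!/bin/sh
# Added example, not from the talk: a "roll your own" WordPress backup in POSIX sh.
# It reads the DB credentials from wp-config.php, dumps the database, archives the
# dump together with the site files, verifies the archive, and prunes old copies.
# Assumptions: mysqldump and tar are on PATH and wp-config.php uses the standard
# define('DB_NAME', '...') form. DUMP_CMD is a hypothetical override hook.
set -u

# read_wp_define <wp-config.php> <CONSTANT>
# Prints the string value of define('CONSTANT', 'value'); single or double quotes.
read_wp_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# dump_database <wp-config.php> <outfile>
# Runs mysqldump with the site's own credentials. Setting DUMP_CMD swaps in
# another dumper (it receives the DB name as $1), which is also how a test
# can exercise the script without a database.
dump_database() {
    local cfg="$1" out="$2" db user pass host
    db=$(read_wp_define "$cfg" DB_NAME)
    user=$(read_wp_define "$cfg" DB_USER)
    pass=$(read_wp_define "$cfg" DB_PASSWORD)
    host=$(read_wp_define "$cfg" DB_HOST)
    if [ -n "${DUMP_CMD:-}" ]; then
        $DUMP_CMD "$db" > "$out"
    else
        # MYSQL_PWD keeps the password off the command line, so it is not
        # visible to other users in the process list.
        MYSQL_PWD="$pass" mysqldump --single-transaction \
            -h "${host:-localhost}" -u "$user" "$db" > "$out"
    fi
}

# backup_site <wp-root> <backup-dir>
# Writes <backup-dir>/wp-<UTC timestamp>.tar.gz holding database.sql and a
# files/ copy of the WordPress root, checks it can be read back, and prints
# the archive path. The archive contains wp-config.php (DB password, salts),
# so it is created owner-readable only.
backup_site() {
    local root="$1" dest="$2" stamp work archive
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    mkdir -p "$dest" "$work/files"
    dump_database "$root/wp-config.php" "$work/database.sql"
    cp -R "$root/." "$work/files/"
    archive="$dest/wp-$stamp.tar.gz"
    (umask 077 && tar -czf "$archive" -C "$work" .)
    rm -rf "$work"
    # A backup that cannot be listed is not a backup; fail loudly instead.
    tar -tzf "$archive" > /dev/null || { rm -f "$archive"; return 1; }
    echo "$archive"
}

# prune_backups <backup-dir> <keep>
# Removes all but the <keep> newest wp-*.tar.gz archives (the UTC timestamp in
# the name sorts chronologically) and prints how many were deleted.
prune_backups() {
    local dest="$1" keep="$2" n=0 f
    for f in $(ls -1 "$dest" | grep '^wp-.*\.tar\.gz$' | sort -r | tail -n "+$((keep + 1))"); do
        rm -f "$dest/$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Usage: ./wp-backup.sh /var/www/html /var/backups/wp [keep]
if [ $# -ge 2 ]; then
    archive=$(backup_site "$1" "$2") || exit 1
    echo "backup written: $archive"
    echo "old backups pruned: $(prune_backups "$2" "${3:-7}")"
fi
```

Run it from cron as often as slide 21 suggests (as frequently as you post), and copy the archive off the hosting provider's infrastructure, since a backup that lives next to the site does not protect against hosting failure. The listing check at the end is the cheapest part of slide 40's "test them often"; a full restore into a staging site is the real test.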
  24. Types of monitoring:
     - Heartbeat = uptime monitoring
     - Log = diary of all activities
     - Performance = page speed, weight, etc.
     - Security = vulnerability scanning
     - Traffic = site visits
  25. Heartbeat monitoring (uptime monitoring): Verelo.com, Pingdom.com, etc.
  26. Log monitoring (diary of all activities): Splunk.com, LogRhythm.com, etc.
  27. Performance monitoring (page speed, weight, etc.): browser tools, Google PageSpeed, Webpagetest.org, Gomez, Keynote.
  28. Security monitoring (vulnerability scanning): Nessus, Qualys, VaultPress.
  29. Traffic monitoring (site visits): WordPress stats, Google Analytics.
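What the heartbeat and log monitoring of slides 24 to 26 boil down to, as an added example that is not from the talk or from any of the services named: one curl probe per run, a classification against the page-speed threshold, a log line per probe, and the uptime figure computed from that log. It assumes curl is installed; the SLOW_SECONDS threshold, the log format and the example URL are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the talk: a minimal heartbeat (uptime) monitor in
# POSIX sh doing what a Pingdom/Verelo-style check does. Each probe records
# the HTTP status and total response time with curl, classifies the result,
# and appends one line to a log file, which then serves as the "diary" that a
# dashboard or alert rule reads. Assumes curl is installed. SLOW_SECONDS and
# the log format are constructed for this example.
set -u

SLOW_SECONDS="${SLOW_SECONDS:-2}"   # responses slower than this are "up but degraded"

# classify <http_code> <seconds>
# OK   : 2xx/3xx within SLOW_SECONDS
# SLOW : 2xx/3xx but over the threshold
# DOWN : 4xx/5xx, or 000 (curl could not connect / timed out)
classify() {
    local code="$1" secs="$2"
    case "$code" in
        2[0-9][0-9]|3[0-9][0-9])
            # sh has only integer arithmetic; awk compares the float for us.
            if awk -v s="$secs" -v t="$SLOW_SECONDS" 'BEGIN { exit !(s > t) }'; then
                echo SLOW
            else
                echo OK
            fi ;;
        *) echo DOWN ;;
    esac
}

# probe <url>
# Prints "<http_code> <total_seconds>". curl still prints the -w line when the
# connection fails, with code 000, so the caller always gets something to log.
probe() {
    curl -sS -o /dev/null --max-time 10 \
        -w '%{http_code} %{time_total}' "$1" 2>/dev/null || true
}

# log_probe <url> <logfile>
# Appends "timestamp STATUS code seconds url" and returns non-zero unless the
# site was OK, so a cron job can chain an alert with "log_probe ... || notify".
log_probe() {
    local url="$1" log="$2" result code secs status
    result=$(probe "$url")
    case "$result" in
        *" "*) code=${result%% *}; secs=${result#* } ;;
        *)     code=000; secs=0 ;;   # curl missing or printed nothing
    esac
    status=$(classify "$code" "$secs")
    printf '%s %s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$status" "$code" "$secs" "$url" >> "$log"
    [ "$status" = OK ]
}

# uptime_percent <logfile>
# Share of logged probes that were OK, one decimal place: the headline number
# on a status dashboard, and what to compare against a 99.999% hosting promise.
uptime_percent() {
    awk '{ n++; if ($2 == "OK") ok++ }
         END { if (n == 0) print "0.0"; else printf "%.1f\n", 100 * ok / n }' "$1"
}

# Usage: ./heartbeat.sh https://example.test/ /var/log/heartbeat.log
if [ $# -ge 1 ]; then
    log_probe "$1" "${2:-heartbeat.log}" || echo "ALERT: $1 is not OK" >&2
fi
```

Run it from cron every few minutes from a machine outside the hosting provider's network, otherwise a network or DNS failure (two of the sources on slide 10) goes unnoticed. Keeping SLOW as a separate state matters because a site that answers in eight seconds is "up" to a plain ping but already in the 30% abandonment band of slide 6.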
  30. Security considerations: We can all be hacked. We are all vulnerable. Accept it.
  31. Security considerations. Our goal: minimize our surface area. (Same stack diagram as slide 11: layers Site, Content, Application, Platform, Infrastructure, from Outsource through Customize to Full Control; items: content; user accounts; WordPress, 3rd parties; platforms: PHP, Python, Apache; OS, servers, DNS, networks, power.)
  32. Security considerations, some current trends: DDoS attacks are becoming more and more common; password theft and human engineering. Top 5 OWASP vulnerabilities in 2013:
     - SQL injection
     - Broken authentication and session management
     - Cross-site scripting
     - Insecure direct object references
     - Security misconfiguration
  33. What can we do? DDoS attacks: work with your hosting provider; use a Content Delivery Network (CDN); architect for scale.
  34. What can we do? Password theft and human engineering. Create and maintain secure passwords: more than 8 chars, alpha-numeric & symbols, etc.; change your password regularly (every 90 days, at most); two factor authentication. Education & awareness: don't click on links or visit sites that you don't trust; don't share your password with others; beware of phishing attacks.
  35. What can we do? Secure coding to mitigate issues like these: SQL injection; broken authentication and session management; cross-site scripting; insecure direct object references; security misconfiguration. Google this term: "secure coding".
  36. WordPress VIP guidelines. WordPress.com VIP checklists for security & best practices: http://vip.wordpress.com/documentation/security/ and http://vip.wordpress.com/documentation/best-practices-introduction/
  37. WordPress VIP guidelines. WordPress.com security guidelines in a nutshell:
     - Use strong passwords
     - Connect to your site using SFTP/SSH, SSL or some other secure channel
     - Restrict admin access
     - Disable plug-in/theme editing
     - Move the wp-config.php file
     - Use salts on passwords
     - Properly administer permissions on directories
     - Change the DB prefix
     - Avoid direct PHP scripts & DB queries
     - Don't leave comments in your code
     - Don't write to the file system
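Several of the slide 37 guidelines are settings in wp-config.php, so they can be checked rather than just remembered. The audit below is an added example, not code from the talk or from the WordPress.com VIP documentation. The define() names (DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, the AUTH_KEY family, $table_prefix) are real WordPress configuration constants; the check logic, the FINDING messages and the exit-status convention are this example's own.

```shell
#!/bin/sh
# Added example, not from the talk or the WordPress.com VIP docs: a POSIX sh
# audit of a wp-config.php against several of the guidelines above (disable
# plug-in/theme editing, secure channel for admin, salts, DB prefix, file
# permissions). It changes nothing; it prints one FINDING line per problem
# and returns the number of findings. The define() names are the real
# WordPress constants; the audit logic and messages are this example's own.
set -u

# has_define <file> <CONSTANT> <value-regex>
# True when define('CONSTANT', value) is present; -i makes true/TRUE equal.
has_define() {
    grep -iqE "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*$3[[:space:]]*\)" "$1"
}

# audit_wp_config <wp-config.php>
# Exit status = number of findings (0 means every check passed).
audit_wp_config() {
    local cfg="$1" findings=0 perms others
    # 1. The built-in theme/plug-in editor lets anyone holding an admin
    #    session write PHP to the site; the guideline is to disable it.
    if ! has_define "$cfg" DISALLOW_FILE_EDIT true; then
        echo "FINDING: DISALLOW_FILE_EDIT is not set to true"; findings=$((findings + 1))
    fi
    # 2. Admin and login pages over SSL ("connect using a secure channel").
    if ! has_define "$cfg" FORCE_SSL_ADMIN true; then
        echo "FINDING: FORCE_SSL_ADMIN is not set to true"; findings=$((findings + 1))
    fi
    # 3. The stock wp-config-sample.php ships this placeholder in every
    #    key/salt line; unique salts are what make login cookies hard to forge.
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "FINDING: keys/salts still hold the sample placeholder"; findings=$((findings + 1))
    fi
    # 4. Default table prefix ("change the DB prefix").
    if grep -qE 'table_prefix[[:space:]]*=[[:space:]]*.wp_.[[:space:]]*;' "$cfg"; then
        echo "FINDING: \$table_prefix is the default wp_"; findings=$((findings + 1))
    fi
    # 5. The file holds the DB password and salts: the "other" permission bits
    #    must not include read (mode xx4, xx5, xx6, xx7). GNU stat first, BSD fallback.
    perms=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    others=$(printf '%s' "$perms" | tail -c 1)
    case "$others" in
        [4-7]) echo "FINDING: wp-config.php is world-readable (mode $perms)"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Usage: ./audit-wp-config.sh /var/www/html/wp-config.php
if [ $# -ge 1 ]; then
    n=0
    audit_wp_config "$1" || n=$?
    echo "findings: $n"
    exit "$n"
fi
```

Because the exit status is the finding count, the script slots straight into the "scan for vulnerabilities" routine of slide 38: run it after every WordPress update or hosting move and alert on any non-zero result. Items from slide 37 that are not settings in this file (restricting admin access, moving wp-config.php above the web root, directory permissions) still need their own checks.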
  38. What can we do? Ongoing best practices: scan for vulnerabilities (Nessus, Qualys, VaultPress); patch; password changes; education.
  39. I've been hacked! What now? http://codex.wordpress.org/FAQ_My_site_was_hacked. In a nutshell: stay calm; contact your hosting provider; in cases of significant damage, contact a security consulting firm and/or police; scan your local machine for malware; change your passwords; identify and fix the issue(s); restore from the last known good backup.
  40. Review. Hosting: build a stable, scalable infrastructure. Backups: make sure backups happen and test them often. Monitoring: measure your critical performance data. Security: monitor and respond to threats.
  41. Thanks for listening! Questions? @toddhdow, http://toddhdow.com/, toddhdow@gmail.com. When in doubt, look for "toddhdow" at <insert social media site here>.