How to improve security and perfomace in your WordPress installation

1. ITALIAN WORDPRESS CONFERENCE 2012
16th June 2012
Turin - Italy

2. ITALIAN WORDPRESS CONFERENCE 2012
WORDPRESS
SECURITY
AND PERFORMANCE

3. Happy Birthday!!! #WPCON2012
About me
 37 years old
 Born in Turin (Italy)
 Co-Founder mavida.com
 WordPress Lover
 http://maurizio.mavida.com
 http://www.linkedin.com/in/mauriziopelizzone

4. #WPCON2012
SECURITY

5. HTACCESS #WPCON2012
Protect wp-login.php

6. HTACCESS #WPCON2012
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^my-login wp-login.php?loginkey=HR5SKG&redirect_to=
http://%{SERVER_NAME}/wp-admin/index.php [L]
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/wp-login.php
RewriteCond %{HTTP_REFERER} !^http://%{SERVER_NAME}/my-login
RewriteCond %{QUERY_STRING} !^loginkey=HR5SKG
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login.php http://%{SERVER_NAME}/? [R,L]
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule . http://%{SERVER_NAME}/? [L]
</IfModule>

7. HTACCESS #WPCON2012
Deny .php execution

8. HTACCESS #WPCON2012
Order Allow,Deny
Deny from all
<Files ~ ".(xls|doc|rtf|pdf|zip|rar|mp3|flv|swf|png|gif|jpg|js|css)$">
Allow from all
</Files>
#
# manage exception
#<Files filename.php>
# Allow from all
#</Files>

9. #WPCON2012
CHANGE DIRECTORY
STRUCTURE

10. WP-CONFIG.PHP #WPCON2012
Rename wp-content
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/asset' );
define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/asset' );

11. WP-ADMIN –> MEDIA #WPCON2012
Change Upload Directory

12. WP-CONFIG.PHP + INDEX.PHP #WPCON2012
Move WordPress Core
/*
* add to wp-config.php
*/
define( 'WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/wordpress-core/');
define( 'WP_HOME', 'http://' . $_SERVER['SERVER_NAME']);
/*
* change in index.php
*/
define('WP_USE_THEMES', true);
require('./wordpress-core/wp-blog-header.php');

13. MY CUSTOM STRUCTURE #WPCON2012

14. #WPCON2012
BLACKHOLE

15. BLACKHOLE #WPCON2012
http://perishablepress.com/blackhole-bad-bots/

16. HTACCESS #WPCON2012
RULES FOR BLACKHOLE
RewriteEngine On
RewriteBase /
RewriteRule ^(admin|wp-admin|wp-content)$ blackhole/ [L]
RewriteRule ^(phpinfo|phpmyadmin)$ blackhole/ [L]

17. PLUGIN #WPCON2012
BLACKHOLE PLUGIN
<?php
/*
Plugin Name: blackhole
Plugin URI: http://maurizio.mavida.com/
Description: blackhole
License: GPL
Version: 0.1
Author: Maurizio Pelizzone
Author URI: http://maurizio.mavida.com
*/
if (!is_admin()){
include($_SERVER['DOCUMENT_ROOT'] . "/blackhole/blackhole.php");
}

18. #WPCON2012
FILE MONITOR

19. FILEMONITOR PLUGIN #WPCON2012

20. #WPCON2012
AVOID FTP

21. #WPCON2012
PERFORMACE

22. TITLE #WPCON2012
CACHE
(storing cached data in the database)

23. CACHE #WPCON2012
TRANSIENT API
http://codex.wordpress.org/Transients_API
$posts = get_transient( $transient_name );
if (!$posts) {
wp_reset_query();
$the_query = new WP_Query();
$the_query->query( $args );
$posts = $the_query->posts;
set_transient( $transient_name , $posts , $transient_expiration );
}

24. CACHE #WPCON2012

25. PLUGINS #WPCON2012
PLUGINS
(less is better)

26. PLUGINS #WPCON2012

27. MINIFICATION #WPCON2012
js/css MINIFICATION

28. MINIFICATION #WPCON2012

29. CDN #WPCON2012
CLOUDFLARE CDN
(as Reverse Proxy)

30. CDN #WPCON2012

31. TITLE #WPCON2012
SERVER TUNING
VARNISH deflate
memcached
expire
APC
NGINX
MySqlTuner

32. #WPCON2012
?

33. Other #WPCON2012
Thank you
Maurizio Pelizzone
@miziomon
maurizio@mavida.com
http://maurizio.mavida.com