My Ultimate Setup For Secure and High Performance WordPress

Over the years, I have set up a lot of WordPress sites for myself as well as for some of my clients. Along the way, I have discovered some good-to-follow setups for a secure and high performance WordPress site.

For me, a high performance WordPress site must be:

  1. Secure and Spam Free
  2. Fast Loading
  3. Minimal Resource Consumption
  4. Highly Available
  5. Search Engine Optimized

To meet these goals, you must optimize both your software and your hardware. It might require a little technical knowledge of server optimization, but why stop yourself from being adventurous and learning it by trial and error?

Step 1: Set Up an Amazon AWS Ubuntu Nginx Instance

I recommend an Amazon AWS Ubuntu Nginx instance for performance. If you are already using a server setup other than Ubuntu with Nginx, you can still read on for the parts of this guide that cover optimizing WordPress performance.

I once had my website, with 3 – 5 million pageviews a month, on Linux and Windows servers. Windows servers generally consume more resources than Linux. I have tried Apache on CentOS, but it creates a lot of zombies (idle processes) when you get a lot of traffic. I then ventured into using Nginx on CentOS as a reverse proxy. Performance improved dramatically, but the server still became slow and ended up rebooting when traffic spiked.

Eventually I moved to Nginx on Ubuntu. This setup so far has the best performance, but you have to sacrifice graphical user interfaces such as cPanel and WHM.

Step 2: Install WordPress to your Instance

Installing WordPress on Nginx can be a little different from what you have experienced with a GUI such as cPanel. You need to SSH to your server and type some commands to install WordPress.

Step 3: Optimize your WordPress for better performance

My goals for the optimization are simple: fast loading, secure and Search Engine optimized. You can do it by using some trusted plugins or fine tuning some WordPress settings if you are a technical person.

Step 4: Enable HTTPS and HTTP/2

A lot of people hesitate when it comes to enabling HTTPS. Other than the SEO concerns, a website served over HTTPS will in general load slower than one served over HTTP.

But if you also enable HTTP/2 along with HTTPS, the speed trade-off becomes very small. Follow this guide to enable HTTPS for free.

Step 5: Install Cloudflare

You need Cloudflare to boost your WordPress performance for a few reasons:

  • Security – Cloudflare is able to block most bot traffic and attack attempts.
  • Performance – Cloudflare will serve the cached version of your WordPress content to the user without hitting your server.
  • A Free Cloudflare Account would be sufficient to get you all these basic protections and speed optimizations.

However, you need to configure the Cloudflare settings correctly in order to get things working. Here are some basic setups to get your Cloudflare CDN working:

1. Add an “always online” page rule for all your blog posts and pages

Add a page rule for YOUR_DOMAIN/*. This will tell Cloudflare to serve a cached copy of your website.

The settings:

Always online: On
Cache Level: Cache Everything
Cache TTL: 12 hours (or more)

2. Add another page rule for wp-admin


This will tell Cloudflare not to cache the wp-admin directory.


Browser Integrity Check: On
Browser Cache TTL: 30 minutes
Security Level: High
Cache Level: Bypass
Disable Apps
Disable Performance

3. Add another page rule for blog preview


This will tell Cloudflare not to cache the blog preview.


Browser Integrity Check: On
Browser Cache TTL: 30 minutes
Always Online: Off
Security Level: High
Cache Level: Bypass
Disable Apps, Disable Performance


You can only add up to 3 page rules on the free version. These 3 basic and essential settings are good enough to fully enable your Cloudflare CDN caching.
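Cloudflare applies only the first matching page rule, in priority order, to each request, so the two Bypass rules have to sit above the catch-all. The following is an added example, not part of the original post, that models this evaluation so the order can be checked before saving it; `example.com` stands in for YOUR_DOMAIN, and the wp-admin and preview URL patterns are assumptions because the post does not show them.

```python
import re

# Page rules in priority order (first match wins). The wp-admin and preview
# patterns are assumptions; example.com is a placeholder for YOUR_DOMAIN.
RULES = [
    ("example.com/wp-admin*", "Bypass"),
    ("example.com/*preview=true*", "Bypass"),
    ("example.com/*", "Cache Everything"),
]

def pattern_to_regex(pattern):
    """Translate a page-rule pattern: '*' matches any run of characters."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")

def winning_rule(url, rules):
    """Return (pattern, cache_level) of the first rule matching url, or None."""
    target = re.sub(r"^https?://", "", url)  # the patterns carry no scheme
    for pattern, level in rules:
        if pattern_to_regex(pattern).match(target):
            return pattern, level
    return None

def audit(urls_must_bypass, rules):
    """List URLs that are not explicitly bypassed by their winning rule."""
    failures = []
    for url in urls_must_bypass:
        hit = winning_rule(url, rules)
        if hit is None or hit[1] != "Bypass":
            failures.append((url, hit))
    return failures

# Constructed sample URLs that must never be served from cache.
PRIVATE_URLS = [
    "https://example.com/wp-admin/post.php?post=12&action=edit",
    "https://example.com/?p=12&preview=true",
]

if __name__ == "__main__":
    print("correct order:", audit(PRIVATE_URLS, RULES))
    # Same rules with the catch-all moved to the top: it shadows both bypasses.
    print("wrong order:  ", audit(PRIVATE_URLS, [RULES[2]] + RULES[:2]))
    # wp-login.php sits outside /wp-admin/, so only the catch-all matches it.
    print(winning_rule("https://example.com/wp-login.php", RULES))
```

Add any other URL that must stay uncached to `PRIVATE_URLS` and rerun the audit whenever a pattern or the rule order changes.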




This is my ultimate WordPress setup to fully utilize the server and internet resources. It covers security, performance, high availability and scalability. Feel free to give it a try and leave your feedback here.
