Website and application visitors expect their online experiences to be both fast and secure. This is especially true as websites and applications are more frequently used as the primary storefront for businesses, support transactions with sensitive information, and store private customer data. With over 28 percent of the world’s websites running on WordPress, they are especially vulnerable to attack due to higher levels of visibility.
Whether you’re running a small personal blog or multi-million dollar eCommerce shop, this blog post will cover an array of security and performance improvements which all WordPress website owners should seriously consider implementing. When combined, these enhancements can improve WordPress page load speeds by over 2x and prevent attackers from compromising your website through a variety of vectors.
At CloudFlare, these issues are near and dear to our hearts, and we’ve learned how to address each of these features individually or as one solution to ensure a faster, safer website.
Join a content delivery network (CDNs)
A great starting point for any website owner to best understand how to reduce their website’s latency and improve loading speeds for visitors is to understand where a majority of latency is coming from, and how that latency impacts the website beyond just the bare visitor experience.
One of the most substantial drivers of website latency is the geographic distance between website visitors and origin server locations. It’s estimated that for every 100 miles of distance between visitors and origin servers, there is an added 0.82 milliseconds of latency. For example, if your website is hosted Scottsdale, Ariz. and receive a visitor from Tokyo, Japan, they’re going to experience a greater amount of latency than someone trying to access it from Los Angeles due to distance.
Latency is proven to play a key role in SEO rankings, conversions, signups, revenue, and overall visitor experiences. Google reported that increased site latency as small as 100 – 400 milliseconds has a measurable impact on consumer behavior, and Walmart found a sharp decrease in conversion rate as site load time increased by just a few seconds.
When deciding on a CDN, it’s likely you’ll want to compare key factors such as query speed, uptime, number of data centers, additional functionalities, etc. A vendor-agnostic website which helps compare these components across various CDNs is https://www.cdnperf.com/.
Use website optimizations and the latest web standards
Geographic distance combined with heavy, unoptimized static content results in even further latency for visitors. It’s important to ensure that every page renders fast and efficiently from whatever device or Internet connection your visitors are using. Found below are a list of website optimizations and web standards which should be adopted to get the most out of your website’s performance.
SSL / TLS 1.2 and 1.3
SSL (Secure Socket Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This secure link, also called TLS (Transport Layer Security), ensures that all data transferred remains private. Millions of websites use SSL encryption every day to secure connections and keep their visitor’s data safe from monitoring and tampering, as well as improving their website’s performance.
When adding an SSL certificate to your website, your domain will be accessed in a web browser through the HTTPS protocol, rather than HTTP — the additional ‘S’ stands for ‘secure’. SSL encryption is becoming essential as modern web browsers, such as Google Chrome and Firefox, are beginning to show prominent warnings to website visitors that it is an untrusted and unsafe asset to browse. Utilizing SSL to enable HTTPS offers the following benefits for your website:
- Security: Encrypting traffic with SSL ensures nobody can snoop on your users’ data.
- Trust: By displaying a green lock in the browser’s address bar, SSL increases visitor’s trust.
- Regulatory Compliance: SSL is a key component in PCI compliance.
- Performance: Modern SSL can actually improve page load times.
- Search Ranking Boost: Search engines favor HTTPS websites.
The latest version of SSL, 1.3, reduces latency even further and removes insecure features of TLS making HTTPS more secure and performant than any previous version of TLS and its non-secure counterpart, HTTP.
To install an SSL certificate, you’ll want to check out this Torque article.
If a website has an SSL/ TLS certificate with version 1.2 or later, they’ll be able to utilize the HTTP/2 protocol; HTTP/2 is a major revision of the HTTP network protocol used by the World Wide Web and makes websites up to two times faster with no changes to existing codebases. Enabling HTTP/2 manually can be a highly technical process and the guide on how to enable it can be found here.
All modern browsers support and automatically negotiate gzip compression for all HTTP and HTTPS requests. By enabling gzip compression, website owners reduce the size of transferred responses by up to 90 percent, which can significantly reduce the amount of time for a page to load, reduce data usage for the client, and improve the time to first render of your pages. Google categorizes Gzip compression as a Page Speed Insights optimization that all website owners should be using.
Head over to the Google developer center for an in-depth review of Gzip compression and how to manually enable it.
The Google developer center will also help you with this.
IPv6 is the Internet’s next-generation protocol, designed to replace the current Internet Protocol, IP Version 4. Today, we’ve run out of IPv4 addresses and IPv6 represents the modern Internet where billions of devices including phones, tablets, cars, household appliances and a slew of IoT devices need to interact on a global scale.
IPv6 offers a variety of advantages over its predecessor IPv4, including efficient routing and packet processing, directed data flow, improved security, and more. Setting your website up on a Content Delivery Network (CDN) which supports IPv6 and IPv4 to IPv6 translation is one of the best ways to ensure IPv6 addresses can access your WordPress website.
Find a DDoS mitigation provider
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. The typical target of DDoS attack includes layers 3, 4, and 7 of the Open Systems Interconnection (OSI) model of websites and applications:
DDoS attacks are often not one-off events and victims are typically targeted multiple times in a year. According to CloudFlare’s experience, anybody – both large and small organizations – can be targeted. Even though many jurisdictions have laws under which ”DDoS attacks are illegal, there are ”DDoS-as-a-Service” providers offering subscriptions some starting as low as at $5 – $10 per month.
The ability to absorb spikes in traffic is just as critical as intelligent filtering. Many content delivery networks (CDNs) have the added benefit of acting as DDoS mitigation solution when combined with intelligent software to monitor all assets on the network. Depending on the number of data centers within a network, the total amount of throughput, and whether or not the network uses Anycast technology, traffic can likely be absorbed while keeping assets online and performant.
When choosing a DDoS protection provider, some key features to compare are the total number of data centers, network throughput, the cost structure of services (i.e. charge per amount of bandwidth or flat-rate pricing), and mitigation of both volumetric and application-layer attacks.
Implement a web application firewall (WAF)
A Web Application Firewall (WAF) protects websites and applications by filtering out bad web traffic between a specific web property and the Internet while letting good traffic through. WAFs protect against attacks such as cross-site forgery, cross-site scripting (XSS), and SQL injection; it’s considered a layer 7 defense in the OSI model.
WAFs are typically bundled together into a suite of products which create a holistic defense against a range of attacks. By deploying a WAF in front of your WordPress website, a shield is placed between your website and the Internet. A WAF is a type of reverse-proxy, protecting the server from exposure by having traffic pass through the WAF before reaching the server, acting as a “scrubbing center”.
Evaluating your current DNS provider
Domain Name Servers (DNS) are the equivalent to a phone book, maintaining a directory of domain names and translating them into IP addresses, which identify the location of website or application assets. DNS is required because, although domain names are easy for people to remember, computers or machines, access websites based on IP addresses. Records of all the domain name servers across the web are stored in a Central Registry, where hosting companies and Internet service providers receive updated DNS information on a regular cadence.
Just as CDNs assist with delivering content closest to visitors as possible, if DNS is incorporated into the CDN, it can assist in resolving DNS requests as close to the visitor as possible; this reduces latency and page load times even further.
Most hosting providers offer DNS services, but if you decide to opt into using another service for your WordPress website’s DNS, you’ll likely want to compare key factors such as raw performance, resolver simulations, uptime, and quality of the network across a variety of regions. A vendor-agnostic website which helps compare these components across various DNS providers is https://www.dnsperf.com.