WordPress Hardening

There are a few simple tweaks you can make to prevent some of the most common infections.

1. Disable PHP execution in /uploads/ and /cache/ folders

You can add a few lines to your Apache or Nginx configuration that prevent PHP execution inside the /uploads/ and /cache/ folders. In many cases this renders the initial backdoor or dropper useless: even if an arbitrary file upload succeeds, the uploaded script cannot be executed.

Nginx:

# Deny access to PHP files in any /uploads/ or /cache/ directories.
# Place these before the location that passes \.php$ to PHP-FPM: nginx uses the
# first matching regex location, so a PHP handler block listed earlier would win.
location ~ /uploads/(.+)\.php$ { access_log off; log_not_found off; deny all; }
location ~ /cache/(.+)\.php$ { access_log off; log_not_found off; deny all; }

Apache:

Create a .htaccess file in both the /uploads/ and /cache/ folders and put the following in each of them:

# Kill PHP Execution
# "deny from all" is Apache 2.2 syntax (still accepted by 2.4 via mod_access_compat);
# the native Apache 2.4 equivalent is "Require all denied".
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all
</Files>
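As an added check (my own example, not code from the page): a deny rule only helps if its pattern covers every extension the server's PHP handler actually executes. The script below replays the page's nginx and Apache patterns over constructed sample request paths and compares them with a broader pattern (my suggestion, not the page's) to show where each rule would still let a file through.

```python
import re

# Patterns copied from the page's rules. nginx tests its location regex against the
# request URI; Apache's <Files ~ "..."> tests only the file name part.
NGINX_RULES = [re.compile(r"/uploads/(.+)\.php$"), re.compile(r"/cache/(.+)\.php$")]
APACHE_RULE = re.compile(r"\.ph(?:p[345]?|t|tml)$")

# Suggested broader pattern (my addition, not from the page): also covers .php7, .phps
# and .phar, and ignores case so a differently cased extension cannot slip past a
# handler that matches extensions case-insensitively (as Apache's mod_mime does).
HARDENED_RULE = re.compile(r"\.(?:php\d*|phtml|phps|phar|pht)$", re.IGNORECASE)


def nginx_denies(uri):
    """True if one of the page's two nginx location rules would answer 403."""
    return any(rule.search(uri) for rule in NGINX_RULES)


def apache_denies(uri, rule=APACHE_RULE):
    """True if a <Files> block using `rule` would deny the requested file name."""
    filename = uri.rsplit("/", 1)[-1]
    return bool(rule.search(filename))


# Constructed sample requests against a WordPress install (not real traffic).
SAMPLE_URIS = [
    "/wp-content/uploads/2019/01/shell.php",
    "/wp-content/uploads/2019/01/shell.phtml",
    "/wp-content/uploads/2019/01/shell.PHP",
    "/wp-content/uploads/2019/01/shell.php7",
    "/wp-content/uploads/2019/01/photo.jpg",
    "/wp-content/cache/page.php",
]


def coverage_report(uris=SAMPLE_URIS):
    """Map each URI to the (nginx, apache, hardened) deny decisions."""
    return {u: (nginx_denies(u), apache_denies(u), apache_denies(u, HARDENED_RULE))
            for u in uris}


def not_fully_covered(uris=SAMPLE_URIS):
    """URIs the broader pattern denies but at least one of the page's rules allows."""
    return [u for u, (n, a, h) in coverage_report(uris).items() if h and not (n and a)]


if __name__ == "__main__":
    for uri, (n, a, h) in coverage_report().items():
        print(f"{uri:42} nginx={n!s:5} apache={a!s:5} hardened={h!s:5}")
    print("review deny pattern for:", not_fully_covered())
```

Whether a file with one of the uncovered extensions is actually executed depends on the handler configuration of your server, so compare the deny pattern against the extensions your PHP handler is configured for rather than against this list alone.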

2. Disable file editing from the Admin Panel

It is a good idea to disable editing of theme and plugin files directly from the WordPress Admin Panel. Add the following line to your wp-config.php file:

## Disable Editing in Dashboard
## (must be placed above the "That's all, stop editing!" line so it is defined before WordPress loads)
define('DISALLOW_FILE_EDIT', true);

3. Hide the default Admin Panel

WordPress sites are constantly brute-forced by botnets and hacking scripts. The main reasons for this are the vast number of sites with the well-known admin panel location /wp-admin/ and the fact that many site owners use the default Admin or Administrator username with a weak password. This makes it easy to gain access to thousands of WordPress sites and infect them with malware, install backdoors, send e-mail spam and redirect traffic.

It can be tricky to change the /wp-admin/ location manually in a way that still works properly. Use a third-party plugin instead, such as WPS Hide Login.

4. Web Application Firewall, Uptime Monitoring, Vulnerabilities

It is worth having a managed web application firewall that is continually updated with rules for the latest exploits targeting outdated and vulnerable WordPress plugins, themes and core versions. A firewall is as essential for a website today as anti-virus software is for a computer, and having a full overview of what is going on on your site is a must.

There are WordPress plugins such as Wordfence, iThemes Security and All In One WP Security that let you apply hardening options to your site automatically, without having to add snippets to different files manually (as above).

If you want peace of mind and don’t want to go through WordPress hardening, or even worse, a malware removal process, I suggest you sign up for our (WordPress) Maintenance Services. We offer free migration from other (WordPress) maintenance services or hosts. No fixed contracts, cancel anytime, starting at € 20/month.

5. Use secure hosting and keep software up to date

Your hosting environment has to be up to date (check whether PHP 7.2 is supported), well configured and secure. If you save money by choosing a cheap, untrusted hosting provider, it is only a matter of time before issues arise. You can secure your application with the highest-grade security solutions, but once your host is hacked, none of the security implemented in your application matters.

Discover our top-rated hosting for fast and reliable (WordPress) websites. Sites are hosted on secured servers. Get up to 200% of the speed compared with HDD hosting. 100% uptime guarantee for your websites or applications. We can help you launch, enhance or migrate your hosting according to your needs. 24x7x365 we monitor your (virtual) server or website. Our advice is straightforward and free, and we can’t wait to help.

If you have any questions or need help, feel free to contact us.

Stay safe!

Swift Plugin Organizer

With Swift Plugin Organizer you can disable plugins on specific pages. Here is an example that excludes Contact Form 7 on the frontend site-wide, except on your contact page.

1.) Add a disable rule: Frontend. This disables Contact Form 7 everywhere on the frontend.

2.) Add an exception (enable rule): URL Match, “contact”. This lets the plugin load on the “http://yoursite.com/contact/” page.

3.) However, you also need to add an exception for the “feedback” wp-json request that the form submits to. It will be https://yoursite.com/wp-json/contact-form-7/v1/contact-forms/ID/feedback. The easiest way is to add a URL Match enable rule: “wp-json/contact-form-7”.

WP Rocket with WP Rocket Footer JS

Introduction

WP Rocket

WP Rocket is known as one of the best caching solutions for WordPress and is a premium plugin (no free version available). It is user-friendly and has a perfect marketing strategy, which certainly contributed to the many good reviews on the internet.

The plugin functions correctly right after activation, so you won’t be banging your head against the wall trying to configure it. Those of you who are technologically literate can dive into its advanced options and set up a custom configuration.

What about the plugin WP Rocket Footer JS?

This plugin processes all inline and external JS into one file instead of many, places it in the footer with async enabled, and puts all localized scripts together before the primary script. It also automatically optimizes popular third-party services. You can download the plugin from the WordPress repository here.

It is definitely not a well-known plugin; so far it has been downloaded just over 1,000 times, not a lot compared with the number of WP Rocket users. The plugin starts functioning as soon as you activate it. After activating the plugin, clear the WP Rocket cache, preload it and test the results.

Testing is done using GTMETRIX from London, UK.

Plugin            Fully Loaded Time   PageSpeed Score   YSlow Score
None              3.0 seconds         C – 79%           D – 66%
WP Rocket         1.0 second          A – 98%           A – 94%
with Footer JS    1.2 seconds         A – 99%           A – 96%

And here are the screenshots of the results (images not included in this copy): without cache; WP Rocket; WP Rocket with Footer JS plugin.

Conclusion of WP Rocket with WP Rocket Footer JS Plugin

At first sight it seems that WP Rocket with the extra Footer JS plugin did a slightly better job. The loading time was a bit slower (0.2 seconds), but the GTmetrix scores were better with the plugin: 99% PageSpeed and 96% YSlow. Looking closer, though, apart from the higher scores, the way some pages loaded with the extra plugin was a bit “funny”. There is a delay in the first part of the load, obviously a result of placing all the JS in the footer. It could certainly annoy visitors. On top of that, it took 0.2 seconds longer to load. Not much, but when it comes to speed optimization, quite important to me.

My conclusion: it is not worthwhile to add this extra plugin on top of WP Rocket, as it can also generate new problems and does not improve the most important factor: load time.

If you also want a fast-loading website, just contact us.

Note: I only did quick global testing and didn’t play with the advanced settings in WP Rocket; I just installed and activated the WP Rocket Footer JS plugin. This test is therefore a personal experience related to one specific website.

Which WordPress Plugin Should You Choose?

Why?
With the rise of mobile devices, website speed has become increasingly important. These days, visitors expect websites to load within two seconds or less. Anything more and they are likely to hit the back button in their browser. One of the most effective ways to make a website load faster is caching. WordPress users who want to implement this technology can choose from a number of plugins.

But what is caching?

The term caching means temporarily storing data. Web browsers constantly save data from websites, such as images, files and pages, on your hard drive. That way, when you go back to the same site, they don’t need to load everything from scratch but can use what they already have. As a consequence, websites appear faster on your screen. To understand what WordPress caching plugins do, you first need to understand that the majority of websites are HTML documents (plus CSS and JavaScript, of course, but HTML is the basis). WordPress, however, consists mainly of PHP.

When someone requests your WordPress site, its HTML version is dynamically generated by the PHP scripts in the files on your server. Naturally, that takes time and processing power. To speed up the process, caching plugins create and save HTML versions of your pages beforehand and serve them to browsers directly. That way, the pages don’t have to be built from scratch on every request.

Okay, I understand that, but how do I choose the right cache plugin for my website?
It is not easy to tell. Your first idea is probably to search Google for something like “best wordpress cache plugin”. You get thousands of results and a lot of comparison tests. Most of these “tests” are actually websites with advertisements. If you take a closer look at these “tests”, nearly all the plugins mentioned link directly to the plugin author's website, but with a referral. In other words, the site earns an (affiliate) commission from the plugin author. Why would they write an honest article?

The only way to make the right choice is to test multiple cache plugins yourself. Is it easy to set up? Are there any conflicts? Does the speed of your website increase? Does everything work correctly? Most cache plugins create some conflicts if you enable all (pro) settings, so good support from the author or other users is essential. Even if you only use the basic settings, that is already a good starting point for comparing the results of the cache plugins.

Free or paid?
Plugins come in free and paid (or premium) forms. Whether to go with a free or a paid one varies from case to case. However, choosing the right plugin is very important. Also keep in mind that plugins should solve a specific problem or provide an essential function. As mentioned before, reliable support is essential, and in most cases you only get that with paid plans.

Now that you understand how it works, I tested two popular cache plugins: WP Rocket and Swift Performance.
Read on for the test and the outcome….

WP Rocket vs Swift Performance

Introduction

Swift Performance is a relatively new cache plugin on the market for WordPress, and I was curious whether it would work just as well as WP Rocket. This comparison shows real live website data using WP Rocket, and later switching to Swift Performance.

I purchased a Swift Performance developer licence for a fair comparison, as Swift Performance also has a free version (Lite). All our websites have used WP Rocket for about 4 years now, and I am extremely satisfied with its performance. That said, I am always looking for improvements, testing new things and comparing.

So, here is a test comparison between WP Rocket and Swift Performance.

01. WP Rocket

WP Rocket is known as one of the best caching solutions for WordPress and is a premium plugin (no free version available). It is user-friendly and has a perfect marketing strategy, which certainly contributed to the many good reviews on the internet.

The plugin functions correctly right after activation, so you won’t be banging your head against the wall trying to configure it. Those of you who are technologically literate can dive into its advanced options and set up a custom configuration.

Features
WP Rocket is a feature-rich caching plugin that offers cache preloading, browser caching, GZIP compression and options for HTML, CSS and JavaScript minification and concatenation.

Aside from the technical bits, WP Rocket is user-friendly and doesn’t require you to mess with any advanced configuration settings (unless of course you absolutely want to). The plugin starts functioning as soon as you activate it.

Business Website: https://wp-rocket.me/
Documentation: https://docs.wp-rocket.me/

02. Swift Performance

Swift Performance is, in my opinion, the best WordPress cache plugin. There is a free version (Lite) and a Pro version. It is feature-rich yet simple to use. Even better, the plugin launches a Setup Wizard on activation, where you can choose between automatic and manual configuration.

Swift Performance provides an intelligent, modern caching system. You can even cache AJAX requests and dynamic pages, and you can add exceptions (URL-, page- or content-based rules).

Features
Page caching works out of the box. It is also compatible with WooCommerce, bbPress, Cloudflare and Varnish. It will boost your performance, improve SEO scores and create a better user experience. The Pro version even comes with a Plugin Organizer and a (free) Image Optimizer.

Business Website: https://swiftperformance.io/
Documentation: https://swiftperformance.io/faq/
Unofficial Guide: https://wpjohnny.com/swift-performance-wordpress-cache-plugin-unofficial-guide/

Okay, enough talking, what is the outcome of the test?

Testing environment

The website in question is Montevalepereiro.com, the business website of one of our clients. At the time of testing it ran WordPress 4.9.6, was hosted on a VPS and used a custom theme and about 10 plugins. This website had used WP Rocket for the last 2 years.

Testing is done using GTMETRIX from London, UK.

Plugin              Fully Loaded Time   PageSpeed Score   YSlow Score
None                3.0 seconds         C - 79%           D - 66%
WP Rocket           1.0 second          A - 98%           A - 94%
Swift Performance   1.0 second          A - 100%          A - 100%

And here are the screenshots of the results (images not included in this copy): without cache; WP Rocket; Swift Performance.

Conclusion of Swift Performance Pro vs. WP Rocket

To avoid any misunderstanding: I paid for both the WP Rocket and the Swift Performance licences, I do not work for these companies and I have no relationship with them in any other way. I develop web applications and optimize all sorts of websites. For optimizing WordPress websites I use a lot of different techniques.

At first sight I was pretty sure that Swift Performance did a slightly better job. The loading time was exactly the same, but the GTmetrix scores were better with Swift Performance; a 100%/100% score looks quite impressive. Looking closer, though, apart from the higher scores, the way some pages loaded with Swift Performance was a bit “funny”. It could annoy visitors. On top of that, I had to disable or change some plugins to get it to work properly. For example, a pop-up plugin (Master PopUps) behaved very strangely with Swift Performance, while with WP Rocket it worked out of the box. On the other hand, with WP Rocket I had to disable Lazy Load and Combine Scripts as well, because they caused some conflicts in the layout. Both cache plugins needed some manual configuration to cache the site without generating any conflict.

I contacted both plugin authors; Swift Performance solved the two problems. WP Rocket admitted that Swift Performance was doing a better job in this case than their own cache plugin. They even offered a refund, but later withdrew that generous offer….

What plugin should you choose?

Swift is relatively new and is set to become the best all-in-one optimization plugin soon. It has some awesome features, such as free image optimizing (can you believe it), critical font and a plugin organizer. Support was always a bit slow, but nowadays it is amazingly fast, and they are always willing to help and come up with a solution. The Swift Performance plugin is a ‘Swiss Army knife’ for speeding up WordPress websites. The total page size and number of requests were lower than with WP Rocket, so Swift really did a good job.

WP Rocket is user-friendly, good-looking and also comes with good support. Unfortunately it does not offer free image optimizing or a way to organize plugins. Should it?

At the end of the day it is all about page loading time, and both cache plugins achieved a loading time of 1 second. So if you have to choose (why not both?), right now I would definitely recommend Swift Performance. It is certainly a close call, but let’s hope these competitors stay sharp and keep improving their products, from which we all benefit.

If you also want a fast-loading website, just contact us.

Note: I didn’t test the performance right after activating the two plugins (out of the box). The examples and numbers are after configuration and repeated testing with different settings, until the front end of the website showed no conflicts for visitors or in the browser console for developers.