Act I, All’s Well That Ends Well

Build a Screaming Fast, Bulletproof WordPress Site

By ATTCK, published in Plan of ATTCK · 4 min read · Mar 5, 2018


(originally posted on attck.com)

The architecture we’re going to discuss involves configuring WordPress to publish a static site (i.e., HTML only version) which we then host on a high-performance server configuration such as AWS S3 and CloudFlare.

If you’ve never heard of a static WordPress site, keep reading.

The basic premise of this setup is that WordPress is a difficult application to secure, so let’s get it out of the picture entirely.

This solution may not seem intuitive at first but if you understand how all the components of a website’s infrastructure hang together, you’ll understand how this makes for the fastest loading and most impenetrable WordPress site possible.

WordPress is vulnerable

WordPress brings many points of vulnerability, with new exploits discovered regularly. In fact, there is a constant cyber-war raging between an army of bots and teams of dedicated cyber-security professionals.

WordPress itself employs 50 experts who find and deploy fixes for security flaws on a daily basis.

We’re going to accomplish performance AND security goals in one shot, by generating a static site version of WordPress and hiding the WordPress installation itself from potential attackers.

At ATTCK, we followed this setup for our work with the United Nations Framework Convention on Climate Change Momentum for Change 2015 Annual Report.

You can view the Case Study here: http://attck.com/work/united-nations/

Key security principles

There are several basic principles that, frankly, apply to any web application, including server security, file access limitations, and password strength. WordPress-specific risks can traditionally be mitigated by simple things like limiting plugin usage to trusted sources and keeping plugins updated, along with updating the WordPress core itself, or by preventing brute-force attacks by changing defaults like the login URL location, security salts, and file access and ownership settings, among others.

But sometimes this isn’t enough.

Secure infrastructure

Taking precautions even further, we can abstract WordPress from the picture entirely by using a static site generator, like Simply Static or WP Static HTML Output, to publish an HTML version of the site that never touches a database. In this setup, we host the admin authoring instance on a private, password-protected staging site. We can use any Continuous Integration service, like CircleCI or CodeShip, to automatically deploy newly published site files to S3 via AWS CodeDeploy.

Here is what the basic infrastructure looks like

In addition, we can schedule a nightly backup of the site alongside uptime monitoring, automated integration tests, and file integrity scans, so that any changes to the site content or outages are immediately reported to our team.
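A pre-publish check for the static export and the file integrity scan described above, as an added example (not the article's own code, nor code from Simply Static or WP Static HTML Output): it scans the exported files for references to the private staging host and for dynamic WordPress endpoints the generator left behind, and builds the SHA-256 manifest a nightly integrity scan would diff against. The staging host name and the sample export are constructed for the example.

```python
import hashlib
import re
from pathlib import Path

# Hypothetical private staging host; the article does not name one.
STAGING_HOST = "staging.example.internal"

# WordPress endpoints that should not survive a static export: a leftover reference
# either reveals where the hidden authoring instance lives or simply 404s on S3.
DYNAMIC_PATHS = ("wp-login.php", "wp-admin/", "xmlrpc.php", "wp-json/", "wp-cron.php")

def load_export(root: Path) -> dict[str, bytes]:
    """Read an exported site directory into memory as {relative path: bytes}."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}

def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 of every exported file: the baseline a nightly integrity scan compares against."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def diff_manifests(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed or modified since the baseline; anything listed that
    does not match a deliberate publish deserves an alert."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def find_leaks(files: dict[str, bytes], staging_host: str) -> dict[str, list[str]]:
    """Per text file, the staging-host references and dynamic WordPress endpoints
    the static site generator left behind (an empty dict means the export is clean)."""
    needles = (staging_host,) + DYNAMIC_PATHS
    pattern = re.compile("|".join(re.escape(n) for n in needles), re.IGNORECASE)
    leaks: dict[str, list[str]] = {}
    for path, data in files.items():
        if not path.endswith((".html", ".css", ".js", ".xml", ".txt")):
            continue  # binary assets are covered by the manifest, not the text scan
        hits = sorted({m.group(0).lower() for m in pattern.finditer(data.decode("utf-8", "replace"))})
        if hits:
            leaks[path] = hits
    return leaks

# Constructed sample export: a clean page and one page the exporter did not fully rewrite.
SAMPLE_EXPORT = {
    "index.html": b"<html><body><a href='/about/'>About</a></body></html>",
    "about/index.html": (b"<html><body><a href='https://staging.example.internal/wp-login.php'>Log in</a>"
                         b"<link rel='https://api.w.org/' href='/wp-json/'></body></html>"),
    "logo.png": b"\x89PNG\r\n\x1a\n",
}
```

Run `find_leaks(load_export(Path("out")), STAGING_HOST)` against the generator's output directory before the CI step uploads to S3, and fail the build when it returns anything.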

Even faster performance

We can even further increase performance in two ways:

There are a few important caveats to this solution worth mentioning.

Functional caveats

It may not seem obvious but a static site has no database.

This means any plugin or feature you use that requires real-time database access will not work: think related posts, SEM retargeting, site search, or even commenting. There are, however, some workarounds for embedding third-party, JavaScript-based solutions like Disqus or Heap for A/B testing.

There are many other things you can do to strengthen your WordPress site’s security if static site generation isn’t right for you. Read more in our article, Top 3 WordPress Security Plugins, to get started.

If you need reliable WordPress development services, please email us at hello@attck.com.

Author: Dennis Plucinik,
Founder, ATTCK

About ATTCK: We’re an NYC-based digital agency that specializes in web and native app design and development. We work with companies of all sizes. If you’re looking for an agency to work with, give us a call at (917) 725–0044 or email us at hello@attck.com.
