This document provides an overview and best practices for using WordPress. It discusses why WordPress is commonly used, potential issues like site failures, and strategies to mitigate risks such as proper hosting, regular backups, performance monitoring, and ongoing security measures. The document emphasizes minimizing technical complexity, using experts for hosting, backing up content and databases, configuring uptime monitoring, addressing common vulnerabilities, and having incident response plans.

1. WORDPRESS
by Todd Dow

2. Who is Todd Dow?
 Senior Digital Specialist at Postmedia Digital
 CISA & PMP certified
 15 years industry experience: Postmedia, AOL
Canada, numerous small business websites.

3. Etiquette
 Don’t be shy!
 Ask questions right away.
 If you disagree, say so.
 A discussion is more interesting than a lecture.

4. Overview
 Why do we use WordPress?
 What if my WordPress site fails?
 Causes of failure
 Mitigation Strategies:
 Hosting
 Backups
 Monitoring
 Security

5. Why do we use WordPress?
 Communication
 Education
 Productivity
 Entertainment
 To make money

6. Customers Expect Fast Pages
< 1 sec
3%
1 - 5 sec
16%
6 - 10 sec
30%11 - 15 sec
16%
16 - 20 sec
15%
20+ sec
20%
Abandonment Rate based on page speed
Source: Kissmetrics.com

7. Time = Money
-11%
-7%
-16%
-18%
-16%
-14%
-12%
-10%
-8%
-6%
-4%
-2%
0%
Page Views Conversions Customer Satisfaction
Average Impact of One Second Delay in
Response Time
Source: gomez.com

8. What if my WordPress site is slow or
non-responsive?
 Communication
 Education
 Productivity
 Entertainment
 To make money
 No communication
 No education
 Lost productivity
 No entertainment
 Loss of revenue

9. Costs of speed & uptime issues
 “For a $100,000/day
ecommerce site, a
one-second delay
means $2.5 million
in lost revenues in a
year” (Gomez.com)
 Loss of reputation
 Loss of revenue due
to customer refunds
 Additional damages
(SLA penalties)
 Loss of future
business
Large Enterprises Small/Medium Business

10. Sources of speed & uptime
issues
Power
Networks
DNS
Servers
OS
Software
3rd parties
Traffic
Unoptimize
d content
Human
error
Hackers

11. How do we minimize risk?
Minimize our footprint:
Site
Content
Application
Platform
Infrastructure
Outsource
Customize
Full Control
Platforms:
PHP, Python,
Apache
OS
Servers
DNS
Networks
Power
Wordpress, 3rd
parties
User accounts
Content

12. How do we minimize risk?
Hosting Backups
Monitoring Security
Operational best practices, focusing on:

13. Hosting needs:
 Keep it simple – minimize your footprint:
 Host with experts
 Avoid hosting your own hardware
 Get your vendor to manage OS & application
patching and maintenance
 Expect the following from your vendor:
 99.999% uptime
 24x7 support
 System health dashboard
 Off-peak-hours maintenance windows
Hosting

14. Hosting Options – free or low
cost
WordPress.com:
 Free
 For $43 a year:
 custom domain
 Fonts
 Colours
 CSS
Hosting

15. Low Cost Hosting
 Numerous hosting
options
 Start at $5/month
 Full blog
customization
Risks:
 Shared
infrastructure
 Scalability
Hosting

16. Dedicated Hosting
 $50 to $100/month
 Full blog
customization
Risks:
 Scalability
Hosting

17. Volume Based Hosting
 Focus is on traffic
 Don’t worry about
servers, network, et
c.
 Start at $100/month
 Full or partial blog
customization
Hosting

18. Tier 1 Hosting
 Enterprise-level
hosting
 Start at
$3,750/month
 Full blog
customization
 High volume, high
availability
Hosting

19. Other Hosting Options
Scalable hosting:
 Amazon Web
Services
 Microsoft Azure
Pros:
 Scalable, full control
Cons:
 Management
overhead
Hosting

20. Other Hosting Considerations
Static content hosting:
 Amazon S3
Use a CDN:
 Amazon CloudFront
 Akamai
 Brightcove
 Cachefly
 Limelight
Hosting

21. Backup needs:
Why do backups?
 Protect against site corruption
 Protect against hosting failure
 Ensure business continuity
How often should you do backups?
 As frequently as you post new content.
Backups

22. Backup options:
 Roll your own script
to copy files & DB
 VaultPress Service
& Plug-in
 Backup Buddy
Plug-In
 Numerous other
solutions.
Backups

23. Backup options – source code:
Use a source code
repository to store
your code (plug-
ins, themes, etc.)
Options:
 Github
 Assembla
 Bitbucket
Backups

24. Types of monitoring
 Heartbeat = uptime monitoring
 Log = diary of all activities
 Performance = page speed, weight, etc.
 Security = vulnerability scanning
 Traffic = site visits
Monitoring

25. Heartbeat Monitoring
Heartbeat = uptime
monitoring
 Verelo.com
 Pingdom.com
 Etc.
Monitoring

26. Log Monitoring
Log = diary of all
activities
 Splunk.com
 LogRhythm.com
 Etc.
Monitoring

27. Performance Monitoring
Performance = page
speed, weight, etc.
 Browser Tools
 Google PageSpeed
 Webpagetest.org
 Gomez
 Keynote
Monitoring

28. Security Monitoring
Security = vulnerability
scanning
 Nessus
 Qualys
 VaultPress
Monitoring

29. Traffic Monitoring
Traffic = site visits
 WordPress stats
 Google Analytics
Monitoring

30. Security Considerations
We can all be hacked.
We are all vulnerable.
Accept it.
Security

31. Security
Security Considerations:
Our goal: minimize our surface area:
Site
Content
Application
Platform
Infrastructure
Outsource
Customize
Full Control
Platforms:
PHP, Python,
Apache
OS
Servers
DNS
Networks
Power
Wordpress, 3rd
parties
User accounts
Content

32. Security Considerations
Some current trends:
 DDOS attacks are becoming more and more
common
 Password theft and human engineering
 Top 5 OWASP Vulnerabilities in 2013:
 SQL injection
 Broken authentication and session mgmt
 Cross-site scripting
 Insecure direct object references
 Security misconfiguration
Security

33. What can we do?
DDOS attacks:
 Work with your hosting provider
 Use a Content Delivery Network (CDN)
 Architect for scale
Security

34. What can we do?
Password theft and human engineering
 Create and maintain secure passwords:
 More than 8 chars, alpha-numeric & symbols, etc.
 Change your password regularly (every 90 days, at
most)
 Two factor authentication
 Education & Awareness:
 Don’t click on links or visit sites that you don’t trust.
 Don’t share your password with others
 Beware of phishing attacks
Security

35. What can we do?
Secure coding to mitigate issues like these:
 SQL injection
 Broken authentication and session mgmt
 Cross-site scripting
 Insecure direct object references
 Security misconfiguration
Google this term: “secure coding”
Security

36. WordPress VIP Guidelines
Wordpress.com VIP checklists for security & best
practices:
 http://vip.wordpress.com/documentation/security
/
 http://vip.wordpress.com/documentation/best-
practices-introduction/
Security

37. WordPress VIP Guidelines
WordPress.com security guidelines in a nutshell:
 Use strong passwords
 Connect to your site using SFTP/SSH, SSL or some other secure
channel
 Restrict admin access
 Disable plug-in/theme editing
 Move wp-config.php file
 Use salts on passwords
 Properly administer permissions on directories
 Change the DB prefix
 Avoid direct php script & DB queries
 Don’t leave comments in your code
 Don’t write to the file system
Security

38. What can we do?
Ongoing best
practices:
 Scan for
vulnerabilities:
 Nessus
 Qualys
 VaultPress
 Patch
 Password changes
 Education
Security

39. I’ve been hacked! What now?
http://codex.wordpress.org/FAQ_My_site_was_hacked
In a nutshell:
 Stay calm.
 Contact your hosting provider
 In cases of significant damage, contact a security
consulting firm and/or police
 Scan your local machine for malware
 Change your passwords
 Identify and fix the issue(s)
 Restore from last good known backup
Security

40. Review
Hosting: Build a
stable, scalable
infrastructure
Backups: Make sure
backups happen and test
them often.
Monitoring: Measure your
critical performance data.
Security: Monitor and
respond to threats.

41. Thanks for listening! Questions?
@toddhdow
http://toddhdow.com/
toddhdow@gmail.com
When in doubt, look for “toddhdow” at <insert
social media site here>