Author Archive

Plugins that improve your WordPress performance, page speed and security

Sunday, September 25th, 2016 | Permalink

Despite the optimization on the webserver, it makes sense to install a couple of plugins that secure and speed up your WordPress installation.

In my concrete case, I am using at least the following:

Hyper Cache
Hyper Cache is a simple caching plugin that pre-renders your content, so your webserver doesn’t need to process all dynamic content for every request and only does so once there is a change.
Super simple, but it speeds up your website enormously.
It also supports CDNs.

Login LockDown
Limits the number of possible login attempts. This helps to prevent brute-force attacks, where an attacker tries random passwords until one grants access. Find information about it here.

Stop XML-RPC Attack
Stop XML-RPC Attack helps you reduce the number of requests going to xmlrpc.php, which could otherwise be used to flood your webserver with useless requests.

BJ Lazy Load
Lazy Load only loads content that the user is actually looking at. E.g. when opening a long page, not all pictures are visible immediately; some are below the fold. It makes no sense to load these images before they are viewed, so this prevents unnecessary requests and improves the user experience, while speeding up everything.

EWWW Image Optimizer
EWWW Image Optimizer optimizes and compresses all pictures that you have uploaded or will upload to WordPress. It makes files smaller without losing quality and therefore speeds up the page.

miniOrange 2 Factor Authentication
miniOrange 2 Factor Authentication lets you use several methods of two-factor authentication, meaning your username + password + a second authentication factor. This could be e.g. an email, an SMS or the Google Authenticator. I highly recommend the Google Authenticator. It is free and simple.

All these plugins are free of charge; some have a pro version, which I don’t need.
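To show what a login limiter like Login LockDown does under the hood, here is an added example of a sliding-window lockout in Python. It is not the plugin’s code; the thresholds (5 failures within 5 minutes, one hour lockout) and the client addresses in the demo are assumptions chosen for the illustration. The important design point is that a locked client is rejected before the password is checked, so a lucky guess during the lockout reveals nothing.

```python
"""Sliding-window login lockout, illustrating what a plugin like Login LockDown
does conceptually: count failed logins per client and refuse further attempts
once a threshold is crossed. Added example code, not the plugin's source; the
thresholds and addresses below are assumptions chosen for the demo."""
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures tolerated inside the window (assumption)
WINDOW_SECONDS = 300    # failures older than this no longer count (assumption)
LOCKOUT_SECONDS = 3600  # how long a locked-out client stays blocked (assumption)


class LoginLimiter:
    """Per-address failure counter with a lockout, keyed on the client IP."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # addr -> timestamps of failures
        self._locked_until = {}              # addr -> time the lock expires

    def _prune(self, addr, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[addr]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, addr, now):
        until = self._locked_until.get(addr)
        if until is None:
            return False
        if now >= until:                     # lock expired: start fresh
            del self._locked_until[addr]
            self._failures[addr].clear()
            return False
        return True

    def attempt(self, addr, password_ok, now):
        """Record one login attempt and return 'locked', 'ok' or 'failed'.
        A locked client is rejected before the password is even looked at, so
        a lucky guess during the lockout tells the attacker nothing."""
        if self.is_locked(addr, now):
            return "locked"
        if password_ok:
            self._failures[addr].clear()     # success resets the counter
            return "ok"
        self._prune(addr, now)
        self._failures[addr].append(now)
        if len(self._failures[addr]) >= self.max_failures:
            self._locked_until[addr] = now + self.lockout
        return "failed"


def run_demo():
    """Constructed sequence: one address hammers the login, another behaves."""
    lim = LoginLimiter()
    log = []
    for t in range(5):
        log.append(lim.attempt("198.51.100.7", False, t))   # five wrong passwords
    log.append(lim.attempt("198.51.100.7", True, 6))        # right password, too late
    log.append(lim.attempt("203.0.113.9", True, 6))         # other client unaffected
    log.append(lim.attempt("198.51.100.7", True, 6 + LOCKOUT_SECONDS))  # lock expired
    return log


if __name__ == "__main__":
    print(run_demo())
```

Keying on the client address is what the plugin does as well; behind a CDN or reverse proxy you would key on the forwarded client address instead, otherwise every visitor shares one counter.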

Load static content directly thru Nginx

Saturday, September 24th, 2016 | Permalink

Every time your WordPress blog loads, it also sends a lot of static files, e.g. images, CSS, JavaScript and so on.

In the standard configuration, these are passed through the PHP process, which slows down delivery because every file has to be processed first, even though there is absolutely no reason to do this.

You can avoid this by configuring NGINX to deliver these files directly and speed everything up.

Add the following block to your https server configuration:

location ~* \.(js|css|png|jpg|jpeg|gif|ico|woff)$ {
    expires 30d;
    log_not_found off;
}

If you have more static file types that you want to deliver directly, add them to js|css|png|jpg|jpeg|gif|ico|woff, e.g. js|css|png|jpg|jpeg|gif|ico|woff|pdf.

Restart your NGINX and you are good to go.

Nginx optimize SSL Test Grade

Saturday, September 24th, 2016 | Permalink

There are plenty of articles on this topic.

It basically comes down to limiting the accepted ciphers for the encryption and kicking out old, broken encryption algorithms.

My configuration for Nginx looks something like this:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
add_header Strict-Transport-Security "max-age=0; includeSubdomains";

Add this to your specific host configuration, in the server {} part for port 443.

For Apache I am using something like this:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA
SSLHonorCipherOrder on

Check your result using SSL Test.
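Before uploading the configuration and waiting for the scanner, you can see locally what a cipher string really enables. Nginx and Apache both hand the string to OpenSSL’s cipher-list parser, and Python’s ssl module uses the very same parser, so the following added example (mine, not part of the post) resolves the two strings above against the OpenSSL build on your machine. The FLAGGED name fragments are my own choice of suites a scanner marks as broken; the 3DES entries both strings keep are 112-bit and show up in the “under 128 bits” list, which is the kind of thing that costs a grade today.

```python
"""Resolve the cipher strings from the Nginx and Apache snippets above against
the local OpenSSL build. Both servers hand these strings to OpenSSL's cipher
list parser, and Python's ssl module uses the same parser, so this shows what a
given string actually enables. Added example, not part of the original post;
the FLAGGED tokens are my own choice of suites a scanner marks as broken."""
import ssl

NGINX_CIPHERS = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                 "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")

APACHE_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:"
    "DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:"
    "!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:"
    "!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:"
    "!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA")

# Name fragments of suites no modern configuration should enable:
# RC4 and MD5 are broken, NULL means no encryption or no authentication,
# EXP- are 40/56-bit export suites, ADH-/AECDH- are anonymous key exchange.
FLAGGED = ("RC4", "MD5", "NULL", "EXP-", "ADH-", "AECDH-")


def _context(spec):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)      # raises ssl.SSLError if nothing at all matches
    return ctx


def resolve(spec):
    """Cipher suite names (TLS 1.2 and below) the string selects, in server
    preference order. get_ciphers() also lists TLS 1.3 suites, which this
    string does not govern, so those are filtered out."""
    return [c["name"] for c in _context(spec).get_ciphers()
            if not c["name"].startswith("TLS_")]


def flagged(spec):
    """Resolved suites whose name contains a FLAGGED fragment."""
    return [n for n in resolve(spec) if any(t in n for t in FLAGGED)]


def below_128_bits(spec):
    """Resolved suites with an effective strength under 128 bits; 3DES (112
    bits) lands here, which is why scanners have started to penalise it."""
    return [c["name"] for c in _context(spec).get_ciphers()
            if c["strength_bits"] < 128]


if __name__ == "__main__":
    for label, spec in (("nginx", NGINX_CIPHERS), ("apache", APACHE_CIPHERS)):
        print(label, len(resolve(spec)), "suites; flagged:", flagged(spec),
              "| under 128 bits:", below_128_bits(spec))
```

What you get depends on the OpenSSL your server links against, which is exactly the point: run it on the server, not only on your laptop.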

WordPress, redirect all traffic from http to https Nginx and Apache

Saturday, September 24th, 2016 | Permalink

To redirect all traffic that goes to your http site to your https site, you have to work with redirects.

If you are using Apache as your webserver, just edit the .htaccess file in your document root.
Be sure mod_rewrite is enabled in your setup.

Then simply add the following lines. The %{HTTPS} condition is what catches plain http requests for the correct host name; a host-name check alone would let http://www.YOURWEBSITE.com/ through untouched.

RewriteEngine On
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\.YOURWEBSITE\.com$ [NC]
RewriteRule ^(.*)$ https://www.YOURWEBSITE.com/$1 [R=301,L]

For Nginx this needs a little more effort.
Add the following lines to the server {} configuration for your port 80 webserver within the virtual server configuration. It can usually be found in /etc/nginx/sites-available/.

location / {
    return 301 https://www.YOURWEBSITE.com$request_uri;
    try_files $uri $uri/ /index.php?$args;
}

For exception management, have a look at exceptions for redirects.

Nginx adding http2 support to improve speed

Saturday, September 24th, 2016 | Permalink

Since version 1.9.5 Nginx supports http2, which is a major improvement compared to http 1.1.

One of the major differences is https by default. If you haven’t enabled your website for https yet, I ask you to read through my short summary on Letsencrypt and how to set it up.

The second thing is an improvement in overall data transfer. http 1.1 was designed at a time when bandwidth was still a problem. Therefore the RFC set a limit on simultaneous connections, as written in RFC 2086:

Clients that use persistent connections SHOULD limit the number of simultaneous connections that they maintain to a given server. A single-user client SHOULD NOT maintain more than 2 connections with any server or proxy. A proxy SHOULD use up to 2*N connections to another server or proxy, where N is the number of simultaneously active users. These guidelines are intended to improve HTTP response times and avoid congestion.

This means that the number of files that can be loaded from a single host at the same time is limited. With http2 this limit falls away and websites load way faster than before.

Nginx has a manual on enabling http2, which I literally don’t want to copy & paste here.
Read it yourself and make the internet faster!

Once you’re done, check if your site really supports http2 by using the HTTP/2 and SPDY indicator plugin in Chrome.

Improve WordPress ranking by adding https

Saturday, September 24th, 2016 | Permalink

One step to improve the overall security of the internet is the usage of https.
https makes sense for every site, not only banks, insurances and online shops.
It not only makes the communication between you and your users secure, it could also improve your Google ranking.

The simplest way to do this is Letsencrypt. Letsencrypt is free of charge and super simple to use.
It comes with a simple bash script that you can execute, and it will take care of all the configuration necessary to encrypt your site successfully.

Go to Certbot, choose your setup and follow exactly the steps shown underneath.

In my case this was:

Certbot

This takes a maximum of 10 minutes and you have a secure connection.

Be aware that your certificate needs renewal every three months, but this only takes a couple of seconds.
I added that to my update script, which I am running frequently, to cover for this. I will probably post this pretty soon too.

If you like it, please consider donating to Letsencrypt. Even small amounts like $5 can help to keep this project alive. The cheapest alternative certificate I know costs $25 per year.

And just to mention it, for around $60 per year you can sign up with StartCom and generate as many certificates as you like.

Once done, have a look at the SSL Test to check if your site is fully encrypted and gets a good grade.

SSL Test A Grade

If you are getting anything but an A, consider optimizing this as well. Have a look at this blog post on SSL optimization.

Another step is to redirect all your traffic from http to https, so you are 100% sure to serve only secure content. Have a look at my post on forwarding traffic from http to https.

Pimping a WordPress for high performance and against DDoS attacks – series

Saturday, September 24th, 2016 | Permalink

For quite a while I have been supporting the finance blog of a friend of mine. He started this as a small blog project (it is still a blog) and quickly got a lot of traffic.

The initial setup was a hosted website with a provider, including PHP and MySQL.
Quickly there was too much traffic and the site became really, really slow. On top of that, the possibilities in this environment are limited.

Next step – own server. So we booked him a machine at Hetzner, a German ISP with quite good conditions. I put VMware in place and virtualized the entire thing.
As time went by, the machine became old and had to be replaced. So we decided on a new machine and installed everything bare metal (no VMs).
The current machine holds a Skylake quad-core processor, 64 GB of RAM, SATA HDD and a lot more cool things.

So a fairly decent setup.

Recently the site was attacked using several different techniques.

This series is about the steps we took to keep the site alive and also to gain speed and performance, reduce load and shrink file sizes.

The result of this series should be a WordPress installation on steroids.

You will use and run:

– Nginx
  – http/2
  – https / SSL encryption
– Caching for WordPress
– Optimized compression for images and files
– CDN
– Fail2Ban to avoid too many requests from one source
– Optimized caching on the client side
  – Faster page loads
– Lazyload for images
– and many things more

Nginx, don’t redirect to https for specific site / url

Saturday, September 24th, 2016 | Permalink

After reading my article on redirecting all traffic to https, you may have discovered that some content is not appearing correctly anymore.

For the finance blog I am supporting, this is the case for some pages like “10 goldene Regeln für binaere Optionen”, where http content is embedded. In this case it is an external JavaScript (unfortunately; you should try to avoid this whenever possible) that could not be served via https.

So we needed an exception for this.

In your server {} configuration for port 80 (non-ssl) add this:

location ^~ /10-goldene-regeln-fur-den-handel-mit-binaren-optionen {
    try_files $uri $uri/ /index.php?$args;
}

In the configuration for port 443 (ssl / https) add this:

location /10-goldene-regeln-fur-den-handel-mit-binaren-optionen {
    return 301 http://$server_name$request_uri;
    try_files $uri $uri/ /index.php?$args;
}

Of course you need to adjust that to your needs. This overrides the redirect-all configuration for one exception, the URL “/10-goldene-regeln-fur-den-handel-mit-binaren-optionen”.

HSTS – Strict Transport Security

Sunday, May 1st, 2016 | Permalink

I recently stumbled across a pretty cool functionality within the HTTP/S protocol, which is also painful if you don’t know about it.

It is called HSTS or HTTP Strict Transport Security. Basically it tells the browser, via a header, to request everything from this server only via HTTPS instead of HTTP.
The first request sets something like a cookie, but, depending on the browser, it is not a regular cookie. For example, Safari stores this information in a file called HSTS.plist.

The header sets a lifetime, like for a cookie.

In my specific case, I had an entire server redirected to https by a rewrite rule, but one specific URL redirected to http. HSTS blocked that completely and it took me a few hours and some external help to figure this out.

Details about my case can be found here.
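To make the interaction between the http exception from the previous post and HSTS visible, here is an added Python simulation (my code, not from either post). It models the two Nginx server blocks (port 80 sends everything except the exception to https, port 443 sends the exception back to http) and a browser with an HSTS store: once the browser has seen a Strict-Transport-Security header for the host, it rewrites the http URL to https before sending, and the exception turns into a redirect loop. The host name, the hop limit and the header values are assumptions. It also models one caveat worth knowing about the Nginx snippet in the SSL post: per RFC 6797 a max-age of 0 tells the browser to forget the host, so that header disables HSTS rather than enabling it.

```python
"""Simulate the redirect rules from the Nginx posts above (port 80 sends
everything except the one exception to https; port 443 sends the exception
back to http) together with a browser's HSTS store, to show why that exception
stops working once the browser has seen a Strict-Transport-Security header.
Added example code, not from the original posts; the host name, the hop limit
and the header values are assumptions."""
import re

HOST = "www.example.com"   # placeholder for YOURWEBSITE (assumption)
EXCEPTION_PATH = "/10-goldene-regeln-fur-den-handel-mit-binaren-optionen"
MAX_HOPS = 10              # a browser gives up on a redirect loop about here


def parse_hsts(header):
    """Return (max_age, include_subdomains) for a Strict-Transport-Security
    value, or None if it is malformed. Directive names are case-insensitive
    and max-age is mandatory (RFC 6797)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m is None or max_age is not None:
                return None          # non-numeric or duplicated max-age
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HSTSStore:
    """The browser-side memory of hosts that demanded https."""

    def __init__(self):
        self._expires = {}           # host -> absolute expiry time

    def note_response(self, host, headers, now):
        parsed = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if parsed is None:
            return
        max_age, _ = parsed
        if max_age == 0:
            self._expires.pop(host, None)    # max-age=0 means "forget me"
        else:
            self._expires[host] = now + max_age

    def must_use_https(self, host, now):
        return self._expires.get(host, 0) > now


def origin(scheme, path, hsts_header):
    """Fake origin applying the two Nginx server blocks. Returns (status, headers)."""
    if scheme == "http":
        if path.startswith(EXCEPTION_PATH):
            return 200, {}
        return 301, {"Location": f"https://{HOST}{path}"}
    headers = {} if hsts_header is None else {"Strict-Transport-Security": hsts_header}
    if path.startswith(EXCEPTION_PATH):
        headers["Location"] = f"http://{HOST}{path}"
        return 301, headers
    return 200, headers


def browse(store, url, now, hsts_header=None):
    """Follow redirects like a browser: upgrade to https for known HSTS hosts
    before sending, honour the header only on https responses, and give up
    after MAX_HOPS. Returns (final_url, status) or (url, 'loop')."""
    for _ in range(MAX_HOPS):
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        path = "/" + path
        if scheme == "http" and store.must_use_https(host, now):
            scheme = "https"
            url = f"https://{host}{path}"
        status, headers = origin(scheme, path, hsts_header)
        if scheme == "https":
            store.note_response(host, headers, now)
        if status == 301:
            url = headers["Location"]
            continue
        return url, status
    return url, "loop"


if __name__ == "__main__":
    exception_url = f"http://{HOST}{EXCEPTION_PATH}"
    store = HSTSStore()
    print("fresh browser, exception page:", browse(HSTSStore(), exception_url, 0))
    print("front page sets HSTS:", browse(store, f"http://{HOST}/", 0, "max-age=31536000"))
    print("same browser, exception page:", browse(store, exception_url, 0, "max-age=31536000"))
```

Once a visitor has the policy, nothing on the server side can undo it before it expires, short of serving max-age=0 over https and waiting for every browser to come back; that is why the exception had to be found with external help rather than in the server logs.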

What’s the state on IPv6 – 2016 Edition

Saturday, April 9th, 2016 | Permalink

Nearly three years ago, I tested a list of popular websites for their IPv6 support. Back then the adoption was shockingly small.

ARIN recently ran out of IPv4 addresses and now has a waiting list for new address spaces. This makes the situation even more dramatic.

Time to run my test again.

Only 8 websites that didn’t support IPv6 three years ago support it now.

yahoo.com
linkedin.com
microsoft.com
apple.com
instagram.com
aol.com
netflix.com
dropbox.com
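For anyone who wants to repeat the test, here is an added Python example of the DNS-level check behind such a list (my code, not the script used for the comparison above). The resolver is injectable, so the functions run offline against constructed answers under placeholder host names; the default resolver does real lookups. Note that an AAAA record only shows the name is announced over IPv6; whether the site actually serves traffic on it is a separate test.

```python
"""Look up IPv6 (AAAA) addresses for a list of host names, the kind of check
behind the list above. Added example, not the author's script; the resolver is
injectable so the functions can run offline against constructed answers, and
a DNS answer alone only shows the name is reachable over IPv6 in principle."""
import socket


def ipv6_addresses(host, resolver=socket.getaddrinfo):
    """Sorted IPv6 addresses for host; [] if it has none or does not resolve."""
    try:
        infos = resolver(host, None, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:        # no AAAA record, or NXDOMAIN
        return []
    return sorted({sockaddr[0] for *_, sockaddr in infos})


def ipv6_report(hosts, resolver=socket.getaddrinfo):
    """Map each host name to True/False, like the before/after comparison above."""
    return {h: bool(ipv6_addresses(h, resolver)) for h in hosts}


# Constructed DNS answers (documentation prefix 2001:db8::/32) so the module
# runs offline; real lookups use the default resolver argument.
FAKE_AAAA = {
    "v6-host.example": ["2001:db8::10", "2001:db8::11"],
    "v4-only.example": [],
}


def fake_resolver(host, port, family=0, type=0, proto=0, flags=0):
    """Mimic socket.getaddrinfo for the constructed table above."""
    addrs = FAKE_AAAA.get(host, [])
    if not addrs:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return [(socket.AF_INET6, socket.SOCK_STREAM, 6, "", (a, 0, 0, 0)) for a in addrs]


if __name__ == "__main__":
    print(ipv6_report(FAKE_AAAA, fake_resolver))
```

To run it against the real list, call ipv6_report with the host names above and no resolver argument.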