Optimising wordpress expert required


#21

@ahsan.parwez - What was the changes in Breeze 1.0.1 version, someone forgot to update the changelog at Wordpress??


#22

Hi @bohlin,

Sorry, an error on our side, our new readme file didn’t go through the push to wp.org repo. We will fix it.

Things updated are as follows.

1- Added Breeze Logo
2- Improved text
3- Fixed a minor security issue where a non-admin user was able to purge cache
4- Added links to “Feedback” and “Support”


#23

@ahsan.parwez Ok, thanks for the improvements and update.


#24

Actually, thank you for noticing and reporting that :slight_smile:


#25

Hi @daniel,

Your take on things definitely show your experience with optimizing websites. I am looking forward to hearing your feedback about Breeze.

I agree that Themes on Themeforrest and plugins that we use are resource hogs. What inexperienced WordPress developers do is add up features into their plugins and themes. Most of those features are not used by wider audience and just bloat up the databases and disks.

That’s why starting with a basic theme and adding features into it is the way to go. Also depending on external services is better. For example, adding an analytics reporting plugin on wp admin is rubbish, better to use Google Analytics or Piwik Analytics separately.

Maybe people get carried away and load up their websites with redundant plugins and mess things up :smiley:


#26

@daniel Autoptimize actually does the opposite of bloat sites, it’s the gold standard of minification out there! Frank (the developer) also provides excellent support.

Totally agree with Wordfence and Yoast (never used the others) having a lot of bloat though.

@paul have you considered hiring somebody to help you with this issue?


#27

Autoptimize cluttered a client sites file-structure and bogged it down to the point were HDD ran out and the autoptimize needed to be cleared manually every single day (it flashed red every time he logged in). It was not a smooth experience.

Besides, the point we always argue is that if performance and optimization is important, you should have a custom built proper WP theme, that is made for your site. Which then of course should be minified in the code build process, not by adding additional complexity into the GUI and production environment. Plugins like these might work well for most, but we black list them due to them often behaving very wonky and is a quick fix to a much deeper issue.

I’m sure that the developer is a nice guy and provides excellent support, we just prefer doing it “right” from the start and not using tools like this. Even though I’m positively sure that Autoptimize is one of the better plugins… I just used it as an example as its fairly well known.


#28

The Autoptimize plugin has been improved a lot in the recent version. It is not really what was few years back.

I think if we properly configure AO plugin, as per specific site requirement, this plugin may never disappoint. I have been using this plugin from quite long time and I personally feel very user-friendly with this plugin. It’s bit technical to debug, setup but worth for optimization. This is why, I am also a huge fan of this plugin.

As a solution, you may keep unchecked this option, there are also some other exclude option you may give try.


#29

Wow learned abit from here.

Do you have any lightweight alternative for Wordfence? I can probably google, but will be a bonus to hear your opinion. Thanks in advance!


#30

Well, it kinda depends on exactly what functionality from WordFence you want to mimic. But no, not a single plugin off the top of my head. For more info, continue reading :slight_smile:

We usually promote that things like this shouldn’t be handled by the CMS you use, but instead by your server-side software such as a firewall.

So, if its network or server related security issues, you should handle it in your linux firewall and preferably add a service such as Cloudflare which adds much more proper protection than any plugin does.

Then for WP specific issues, we suggest handling them specifically. Such as we always disable the XMLRPC feature, move wp-config.php, not use the “admin” username, maybe even add 2-step authentication etc etc.

I know it might not be the answer you’re looking for, but its the one I got :slight_smile: We highly encourage people to actually deal with the real issues, and do it properly, instead of using your Content Management System to handle things like brute-force attacks and security, because that is the wrong place (if we’re being all annoyingly technical about it).

Of course, if you’re on cheap shared hosting you might not have the option of installing whatever you want, adjusting the server etc. But if you’re on something like Cloudways that have a good base setup, you should start using Cloudflare as well and then just disable the most common WP threats (such as XMLRPC).


#31

Thanks @daniel,

I’m already using Cloudflare. So you’re saying wordpress plugins like Sucari / Wordfence are not needed? Feels kinda naked. :sweat_smile:

Thanks for your suggestion. I’ll disable XMLRPC. I’ve already used phpmyadmin to change the “admin” name. Will using Google captcha help to reinforce the login page?


#32

Well, some of their functionality is needed, but those plugins specifically (if you’re taking care of important security concerns in other ways), no.

For example, Cloudflare gives you a firewall, then thats covered etc. Its important to actually think of what specifically plugins do, and what exactly you need of that functionality. We don’t have Sucuri or Wordfence installed on any of our ~60 sites, because they are so horribly bloated. That being said, we are very aware and skilled in this area, and have the knowledge to secure our installs without these plugins. If one does not have knowledge or time to actually deal with things properly, then a plugin might be a way to go. But Wordfence created hundreds of thousands of rows in the DB, completely filling it with utter crap, so we blacklisted that plugin forever.

Google captcha is only an anti-spam solution. It can protect something like a contact form so you don’t get spam submissions, but wont really do anything for your login form.

If you want to really secure your login you should add 2-factor authentication, something like Google Authenticator (which can also be used on your Cloudways account login), https://wordpress.org/plugins/google-authenticator/


#33

Hi @daniel

Google Invisible reCAPTCHA can protect registration and login forms too.

To add 2FA, Google Authenticator is a good choice. We have compiled a list of 2FAs. That might be helpful.


#34

Well said, I also do not use any security plugin. I think web firewall is better.

Security plugin is for kid, who need basic notification for WordPress/plugin/theme updates.

WordPress core is secure and regularly maintained software, and if we keep updated and follow what codex says; Rarely we will face any issue.

The most important thing are

  • having most updated backup. Thankfully Cloudways has inbuilt feature for taking backup. So, I have no worry.
  • Strong password, indeed important
  • HTTPS
  • TFA

For the shake of security, hiding x and y are just myths which I see some plugins do.


#35

Hi @paul are you still having issues?


#36

Thanks for all the great replies to this. A lot of work seems to have made the site faster but it could be faster still.

I am using wordfence or aspects of it, but I also use it on other sites which are not having the issues. I think the theme maybe a culprit. Backups etc also cause a lag on the site.

I had to disable cloudflare due to issues with the payment gateway. I also had to disable the Redis cache as it was causing 500 errors on the site due to redis being unable to write to disk (ive got 20gb of free space). The support I got was ‘disable redis’ which was not ideal.

Having said that, a good slimming of the database and a lot of configuring w3TC seems to have made quite a difference.

I think a guide on how to use and understand newrelic might help. The free one with cloudways is the lite plan which is really limited, they seem to provide a better free tier which would be nice.

Paul


#37

Are you using a cron job to run wp-cron.php and setting DISABLE_WP_CRON to true in wp-config.php? I made a huge difference (2 whole seconds of load time) on one of my sites.


Announcing the Top Users for the month of December (2017)