The Core

I have just finished developing a traditional corporate website based on WordPress for a client who is fanatic about security, stability and up-time. If you are done laughing I will tell you how we made a rock solid fast website.

Why WordPress? I still haven’t found anything better. Drupal is too complex and all Java based CMS suck.

The website is a traditional corporate website, so comments and other fancy social interaction is not possible. They just don’t have the resources to communicate with their users in this way. This means that we can tighten security in a way that would break the functionality on a normal WP installation.

The site only uses these best-of-breed plugins, so it is light and fast:
Gravity Forms
WordPress SEO
W3 Total Cache

The site runs on a dedicated virtual server, which opens a nice bag of tricks. First of all a normal user has no need to access a .php file directly because all request are routed to the index.php file. For commenting, login, xmlrpc etc users will need direct access to certain .php files but this is not the case on this site.

I have accomplished this with the following directives in the httpd.conf file

<Directory "/var/www/html">
  AllowOverride All
  Order allow,deny
  Allow from all

  <Files *.php>
    Order deny,allow
    Deny from all
    Allow from 10.0.0.10
  </Files>
  <Files "index.php">
    Order Allow,Deny
    Allow from all
  </Files>

</Directory>

So access to .php files is only allowed from 10.0.0.10 which is an internal VPN IP but you could of course set public WAN IP. In setup you don’t have direct access unless you are on a secure VPN connection.

Furthermore we have removed all WP version info in the HTML. However some plugins like WordPress SEO will give away version info but info is placed in HTML comments, which are removed by the minify function in W3 Total Cache.

You can always find the WP version in the readme.html and in case we forget to delete that file after an upgrade we have restricted access with to location directive

<Location ~ "/(wp-admin|license\.html|license\.txt|readme\.html)">
  Order Deny,Allow
  Deny from all
  Allow from 10.0.0.10
</Location>


The site is pretty fast as it is but to speed up things even more they will put a F5 load balancer in front of the server. This is not for load balancing but simply for caching. The content on the site is pretty static so there is a long time to live on the cache and in cache the server is down the load balancer will keep the cache.


So there you have it. A WordPress website can be a good match for those who are fanatic about security, stability and up-time.
 

Torben - cool tip and useful for almost any CMS that routes all user traffic through index.php.

I've hesitated on allow/deny based on IP because of the need to access the site from various IPs and hadn't thought of the VPN with internal IP solution largely because I have no clue how I would even start to set this up.   Any good pointers to a resource to get me started with figuring that out?

Nice! This is a good reference post.

Always happy to hear from you, Torben:)