Posted in Security, Technology

The do’s and don’ts when setting up a self-hosted WordPress site

Installing a basic WordPress system really is a straightforward task, but configuring it to survive unexpected technical problems and inevitable hacking attempts requires some planning.

If you have decided to get all the features that WordPress software has and perhaps tweak the system a bit, or you simply want to have total control over everything the WordPress system does, you are going to have to find a web hosting service for your site. Finding a web hosting service is easy, but setting up and configuring your own web server needs some planning.

WordPress has documented the main steps for moving from a WordPress.com blog to a self-hosted server. In this article, we focus on the key things you should and should not do when configuring your own system.

Tevya Washburn wrote a long blog post where he told the story of his WordPress service business. After a number of years with persistent problems, he finally mastered WordPress, and was able to list the key tasks to do when running multiple WordPress sites. Since most people who are setting up WordPress for themselves or for a small business need only one or two web sites, I have adopted Tevya Washburn’s tips and made them relevant for someone who is starting his or her journey with self-hosted WordPress.

There are plenty of web hosting companies that specifically market WordPress hosting. The best thing about them is that you usually get a system with the basic installation already running: a web server (usually Apache), a MySQL or MariaDB database, and PHP. All of them are required by WordPress.

That’s not all. Even before the WordPress site is up and running, it is important to configure the dependencies between system components so that you avoid a single point of failure.

When you are running and administering your own web server, you will quickly find out that all kinds of things happen on the internet that cause problems for your site. It may be a massive wave of spam email, an attempt to hack into your system, a comment spam storm, or something else, but things happen 24/7 online.

[Photo: a man looking at program code on a computer monitor. Photo: Jefferson Santos]

The do’s and don’ts of WordPress configurations

After running Typo3 and Drupal web servers, and now WordPress sites, we have learned two key things:

  1. Avoid a single point of failure, and
  2. Secure your system from day one.

In concrete terms, this means that you should:

  • Get a cloud hosting service with WordPress-optimized configuration.
  • Set up a separate WordPress instance for each WordPress site (don’t use the WordPress Multisite feature).
  • If you are setting up multiple sites, consider spreading them across two or more servers.
  • Configure the DNS for your server with the registrar where you bought your domain name.
  • Whichever web hosting service and control panel you choose, learn the common Linux commands (bash shell) well. You will need them, especially for troubleshooting and monitoring what is going on in the system, which are common command-line tasks. Writing small scripts that automate routine tasks is another reason to learn them.
  • Install a Linux firewall.
  • Install WordPress security plugins that are relevant to your system.

Avoid these items in your WordPress installation:

  • Don’t use shared hosting or hosting that uses cPanel.
  • Don’t use the WordPress Multisite feature.
  • Don’t run an email server on the same system as WordPress. An email server can be a resource hog, and it is another point of entry into the system.
  • Don’t make your WordPress installation available to the internet before basic security elements are in place.
  • Don’t rely on your web hosting service’s backup alone (of course, this varies by hosting company – some services have excellent backup plans that can quickly recover from a disaster); also consider backing up your web data to another server from which you can quickly recover it.

WordPress security

We have been running a dedicated traffic monitoring/hacker blocking program on our WordPress servers for a while now. The program runs on Linux and monitors traffic before it reaches WordPress. It is designed to scan for WordPress-specific hacking attempts.

The statistics that the program collects are scary. WordPress sites attract hackers like happy hikers attract mosquitoes.

Hackers tend to bombard WordPress servers with attempts (the top 3 on our sites):

  • to log in as admin
  • to run a PHP program on the server
  • to get into the system via xmlrpc.php
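A small detector for these three patterns over the web server’s access log, added here as an example (it is not the monitoring program the article refers to). It assumes Apache common log format, that admin login spam shows up as repeated POSTs to wp-login.php, and that attempts to run PHP show up as requests for .php files under wp-content/uploads; the log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache common-log-format lines (made up for this example, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.9 - - [10/Oct/2023:14:10:11 +0000] "GET /wp-content/uploads/2023/10/image.php HTTP/1.1" 404 196
192.0.2.33 - - [10/Oct/2023:14:12:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521
192.0.2.33 - - [10/Oct/2023:14:12:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.33 - - [10/Oct/2023:14:12:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 61200
"""

# Client IP, request method and path from a common/combined log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def classify(method, path):
    """Map one request to one of the three attack classes the article lists, or None."""
    p = path.split("?", 1)[0].lower()
    if method == "POST" and p.endswith("/wp-login.php"):
        return "admin_login"
    if p.endswith("/xmlrpc.php"):
        return "xmlrpc"
    # WordPress never serves code from the uploads directory, so a request for a
    # .php file there is someone trying to run a script they managed to upload.
    if "/wp-content/uploads/" in p and p.endswith(".php"):
        return "php_exec"
    return None

def scan(log_text, login_threshold=3):
    """Return sorted (ip, category, count) findings. Login POSTs are only reported
    once an IP reaches login_threshold (a real user logs in once or twice);
    xmlrpc.php and uploads-directory PHP requests are reported on sight."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (category := classify(m["method"], m["path"])):
            per_ip[m["ip"]][category] += 1
    return sorted((ip, cat, n) for ip, counts in per_ip.items()
                  for cat, n in counts.items()
                  if cat != "admin_login" or n >= login_threshold)

if __name__ == "__main__":
    for ip, category, n in scan(SAMPLE_LOG):
        print(f"{ip:15} {category:12} {n}")
```

The legitimate visitor (192.0.2.33) stays below the login threshold and is not reported; the findings are what you would feed to a firewall block list or an alert.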

This is just a brief introduction to the security challenges that WordPress sites face. Hopefully it is enough to convince everyone that securing a WordPress server is essential. More information on how to actually do it can be found here.