I wanted to keep an evergreen log of how we run WordPress. Currently, we manage 36 WordPress sites under the company name Rigadoon New Media. You can see some of those projects on the My Web Projects page. Hopefully, you will find these details useful. If you have questions or suggestions then add a comment at the bottom of the page.
Starting at the base. After running on various shared hosting environments and then eventually our own VPS, RNM finally went with running our own server, and we haven’t looked back. The machine is a So You Start server by OVH running out of their Montreal data centre. It has been amazingly reliable, with only one network-related outage in 3 years. The machine is way overpowered for our hosting needs but it makes the WordPress sites scream. The only resource that is running short is disk space. The server uses SSDs to boost performance but that comes with a hit on storage. The plan is to move to a similar server in September with double the SSD disk space.
Effectively we are running our own shared hosting service so we run CloudLinux as the server OS. We really like the security and resource control that CloudLinux provides.
On top of that, we run WHM & cPanel. WHM is really useful when having to manage all those accounts. Not many of our users ever access their cPanel account but the cPanel is a great interface if they need it.
One other note, we highly recommend getting the ConfigServer team to run their one-time magic on any server. They will set it up more securely and provide you with several tools that will keep your server secured and running well for years after.
CDN & Firewall
The number of hacking attempts on our server and WordPress sites per day is just downright scary. It doesn’t stop, 24 hours a day, 365 days a year. To help with this, all our sites are deployed behind Cloudflare’s service. We use their free plan, which provides all the protection we need at the moment.
To help limit the number of password-guessing attempts, we use a page rule: URL match for *domain.com/wp-login.* with Security Level: I’m Under Attack and Browser Integrity Check: On. Doing this has dropped the number of password-guessing attempts from 100s a day to only a few per site.
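
One way to check the effect of a rule like this on your own server is to count POSTs to wp-login.php per day in a site's access log, before and after enabling it. The script below is an added example, not code from this setup. It assumes Apache "combined" log lines and that the first field holds the visitor's address (behind Cloudflare that is only true if the server restores the visitor IP; otherwise it is a Cloudflare edge address). The sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format: client ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def login_posts_per_day(lines):
    """Return {date: Counter({client: n})} for POSTs to wp-login.php."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or a GET that only loads the form
        # Drop the query string; match the login script in any directory.
        path = m["path"].split("?", 1)[0]
        if not path.endswith("/wp-login.php"):
            continue
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        per_day[day.isoformat()][m["client"]] += 1
    return per_day

def daily_totals(lines):
    """Return {date: total login POSTs}, sorted by date."""
    per_day = login_posts_per_day(lines)
    return {day: sum(per_day[day].values()) for day in sorted(per_day)}

# Constructed sample input (documentation-range addresses, made-up dates).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2020:04:11:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Mar/2020:04:11:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Mar/2020:09:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Mar/2020:09:30:05 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Mar/2020:01:00:00 +0000] "POST /wp-login.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Mar/2020:01:05:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for day, total in daily_totals(SAMPLE_LOG).items():
        top = login_posts_per_day(SAMPLE_LOG)[day].most_common(3)
        print(day, total, top)
```

To run it against a real log, pass an open file object instead of SAMPLE_LOG; every POST to the script is counted, including legitimate logins.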