How We Run WordPress

I wanted to keep an evergreen log of how we run WordPress. Currently, we manage 35+ WordPress sites under the company name Rigadoon New Media (RNM). You can see some of those projects on the My Web Projects page. Hopefully, you will find these details useful. If you have questions or suggestions then add a comment at the bottom of the page.

Server

Starting at the base. After running on various shared hosting environments and then eventually our own VPS, RNM finally went with running our own server, and we haven’t looked back. The machine is a So You Start server by OVH running out of their Montreal data centre.  It has been amazingly reliable, with only one network-related outage in 5 years. The machine is way overpowered for our hosting needs but it makes the WordPress sites scream. The only resource that is running short is disk space. The server uses SSDs to boost performance but that comes with a hit on storage. We are in the process of migrating to a similar server in with quadruple the SSD disk space.

OS

Effectively we are running our own shared hosting service so we run CloudLinux as the server OS. We really like the security and resource control that CloudLinux provides between accounts. On the new server, still being tested, we are running mod_lsapi which so far seem blazing fast. We also are looking PHP-FPM as another option. I will update this section once we decide.

On top of that, we run WHM & cPanel. WHM is really useful when having to manage all those accounts. Not many of our users ever access their cPanel account but the cPanel is a great interface if they need it.

The server runs Apache (EasyApache4) and MariaDB.

One other note, we highly recommend getting the ConfigServer team to run their one-time magic on any server. They will setup it up to be secure and provide you with several tools that will help manage and secure the server for years after. We are repeat customers of their service.

CDN & Firewall

The number of hacking attempts on our server and WordPress sites per day is just downright scary. It doesn’t stop, 24 hours a day, 365 days a year. To help with this all our sites are deployed behind Cloudflare‘s service. We user their free plan which provides all the protection we need at the moment.

To help limit the number of password guessing attempts we use a page rule. URL match for *domain.com/wp-login.* with Security Level: I’m Under Attack and Browser Integrity Check: On. Doing this has dropped the number of password guessing attempts from 100s a day to only a few per site in a week.


WordPress Management

WordPress Plugins