I love WordPress. It’s a flexibile tool that can do pretty much anything you can throw at it. I’ve asked it to be a blog, a CMS, a social network, a mentoring database, a business directory, and at one point, had it powering digital signage on my campus.
What I don’t love is the rise of brute force attacks, security holes and problems with WordPress that have really become a major issue. I know this is because of the rise of WordPress and the fact that it powers so much of the web. I get frustrated because I’m having to spend a great deal of time troubleshooting, protecting and defending my sites from annoying attackers instead of creating content.
I’ve also been frustrated lately by the performance of WordPress lately. As its built on PHP and MySQL, it can require a bit of processing power to make it perform at its best.
How many millions of WordPress blogs are hosted on shared servers where there can be tens of thousands of sites competing for a finite amount of processor, memory and database resources? Add on top of that the brute force hammering of login pages, scans by bots (both good and bad) and you have performance issues.
WordPress’ template tags are great, but even using something like
<?php bloginfo( name ); ?>
requires a PHP and database call. That’s just for the site name. You can call tags for the stylesheet directory, template directory and so on.
Now, I’ve been at this a long time, so I’m doing additional caching, minifying, hosting static assets at a CDN and more but I’m still on a shared environment.
If I were queen, I’d want a setup something like the following:
I would break apart the adminsitration/writing interface and what blog and site visitors see. I’d make it two separate tools for a few reasons:
When all you have to do to see if a site is running WordPress is add a /wp-admin to any URL is kind of an issue. Yes you can change this using a plugin, but is Joe Average blogger going to do that? No.
I’d want WordPress to live either as a Docker-type virtual machine or a standalone app. It’d be nice if I could run it locally, but that’s not a deal-breaker.
At the least, I’d lock the WordPress admin and login pages to only be accessible from my IP and/or require two-factor authentication using a system like Google Authenticator, Clef, or Authy. Two-factor has to be built-in.
As I mentioned, I’m caching and more in an effort to speed up performance. I would love to not have to worry about that, and I’d love for WordPress to spit out static pages and assets and automatically upload them to the place I determine.
I’d love for it to be hosted at Amazon S3 or Cloudfront. You can host static web assets there and I bet for most sites the cost would be pennies a month. Want to serve HTTPS pages? CloudFront can do that (more) and you can serve secure content from S3 by using their domain names.
Static pages will always serve the fastest because Apache or Nginx doesn’t need to interpret the files. It just gets the request and serves the file. This would cut out the need for a MySQL database, PHP, and more and would reduce security issues, brute force attacks and more.
S3 and Cloudfront are built to scale and would have no problem serving any blog’s static content. Cloudfront would make your site even faster as your content would be distributed around the world automatically and be served from the closest data center to the user, further increasing speed.
If you use something like Disqus for comments, most users would never know your site is being served statically from Amazon or Rackspace’s Cloud Files.
Tim Nash has thought this through a bit in a series of blog posts, the most recent of which is here. I like his thinking but the process is complicated and requires several steps to accomplish. I’d love for this all to be automatic.