Question

WordPress One-Click Install Improvements & Optimization Tips?

Hi everyone,

I would like to ask some questions about the WordPress One-Click Install on DigitalOcean. The website I am moving to this droplet gets around 800 daily users so I want to make sure it can handle the load and be secure.

Out of the box, is the default security enough, or should more be done?

Why does it install Ubuntu 20.04.5 LTS and not Ubuntu 22.04.1 LTS? Should I upgrade to Ubuntu 22.04.1 LTS? Are there benefits? Speed? Security?

Should any additional Fail2Ban filters be enabled? Currently only the defaults are enabled -

# fail2ban-client status
Status
|- Number of jail:      3
`- Jail list:   sshd, wordpress-hard, wordpress-soft

Fail2Ban has 90 filters available, so shouldn’t more be used? For example, is it recommended to enable the php-url-fopen.conf filter, or any others?

Would you recommend renaming the WordPress admin login wp-login.php? This would make the wordpress-hard and wordpress-soft filters redundant?

I understand the fewer Fail2Ban filters enabled, the less resource intensive it will be. I would like to find a good balance but lean more towards security over performance.

On the WordPress Fail2Ban settings page it says -

Note: The Free version of WP fail2ban is configured by defining constants in wp-config.php

When I look in wp-config.php I don’t see any F2B constants added? Should they be? Should I add some?

The WP Fail2Ban docs say -

You should consider enabling Comment: Spam and Attempted Comment: Closed post, and, if you don’t use WordPress’s commenting system at all, you should enable all the Attempted Comment Events. source: https://docs.wp-fail2ban.com/en/5.0/configuration/logging.html

I haven’t got comments enabled on this website, so should I add the following to wp-config.php -

include __DIR__.'/wp-content/plugins/wp-fail2ban/lib/constants.php';

/**
 * Log comments on 'Closed' and 'Draft' posts
 */
define('WP_FAIL2BAN_LOG_COMMENTS_EXTRA', WPF2B_EVENT_COMMENT_NOT_FOUND | WPF2B_EVENT_COMMENT_TRASH | WPF2B_EVENT_COMMENT_CLOSED | WPF2B_EVENT_COMMENT_DRAFT | WPF2B_EVENT_COMMENT_PASSWORD);

source: https://docs.wp-fail2ban.com/en/5.0/defines/constants/WP_FAIL2BAN_LOG_COMMENTS_EXTRA.html#wp-fail2ban-log-comments-extra

Also I noticed when I log into the droplet via SSH I get this message -

  • The must-use WordPress security plugin, fail2ban, is located at /var/www/html/wp-content/mu-plugins/fail2ban.php

I don’t have a /mu-plugins/ folder just /plugins/.

Is the WordFence plugin overkill?

Would I be right in thinking mod_security isn’t needed because UFW is enabled?

Should any of the UFW settings be adjusted, or is it sufficient out of the box?

When it comes to file permissions I followed part of this guide so WordPress can automatically update via www-data - https://devanswers.co/configure-sftp-web-server-document-root/

I’ve added this to wp-config.php so WordPress can auto update without needing to do it via FTP -

define('FS_METHOD','direct');
define('WP_AUTO_UPDATE_CORE', true);

I’ve added these security headers to /etc/apache2/apache2.conf -

# Add Security Headers
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    # HSTS is only meaningful on HTTPS responses, hence env=HTTPS
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    Header always set Referrer-Policy "same-origin"
    # this later "set" replaces the SAMEORIGIN value appended above, so clients receive DENY
    Header always set X-Frame-Options "DENY"
    Header set X-Permitted-Cross-Domain-Policies "none"
    # every feature needs its own closed quote, e.g. midi 'none';
    Header always set Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none';"
</IfModule>

Will the website cope with this traffic, or should the Apache Workers be increased? If yes, where are these settings located? On my other droplet they are here: /etc/apache2/mods-available/http2.conf, but on this new droplet I can’t find them. Is it because this droplet is shared? I plan to resize to this dedicated droplet: CPU-Optimized Dedicated CPU, 2 vCPUs, 4 GB, 25 GB, 4 TB, $42/mo. The current droplet is shared: 1 GB Memory / 1 Intel vCPU / 25 GB Disk.

These are the Apache Worker settings on the other dedicated droplet -

ServerLimit 1200
MaxClients 1200
MaxRequestsPerChild 8000

I was thinking about trying the OpenLiteSpeed WordPress 1-Click as it is supposed to be 300+ faster. Does this help get a higher score on Google Page Speed?

If anyone can recommend any improvements, I would really appreciate the advice.

Thank you for taking time to read my post!
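The header block from the question, replayed in code. This is an added example (Python), not code from the original post or from the DigitalOcean image: it applies mod_headers' ordering rules to the directives (`set` replaces, `append` joins with a comma, `env=HTTPS` gates a directive on the HTTPS variable, and directives without `always` are dropped from non-2xx responses) and shows what a client actually receives. The directive list is a constructed copy of the poster's block with the Feature-Policy value shortened to three features; `is_https` and `status` stand in for Apache's request state, and only the HTTPS environment variable is modelled.

```python
"""Replay Apache mod_headers `Header` directives and show what the client receives."""
import shlex

# Constructed copy of the poster's apache2.conf block (Feature-Policy shortened).
HEADER_BLOCK = r'''
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header always set Referrer-Policy "same-origin"
Header always set X-Frame-Options "DENY"
Header set X-Permitted-Cross-Domain-Policies "none"
Header always set Feature-Policy "geolocation 'none'; microphone 'none'; camera 'none'"
'''


def parse_directives(block):
    """Return (condition, action, name, value, env) tuples in file order."""
    directives = []
    for raw in block.splitlines():
        tokens = shlex.split(raw, comments=True)  # shlex keeps quoted values whole
        if not tokens or tokens[0] != "Header":
            continue
        tokens = tokens[1:]
        condition = "onsuccess"  # Apache's default table
        if tokens[0] in ("always", "onsuccess"):
            condition = tokens.pop(0)
        action, name = tokens.pop(0).lower(), tokens.pop(0)
        value, env = None, None
        for tok in tokens:
            if tok.startswith("env="):
                env = tok[len("env="):]
            elif value is None:
                value = tok
        directives.append((condition, action, name, value, env))
    return directives


def effective_headers(directives, is_https=True, status=200):
    """Apply the directives in order; return {header: value} as sent for this response."""
    table = {}  # lower-cased name -> (canonical name, value)
    for condition, action, name, value, env in directives:
        if condition == "onsuccess" and status // 100 != 2:
            continue  # only the `always` table reaches non-2xx responses
        if env is not None:
            wanted = not env.startswith("!")           # env=!VAR inverts the test
            present = env.lstrip("!") == "HTTPS" and is_https  # assumption: HTTPS is the only var modelled
            if present != wanted:
                continue
        key = name.lower()
        if action == "set":
            table[key] = (name, value)
        elif action in ("append", "merge"):
            if key not in table:
                table[key] = (name, value)
            else:
                existing = table[key][1]
                parts = [p.strip() for p in existing.split(",")]
                if action == "append" or value not in parts:  # merge skips duplicates
                    table[key] = (name, existing + ", " + value)
        elif action == "unset":
            table.pop(key, None)
        else:
            raise ValueError(f"unsupported Header action: {action}")
    return {canonical: val for canonical, val in table.values()}


def lint_directives(directives):
    """Flag a header written more than once and headers browsers have deprecated."""
    findings, seen = [], {}
    for _, action, name, _, _ in directives:
        seen.setdefault(name.lower(), []).append(action)
    for key, actions in seen.items():
        if len(actions) > 1:
            findings.append(f"{key}: written {len(actions)} times ({', '.join(actions)}); "
                            "a later `set` replaces whatever came before it")
    superseded = {"x-xss-protection": "Content-Security-Policy",
                  "feature-policy": "Permissions-Policy"}
    for key, replacement in superseded.items():
        if key in seen:
            findings.append(f"{key}: deprecated, modern browsers use {replacement}")
    return findings


if __name__ == "__main__":
    directives = parse_directives(HEADER_BLOCK)
    for label, https, status in (("HTTPS 200", True, 200), ("HTTP 200", False, 200),
                                 ("HTTPS 404", True, 404)):
        print(f"== {label} ==")
        for name, value in effective_headers(directives, https, status).items():
            print(f"{name}: {value}")
    print("== lint ==")
    for finding in lint_directives(directives):
        print("-", finding)
```

Running it shows two things the raw config hides: X-Frame-Options arrives as DENY (the later `set` wins over the earlier `append`), and the headers written without `always` (HSTS, X-Content-Type-Options, X-XSS-Protection, X-Permitted-Cross-Domain-Policies) are absent from 404 and other non-2xx responses. Compare against the live site with `curl -sI https://example.invalid/ | grep -i -E 'strict|frame|content-type-options'` (placeholder host).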



Accepted Answer

Hi @twc8ac35a8636,

The Droplet itself should be secured enough. To make sure it stays that way, you’ll need to do updates at least once a week:

  1. apt update
  2. apt upgrade

Why does it install Ubuntu 20.04.5 LTS and not Ubuntu 22.04.1 LTS? Should I upgrade to Ubuntu 22.04.1 LTS? Are there benefits? Speed? Security?

The image itself seems not to have been updated to the 22.04 Ubuntu release. At this point, it’s fine staying with 20.04, but you’ll need to upgrade to 22.04 at some point, so it might be better now rather than later. As for benefits, it’s always better to go to the next release; what comes to mind for me is the kernel, as on 22.04 it’s newer, but there are a lot more improvements which you can read about.

Should any additional Fail2Ban filters be enabled? Currently only the defaults are enabled -

I’m personally not a fan of Fail2Ban when it’s not configured by someone with a lot of experience with it. Fail2Ban can start banning legitimate requests if not configured properly so it’s always better to be careful around it. Additionally, it can cause a load on your system so really be careful.

What you already have should be sufficient for now.

Would you recommend renaming the WordPress admin login wp-login.php? This would make the wordpress-hard and wordpress-soft filters redundant?

Yes and no. It’s good to rename it with a plugin just so that it’s not so easily discoverable; however, most exploits do not come from wp-login but from outdated software.

Is the WordFence plugin overkill?

Would I be right in thinking mod_security isn’t needed because UFW is enabled?

WordFence won’t be overkill. Mod_security, on the other hand, combined with fail2ban, WordFence and so on, would be.

Be careful not to add too many firewalls and security tools, as at some point when something breaks you won’t be able to figure out from where and why.

When it comes to file permissions I followed part of this guide so WordPress can automatically update via www-data - https://devanswers.co/configure-sftp-web-server-document-root/

That’s fine.

Regarding the Apache workers, if you can’t find them they are set to the default values. You can increase them by adding them to Apache’s main config file, but don’t increase them too much as it might become heavy for your Droplet.

Regarding other improvements, what I can recommend is to change your Apache MPM module from prefork to event and install php-fpm. It will greatly improve your experience.
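A worked sizing for the two points in this answer (keep worker limits modest; move from mpm_prefork to mpm_event with php-fpm), added here as an example in Python. It is not from the accepted answer, the poster, or the DigitalOcean image. It estimates the peak memory of the 1200/1200/8000 prefork limits quoted in the question against the 1 GB and 4 GB Droplets, then derives mpm_event and php-fpm limits that fit the available RAM while honouring Apache's rule that MaxRequestWorkers is a multiple of ThreadsPerChild and ServerLimit covers the resulting process count. The per-process memory figures, the RAM reserved for the OS and database, and the 60/40 split between php-fpm and Apache are assumptions to replace with measurements (`ps -o rss` on a busy server), not values from the thread.

```python
"""Size Apache MPM limits from Droplet RAM instead of copying another server's values."""
from dataclasses import dataclass


@dataclass
class Box:
    total_ram_mib: int
    reserved_mib: int = 400        # assumption: kernel, MySQL/MariaDB, fail2ban, sshd
    prefork_child_mib: int = 40    # assumption: mod_php child with WordPress loaded
    event_proc_mib: int = 12       # assumption: mpm_event child process base cost
    event_thread_mib: float = 0.5  # assumption: per-thread stack and buffers
    fpm_child_mib: int = 40        # assumption: php-fpm worker with WordPress loaded
    threads_per_child: int = 25    # mpm_event's default ThreadsPerChild

    @property
    def usable_mib(self):
        return max(self.total_ram_mib - self.reserved_mib, 0)


def prefork_peak_mib(box, max_request_workers):
    """Worst case for mpm_prefork: every worker is a full process with PHP inside it."""
    return max_request_workers * box.prefork_child_mib


def prefork_fits(box, max_request_workers):
    """True when the prefork limit cannot push the box into swap at full load."""
    return prefork_peak_mib(box, max_request_workers) <= box.usable_mib


def event_limits(box, fpm_share=0.6):
    """Split usable RAM between the php-fpm pool and mpm_event.

    MaxRequestWorkers must be a multiple of ThreadsPerChild and ServerLimit must
    cover MaxRequestWorkers / ThreadsPerChild; Apache rounds down otherwise.
    """
    fpm_children = max(int(box.usable_mib * fpm_share) // box.fpm_child_mib, 1)
    apache_budget = box.usable_mib - fpm_children * box.fpm_child_mib
    per_process = box.event_proc_mib + box.threads_per_child * box.event_thread_mib
    processes = max(int(apache_budget // per_process), 1)
    return {
        "ServerLimit": processes,
        "ThreadsPerChild": box.threads_per_child,
        "MaxRequestWorkers": processes * box.threads_per_child,
        "MaxConnectionsPerChild": 8000,   # same recycling value the poster already uses
        "pm.max_children": fpm_children,  # goes in the php-fpm pool file, not Apache
    }


def render_mpm_event_conf(limits):
    """Fragment for /etc/apache2/mods-available/mpm_event.conf."""
    lines = ["<IfModule mpm_event_module>"]
    for key in ("ServerLimit", "ThreadsPerChild", "MaxRequestWorkers", "MaxConnectionsPerChild"):
        lines.append(f"    {key} {limits[key]}")
    lines.append("</IfModule>")
    return "\n".join(lines)


if __name__ == "__main__":
    for ram in (1024, 4096):  # the shared 1 GB Droplet and the planned 4 GB one
        box = Box(ram)
        peak = prefork_peak_mib(box, 1200)
        verdict = "fits" if prefork_fits(box, 1200) else "does NOT fit"
        print(f"{ram} MiB Droplet: prefork MaxRequestWorkers 1200 needs ~{peak} MiB -> {verdict}")
        limits = event_limits(box)
        print(render_mpm_event_conf(limits))
        print(f"php-fpm pm.max_children = {limits['pm.max_children']}\n")
```

The point of the prefork check is that 1200 workers at roughly 40 MiB each is about 48 GB of worst-case memory, far beyond either Droplet, so the value from the other server is a ceiling Apache would never safely reach rather than a tuning. With mpm_event the PHP memory moves into the php-fpm pool, so `pm.max_children` in the pool file becomes the number to size carefully, and the Apache thread count can be comparatively generous.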
