Before launching any website, it's always good to have a proper checklist. This post is the checklist I use before the launch of any web application, fine-tuned for WordPress-based websites, so let's call it the WordPress checklist. The focus, as usual, is performance and security.
WordPress checklist – Performance Factors
- GTmetrix PageSpeed – score 95+
- GTmetrix YSlow – score 95+
- Pingdom Tools – score A grade+
- testmysite – less than 4 seconds
- PageSpeed Insights score – usability 95+
- PageSpeed Insights score – mobile 90+
- PageSpeed Insights score – desktop 95+
- WebPageTest score – A grade
- Load test report – I use loader.io
The above scores are only a guideline. Every website is different and has different needs, and it is very difficult to achieve a high score on all of them. This journal made good grades in almost all the above factors, except for Pingdom. That said, detailed tuning of nginx and PHP-FPM is for another post.
WordPress checklist – Security factors
- WPScan vulnerability scan report – online tool
- Qualys SSL Labs SSL Test – must get A+ (no reason why you should not)
- HSTS preload
- All plugins and the server updated
- Naxsi or ModSecurity WAF installed – I prefer Naxsi
- Disable XML-RPC – this is optional
Basic Nginx hardening is for another journal.
A word on WPScan
WPScan is a godsend tool. If you can't use an online tool for some reason, please use an offline version. Things to note in the WPScan report are:
- Not all positives are true positives.
- Your server should provide minimal information to an attacker. Any version number is an issue for me.
- The fewer plugins exposed in the listing, the better.
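As an added example (not part of the original post), here is a small Python pre-launch check for the two items above that can be verified straight from response headers: the HSTS header meets the preload submission requirements (max-age of at least one year, includeSubDomains, preload), and no version number leaks through Server or X-Powered-By. It assumes header names are already lower-cased, and the sample responses are constructed, not captured from a real site.

```python
import re
from typing import Dict, List

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into directives (names lower-cased)."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_preload_issues(headers: Dict[str, str]) -> List[str]:
    """Return the reasons this response would fail the HSTS preload requirements."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["max-age missing or not an integer"]
    issues: List[str] = []
    if max_age < ONE_YEAR:
        issues.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        issues.append("includeSubDomains directive missing")
    if "preload" not in d:
        issues.append("preload directive missing")
    return issues


VERSION_RE = re.compile(r"\d+\.\d+")  # "nginx/1.18.0", "PHP/7.4.3", ...


def version_leaks(headers: Dict[str, str]) -> List[str]:
    """Names of the usual banner headers whose value carries a version number."""
    return [h for h in ("server", "x-powered-by") if VERSION_RE.search(headers.get(h, ""))]


# Constructed sample responses: a default install and the hardened one.
BEFORE = {"server": "nginx/1.18.0", "x-powered-by": "PHP/7.4.3",
          "strict-transport-security": "max-age=300"}
AFTER = {"server": "nginx",
         "strict-transport-security": "max-age=63072000; includeSubDomains; preload"}
```

Feed it the headers from a real HEAD request against the site and an empty list from both functions is the goal before submitting to the preload list.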
As usual, I keep updating my GitHub with updated files, like the Naxsi or nginx config. Feel free to download them and use them.
I am not perfect by any means, so if there is any improvement you want to add, please feel free to ping me. I will add those as appropriate.