WordPress checklist – Performance Factors
- gtmetrix.com pagespeed – score 95+
- gtmetrix.com yslow – score 95+
- pingdom tools – score A grade+
- testmysite – less than 4 seconds
- pagespeed insights score – Usability 95+
- pagespeed insights score – Mobile 90+
- pagespeed insights score – desktop 95+
- webpagetest score – A grade
- loadtest report – I use loader.io
The above scores are only a guideline. Every website is different and has different needs. It is very difficult to achieve a high score on all of them. This journal made good grades in almost all the above factors, except for Pingdom. That said, detailed tuning of nginx and PHP-FPM is for another post.
WordPress checklist – Security factors
- Qualys SSL Labs – SSL Test – Must get A+ (No reason why you should not)
- HSTS preload
- all plugins and server updated
- Disable XML-RPC – This is optional
Basic Nginx hardening is for another journal.
A word on WPScan
WPScan is a godsend tool. If you can't use an online tool for some reason, please use an offline version. Things to note in a WPScan report:
- Not all reported positives are real positives.
- Your server should provide minimal information to a hacker. Any version number is an issue for me.
- The fewer plugins the report lists as exposed, the better.
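
The HSTS preload item and the version-number item above can both be checked offline against a saved response. The following is an added example, not part of the original journal: the function names are hypothetical, the sample headers and HTML are constructed, and the preload criteria (max-age of at least 31536000, includeSubDomains, preload) are those published by hstspreload.org.

```python
import re

# Constructed sample response (not captured from a real site).
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=15768000; includeSubDomains",
}
SAMPLE_BODY = '<head><meta name="generator" content="WordPress 5.8.1" /></head>'

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
GENERATOR_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]*content=["\']([^"\']+)["\']', re.I)
MIN_PRELOAD_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts

def hsts_preload_problems(headers):
    """Return the reasons an HSTS header would fail preload submission."""
    h = {k.lower(): v for k, v in headers.items()}
    value = h.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header missing"]
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    problems = []
    max_age = next((d.split("=", 1)[1].strip('"') for d in directives
                    if d.startswith("max-age=")), None)
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        problems.append("max-age below 31536000")
    for needed in ("includesubdomains", "preload"):
        if needed not in directives:
            problems.append(needed + " directive missing")
    return problems

def version_leaks(headers, body=""):
    """Return (source, value) pairs that disclose a version number."""
    leaks = [(name, value) for name, value in headers.items()
             if name.lower() in ("server", "x-powered-by")
             and VERSION_RE.search(value)]
    m = GENERATOR_RE.search(body)
    if m and VERSION_RE.search(m.group(1)):
        leaks.append(("meta generator", m.group(1)))
    return leaks

if __name__ == "__main__":
    print("HSTS:", hsts_preload_problems(SAMPLE_HEADERS))
    print("Version leaks:", version_leaks(SAMPLE_HEADERS, SAMPLE_BODY))
```

Feed it the headers and HTML of your own site's front page; an empty list from both functions means these two checklist items pass.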