WordPress deployment tips

Recently an associate of mine used WordPress to deploy their new company website. Since I have been using WordPress for many years, they asked me for some tips on deployment and configuration. I ended up writing an article with my recommendations for deploying and configuring a WordPress site, so here it is.

Deploying and setting up WordPress correctly helps enormously with security, performance and on-site SEO. There are also best-practice approaches to multilingual sites, contact forms, content management and system emails.

You can deploy on a virtual machine that you manage yourself, but then WordPress needs a lot of Linux command-line configuration to harden it and to make performance acceptable. This takes time and needs ongoing maintenance (patching the OS, PHP, the web server and the database, not just WordPress itself). I therefore strongly recommend a specialist managed WordPress host (such as Flywheel): it saves you time, and they guarantee against hacking and provide staging, automatic nightly backups, performance optimisation out of the box and so on.

Important: if you use a managed WordPress host like Flywheel there is not much left for you to do regarding performance and security (apart from combining and minifying CSS/JS files, and keeping WordPress, themes and plugins updated). If instead you intend to install on a self-managed virtual machine, there are many extra things I recommend, detailed in the performance and security points below.

Performance
Use nginx as the web server if your site will have high traffic or traffic spikes. For low traffic either Apache or nginx is fine (I find Apache easier to work with because you can use .htaccess files).
At the time of writing, use PHP 7.3: the latest version of WordPress supports it and it is considerably faster than older, end-of-life versions such as PHP 5.6. Whatever version you pick, keep it on a release that still receives security updates.
WordPress is slow out of the box, so setting up caching is critical. Either do it server side (with Varnish or the web server's own page cache) or with a plugin through the WordPress admin. Good caching plugins are WP Fastest Cache and WP Super Cache. WP Fastest Cache works by writing static HTML copies of pages and serving those, so it gives extreme performance when there is no dynamic content and it is set up right. Whichever you use, make sure cached pages are never served to logged-in users or for wp-admin and wp-login.php, otherwise one user's personalised page (or admin session) can end up being served to another visitor.
WordPress renders pages with multiple JavaScript and CSS files, depending on the theme and/or plugins in use. If many are present, performance suffers because of the number of requests. It is best to combine them into fewer files and minify the content, which plugins can do: most caching plugins have options to combine and minify CSS/JS. If you cache server side (instead of with a caching plugin), look at the Autoptimize plugin, which handles only combining and minification, without caching.
A Content Delivery Network improves performance, especially if your users are spread across the globe. Cloudflare is the easiest way to take care of this, but Amazon CloudFront, Azure CDN, MaxCDN and many other providers do it well and may just be more complex to set up. A managed WordPress host should be able to provide a CDN solution.
When WordPress is optimised, pages should appear to load almost instantly. Any noticeable slowness points to an underlying issue.
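Here is an added example of the server-side caching option for a self-managed nginx server; it is not code from the original article or from any of the plugins mentioned. The POSIX shell function below writes an nginx FastCGI page-cache snippet; the cache directory, zone name, PHP-FPM socket and file names are this example's own assumptions and need adjusting for your server. The security-relevant part is the bypass rules: requests from logged-in users (identified by the wordpress_logged_in_ cookie), the admin area, the login page and POST requests must never be served from, or written into, the shared cache.

```shell
#!/bin/sh
# Added example, not from the original post: writes an nginx FastCGI page
# cache config for WordPress. Paths, zone name and socket are assumptions;
# adjust them for your server. Include wp-cache-http.conf inside http {}
# and wp-cache-server.conf inside the WordPress server {} block.

write_nginx_wp_cache() {
    out=$1                       # directory to write the two files into
    cat > "$out/wp-cache-http.conf" <<'EOF'
# http {} context: on-disk cache, 100 MB key index, entries unused for 1 day expire
fastcgi_cache_path /var/cache/nginx/wp levels=1:2 keys_zone=wpcache:100m inactive=1d;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
EOF
    cat > "$out/wp-cache-server.conf" <<'EOF'
# server {} context. $skip_cache=1 means: neither read from nor write to
# the cache for this request.
set $skip_cache 0;

# Never cache form submissions or URLs with query strings (search, previews).
if ($request_method = POST) { set $skip_cache 1; }
if ($query_string != "") { set $skip_cache 1; }

# Admin, login, cron and the REST/XML-RPC endpoints are per-user or dynamic.
if ($request_uri ~* "/wp-admin/|/wp-login\.php|/wp-cron\.php|/xmlrpc\.php|/wp-json/") {
    set $skip_cache 1;
}

# A logged-in user (or a comment author) gets a personalised page; serving
# it from a shared cache would leak it, and storing it would poison the
# cache for anonymous visitors.
if ($http_cookie ~* "wordpress_logged_in_|wp-postpass_|comment_author_") {
    set $skip_cache 1;
}

location ~ \.php$ {
    try_files $uri =404;                       # no PHP execution for non-existent paths
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: PHP-FPM socket path
    fastcgi_cache wpcache;
    fastcgi_cache_valid 200 301 302 10m;       # keep successful pages 10 minutes
    fastcgi_cache_bypass $skip_cache;          # do not read a cached copy
    fastcgi_no_cache $skip_cache;              # do not store the response
    add_header X-Cache $upstream_cache_status; # HIT/MISS/BYPASS, handy for testing
}
EOF
}

# Sanity check: every bypass trigger must be present in the generated file.
check_nginx_wp_cache() {
    f=$1/wp-cache-server.conf
    for needle in fastcgi_cache_bypass fastcgi_no_cache wordpress_logged_in_ wp-admin wp-login; do
        grep -q "$needle" "$f" || return 1
    done
    return 0
}
```

After reloading nginx, request a page twice as an anonymous visitor and check the X-Cache header goes from MISS to HIT, then repeat while logged in and confirm it stays BYPASS.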

Security
Due to its popularity WordPress is a target for bots and hackers, so it is critical that you harden your install, otherwise getting hacked is likely (I have fixed hacked WordPress sites about 20 times). Guidelines for hardening a server running WordPress are in the official documentation; read and implement the recommendations here: Hardening WordPress
Vulnerabilities are most often found in outdated themes and/or plugins. I recommend a custom-made theme (an off-the-shelf theme from somewhere like ThemeForest increases the risk of being hacked, particularly when it bundles premium plugins that cannot be updated through the normal WordPress update mechanism). Only use plugins that are critical, and delete, rather than merely deactivate, any theme or plugin you do not use: deactivated code on disk can still be reached directly by an attacker. Keep core, themes and plugins updated.
Use long, unique passwords (and two-factor authentication for administrators where your host or a plugin supports it), and use a plugin that limits the number of login attempts within a time period from the same IP to slow down brute-force attacks. Note that xmlrpc.php also accepts username/password authentication, and its system.multicall method lets a bot try many passwords in a single request, so either disable XML-RPC or rate limit it too.
It is also a good idea to change the URL of the default WordPress login page; the Rename wp-login.php plugin does that easily. This only cuts down bot noise (it is obscurity, not a control), so it complements rather than replaces the login limits above.
Make sure file permissions are set up correctly: directories 755, files 644, wp-config.php 440 or 400, and the files owned by a user other than the one the web server runs as wherever your setup allows it. Also set the DISALLOW_FILE_EDIT constant to true in wp-config.php so the built-in theme and plugin editor cannot be used to write PHP from a compromised admin account.
WordFence is a good firewall plugin that I have used for years. It does many things, one of which is to alert you if it appears your site has been compromised (its scan compares your core, theme and plugin files against the originals in the WordPress repository).
The best protection against the eventuality of being hacked is scheduled automated backups. I recommend BackWPup for this. Schedule backups to an off-site location such as Amazon S3 so that, even if your site is wiped, you can have a historic version running in no time. Keep several generations rather than just the latest, since a compromise is often discovered weeks after it happened, and test a restore at least once.
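As an added example for the login-hardening and file-permission points above (it is not code from the original post, the WordPress project or any plugin), here is a POSIX shell script for a self-managed install. It applies the permission baseline from the Hardening WordPress guide, inserts DISALLOW_FILE_EDIT into wp-config.php, writes an nginx snippet that rate limits wp-login.php, blocks xmlrpc.php and refuses to execute PHP under uploads, and counts PHP files in the uploads directory as a quick compromise check. The function names, output paths and the PHP-FPM socket are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the WordPress project: a
# hardening script for a self-managed install. Function names, paths and
# the PHP-FPM socket are assumptions; adjust them for your server.

# Symbolic mode of a path (e.g. drwxr-xr-x); avoids stat(1), whose flags
# differ between GNU and BSD.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Permission baseline from the hardening guide: directories 755, files 644,
# wp-config.php 440. 440 assumes the PHP process owns the file or is in its
# group; use 640 if that is not how your users are set up.
harden_wp_files() {
    root=$1
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 440 "$root/wp-config.php"
}

# Insert DISALLOW_FILE_EDIT before the "stop editing" marker (i.e. before
# wp-settings.php is loaded) so a hijacked admin account cannot use the
# theme/plugin editor to write PHP. Idempotent; appends if the marker is gone.
disable_file_editor() {
    cfg=$1/wp-config.php
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
    awk -v line="define('DISALLOW_FILE_EDIT', true);" '
        /stop editing/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Count PHP files under wp-content/uploads. Uploads never need to execute
# code, and that directory is where dropped web shells usually land.
count_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | wc -l | tr -d ' '
}

# nginx: one shared zone (http {} context) plus server {} rules.
# limit_req: one login attempt per second per client IP, short bursts allowed.
# xmlrpc.php is denied because system.multicall lets one request carry many
# credential guesses. PHP under uploads is never handed to PHP-FPM.
write_nginx_login_hardening() {
    out=$1
    cat > "$out/wp-login-http.conf" <<'EOF'
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/s;
EOF
    cat > "$out/wp-login-server.conf" <<'EOF'
location = /wp-login.php {
    limit_req zone=wplogin burst=5 nodelay;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: PHP-FPM socket path
}
location = /xmlrpc.php { deny all; }
location ~* ^/wp-content/uploads/.*\.php$ { deny all; }
EOF
}

# Run everything: $1 is the WordPress root, $2 the directory for nginx snippets.
harden_wp_install() {
    disable_file_editor "$1" && harden_wp_files "$1" && write_nginx_login_hardening "$2"
}

# Usage: sh harden-wp.sh /var/www/example.com [/etc/nginx/snippets]
if [ $# -gt 0 ]; then
    harden_wp_install "$1" "${2:-/etc/nginx/snippets}"
    echo "PHP files found under uploads: $(count_php_in_uploads "$1")"
fi
```

Include the two generated files from the http {} and server {} contexts respectively, run nginx -t, and reload. Any non-zero count from the uploads check deserves a look before you assume the site is clean.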

Onsite SEO
A clean install of WordPress is not optimised for SEO. Yoast SEO is currently the number one SEO plugin in my opinion and takes care of all the core on-site SEO: page titles, meta descriptions, a robots.txt editor and an XML sitemap generator, plus options for editing all meta tags. Go through all the settings and you will be done with on-site SEO quickly and easily. Check out the bulk editor; it is very useful.
Make sure you set up clean URLs in the Permalinks settings.
The Redirection plugin is very useful for setting up 301 and 302 redirects if you need them or want to mask download links. It is also great if you change URLs, as it can automatically redirect old pages to new ones when a slug changes.

Content management editor
The default editor in WordPress changed not so long ago (with version 5) to a block editor that is less developer friendly and seems aimed at non-technical users. For that reason many people install the Classic Editor plugin, which brings the original editor back as a page-editing option. It gives you more control over the underlying HTML and, in my opinion, is easier to work with.

Contact forms
If your site has contact forms, Contact Form 7 is one of the most widely used plugins and the only one I have used, but I think it is getting old now and there may be better ones on the market. Check here for more info: Comparison of contact forms
If you use a form, bots will identify it as a WordPress form and most likely spam it heavily. Google reCAPTCHA is the only effective way I know of to stop this (a plain captcha does not stop the spammers). You do not need the visible checkbox and challenge: reCAPTCHA v3 runs invisibly, scoring each submission in the background, and the form plugin verifies the result server side using your secret key. Keep that secret key out of theme files and version control.

If your site sends email (for contact forms or user sign-ups), it is easy to configure it to use SendGrid or Amazon SES; there are plugins for both. Alternatively, relying on WordPress's built-in wp_mail(), which uses PHP's mail() function, works provided the server IP is not on any spam blocklist. In either case publish SPF (and, where the provider supports it, DKIM) records for the sending domain, or your mail will end up in spam folders.

If you want a multilingual site, WPML is the best and most mature plugin solution. It requires a paid subscription, but it is worth it and is extremely well documented and maintained. I have used it for years on several sites and would not look elsewhere.
An alternative, newer and free, is Polylang. I have never used it but think it is worth a look, as I have read good things about it.