We've been reluctant to host WordPress sites for clients based on the performance and security issues with WP. We've done a few small ones for family or friends (cohabiting with our other sites on our VPSs), but they don't have the same performance expectations that our clients do.

At the moment we have several clients who want us to provide WP blogs or sites. So it's time to bite the bullet and set up a Linode config that is optimized for WP. I don't know how many WP sites can comfortably coexist on a 1GB or 2GB Linode (WP is a RAM hog), though I assume it's primarily based on overall traffic of all the sites (correct me if I'm wrong).

Based on your experiences, here's what I'm looking for regarding hosting WP sites:
- is there a particular distro that seems to perform better?
- does apache, nginx or nginx in front of apache perform best?
- what PHP implementation (mod_php, fast-cgi, fpm, etc) performs best?
- what PHP caching (zend, apc, xcache, etc) performs best?
- does postgresql perform better than mysql, and are there any positives or negative to using postgresql with WP?
- does memcached help?
- are there specific tunings for any apache/nginx, php/fast-cgi/fpm, mysql/postgresql, etc that you've found to be beneficial?
- what WP plugins have you found to negatively affect performance?
- what WP plugins have you found that offer nice features with a low performance hit?
- which WP security plugin(s) to use? Better WP Security? Bullet Proof Security? Others?


I'm also looking for any positive or negative experiences you've had with hosting or supporting WP sites.

We've all had our swings and misses, and I'd like to learn as much as I can from the mistakes of others as well as my own. Trial and error has its place, but I've found it's usually a better idea to ask those who know more than I do.

Any feedback would be appreciated.


Thanks,
James

For most of your points I just treat WP as any other PHP site.
Wordpress doesn't support postgresql out of the box so stick with mysql or a drop in replacement (mariadb, percona).
I use wp better security and find it's easy to use, has no performance impact and does a good job.
APC works fine I wouldn't bother with xcache etc.
Your biggest performance improvement will be through caching, using either varnish or nginx's fastcgi cache, I personally use nginx, below is a snippet of the cache rules

set $nocache "";
if ($http_cookie ~ (comment_author_.*|wordpress_logged_in.*|wp-postpass_.*)) {
  set $nocache "Y";
}

fastcgi_cache wordpress;
fastcgi_no_cache $nocache;
fastcgi_cache_bypass $nocache;
add_header X-Cache-Status $upstream_cache_status;

This basically means if the browser sends a wordpress specific cookie i.e. they made a comment or are logged in they bypass the cache, anonymous users get the cached page.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue

If you get the caching set up right, you can host lots of WP sites on a 1gb Linode. If you think there will be tons of people using the admin sections at same time or carts (not cached), then you may need to consider larger memory resources though. Caching is the key...has been for me. Before right setup, cpu was all over the place, once in place, cpu is under control.

- what PHP implementation (mod_php, fast-cgi, fpm, etc) performs best?
FPM from what I've read performs better, it's what I've been using and been good so far.

- what PHP caching (zend, apc, xcache, etc) performs best?
Currently using PHP APC for objects, memecached for database, then W3Total Cache to manage the caching and page cache. I tried Varnish and some WP plugins to manage it, but it always caused issues with ecommerce or maybe I just couldn't figure out how to configure it right to avoid tha issue. W3TC has been fine and you can configure it to work with plugins like Woocommerce. For example, with wrong config and a cart widget, the widget will not update and you click around the site after adding/deleting cart items. PHP APC causes issue in WP admin all the time, have to reload or restart it for some admin section updates to be visible in browser

- does postgresql perform better than mysql, and are there any positives or negative to using postgresql with WP?
Using MariaDB with some caching as well.

- does memcached help?
It appears to have helped in speed and resource conservation.

- what WP plugins have you found to negatively affect performance?
None really, just woocommerce is resource intensive when working with it in the admin.

- what WP plugins have you found that offer nice features with a low performance hit?
Gravity forms, contact form 7 all work fine for me...as does MainWP to manage several sites from same dash.

- which WP security plugin(s) to use? Better WP Security? Bullet Proof Security? Others?
NinjaFirewall has been good so far...

I'm also looking for any positive or negative experiences you've had with hosting or supporting WP sites.
Only things that bugs me is APC caching WP admin screens. I'll run the auto update for WP and page refreshes as if I didn't just do it. Reload APC and the update is visible.

+1 for pure nginx with fastcgi_cache and php-fpm (no apache).

For Wordpress there's an nginx helper plugin that manages cache purging: http://wordpress.org/plugins/nginx-helper/

Your nginx needs to include the third-party nginx_cache_purge module: http://labs.frickle.com/nginx_ngx_cache_purge/ This is not included in the open-source build from nginx.org or distro repos.

The simplest setup if starting from scratch is to install Debian 7 and use the dotdeb.org repository. That will give you nginx with the cache purge module and a choice of php 5.4 or 5.5.

Some reading:

http://nginx.org/en/docs/http/ngx_http_ ... tcgi_cache
https://rtcamp.com/wordpress-nginx/tuto ... h-purging/

_________________
sleddog

Thanks a lot for the feedback guys. This will save me time and frustration.


James

varnish - nginx - php5-fpm - apc- memcached

varnish can be a little fiddly but once you have the config correct it works like a charm. I try to always go away from plugins and do optimisation serverside, try google's pagespeede module for nginx. Get APC up and running too.

With this setup you'll easily be able to handle up to a hundred wordpress installations (i do).

MySQL for database, one of the most popular and any question I've ever had has been answered on the internet in a matter of hours.

Steer clear of Contact form 7 if you're REALLY picky about page load times as it loads it's files onto every page and quite 'heavy'.

My security of choice: Better WP Security

... though the more you learn the less you need it.

you can easily exclude the wp-admin screen from being cached by APC.

Ubuntu 12.04 is probably the most stable and easiest to get started with in my opinion.

Good luck

_________________
My Website: http://www.paulthomson.me

Can you share this piece, would be a big help.

Thanks for the feedback, LiveFree.

Ubuntu 12.04 LTS. MySQL, and nginx as a reverse proxy with Apache works well for me (plus APC and Memcached). I use the W3 Total Cache plugin on all live sites (can take a while to get used to all its many settings, but once you master it it works really well).

I don't use a security plugin. Where possible I limit the IP addresses that are able to access the wp-login.php URL via .htaccess. If this isn't possible, because of dynamic IP address allocation or multiple login locations, I password protect the wp-login.php URL via .htaccess - it adds an extra login step for clients, but I just explain to them that it's for their benefit (and mine obviously) and send them the URL to an article about the botnet(s) that are constantly on the search for weakened WordPress installs. I also follow the tips given here:

http://codex.wordpress.org/Hardening_WordPress (loads of good advice)

One thing I always do is move a WordPress install's wp-config.php file to an arbitrary directory, a directory out of the web root, somewhere not directly accessible via the web (how to do so is included in the above URL). There's been a lot of discussion about the usefulness of this - http://wordpress.stackexchange.com/questions/58391/is-moving-wp-config-outside-the-web-root-really-beneficial - but I can't see how it's not a good thing to do. I also include a rule in the document root's .htaccess file preventing access to the 'dummy' wp-config.php file that contains the PHP include command.

Re Contact Form 7, I use it on all my WordPress sites. If you want to prevent it loading its CSS and JS code on every page of your site, add this to your wp-config.php file:

define('WPCF7_LOAD_JS', false);
define('WPCF7_LOAD_CSS', false);

... and this to your WordPress theme's contact page template:

<?php
   if ( function_exists( 'wpcf7_enqueue_scripts' ) ) {
      wpcf7_enqueue_scripts();
      wpcf7_enqueue_styles();
   }
?>

... Contact Form 7 will then load its CSS and JS code on the contact page only.