optimizing wordpress
TRANSCRIPT
Optimizing Wordpress/PHPOptimizing Wordpress/PHP webserver performance
and protecting your server from common security exploits and attacks
prepared especially for:
WordCamp 2010 Philippinesp pp
October 2, 2010
Target AudienceTarget Audience
• WordCamp Philippines 2010p pp– Developer Track talks– NetrepreuneursVPS U– VPS Users
• This is NotThis is Not– For change‐resistant people– For those afraid of the unix shell– For those on shared hosting– For those looking for a talk on MS IIS or Microsoft Anything.Anything.
Why Optimize?Why Optimize?
• Visitors Attention span is small.p– Need to load FAST
• Google ranks faster loading pages higher than lslow ones
• Be ready to get slashdott’d or digg’d• Save money on server costs• Save money on server costs. • Save sleep and reduce server downtime. • Offer more value and specialization to yourOffer more value and specialization to your clients.
• Increase your lifespan and overall happiness!
Serving your PHP: Quick HistoryServing your PHP: Quick History
• The web outgrows CGI ‐> mod php for Apache e eb outg o s CG od_p p o pac eintro’d around same time as FastCGI (~1995)
• The practice of bundling a single interpreted p g g pinstance of php with the httpd became more prevalent and FastCGI fell to wayside.
• For the past 15 yrs Apache has dominated the Internet’s httpd server landscape. To this day, 57 12% of all sites run on Apache Addntly57.12% of all sites run on Apache. Addntly, mod_php is the most popular apache module, running on over 20mm hosts as of 4/2007. g /
mod php weaknessesmod_php weaknesses
• Slow, Fat &InsecureS o , at & secu e• Bloated footprint.
– Every httpd process is tied to the mod phpy p p _p pinterpreter. This means all files, incl. css, js are served with mod_php tied to httpd. Unnecessary and set trend for development of non‐threaded phptrend for development of non threaded phpextensions
• Security – Every php script must be run by the user defined in your httpd.conf. Different scripts all have same non‐privileged access creating a security vulnerabilityprivileged access creating a security vulnerability
OSS ProliferationOSS Proliferation
• The proliferation of open source software hasThe proliferation of open source software has created netrepreneurs and a need: Affordable Performance and ScalabilityPerformance and Scalability.
• There are many alternatives now to fill the void left by Apache and mod php Today wevoid left by Apache and mod_php. Today we cover the russian NGINX (engine‐X) httpdproxy serving to php fpm (forked processproxy serving to php‐fpm (forked process manager) sockets.
What is NGINX?What is NGINX?
• Nginx is a lightweight high‐performanceNginx is a lightweight, high performance reverse proxy load balancer web server
• Best known user is Russian search engine• Best known user is Russian search engine, rambler. 500,000,000 requests per day
N i i h d d i• Nginx is asynchronous and event‐driven , ‘streaming’, apache is threaded and slower
Performance ComparisonPerformance Comparison
• First, let’s talk an Apples vs. Apples comparison, , pp pp p ,(OS, Hardware & benchmarking tools) both Tested on:
Virtual Images: Sun VirtualBox OSE v3 2 8 on debian– Virtual Images: Sun VirtualBox OSE v3.2.8 on debian‐6.0‐unstable guest
– Intel Core Duo 1.667GHz– 1024MB RAM– Debian‐5.0‐STABLE, kernel 2.6.26‐2– siege 2 66siege 2.66– ab 2.3– wordpress 3.0.1
httpd detailshttpd details
• Apache ImageApache Image– Apache 2.2.9 mpm‐prefork
Php 5 2 6 mod php– Php 5.2.6 mod_php
– All installed using .deb packages
GINX I• nGINX Image– PHP 5.3.3 w/ php‐fpm
– Nginx/0.7.67
– Both built from source
Benchmark Test DetailsBenchmark Test Details
• Wireless connection out to router ~50m away yand back to VM Image. Ping time <1ms
• Tested a medium sized wp‐blog index page with full range of plugins enabledfull range of plugins enabled
• Siege Tests (3 Tests ea.)– 360s Each360s Each– 3 Concurrency Levels: 15, 40, 90
• ApacheBench Tests (3 Tests ea.)– 1000 Requests– 3 Concurrency Levels, 15, 40, 90
Siege Test: 15 Concurrent ConnectionsHits – Mean Response Time (ms) – Hits /sec
80%
90%
100%
40%
50%
60%
70%
nginx
apache
0%
10%
20%
30%
0%
hits response mean hits/sec
15 apache nginx
hits 1076 1558
responseresponse mean 4.47 2.96
hits/sec 2.99 4.32
Siege Test: 15 Concurrent ConnectionsTotal MB Transf’rd – Shortest – Longest ResponseTotal MB Transf rd Shortest Longest Response
10
12
8
4
6 apache
nginx
0
2
data transferred (MB) shortest response time (ms) longest response time (ms)data transferred (MB) shortest response time (ms) longest response time (ms)15 apache nginx
data transferred (MB) 4.19 6.16
shortest responseshortest response time (ms) 3.66 1.05
longest response time (ms) 9.93 5.79
Siege Test: 40 Concurrent ConnectionsHits – Mean Response Time (ms) – Hits /sec
90%
100%
60%
70%
80%
20%
30%
40%
50%
nginx
apache
0%
10%
20%
hits
response mean
hits/sec40 apache nginx
hits 783 1614
response pmean (s) 17.4 8.31
hits/s 2.18 4.49
Siege Test: 40 Concurrent ConnectionsTotal MB Transf’rd – Shortest – Longest Response
30
35
20
25
apache
10
15
p
nginx
0
5
data transferred (MB) shortest response time (ms) longest response time (ms)
40 apache nginx40 apache nginxdata transferred (MB) 3.05 6.38shortest response time (ms) 4.484 2.09longest response time (ms) 29.67 11.32
Siege Test: 90 Concurrent ConnectionsHits – Mean Response Time (ms) – Hits /sec
70%
80%
90%
100%
40%
50%
60%
70%
nginx
apache
0%
10%
20%
30%
hits response mean hits/sec
90 apache nginx
hits 10 1635
response mean 8.51 18.79
hits/sec 0.03 4.54
Siege Test: 90 Concurrent ConnectionsTotal MB Transf’rd – Shortest – Longest Response
400
250
300
350
100
150
200 apache
nginx
0
50
data transferred (MB) shortest response time (ms) longest response time (ms)
90 apache nginx
data transferred (MB) 0.04 6.47
shortest response Apache Imagetime (ms) 0 1.55
longest response time (ms) 360 20.82
Apache Image Crashed!!!!
Apache ….. Come on!Apache ….. Come on!• Apache used so much memory, drove load avgbeyond 40, here you see mysqld kernel panic
A Quick Word on Virtualized lDevelopment
• Since I’ve been in the RP I easily get frustrated when on a remote ssh developing and my internet or power goes out. Or, I need to work and the venues wifi isn’t working.– Use VirtualBox images for ‘local development’– Build a standard wordpress image – You can use it over and over
again.– Edit your local /etc/hosts file to match the intended hostname
of the final product; point at the IP of your imageof the final product; point at the IP of your image.– Develop and have fun. – You WILL save time, hair and your health this way. You’ll also be
able to get more work doneable to get more work done.– When you’re done then dump your db, tar your wp dir up and
scp her over to the target server.
Build nginx from sourceBuild nginx from source
• Instructions conf files and init scripts up atInstructions , conf files and init scripts up at
• DependenciesLib t– Libevent
– Init.d script
– Fastcgi_params.conf
– Wordpress_params.conf (for clean urls)
– Debian‐style vhost dir’s /sites‐available /sites‐enabled
Build php & php‐fpm from sourceBuild php & php fpm from source• Cool points about php‐fpm:
h d ff– Can run as many php instances as you want on different ports, users, memlimits, timeouts, etc, etc. Each application can have it’s own ‘virtualized’ phpinstallation. These php processes are totally de‐coupled from the webserver. This leaves the webserver to do what it does best – SERVE to the appropriate handlerhandler.
• Dependencies, Instructions , conf files and init scripts up at http://bit.ly/9vkDBA
• Long story short is– Download 5.3.3‐stable, the fpm is built‐in.– Use ./configure –help to see all build flags– At the end you’re going to want to look over and customize the php‐fpm.conf,
php.ini , and build an init.d scriptp p , p• Php‐fpm.conf
– Change default log location to your liking– Change pid to match your init.d script– Tweak the process manager. Set the ‘harakiri’ process suicide timeout
Install memcachedInstall memcached
• Instructions conf files and init scripts up atInstructions , conf files and init scripts up at http://bit.ly/9vkDBA
• Dependencies• Dependencies– libmemcached‐0.41
li 3– sqlite3
Optimizations for WordpressOptimizations for Wordpress
• PluginsPlugins– Quotemarks replacer
• Disables wptexturize function Saves cpu from constantDisables wptexturize function. Saves cpu from constant regex search.
• http://wordpress.org/extend/plugins/quotmarks‐replacer/
– FlexiCache• http://wordpress.org/extend/plugins/flexicache/
• Use memcached
Common Security ExploitsCommon Security Exploits
• mysql not behind iptablesmysql not behind iptables
• Php internal port not behind iptables
h ll i d d k l• ssh allowing password and keyless access
• ssh not on a non‐standard port
QuestionsQuestions
• It’s question & answer time!It s question & answer time!
Thank youThank you
• Thank you to the sponsors and to you forThank you to the sponsors and to you for attending WordCamp Philippines.
• Go get ‘em!
• ‐Eric MalloyA T S l ti• A‐Team Solution
• Revision 0.01 01/10/2010