Reducing Server Resources: Improve Costs, SEO, Conversions & UX
14 years of search engine marketing experience,
worked with many large organisations in Australia
(both in-house and agency side), in a broad range
of industries including: shopping, insurance,
classified and service websites.
Specialising in SEO, but have experience in:
- SEM - Analytics - Social
- Local - Reputation Management
- Email Marketing
A network of 11 travel websites; managing everything from:
- Search Engine Optimisation - Social Media Marketing
- Video & Image Creation - Content Editing
- Web Programming - Website Building
- Affiliate Marketing - AdSense
- Web Analytics - Keyword Research
Web Search Strategist
Not Really!
During my routine inspection of my cPanel interface, I
noticed that my CPU usage and account executions were
significantly higher than normal and were exceeding the
usage limits. From past experience – this usually leads to
trouble…
Surely I was already safe?
Having road-tested a lot of WordPress security plugins in the
past, I thought I was pretty safe from potential hackers,
harvesters and spamming; especially with the built-in
features of Wordfence…
http://www.wordfence.com/
Wordfence – IP blocking
I was blocking whole countries from accessing my websites,
along with individual IPs that have tried accessing my admin
panel and those who were obviously not human visitors
(crawling my website too quickly, but not a search engine)
http://www.wordfence.com/
Wordfence – Firewall
In addition to this, there is a built-in firewall that automatically
blocks IPs based on certain triggers (accessing the site too
quickly, using a username that doesn’t exist, etc)
http://www.wordfence.com/
Redirections – 404 Logs
I also utilise a plugin that logs all 404 errors and easily lets
me implement 301 redirects to stop users from trying to
access those files in the future. I also block their IPs if they
appear to be sniffing for file vulnerabilities.
https://wordpress.org/plugins/redirection/
Ask for help
Since I have had similar issues in the past, I jumped into a
live chat session with my Web Host, who then told me to
launch a support ticket.
<<< ME
THEM >>>
Research admin-ajax.php
I just did a quick Google search and found out what this file
is used for, ways I could minimise the usage, and possible
effects of changing how it works.
Research wp-cron.php
Similar to the previous, I researched what this file is and
what it does. The default configuration of wp-cron is used to
trigger background / maintenance tasks every time a page is
loaded. If you have a pretty basic website, this really isn’t
required, so I limited how often cron jobs are processed.
Some of my themes use Timthumb
Timthumb is a resource heavy script that automatically
compresses and resizes images on the fly.
Since it is somewhat old technology and has been a known
security vulnerability in the past (it’s no longer updated /
supported), I have started to change themes (that’s another
story altogether), but I have also blocked external websites
from triggering the script and hotlinking images.
Awstats – Visiting Countries
Since Google Analytics only monitors pages / users that
trigger the tracking code, it is advised to look into Awstats
instead (this looks at all files on your website).
For an AU based website that normally receives nearly all
traffic from Australia, the stats below looked worrying –
especially the Pages to Hits Ratio.
Awstats – Requested Files
Similar to the list of files provided by the hosting company, I
was also able to view the most requested file on a site basis.
You can see here that xmlrpc.php has been requested an
abnormally high number of times.
Awstats – Visiting IP addresses
Similar to the country report, you can also review the most
active IP addresses. Not only can we see that the ratio
between Pages and Hits is way too low, but an IP trace
shows they are from suspicious countries outside of my
targeted audience.
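The same checks described in the Awstats slides above (most requested files, most active IPs, pages versus hits) can be run directly against the raw access log. This is an added example, not part of the original deck; it assumes Apache combined log format, and the sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

def _line(ip, method, url):
    # Builds one constructed log line in Apache "combined" format.
    return f'{ip} - - [12/May/2015:03:01:10 +1000] "{method} {url} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample traffic (documentation IP ranges, not real visitors).
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/xmlrpc.php")] * 4
    + [_line("198.51.100.23", "POST", "/wp-login.php")] * 3
    + [_line("192.0.2.50", "GET", u) for u in (
        "/", "/wp-content/themes/x/style.css", "/wp-content/uploads/a.jpg",
        "/wp-admin/admin-ajax.php?action=heartbeat", "/about/")]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Static assets count as hits but not as pages.
ASSET_RE = re.compile(r'\.(?:css|js|png|jpe?g|gif|ico|svg|woff2?)$', re.I)
# Endpoints named in this deck that are worth watching for automated traffic.
WATCHED = ("/xmlrpc.php", "/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-cron.php")

def summarise(lines):
    """Return (per-IP stats, per-file request counts) for the given log lines."""
    per_ip = defaultdict(lambda: {"hits": 0, "pages": 0, "watched": Counter()})
    files = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, _method, url, _status = m.groups()
        path = url.split("?", 1)[0]  # ignore the query string
        files[path] += 1
        stats = per_ip[ip]
        stats["hits"] += 1
        if not ASSET_RE.search(path):
            stats["pages"] += 1
        if path in WATCHED:
            stats["watched"][path] += 1
    return per_ip, files

def suspicious_ips(per_ip, min_watched=3, min_share=0.8):
    """IPs whose traffic is almost entirely requests to watched endpoints."""
    flagged = []
    for ip, stats in per_ip.items():
        watched = sum(stats["watched"].values())
        if watched >= min_watched and watched / stats["hits"] >= min_share:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    per_ip, files = summarise(SAMPLE_LOG)
    print("Most requested:", files.most_common(3))
    print("Review before blocking:", suspicious_ips(per_ip))
```

The flagged list is a starting point for manual review in a tool such as the IP Deny Manager; a normal visitor who loads pages, styles and images, like the third sample IP, is not flagged.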
IP Deny Manager
With the IP addresses in hand, I used the IP Deny Manager
tool to start blocking these suspicious IPs from accessing
my website. The good thing about this is that it applies the
blocks across all your websites at once.
I also added additional countries to Wordfence.
An email I get at 3am in the morning
So let’s just say it was not very fun waking up to this –
especially since everything was fixed… that and I already
flagged potential issues that I was looking into.
The major issue:
Current Suggested
Not only were the suggested upgrades overkill for what I
need, but the closest hosting upgrade is more than
4 times the price.
What I responded with:
ME >>>
<<< THEM
So they unblocked my website, but
I pretty much had 24 hours to turn
things around or I would be
blocked again.
Block and block some more
Using a combination of Awstats & the IP Deny Manager, I
reviewed the list of recently visited IP addresses and further
blocked anything suspicious.
Spyder Spanker - Settings Panel
Blacklist Whitelist
IP Blocking
Country Blocking
http://spyderspanker.com/
Spyder Spanker – Project Honeypot
If a visitor doesn’t get matched to your whitelist or
blacklist, their IP is submitted to Project Honeypot
where they are matched against an up-to-the-minute
list of comment spammers, harvesters, hackers and
suspicious IPs.
http://spyderspanker.com/
EWWW Image Optimiser
A great free and easy to use WordPress plugin that
bulk optimises your existing image files and
optimises new images on the fly.
https://wordpress.org/plugins/ewww-image-optimizer/
Caching Plugins
So even though I was using the built-in
mod_pagespeed Apache module provided by my
webhost, there were several things that I wasn’t able
to implement and the settings were quite basic… so
I went looking around.
https://www.w3-edge.com/products/w3-total-cache/
W3 Total Cache
After road-testing several plugins by looking at their
configuration options, their functionality, pagespeed
scores and page loading times, I settled on W3
Total Cache for its manual control of JavaScript
minifying and deferring and cache settings.
Here are some of the key benefits of these plugins:
https://www.w3-edge.com/products/w3-total-cache/
W3 Total Cache: Setting Examples
- Manual control of JavaScript delivery
- CDN support for popular providers
- Full control on the file types to cache / CDN deliver
https://www.w3-edge.com/products/w3-total-cache/
CDN Delivery
“A content delivery network (CDN) is an
interconnected system of cache servers that use
geographical proximity as a criteria for delivering
web content.”
Which CDN provider to use?
Apart from reading a lot of online reviews and
endorsements, I also used a few calculators that would
compare pricing on monthly bandwidth and traffic origin.
Some providers have the nerve to charge extra for different countries and also
will look to charge you a flat fee regardless of how much data you use. http://www.cdncalc.com/
http://www.webperformancetoday.com/2014/04/09/web-page-speed-affect-conversions-infographic/
My server resources normalised
I got a response back from my web host that
server resources have fallen back to normal rates
and that the ticket has been closed.
If anything, these are the lowest they have
been in a long time, which means I can afford
to use additional plugins and launch more
websites to maximise my existing hosting
package.
CDN Impact
You can see from the bandwidth graph below that
even though my website traffic increased, the data served
from my server has fallen considerably. This is an indication
that content is being served via my CDN by the closest data
centre for users.
Pagespeed: Before & After
Measuring 2 different websites using the same theme on the
same host, we can see that the one that uses W3 Total
Cache and EWWW has halved its page load time, is 520k
lighter and has 16 fewer requests – even though website A is
loaded with affiliate widgets and AdSense units.
Website A
Website B
Website A Performance: Pre vs Post changes
Using the same website and the same testing tool, we can
see that by using EWWW, we successfully trimmed 500k
from the page weight, and due to the improved code & asset
delivery, the website’s visual progress has improved by 1
second at both the 50% and 100% marks.
Summary
So even though I have added several new plugins to my
website to make it more secure and to improve delivery, I
have actually negated any noticeable impacts by installing
them.
Even though I was pretty confident with mod_pagespeed’s
out of the box functionality, it actually goes to show that you
can always go that little bit further to improve your results,
and you shouldn’t become
complacent believing what you have
is always the best solution – test, test
and test again – and forever strive for
the best results possible (backed up
by actual data).
Final Advice
• Monitor your website, check your stats and logs
• Utilise plugins / modules to automatically block bad bots /
visitors
• Block whole countries that serve no purpose accessing
your website
• Lock down your login page
• Utilise plugins / systems to make your website load faster
and reduce your page weight (it’s part of the Google
Algorithm and great for UX)
• Use a CDN – they are actually very cheap – even if you
host locally
• Forever test!
Follow Me
https://www.facebook.com/HolidayPointAU
https://twitter.com/HolidayPointAU
https://plus.google.com/+HolidaypointAu
http://www.flickr.com/photos/holidaypointau/
http://pinterest.com/holidaypointau/
http://www.youtube.com/user/HolidayPoint/
http://www.holidaypoint.com.au/