‹ Back



Deploying Secure, Fast, Static WordPress Sites

Dennis Plucinik • February 28, 2018

The basic premise of this setup is that WordPress is a difficult application to secure, so let’s get it out of the picture entirely.

This solution may not seem intuitive at first but if you understand how all the components of a website’s infrastructure hang together, you’ll understand how this makes for the fastest loading and most impenetrable WordPress site possible.

WordPress brings many points of vulnerability, with new exploits discovered regularly. In fact there is a constant cyber-war raging between an army of bots, and teams of dedicated cyber-security professionals.

WordPress itself employs 50 experts who find and deploy fixes for security flaws on a daily basis.

We’re going to accomplish performance AND security goals in one shot, by generating a static site version of WordPress and hiding the WordPress installation itself from potential attackers.

At ATTCK, we followed this setup for our work with the United Nations Framework Convention on Climate Change Momentum for Change 2015 Annual Report.

You can view the Case Study here: https://attck.com/work/united-nations/

There are several basic principles that, frankly apply to any web application, including server security, file access limitations, and password strength. WordPress-specific risks can traditionally be mitigated by simple things like limiting plugin usage to only trusted sources and keeping them updated along with updating the WordPress core itself. Or by preventing brute force attacks by changing defaults like login URL location, security salts, and file access and ownership setting, among others.

But sometimes this isn’t enough.

Taking precautions even further, we can even abstract WordPress from the picture entirely by using a static site generator, like Simply Static or WP Static HTML Output to publish an HTML version of the site that never even touches a database. In these cases, we host the admin authoring instance on a private password-protected staging site. We can use any Continuous Integration service, like CircleCI, or CodeShip, to automatically deploy newly published site files to S3, via AWS CodeDeploy.

Here is what the basic infrastructure looks like


In addition, we can schedule a nightly backup of the site alongside uptime monitoring, automated integration tests, and file integrity scans to make sure any changes to the site content or outages are immediately reported to our team.

We can even further increase performance in two ways:

  • Deploying a cloud based WAF (Web Application Firewall), like CloudFlare or CloudFront.
  • Hosting all static assets (including HTML files) on Amazon S3

There are, however a few important caveats to this solution worth mentioning.

It may not seem obvious but a static site has no database.

This means, any plugin or feature you use that requires DB access for each will not work. Think, related posts, SEM retargeting, site search, or even commenting. There are, however some workarounds for embedding third-party, JavaScript based solutions like Disqus, or Heap for A/B testing.

There are many other things you can do to strengthen your WordPress site’s security if static site generation isn’t right for you. Read more on our article, Top 3 WordPress Security Plugins, to get started.

If you need reliable WordPress development services, please email us at [email protected] or click the “Start Your Project” button below.


Further Reading