Creating a Fast, Secure Website
Introduction
I recently moved my website from an OVH hosted solution to an OVH VPS (virtual private server). Doing things yourself is often much cheaper, but it can be more complex. Web solutions like Squarespace offer fast, reliable hosting which scales to sudden demand. However, at £10 a month it is nearly three times more expensive than my VPS, and it is possible to get the same level of performance and scaling thanks to Cloudflare.
Setup
This guide isn’t about how to set up a Linux server; there are already plenty of guides out there for that. I can recommend the Digital Ocean guide for this. What you will need:
- A server running Linux (or Windows, but the aim is low cost); for stability I recommend an LTS version
- Apache or Nginx web server
- PHP and a MySQL database
- Certbot
- Wordpress (or another CMS)
- Unattended Upgrades
The great thing about content management systems is that they decouple the website from the web server. When setting up my current configuration I was able to set everything up, then just migrate my Wordpress database using a plugin (WP-migrate, which also changes all the internal links for you).
Security
Certbot is often mentioned in server setup guides, since there is no reason not to use TLS. Once you have everything set up (including Cloudflare), I recommend running your site through Mozilla Observatory, which gives websites a security rating based on adherence to best practices. (Note that this only covers the HTTP layer; you still need to keep your server and software up to date, since PHP is notorious for vulnerabilities. Unattended Upgrades can really help with this.)
(Note: I have recently discovered a problem with Certbot. Cloudflare appears to be interfering with the certificate renewal process, probably by caching the page generated for authentication. I am yet to find a proper workaround for this. Currently I pause Cloudflare, run Certbot –
Cloudflare also adds an extra layer of security, IP obfuscation. While security through obscurity isn’t a good practice to rely on, it still helps. All domain requests for your site will go to Cloudflare, who will fetch un-cached content from your web server. This is done to reduce load on your server, but has the added benefit that there shouldn’t be any records relating the domain to the server IP address (unless there are old DNS records still accessible). This doesn’t make your server unreachable, just hard to find.
Cloudflare
Now we get to the heart of this article, using Cloudflare to make your server appear to be faster than it actually is.
Take a look below; my site load time from London isn’t bad because the server is hosted there. Run the test again, and it’s a little faster now that it has been cached.
Then I tested it from Sydney, which is understandably slow due to the thousands of kilometres for the data to travel. Running it again, now it’s been cached, it loads 25 times faster!
As soon as the site has been cached anyone loading the site will be directed to the closest geographical Cloudflare data centre. If it isn’t found then it will be fetched from your server. As of writing, Cloudflare has 155 data centres around the world so even if you get a worldwide spike in traffic, each page will be loaded a maximum of 155 times until the cache expires.
Important Settings
Let’s have a look at which settings you need to make sure your site is properly cached and secure. In tab order from the Cloudflare dashboard:
- DNS – You need to set the DNS servers for your site in your domain registrar’s control panel. A combination of Cloudflare’s guide and Googling should help achieve this. Note, it can take some time for DNS updates to propagate and become active.
- SSL – Full (Strict) – This means the pages are fetched by Cloudflare using HTTPS and delivered to users with it as well.
- Always use HTTPS – Never serve your site over HTTP!
- HSTS (On, 12 months, include subdomains, preload) – This means that browsers will know to only load your site over HTTPS and will refuse to load it if a certificate error is found. This can cause issues if you try domain redirections.
- Minimum TLS Version – 1.2, or 1.1 if you need old browsers to reach your website (1.0 really shouldn’t be used).
- Opportunistic Encryption – On
- Onion Routing – On (if you want to allow Tor traffic)
- TLS 1.3 – Enabled
- Automatic HTTPS re-writes – On
- Security Level – Medium (provides best balance between security and usability)
- Auto Minify – JavaScript, CSS, HTML (will reduce page size delivered to browsers by removing the human readable formatting in code, since it is read by a browser not a human)
- AMP – Can be faster for mobile loading, but I leave it off since I don’t want a bunch of Google code added.
- Brotli – On
- Rocket Loader – Off (Fails SRI check)
- Mobile Redirect – only if you have a dedicated mobile version
- Browser Cache Expiration – 4 hours (good balance for me, lower if you update frequently)
- Always Online – On
- Page Rules – See next section
- HTTP/2 – On
- IPV6 – On
- Web Sockets – On
- Pseudo IPV4 – Off
- IP Geolocation – On
- E-mail address obfuscation – Off (I found it hid e-mail examples in a post I wrote)
- Server-side excludes – On
- Hotlink Protection – Off
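As an added example that is not part of the original post: a small Python check of the “Always use HTTPS” and HSTS settings listed above (12 months, include subdomains, preload), run offline against constructed response headers rather than a live site.

```python
"""Offline checks for the 'Always use HTTPS' and HSTS settings above.
The sample headers at the bottom are constructed, not captured from any real server."""
import re

TWELVE_MONTHS = 365 * 24 * 60 * 60  # 31536000 seconds, Cloudflare's "12 months" setting


def parse_hsts(value):
    """Split a Strict-Transport-Security header into (max_age, set of flags)."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    flags = set()
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
        else:
            flags.add(d)
    return max_age, flags


def hsts_findings(headers):
    """Return the ways a response falls short of
    'HSTS on, 12 months, include subdomains, preload' (empty list = compliant)."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["HSTS header missing"]
    problems = []
    max_age, flags = parse_hsts(value)
    if max_age is None or max_age < TWELVE_MONTHS:
        problems.append("max-age below 12 months")
    if "includesubdomains" not in flags:
        problems.append("includeSubDomains missing")
    if "preload" not in flags:
        problems.append("preload missing")
    return problems


def http_redirects_to_https(status, headers):
    """'Always use HTTPS': a plain-HTTP request must redirect to an https:// URL."""
    location = headers.get("Location", "")
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


# Constructed example responses (not captured from a real server)
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK = {"Strict-Transport-Security": "max-age=86400"}

if __name__ == "__main__":
    print("good:", hsts_findings(GOOD))   # []
    print("weak:", hsts_findings(WEAK))   # three shortfalls
```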
Page Rules
You get three free page rules, and you are going to need all of them. Firstly you need to turn off ‘Show Toolbar when viewing site’ on all user profiles, otherwise it will get cached and make your site look weird.
The 3 page rules you need are:
- your.domain/wp-login – Security Level: High – Cache level: Bypass
- your.domain/wp-admin – Security Level: High – Cache level: Bypass
- your.domain/ – Cache level: Cache Everything – Edge Cache TTL: a month
The first two rules prevent the login area being cached (otherwise it would all be public) and add some extra protection to the login areas to prevent bots spamming the login. The third rule ensures that whole pages are cached on the rest of the site and will be kept on edge servers for a month. (The edge cache should be as long as possible, as the plugin will automatically purge changes.)
Cloudflare Plug-in
Cloudflare helpfully made a plugin for Wordpress. Don’t bother trying to manage the more limited range of settings here, use the web dashboard for that. What is useful is the option to automatically purge the cache for any pages that have been changed, that way visitors will have the most up to date version straight away.
Results
Your Wordpress site should now load quickly anywhere on Earth. Since a Linux VPS costs around £3.50/month and hosting providers such as Squarespace start at £10/month, the price to performance ratio is great. It is also faster than Squarespace!
On the free plan Cloudflare also caches sites every 7 days for the Always Online service (more details here). If your web server ever goes down, some pages will still be available.