Elliott C. Back: In Aere Aedificare

Wordpress Spam Rate Limiting

Posted in Computers & Technology, Spam, Wordpress, WP by Elliott Back on May 12th, 2007.

I just had a brilliant idea to really slow down the spammers. First, go install mod_limitipconn (it needs mod_status loaded and ExtendedStatus On, or it will not function). Then add something like this to your httpd.conf or virtual host section to limit the number of simultaneous connections to the comment handler. <Location> blocks are not allowed inside .htaccess, so this has to live in the server config:

<IfModule mod_limitipconn.c>
<Location /wp/wp-comments-post.php>
MaxConnPerIP 1
</Location>
</IfModule>

This stops a spammer from firing off comment POSTs in parallel: while one connection from an IP is busy with wp-comments-post.php, a second one from the same IP gets a 503 and has to come back later. You have turned the spammer from a parallel machine into a sequential one! Two caveats: it does nothing against spam spread across many IPs, and readers behind one NAT who submit at the same instant will also see the 503, so keep the limit scoped to the comment script rather than the whole site.

Design Mashup: Wordpress Stats vs. Google Analytics

Posted in Google, Web 2.0, Wordpress, WP by Elliott Back 1 week, 1 day ago.

Google just did a makeover on their Google Analytics package, completely revamping the UI. We won't get to play with it for a while, though, because they're slowly rolling out the new version across their myriad users. Undoubtedly this strategy has two business-centric side effects:

  1. With a slow rollout, they can fix any bugs in the application which they might have overlooked. By the time the other 95% start to use it, the first 5% will have made it perfect.
  2. They can make sure it scales. As they add site after site, they can accurately measure how much of their distributed grid will have to power the new, heavier UI.

[image: google-stats.jpg]

I don't have access to a live version, but this screenshot looks a lot like the newly announced free stat tracking app from Wordpress. For comparison, here's a screenshot from their web page:

[image: wp-stats.png]

I won’t argue that they’re the same, but the style is similar–and Wordpress came way first. Copying or unconscious emulation? You decide.

Wordpress Hacked: Running 2.0.4

Posted in My Blog, Web 2.0, Security, Wordpress, Cracking, Hacking, WP by Elliott Back 2 weeks, 1 day ago.

Wow! A blog of mine running Wordpress 2.0.4 just got hacked. The attacker, without logging in, was able to inject a bunch of spam links into three of my posts. I caught the attack because I read my own Wordpress feeds and noticed the update. The IP address the attacker used was 64.252.168.207. Here is the timeline of his penetration into my poor, out-of-date Wordpress installation:

1) Visit Video Games Blog pretending to be Googlebot
2) Visit random pages just to confuse me
3) Visit the three target pages (1, 2, 3)
4) Grab the nonces from wp-admin/post.php?action=edit
5) Use the nonces to do something weird to /wp-admin/inline-uploading.php?action=view
6) Post to the regular edit page

If you don’t want to be hacked, here’s what you need to do:

  • Upgrade to the latest version of Wordpress (2.0.10 in my case)
  • Remove what you don't need. If you're not using comments, remove wp-comments-post.php. If you don't know what XML-RPC is, remove xmlrpc.php as well. The next upgrade will put both files back, so either remove them again afterwards or deny access to them in your Apache config instead.
  • Set your file permissions. If you are on a shared host, it's especially important that wp-config.php is not world-readable or world-writable, or anyone else on the box can read your database login information, or just overwrite it with their own. It should be readable only by your account and the user the web server runs as.

If you're interested, here's the full server log as a text file: wordpress-hack-log.txt. The attacker didn't compromise or access any other services; he just used the web interface to insert his spam into my posts.
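As an added example (my code, not the post's, and not the real wordpress-hack-log.txt), here is a small Python script that applies the two tells from this timeline to an Apache combined-format access log: a client that reaches wp-admin/ without ever requesting wp-login.php, and a client claiming to be Googlebot while POSTing or editing. It also counts 503s on wp-comments-post.php per IP, which is how you would confirm that the MaxConnPerIP rule from the rate-limiting post above is actually throttling anyone. The log lines are constructed with documentation IP ranges; the paths follow the post. In real use, feed it your access log and confirm a Googlebot claim with a reverse DNS lookup to googlebot.com, which this offline version does not do.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, not the log from the post), shaped like
# the sequence the post describes: a client claiming to be Googlebot that walks straight into
# wp-admin without touching wp-login.php, plus a legitimate editor, an ordinary reader, and a
# commenter bouncing off the MaxConnPerIP limit on the comment handler.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2007:10:01:02 -0400] "GET /videogames/ HTTP/1.1" 200 8123 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.7 - - [28/Apr/2007:10:01:09 -0400] "GET /videogames/2007/03/a-post/ HTTP/1.1" 200 6511 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.7 - - [28/Apr/2007:10:02:15 -0400] "GET /wp-admin/post.php?action=edit&post=12 HTTP/1.1" 200 2210 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.7 - - [28/Apr/2007:10:02:31 -0400] "GET /wp-admin/inline-uploading.php?action=view HTTP/1.1" 200 430 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.7 - - [28/Apr/2007:10:02:44 -0400] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.9 - - [28/Apr/2007:10:03:00 -0400] "GET /wp-login.php HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Apr/2007:10:03:05 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Apr/2007:10:03:20 -0400] "GET /wp-admin/post.php?action=edit&post=12 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Apr/2007:10:04:00 -0400] "GET /2007/04/wordpress-performance/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.80 - - [28/Apr/2007:10:05:00 -0400] "POST /wp/wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.80 - - [28/Apr/2007:10:05:00 -0400] "POST /wp/wp-comments-post.php HTTP/1.1" 503 412 "-" "Mozilla/4.0"
192.0.2.80 - - [28/Apr/2007:10:05:00 -0400] "POST /wp/wp-comments-post.php HTTP/1.1" 503 412 "-" "Mozilla/4.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_suspicious(entries):
    """Return {ip: [reasons]} for clients whose behaviour matches the attack pattern."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, reqs in by_ip.items():
        reasons = []
        saw_login = any(r["path"].startswith("/wp-login.php") for r in reqs)
        admin_hits = [r for r in reqs if r["path"].startswith("/wp-admin/")]
        claims_bot = any("Googlebot" in r["ua"] for r in reqs)
        # Reaching the editor without a login request means a stolen cookie or an exploit.
        if admin_hits and not saw_login:
            reasons.append("wp-admin without wp-login.php")
        # A real crawler never POSTs and never needs wp-admin.
        if claims_bot and any(r["method"] == "POST" or r["path"].startswith("/wp-admin/") for r in reqs):
            reasons.append("Googlebot user-agent used for POST/admin traffic")
        if reasons:
            findings[ip] = reasons
    return findings


def comment_limit_hits(entries):
    """Per-IP count of 503s on the comment handler: evidence the MaxConnPerIP limit is biting."""
    counts = defaultdict(int)
    for e in entries:
        if e["path"].endswith("/wp-comments-post.php") and e["status"] == "503":
            counts[e["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, reasons in find_suspicious(entries).items():
        print(ip, "->", "; ".join(reasons))
    print("comment POSTs throttled:", comment_limit_hits(entries))
```

On the sample above only 203.0.113.7 is flagged, for both reasons; the editor who went through wp-login.php is left alone, and 192.0.2.80 shows two throttled comment POSTs.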

Wordpress Performance: Why My Site Is So Much Faster Than Yours

Posted in Blogging, Code, Web 2.0, Scalability, Wordpress, Optimization, Hardware, WP by Elliott Back on April 15th, 2007.

People everywhere complain that Wordpress is slow, or that they can’t survive a digg. They die if they get more than 10,000 visitors a day, their hosting providers ban them for using too many resources, and they cry because they have to purchase expensive hosting plans. If this describes your plight, before you run over to Survive Digg hosting and plunk down even more money, take a look at your Wordpress setup and LAMP stack. You can make them better.

My Hardware

I'm not running on a top-of-the-line multi-processor machine with 16 GB of RAM per node. I have a Pentium 4 with 1 MB of L2 cache, 1 GB of RAM, a 160 GB SATA2 drive, and 100 Mbit/s ethernet. I get 1.3 TB of bandwidth a month as well. The hardware is from Cari.net and I pay $80 a month for it.

WP Built-in Object Cache

Did you know Wordpress 2.0 will cache all kinds of database query results as files on disk (under wp-content/cache, which has to be writable by the web server)? It's so simple. Just add the following to your wp-config.php:

// Enable the WordPress Object Cache:
define('ENABLE_CACHE', true);

This can give a noticeable and immediate performance benefit. Fewer queries = less overhead and more CPU free for other things. In case you don't believe me, I just had a guy whose load average was between 20 and 50. After making this tiny change, it dropped to 2.

WP-Cache

You’ve seen this before, but if you’re not using the WP-Cache plugin, we shouldn’t talk. It serializes your posts to a file on disk and later spits them back. It’s the classic caching solution. It also knows how to update itself when comments are received, etc, so your site is always the most up to date. Currently 304 posts are cached on this site in the last hour.

Wordpress Plugins

Here is the complete list of plugins that run on this blog:

Content Filters: Adbright BritePic Enabler, Admin Info, Adsense Injection, Auto-hyperlink URLs, Feedburner Feed Replacement, Terms2tags, Wordpress Duplicate Content Cure, WPvideo, WP Fixed Size, WP Adsense, WP-Stats, wp-cache

New Functions: delicious - Bookmark this!, Elliott’s Asides, Elliott’s Feed Tagger, Google Sitemaps, PJW Mime Config, Plugins Used, Relative Dates

Remote Services: Akismet, Extract Terms, Get RSS, Text Link Ads, WordPress From/Where

As you can see, there are just five that have any kind of processing impact. Akismet has to make calls to their webservice to verify spam. Extract Terms uses the Yahoo API to build keywords for automatic tagging. Get RSS performs similar operations per post. Text Link Ads keeps track of an xml file it updates every now and then. WP From/Where archives the keywords used to find every post. The first four cache their results. WP From/Where is the only “expensive” plugin I have, since it adds a query to every page load.

You should go through your plugins and see if there's a way to make them faster: make them stop creating queries and use flat files, or better yet, cache things. If your plugins are slowing down your Wordpress installation, fix them and submit a patch to the author. He'll probably even give you a free link.

You can install something like Xdebug to profile your PHP code for bottlenecks, as well.

MySQL Query Cache

The MySQL Query Cache saves the result of a SELECT in case the exact same query comes by again. It only knows the byte-text of queries, not their parsed form, so small changes to the query (whitespace, case, a different id) create different cache entries, and any write to a table throws out every cached result that touched it. Turn this on if you don't have unique ids in every query. You can enable it by adding the following to /etc/my.cnf:

query_cache_type = 1
query_cache_size = 26214400

This will turn on the query cache and instruct it to use 26M of RAM. After you’ve changed the config, restart the MySQL process by /etc/init.d/mysqld restart and then run these SQL queries to verify that it’s working properly:

SHOW STATUS LIKE 'Qcache%';
SHOW STATUS LIKE 'Questions%';
Qcache_free_blocks 2960
Qcache_free_memory 11693192
Qcache_hits 10433610
Qcache_inserts 5221850
Qcache_lowmem_prunes 2113131
Qcache_not_cached 1335038
Qcache_queries_in_cache 8765
Qcache_total_blocks 20976
Questions 21338215

When I check, I find the Query Cache efficiency is at worst 10433610/21338215, or 49%. That's not bad. Measured against only the queries the cache could have served (hits plus inserts plus not_cached), it's 61%. The number to watch is Qcache_lowmem_prunes: at 2113131, 40% of inserts, the cache is throwing entries out, and since 11 MB of the 26 MB is still free it is fragmenting rather than full. FLUSH QUERY CACHE defragments it without dropping any entries.
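Here is an added Python example (mine, not from the post) that reads the SHOW STATUS output above and turns it into the ratios worth watching, using the 26 M from the my.cnf snippet as the cache size. It computes the post's hits/Questions figure alongside the hit ratio over cacheable queries, the prune rate, and a fragmentation check; the thresholds (10% prunes, 25% free memory, 20% hit ratio) are my rules of thumb, not MySQL's. The query cache was removed in MySQL 8.0, so this only applies to 5.x servers.

```python
# SHOW STATUS output as pasted from the mysql client: "Variable_name Value" per line.
# These are the values from the post.
STATUS_TEXT = """\
Qcache_free_blocks 2960
Qcache_free_memory 11693192
Qcache_hits 10433610
Qcache_inserts 5221850
Qcache_lowmem_prunes 2113131
Qcache_not_cached 1335038
Qcache_queries_in_cache 8765
Qcache_total_blocks 20976
Questions 21338215
"""

QUERY_CACHE_SIZE = 26214400  # query_cache_size from the my.cnf snippet, in bytes


def parse_status(text):
    """Turn 'Variable_name Value' lines into a dict of ints; anything else is ignored."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            status[parts[0]] = int(parts[1])
    return status


def query_cache_report(status, cache_size_bytes):
    """Compute the ratios that tell you whether the cache is helping, and what to change."""
    s = status
    hits, inserts, not_cached = s["Qcache_hits"], s["Qcache_inserts"], s["Qcache_not_cached"]
    report = {
        # What the post calls efficiency: hits over everything the server was asked.
        "hit_ratio_all": hits / s["Questions"],
        # Fairer: hits over the SELECTs the cache could have served (hits + misses).
        "hit_ratio_cacheable": hits / (hits + inserts + not_cached),
        # Entries evicted for lack of memory, relative to entries added.
        "prune_ratio": s["Qcache_lowmem_prunes"] / inserts,
        # Many small free blocks alongside lots of free memory means fragmentation.
        "free_block_ratio": s["Qcache_free_blocks"] / s["Qcache_total_blocks"],
        "free_fraction": s["Qcache_free_memory"] / cache_size_bytes,
    }
    advice = []
    if report["prune_ratio"] > 0.10 and report["free_fraction"] > 0.25:
        advice.append("pruning while memory is free: fragmented; run FLUSH QUERY CACHE "
                      "or lower query_cache_min_res_unit")
    elif report["prune_ratio"] > 0.10:
        advice.append("pruning under memory pressure: raise query_cache_size")
    if report["hit_ratio_cacheable"] < 0.20:
        advice.append("low hit ratio: queries rarely repeat byte-for-byte or tables are "
                      "written to too often; consider query_cache_type = 0")
    report["advice"] = advice
    return report


if __name__ == "__main__":
    r = query_cache_report(parse_status(STATUS_TEXT), QUERY_CACHE_SIZE)
    for k, v in r.items():
        print(f"{k}: {v:.3f}" if isinstance(v, float) else f"{k}: {v}")
```

For the numbers in the post this reports 49% overall, 61% over cacheable queries, a 40% prune rate with 45% of the cache free, and recommends a FLUSH QUERY CACHE rather than a bigger cache.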

PHP Opcode Cache

Why recompile our scripts every time, when we can save the bytecode? I use eAccelerator v0.9.5 to accelerate my PHP scripts, 455 of which are currently cached. To install it, follow these simple steps:

cd eaccelerator-0.9.5
phpize
./configure
gmake (or make)
gmake install (or make install)
add extension="eaccelerator.so" to your php.ini file
add eaccelerator.cache_dir="/tmp/eaccelerator" to your php.ini file
mkdir /tmp/eaccelerator
chown apache /tmp/eaccelerator (whatever user httpd runs as)
chmod 0700 /tmp/eaccelerator

Their wiki has very clear instructions for how to install it, though it tells you to chmod 0777 the cache directory. Don't, on any box where other people have accounts: a world-writable cache directory lets any local user tamper with the bytecode your web server loads, and a directory owned by the httpd user with 0700 works just as well. This extension is a win-win. It uses a bit of disk space, but it also optimizes the opcodes and saves you from having to recompile a script every time. It can shave up to 5000ms off your loading time, depending how bad the PHP code you're actually running is. For me, it saves about 650ms per page.

Apache httpd.conf

First, and perhaps most importantly, comment out any modules you’re not using. Loading them takes time and memory. Your apache config file is usually located in /etc/httpd/conf/httpd.conf. Some settings to keep in mind:

# Timeout and Keepalive
Timeout 30
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 6

#Maximum Client Connections
<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 512
MaxClients 512
MaxRequestsPerChild 4000
</IfModule>

There are tons of how-to guides out there for configuring apache to maximize performance, but mostly it's great software that doesn't need much tuning. One number does need thought: MaxClients. Every prefork child with mod_php loaded can take tens of megabytes, so on a 1 GB box 512 of them would push you deep into swap the moment a digg arrives. Size it as the RAM left over after MySQL divided by the resident size of one httpd child as shown by ps or top.

PHP php.ini

PHP is a beast with all kinds of horrible modules it thinks it needs to load. You find the php configuration usually at /etc/php.ini; here are some settings to observe:

;*Hide our info
expose_php = Off
;*Turn off: unsafe (register_globals, magic_quotes) and a little slower
register_globals = Off
register_long_arrays = Off
register_argc_argv = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
;*Allow PHP to accept large data
post_max_size = 6M
file_uploads = On
upload_max_filesize = 6M

The real trick is to disable every extension you aren't using, to save memory. You can check out this guide for more information about optimizing a PHP configuration.

Linux Kernel

Let's put it this way: you want to be running the latest and greatest versions of all your software. If you're using a 2.4 kernel, don't. The 2.6 kernel is appreciably faster. For me, getting the latest software is as easy as running the yum update command, as I use FC5. If you're on a different distro, check its documentation for instructions on how to update to the latest version:

[root@fc435152 ~]# yum update
Loading "installonlyn" plugin
Loading "skip-broken" plugin
Setting up Update Process
Setting up repositories
livna 100% |=========================| 951 B 00:00
atomic 100% |=========================| 951 B 00:00
psa-8.1 100% |=========================| 951 B 00:00
updates 100% |=========================| 1.2 kB 00:00
core 100% |=========================| 1.1 kB 00:00
mono 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
Dependencies Resolved

==================================
Package Arch Version Repository Size
==================================
Installing:
kernel i686 2.6.20-1.2312.fc5 updates 15 M
kernel-smp i686 2.6.20-1.2312.fc5 updates 16 M
kernel-smp-devel i686 2.6.20-1.2312.fc5 updates 4.6 M
Updating:
alsa-lib i386 1.0.14-0.1.rc1.fc5 updates 404 k
cups i386 1:1.2.8-1.fc5 updates 2.9 M
cups-libs i386 1:1.2.8-1.fc5 updates 180 k
dhcdbd i386 1.15-2.FC5 updates 68 k
gnupg i386 1.4.7-4.1 updates 1.9 M
gpm i386 1.20.1-82.fc5 updates 185 k
krb5-devel i386 1.4.3-5.4 updates 954 k
krb5-libs i386 1.4.3-5.4 updates 558 k
krb5-workstation i386 1.4.3-5.4 updates 858 k
libX11 i386 1.0.0-4.fc5 updates 761 k
libXfont i386 1.2.8-1.fc5 updates 227 k
libpcap i386 14:0.9.4-4.fc5 updates 207 k
openssh i386 4.3p2-4.12.fc5 updates 279 k
openssh-clients i386 4.3p2-4.12.fc5 updates 435 k
openssh-server i386 4.3p2-4.12.fc5 updates 251 k
samba i386 3.0.24-4.fc5 updates 16 M
samba-client i386 3.0.24-4.fc5 updates 4.2 M
samba-common i386 3.0.24-4.fc5 updates 8.5 M
tcpdump i386 14:3.9.4-4.fc5 updates 443 k
tzdata noarch 2007d-1.fc5 updates 451 k
Removing:
kernel i686 2.6.17-1.2142_FC4 installed 38 M
kernel-smp i686 2.6.17-1.2142_FC4 installed 44 M
kernel-smp-devel i686 2.6.17-1.2142_FC4 installed 13 M

Transaction Summary
=================================
Install 3 Package(s)
Update 20 Package(s)
Remove 3 Package(s)

Total download size: 75 M

Architecture

If you're serving more than 5 million hits a day, you'll want to take a different approach than if you're serving 500,000 hits a day. For a small server like mine, which can handle up to perhaps 1,000,000 hits a day, you'll want everything running on the same box:

[image: simple-server.png]

For a more complicated setup, you'll split the MySQL component off onto a hefty box, with Apache/PHP instances on a cluster of other, load-balanced boxes:

[image: complex-server.png]

Conclusion

There’s no good reason for Wordpress or your site to be slow, except your own negligence. Cache everything. Monitor performance. Use the latest versions of your software. Configure it intelligently. If you take an active part in every bit of software that powers your site, soon you’ll find things fit together more smoothly than before, and the secrets of a fast server will naturally fall into place.

Other Resources

Call me Lorelle; I’m going to link every other optimization guide for Wordpress I can find:

Monetize Your Blog With Image Ads

Posted in Blogging, Plugins, Wordpress, WP, Monetization by Elliott Back on April 11th, 2007.

There’s a new monetization service from AdBrite which is quite promising. It’s called BritePic and offers to overlay assorted controls on top of your images, as well as unobtrusive advertisements. Their list of features is long, but rather unimpressive:

  • Email this image
  • Link to this image
  • Embed this image (you still get the ad revenue, even if your pic is embedded elsewhere)
  • Zoom in and out (see demo)
  • Captions that slide out when you hover over the pic
  • Ads from AdBrite
  • Link the image to another URL
  • Subscribe to RSS

What really shines is the user interface for their BritePic enhancements. It’s a sheer, transparent overlay that reacts to mouse events and hides when not active. For example, it adds a header which you can mouseover to show the advertisement:

[image: New gallery host!]

There’s also a menu added to the bottom to produce a list of features:

[image: New photo hosting!]

I’m definitely going to start running the ads on this blog, just because I like how easy they are to use, and how little they get in the way of the user experience. I coded up a quick Wordpress plugin to replace all image tags with appropriate adbrite tags, and it works fine for me so far: adbrite-images.rar. You need to replace the Adbrite ID with your own, and then activate and you’re good to go.
