AgilePress

Tag: Cloudflare

  • The Caching Strategy: Stop Installing W3 Total Cache (And What to Use Instead)

    We see it every day. A client complains their website is slow. We log in and find W3 Total Cache installed with 20 checkboxes ticked at random, fighting against SG Optimizer, while the server gasps for air.

    Caching is not magic. It is physics. If your server takes 3 seconds to think (TTFB), no plugin will make your site load in 0.5 seconds.

    At AgilePress, we believe in Hierarchy: First, fix the server. Second, fix the code. Third, cache everything.

    Here is our “White List” of caching solutions, categorized by real-world scenarios.

    The “Black List”: Please Delete These

    Before we tell you what to use, let’s clarify what we avoid to prevent “bloat.”

    • W3 Total Cache: The Villain. Ideally, it’s powerful. In reality, it has hundreds of confusing options, breaks easily, and is overkill for 99% of sites.
    • WP Super Cache: The Dinosaur. It works, but its code is ancient, and its file management (mod_rewrite rules) is messy by modern standards.
    • WP Fastest Cache: The Adware. The dashboard is full of “Buy Premium” banners. We don’t deliver ad-filled backends to professional clients.

    Scenario A: The “LiteSpeed” Server (The Native Choice)

    If your hosting uses LiteSpeed Web Server (like Hostinger, GreenGeeks, or some SiteGround plans), you have a Ferrari engine. Don’t put bicycle wheels on it.

    • The Plugin: LiteSpeed Cache (LSCache).
      • Why: It is not a normal PHP plugin. It talks directly to the server kernel. It caches at the server level, which is faster than anything else.
    • The CDN: QUIC.cloud.
      • It integrates natively with LSCache to serve images and static files globally.
    • Verdict: If you are on LiteSpeed, use LSCache. Nothing beats it.

    Scenario B: The “Set & Forget” (Blogs & Corporate)

    If you are on Nginx or Apache and have a simple site (Portfolio, Blog, Brochure), you don’t need a complex suite. You need HTML generation.

    • Option 1: Surge.
      • The Philosophy: Zero configuration. You activate it, and it generates static HTML files.
      • The Warning: It is so minimal that on some specific hosting setups, it might cause conflicts.
    • Option 2: Cache Enabler (The Reliable Backup).
      • If Surge gives you trouble, Cache Enabler (by KeyCDN) is our standard. It supports WebP, clears cache on publication, and is rock-solid.
    • Verdict: Keep it simple. Don’t use a rocket launcher to kill a mosquito.

    Scenario C: The Performance Kings (Complex / E-commerce)

    For high-traffic sites, WooCommerce, or membership platforms where Core Web Vitals are a struggle.

    • FlyingPress: Our current favorite. It goes beyond caching; it cleans your database, generates Critical CSS, and delays JavaScript intelligently. It replaces 5 other plugins.
    • WP Rocket: The industry standard. Excellent UI and reliability.
    • Note: These cost money because they do the hard work of code optimization, not just caching.

    The Hidden Engine: Object Caching (Database)

    This is where most “slow” WooCommerce sites fail. Page Caching (HTML) stops working when a user logs in or adds an item to the cart. We need to cache the Database Queries.

    • Option A: Redis (The King).
      • Available on VPS, Cloudways, and premium hosting. It stores SQL results in RAM. It is mandatory for serious e-commerce.
    • Option B: Memcached (The Prince).
      • If your host doesn’t have Redis but offers Memcached (common in older cPanel hosts), use it. It is lighter than Redis and still vastly better than nothing.
    • Option C: SQLite Object Cache (The Savior).
      • The Secret Weapon: What if you are on cheap shared hosting with no Redis/Memcached?
      • Use the SQLite Object Cache plugin. It creates a local high-speed database file to mimic Redis. It is a game-changer for low-budget dynamic sites.

    The Global Layer: The CDN

    Your server is fast in New York. But what about your visitor in London?

    • Cloudflare (Free/Pro): The default choice. It acts as DNS, Security (WAF), and CDN.
      • Pro Tip: Their “APO” (Automatic Platform Optimization) service for $5/mo is incredible for WordPress.
    • BunnyCDN: If you want pure speed without changing your DNS. It is cheap and loved by performance developers.

    Conclusion: The AgilePress Stacks

    We don’t have a single tool. We have a strategy for each environment.

    1. The “Native” Stack (Hostinger/GreenGeeks):
      • LiteSpeed Cache + QUIC.cloud + Redis.
    2. The “Pro” Stack (Cloudways/Kinsta):
      • FlyingPress (or WP Rocket) + Redis + Cloudflare APO.
    3. The “Minimalist” Stack (Shared Hosting):
      • Cache Enabler + SQLite Object Cache + Cloudflare Free.

    Stop looking for the “best plugin.” Look for the right stack for your server.

  • The Security Illusion: Why We Banned Wordfence and AIOS

    When a site owner fears getting hacked, their knee-jerk reaction is usually to install the “biggest” security plugin they can find.

    Names like Wordfence, All In One Security (AIOS), or Solid Security dominate the market. They are the “Norton Antivirus” of WordPress.

    At AgilePress, we do not use them.

    In fact, we often remove them to instantly improve a client’s server response time.

    Security is not measured by how many settings your plugin has. It is measured by where you stop the attack. Here is why we shift the weight to the server and use minimalist tools inside WordPress.

    The Problem with “The Giants” (Wordfence, AIOS, Sucuri)

    These popular plugins operate on a flawed premise: Application-Level Security.

    They run inside WordPress. This means that for the plugin to block a malicious bot, WordPress has to load first. The PHP engine has to spin up, connect to the database, and execute the plugin’s code.

    The “PHP Trap”: Imagine 1,000 bots attack your login page simultaneously.

    • With Wordfence: Your server has to execute WordPress 1,000 times just to say “Access Denied.” This consumes CPU and RAM, often crashing the server (a self-inflicted DDoS) even if the hackers don’t get in.
    • Database Bloat: These plugins log every failed attempt in your database. We have seen wp_options tables bloated by gigabytes of security logs, slowing down the entire site.

    The AgilePress Strategy: Defense in Depth

    We believe that malicious traffic should be stopped as far away from your WordPress installation as possible.

    Layer 1: The Edge (CDN & Cloudflare)

    The best request is the one that never hits your server. We use Cloudflare (or your hosting’s edge firewall) to block geographical threats and known botnets.

    • Cost to your server: Zero.
    • Speed impact: Positive.

    Layer 2: The Server (Hardening & Imunify)

    This is where most people undervalue their hosting. If you use a quality provider with cPanel or Plesk, you already have enterprise-grade tools that operate at the root level, far more efficiently than any plugin.

    • Native Hardening: We configure the server to apply strict rules (like disabling PHP execution in upload folders) directly from the control panel.
    • Imunify360 / ImunifyAV: Many modern servers come with Imunify built-in. This tool scans files and blocks malware at the Linux OS level. It runs in the background without slowing down your WordPress and without writing junk logs to your database.
    • The Reality: If your server has Imunify, installing Wordfence is redundant and harmful to performance.

    Layer 3: The Application (The AgilePress Stack)

    Once traffic passes the Edge and the Server, it reaches WordPress. Here, we need a lightweight goalkeeper, not an army.

    1. The Firewall: NinjaFirewall (The “True” WAF)

    Unlike Wordfence, NinjaFirewall is a stand-alone Web Application Firewall.

    Why we choose it: It hooks into PHP (via php.ini or .user.ini) before WordPress loads.

    • It filters requests before the WordPress database connection is established.
    • If a request is malicious, it is killed instantly. WordPress never wakes up.
    • It saves massive amounts of CPU compared to standard plugins.

    2. The Identity Guard: WP 2FA (by Melapress)

    A firewall protects the perimeter; 2FA protects the user. We use WP 2FA because it adheres to the Unix philosophy: “Do one thing and do it well.” It doesn’t scan files, it doesn’t check IPs. It just provides a rock-solid, lightweight Two-Factor Authentication.

    3. The Anti-Bot Shield: Cloudflare Turnstile (Goodbye reCAPTCHA)

    Spam and brute-force attacks are usually automated. Traditionally, developers stopped this with Google reCAPTCHA, which forces users to “click on traffic lights” and loads heavy scripts that spy on your visitors.

    At AgilePress, we use Cloudflare Turnstile.

    • Invisible: It verifies if the visitor is human without forcing them to solve puzzles (Zero Friction).
    • Lightweight: It is far more privacy-respecting and lighter than Google’s solution.
    • Effective: It stops bots at your login and contact forms without punishing your real customers.

    Conclusion: Engineering vs. Fear

    The “Big Security Plugins” sell peace of mind through complexity. They want you to see a dashboard with 50 checkboxes and a map of blocked attacks so you feel like the plugin is “working.”

    In reality, that dashboard is slowing you down.

    At AgilePress, we build secure sites by design. We block at the Edge, harden the Server with Imunify, filter with NinjaFirewall, and verify with Turnstile.

    Maximum Security. Minimal Footprint.