Category: Server Administration

Web servers, PHP, and the stack underneath.

  • Hardening Your WordPress Site: Security Basics

    Most WordPress sites are not compromised by some exotic zero-day. They are compromised through weak passwords, outdated plugins, and file permissions that are far more generous than they need to be. The good news is that the same handful of basic measures stops the overwhelming majority of real-world attacks.

    Lock Down Accounts First

    Start with accounts. Every administrator should use a long, unique password and two-factor authentication. Delete the default “admin” username if it still exists, and limit the number of accounts that hold the administrator role to the few people who genuinely need it. An editor cannot install a malicious plugin; an administrator can.

    Next, keep everything updated. The vast majority of hacked sites were running a plugin with a known, already-patched vulnerability. Enable automatic updates for minor core releases and for plugins you trust, and make a habit of removing plugins you no longer use rather than leaving them deactivated but present on disk.

    Finally, tighten the filesystem. Files should be 644, directories 755, and wp-config.php can be locked down further still. Disabling file editing from the dashboard with DISALLOW_FILE_EDIT means that even if an account is taken over, the attacker cannot paste PHP straight into your theme. None of this is glamorous, but security rarely is.
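
The filesystem baseline above can be checked mechanically. The script below is an added example, not code from the original article: it reports files that are not 644, directories that are not 755, and a wp-config.php that lacks an active DISALLOW_FILE_EDIT define. The function names are hypothetical, and it assumes that "locked down further" means no permission bits for "other" on wp-config.php.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code. Function names are hypothetical.
# Assumption: wp-config.php "locked down further" = no permission bits for other.

wp_perm_findings() {
    local root cfg
    root="${1%/}"
    cfg="$root/wp-config.php"
    # Regular files must be exactly 644; wp-config.php is judged separately.
    find "$root" -type f ! -path "$cfg" ! -perm 644 | sed 's/^/FILE_MODE /'
    # Directories must be exactly 755.
    find "$root" -type d ! -perm 755 | sed 's/^/DIR_MODE /'
    if [ ! -f "$cfg" ]; then
        echo "NO_CONFIG $cfg"
        return 0
    fi
    # Any read, write or execute bit for other on wp-config.php is a finding.
    if [ -n "$(find "$cfg" \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        echo "CONFIG_OTHER_ACCESS $cfg"
    fi
    # The define must start its line, so a commented-out copy does not count.
    if ! grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "FILE_EDIT_ALLOWED $cfg"
    fi
}

# Print the findings and return 1 when the tree deviates from the baseline.
wp_perm_audit() {
    local findings
    findings="$(wp_perm_findings "${1:?usage: wp_perm_audit /path/to/wordpress}")"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree with four deliberate deviations, for a dry run.
make_sample_tree() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/wp-content/uploads"
    printf '<?php\n// define( "DISALLOW_FILE_EDIT", true );\n' > "$d/wp-config.php"
    echo '<?php' > "$d/index.php"
    echo '<?php' > "$d/wp-content/uploads/old-upload.php"
    chmod 755 "$d" "$d/wp-content"
    chmod 777 "$d/wp-content/uploads"                 # world-writable directory
    chmod 644 "$d/index.php" "$d/wp-config.php"       # config readable by other
    chmod 666 "$d/wp-content/uploads/old-upload.php"  # world-writable file
    echo "$d"
}
```

Run `wp_perm_audit "$(make_sample_tree)"` to see all four finding types, then point it at a real document root; a non-zero exit status makes it usable from cron or a deploy check.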

  • Getting Started with OpenLiteSpeed for WordPress

    OpenLiteSpeed is the open-source edition of the LiteSpeed Web Server, and over the last few years it has become a genuinely popular choice for hosting WordPress. It shares Apache's configuration concepts, ships with a clean admin console on port 7080, and uses an event-driven architecture that handles concurrent connections far more gracefully than a traditional prefork setup.

    If you are coming from an Apache or shared-hosting background, the first thing you will notice is that OpenLiteSpeed does not read .htaccess files the way Apache does by default. Rewrite rules still work, but they are evaluated through LiteSpeed’s own engine. For WordPress this matters mostly in one place: permalinks. Once you enable a rewrite rule for the document root, pretty permalinks behave exactly as you would expect.

    Why It Pairs Well With WordPress

    The real reason most people switch is caching. The bundled LiteSpeed Cache plugin talks directly to the server, which means full-page cache, object cache, and even edge-side includes are handled in C rather than in PHP. In practice that turns a 600ms uncached response into a sub-50ms cache hit without any third-party CDN in front of it.

    • Install PHP 8.3 and the LSAPI handler.
    • Point the virtual host document root at your WordPress directory.
    • Enable the rewrite rule so permalinks resolve.
    • Install the LiteSpeed Cache plugin and turn on full-page caching.

    None of these steps takes more than a few minutes, and the payoff is a stack that stays responsive under load. In the next few articles we will dig into each layer, starting with what actually happens on a cache hit.