WordPress Security Optimization for High-Performing Websites

Hacking and cyber attacks can cause massive server performance problems if not outright interruptions. Many people have no idea how often servers get attacked because they never see the logs. Every server will get attacked several thousand times (sometimes in one hour) every month. Your site might even be attacked right now but you just don’t know it.

Securing against these attacks requires a delicate balance. You don’t want a server that lets hackers freely bombard your ports and resources. But you also don’t want a server that’s so locked down, and auditing all traffic so heavily, that it slows your users or, worse, blocks legitimate ones.

Today we will share a set of tips on website security optimization provided by Johnny Nguyen in The Ultimate WordPress Speed Optimization Guide. Each security optimization hint below is marked with the level of skill required to implement it and the impact it will bring.


BEGINNER – can Google and follow instructions.

INTERMEDIATE – working as WordPress contractor.

ADVANCED – programmer or server-admin.


LOW – maybe 100-200ms difference. Possibly unnoticeable.

MEDIUM – around 500ms difference.

HIGH – 1 second difference or more.

1. Shutdown Unnecessary Server Services (ADV, HIGH)

You can think of unused services as unused phones or email accounts. They sit around eating up resources (MEMORY) and take up your time with unwanted connections (SPAM, HACKERS). Whatever you’re not using, disable it from your server!

DNS – disable if using external DNS server (Cloudflare, DNSME, etc.)

Email – disable if using 3rd-party email (G-Suite, MXroute, etc.)

FTP/SFTP – disable if not using

Other proxies – like Varnish

Many of these services are enabled by default with your server stack or control panel. You can read their documentation to get a list. For services that need to be running, you can limit their exposure to bad traffic using firewalls.

2. Server firewall configuration (ADV, HIGH)

Most default firewall configurations are set too lax, so as to avoid causing issues. You should jump in there and block off as much as possible. Some example logic below:

Ports used by specific people (SSH, FTP) – only you or a few others. Do an IP whitelist and block the rest.

Ports used only from certain countries (POP3, IMAP, FTP) – if some services are only used from within one country, you can block all other countries. Be careful though, as someone traveling will lose access!

Ports attacked only by certain countries – if you have many attacks coming from certain countries or regions, you can ban by country or entire IP ranges.

There are many server firewalls out there, each with its own pros and cons and recommended for different use cases. You can read up online on how others use and configure them. It’s easiest to start with the default one that comes with your stack.

3. Server Brute Force Protection (ADV, HIGH)

Brute-force protection is like a smart firewall. It leaves services and ports open but automatically bans the obvious offenders.

It automatically bans anyone putting in the wrong authentication, or using blacklisted generic user-names, etc.

They’re easy to set and very powerful. Just be careful that they don’t block legitimate users/traffic. You can see what brute-force or DDOS protection came with your server and enable it. Maybe don’t set it so strict if you have many users on this server.

4. Brute-Force Protection on wp-login.php (BEG, HIGH)

The WordPress admin login page is often bombarded by bots trying random user-names and passwords to get through. While they might not get in, their constant attempts eat up lots of resources. There are several ways to prevent them, each with their pros and cons.

Server-level brute force protection – easy and efficient but can lock out legitimate users on busy servers with sites using Cloudflare. The problem is that brute-force lockouts block by IP, and visitors coming in through Cloudflare all share the same (proxy) IP. Sure, you can configure the server to pass the true client IP through Cloudflare headers, but this slows down page load!

Application-level brute force protection – many WordPress security plugins can do this. They secure the login page by banning users with bad credentials.

Some plugins hide the login page – moving it to a different URL. Just make sure the standard login URL is either blocked or cached to prevent visits on it from using resources.

Other plugins protect the login form by putting a captcha and banning certain robots, crawlers, devices. This can work well but might annoy or false-flag legitimate users.

The only server I know of with native brute-force protection on wp-login.php is LiteSpeed. All other servers (Apache & NGINX) will have to enable it with either a security plugin or HTTP auth.
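The shared-proxy-IP lockout problem described in this section shows up clearly when failed logins are counted two ways: by TCP peer address and by a proxy-aware client address. The following Python example is added here and is not code from the guide or from any server product; the log format, the `TRUSTED_PROXIES` range (a documentation range standing in for the addresses your proxy publishes), the thresholds and all function names are assumptions. It also counts POSTs to xmlrpc.php (covered in section 6), which goes slightly beyond wp-login.php.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Assumption: placeholder for the proxy/CDN egress ranges (a documentation
# range, NOT real Cloudflare addresses). Use the ranges your proxy publishes.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]

# Assumption: a constructed access-log format that records the peer address,
# epoch seconds, request, status and the CF-Connecting-IP header value.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) cfip="(?P<cfip>[^"]*)"$'
)

WATCHED = ("/wp-login.php", "/xmlrpc.php")


def client_ip(peer, cfip, trust_header=True):
    """Return the address a request should be attributed to.

    The header is honoured only when the TCP peer is a trusted proxy;
    otherwise any direct client could forge it to frame or evade.
    """
    peer_addr = ipaddress.ip_address(peer)
    if trust_header and any(peer_addr in net for net in TRUSTED_PROXIES):
        try:
            return str(ipaddress.ip_address(cfip))
        except ValueError:
            pass  # header missing or malformed: fall back to the peer
    return str(peer_addr)


def find_offenders(lines, threshold=5, window=60, trust_header=True):
    """Return addresses with >= threshold suspect POSTs within window seconds.

    Heuristic (assumption): a POST to a watched endpoint that is not answered
    with a 302 is treated as a failed or automated attempt, since WordPress
    redirects after a successful wp-login.php login.
    Lines are expected in chronological order.
    """
    recent = defaultdict(deque)
    offenders = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or m["status"] == "302":
            continue
        if m["path"].split("?", 1)[0] not in WATCHED:
            continue
        try:
            ip = client_ip(m["peer"], m["cfip"], trust_header)
        except ValueError:
            continue  # unparseable peer address
        ts = int(m["ts"])
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold:
            offenders.add(ip)
    return offenders


def _line(peer, ts, method, path, status, cfip="-"):
    return f'{peer} {ts} "{method} {path}" {status} cfip="{cfip}"'


# Constructed sample traffic (all addresses are documentation ranges).
PROXY = "198.51.100.7"
SAMPLE_LOG = sorted(
    # Bot behind the proxy: six failed logins in 40 seconds.
    [_line(PROXY, 1000 + 8 * i, "POST", "/wp-login.php", 200, "203.0.113.50")
     for i in range(6)]
    # Real user behind the same proxy: one typo, then a successful login.
    + [_line(PROXY, 1005, "GET", "/wp-login.php", 200, "192.0.2.10"),
       _line(PROXY, 1010, "POST", "/wp-login.php", 200, "192.0.2.10"),
       _line(PROXY, 1020, "POST", "/wp-login.php", 302, "192.0.2.10")]
    # Direct connection that forges the header to look like the real user.
    + [_line("203.0.113.99", 1100 + 5 * i, "POST", "/xmlrpc.php", 200, "192.0.2.10")
       for i in range(6)],
    key=lambda entry: int(entry.split()[1]),
)

if __name__ == "__main__":
    print("keyed by peer IP:  ", sorted(find_offenders(SAMPLE_LOG, trust_header=False)))
    print("keyed by client IP:", sorted(find_offenders(SAMPLE_LOG)))
```

Keyed by peer address, the proxy itself crosses the threshold, so every visitor behind it would be locked out; keyed by the proxy-aware client address, only the two automated sources are flagged, and the forged header on the direct connection is ignored.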

5. HTTP Authentication (BEG, MED)

Do you have specific pages being bombarded and no convenient way of blocking access to them? HTTP AUTH is a quick-and-dirty way of locking out all users. Only problem is it’s a slight hassle for legitimate users. Most guides show you how to protect the wp-admin directory but you can protect other frequently-visited ones as well.

Setup HTTP AUTH on Apache/LiteSpeed


Handy HTTP AUTH passwords generator

6. Disable XML-RPC Protocol (BEG, MED)

The XML-RPC protocol allows external apps (like mobile apps) to log into your WordPress and edit content or view WooCommerce sales. Unfortunately, it’s often exploited by hackers and bots brute-forcing their way into your site.

If you don’t use it, disabling XML-RPC prevents server slowdowns caused by the thousands of XML-RPC hack requests.

If you need to leave it on, you can whitelist your IPs (and also Jetpack’s, if you use it).

7. Security Plugin Configuration (BEG-INT, MED)

If you don’t have access to your server, you can use security plugins. Yes, security is more efficiently run at the server level (closer to raw computing power) than at the application level (slower PHP processing)…but sometimes, it’s hard to set global security rules when you have many clients/sites and each one needs something different.

Nonetheless a software-level security plugin like WordFence is still a useful option to block attacks that the server doesn’t, and/or prevent hacked sites from doing more damage.

My favorite WordPress security plugin is WordFence.

The most important feature of security plugins, IMO, is malware scanning. Scan manually or schedule scans during low-traffic hours. This feature doesn’t necessarily improve website speed; it detects system exploits and prevents them from using up resources (hosting spam sites or attacking other servers).

The firewall features on security plugins probably aren’t needed if you have a server firewall already. Firewalls activated at the PHP level slow all incoming requests.

The performance problem with security plugins is due to A) over-aggressively filtering all incoming traffic, and B) scanning too often. Both eat up many resources, especially on large sites with many pages and visitors. I suggest not using a software firewall, and also setting your malware scans to a slower speed.

8. DNS Edge-Level Security Configuration (BEG, MED)

Remember how I said that security is more efficiently done at the server level than at the application level? Well doing it at the edge level (DNS-level) can be even more efficient than at your server level since it’s using someone else’s servers. There are some performance implications between dealing with security at the edge VS on your server. You can decide what works best for your use case.

Dealing with security on your server can be more convenient since you have more control. You can optimize for your specific use. Only downside is it uses your server resources and also that you need admin skills.

Dealing with security via another server (like DNS proxy, Cloudflare) or security service (Sucuri) saves your server precious resources but might add slight load delay issues since visitors are passing through an extra proxy before reaching your web-server.

The weaker your server and server-admin skills, the more likely a security service is more efficient at blocking DDOS requests. Then again, for a smaller site you might not have so many security problems. Whatever you do, don’t try to put overly-aggressive DDOS security at both levels (DNS & server). This can cause false positives where legit visitors are blocked because all visitors (good and bad) share the same IP when coming through a proxy.

Most people don’t have to worry about DDOS attacks, ok?

Most lower-level DDOS attacks are easily handled by your server.

The highest-level DDOS attacks are the ones that overwhelm servers (even with good security) but they cost money and concentrated effort from hackers. Unless someone is specifically targeting you, you don’t have to worry about them.

Easiest way to deal with high-level DDOS attacks is to immediately sign up with a dedicated security company like Sucuri (when it happens).

I don’t recommend paying for fancy security services that you mostly won’t need.

9. HTTPS and HTTPS Redirect (BEG, LOW)

You should absolutely be using HTTPS. (It’s the only way to get the benefits of HTTP/2 protocol.)

Put 301 HTTPS redirects on your server so visitors are quickly redirected to the proper HTTPS protocol and correct domain version of your site (with or without “www”). Without these server redirects, WordPress can still do it but it takes a little longer.

Also, don’t forget to make sure all your internal URLs are using HTTPS. Don’t rely on SSL plugins (unnecessary) or WordPress (slow) to redirect you. Set the redirects from the server!

Bonus tip: if using Cloudflare, set a page rule to do your HTTPS 301 redirects from there as well. (Even faster than from local server!)

Need optimized and secure WordPress hosting that meets the needs of your project? Get in touch with CirrusGrid to choose the best option and receive technical assistance during migration.

By Tetiana Fydorenchyk of Jelastic | June 24, 2020


CirrusGrid Helps Developers Win Competition

Neil Armstrong

Buzz Aldrin

Charles Conrad

Alan Bean

Alan Shepard

How many names up there do you know without Googling?

Most people will know Neil Armstrong, the first person who landed on the moon. If you are interested in science and moon landing, you probably know Buzz Aldrin as well. But do you know the rest?

You got it right! The others walked on the moon too; there is a total of 12 astronauts who did. But most people have never even heard their names. They might have put in as much effort as Neil Armstrong. However, they did not enjoy the same limelight as the legend. Just because they were not the first?

Do you agree that the timeline matters?

Similarly, in today’s competitive business world, if you are not the first, you are probably the last. If you have a great idea, make sure you are the first to launch it.

Imagine you are now developing new software for the market; what matters most is the value it brings to its customers—choosing the best platform, source engine, time, and cost factors. It may impact the overall development and results.

You need a solution flexible enough that you only need to deploy once, worry-free, so you can stay focused on development rather than spending half of your time on troubleshooting and support.

Why is CirrusGrid ideal for Software developers?

  • Supports Java, PHP, Ruby, Node.js, Python, .NET, Go environments, as well as Docker and Kubernetes clusters.
  • Unique pay-per-use pricing model: pay only for what you use without having to pay for excess reserved instances.
  • Automatically scale according to your users without you having to monitor it every midnight.
  • Connect with multiple software and app marketplaces of your choosing.
  • Move into production as a turnkey solution.

CirrusGrid also automates IT work so developers can concentrate on their core competency. Developers get a cloud platform that runs and scales any application with no code changes required offering the following features:

  • Easy creation of dev, test, production environments
  • Fast setup of clustered and highly available applications
  • Support for microservices and legacy applications
  • Automatic vertical and horizontal scaling
  • Zero downtime deployment with automated traffic distribution
  • Out-of-the-box TCP and HTTP(S) load balancing
  • Free and custom SSL certificates
  • Ability to hibernate, stop, restart, clone applications
  • Integrated CI and CD tools for automation
  • Built-in monitoring of RAM, CPU, network, storage, IO with alert notifications
  • Log viewer and config manager within native dashboard
  • Sharing environment and account collaboration with different access levels
  • Application management via UI, SSH, API and CLI
  • Deployment via GIT, SVN, FTP and SFTP
  • Ability to use different hardware or clouds within single portal
  • Integrated IDE Plugins: IntelliJ IDEA, Eclipse, NetBeans
  • Virtual Private Servers (VPS) powered by CentOS, Ubuntu and others
  • Marketplace with a rich set of preconfigured applications for one click installation
  • Wide choice of ready to go certified application container stacks
  • Docker containers support with integrated public and private hub registry
  • No vendor lock-in with import/export feature and zero code changes


Your right Cloud services are finally here. Why?

Over the years, the number of Cloud service providers in the market has grown vast. However, not all service providers offer the same value.

Qloud MSP is an experienced managed services provider that focuses heavily on service level and customer satisfaction. We know that effective cloud adoption requires not just extensive technical studies but also risk assessment and complex financial calculations to get the best ROI from technological benefits. Choosing the wrong cloud may lock the company into an expensive and painful ordeal such as heavy downtime, unpredictable recurring costs, poor technical support, and massive security flaws.

Qloud MSP has perspectives.

The results are finally here after years in planning and development. The moment we decided to build a cloud infrastructure, we wanted to develop something that fits most of the business needs.

Here is the set of serious criteria that are considered to make an ideal Cloud infrastructure:

  • Intuitive user interface
  • Reliable and high performance
  • Easy deployment, migration, and administration
  • Meet industry standards, compliance and secure
  • Latest technology and future upgradable
  • Competitive pricing and Pay-as-you-use model
  • Integration capabilities
  • PaaS, SaaS, IaaS as in Public Cloud, Hybrid and VPC ready

It is considered almost impossible to build such a near-perfect Cloud platform based on technical imagination. However, we did it! Thanks to the award-winning cloud platform developers, Jelastic, and other open-source gurus from diverse expertise.

Our strategic technology partnership allowed us to build CirrusGrid, the Cloud services that we believe will bring significant benefits to our customers in their digital business transformation.


Why Data Backup is the Most Important Thing Now, and What Are the Criteria?

The COVID-19 pandemic is forcing many businesses to shift towards work from home. Employees began to use their personal computers or company-provided laptops to carry on their tasks as part of the business continuity plan.

But many organizations do not realize that their data may not be controlled, backed up, and centralized in a secure and safe environment. When it comes to remote working, accessing files in the most convenient way is the top priority. However, employees often make unconscious mistakes; for instance, they copy and edit files somewhere on the desktop or in shared folders, then leave them abandoned. Who owns this data? The company and the customers.

Corporate data has become the backbone of company success and one of the most critical assets. Imagine, what if all these data are lost one day? Your customer payment record, their delivery orders, subscription records, contract, and agreements, all gone.

The risk of data loss is everywhere, at any time, and no one can predict when it will happen. Here are the highest risks:

Security Breaches – Hackers, Malware and Viruses 

We all know that ransomware remains one of the top outbreaks that can cause unrecoverable damage to any network and system. Imagine the only machine storing critical data is infected by ransomware, and no other backup data is available. Even if you are willing to pay the price, it doesn’t mean your information is recoverable. Advanced malware protection software may help at some level, but there is no silver bullet that can give 100% assurance. Risk is always there.

User Negligence

No offense, but the truth is always bitter: over 32% of data losses are caused by human error. Mistakes such as accidental deletion, files lost somewhere on the computer, no backup, or keeping everything on a fragile USB drive without a second copy are simply too risky.

Physical Damages

Disk failure, hardware damage, natural disasters like floods and fire, and malfunctions of the hardware that keeps your data are inevitable, and we should not take this for granted because they usually strike without any warning.

Using the Wrong Medium

Backup and online file storage are not the same. Storing files in cloud storage like Box, Dropbox, and OneDrive is okay for general use. However, such service providers are not liable for any data loss, for several valid reasons and regardless of whose fault it is, because data is always in the custody of the users or company, and recovery may incur an additional charge too.

So how to choose the right backup?

There are hundreds of different types of backup solutions in the market; even manually copying and pasting into another location as a second copy is better than none. Our advice: it doesn’t really matter, as long as the solution can back up and recover the critical data when needed without any problems or errors. However, getting a reliable yet affordable backup solution is somewhat subjective.

For optimal protection here’s what you need:

• Easy to set up and compatible with most of the conventional operating systems.

• A convenient centralized cloud platform that allows users to create, edit, and reschedule backup jobs anytime, anywhere.

• Supports everything from NAS to SAN and Cloud storage, to empower users to choose the nearest backup for the quickest recovery. Automatically replicates your local on-premise backup to secure cloud storage that meets your business DR compliance.

• It comes with robust security features like multi-factor authentication, built-in malware protection, and data encryption.

• Not just data: it can also back up other applications like O365, Virtual Machines, and Emails.

• Pay-as-you-Grow and subscription model that the company does not need to spend on expensive storage and technology upfront.

• The 3-2-1 backup rule – the key strategy that we should always remember:

– Keep at least 3 copies of data

– Store 2 copies of the backup on different mediums or storage

– Keep 1 copy of the backup offsite

Lastly, get a reliable solution provider that will always keep your platform up-to-date, highly responsive to any of your technical questions, and has both capabilities and capacity to cater to your data growth.    

To know more https://www.qloud.my/backup-and-disaster-recovery/

















Qloud MSP signs partnership agreement with Netassist to strengthen security services line up.

Kuala Lumpur, Malaysia 7th October 2019 – Netassist (M) Sdn Bhd and Qinetics MSP Sdn Bhd or known as Qloud MSP, signed a long term strategic partnership to provide Managed Security Services and Solutions to its customers. The collaboration is to help organizations to secure their business operations in the most optimum manner through their total solutions in Malaysia and the region.

Both companies will continuously and jointly provide the more comprehensive cybersecurity technology available to their clients to prevent and protect against rising cyber threats. Every organization today is protected with at least some essential equipment such as antivirus, firewall, anti-spam and intrusion prevention. However, this may not be sufficient to keep them safe from intelligent cybercriminals with targeted attack behavior. This requires a combination of process, people and technology. Therefore, Qloud MSP, which specializes in proactive managed support and system monitoring, will include these security features to strengthen its current products and services.

11 OCT 2019

By: Marketing Team – Qloud MSP | www.qloud.my | Contact Us

Why business needs Managed Cloud Services Providers?

Organizations moving their applications and servers to Cloud computing providers is becoming a trend because the task of managing an IT infrastructure is getting complex. The evolution of technology is dramatically fast. Often, IT departments fail to keep up the pace of acquiring the new skills needed to manage a modern environment like the cloud effectively.

Moreover, many business owners or IT leaders have a misconception about outsourcing to cloud providers. Migrating entire systems to the cloud doesn’t mean the providers are responsible for all administrative work, including backup verification, penetration tests, performance checks, audits, and necessary future upgrade plans. Why? Aren’t we paying them? The answer is simple. The infrastructure is theirs, but the data is yours. Data means information, and it is the biggest asset for a company.

Most cloud service providers do offer many flavors of software and ad-hoc services like backup and recovery, performance monitoring, and reporting statistics, but because most of them are optional, the IT team is still required to monitor and manage many other aspects, including policy, access control, picking the right software, dealing with security threats and contingency plans to avoid costly downtime. Hence, choosing the right cloud service provider, like AWS, Azure, Alibaba or even a local Cloud brand, is crucial. Otherwise, it will significantly impact the ROI and the main objectives of moving into the cloud.

What does Qloud MSP’s Managed Cloud & Hosting do?

We help organizations to implement, monitor and manage complex cloud environments effectively. We evaluate and propose the right and reliable cloud solution that performs best based on their IT environment and budget, because IT should support the business and not the other way round.

To know more about Qloud MSP Managed Cloud and Hosting

23 SEP 2019

By: Wang CW, General Manager – Qloud MSP | www.qloud.my | Contact Us

Don’t let the rising IT cost overshadow your value in the organization.

Many enterprises allocate an annual IT budget to support their business operations. This budget covers the essentials, including networks, servers, storage, computers, software licenses, human capital, outsourcing, as well as backup and disaster recovery.
Ten years ago, this would have been enough. But in today’s digital landscape, we need more.

The Rise of Cyberattacks

We now live in an era of ransomware, spear-phishing, and AI-driven attacks. One compromise to your system can lead, not only to millions of dollars of loss but also to a damaged company reputation.

With increased concerns over these unpredictable cybersecurity threats, many organizations are left with no choice but to invest in more secure and faster infrastructures. Whether you’re staying with an on-premise setup, going hybrid or moving to the cloud, these upgrades can get costly, eating into your profits.

The Big Questions

Before making any changes, take a moment to answer these questions:

  • How long will downtimes affect your operations?
  • What is the latest technology out there? Does your IT team have the right knowledge?
  • How much does an upgrade cost? Do you have the budget?
  • How are you going to proceed from here? What are the necessary steps?
  • Do you understand the importance of an upgrade?

We’ve witnessed many organizations spending huge investments on IT system upgrades, and often, they do not achieve the expected results. Research has found that 55% of IT professionals agree that some cloud adoptions fail because organizations lack an understanding of the business-driven objectives of migrating to the cloud, while 42% of professionals point to a lack of proper planning.

While businesses may understand the need to keep up with the latest technology to stay shielded from threats, the lack of knowledge, time, human resources, and funds can bring about new levels of challenges.

So why don’t you leave it to the experts?

How We Can Help

Qloud MSP’s Next-Gen Managed Services is a reliable managed services provider designed to provide long-term benefits to your organization. Beyond taking away your IT headaches, we are capable of enhancing your IT lifecycle and business productivity. Whether your focus is on ROI or technological improvements, our years of experience in planning, building, and implementing the right solution for our customers means we can help you reach your goals.

20 SEP 2019

To learn more, take a look at our latest Managed Services Packages and Secure Managed Hosting Services.

By: Wang CW, General Manager – Qloud MSP | www.qloud.my | Contact Us

Qloud MSP and Nextcloud announce partnership

Stuttgart, Kuala Lumpur, 1st March 2019 – Nextcloud GmbH, the globally leading supplier of the most popular self-hosted content collaboration platform, announces a partnership with Qinetics Services Sdn Bhd d/b/a Qloud MSP to deliver secure, self-hosted cloud collaboration technology to customers in Malaysia and South East Asia. Together, Nextcloud and Qloud MSP enable customers to regain control over their data with a reliable, easy to use and well-integrated platform.

“The partnership with Qloud MSP gives our customers access to a secured data host, sync, share and collaboration environment in Malaysia,” said Frank Karlitschek, CEO of Nextcloud GmbH. “We look forward to successfully delivering projects together to empower customers and protect their data.”

“Nextcloud complements our portfolio to deliver private cloud solutions,” says CW Wang, General Manager of Qloud MSP. “We’re proud to work together with the market leader in the self-hosted productivity market and deliver reliable, well integrated team productivity solutions to our customers.”

Modern organizations provide their employees with easy to use, mobile team productivity technology to enable on-the-go collaboration and sharing. As the leading self-hosted secure file exchange and collaboration solution, Nextcloud simplifies legal compliance and keeps data secure by providing system administrators full control over the location and access rights of stored data. Deep integration in infrastructure means quick deployment and little need for extensive data migration efforts. Qloud MSP offers its customers accelerated deployment, cloud or private hosting and 24/7 Support.

About Qloud MSP
Qloud MSP (Qinetics Services Sdn. Bhd) is a Malaysian-based technology company specializing in Managed Services, IT outsourcing and Cloud Computing. Our solutions are highly focused on driving customers’ business productivity while prioritizing data protection and control. For more information, visit Qloud MSP or follow @QloudMSP on LinkedIn.

About Nextcloud
Nextcloud offers the industry-leading, fully open source, self-hosted Content Collaboration Platform, combining the easy user interface of consumer-grade cloud solutions with the security and compliance measures enterprises need. Nextcloud brings together universal access to data through mobile, desktop and web interfaces with next-generation, on-premise secure communication and collaboration features like real-time document editing, chat and video calls, putting them under direct control of IT and integrated with existing infrastructure.
Nextcloud’s easy and quick deployment, open, modular architecture and emphasis on security and advanced federation capabilities enable modern enterprises to leverage their existing file storage assets within and across the borders of their organization.

Qinetics Services Sdn. Bhd Becomes Member of MSPAlliance®

Qinetics Services Sdn. Bhd joins vibrant global consortium of cloud, managed service providers and technology enabling vendors

Kuala Lumpur, 28th March 2018 — Qinetics Services Sdn. Bhd today announced that it has become a member of the MSPAlliance. 

MSPAlliance is the oldest Managed Services group and the only Accrediting and Standards based body created specifically for the Managed Services Industry. With over 30,000 corporate members worldwide, the MSPAlliance is a very powerful and influential global network of IT professionals. MSPAlliance works in a collaborative effort with service providers, technology enabling vendors, governmental bodies as well as other industry associations, to further the acceptance of the managed services and cloud industry to the business consumer. 

MSPAlliance member companies are able to achieve MSP and Cloud Certifications, including SSAE 18 Audits (SOC 1 and 2), and ultimately achieve certification through the MSPAlliance MSP/Cloud Verify Program™

“We are delighted to have Qinetics Services Sdn. Bhd as a member of our global association,” said Celia Weaver, MSPAlliance president. “By upholding the MSPAlliance Managed Service Provider’s Code of Ethics, Qinetics Services Sdn. Bhd will work with MSPAlliance, as well as their industry peers, to help ensure the integrity of the managed services and cloud profession.” 

“Your trusted partner towards new era of business”


Qinetics’ Managed Services has over 16 years of experience in delivering technology solutions to meet the full range of business client needs, from mid-size enterprises to large corporations. We provide various tailor-made solutions for every business’s needs while bringing competitive advantages. With a team of over 100 brilliant individuals, we enable the information age with complete business solutions to help your ideas succeed.




MSPAlliance® is a global industry association and accrediting body for the Cyber Security, Cloud Computing and Managed Services Provider (MSP) industry, established in 2000 with the objective of helping MSPs become better MSPs. Today, MSPAlliance has more than 30,000 cloud computing and managed service provider corporate members across the globe and works in a collaborative effort to assist its members, along with foreign and domestic governments, on creating standards, setting policies and establishing best practices. For more information, visit www.mspalliance.com