by blfr 3958 days ago
Why is Wordpress on a VPS a nightmare? You install nginx, php-fpm, mysql, enable unattended upgrades in Ubuntu, create a new user for Wordpress, run it, enable automatic updates, done.

It's a blog. It doesn't need to be bulletproof or run on a cluster.

(Of course, the hip choice is Ghost.)
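The steps listed in the post above (unattended apt upgrades, a dedicated user for WordPress under php-fpm, WordPress core auto-updates) come down to a few small config fragments. The script below renders them; it is an added example, not the commenter's own setup. The user name "wordpress", the socket path under /run/php and the scratch directory are assumptions, and nothing is written to /etc unless you copy the fragments there yourself.

```shell
#!/bin/sh
# Added example, not from the thread: render the config fragments behind
# "enable unattended upgrades, create a new user for WordPress, enable
# automatic updates". Paths and the user name "wordpress" are assumptions.

# /etc/apt/apt.conf.d/20auto-upgrades: refresh package lists and apply
# security upgrades daily without anyone logging in.
render_unattended_upgrades() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# php-fpm pool for WordPress: PHP runs as its own unprivileged user, separate
# from nginx (www-data), so a compromised plugin only gets that user's rights.
# nginx reaches the pool through a socket owned by www-data.
render_fpm_pool() {
    user="${1:-wordpress}"
    cat <<EOF
[$user]
user = $user
group = $user
listen = /run/php/$user.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOF
}

# Lines for wp-config.php: turn on core auto-updates (minor and major) and
# disable the in-dashboard theme/plugin editor, so a stolen admin session
# cannot drop PHP files through the web UI.
render_wp_config_hardening() {
    cat <<'EOF'
define( 'WP_AUTO_UPDATE_CORE', true );
define( 'DISALLOW_FILE_EDIT', true );
EOF
}

# Write every fragment under a target directory (default: a scratch dir,
# an assumption) so they can be reviewed and diffed before going into /etc.
install_fragments() {
    target="${1:-/tmp/wp-hardening}"
    mkdir -p "$target/apt.conf.d" "$target/php-fpm.d"
    render_unattended_upgrades > "$target/apt.conf.d/20auto-upgrades"
    render_fpm_pool wordpress > "$target/php-fpm.d/wordpress.conf"
    render_wp_config_hardening > "$target/wp-config-hardening.inc"
    printf 'fragments written under %s\n' "$target"
}
```

Run `install_fragments /tmp/somewhere` and compare the output with what the distro shipped; the nginx side then only needs `fastcgi_pass unix:/run/php/wordpress.sock;` in the PHP location block.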


I say this because so many peeps think using these pre-installed WP bundles is all kittens and unicorns; it is not. I am not singling out DO specifically, but any VPS provider that has pre-installed soft that does not respond to threat landscapes and is not hardened correctly. Users install without a care in the world for having their VPS naked and like a sitting duck. (Yes, I monitor inbound traffic on VPSes and there are people who are interested in flooding if you don't practice throttling and load balancing, or PTR records which resolve the raw IP to other domains.)
The performance of the out-of-the-box WordPress stack is terrible too. I maintain benchmarks for WordPress running on different companies' platforms (http://reviewsignal.com/blog/2015/07/28/wordpress-hosting-pe...) and had to stop including Digital Ocean because it's just not in the same league. I get asked every time why they aren't there, though, and have to explain that that's not really what Digital Ocean does. If you want high performance WordPress, lots of companies have built on top of DO's infrastructure to give you that. But DO doesn't give you that out of the box.
You are right, it is difficult to keep self-managed installations secure vs. just using a SaaS provider, especially when some of the users only have basic admin skills. Having said that, we do our best to have secure settings by default, respond promptly to security issues (typically we release new images within hours of a new version being announced) and, in particular in the case of WordPress, we pre-configure everything so that automatic updates are enabled out of the box (which the user can also manage from the admin panel without touching the command line).
> there are people who are interested in flooding if you don't practice throttling and load balancing

Perhaps someone is out to get you. Never experienced this in my life. Been running a dedicated server with over a hundred installs for 2 years. Sure, you have script kiddies that might send a bot to try to brute force passwords. But Nginx can easily handle that load.
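Since the reply above relies on nginx absorbing password-guessing bots, here is what "handling that load" looks like in practice: a per-client rate limit on the two endpoints that login bots hit (wp-login.php and xmlrpc.php), plus a small awk detector that counts login POSTs per IP in a combined-format access log. This is an added example, not the commenter's config; the zone name "wplogin", the socket path and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): nginx rate limiting for the WordPress
# login endpoints plus a per-IP login-POST counter over an access log.
# Zone name, socket path and the sample log are assumptions/constructed.

# Fragment for the http {} context: one bucket per client address,
# 10 requests per minute. Zone name "wplogin" is an assumption.
render_limit_zone() {
    printf '%s\n' 'limit_req_zone $binary_remote_addr zone=wplogin:10m rate=10r/m;'
}

# Fragment for the server {} block: throttle only the login endpoints so
# normal page views are never delayed. Socket path is an assumption.
render_login_locations() {
    cat <<'EOF'
location ~ ^/(wp-login|xmlrpc)\.php$ {
    limit_req zone=wplogin burst=5 nodelay;
    limit_req_status 429;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/wordpress.sock;
}
EOF
}

# Constructed sample access log in nginx "combined" format; not real traffic.
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [01/Jan/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2015:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2015:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/7.0"
EOF
}

# Count POSTs to the login endpoints per client IP, reading the log on stdin.
# In combined format $1 is the client IP, $6 is "\"POST" and $7 the path.
# Output: "<count> <ip>" lines, busiest client first.
count_login_posts() {
    awk '$6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Number of login POSTs seen from one IP in the sample log (0 if none).
login_posts_from() {
    sample_access_log | count_login_posts |
        awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}
```

On a live box, feed the real log instead of the sample (`count_login_posts < /var/log/nginx/access.log`) and anything far above a human rate is a candidate for the rate limit or a firewall block; the 429 status also makes throttled requests easy to spot in the log.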

Spammers, phishers and other criminals are _always_ out to get _everyone_. It's typically done by robots - if your VPS is insecure, it's a matter of when, not if, and when is usually sooner than you think.
I meant DDOS; nobody cares enough to deny access to your little site unless there is something else going on. Other stuff, nothing much to worry about. Just follow best practices: use a password keeper, keep your site updated, disable comments, etc.
The way that typically goes is first your VPS gets exploited somehow and used to serve illegal content, send spam or scan other hosts. Then it gets DDOS-ed by someone who doesn't like the content or attacks initiated from the VPS.
I tried to install wordpress from apt-get and it wasn't trivial. File permissions were out of whack, plugins and upgrades weren't working.

I eventually scrapped it and installed from source. Took a little longer to configure but worked out.

I also added some extra firewall and server monitoring tools.

Yeah, the list goes on. Even for the pros, there is an insane number of steps to get the install perfect. And it has to be perfect, as one overlooked thing can mean the box can be taken offline by net-hooligans. Things like Commando are handy for this and I frequently use recipes when I spin up a new server: https://commando.io/
WordPress is not just a blog. It's used for so much more than that: http://wordpress.tv/2013/11/07/aaron-holbrook-wordpress-is-a...
Yeah, but by-and-large people are using it for a blog/CMS. It's definitely packed with features, but that doesn't make it elegant or fun.
Don't forget memcached and W3 Total Cache. :-)