Wordpress is awful on DO and many things can and do break. Trust me, I've been developing with Wordpress for over a decade, and WP on a VPS is a whole different kettle of fish. Whether it's hardening the VPS to avoid a DDOS, or auto-patching Ubuntu when OpenSSL gets another vulnerability. It's quite mightmarish. DO is good for things like Gitlab and VPNs and things like that, but good luck trying to get something bulletproof and high availability. It's a devops nightmare. It can be achieved, but it takes some time...
Why is Wordpress on a VPS a nightmare? You install nginx, php-fpm, mysql, enable unattended upgrades in Ubuntu, create a new user for Wordpress, run it, enable automatic updates, done.
It's a blog. It doesn't need to be bulletproof or run on a cluster.
I say this because so many peeps think using these pre-installed WP bundles is all kittens and unicorns; it is not. I am not singling out DO specifically, but any VPS provider that has pre-installed soft that does not respond to threat landscapes and it not hardened correctly. Users install without a care in the world for having their VPS naked and like a sitting duck. (Yes I monitor inbound traffic on VPSes and there are people who are interested in flooding if you don't practice throttling and load balancing, or PTR records which resolve the raw IP to other domains).
The performance of the out-of-the-box WordPress stack is terrible too. I maintain benchmarks for WordPress running on different company's platforms (http://reviewsignal.com/blog/2015/07/28/wordpress-hosting-pe...) and had to stop including Digital Ocean because it's just not in the same league. I get asked everytime why they aren't there though and have to explain, that's not really what Digital Ocean does. If you want high performance WordPress, lots of companies have built on top of DO's infrastructure to give you that. But DO doesn't give you that out of the box.
You are right it is difficult to keep self-managed installations secure vs. just using a SaaS provider, especially when some of the users only have basic admin skills. Having said that, we do our best to have secure settings by default, respond promptly to security issues (typically we release new images within hours of a new version being announced) and in particular in the case of WordPress we pre-configure everything out so automatic updates are enabled out of the box (which the user can also manage from the admin panel without touching the command line).
> there are people who are interested in flooding if you don't practice throttling and load balancing
perhaps someone is out to get you. never experienced this in my life. been running dedicated server with over a hundred installs for 2 years. sure you have script kiddies that might send a bot to try to brute force passwords. But Nginx can easily handle that load.
Spammers, phishers and other criminals are _always_ out to get _everyone_. It's typically done by robots - if your VPS is insecure, it's a matter of when, not if, and when is usually sooner than you think.
I meant DDOS, nobody cares enough to deny access to your little site unless there is something else which is going on. Other stuff, nothing much to worry about. Just follow best practices: use a password keeper, keep your site updated, disable comments, etc.
The way that typically goes is first your VPS gets exploited somehow and used to serve illegal content, send spam or scan other hosts. Then it gets DDOS-ed by someone who doesn't like the content or attacks initiated from the VPS.
Yeah the list goes on. Even for the pros, there are an insane amount of steps to get the install perfect. And it has to be perfect, as one overlooked thing can mean the box can be taken offline by net-hooligans. Things like Commando are handy for this and I frequently use recipes when I spin up a new server: https://commando.io/
I think the actual meaning being lost in translation here is "self-managing things is awful"—which it is, if you are a dev and don't want to be burdened with ops.
Indeed. First thing that blew my mind is that it checks to see if its files are owned by the uid of the php process. Why? Why can't we just +w on uploads, themes, plugins etc using group permissions?
This is why I'm ditching it and going back to static HTML for my corporate site. As a small consulting shop, we just don't have the time or resources to worry about "WTF is wrong now?"
Static site generators are definitely making a comeback... With the number of vulnerabilities and automated attacks on older versions of WP, and other frameworks, it's not an entirely bad idea...
Generate the site, push to S3 or Azure, then put CloudFlare (or another CDN/Cache) in front of it... Easy peasy.
I think WordPress is great on DigitalOcean. With EasyEngine you can be up and running - cached - and seconds with a handful of CLI commands. I've had great luck with running WP on DO.
I'm curious why you think it's awful? I used the one-click Wordpress install on DO and put up a custom-coded theme. The site gets around .5m visits a month and I've never run into any problems.
WP was not designed for modern deployment for a number or reasons. Wordpress is definitely not a 12 factor app. And there is nothing that can be really fixed by plugins. to fix this, one has to break WP core apis. WP is "a deploy once with ftp/sftp" cms.
I think a lot of developers--myself included, for a long time--don't really appreciate why this is the reason WordPress is as popular as it is. The vast majority of the criticisms people make of WP are valid, but good luck finding something else as easy for a non-developer to not just install and configure, but to actually maintain in a relatively secure fashion. (I also don't think developers appreciate how good modern WordPress is as this -- not to say that it's perfect, by any stretch, but once it's set up correctly the damn thing is self-updating. As long as you stick to popular, actively-developed plugins and put effort into keeping them updated -- which is frankly a pretty low bar, since it's about three clicks on the dashboard -- WordPress isn't likely to be a serious security concern.
I don't see how WordPress's general audience would be in the least concerned about its failure to be a "twelve-factor app," do you?
You have to run your own install script. It is more involved than deploying other things. I usually run a script to prepare the server first (for a generic secure setup, including LAMP) and then run the WP installing script (which is mostly Python working through sftp). It has taken a bit of time to figure this one out, because the generic secure setup requires constant upkeep. Its not something that you set and forget.
aptitude update sure is part of maintaining things up to date. One cannot rely on it exclusively due to how those updates sometimes require other changes. Plus it doesn't cover all packages. Using docker just adds another layer of complexity and possible vector of attack. For standalone wordpress installs docker is not required. Wordpress security is more of a continuous process rather than a set and forget thing due to how it's a constant target.
I actually run a few wordpress blogs on Cloudways - which sets up a managed host on top of DO or AWS. It's pretty good - I think there is value for managed "applications" on top of VPS.
Think of it as Cloudformation for the rest of the world !
