WordPress on Raspberry Pi 2, six months down the road

So the last report from my Slackware based RPi2 hosting project ended on a cliffhanger (pun intended), as I was just recovering after suffering data corruption, the occasional kernel panic and random errors. Suspecting the instability might be caused by my overly optimistic approach to overclocking and overvolting, I decided to turn things down a few notches.

Raspberry Pi 2 on Slackware ARM

Slackware ARM on RPi2 based hosting

Fast forward five months and my RPi2 is still hosting this website and that takes us well past the six months mark. There have been no further issues with stability or data corruption so I’m confident the initial rollercoaster ride was all due to my lack of competence. As a matter of fact, hosting WordPress on the RPi2 has been so much fun that I’ve shelved my plans on moving to a cloud based SSD VPS indefinitely.

Performance and expectations

What most people reading my RPi2 articles seem to be interested in (according to Google Search Console) is the string “raspberry pi 2 wordpress performance”, so lets talk about that part.
There are a few prominent blogs that promotes hosting WordPress on a Raspberry Pi 2 that also might seduce you to believe that they themselves are running their website on the RPi2. However, if you look at the IP address and investigate the HTTP-headers, you’ll most likely discover a cloud hosted SSD VPS.

Sadly, a WordPress installation running on a RPi2 will always render a page in seconds rather than milliseconds. To avoid getting burned for slow loading times you’ll have no choice but to implement WordPress caching, preferably by installing a third party plugin. The good news, however, is that by serving your visitors static files there will be no noticeable drop in performance when compared to a “real” server. For the record, it’s also advisable to use a lightweight theme and stick to essential plugins only. And yes, try to stay as far away from shortcodes as possible.

Web hosting from your apartment

Alright! we’re all cached up and the RPi2 is ready to conquer the interwebs, what could possibly go wrong? While moving your website from your old hosting provider and relaunching it on the RPi2 you might not be aware of the impending dangers that might befell a tasty raspberry suddenly surrounded by hungry predators. That might sound like a joke, but actually, you’re now running the single most attacked piece of software on the internet.

Bots will blindly scan your site looking for vulnerabilities, they’ll try to bruteforce your login credentials, they’ll fill your comment section with spam and flood your site with requests, all while digesting your remaining bandwidth. In the end these attacks will trigger a multitude of PHP requests, that in turn will create a high load on the RPi2 and services will eventually become unresponsive.

Setting up your server

Didn’t you mention something about fun a few paragraphs ago?
Sure, it’s both fun and viable to host your WordPress blog on the RPi2 but it should be done foremost with an eye on security. That way we’ll try our best to avoid being a part of the Internet of compromised things. Take notice that those bots you’ll soon have filling up your server logs didn’t start out life as part of some hackers toolbox.

Most distributions have excellent documentation on how to harden your server by reducing available attack vectors. I strongly recommend following the path of learning and manual configuration as apposed to using pre-built images running WordPress out of the box. Those images might be great for testing WordPress on the RPi2, but that doesn’t mean they’re meant to be deployed on the Internet.

Iptables fail2ban chain

Iptables in combination with fail2ban and ModSecurity will ease the load on your server by blocking unwanted requests.

Roger Comply avatar
Roger Comply
Thank you for reading!
Feel free to waste more time by subscribing to my RSS feed.