Author: Keith Tysinger

How to Speed Up your WordPress Website

Posted on | by Keith Tysinger | Leave a Comment on How to Speed Up your WordPress Website

SantoHost.com just introduced WordPress One, a no-limits WordPress hosting plan with Cloudflare’s CDN integration. So, it’s a good time to touch on how to speed up your WordPress website.

The biggest problem with WordPress is that it requires more resources than a static website — a lot more! When one first installs WP, it may seem fairly fast. As you add more and more pages, plugins, or change the theme, WordPress literally becomes bogged down over time. This scenario is acceptable if your server can handle the additional stress; however, most servers cannot, resulting in a significant slowdown.

If you are a professional who depends on your online presence, you need a specialized hosting service that can maintain the computing resources that lend themselves to a speedy website.

So, if your website is too slow, you should consider moving it to a faster hosting service. SantoHost.com offers free WordPress migration. They will move your website to their speedy servers for free, do a malware scan, and update your core files (and the theme if necessary). With managed hosting, you get a lot more for your money than just web hosting. The experts at SantoHost.com will keep your website updated and therefore safe from hackers.

DIY WordPress Tune-Up

I will list a few things the average website owner can do to speed up their WordPress website:

If your website is running slow and your hosting panel has a malware scanner, scan your files for malware. Malware has the potential to significantly slow down your website, as well as cause complete disruption or defacement.

You can replace all of your graphics with the newer Webp format. It will make your images 25% smaller with no degradation. This process can be a big job if you have many images. Major graphics apps like Affinity allow you to choose between lossless and lossy webp formats. Lossless means no degradation of the image, but it should generally not be used for the web. Use lossy; you can choose the amount of quality you are willing to sacrifice to have smaller images. I have found that using lossy compression at 75-85 percent quality is so effective that the webp format is indistinguishable from the original and reduces the image size to one third of its original size.

Use fewer plugins. Look for plugins that can perform multiple tasks. It’s usually best to use popular plugins, as they’re more likely to be updated and cause fewer issues.

I have spent hundreds of hours tweaking WordPress sites for speed. Although the process is never exhausted, adhering to these suggestions will yield the greatest return on your investment.

Finally, I have come to the conclusion that a CDN is essential for excellent pagespeed scores. A cheap and easy way to speed up your WordPress website is to use Cloudflare’s APO plugin. This service costs $5 per month but achieves full-page caching around the world (which is especially great if you have international clients).

Another factor is page-caching plugins. WordPress has dozens of them, some free of charge. I’m nearly ready to release my WordPress plugin, SantoCache (because, of course, we need yet another one). These types of plugins can significantly improve the load time of your website. But this is a topic for another day. After I release my plugin, I can explain how these types of plugins can speed up your website, which a typical WordPress user can’t do.

I have even more tips in my article, “Why is my WordPress website so slow?

When your bank blocks your VPN, you still have options

Posted on | by Keith Tysinger | Leave a Comment on When your bank blocks your VPN, you still have options

When you’re overseas and require access to your banking app, discovering you are blocked out can be quite distressing, if not traumatic.

Anonymous network For security reasons, we do not allow connections from a VPN or proxy. Please disable it and try again. If you are on WiFi, please switch to your mobile network and try again.

Error:

Anonymous network For security reasons, we do not allow connections from a VPN or proxy. Please disable it and try again. If you are on WiFi, please switch to your mobile network and try again.

How to get Around your Bank’s VPN Block

I will offer three ways that you may access your account abroad.

1) First, contact your bank and tell them that you are abroad. They may be able to unblock access to your account. This step is crucial. If you try to log in using the methods below without first contacting your bank, you may lock yourself out.

2) If you have your SIM from your country, turn off Wi-Fi and try to use mobile data from your home-based mobile provider. You may have to turn on the roaming feature:

To use this feature, your carrier must allow international roaming, which is often an add-on with additional charges.

3) Use your favorite VPN and give it another shot! I often recommend NordVPN. Or you can try ProtonVPN for free.

Some banking apps are excellent at detecting VPNs and proxies. You can sometimes bypass their firewalls by using a residential proxy located in your home country. I would recommend such usage only for extreme emergencies. Today, I successfully used my banking app with this method. It works, but not 100 percent. I had to try three different IP addresses before I was able to log into my banking app. Third time’s the charm!

I don’t know of any VPSs that offer residential IP addresses, only dedicated IP addresses from a data center.

However, never fear. There are multiple websites that offer residential IPs for rent.

(I do not get a commission from the following links):

nodemaven.com

Node Maven is where I was able to obtain a residential IP for around $6. I then used an Android proxy client to establish a connection to the IP. The Android app was called Nore Proxy.

Best of luck with your endeavors! A few caveats : NEVER allow an app to install a certificate in order to use a proxy or VPN. Don’t change your email or phone number on your banking app while abroad. You may, and probably will, get your account frozen. This phenomenon actually happened to me once. I changed my phone number while in SE Asia, which resulted in an immediate lockout. I eventually had to fly back to the USA and go meet with a bank manager in person to get access to my money! I was flagged as a hacker, I guess.

Fun times. He who has the gold makes the rules!

Everything you need to know about VPN services but were too afraid to Ask

Posted on | by Keith Tysinger | Leave a Comment on Everything you need to know about VPN services but were too afraid to Ask

VPN services offer a sense of security while being online, but are they worth the hassle and cost? My answer is yes! I find that my VPN is indispensable, especially living and traveling in other countries. For example, I can’t log in to my banking apps from the Philippines, and occasionally the bank even blocks my VPN connection (more about that later). Furthermore, I’m often getting blocked from my own servers because I may type in an incorrect password too many times. With a VPN I can change IP addresses in a second, and boom! I’m back in.

Let’s first make a distinction between proxies and VPNs. The chief difference between a proxy and a VPN is that proxies do not necessarily have encryption. Meanwhile, one expects robust encryption from a VPN provider. The way VPNs work is by encrypting your Internet connection before it leaves your computer. Your internet connection can then pass through your ISP and all sorts of Internet routers with strong encryption. Your data connection will end at a data center, where the VPN provider will decrypt your internet connection and send it back out to the original target.

The VPN data center can be anywhere in the world. Your IP address is swapped with one from the data center (the outgoing connection), so it seems you’re in the state or country of the new IP address. This feature allows you to, for example, “unblock” American Netflix from anywhere in the world.

There are many VPN companies competing for your business. Over and over, you will hear NordVPN is the best. I use it myself and can recommend their service with confidence. I am using their service with a residential IP address in the USA. Now, no company — not Netflix or my bank — can know that I am using a VPN. This is a very cool feature that NordVPN offers. Ultimately, VPNs serve no purpose if the service you are attempting to access blocks you. The big companies (like Netflix & HBO) have the big data center IPs blacklisted. A few companies can get you through without detection. NordVPN is one of the best, with or without the residential IP add-on.

Unblocking isn’t the best feature of VPNs. Privacy is the best part. Have you ever had your credit card number stolen? It literally happened to me three nights ago. That’s why I’m determined to always keep my VPN on. Some of the networks here and popular service apps may not be secure. Anywhere that offers free WiFi, including hotels, is another huge problem. A new trend at hotels is passwordless WiFi, which is unencrypted. A VPN is the best protection from your credit card numbers and other personal information being intercepted.

Finally, I’m not here to sell VPN services. Oh, who am I kidding? If you require a private VPN server, please feel free to send me an email. However, there is a safe and free option that most people are not aware of. Cloudflare offers a fantastic 1111 app that upgrades your DNS and data connections. They use the Wireguard protocol, so this is a legitimate free VPN service; however, you can’t change or choose your location like you can with a major VPN provider. The 1111 app is great for emergencies, like when you find yourself at a public WiFi spot with no data plan.

Lastly, if you want to stay safe on the Internet, never use a “free” VPN app. The reason is simple: no VPN company can offer free VPN services. Ad revenue isn’t nearly enough to support any kind of legitimate VPN service because running a VPN is an expensive endeavor. Many of the “free” VPN apps are known to only be scamware/malware. Good protection isn’t free, but you will find NordVPN to be an excellent value.

There are many topics I didn’t get to cover, like jurisdiction and the evolving politics surrounding VPNs and privacy in general. I fear what could happen if my technical writing crosses over into the political sphere.

Troubleshooting Http/3 and QUIC Problems: A Checklist

Posted on | by Keith Tysinger | Leave a Comment on Troubleshooting Http/3 and QUIC Problems: A Checklist

First, you can verify whether HTTP/3 is working on your website by using these sites: Http3check or Http3checker. You can also do a simple:

ShellScript
curl -I --http3 https://your-website.com

You need five things to make HTTP/3 work. While my examples primarily focus on Nginx, they can aid you in troubleshooting any web server.

1) A web server that supports HTTP/3 (Nginx since version 1.25.0).

Check the Nginx version and double-check to make sure it was compiled with the HTTP/3 module.

ShellScript
#Verify the version is >= 1.25
nginx -v

#Next check if the http_v3_module was compiled 
nginx -V 2>&1 | grep --color http_v3_module

2) Make sure your web server is configured for HTTP/3.

For Nginx, you must enable HTTP/3 in the Vhost file

ShellScript
server {
  listen 80;
  listen [::]:80;
  listen 443 quic;
  listen 443 ssl;
  listen [::]:443 quic;
  listen [::]:443 ssl;
  http2 on;
  http3 off;
  ssl_protocols TLSv1.3;
  {{ssl_certificate_key}}
  {{ssl_certificate}}
  ...

change http3 to on; I understand that https/3 defaults to on when compiled with the http/3 module, but I always add it anyway. It lets you remember later on that this website is intended to be upgraded to http3.

You will also need an Http header to advertise your server’s support for http/3

ShellScript
add_header Alt-Svc 'h3=":443"; ma=2592000';

This will go in your Vhost file, as above. For Nginx, it will either go in the Server block or the Location block if you are running a reverse proxy. You need to verify that this header is there, or you have to add it yourself.

A little trick I have learned if you are having trouble getting Http/3 to be stable is to add the directive reuseport to the quic listeners like so:

ShellScript
listen 443 quic reuseport;
listen [::]:443 quic reuseport;

Of course “listen [::]” is the listener for 1Pv6 connections. If you are not using IPv6, you should just leave them in there for future upgrades — or delete them now for easier debugging. The choice is yours.

3) You will need a domain name and a valid, not self-signed, SSL certificate

4) You will need to use TLS 1.3. It’s sometimes beneficial to force TLS 1.3 as in the first example, adding ssl_protocols TLSv1.3. This is very appropriate, especially if only your own clients will be connecting to the instance, as opposed to a general website.

4) In your firewall, you need to open both TCP and UDP protocols for port 443

HTTP/3 uses UDP, unlike the previous versions of HTTP, which only used TCP. You will need to open TCP and UDP.

5) A modern web browser that supports Http/3 which is nearly all of them.

Also, TLS 1.3 was finalized in 2018. I do not even try to support older hardware. Requiring TLS 1.3 enhances security at the expense of a few older clients. If you do not explicitly require TLS 1.3, the client can then downgrade to HTTP/2 or HTTP/0.9, which may allow hackers to take advantage of the vulnerabilities in these older protocols. A good rule is to allow only TLSv1.2 and TLSv1.3 because TLSv1.1 is not only outmoded but also, according to Google.com, “… vulnerable to attacks, making it unsuitable for protecting sensitive data.”

ShellScript
ssl_protocols TLSv1.2 TLSv1.3;

If you are interested in this subject, you must check out “moz://a SSL Configuration Generator” that will generate all sorts of safer and more robust web server configs according to your preferences.

I hope my checklist was helpful!

CloudPanel Masters Reverse Proxies so you don’t have to

Posted on | by Keith Tysinger | Leave a Comment on CloudPanel Masters Reverse Proxies so you don’t have to

If you’ve ever experienced frustration when attempting to configure a reverse proxy, CloudPanel will simplify your life. CloudPanel is a free, no-frills hosting panel that is surprisingly robust and satisfying to use. It uses the Nginx server, ready for HTTP/3.

The self-hosting movement is in full swing, and CloudPanel is a perfect remedy for those of us who prefer a GUI hosting panel rather than using only the CLI. It excels at reverse proxies, even if—especially if—your project is Dockerized.

The best thing about CloudPanel is its built-in reverse proxy feature. CloudPanel will even add an SSL (Let’s Encrypt) certificate automatically, or you may import your own cert.

CloudPanel is so easy, in fact, I’m only going to post a few screenshots to explain everything you need to know.

You are halfway there!

Finished!

One final thing, you may want to turn on HTTP/3. Check out my blog post on how to use HTTP/3 in CloudPanel and Nginx.

Immich with OpenLiteSpeed as a reverse proxy

Posted on | by Keith Tysinger | Leave a Comment on Immich with OpenLiteSpeed as a reverse proxy

So, you have installed Immich and are now realizing that it needs a reverse proxy or another method to add some security to your instance. OpenLiteSpeed to the rescue! This tutorial will help you configure OpenLiteSpeed (OLS) with your Immich app.

Immich is a fantastic Google Photos alternative if you are willing to self-host. While LightSpeed is “drop-in replacement for Apache,” OLS is not. OLS is from Mars; Apache is from Venus.

You may be wondering, if OLS is so quirky, then why use it at all? The answer is simple: speed, plus the fact that it is free. OLS supports HTTP/3, which will speed up our Immich instance immensely. For the record, Nginx also supports HTTP/3. Apache reportedly has an HTTP/3 module in development, but I can’t find the beta version anywhere at the time of writing.

Another reason to use OLS is because CyberPanel, a companion web hosting panel, is free (with frustrating adverts). It’s excellent for hosting a few websites free of charge. Not only will you get the speed of HTTP/3, but also a free SSL certificate, which is required for HTTP/3.

To make things a bit easier, you can create your website’s config files (vhost) using your hosting panel and install the corresponding SSL certificate using your (sub)domain. This way, we don’t have to create the website’s vhost configuration file from scratch.

We have two methods to configure OLS: the OLS admin control panel or by editing the config files directly. OLS has a dedicated admin panel, which you will find hidden on port 7080, i.e., https://myserver.mydomain.com:7080. The username should be admin. If you have forgotten your password, SSH into your server and issue

OLS forgotten password

ShellSession
/usr/local/lsws/admin/misc/admpass.sh

 

After you log in, click on Virtual Hosts. If you are starting from scratch, click on the + sign to create a new vhost. Otherwise, find and click on the website that you have already created for your Immich app.

Under the Basic tab, select NO to Enable Scripts/ExtApps, and then select YES to Restrained.

Next, select External App and select Web Server

Add 127.0.0.1:2283 for the web server address and provide your web server a name. You can use the information listed below. Click save.

Click on Context, then create a new Proxy —click on Next

Enter / for the URL,

Upgrade: $http_upgrade
Connection: upgrade

For the Header operations. Click save.

Click on Listeners, then add your virtual host to each listener type.

Our Immich virtual host would need to be added to all three listener types in the above example.

Finally, you need to restart the OpenLiteSpeed server. Look for the big green button at the top and restart OLS. That’s it!

Another word about listeners. If you’re a keen observer, you’ve likely noticed that my configuration lacks the IPV6 listener for the default port. If your system doesn’t have IPV6, then you probably only have two listeners. If you are using IPV6, you should generally have 4 listeners. Even your mail servers need IPV6. We can see here that CyberPanel seemed to forget my IPV6 for the default port. Is it a bug or a feature? I had to add this manually.

Here is the final vhost config for OLS. I assume that you can simply use this config instead of going through all of the above steps with the OLS admin panel… but I don’t know for sure. Please let me know in the comments what you think!

ShellSession
docRoot                   $VH_ROOT/public_html
vhDomain                  $VH_NAME
vhAliases                 www.$VH_NAME
adminEmails               redacted@yourmomma.com
enableGzip                1
enableIpGeo               1

errorlog $VH_ROOT/logs/$VH_NAME.error_log {
  useServer               0
  logLevel                WARN
  rollingSize             10M
}

accesslog $VH_ROOT/logs/$VH_NAME.access_log {
  useServer               0
  logFormat               "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i""
  logHeaders              5
  rollingSize             10M
  keepDays                10
  compressArchive         1
}

index  {
  useServer               0
  indexFiles              index.php, index.html
}

extprocessor immich {
  type                    proxy
  address                 127.0.0.1:2283
  maxConns                500
  initTimeout             600
  retryTimeout            0
  respBuffer              0
}

context / {
  type                    proxy
  handler                 immich
  extraHeaders            <<<END_extraHeaders
Upgrade: $http_upgrade
Connection: upgrade
  END_extraHeaders


  addDefaultCharset       off
}

context /.well-known/acme-challenge {
  location                /usr/local/lsws/Example/html/.well-known/acme-challenge
  allowBrowse             1

  rewrite  {
    enable                0
  }
  addDefaultCharset       off
}

rewrite  {
  enable                  1
  autoLoadHtaccess        1
}

vhssl  {
  keyFile                 /etc/letsencrypt/live/redacted                /etc/letsencrypt/live/redacted/fullchain.pem
  certChain               1
  enableECDHE             1
  renegProtection         1
  sslSessionCache         1
  enableSpdy              15
  enableStapling          1
  ocspRespMaxAge          86400
}

websocket / {
  address                 127.0.0.1:2283
}

module cache {
storagePath /usr/local/lsws/cachedata/$VH_NAME
}

Final Thoughts

This is a lot of work for a simple reverse proxy. CloudPanel has a built-in reverse proxy, and so does AApanel, my favorite open-source hosting panel. For the record, I have given up on CyberPanel. The project appears to be all but abandoned, and there are too many adverts on the admin panel to make it usable or any bit enjoyable.