Despite the optimization on the webserver, it makes sense to install a couple of plugins that secure and speed up your wordpress installation.

In my concrete case, I am using as a minimum the following:

Hyper Cache
Hyper Cache is a simple caching plugin that pre-renders your content, so your webserver doesn’t need to processes all dynamic content for every request and only does this once there is a change.
Super simple, but speeds up your website enormously.
It also supports CDN.

Login LockDown
Limites the amount of possible attempts to login. This helps to prevent bruteforce attacks where an attacker tries random passwords till he has access. Find information about it here.

Stop XML-RPC Attack
Stop XML-RPC Attack helps you reducing the amount of requests going to xmlrpc.php. This could possibly used to flood your webserver with useless requests.

BJ Lazy Load
Lazy Load helps to only load content that the user is looking at. E.g. when opening a long page, not all pictures are visible directly. Some are below the fold. It makes no sense to load these images before they are watched, so this helps preventing unnecessary requests + increases the user experience, while speeding up everything.

EWWW Image Optimizer
EWWW Image Optimizer optimizes and compresses all pictures that you have uploaded or will upload in WordPress. Makes files smaller, while not losing the quality and therefore speeds up the page.

miniOrange 2 Factor Authentication
miniOrange 2 Factor Authentication enables you to use several methods of two factor authentication, means your username + password + a second authentication. This could be e.g. an email, SMS or the Google Authenticator. I highly recommend the Google Authenticator. It is free and simple.

All these plugins are free of charge, some have a pro version, which I don’t need.

Everytime your wordpress blog loads, it is also sending a lot of files that are static e.g. images, CSS, javascript and so on.

In the standard configuration, this is passed thru the PHP process which slows down the delivery as it has to be processed before, even that there is absolutely no reason to do this.

You can avoid this, by configuring NGINX to directly deliver these files and speed everything up.

Add to your https configuration the following line

location ~* \.(js|css|png|jpg|jpeg|gif|ico|woff)$ {
expires 30d;
log_not_found off;
}

If you have more file types that you want to deliver directly and that are static, add them to js|css|png|jpg|jpeg|gif|ico|woff e.g. js|css|png|jpg|jpeg|gif|ico|woff|pdf

Restart your NGINX and you are good to go.

There is plenty articles on this topic.

It is basically limiting the accepted ciphers for the encryption and kicking out old broken encryption algorithms.

My configuration for Nginx looks something like this.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
add_header Strict-Transport-Security "max-age=0; includeSubdomains";

Add this to your specific host configuration in the server {} part for port 443.

For Apache I am using something like this

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA2\
56:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECD\
HE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-\
SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM\
-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA
SSLHonorCipherOrder on


Check your result using SSL Test.