For a more general information on shared hosting resource limits, please refer to the following article:
What Should I Do If I Receive a ‘Resource Limits Reached’ Error?
WordPress is a popular and powerful CMS, but it is not optimized by default. Keep in mind that a CMS like WordPress is a tool for building websites, but users most often install third-party themes and plugins which aren’t created or reviewed by the WordPress devs, and may not be properly optimized as-is.
If you’re seeing issues with resource limits on the hosting package, or slow response times on a WordPress site, we highly recommend optimizing the site with the following steps, in addition to reviewing further WordPress resources for other helpful information:
Review your site’s traffic statistics
Becoming familiar with the sources of traffic and bandwidth usage on the account will help to identify unnecessary or excessive traffic that can be reduced or eliminated. You may find that webcrawlers are indexing a large volume of pages meant to be private, or a vast majority of traffic is coming from malicious sources attempting to exploit your content. You may also find that your sites are getting more traffic than you had thought.
cPanel provides several options for viewing traffic statistics for the account. The differences are mostly aesthetic, so you can select the one you find easiest to use, and review the traffic information for the site(s) on the account. Here are links to the documentation for each:
High volumes of malicious activity (such as brute force login attempts, POST attempts to vulnerable scripts, etc.) as well as normal site indexing from webcrawlers like Googlebot and Bingbot do contribute to your bandwidth usage, so taking steps to limit this activity is one aspect of reducing the general usage on the account.
For more information on webcrawler activity, here are a few relevant links to Google documentation:
If Googlebot is accessing and indexing pages too fast, you can control the crawl speed through your Google Webmaster portal:
Be sure that open comment or contact forms are secure, and do not allow bots to post large volumes of comment spam:
Default WordPress settings do little to prevent this, and even if the spam comments only go to a moderation queue, their activity does contribute to the resource usage on your account. Review additional security tips in the WordPress documentation to reduce malicious traffic from other sources:
Administrative areas, like wp-admin on a WordPress installation, should never be indexed by search engines, as it is both unnecessary traffic and a security risk. By default, there is nothing preventing this in WordPress, Joomla, etc., so you’ll want to disable that behavior through other means. Google recommends using password protection on private directories (like administrative panels) to prevent them from being indexed:
In cPanel, this can be accomplished with Directory Privacy:
In addition to preventing admin areas from being publicly indexed, you’ll want to fully update all software, themes, plugins, etc. and patch security vulnerabilities to discourage malicious attempts to exploit your site. Even if no new content is being added to the site regularly, websites still require regular software maintenance, which you’ll need to perform on a regular basis, or have an experienced web developer do so for you. Please keep in mind that this regular maintenance is an expected part of using a WordPress site:
You can also use the traffic information to determine the largest sources of legitimate bandwidth usage, and review ways to reduce that usage and/or determine if offloading content is necessary. Here are a couple good places to start:
Test the page speed
A major source of high resource usage is the site code not being fully optimized. You can run a scan to check for issues that can be resolved through changes and tweaks to the installation. A good site to test with is GTMetrix:
Ideally, the page size to aim for would be around 1M or less, and the less concurrent connections, the better. Review the suggestions that are returned on the scan, and read the associated documentation.
Suggestions like ‘Leverage browser caching’ and ‘Enable gzip compression’ show the ‘type’ as ‘Server’ because they would require certain modules to be enabled on the server before they can be used. Gzip compression and caching modules are already enabled on all of our shared servers, however the website itself would still need to be configured to utilize them. For WordPress, for example, a popular plugin to to use for this is WordPress Total Cache:
Just keep in mind that simply installing the plugin does not enable those features automatically. Please refer to the plugin documentation for full instructions on how to install and configure those features in order to get the benefits of the plugin.
Further information specific to optimizing WordPress can be located in the following sections of the WordPress documentation:
CloudFlare offers several plans, but the Free package should suffice for most small sites, or sites that don’t need many advanced features. CloudFlare can provide basic malicious traffic filtering, CDN load-balancing, and some level of caching:
All of our shared hosting servers have the CloudFlare Apache module enabled, so you won’t need to contact us to make any server changes; you can just go right ahead and follow the Cloudflare information for configuring the site. Information on configuring CloudFlare on a WordPress site can be found here:
Always keep your site up to date
Regularly apply updates to the core installations. If you have inactive themes or plugins installed, they should be removed or, otherwise, you’ll want to be applying updates to those modules as if they were active, as any installed modules can still be exploited to compromise a site if they contain unpatched security flaws.
Be familiar with the modules you’re using, and the sources you’ll need to be keeping up with for information on security disclosures or other vital update announcements. If your site is custom-coded, you should be having a web developer reviewing your site code for necessary updates, security holes, or other required maintenance.
Compromised installations can also be used to infect other websites within the same hosting account, so it’s vital that all installed software be regularly maintained, or otherwise removed from the account. If you have development sites within your account, you’ll want to remove them if they’re no longer in use, otherwise you’ll need to be just as diligent at keeping them up to date as a production site. Here is an article with further discussion of site cross-contamination:
If you’re finding that, even with extensive optimization, your account is still reaching resource limits, then it’s likely that your account has outgrown what shared hosting plans can offer. Please keep in mind that shared hosting is typically intended for personal sites and some small business sites where uptime is less critical. For higher availability, higher volume traffic, or sites that are otherwise more resource-intensive, a virtual private server or dedicated server is recommended.
We do offer VPS and dedicated server options with our sister company, DotBlock, which can be found here:
Please note that this information is provided as a courtesy for general guidance on the steps involved in optimizing a website; performing these steps, however, would be outside the scope of our support. If you’re not comfortable with completing the above steps on your own, we recommend locating an experienced web developer to assist.