First off, let’s be clear: ALL HOSTS ARE SLACKERS. To some extent, anyway. They promise to help you defend your site(s) against hacking and bots, but they never, EVER do. We left Zweeko because their servers couldn’t reboot and our sites would be down for hours at a time – and they would just say “no worries!”. Yeah. We moved to Siteground, which has been a huge improvement, but they offer no more support or ACTUAL help than Zweeko did. But at least with Siteground the sites crash and are rebooted in minutes rather than hours.
If you have old sites with URLs that have been in service for 20 years like ours, you WILL be a target for bots and hackers. If your site performance is never good and your host shrugs their shoulders, it’s probably bot attacks that are slowing things down.
So, we put up with constant outages for about a year. We’d ask for help and Siteground would just offer the same old bullshit answers: Tweak your robots.txt file! Write a special root file that will block bots! Don’t use WordPress! DO use WordPress! Upgrade your account! (That last one is a standard. Better to sell more services than actually FIX a client’s problems!)
They never once recommended a plugin that might help. NEVER. And Siteground actually says in their marketing: “We eat WordPress for breakfast!” I beg to differ.
Anyway, the point is, never expect a host to do anything more than take your money and try to take MORE of your money.
And another thing to never rely on your web host for: your EMAIL. Just don’t. Use Gmail. What we do is set up email addresses with our URLs then forward them to a Gmail account. That way, there is spam filtering and you have far more control of your email. These days, NO ONE looks at your email account – other than to judge you for using AOL, Yahoo or the other old ass crappy ones. Heh. I’ve got many email accounts and I’ve never had anyone even realise it when I accidentally use a different one on a reply. We skipped using host email all together with Player One; its email is playeroneatl at gmail dot com. MUCH simpler. Also, when you change hosts (and you will), your email will still work since it is independent of your URL. Same thing goes for registering your URL. Use a separate registrar (I use namecheap.com) from your host. That way your domain registration doesn’t have to be moved when you change hosts (and you will change hosts). Protips, people! Protips!
We struggled with bot attacks for years, but I think we’ve finally found a plugin that actually helps: StopBadBots. We installed in across all our WP sites and have had only a one or two outages in a month, which is amazing. I also installed Blackhole for Bots, but that one requires some robots.txt file fiddling, so it’s not plug and play like StopBadBots is. I highly recommend StopBadBots.
I also had an issue with email enquiry form spam, so I configured the plugin (Contact Form 7 by Miyoshi) to work with Akismet Anti Spam plugin (standalone from Jetpack), which seems to work quite well.
If you don’t already, go NOW and turn on Askismet for comment spam and Jetpack (Askismet is included in JetPack, but we also use the standalone plugin) for WordPress. Make sure to configure JetPack’s settings to turn ON “Brute force protection” and turn OFF “login with any wordpress account”. Always check your settings for any plugin you use with WP.
Then go get Wordfence. This plugin is very thorough and really helps with bots that try to log into your WP site. You’ll need to get an API key and you’ll need to take some time to configure all the sections, but it is REALLY worth it. The plugin will tell you how to get the API key and they offer lots of documentation. I will advise that you tweak the Rate Limiting Rules pretty tightly. GET WORDFENCE!
Also install Heartbleed Control plugin, to stop the heartbleed exploit, which will run up site hits.
If hosts would actually offer decent WP support, I don’t think WP would be such a pain in the ass. WHY they won’t simply suggest a plugin rather than all the bullshit über complicated rewrite crap is beyond me. But *I* will recommend what is working for us.
As with all things technical, things evolve, so this info is not forever, but for right now, August 2017, these things are working. Hopefully they will continue to work for the foreseeable future! And I hope that they might help others who struggle with site performance issues while running WordPress!