How to make your website load faster

53% of visits are abandoned if a mobile site takes longer than three seconds to load. So regardless of how your visitors arrive at your website (be it via organic search, paid search, organic social, paid social or directly, say from offline advertising), having a website that isn’t fast is going to hurt your bottom line. It’s also going to make Google less likely to send potential customers your way.

[Figure: web page speed vs bounce rate]

There are only two ways to improve website load speed in the broader sense:

  1. Serve less data
  2. Optimise how that data is served

Most websites are hopelessly bloated. That is, the amount of data you are asking visitors’ browsers to download is larger (often far larger) than it needs to be.

Why page size increases and how to reduce it

The following make big contributions to page size:

1. JavaScript

It is very important to minimise script files to keep the page size as small as possible and your site user-friendly. Scripts can slow down page load and bloat page size.

2. Images

Images have a lot to answer for – in fact, if website owners could just get on top of this one issue, perhaps 60%+ of the page load issues they face would be sorted out in one fell swoop. You still need/want images on your website though, right? So how can you lower the burden of having them? Two ways really – the first one involves using better (for our purposes) file formats like (especially) WebP – which Google themselves developed – to get the most out of every kB added to the page size by images.

The second way is by compression of images whilst maintaining most or all of the image quality with tools such as JPEG Optimizer (if you didn’t listen to step 1); Optimizilla; Kraken.io; CompressNow or any one of many other options.

3. Fonts

Most sites use custom fonts now – more than half. That is a staggering statistic. The impact of fonts on page size has exploded in the last decade, with an increase in space used of 5000% since 2010. The font obviously plays a role in branding, so it’s not without value. If you insist on going with a custom font, the WOFF2 file type is by far the most economical in terms of impact on page size. WOFF2 uses custom preprocessing and compression algorithms to deliver ~30% file-size reduction over other formats.

4. Videos

Again, obviously video has its purpose and its place. However, high-quality video can blow up a page size to monstrous proportions. If you absolutely have to have a video on your website, it’s a great deal easier and faster to embed an iframe code from YouTube, Vimeo, or Amazon CloudFront instead of trying to self-host it.

5. Advertising

Overly complex ads can add a lot of kB or even MB to your page load size. At the end of the day you need to remain vigilant on this issue and decide for yourself whether the loss in performance is worth the ad revenue, or whether there are tweaks that can be made by excluding heavier ads from your website.

Caching

Caching is the process of storing copies of files in a cache, or temporary storage location, so that they can be accessed more quickly. Technically, a cache is any temporary storage location for copies of files or data, but the term is often used in reference to Internet technologies. Web browsers cache HTML files, JavaScript, and images in order to load websites more quickly, while DNS servers cache DNS records for faster lookups and CDN servers cache content to reduce latency.

What Does A Browser Cache Do?

Every time a user loads a webpage, their browser has to download quite a lot of data in order to display that webpage. To shorten page load times, browsers cache most of the content that appears on the webpage, saving a copy of the webpage’s content on the device’s hard drive. This way, the next time the user loads the page, most of the content is already stored locally and the page will load much more quickly.

Browsers store these files until their time to live (TTL) expires or until the hard drive cache is full. (TTL is an indication of how long content should be cached.) Users can also clear their browser cache if desired.

Caching Tools To Avoid

I avoid the following caching tools.

  • NitroPack

NitroPack

Advanced Caching

Caching. Pre-caching. Minification, merging, critical CSS. CDN. Lazy load. Image compression. JS defer.

NitroPack ensures a high cache hit ratio with tons of advanced features like:

  • Smart cache invalidation;
  • Automatic cache warmup;
  • Device and cookie-aware caching;
  • Browser and session-aware caching.

Reasons To Use NitroPack

  1. It gives you better page scores. If that makes you feel better then that is a good thing, but a lot of things can make you feel better – surfing, meditation or even medication. That doesn’t mean it’s very useful.
  2. Easy to use. Always a good thing. But then again most things that can hurt you badly aren’t very hard to use – axes, car crashes and so on.

Reasons Not To Use NitroPack

  1. Flash of unstyled content issues are very commonplace. What this means is that there is a visual mix-up upon loading, and this will hurt you badly in the eyes of Google. It’s also just a bit annoying for everyone – both on the backend and frontend.
  2. Inconsistent speed improvements. So it can help your site load speed but this improvement is far from consistent.
  3. Stupidly overpriced. They just don’t have the right economies of scale at play here. I don’t think I’d be overstating it by saying that the current pricing structure is the equivalent of charging £40 for a frankly homemade craft beer – only really clueless idiots won’t realise they’re being ripped off.
  4. Misleads page score tools rather than legitimately improves them. This is a huge red flag. NitroPack has been created to fudge test scores more than provide actual improvements in function. That makes it a terrible choice for a caching plugin.
  5. Not ideal for complex websites. The more complex your website the more issues this damp squib of a get rich quick scheme will cause you.

Final Verdict: Avoid Like The Plague. Consider Yourself Warned.

Some recent customer reviews:

Terrible support. It’s absolutely impossible to manage 2 websites in 1 account. After trying to get in touch with customer support they simply ignore you and let you wait for literally a month. Sent my first request on the 8th of May, and received my response yesterday (June 7th).

I have checked the Google Page Speed score and it’s worse than without nitropack. My page was the first on google and now my google ranking dropped dramatically because of this “priority support”……

LiteSpeed Cache

LiteSpeed Web Servers

If LiteSpeed web server is a 9.9/10 then, in my experience, LiteSpeed Cache is probably a 9.2/10. It’s about the best option going, but not quite as dominant in its field as LiteSpeed web server is in its own… that is, it’s brilliant but less perfect.

  • LiteSpeed is the 4th most popular web-server behind Apache, NGINX and Microsoft IIS.
  • You can run Apache software on it (like WHM/cPanel) and also use Apache configurations (like htaccess).
  • It’s popular with websites of all sizes.
  • It gives great performance without much configuration.
  • Comes with caching plugins for WordPress, Joomla, Drupal, Magento, and others.
  • Comes with built-in security against brute-force attacks and DDOS.

LiteSpeed Cache Plugin

  • Free cache plugin that has to be used on LiteSpeed servers.
  • This is a true enterprise-grade caching plugin (incredible for both consumer use and enterprise use). I highly recommend it for any site with massive traffic (over 1 million monthly visitors) and/or many pages (over 1k pages).
  • Updated very often.

LiteSpeed Cache Features

  • Server-side caching
  • Object caching
  • Can cache private pages (logged-in users), and admin pages
  • Image optimization
  • CDN compatibility
  • Database optimizations

LS & LSC speeds up your site & decreases your server usage.

Configure LiteSpeed Cache Plugin

Suggested configuration for most client websites.

General > General Settings

  • Automatically Upgrade – up to you. Either is fine.
  • Notifications – up to you. Either is fine.

Cache > Cache

  • Enable LiteSpeed Cache – ON
  • Cache Logged-in Users – OFF
  • Cache Commenters – OFF.
  • Cache REST API – Leave it ON, but turn off if any functions break.
  • Cache Login Page – ON is faster since bots often attack the login page. Turn OFF if it breaks your login page (design, function, captcha). If you are thinking of changing the wp-login URL, don’t do that! LiteSpeed servers natively protect admin URLs. Letting LiteSpeed shut down brute-force attacks performs much better than doing it with slow security plugins!
  • Cache favicon.ico – ON.
  • Cache PHP Resources – ON.
  • Cache Mobile – OFF.
  • List of Mobile User Agents – leave alone.
  • Private Cached URIs – leave alone.
  • Force Public Cache URIs – leave alone.
  • Drop Query String – fbclid, gclid, utm*, _ga.
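
How a drop list like this shapes the cache key, and how to check that a wildcard is not so broad that it merges different pages into one cached entry. This is an added example, not LiteSpeed Cache's own code; it assumes parameters are matched by name with `*` as a wildcard, and `CONTENT_PARAMS` is an illustrative subset of WordPress query variables.

```python
from fnmatch import fnmatchcase
from urllib.parse import parse_qsl, urlencode, urlsplit

# The Drop Query String values from the list above.
DROP_PATTERNS = ["fbclid", "gclid", "utm*", "_ga"]

# Illustrative subset of query variables WordPress uses to select content.
# Extend it with the parameters your theme and plugins read (assumption).
CONTENT_PARAMS = ["p", "page_id", "paged", "s", "cat", "tag", "preview", "replytocom"]


def is_dropped(name, patterns=DROP_PATTERNS):
    """True if a query parameter name matches any drop pattern ('*' is a wildcard)."""
    return any(fnmatchcase(name, pattern) for pattern in patterns)


def cache_key(url, patterns=DROP_PATTERNS):
    """Return the path plus only those query parameters that survive the drop list."""
    parts = urlsplit(url)
    kept = [
        (name, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if not is_dropped(name, patterns)
    ]
    query = urlencode(kept)
    return parts.path + ("?" + query if query else "")


def overbroad_patterns(patterns, content_params=CONTENT_PARAMS):
    """Map each pattern to the content-selecting parameters it would also drop.

    A dropped parameter must never change what the page shows; otherwise two
    different pages share one cache entry and visitors get the wrong one.
    """
    report = {}
    for pattern in patterns:
        hits = [name for name in content_params if fnmatchcase(name, pattern)]
        if hits:
            report[pattern] = hits
    return report


def demo():
    """Constructed sample URLs: tracking tags collapse, real parameters stay."""
    urls = [
        "https://example.com/shop/?utm_source=news&page=2&fbclid=abc&_ga=1.2",
        "https://example.com/shop/?page=2",
        "https://example.com/?s=blue+shoes&utm_campaign=spring",
    ]
    return {url: cache_key(url) for url in urls}


if __name__ == "__main__":
    for url, key in demo().items():
        print(f"{url}\n    -> {key}")
    # The page's list is safe; a careless addition such as "p*" is not.
    print(overbroad_patterns(DROP_PATTERNS))
    print(overbroad_patterns(DROP_PATTERNS + ["p*"]))
```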

Cache > TTL

Leave all alone.

Cache > Purge

Leave all alone.

Cache > Excludes

Leave all alone.

Cache > ESI

With ESI (Edge Side Includes), pages may be served from cache for logged-in users.

  • Enable ESI – ON.
  • Cache Admin Bar – ON.
  • Cache Comment Form – ON.
  • ESI Nonce – leave alone.
  • Vary Group – leave alone.

Cache > Object

Make sure Memcache or Redis is enabled on the server.

  • Object Cache – ON.
  • Method – Redis better than Memcache.
  • Host – Localhost.
  • Port – default.
  • Default Object Lifetime – default.
  • Username – not needed.
  • Password – not needed.
  • Redis Database ID – not needed.
  • Global Groups – not needed.
  • Do Not Cache Groups – leave alone.
  • Persistent Connection – ON.
  • Cache Wp-Admin – OFF.
  • Store Transients – ON.

Cache > Browser

  • Browser Cache – ON.
  • Browser Cache TTL – default.

Cache > Advanced

  • Login Cookie – leave blank for single websites.
  • Improve HTTP/HTTPS Compatibility – OFF.
  • Instant Click – OFF. Can cause high server usage.

CDN > CDN Settings

  • QUIC.cloud CDN – OFF.
  • Use CDN Mapping – OFF. QUIC.cloud CDN and Cloudflare do not use CDN Mapping.
  • CDN URL – leave alone.
  • HTML Attribute To Replace – leave alone.
  • Original URLs – leave alone unless you have a complicated website structure (multiple languages etc).
  • Included Directories – default.
  • Exclude Path – default.
  • Cloudflare API – for Cloudflare-users only. Enter email, global API key, and domain.

CDN > Manage

  • Cloudflare – I don’t mess with.
  • Development – if you want to conveniently disable Cloudflare without having to log in and deal with 2-FA security (haha).
  • Cloudflare Cache – convenient way to purge only Cloudflare cache (and not your LSC cache), such as when you update some images or other assets and want the change to show immediately.

Image Optimization > Image Optimization Settings

  • Auto Request Cron – ON.
  • Auto Pull Cron – ON.
  • Optimize Original Images – ON.
  • Remove Original Backups – OFF.
  • Optimize WebP Versions – I leave it OFF, but feel free to play with it if you got lots of time.
  • Optimize Losslessly – ON.
  • Preserve EXIF data – OFF.
  • Create WebP Versions – ON.
  • Image WebP Replacement – ON.
  • WebP Attribute To Replace – default.
  • WebP For Extra srcset – ON.
  • WordPress Image Quality Control – 75.

Page Optimization > CSS Settings

  • CSS Minify – OFF.
  • CSS Combine – ON. When off, page load speed is far less consistent in my experience.
  • CSS Combine External and Inline – OFF. Extensive testing has shown this to have a negative impact on page load speed. Fairly large impact too (in both directions).
  • CSS HTTP/2 Push – OFF. Can cause the following issues: increased bandwidth use; a slower site for visitors coming from far away, especially via mobile networks; and a slower site for returning visitors.
  • Load CSS Asynchronously – OFF. This can cause serious issues with CLS.
  • Generate Critical CSS – ON.
  • Generate Critical CSS In Background – ON.
  • Separate CCSS Cache Post Types – every post type that has its own page design and CSS.
  • Separate CCSS Cache URIs – any specific page that uses different CSS from other pages.
  • Inline CSS Async Lib – OFF.
  • Font Display Optimization – Default or Block.

Page Optimization > JS Settings

  • JS Minify – OFF.
  • JS Combine – OFF.
  • JS HTTP/2 Push – OFF.
  • Load JS Deferred – OFF.
  • Load Inline JS – DEFAULT.

Page Optimization > Optimization Settings

  • CSS/JS Cache TTL – default.
  • HTML Minify – OFF.
  • DNS Prefetch – all external domains.
  • DNS Prefetch Control – ON.
  • Remove Query Strings – OFF.
  • Load Google Fonts Asynchronously – ON.
  • Remove Google Fonts – OFF.
  • Remove WordPress Emoji – ON.

Page Optimization > Media Settings

  • Lazy Load Images – ON.
  • Responsive Placeholder – ON.
  • LQIP Cloud Generator – OFF.
  • Inline Lazy Load Images Library – ON.

Page Optimization > Media Excludes

  • If you have a specific lazy load exclusion here is where you can include them.

Page Optimization > Discussion Settings

  • Gravatar Cache – OFF.
  • Gravatar Cache Cron – ON if you’re caching Gravatar.
  • Gravatar Cache TTL – 3 months.

Page Optimization > Tuning Settings

  • Generally leave alone.

Database > Manage

  • Clean All – does all optimizations listed. Highly recommended in most cases.

Database > DB Optimization Settings

  • Revisions Max Number – 0.
  • Revisions Max Age – 0.

Crawler > Summary

Leave well alone in almost all cases.

Crawler > General Settings

  • Crawler – enable it if on dedicated or VPS server.
  • Delay – default. Can be lowered for huge websites.
  • Run Duration – default value is fine but you can increase it for priority sites.
  • Interval Between Runs – 60.
  • Crawl Interval – 86400 (1 day) for smaller websites.
  • Threads – anything from 1 to 16 (more if you have server capacity going spare, less if you don’t).
  • Server Load Limit – 3 on dedicated servers or VPS with reasonable resources.

Crawler > Simulation Settings

  • not required for most websites.

Crawler > Sitemap Settings

  • not required for most websites.

CDN

A content delivery network, or content distribution network (CDN), is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance by distributing the service spatially relative to end users. CDNs came into existence in the late 1990s as a means for alleviating the performance bottlenecks of the Internet, even as the Internet was starting to become a part of people’s everyday life. Since then, CDNs have grown to serve a large portion of the Internet content today, including web objects (text, graphics and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social media sites.

CDNs are a layer in the internet ecosystem. Content owners such as media companies and e-commerce vendors pay CDN operators to deliver their content to their end users. In turn, a CDN pays Internet service providers (ISPs), carriers, and network operators for hosting its servers in their data centers. CDN is an umbrella term spanning different types of content delivery services: video streaming, software downloads, web and mobile content acceleration, licensed/managed CDN, transparent caching, and services to measure CDN performance, load balancing, Multi CDN switching and analytics and cloud intelligence. CDN vendors may cross over into other industries like security, with DDoS protection and web application firewalls (WAF), and WAN optimization.

Notable CDN Options To Consider

Rated in order of preference for use on behalf of my clients.

  1. Cloudflare have, in a relatively short space of time, grown to become to CDNs what the Hoover is/was to vacuum cleaners. There is very good reason for this. They offer an exceptional and constantly improving service. The levels and pace of innovation in their service offering is staggering. In my experience and opinion no one who uses Cloudflare is using the wrong CDN and everyone else is currently in their wake.
  2. CDN77 is a very highly rated option by users. They don’t really deal with very small business users much, though, and go straight to the mid-market for their entry level pricing, so head to head it’s only really fair to compare Cloudflare Business or above to these guys. Good customer service and a belter of a service offering. Wouldn’t lose a wink of sleep if for some reason we used these guys instead of Cloudflare (which admittedly doesn’t happen too often).
  3. Amazon CloudFront
  4. jsDelivr
  5. Fastly – more tailored to the mid-market space than Cloudflare & highly regarded by many of their customers. Entry level pricing is 2.5 times what Cloudflare’s is. But, to be fair, you get coverage for 5 domains, not one, so it is suited to companies with multiple websites and/or agencies. Overall Cloudflare remains the better option, but they don’t enjoy the massive gap over Fastly that they do over most of the rest of the CDN field. Quality of Support is rated as substantially better than Cloudflare’s by users, as is Video Delivery.
  6. Google Hosted Libraries – slower than Cloudflare (but this varies from place to place, from a couple of percent slower to MUCH slower). Not an option I suggest for my clients under normal circumstances.
  7. F5 – “overpriced, worse version of Cloudflare” probably doesn’t make for a great slogan, especially when you are targeting the enterprise level, but in F5’s case it is true.
  8. Akamai
  9. MaxCDN
  10. Microsoft Azure CDN
  11. RawGit
  12. Incapsula CDN
  13. KeyCDN
  14. EdgeCast CDN
  15. Cloudinary
  16. StackPath CDN

CDNs went from a nice to have to a must have for all businesses online in the last 3-5 years. If you aren’t using one then you are at a distinct disadvantage against almost all of your serious competition. With my experience of configuring CDNs I am able to turn what would otherwise be a disadvantage into a clear and very useful advantage for my clients. I am confident that I can configure your DNS better than most of your competition have configured theirs.

Cloudflare

Cloudflare is my default choice for CDN for clients. In perhaps 95% of cases it is exactly the right choice, and that is for websites running the gamut from microsites to enterprise level ones. I have almost nothing but positive things to say about Cloudflare.

Cloudflare acts as a reverse proxy for web traffic. It supports web protocols, including SPDY and HTTP/2. In addition to this, Cloudflare offers support for HTTP/2 Server Push.

DDoS Protection

Cloudflare provides DDoS mitigation services which protect customers from distributed denial of service (DDoS) attacks. As of September 2020, the company claims to block “an average of 72 billion threats per day, including some of the largest DDoS attacks in history.”

Content Distribution Network

Cloudflare offers a popular Content Distribution Network (CDN) service. It supports over 25 million internet websites.

Teams

Cloudflare for Teams is a suite of authentication and security products aimed at business clients. Teams consists of two parts: Gateway, a highly customizable DNS resolver, and Access, a zero-trust authentication service.

Workers

In 2017 Cloudflare launched Cloudflare Workers, a serverless computing platform that allows one to create entirely new applications or augment existing ones without configuring or maintaining infrastructure. Since then, the product has expanded to include Workers KV, a low-latency key-value data store, Cron Triggers for scheduling cron jobs, and additional tooling for developers to deploy and scale their code across the globe.

Pages

After being leaked to the press, Cloudflare Pages was launched as a beta in December 2020. The product is a platform for developers to collaborate and deploy websites on Cloudflare’s infrastructure of 200+ data centers worldwide.

Cloudflare Argo

Cloudflare Argo reduces network latency on average by 35% and connection errors by 27%. Traditional network technologies use static routing information, which can be slower and often use congested paths. Slow loading times and connection timeouts increase the likelihood of poor user experience. The Cloudflare company routes 10% of all HTTP/HTTPS Internet traffic. This provides them real-time intelligence on the true speed of network paths. Cloudflare’s Argo smart routing algorithm uses this information to route traffic across the fastest paths available while maintaining secure connections and eliminating excess latency. Argo propagates content via Cloudflare’s 100+ server locations.

Although the vast majority of visitors to this website are from the United Kingdom, almost a third of the visitors are from North America, with the USA at the top. This was one of the reasons – also plain curiosity – why I decided to give Cloudflare Argo a test run. In short, if you have a significant chunk of international traffic, it’s more than worth it. If all of your web traffic is UK-based, you will still see around 20% response time improvement depending on your existing TTFB. With page loads for this website hovering around the 350ms mark, the reduction of 70 milliseconds of response time in the UK is something I definitely enjoy.

In Greek mythology, the Argo was a ship built with the help of the gods which sailed from Iolcos to Colchis to retrieve the Golden Fleece.

Load Balancing

Load balancing refers to the process of distributing a set of tasks over a set of resources (computing units), with the aim of making their overall processing more efficient. Load balancing can optimize the response time and avoid unevenly overloading some compute nodes while other compute nodes are left idle.

Load balancing is the subject of research in the field of parallel computers. Two main approaches exist: static algorithms, which do not take into account the state of the different machines, and dynamic algorithms, which are usually more general and more efficient, but require exchanges of information between the different computing units, at the risk of a loss of efficiency.

WebSockets

What are WebSockets?

WebSockets are open connections sustained between the client and the origin server. Inside a WebSockets connection, the client and the origin can pass data back and forth without having to reestablish sessions. This makes exchanging data within a WebSockets connection fast. WebSockets are often used for real-time applications such as live chat and gaming.

Why Use WebSockets?

Because WebSockets creates a single connection and doesn’t need multiple HTTP headers, WebSockets can provide anywhere from 500:1 to a 1000:1 reduction in unnecessary HTTP header traffic compared to HTTP polling solutions.

The server no longer needs to wait for a request to come back before it sends new data; it can simply push the data to the client the moment it has new information. Tests have shown a 3:1 reduction in latency compared to polling solutions.

For more technical information on the WebSockets, you can read up on the HTML5 Web Sockets Specification.

How Can I Use WebSockets With Cloudflare?

No additional configuration is required to send WebSockets traffic through Cloudflare. Cloudflare will immediately begin proxying your WebSockets through to your origin.

Can I Use WebSockets Over SSL?

Yes. WebSockets through Cloudflare are fully compatible with Cloudflare’s SSL.

Brotli – Gzip Just Got Better

Cloudflare applies Brotli compression to speed up page load times for visitors. Cloudflare will select Brotli compression as the preferred content encoding method if multiple compression methods are supported. If the client does not support Brotli compression, then gzip compression is used instead.
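
The selection rule described above (Brotli first, gzip as fallback), sketched as an added example that is not Cloudflare's code. It also shows the detail that matters to every cache sitting in front of the origin: the chosen coding must be part of the cache variant (`Vary: Accept-Encoding`), or a gzip-only client can be handed a Brotli body it cannot decode. Function names are hypothetical.

```python
# Server-side preference order the page describes: Brotli, then gzip.
SERVER_PREFERENCE = ("br", "gzip")


def parse_accept_encoding(header):
    """Parse an Accept-Encoding header into {coding: q}, with q clamped to 0..1."""
    prefs = {}
    for item in (header or "").split(","):
        item = item.strip()
        if not item:
            continue
        coding, _, params = item.partition(";")
        q = 1.0
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparseable weight: treat the coding as refused
        prefs[coding.strip().lower()] = max(0.0, min(q, 1.0))
    return prefs


def choose_encoding(header):
    """Pick the first server-preferred coding the client accepts (q > 0).

    Client q-values are only used to detect refusal (q=0); among accepted
    codings the server's own order wins, matching the behaviour described.
    """
    prefs = parse_accept_encoding(header)
    wildcard = prefs.get("*", 0.0)
    for coding in SERVER_PREFERENCE:
        if prefs.get(coding, wildcard) > 0:
            return coding
    return "identity"  # send the body uncompressed


def response_headers(accept_encoding):
    """Headers the origin or edge should attach for this request."""
    headers = {"Vary": "Accept-Encoding"}  # tells caches to store per-coding variants
    coding = choose_encoding(accept_encoding)
    if coding != "identity":
        headers["Content-Encoding"] = coding
    return headers


def variant_key(path, accept_encoding):
    """Cache key for a shared cache: the path plus the negotiated coding."""
    return (path, choose_encoding(accept_encoding))


def demo():
    """Constructed Accept-Encoding values from three kinds of client."""
    clients = {
        "modern browser": "gzip, deflate, br",
        "older client": "gzip, deflate",
        "client refusing brotli": "br;q=0, gzip;q=0.8",
        "no header": "",
    }
    return {name: variant_key("/index.html", value) for name, value in clients.items()}


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:24s} -> {key}")
```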

Brotli Vs Gzip Compression

  • HTML files are 21% smaller than gzip.
  • CSS files are 17% smaller than gzip.
  • JavaScript files are 14% smaller than gzip.

So it beats gzip across the board. Perhaps not by a massive amount, but if you’re looking for every last bit of performance improvement then it’s definitely what you should be using. From an SEO perspective it’s also a Google-developed compression tool, so you can be sure that it is what their algorithm is happy to encounter. Then again, so is AMP, and that’s been a bumpy road, but Brotli, overall, has proved itself to be a safe bet as a performance-enhancing implementation for my client websites.

Brotli compresses with a combination of the LZ77 lossless compression algorithm, Huffman coding and 2nd order context modelling. It was developed by Google and works best for text compression. Brotli is primarily used by web servers and content delivery networks to compress HTTP content, making internet websites load faster. It is regarded as the successor to gzip & is supported by all major web browsers and is becoming increasingly popular, as it provides better compression than gzip.

Web Servers

  • For Apache HTTP Server, the ‘br’ content-encoding method has been supported by the mod_brotli module since version 2.4.26.
  • Microsoft IIS has a supported extension since May 2018 that adds support for the ‘br’ content-encoding method.
  • nginx has a ngx_brotli module provided by Google since December 2016.
  • Node.js features a built-in native en- and decoder since version 11.7.0, which can be used to support the ‘br’ content-encoding.
  • Amazon CloudFront can automatically compress cacheable responses at the edge using Brotli, as of September 2020.
  • LiteSpeed Web Server has included the ‘br’ content-encoding method for static files only since version 5.2 in July 2017.
  • Cloudflare CDN offers a brotli option to compress data between its edge node and the user.
  • NaviServer added support in version 4.99.17b1.
  • Caddy (web server) serves statically compressed .br files since version 0.9.4 from December 21st, 2016.
  • lighttpd mod_deflate supports .br since 1.4.56 from November 2020.

CNAME Flattening

What Is CNAME Flattening?

With CNAME Flattening, Cloudflare will follow a CNAME to where it points and return that IP address instead of the CNAME record itself.

There are two main benefits:

  • CNAME flattening allows Cloudflare website owners to add CNAMEs at the root of the domain, which is otherwise not allowed in the DNS specification.
  • CNAME flattening speeds up DNS resolution on CNAMEs by up to 30%.

Enhanced HTTP/2 Prioritization

Optimizes the order of resource delivery, independent of the browser. Greatest improvements will be experienced by visitors using Safari and Edge browsers.
 

What Does Enhanced HTTP/2 Prioritization Do?

The speed of loading web content, from the user’s perspective, is dependent on the order in which the resources load. With HTTP/2, by default, Cloudflare will follow the order requested by the browser. This ordering varies from browser to browser, causing a significant difference in performance.

With Enhanced HTTP/2 Prioritization enabled, resources will be delivered in the optimal order for the fastest experience across all browsers.

Auto Minify

What Does Auto Minify Do?

Auto Minify removes unnecessary characters from your source code (like whitespace, comments, etc.) without changing its functionality.

Minification can compress source file size which reduces the amount of data that needs to be transferred to visitors and thus improves page load times.

Why Isn’t Auto Minify Working?

Cloudflare’s Auto Minify feature may intentionally not minify some scripts under specific circumstances to ensure we don’t create errors in your website code. On these occasions the code will be delivered unminified:

  • If the file is served from an external service or a domain not powered by Cloudflare (For example Google, Facebook, Twitter, widgets etc).
  • If the file contains .min in the filename
  • If the file has syntax errors and it cannot be parsed
  • Inline CSS or JS embedded inside your HTML code will not be minified
  • Auto Minify will not remove newlines from your HTML but will remove unnecessary whitespace

IP Geolocation

Include the country code of the visitor location with all requests to your website.

Note: You must retrieve the IP Geolocation information from the CF-IPCountry HTTP header.

What Is IP Geolocation?

Cloudflare can geolocate visitors to your website and pass the country code on to you. Once enabled, we will then add an HTTP header named “CF-IPCountry” to all requests we make to your website.

Note: Cloudflare uses a GeoIP database to map IP addresses to countries. “XX” means that we found no record in our geolocation database for an IP address.
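
The header is only as trustworthy as the path the request took: if the origin can also be reached directly, any client can send its own CF-IPCountry value. An origin-side check, as an added example that is not Cloudflare's code; `TRUSTED_PROXY_NETS` holds constructed documentation ranges standing in for the proxy ranges your CDN publishes, and `T1` is Cloudflare's code for Tor traffic, which this page does not list.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space). In production,
# load the proxy ranges published by your CDN instead (assumption).
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

UNKNOWN = "XX"  # per the note above: no record in the geolocation database
TOR = "T1"      # Cloudflare's code for Tor traffic (not listed on this page)


def peer_is_trusted_proxy(peer_ip, nets=TRUSTED_PROXY_NETS):
    """True if the TCP peer address belongs to one of the trusted proxy ranges."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def visitor_country(peer_ip, headers, nets=TRUSTED_PROXY_NETS):
    """Return (country, reason).

    country is a two-letter code, "T1" for Tor, or None when the header is
    absent, unknown, malformed, or arrived from a peer that is not the CDN.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get("cf-ipcountry")

    if not peer_is_trusted_proxy(peer_ip, nets):
        # Request bypassed the CDN: never believe a client-supplied header.
        return (None, "untrusted-peer-sent-header" if raw is not None else "direct-request")

    if raw is None:
        return (None, "header-missing")  # IP Geolocation not enabled on the zone

    code = raw.strip().upper()
    if code == UNKNOWN:
        return (None, "no-geo-record")
    if code == TOR:
        return (TOR, "tor")
    if len(code) == 2 and code.isascii() and code.isalpha():
        return (code, "ok")
    return (None, "malformed")


def demo():
    """Constructed sample requests: (peer address, request headers)."""
    requests = [
        ("198.51.100.7", {"CF-IPCountry": "GB"}),   # via the trusted proxy
        ("203.0.113.9", {"CF-IPCountry": "GB"}),    # direct hit on the origin
        ("198.51.100.7", {"cf-ipcountry": "XX"}),   # no geolocation record
        ("198.51.100.7", {}),                       # feature switched off
    ]
    return [visitor_country(peer, headers) for peer, headers in requests]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same decision is better enforced one layer down as well, by firewalling the origin so that only the CDN's ranges can reach it.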

Onion Routing

Onion Routing allows routing traffic from legitimate users on the Tor network through Cloudflare’s onion services rather than exit nodes, thereby improving privacy of the users and enabling more fine-grained protection.

How Does Onion Routing Work?

When this setting is enabled, the response to HTTPS requests coming from the Tor Browser will include an “alt-svc” header containing the address of one or more onion services operated by us. The Tor Browser establishes a Tor circuit with one of our onion services and, after a verification step by the browser, the subsequent requests will be routed through the onion service instead. This allows us to distinguish individual circuits and only challenge circuits that show unusual behavior, while keeping users’ anonymity intact.

[Figure: onion routing concept, an example]

Cloudflare Sites

Africa
Antananarivo, Madagascar – (TNR)
Cape Town, South Africa – (CPT)
Casablanca, Morocco – (CMN)
Dakar, Senegal – (DKR)
Dar Es Salaam, Tanzania – (DAR)
Djibouti City, Djibouti – (JIB)
Durban, South Africa – (DUR)
Johannesburg, South Africa – (JNB)
Kigali, Rwanda – (KGL)
Lagos, Nigeria – (LOS)
Luanda, Angola – (LAD)
Maputo, MZ – (MPM)
Mombasa, Kenya – (MBA)
Monrovia, Liberia – (ROB)
Nairobi, Kenya – (NBO)
Port Louis, Mauritius – (MRU)
Réunion, France – (RUN)
Tunis, Tunisia – (TUN)

Asia
Bangalore, India – (BLR)
Bangkok, Thailand – (BKK)
Bandar Seri Begawan, Brunei – (BWN)
Cebu, Philippines – (CEB)
Chengdu, China – (CTU)
Chennai, India – (MAA)
Chittagong, Bangladesh – (CGP)
Chongqing, China – (CKG)
Colombo, Sri Lanka – (CMB)
Dhaka, Bangladesh – (DAC)
Dongguan, China – (SZX)
Guangzhou, China – (CAN)
Hanoi, Vietnam – (HAN)
Ho Chi Minh City, Vietnam – (SGN)
Hong Kong – (HKG)
Hyderabad, India – (HYD)
Islamabad, Pakistan – (ISB)
Jakarta, Indonesia – (CGK)
Jashore, Bangladesh – (JSR)
Jinan, China – (TNA)
Johor Bahru, Malaysia – (JHB)
Karachi, Pakistan – (KHI)
Kathmandu, Nepal – (KTM)
Kolkata, India – (CCU)
Kuala Lumpur, Malaysia – (KUL) – Re-routed
Lahore, Pakistan – (LHE)
Macau – (MFM)
Malé, Maldives – (MLE)
Manila, Philippines – (MNL)
Mumbai, India – (BOM)
Nagpur, India – (NAG)
New Delhi, India – (DEL)
Ningbo, China – (NBG)
Osaka, Japan – (KIX)
Phnom Penh, Cambodia – (PNH)
Seoul, South Korea – (ICN)
Shanghai, China – (SHA)
Shijiazhuang, China – (SJW)
Singapore, Singapore – (SIN)
Suzhou, China – (SZV)
Taipei – (TPE)
Thimphu, Bhutan – (PBH) – Re-routed
Tianjin, China – (TSN)
Tokyo, Japan – (NRT)
Ulaanbaatar, Mongolia – (ULN)
Vientiane, Laos – (VTE)
Wuhan, China – (WUH)
Wuxi, China – (WUX)
Xi’an, China – (XIY)
Yangon, Myanmar – (RGN) – Re-routed
Yerevan, Armenia – (EVN)
Zhengzhou, China – (CGO)
Zhuzhou, China – (CSX)

Europe
Amsterdam, Netherlands – (AMS)
Athens, Greece – (ATH)
Barcelona, Spain – (BCN)
Belgrade, Serbia – (BEG)
Berlin, Germany – (TXL)
Brussels, Belgium – (BRU)
Bucharest, Romania – (OTP)
Budapest, Hungary – (BUD)
Chișinău, Moldova – (KIV)
Copenhagen, Denmark – (CPH)
Cork, Ireland – (ORK) – Re-routed
Dublin, Ireland – (DUB)
Düsseldorf, Germany – (DUS)
Edinburgh, United Kingdom – (EDI)
Frankfurt, Germany – (FRA)
Geneva, Switzerland – (GVA)
Gothenburg, Sweden – (GOT)
Hamburg, Germany – (HAM)
Helsinki, Finland – (HEL)
Istanbul, Turkey – (IST)
Kyiv, Ukraine – (KBP)
Lisbon, Portugal – (LIS)
London, United Kingdom – (LHR)
Luxembourg City, Luxembourg – (LUX)
Madrid, Spain – (MAD)
Manchester, United Kingdom – (MAN)
Marseille, France – (MRS)
Milan, Italy – (MXP)
Moscow, Russia – (DME)
Munich, Germany – (MUC)
Nicosia, Cyprus – (LCA)
Oslo, Norway – (OSL)
Palermo, Italy – (PMO)
Paris, France – (CDG)
Prague, Czech Republic – (PRG)
Reykjavík, Iceland – (KEF)
Riga, Latvia – (RIX)
Rome, Italy – (FCO)
Saint Petersburg, Russia – (LED)
Sofia, Bulgaria – (SOF)
Stockholm, Sweden – (ARN)
Tallinn, Estonia – (TLL)
Tbilisi, Georgia – (TBS)
Thessaloniki, Greece – (SKG)
Vienna, Austria – (VIE)
Vilnius, Lithuania – (VNO)
Warsaw, Poland – (WAW)
Zagreb, Croatia – (ZAG)
Zürich, Switzerland – (ZRH)

Latin America & the Caribbean
Arica, Chile – (ARI)
Asunción, Paraguay – (ASU)
Bogotá, Colombia – (BOG)
Brasilia, Brazil – (BSB)
Buenos Aires, Argentina – (EZE)
Campinas, Brazil – (VCP)
Curitiba, Brazil – (CWB)
Fortaleza, Brazil – (FOR) – Re-routed
Guatemala City, Guatemala – (GUA)
Lima, Peru – (LIM)
Medellín, Colombia – (MDE)
Panama City, Panama – (PTY)
Paramaribo, Suriname – (PBM)
Porto Alegre, Brazil – (POA)
Port-Au-Prince, Haiti – (PAP)
Quito, Ecuador – (UIO)
Rio de Janeiro, Brazil – (GIG)
Salvador, Brazil – (SSA)
San José, Costa Rica – (SJO) – Re-routed
Santiago, Chile – (SCL)
São Paulo, Brazil – (GRU)
St. George’s, Grenada – (GND)
Tegucigalpa, Honduras – (TGU) – Re-routed
Willemstad, Curaçao – (CUR)

Middle East
Amman, Jordan – (AMM)
Baghdad, Iraq – (BGW) – Re-routed
Baku, Azerbaijan – (GYD) – Re-routed
Beirut, Lebanon – (BEY)
Doha, Qatar – (DOH)
Dubai, United Arab Emirates – (DXB)
Kuwait City, Kuwait – (KWI)
Manama, Bahrain – (BAH) – Re-routed
Muscat, Oman – (MCT)
Ramallah – (ZDM)
Riyadh, Saudi Arabia – (RUH)
Tel Aviv, Israel – (TLV)

North America
Ashburn, VA, United States – (IAD)
Atlanta, GA, United States – (ATL)
Boston, MA, United States – (BOS)
Buffalo, NY, United States – (BUF)
Calgary, AB, Canada – (YYC)
Charlotte, NC, United States – (CLT)
Chicago, IL, United States – (ORD)
Columbus, OH, United States – (CMH)
Dallas, TX, United States – (DFW)
Denver, CO, United States – (DEN)
Detroit, MI, United States – (DTW)
Honolulu, HI, United States – (HNL)
Houston, TX, United States – (IAH)
Indianapolis, IN, United States – (IND)
Jacksonville, FL, United States – (JAX)
Kansas City, MO, United States – (MCI)
Las Vegas, NV, United States – (LAS)
Los Angeles, CA, United States – (LAX)
McAllen, TX, United States – (MFE)
Memphis, TN, United States – (MEM)
Mexico City, Mexico – (MEX)
Miami, FL, United States – (MIA)
Minneapolis, MN, United States – (MSP)
Montgomery, AL, United States – (MGM)
Montréal, QC, Canada – (YUL)
Nashville, TN, United States – (BNA)
Newark, NJ, United States – (EWR)
Norfolk, VA, United States – (ORF)
Omaha, NE, United States – (OMA)
Philadelphia, United States – (PHL)
Phoenix, AZ, United States – (PHX)
Pittsburgh, PA, United States – (PIT)
Portland, OR, United States – (PDX)
Queretaro, MX, Mexico – (QRO)
Richmond, VA, United States – (RIC)
Sacramento, CA, United States – (SMF)
Salt Lake City, UT, United States – (SLC)
San Diego, CA, United States – (SAN)
San Jose, CA, United States – (SJC)
Saskatoon, SK, Canada – (YXE)
Seattle, WA, United States – (SEA)
St. Louis, MO, United States – (STL)
Tallahassee, FL, United States – (TLH)
Tampa, FL, United States – (TPA)
Toronto, ON, Canada – (YYZ)
Vancouver, BC, Canada – (YVR)
Winnipeg, MB, Canada – (YWG)

Oceania
Adelaide, SA, Australia – (ADL)
Auckland, New Zealand – (AKL)
Brisbane, QLD, Australia – (BNE)
Canberra, ACT, Australia – (CBR)
Melbourne, VIC, Australia – (MEL)
Noumea, New Caledonia – (NOU)
Perth, WA, Australia – (PER)
Sydney, NSW, Australia – (SYD)

How To Decide Which Hosting Option Is Right For You

The pursuit of a fast & reliable website starts with getting the right hosting. Many of your competitors have got this almost comically wrong. That’s good news for you if you are reading this. I’ve been where you are now – frustrated by hosting that is slow and/or unreliable – until I had enough and decided to learn hosting inside out for myself so I’d never again suffer from poor website performance.

The Truth About Shared Hosting

Shared hosting is almost useless. No business that wants to build traction of any magnitude should use shared hosting. That’s the truth. The reason is the same reason IV drug users shouldn’t share needles – you are making other people’s problems your own. If you’ve done any online research on shared hosting you will have been lied to by authors who are nothing more than affiliate salespeople for the worst of the worst web hosting frauds out there. They offer very lucrative affiliate fees and authors basically just cut and paste press releases which are full of exaggerations, falsehoods and lies. Shared hosting is out of the question for anyone who takes website performance seriously. End of story.

Managed VPS Hosting

Anytime you see vCPU in the marketing material it’s time to close the tab.

Unmanaged VPS Hosting

Better than managed VPS hosting but requires some technical skill you probably don’t have the time or ambition to acquire.

Enterprise-Grade SSD Cloud Server

Ever thought to yourself: why does it take my little website 3 seconds or more to load when Google, who must have a trillion times more traffic (and thus stress on their server), loads at a median speed of 286ms from London (by my recent 24-hour-a-day checks over the last two weeks)? They have invested in the following data centres in Europe alone:

  1. Saint-Ghislain, Belgium
  2. Hamina, Finland
  3. Dublin, Ireland
  4. Eemshaven, Netherlands
  5. Hollands Kroon (Agriport), Netherlands
  6. Fredericia, Denmark
  7. Zürich, Switzerland
  8. Warsaw, Poland

Each of these has a typical cost of roughly €500 million – some more, some less. The point is Google are able to service the vast majority of their billions of users fast & reliably because they have invested in infrastructure. I realise your company probably doesn’t make as much money as Google do – obviously – but part of the reason they made £130 billion in revenue worldwide last year was due to this sizeable investment in infrastructure over many years. Google’s global total of 31 data centres have cost them in the region of £20 billion to accumulate (some of the non-European ones cost substantially more). So $20 billion invested on web hosting for a company that does £130 billion in revenue (ongoing). That’s probably not a bad rule of thumb ratio for many companies – 20/130= 15.4% of single year revenue on hosting since they started in 1998 (23 years).

For a company that aspires to reach revenues of, say, £500,000 per annum, this would mean spending a total on web hosting of £76,923.08 over 23 years, which is £3,344.48/year or £278.71 per month. Can you see how £4.95/month shared hosting is a bit like getting your girlfriend an engagement ring made out of tin foil?

Cloud computing has allowed even smaller companies to take advantage of bite size chunks of enterprise level superior hosting options & hardware.

How I Host Websites

I host websites using data centres in 12 strategic locations around the world, from which clients can pick the fastest state-of-the-art hosting to service their visitors: Central London, Amsterdam, Warsaw, Helsinki (2 options), Madrid, Frankfurt, Sydney, Chicago, New York, San Jose & Singapore. Our Central London data centre is the only centre in the middle of the capital with two dedicated 33kV transformers.

There’s something for all types & sizes of businesses. All hosting options come with a minimum of 1 GB memory, 25 GB storage, 1 TB transfer & an AMD EPYC 7542 32-Core Processor. Hosting performance is quantifiably better than Microsoft Azure, Amazon Web Services, Google, Digital Ocean, Linode or Vultr.

SSD Cloud Servers

  • 100% uptime SLA – you read that correctly. One hundred percent uptime guaranteed.
  • All power, cooling and connectivity systems have a stand-in replacement or redundant capacity in case of breakdowns.
  • Up to 100,000 IOPS per virtual disk
  • All data centres directly connected to the Internet via transit operators and Internet exchange points (IXPs). Plus a dedicated backbone network for connectivity between data centres and carriers.
  • Effortlessly scalable and cost-effective. We offer hosting options that are affordable for everyone. All the way up to enterprise level packages.
  • CloudFlare Content Delivery Network, site caching, and web security service implemented on all packages.
  • InfiniBand networking – a computer networking communications standard in high-performance computing with very high throughput and very low latency.
  • Latest AMD EPYC processors
  • CPU up to 20 cores; Memory up to 128 GB & Storage up to 2 TB

Data Centres

Equinix Sydney, Australia

Equinix’s Sydney International Business Exchange™ (IBX®) data centers are business hubs for 755+ companies, where a high performance platform for private interconnection is available for digital services. These facilities are home to the richest ecosystem of enterprises in Australia, including 160+ network service providers, 280+ cloud and IT service providers and 60+ content and digital media providers. Our Sydney facilities allow customers to access the broadest range of cloud, which includes AWS, Microsoft Azure, IBM Softlayer, Google Cloud and Oracle Cloud Infrastructure. Customers can also take advantage of peering opportunities with direct access to the largest peering platform in Australia, and access to the key subsea cable facilities – Hawaiki Cable, Southern Cross Cable, PIPE Pacific Cable.

Interxion Frankfurt, Germany

On the infrastructure side, the location Frankfurt am Main is the backbone of the digital business in Germany. As far as data centre density and connectivity to central Internet hubs are concerned, the Frankfurt data centre is the leader throughout Germany and rivals London. Our network-neutral Frankfurt data centre campus puts your systems at the heart of Europe’s digital economy. We host more carriers than anyone else in Europe as well as thriving cloud, digital media and financial communities. Whatever the nature, size and reach of your business is: be assured of the best connectivity for your needs and the fastest performance for your hosted systems.

The connectivity you need

With the biggest available choice of carriers in an ultra-secure facility, and a huge choice of businesses for potential cross connects, our Frankfurt campus is ideal for any business that wants to:

  • Use specific carriers – to reach specific markets or simply because they’re your preferred choice.
  • Have a top-quality, highly secure and scalable European hub for mission-critical IT systems.
  • Build or use cloud services: because proximity to carriers and our cloud community gives you the low latency you need.

Choose from more than 600 carriers and ISPs on campus to reduce cost of network access and benefit from industry leading performance.

Interxion Madrid, Spain

Madrid has become the digital hub for Southern Europe, concentrating an ecosystem of digital businesses and infrastructure to interconnect more enterprises and users with content and cloud services.

The region is the main data interconnection and distribution node within the Iberian Peninsula, with several Internet Exchanges and data centers to connect the traffic from submarine cables landing at the Spanish and Portuguese coasts. The announced arrival of new regions and services in Spain from cloud providers such as AWS, Azure or Google support the development of Madrid as a digital “port” for data exchange.

Equinix Helsinki, Finland

Finland is a rapidly growing market with a highly digital infrastructure, skilled workforce and low barriers to entry. One of Europe’s most dynamic and innovative technology hubs, the city has a large concentration of startups and a culture of innovation.

Telia Helsinki, Finland

When the significance of business data grows, secure data storage, refining and transfer may require new solutions. Whether you need a platform for services enabled by the fourth industrial revolution (such as robotics, IoT and 5G) or just a simple rack, Telia Helsinki Data Center is here for you.

Our open Data Center provides data center, cloud, and infrastructure services for both Finnish and international companies and organizations – with ease, speed, and security.

Interxion Amsterdam, Netherlands

As one of the best-connected cities in Europe, Amsterdam is a key hub for international business. Home to two Interxion campuses – Schiphol and Science Park – Amsterdam is at the heart of the digital economy on the European continent.

Equinix Warsaw, Poland

Warsaw is the business capital of Poland and Eastern Europe’s second largest economy. When you colocate in this strategic gateway city, you benefit from its exceptional network connectivity. Our Warsaw data centres provide direct fiber connections to major telecommunications carriers and many leading enterprises.

Princeton Digital Group Singapore, Singapore

Singapore plays a critical role as the digital capital of Asia, with Smart Nation and Infocomm Media 2025 government initiatives powering the digital ecosystem.

A high-density subsea cable network ensures diverse connectivity to other markets within Asia-Pacific. The nation’s rich, resilient power supply and skilled workforce make for a business-friendly climate. Our data center in Singapore is situated in a central part of the city, serving as a strategic location for hyperscalers and enterprises looking for additional capacity to support their expansion plans.

Volta London, UK

Situated on Great Sutton Street, the Volta Data Centres facility provides businesses with state-of-the-art certified and accredited data services in the beating heart of London. It means our capital city-based partners reach their global audiences and clients with low latency, high performance connectivity, and 100% uptime service level agreement (SLA), as standard.

Not only is the facility walking distance from Liverpool Street Station and the Barbican tube stop, but its specific location on two separate diverse power rings within London’s upgraded 33kV network means Volta is one of the most power-resilient data centres in the UK.

A carrier-neutral data facility with 20+ diverse entry points and over 25 carriers on-site, Volta customers access the level of connectivity they need from the providers they prefer. It means diversity, flexibility, and cost-efficiency, with the power to adapt, and the ability to stay agile.

However, a prime location, 100% uptime, and ultra-resilient connectivity mean nothing without formidable security. That’s why the Volta Data Centres facility is manned with security guards 24/7, equipped with biometric access control, and provides reliable backups and UPS devices to protect your data against outages.

CoreSite Chicago, USA

CoreSite’s CH1 data center location is strategically located in downtown Chicago, adjacent to the Board of Trade. In addition to several clouds and networks available within the campus, this centralized location provides exceptionally low-latency access to businesses, end users, and interconnection destinations in the market.

CoreSite New York, USA

CoreSite’s New York data center (NY1) is located at 32 Avenue of the Americas in Manhattan and is home to hundreds of businesses including financial services providers, domestic and international carriers, cloud computing providers, IT and managed service providers, healthcare companies and enterprises. Dark fiber tethering to CoreSite’s NY2 data center in nearby Secaucus, New Jersey creates one of the most powerful, low-latency data center campuses on the East Coast, giving customers the ability to grow cost-effectively while maintaining excellent connectivity options.

CoreSite San Jose, USA

CoreSite’s Silicon Valley data center can support nearly any computing requirement with the latest in data center efficiency and redundancy designs. The facility is part of the Santa Clara campus, comprised of over 775,000 square feet of colocation space. SV7 also supports hybrid and multi-cloud solutions with low latency access to the network, cloud and enterprise community within CoreSite’s SV3,  SV4 and SV8 facilities in Santa Clara, as well as the rest of CoreSite’s Silicon Valley data center market.

Web Servers

A web server is computer software and underlying hardware that accepts requests via HTTP, the network protocol created to distribute web pages, or its secure variant HTTPS. A user agent, commonly a web browser or web crawler, initiates communication by making a request for a specific resource using HTTP, and the server responds with the content of that resource or an error message. The server can also accept and store resources sent from the user agent if configured to do so.

A server can be a single computer, or even an embedded system such as a router with a built-in configuration interface, but high-traffic websites typically run web servers on fleets of computers designed to handle large numbers of requests for documents, multimedia files and interactive scripts. A resource sent from a web server can be a preexisting file available to the server, or it can be generated at the time of the request by another program that communicates with the server program. The former is often faster and more easily cached for repeated requests, while the latter supports a broader range of applications. Websites that serve generated content usually incorporate stored files whenever possible.

Technologies such as REST and SOAP, which use HTTP as a basis for general computer-to-computer communication, have extended the application of web servers well beyond their original purpose of serving human-readable pages.

Of the major web server software my preference for speed and performance on client websites is roughly as follows:

  1. LiteSpeed Web Server – There aren’t many no-brainers in computing but in 2021 using LiteSpeed is one of them. LiteSpeed is built for speed. It focuses on making websites load very fast, especially those created using CMSs like WordPress, Magento and Joomla. For HTTP/2, LiteSpeed Web Server performs 12X faster than Nginx and 84X faster than Apache when loading WordPress. LiteSpeed Web Server’s architecture delivers more performance from your existing infrastructure, typically cutting server load in half and improving TTFB by 3x. LiteSpeed has developed their own PHP API called LSAPI. LSAPI increases the performance of PHP and reduces load. LiteSpeed acts as a drop-in replacement for Apache, which means that it works out of the box. It can be restarted without causing downtime. It supports unlimited concurrent connections. It is less resource-intensive even under high load, making it perfect for websites of all sizes.
  2. nginx – it’s a definite step down from LiteSpeed but is probably the best of the rest. If switching to LiteSpeed is possible we do it. It lacks flexibility, as configuration is done via one configuration file, unlike with Apache where configuration for specific sites can be overridden via a .htaccess file.
  3. Varnish – again a step off LiteSpeed’s considerable pace but not terrible and vastly superior to Apache and Microsoft-IIS. Not ideal but not terrible for our purposes.
  4. Google Servers
  5. Apache – LiteSpeed’s HTTP/2 implementation performed 84X faster than Apache. This makes Apache almost useless for our purposes. It’s slower than modern web servers. It is RAM-intensive under high load. It requires disabling of unused modules to improve security. I would advise website owners in the strongest possible terms to move away from Apache & will almost never willingly work on an Apache site.
  6. Microsoft-IIS – Bundled with Windows and not usable in UNIX environments. Not open source. It runs on Windows OS only. Avoid like the plague.

DNS

What Is DNS?

DNS is often referred to as the phonebook of the internet: when a user types a web address into their browser, DNS is what connects that user with the web site they are seeking. DNS stands for Domain Name System, and the DNS maintains a directory of every website on the Internet.

A computer can only find a website using its IP address, which is a long, punctuated string of numbers, such as 192.168.1.1 in the older IPv4 format, or 2400:cb00:2048:1::c629:d7a2 in the new IPv6 format. These addresses can be hard for humans to remember, and on top of that, the IP addresses for some websites are dynamic and can change periodically. DNS makes it easier for people to access websites by letting them use human-friendly web addresses, also known as URLs.

For example, a current IPv6 IP address for Cloudflare.com is 2400:cb00:2048:1::c629:d7a2. Instead of memorizing that address, a user can type ‘www.cloudflare.com’ into their browser. When that happens, the browser sends out a request to DNS, and DNS returns a response telling the browser the IP address of that website, and the browser then sends a request to that IP address which responds with the website’s data.

DNS Servers

What Is A DNS Resolver?

A DNS resolver is a type of server that manages the “name to address” translation, in which an IP address is matched to a domain name and sent back to the computer that requested it. DNS resolvers are also known as recursive resolvers.

Computers are configured to talk to specific DNS resolvers, identified by IP address. Usually, the configuration is managed by the user’s Internet Service Provider (ISP) on home or wireless connections, and by a network administrator on office connections. Users can also manually change which DNS resolver their computers talk to.

The following DNS service providers have 1.0% market share or more:

  1. Cloudflare 14.3%
  2. GoDaddy Group 11.8%
  3. Newfold Digital 6.6%
  4. Amazon 5.4%
  5. Google 2.2%
  6. Namecheap 2.1%
  7. United Internet 1.8%
  8. Wix 1.5%
  9. SiteGround 1.4%
  10. OVH 1.2%
  11. Hetzner, team.blue & Beget all 1.0%

HTTP Compression

HTTP compression is a capability that can be built into web servers and web clients to improve transfer speed and bandwidth utilization.

HTTP data is compressed before it is sent from the server: compliant browsers will announce what methods are supported to the server before downloading the correct format; browsers that do not support a compliant compression method will download uncompressed data. The most common compression schemes include gzip and Brotli; however, a full list of available schemes is maintained by the IANA.

There are two different ways compression can be done in HTTP. At a lower level, a Transfer-Encoding header field may indicate the payload of an HTTP message is compressed. At a higher level, a Content-Encoding header field may indicate that a resource being transferred, cached, or otherwise referenced is compressed. Compression using Content-Encoding is more widely supported than Transfer-Encoding, and some browsers do not advertise support for Transfer-Encoding compression to avoid triggering bugs in servers.
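The Content-Encoding negotiation described above, as an added example (not code from this page or from any web server): the server picks a coding from the browser's Accept-Encoding header, falls back to uncompressed data when nothing matches, and the client undoes the coding. The function names and `SAMPLE_PAGE` are hypothetical, and only gzip and deflate are offered because Brotli is not in the Python standard library.

```python
import gzip
import zlib

# Codings this hypothetical server can produce, in its own preference order.
SUPPORTED = ("gzip", "deflate")

# Constructed sample body: repetitive HTML compresses well.
SAMPLE_PAGE = b"<p>hello</p>" * 200


def parse_accept_encoding(header):
    """Return {coding: q-value} from an Accept-Encoding header value."""
    prefs = {}
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        coding, *params = [part.strip() for part in item.split(";")]
        q = 1.0  # a coding listed without q= has full weight
        for param in params:
            key, _, val = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0  # unparseable weight: treat as "not acceptable"
        prefs[coding.lower()] = q
    return prefs


def choose_encoding(header):
    """Pick a Content-Encoding, or None to send the body uncompressed."""
    if header is None:
        return None  # client announced nothing
    prefs = parse_accept_encoding(header)
    best, best_q = None, 0.0
    for coding in SUPPORTED:
        q = prefs.get(coding, prefs.get("*", 0.0))  # "*" covers unlisted codings
        if q > best_q:  # strict ">" keeps server order on ties, skips q=0
            best, best_q = coding, q
    return best


def build_response(body, accept_encoding):
    """Server side: return (headers, body) for the negotiated coding."""
    headers = {"Vary": "Accept-Encoding"}  # caches must key on the request header
    coding = choose_encoding(accept_encoding)
    if coding == "gzip":
        body = gzip.compress(body)
    elif coding == "deflate":
        body = zlib.compress(body)  # HTTP "deflate" is the zlib container format
    if coding:
        headers["Content-Encoding"] = coding
    headers["Content-Length"] = str(len(body))
    return headers, body


def decode_body(headers, body):
    """Client side: undo whatever Content-Encoding the server applied."""
    coding = headers.get("Content-Encoding")
    if coding == "gzip":
        return gzip.decompress(body)
    if coding == "deflate":
        return zlib.decompress(body)
    return body


if __name__ == "__main__":
    for accept in ("gzip, deflate, br", "gzip;q=0, deflate;q=0.5", "br", None):
        hdrs, payload = build_response(SAMPLE_PAGE, accept)
        print(accept, "->", hdrs.get("Content-Encoding"), len(payload), "bytes")
```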

LiteSpeed Web Server

LiteSpeed Web Server’s architecture delivers more performance from your existing infrastructure, typically cutting server load in half and improving TTFB by 3x. LiteSpeed’s benchmarks, when compared to nginx and Apache, speak for themselves. When you switch to LiteSpeed Web Server, you can be confident that your sites will experience measurable improvements in speed.

LiteSpeed’s simpler stack and intelligent cache give it an edge. With LiteSpeed’s advanced built-in cache engine, you can eliminate the need for the HTTPS reverse proxies or additional third party caching layers required with Apache. Plus, LiteSpeed stores compressed cache files, where nginx does not.

Moving to LiteSpeed from almost any web server gives my clients a speed and performance boost. But moving from Apache (which many do) to LiteSpeed can be, and often is, transformative; see below:

[Figure: server load, Apache vs LiteSpeed]

What Is Website Security?

The Internet is a dangerous place! With great regularity, we hear about websites becoming unavailable due to denial of service attacks, or displaying modified (and often damaging) information on their homepages. In other high-profile cases, millions of passwords, email addresses, and credit card details have been leaked into the public domain, exposing website users to both personal embarrassment and financial risk.

The purpose of website security is to prevent these (or any) sorts of attacks. The more formal definition of website security is the act/practice of protecting websites from unauthorized access, use, modification, destruction, or disruption.

Effective website security requires design effort across the whole of the website: in your web application, the configuration of the web server, your policies for creating and renewing passwords, and the client-side code. While all that sounds very ominous, the good news is that if you’re using a server-side web framework, it will almost certainly enable “by default” robust and well-thought-out defense mechanisms against a number of the more common attacks. Other attacks can be mitigated through your web server configuration, for example by enabling HTTPS. Finally, there are publicly available vulnerability scanner tools that can help you find out if you’ve made any obvious mistakes.

SSL/TLS

What Is An SSL Certificate?

SSL stands for Secure Sockets Layer and, in short, it’s the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personal identifiable information or with payroll information).

It does this by making sure that any data transferred between users and sites, or between two systems remain impossible to read. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal which can include credit card numbers and other financial information, names and addresses.

TLS (Transport Layer Security) is just an updated, more secure, version of SSL. We still refer to our security certificates as SSL because it is a more commonly used term, but when you are buying SSL from DigiCert you are actually buying the most up to date TLS certificates with the option of ECC, RSA or DSA encryption.

HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar.

An SSL certificate is installed on the server side but there are visual cues on the browser which can tell users that they are protected by SSL. Firstly, if SSL is present on the site, users will see https:// at the start of the web address rather than http:// (the extra “s” stands for “secure”). Depending on what level of validation a certificate is given to the business, a secure connection may be indicated by the presence of a padlock icon or a green address bar signal.

Google now advocates that HTTPS, or SSL, should be used everywhere on the web and, as of 2014, the search engine has been rewarding secured websites with improved web rankings, another great reason for any site to install SSL.

Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL. It works in much the same way as the SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry although SSL is still widely used. When you buy an ‘SSL’ certificate from DigiCert, you can of course use it with both SSL and TLS protocols.

SSL Certificate Authorities I Use For Clients

  • IdenTrust – the only bank-developed identity authentication system in the world, IdenTrust delivers a legally and technologically interoperable environment for authenticating and using identities in more than 175 countries. With over 5.1 million certificates in active production, IdenTrust supports over 18 billion validations per year.
  • DigiCert Group – DigiCert has mid-range pricing since it offers features for every certificate including a warranty of $1,000,000, free re-issues and a logo you can add to your site to build visitor confidence. DigiCert certificates support 256-bit encryption, feature SHA-256/384/512 signatures, and 2048+ RSA or P-256/P-384 Elliptic Curve Cryptography (ECC). DigiCert SSL certificates are trusted by all major browsers, mail systems, operating systems and mobile devices. There are five different types of certificates that are available: SSL Plus (DV), EV, Multi-Domain (UC/SAN), EV Multi-Domain and Wildcard Plus.
  • Sectigo – a leading cybersecurity provider of digital identity solutions, including TLS/SSL certificates, DevOps, IoT, and enterprise-grade PKI management, as well as multi-layered web security.
  • Comodo – Comodo offers RSA 2048-bit encryption for DV, wildcard and EV certificates. UC certificates have 128-bit or 256-bit encryption.
  • SSL.com – believes electronic security should be easy to implement and accessible to everyone without sacrificing product integrity.
  • Let’s Encrypt – a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

A Note About Symantec

Symantec’s cheapest SSL certificate is $279.00 per year.

Google Chrome’s Distrust Of Symantec

What happened: In March of 2017, Google indicated they had lost confidence in Symantec due to alleged flaws in the way its SSL certificates were being issued and validated by its partners. A lack of sufficient oversight was cited. Symantec and Google “agreed on a plan that requires Symantec to migrate certificate validation to a third party.” Symantec sold its certificate business to Thoma Bravo, LLC, whereby it came to be controlled by DigiCert in 2017. GeoTrust was also sold by Symantec to DigiCert around the same time. So for the time being my recommendation is go straight to DigiCert and for legacy reasons avoid Symantec for at least the next 5 years.

HSTS

HSTS stands for “HTTP Strict Transport Security”. It forces a browser to use secure HTTPS connections. Enabling HSTS means HTTP requests will never hit your origin server. If your site is already set up to use HTTPS, we recommend configuring HSTS on your origin server as well.

If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com. This creates a tiny opportunity for a man-in-the-middle attack. The redirect gets exploited to direct visitors to a malicious site instead of the secure version of the original site. So simply redirecting from HTTP to HTTPS has a security risk inherent in it – and HSTS overcomes this. I regard it as a requirement for all client websites so as to avoid the possibly unlikely but ultimately disastrous impact of a man-in-the-middle attack which puts the entire website in peril. There is really no reason not to deploy HSTS.

The HTTP Strict Transport Security header tells the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. It is a way to pre-emptively shut a very small gap in your website’s security which canny hackers know how to exploit.

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.
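The browser-side rules described above, modelled as an added Python example (not code from this article or from any browser): the header is parsed as RFC 6797 specifies, and is honoured only over HTTPS with a valid certificate. `parse_hsts`, `HstsStore` and its methods are hypothetical names, and foo.com is the placeholder host used in the text.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns a dict of lower-cased directives, or None if the header is invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()             # directive names are case-insensitive
        if not name:
            continue                            # tolerate empty segments (";;")
        if name in directives:
            return None                         # a repeated directive is invalid
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                             # max-age is required and numeric
    return directives

class HstsStore:
    """Hypothetical model of a browser's list of known HSTS hosts."""
    def __init__(self):
        self.hosts = {}                         # host -> (expiry, include_subdomains)

    def note_response(self, scheme, host, header, cert_ok, now):
        """Record a response header; returns True only if the policy was honoured."""
        if scheme != "https" or not cert_ok:
            return False                        # ignored over HTTP or with cert errors
        policy = parse_hsts(header)
        if policy is None:
            return False
        max_age = int(policy["max-age"])
        if max_age == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 withdraws the policy
        else:
            self.hosts[host.lower()] = (now + max_age, "includesubdomains" in policy)
        return True

    def must_upgrade(self, host, now):
        """True if a request for http://host is rewritten to https before it is sent."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # an exact match always applies; a parent only with includeSubDomains
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

Until the first valid HTTPS response has been recorded, `must_upgrade` returns False for the host, which is why the policy needs a long `max-age` to stay in force between visits.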

Examples Of Man-In-The-Middle Attacks

  • DSniff – the first public Man-in-the-middle attacks circa 2000.
  • Fiddler2 – first developed by a programmer working on Internet Explorer for Microsoft back in 2003, Fiddler is used by hackers to break into online stores.
  • The US National Security Agency impersonated Google to gather data on people. A document leaked by Edward Snowden showed how a “man in the middle attack” involving Google was apparently carried out.
  • In 2015, the government of Kazakhstan created a root certificate which could have enabled a man-in-the-middle attack on HTTPS traffic from Internet users in Kazakhstan. The certificate allowed the Kazakh government to intercept, decrypt, and re-encrypt any traffic passing through systems it controlled. In July 2019, it became compulsory in Kazakhstan. On August 21, 2019, Mozilla and Google announced that Firefox and Chrome would not accept the government-issued certificate. Apple followed suit with Safari. Microsoft did nothing – but because the certificate wasn’t in their root store, it would only take effect if a user manually installed it, which some people obviously did. In December 2020, the Kazakh government tried again, and again Mozilla, Google & Apple blocked them pretty much immediately. Slightly worrying what this says about Microsoft.
  • Superfish was an Israeli/American malware company. On February 20, 2015, the United States Department of Homeland Security advised uninstalling it because it made computers vulnerable to serious cyberattacks, including interception of passwords and sensitive data being transmitted through browsers. It wound up operations a couple of months later.
  • Comcast used a man-in-the-middle attack to warn subscribers of potential copyright infringement (by violating their privacy).

How To Decrease TTFB

The 3 Elements That Make Up TTFB

  1. Request: The browser sends an HTTP request to the server hosting the website.
  2. Server processing: The server processes the request.
  3. Response: The server responds to the web browser.

TTFB is the time it takes for the response to first reach the web browser.

TTFB Benchmark

I only really consider TTFB for pages loaded from places where the target market are located. So, for example, if you’re a British business which only services British customers, your TTFB from Australia or Hong Kong is of almost no importance to me. What I care about is your TTFB from London and/or other British cities & towns.

According to Google, TTFB should be under 200 milliseconds. For my clients I like to build in some safety room, simply because there will always be some variation in load and response times, so I like to get it to where I can run 10 simulations from London and all 10 on the spin are under 100ms.

TTFB under 100ms = fantastic.

101ms-200ms = ok.

201-500 ms = below standard.

501 ms – 1 s = poor.

>1s = horrendous.
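A way to take the measurement and apply the ten-run rule above, as an added Python example that is not from the original article. It times a constructed local server on 127.0.0.1, so no DNS lookup is included in the figure; `SlowHandler`, `measure_ttfb`, `all_under` and `run_batch` are hypothetical names.

```python
import http.server
import socket
import threading
import time

class SlowHandler(http.server.BaseHTTPRequestHandler):
    """Constructed local test server; the sleep stands in for server processing."""
    delay = 0.05
    def do_GET(self):
        time.sleep(self.delay)              # element 2: server processing
        body = b"hello"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)              # element 3: response

    def log_message(self, *args):           # silence per-request logging
        pass

def measure_ttfb(host, port, path="/"):
    """Seconds from opening the connection to the first response byte."""
    start = time.perf_counter()
    with socket.create_connection((host, port), timeout=5) as sock:
        req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(req.encode("ascii"))   # element 1: request
        if not sock.recv(1):                # blocks until the first byte arrives
            raise ConnectionError("server closed without responding")
        ttfb = time.perf_counter() - start
        while sock.recv(4096):              # drain the rest so the server closes cleanly
            pass
        return ttfb

def all_under(samples, threshold_s):
    """The article's rule: every run in the batch must beat the threshold."""
    return all(s < threshold_s for s in samples)

def run_batch(runs=10, delay=0.05):
    """Start the constructed server on a free loopback port and time `runs` requests."""
    SlowHandler.delay = delay
    server = http.server.HTTPServer(("127.0.0.1", 0), SlowHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return [measure_ttfb(*server.server_address) for _ in range(runs)]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(all_under(run_batch(), 0.100))    # ten runs against the 100 ms target
```

To test a real site, call `measure_ttfb` with its hostname and port 80 from a machine located where the target market is; a hostname adds DNS resolution time to the result.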

Use The Fastest Available DNS Provider

In the 30 days to 18 July, 2021 the fastest DNS providers in Europe were as follows:

  1. Sectigo 6.24ms
  2. Exoscale DNS 6.26ms
  3. Cloudflare 7.38ms
  4. WordPress.com 11.34ms
  5. DigitalOcean 13.89ms
  6. Limelight DNS 14.91ms
  7. Verizon ROUTE 15.92ms
  8. G-Core 16.63ms
  9. Rage4 17.94ms
  10. Advanced Hosting DNS 18.04ms

Slower than the Top 10 DNS Providers: UltraDNS 18.21ms; entryDNS 18.29ms; RcodeZero 18.94ms; Constellix 19.05ms; DNSMadeEasy 19.11ms; NS1 19.23ms; Namecheap 20.33ms; CloudfloorDNS 20.79 ms; NuSEC 20.81ms; GoDaddy 21.06ms; Dyn 21.76ms; Route53 22.22ms; dnsimple 22.7ms; No-IP 23.51ms; OVH 24.3ms & Gransy AnycastDNS 24.77 ms.

Too slow to be used by any UK company website: ClouDNS 25.61 ms; Linode 25.87 ms; Google Cloud 28.8 ms; Zilore 28.93 ms; ironDNS 29.12 ms; HE.net 29.47 ms; Verisign 32.13 ms; Azure 35.78 ms; EasyDNS 38.12 ms; Vultr 38.84 ms; Softlayer 40.24 ms; NGENIX DNS 45.29 ms.

Too slow to be used by any UK website: Akamai 56.21 ms; Rackspace 64.5 ms; Zoneedit 73.27 ms; OnApp 116.32 ms; EdgeDirector 130.15 ms & Afraid.org 139.58 ms.

Cloudflare DNS Vs Google Cloud DNS Speed Over Time

Cloudflare DNS consistently outperforms Google Cloud DNS (~7ms vs ~28ms most months):

30 days to 18 July, 2021 7.38 ms vs 28.8 ms

June 2021 7.13 ms vs 28.86 ms

May 2021 6.81 ms vs 28.9 ms

April 2021 7.22 ms vs 28.22 ms

March 2021 7.31 ms vs 28 ms

February 2021 7.37 ms vs 27.37 ms

January 2021 8.08 ms vs 27.5 ms

December 2020 7.37 ms vs 27.5 ms

November 2020 7.79 ms vs 28 ms

October 2020 7.3 ms vs 28.84 ms

September 2020 17.42 ms vs 27.69 ms

August 2020 6.97 ms vs 27.85 ms

July 2020 7.01 ms vs 27.57 ms

This 20ms saving goes directly toward your final TTFB count.

What Slows Down TTFB

There are a few things that could be causing a slow TTFB. If you have a high TTFB it is important to figure out what or what combination of factors is causing this to happen. The most common reasons for a slow TTFB include the following:

  • dynamic content
  • networking issues
  • badly configured web server
  • server capacity issues
  • database configuration issues

TTFB & Web Server

OpenLiteSpeed has a better TTFB than Nginx. You’ll save 50ms+ on this alone. OpenLiteSpeed also does a whole lot better under stress than does Nginx.

TTFB & Hosting Providers

Certain major hosting providers offer consistently terrible TTFB. The table below shows major hosting providers by typical TTFB. To give you an indication of how seriously flawed these hosting providers are – I won’t do SEO work on any site hosted by SiteGround (or IONOS or BlueHost).

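| Hosting Provider | TTFB (ms) |
| --- | --- |
| NameHero | 890 |
| BlueHost | 830 |
| IONOS | 500 |
| SiteGround | 450 |
| Hostinger | 250 |
| Kinsta | 260 |
| WPX | 220 |
| Weebly | 194 |
| Liquid Web | 190 |
| Squarespace | 163 |
| GreenGeeks | 150 |
| Cloudways Linode | 141 |
| Cloudways DigitalOcean | 136 |
| Shopify | 134 |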