---
title: WordPress/WooCommerce Security & Performance Stack
type: article
created: '2026-04-05'
updated: '2026-04-05'
source_docs:
- raw/2026-02-19-papertube-asymmetric-marketing-call-123695176.md
tags:
- wordpress
- woocommerce
- cloudflare
- security
- performance
- bot-traffic
- seo
- wp-engine
- caching
- infrastructure
layer: 2
client_source: null
industry_context: null
transferable: true
---

# WordPress/WooCommerce Security & Performance Stack

Asymmetric operates a managed WordPress/WooCommerce stack built on WP Engine with Cloudflare as the front-line layer. The stack is designed to deliver layered security, bot and AI scraper blocking, advanced caching, and consistently high site health scores. Clients hosted on this stack routinely achieve 99–100/100 health scores; clients on third-party platforms (Shopify, Webflow) typically cannot reach the same baseline without significant workarounds.

## Stack Components

| Layer | Tool | Role |
|---|---|---|
| DNS & CDN | Cloudflare | Bot blocking, geo-filtering, security rules, edge caching |
| Hosting | WP Engine | Server-level bot blocking, server-side caching |
| E-commerce | WooCommerce | Drop-in Shopify replacement; same payment processor setup |
| Page caching | Rocket (plugin) | CDN caching, edge caching, performance optimization |
| Indexing | Crawl Scout | Daily Google index requests for all unindexed pages |
| Monitoring | Aggregated dashboard + AI | 30+ data sources unified; AI-driven insight layer |

## Security: Layered Defense

Security is enforced at multiple points rather than relying on any single tool.

**Cloudflare (front-of-stack)**
- Blocks bots before they reach the origin server
- Supports geo-blocking by country or IP range (e.g., blocking all non-US/EU/CA traffic)
- Web Application Firewall (WAF) rules, including regex-based custom rules
- AI bot blocking — prevents scraping of content and images for model training or video generation
- Security headers (the two headers that cannot be set via HTML must be configured here)

**WP Engine (server layer)**
- Catches traffic that passes Cloudflare
- Server-level firewall and caching rules
- Provides a second enforcement point independent of Cloudflare

**Security Headers**
- Asymmetric configures the full set of security headers; four can be injected via HTML, two require Cloudflare
- Moving a client from no headers to a full set typically improves their security grade from D to A
- Firewalls with strict policies will flag or penalize domains missing security headers

## Performance: Caching Architecture

Three caching layers interact to maximize speed:

1. **Cloudflare** — edge caching at the CDN level
2. **WP Engine** — server-side caching at the host level
3. **Rocket** — plugin-level CDN and edge caching within WordPress

This layered approach, combined with proper DNS configuration, is what enables the 99–100/100 health scores Asymmetric targets for all hosted clients.

## SEO: Daily Indexing via Crawl Scout

Crawl Scout runs daily against every client site and submits index requests to Google for any page not yet indexed. This ensures:
- New and updated pages are indexed as quickly as possible
- Orphaned or low-visibility pages are surfaced and investigated
- The team has daily visibility into how many pages are unindexed and why

## Monitoring & Insight Layer

All data sources — health scores, indexing status, traffic, security events, ad performance — are aggregated into a single dashboard. An AI layer evaluates the combined inputs and surfaces insights that would not be visible from any single tool alone.

## Bot Traffic: Diagnosis & Remediation

Bot surges are a common problem for clients not on the managed stack. Typical symptoms include:

- Sudden spike in traffic from specific countries or IP ranges
- Avast or other security tools flagging the domain
- Cloudflare configured but not effectively blocking (misconfiguration or missing rule layers)

**Remediation options (in order of precision):**

1. **Geo-blocking** — block all traffic from countries with no legitimate customer base; blunt but fast
2. **IP-range blocking** — more targeted; useful when bot traffic is concentrated in specific ranges
3. **Separate regional domain** — e.g., `papertube.co.uk` for UK traffic, allowing finer-grained accept/block rules without affecting the main domain
4. **Cloudflare rule audit** — review existing WAF and firewall rules for gaps; Cloudflare configuration is complex and easy to misconfigure

> **PaperTube example:** Bot traffic surged starting February 4–5. The site had Cloudflare configured but the setup was not optimized. Asymmetric offered to audit the Cloudflare configuration and tighten bot protection rules as an immediate step, ahead of any potential full migration to the managed stack. See [[clients/papertube/index]].

## Comparison: Managed Stack vs. Third-Party Platforms

| Capability | Asymmetric Stack | Shopify | Webflow |
|---|---|---|---|
| Full Cloudflare control | ✅ | ❌ | ❌ |
| Server-level bot blocking | ✅ | ❌ | ❌ |
| Security header control | ✅ Full | ⚠️ Partial | ⚠️ Partial |
| Multi-layer caching | ✅ | ⚠️ Limited | ⚠️ Limited |
| Daily indexing requests | ✅ | ❌ | ❌ |
| Health score target | 99–100 | Variable | Variable |

Clients on Shopify or Webflow can receive partial improvements (e.g., security headers via HTML injection, DNS moved to Cloudflare), but the full stack benefits require migration to WP Engine + WordPress/WooCommerce.

## Migration Considerations

For e-commerce clients migrating from Shopify:
- WooCommerce is a functional equivalent; payment processor setup is comparable
- Product catalog, orders, and customer data require migration planning
- The primary client-facing experience is unchanged; the security and performance gains are infrastructure-level

## Related

- [[clients/papertube/index]]
- [[knowledge/cloudflare/cloudflare-bot-protection]]
- [[knowledge/seo/crawl-indexing-strategy]]