WordPress on App Service

Azure Front Door
Azure Load Balancer
Azure Virtual Network
Azure App Service
Azure Database for MySQL

This article describes an architecture for small to medium-sized WordPress installations on Azure. The architecture uses Azure App Service to host WordPress and managed Azure services for the database, networking, and content delivery layers. For larger or storage-intensive installations, see WordPress hosting options on Azure.

Architecture

Architecture diagram of WordPress on App Service. Azure Front Door routes traffic to web apps. Azure Database for MySQL stores dynamic content.

Download a Visio file of this architecture.

Note

You can extend this solution by implementing tips and recommendations that aren't specific to any WordPress hosting method. For more information about how to deploy a WordPress installation, see WordPress on Azure.

Data flow

This scenario covers a scalable installation of WordPress that runs on App Service.

The following data flow corresponds to the previous diagram:

  • Users access the front-end website through Azure Front Door with Azure Web Application Firewall enabled.

  • Azure Front Door distributes requests across the App Service web apps that run WordPress. If the requested content isn't cached, Azure Front Door retrieves it from the web apps.

  • The WordPress application connects to Azure Database for MySQL flexible server through a private endpoint and retrieves dynamic content from the database.

  • Azure Database for MySQL supports high availability via a standby server.

  • All static content is hosted in Azure Blob Storage.

Components

  • App Service is a platform as a service (PaaS) offering for building, deploying, and scaling web apps. In this architecture, App Service hosts the WordPress application.

  • Azure Database for MySQL flexible server is a managed relational database service based on the open-source MySQL database engine. In this architecture, it stores WordPress data.

  • Azure DDoS Protection is a network security service that provides enhanced distributed denial-of-service (DDoS) mitigation features. In this architecture, DDoS Protection helps defend the public IP address from DDoS attacks.

  • Azure Front Door is a content delivery network and global load balancer. In this architecture, Azure Front Door serves as the application entry point for web users.

  • Azure Virtual Network is a network service that enables Azure resources to communicate with each other, the internet, and on-premises networks while providing segmentation and isolation. In this architecture, App Service and back-end components are only reachable through private connections in the virtual network.

  • Blob Storage is an object storage service optimized for large amounts of unstructured data. In this architecture, Blob Storage hosts all static content for the WordPress application.

  • Network security groups (NSGs) use security rules to allow or deny network traffic by source or destination IP address, port, and protocol. In this architecture, NSG rules restrict traffic flow between subnets.

  • WordPress on App Service template is a managed solution template for hosting WordPress on App Service. In this architecture, the template provides a preconfigured WordPress deployment that includes App Service and the other Azure services described in this section.

Alternatives

Use Azure Managed Redis to host a key-value cache for WordPress performance optimization plugins. The cache can be shared across App Service web apps.

Scenario details

This example scenario applies to small to medium-sized WordPress installations.

Potential use cases

  • Media events that cause traffic surges
  • Blogs that use WordPress as their content management system
  • Business or e-commerce websites that use WordPress
  • Websites that are built by using other content management systems

Considerations

These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that you can use to improve the quality of a workload. For more information, see Well-Architected Framework.

Reliability

Reliability helps ensure that your application can meet the commitments that you make to your customers. For more information, see Design review checklist for Reliability.

Consider the following recommendations when you deploy this solution:

  • Configure automated backups for Azure Database for MySQL. Define a retention period that aligns with your recovery point objectives (RPOs). Test your restoration process periodically to verify backup reliability.

  • App Service provides built-in load balancing and health checks. These features help you maintain availability when an App Service web app fails.

  • Azure Front Door can serve cached responses when the origin is temporarily unavailable. This capability limits availability loss but doesn't replace a complete availability solution.

  • You can replicate Blob Storage to a paired region for data redundancy across multiple regions. For more information, see Azure Storage redundancy.

  • To increase Azure Database for MySQL availability, enable high availability. Same-zone high availability creates a standby server in the same availability zone as the primary server. For stronger fault isolation, use zone-redundant high availability, which places the standby server in a different availability zone. Use the General Purpose or Business Critical compute tier to enable high availability. For more information, see the high availability options that meet your needs.

Security

Security provides assurances against deliberate attacks and the misuse of your valuable data and systems. For more information, see Design review checklist for Security.

Consider the following recommendations when you deploy this solution:

  • Use Azure Web Application Firewall on Azure Front Door to protect virtual network traffic that flows into the front-end application tier. For more information, see Azure Web Application Firewall on Azure Front Door.

  • Use private endpoints for all back-end services, including Azure Database for MySQL and Blob Storage. Private endpoints keep traffic within the virtual network and prevent exposure to the public internet. For more information, see Azure Private Link.

  • Block outbound internet traffic from the database tier.

  • Block public access to private storage.

  • Keep WordPress core, themes, and plugins updated to their latest versions to address known security vulnerabilities. Uninstall plugins and themes that you no longer need.

  • Restrict access to the WordPress admin panel (/wp-admin) by creating Azure Web Application Firewall custom rules on Azure Front Door. Use the RequestUri match condition to match /wp-admin paths, combined with an IP address condition to allow access only from known IP address ranges. App Service access restrictions apply to the entire site, not individual URL paths, so they don't suit path-specific controls.
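
The /wp-admin custom rule from the last item, written in Bicep as an added example (it is not part of the original article or of the WordPress on App Service template). The policy name, rule name, priority, API version, SKU, and IP ranges are assumptions; the ranges are documentation placeholders to replace with your own.

```bicep
// Assumed parameter: CIDR ranges that may reach /wp-admin (placeholder documentation ranges).
param allowedAdminRanges array = [
  '203.0.113.0/24'
  '198.51.100.17/32'
]

resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' = {
  name: 'wpAdminWafPolicy' // hypothetical name; letters and digits only
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention' // Detection mode only logs and would not block
    }
    customRules: {
      rules: [
        {
          name: 'BlockWpAdminFromUnknownIps'
          priority: 100
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'Block'
          // Conditions in one rule are ANDed: block when the URI contains
          // /wp-admin AND the source address is NOT in the allowed ranges.
          matchConditions: [
            {
              matchVariable: 'RequestUri'
              operator: 'Contains'
              negateCondition: false
              matchValue: [
                '/wp-admin'
              ]
              transforms: [
                'Lowercase' // so /WP-ADMIN is matched as well
              ]
            }
            {
              // SocketAddr is the connection's source address. RemoteAddr is the
              // alternative and is usually derived from X-Forwarded-For.
              matchVariable: 'SocketAddr'
              operator: 'IPMatch'
              negateCondition: true
              matchValue: allowedAdminRanges
            }
          ]
        }
      ]
    }
  }
}
```

The policy takes effect only after it is associated with the Front Door endpoint or domain through a security policy, which this fragment does not create.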

For more information about WordPress security, see General WordPress security and performance tips and Azure security documentation.

Cost Optimization

Cost Optimization focuses on ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Design review checklist for Cost Optimization.

Review the following cost considerations when you deploy this solution:

  • Traffic expectations in GB per month: Your traffic volume affects your cost the most. The traffic that you receive determines the number of App Service instances that you need and the price for outbound data transfer. Serving content through Azure Front Door can reduce outbound data transfer costs.

  • Hosted data: Consider the data that you host in Blob Storage. Storage pricing depends on used capacity.

  • Write percentage: Consider how much new data you write to your website and host in Storage. Determine whether you need new data. For multiregion deployments, the new data that you write to your website correlates with the data that replicates across your regions.

  • Static versus dynamic content: Monitor your database storage performance and capacity to determine whether a lower-cost SKU supports your site. The database stores dynamic content, and Azure Front Door caches static content.

  • App Service optimization: For more information about how to optimize App Service costs, see Cost Optimization.

Operational Excellence

Operational Excellence covers the operations processes that deploy an application and keep it running in production. For more information, see Design review checklist for Operational Excellence.

Consider the following recommendations when you deploy this solution:

  • Enable Application Insights to monitor application performance, availability, and usage patterns. Use the monitoring data to identify and resolve problems before they affect users.

  • Use deployment slots in App Service to stage WordPress core upgrades. Deploy the new version to a staging slot and validate theme and plugin compatibility before you swap into production. Back up the Azure Database for MySQL instance before the swap because WordPress automatically applies schema migrations against the shared database when an admin signs in after an upgrade.

  • Automate your infrastructure deployments by using Bicep or Terraform. Infrastructure as code (IaC) helps you maintain consistency across environments and rebuild environments reliably.

  • Set up Azure Monitor alerts for key metrics, such as App Service CPU utilization, database connection counts, and response times. Use alerts to respond to operational problems before they affect users.

Performance Efficiency

Performance Efficiency refers to your workload's ability to scale to meet user demands efficiently. For more information, see Design review checklist for Performance Efficiency.

Consider the following recommendations when you deploy this solution:

  • Enable the autoscale feature in App Service to automatically scale the number of instances. You can set an autoscale trigger to respond to customer demand or based on a schedule. For more information, see Get started with autoscale in Azure.

  • Use Azure Managed Redis to cache Hypertext Preprocessor (PHP) session data and frequently accessed WordPress objects. Offload these items from the database to reduce query load and improve page load times.

  • Configure Azure Front Door caching rules to serve static assets from edge locations. Cache at the edge to reduce latency for users who are geographically distant from the App Service region.

  • Use the latest supported PHP version in App Service for performance and security improvements. Verify that your WordPress version and plugins are compatible before you upgrade.

Contributors

Microsoft maintains this article. The following contributors wrote this article.

Principal author:

Other contributors:

  • Adrian Calinescu | Senior Cloud Solution Architect
  • Andrew Cardy | Senior Software Engineer

Next steps

Product documentation:

Microsoft training modules: