Complete guide for maintaining, optimising WordPress websites for optimum performance, maximum speed for loading webpages, maximum security for preventing website hacking & highjacking by intruders

Introduction

 
I have been using WordPress for almost more than 5 years now.

 
I will explain in below post step by step procedure to harden, secure & optimise WordPress for best performance & security.

 
So First thing first,

 

Introduction to WordPress

 
What is WordPress: WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. Features include a plugin architecture and a template system. WordPress was used by more than 23.3% of the top 10 million websites as of January 2015. WordPress is the most popular blogging system in use on the Web at more than 60 million websites.

 
As we know of today WordPress is offered in two different formats, One is managed & hosted by team at WordPress.com & second as self hosted by user using downloadable installable package available at WordPress.org.

 

Difference between WordPress.com & WordPress.org

 
Following things really differentiate WordPress.com and WordPress.org from each other

 
1st Difference
WordPress.com: User provides the content & website is managed by team at WordPress.com
WordPress.org: Content provided by User & Managed by User itself

 
2nd Difference
WordPress.com: Hosting, security and backups are managed by team at wordpress.com. You can have two types of domains like mandarapte.wordpress.com or mandarapte.com with premium service
WordPress.org: Hosting, security, backups are managed by user.

 
3rd Difference or Similarity
WordPress.com: Custom Themes are supported
WordPress.org: Custom Themes are supported

 
4th Difference
WordPress.com: Features like social media sharing, stats, comments, and polls are available without plugin
WordPress.org: For social media sharing, stats, comments, and polls you have to install jetpack plugin

 
5th Difference
WordPress.com: Premium personal support and the WordPress.com forums are always available.
WordPress.org: Only WordPress.org support forums are available for assistance.

 
6th Difference
WordPress.com: You must register for an account on WordPress.com and abide by our Terms of Service.
WordPress.org: No registration with WordPress.org is required.

 
As discussed if you are using WordPress.org for your website you can follow this steps to manage WordPress website performance & security on your own:

 

Assumption: I assume that you are good with coding skills & you know little bit of HTML, CSS, PHP website coding structure.

 

Precaution: Before moving forward backup your MySQL Database & WordPress installable files from your server.

 

Note: All below mentioned performance, maintenance & security tips will be either related to following three types of items of your WordPress website installations. Those are .htaccess, functions.php & wp-config.php file.

 
What is .htaccess file?
The .htaccess is a distributed configuration file, and is how Apache handles configuration changes on a per-directory basis. WordPress uses this file to manipulate how Apache serves files from its root directory, and subdirectories thereof. Most notably, WP modifies this file to be able to handle pretty permalink.

 
What is wp-config.php?
One of the most important files in your WordPress installation is the wp-config.php file. This file is located in the root of your WordPress file directory and contains your website’s base configuration details, such as database connection information.

 
What is functions.php file?
One way to change the default behaviours of WordPress is using a file named functions.php. It goes in your Theme’s folder. The functions file behaves like a WordPress Plugin, adding features and functionality to a WordPress site. You can use it to call functions, both PHP and built-in WordPress, and to define your own functions. You can produce the same results by adding code to a WordPress Plugin or through the WordPress Theme functions file.

 

1. So we will start optimise our WordPress website for performance with following maintenance & optimisation tricks:

 

A. Server, Domain & DNS server related Optimisation

 
i. Choose Right Website Hosting Provider
As Wikipedia says: A web hosting service is a type of Internet hosting service that allows individuals and organisations to make their website accessible via the World Wide Web. Web hosts are companies that provide space on a server owned or leased for use by clients, as well as providing Internet connectivity, typically in a data centre. Web hosts can also provide data centre space and connectivity to the Internet for other servers located in their data centre, called colocation, also known as Housing in Latin America or France.

 
While choosing web host look for following things:

 
Definite Availability of Services like PHP, Perl, Python, Apache, MySQL, E-Mail host, Domain host, SSD Storage for MySQL Database & website, Dedicated MySQL Resources, Plenty of Bandwidth

 
Optional Services like Git, SVN, WP-CLI, sFTP and SSH access, Automatic Backups, Virus Removal, Google Apps Integration

 
ii. Use a Content Delivery Network i.e. CDN
As Wikipedia Says: A content delivery network or content distribution network (CDN) is a globally distributed network of proxy servers deployed in multiple data centres. The goal of a CDN is to serve content to end-users with high availability and high performance. CDNs serve a large fraction of the Internet content today, including web objects (text, graphics and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social networks.

 
iii. Reduce MySQL Database size
Description & Why you may want to reduce MySQL database size.
The WordPress revisions system stores a record of each saved draft or published update. The revision system allows you to see what changes were made in each revision by dragging a slider (or using the Next/Previous buttons). The display indicates what has changed in each revision – what was added, what remained unchanged, and what was removed. Lines added or removed are highlighted, and individual character changes get additional highlighting.

 
Copy following code in wp-config.php file located in your server root.

 

/* Limit the number of posts revisions that WordPress stores in the database */
define( 'WP_POST_REVISIONS', 3 );

 
Further Reading: How to reduce MySQL Database size by managing WordPress Post Revisions count (WordPress Tip for Optimum Performance)

 
iv. Repair & Optimise MySQL Database
Introduction: As we use & utilise our WordPress website running with MySQL database it gets cluttered & overheads with extra information or data in database tables sometimes it crashes of it’s own burden.

 
Read following post for detailed information about How to repair, optimise MySQL Databases through phpMyAdmin for optimum WordPress Website Performance over the years

 

B. .htaccess related Optimisation Techniques

 
i. Enable Browser Caching
To enable browser caching you need to set expiry dates on certain types of files. Find your .htaccess file in the root of your domain. You can edit the .htaccess file with notepad or any text editor. In this file we will set our caching parameters to tell the browser what types of files to cache over period of time so that page loading time improves by avoiding or keeping certain files & using browser cache from history.

 
Copy following code in .htaccess located in your server root:

 

## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 2 days"
</IfModule>
## EXPIRES CACHING ##

 
ii. Enable HTTP persistent connection (HTTP keep-alive)
As Wikipedia explains:
HTTP persistent connection, also called HTTP keep-alive, or HTTP connection reuse, is the idea of using a single TCP connection to send and receive multiple HTTP requests/responses, as opposed to opening a new connection for every single request/response pair. The newer SPDY protocol uses the same idea and takes it further to allow multiple concurrent requests/responses to be multiplexed over a single connection.

 
Copy following code in .htaccess located in your server root:

 

<ifModule mod_headers.c> Header set Connection keep-alive </ifModule>

 
Further Reading: How to enable HTTP persistent connection or HTTP keep-alive for your website for faster page speed using .htaccess file

 
iii. Enable Gzip Output Compression

 
Introduction

 
As Apache Website Defines: The mod_deflate module provides the DEFLATE output filter that allows output from your server to be compressed before being sent to the client over the network.

 
Copy following code in .htaccess located in your server root:

 

<IfModule mod_deflate.c>
# Insert filters
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE image/svg+xml
 
# Drop problematic browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
 
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>

 
Further Reading: How to enable Gzip Output Compression using Mod Deflate in WordPress for minimising website load time, increase speed & performance, WordPress Performance Tip

 
iv. Disable WordPress Pingbacks & Trackbacks

 
By disabling WordPress Pingbacks & Trackbacks you will reduce SPAM in comments of your WordPress blog

 

#XML RPC Interface for weblog clients, Trackback & Pingback Protection
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>

 
Further Reading: How to disable WordPress Pingbacks & Trackbacks, One of the old Feature & Core Functionality of WordPress, Optimum Performance Tip

 

C. wp-config.php Related Optimisations

 
i. Automate WordPress Website Maintenance
Read this post to learn more about automating tasks such as updates, maintenance. A right way to Automated WordPress Website Maintenance, Here is how I automated my process of WordPress Website maintenance which will require my attention only when I want to write blog post but no extra time & effort to push more buttons elsewhere.

 
ii. Automatically Empty WordPress Trash
Read this post to know How to Automatically Empty WordPress Trash including deleted posts, pages, attachments & comments from the WordPress trash bin? A small tweak for optimum performance & avoiding bloated WordPress installation with useless data.

 
iii. Enable WordPress Automatic Background Updates
Read this post to know How to selectively or totally enable & disable ‘WordPress Automatic Background Updates’ while modifying code in WordPress root wp-config.php file & Your theme’s functions.php file

 

D. WordPress Theme, functions.php related Optimisation

  1. Use a Fast, Optimised WordPress Theme with current WordPress, PHP, MySQL, Apache code standards
  2. Monitor Your Plugins folder deactivate or delete plugin which you don’t want
  3. Install a Cache Plugin
  4. Use Asynchronous JavaScript & other code filetypes e.g Use latest Google Analytics Asynchronous in Header
  5. Make JavaScript and CSS External
  6. Put StyleSheets at top top / above header tag
  7. Put Scripts at the Bottom / above footer tag
  8. Minify and Combine all CSS and Javascript
  9. Totally Avoid Redirects for posts & pages
  10. Minimise HTTP Requests. you can calculate your website’s HTTP requests using plugin such as Pingdom Tools
  11. Optimise Your Images for the Web & Use Sprites for Images
  12. Choose right online Advertisements Service Provider so that you can monetise your website without bandwidth bottlenecks
  13. Consider Not Using Official Social Media Buttons & Widgets as it will add adhoc pressure on your website loading time at visitor’s end.

 

2. Now we will look at how we can maximise security of our WordPress website:

 
i. Use WordPress Salt
Read this post to know What is WordPress Salt? A WordPress Security or Secret Key Generator (WordPress Tip for Optimum Security)

 
ii. Securing WordPress Installation
Read this post to know how to secure WordPress Installation & Boosting WordPress Website Performance with Easy .htaccess Code Settings or hacks (Note: This are the setting – hacks that I deployed on my website too)

 
iii. Install Official Jetpack for WordPress Plugin from Jetpack by WordPress.com
Jetpack simplifies managing WordPress sites by giving you visitor stats, security services, speeding up images, and helping you get more traffic. Jetpack is a free plugin.

 
iv. Install Block Bad Queries (BBQ) pluginBlock
Bad Queries (BBQ) is a simple script that protects your website against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution that works great for sites where .htaccess is not available.

 
v. Install WP-Optimize plugin
WP-Optimize is an extensive WordPress database cleanup and optimisation tool. It doesn’t require PhpMyAdmin to clean and optimise your database tables.

 
Further Reading: Essential Plugins to have in your every new WordPress installation

 
Hope it helps,

 
Thanks & Regards
Mandar Apte

Leave a Reply

Your email address will not be published. Required fields are marked *