Complete guide for maintaining, optimising WordPress websites for optimum performance, maximum speed for loading webpages, maximum security for preventing website hacking & highjacking by intruders


I have been using WordPress for almost more than 5 years now.

I will explain in below post step by step procedure to harden, secure & optimise WordPress for best performance & security.

So First thing first,


Introduction to WordPress

What is WordPress: WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. Features include a plugin architecture and a template system. WordPress was used by more than 23.3% of the top 10 million websites as of January 2015. WordPress is the most popular blogging system in use on the Web at more than 60 million websites.

As we know of today WordPress is offered in two different formats, One is managed & hosted by team at & second as self hosted by user using downloadable installable package available at


Difference between &

Following things really differentiate and from each other

1st Difference User provides the content & website is managed by team at Content provided by User & Managed by User itself

2nd Difference Hosting, security and backups are managed by team at You can have two types of domains like or with premium service Hosting, security, backups are managed by user.

3rd Difference or Similarity Custom Themes are supported Custom Themes are supported

4th Difference Features like social media sharing, stats, comments, and polls are available without plugin For social media sharing, stats, comments, and polls you have to install jetpack plugin

5th Difference Premium personal support and the forums are always available. Only support forums are available for assistance.

6th Difference You must register for an account on and abide by our Terms of Service. No registration with is required.

As discussed if you are using for your website you can follow this steps to manage WordPress website performance & security on your own:


Assumption: I assume that you are good with coding skills & you know little bit of HTML, CSS, PHP website coding structure.


Precaution: Before moving forward backup your MySQL Database & WordPress installable files from your server.


Note: All below mentioned performance, maintenance & security tips will be either related to following three types of items of your WordPress website installations. Those are .htaccess, functions.php & wp-config.php file.

What is .htaccess file?
The .htaccess is a distributed configuration file, and is how Apache handles configuration changes on a per-directory basis. WordPress uses this file to manipulate how Apache serves files from its root directory, and subdirectories thereof. Most notably, WP modifies this file to be able to handle pretty permalink.

What is wp-config.php?
One of the most important files in your WordPress installation is the wp-config.php file. This file is located in the root of your WordPress file directory and contains your website’s base configuration details, such as database connection information.

What is functions.php file?
One way to change the default behaviours of WordPress is using a file named functions.php. It goes in your Theme’s folder. The functions file behaves like a WordPress Plugin, adding features and functionality to a WordPress site. You can use it to call functions, both PHP and built-in WordPress, and to define your own functions. You can produce the same results by adding code to a WordPress Plugin or through the WordPress Theme functions file.


1. So we will start optimise our WordPress website for performance with following maintenance & optimisation tricks:


A. Server, Domain & DNS server related Optimisation

i. Choose Right Website Hosting Provider
As Wikipedia says: A web hosting service is a type of Internet hosting service that allows individuals and organisations to make their website accessible via the World Wide Web. Web hosts are companies that provide space on a server owned or leased for use by clients, as well as providing Internet connectivity, typically in a data centre. Web hosts can also provide data centre space and connectivity to the Internet for other servers located in their data centre, called colocation, also known as Housing in Latin America or France.

While choosing web host look for following things:

Definite Availability of Services like PHP, Perl, Python, Apache, MySQL, E-Mail host, Domain host, SSD Storage for MySQL Database & website, Dedicated MySQL Resources, Plenty of Bandwidth

Optional Services like Git, SVN, WP-CLI, sFTP and SSH access, Automatic Backups, Virus Removal, Google Apps Integration

ii. Use a Content Delivery Network i.e. CDN
As Wikipedia Says: A content delivery network or content distribution network (CDN) is a globally distributed network of proxy servers deployed in multiple data centres. The goal of a CDN is to serve content to end-users with high availability and high performance. CDNs serve a large fraction of the Internet content today, including web objects (text, graphics and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social networks.

iii. Reduce MySQL Database size
Description & Why you may want to reduce MySQL database size.
The WordPress revisions system stores a record of each saved draft or published update. The revision system allows you to see what changes were made in each revision by dragging a slider (or using the Next/Previous buttons). The display indicates what has changed in each revision – what was added, what remained unchanged, and what was removed. Lines added or removed are highlighted, and individual character changes get additional highlighting.

Copy following code in wp-config.php file located in your server root.


/* Limit the number of posts revisions that WordPress stores in the database */
define( 'WP_POST_REVISIONS', 3 );

Further Reading: How to reduce MySQL Database size by managing WordPress Post Revisions count (WordPress Tip for Optimum Performance)

iv. Repair & Optimise MySQL Database
Introduction: As we use & utilise our WordPress website running with MySQL database it gets cluttered & overheads with extra information or data in database tables sometimes it crashes of it’s own burden.

Read following post for detailed information about How to repair, optimise MySQL Databases through phpMyAdmin for optimum WordPress Website Performance over the years


B. .htaccess related Optimisation Techniques

i. Enable Browser Caching
To enable browser caching you need to set expiry dates on certain types of files. Find your .htaccess file in the root of your domain. You can edit the .htaccess file with notepad or any text editor. In this file we will set our caching parameters to tell the browser what types of files to cache over period of time so that page loading time improves by avoiding or keeping certain files & using browser cache from history.

Copy following code in .htaccess located in your server root:


<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 2 days"

ii. Enable HTTP persistent connection (HTTP keep-alive)
As Wikipedia explains:
HTTP persistent connection, also called HTTP keep-alive, or HTTP connection reuse, is the idea of using a single TCP connection to send and receive multiple HTTP requests/responses, as opposed to opening a new connection for every single request/response pair. The newer SPDY protocol uses the same idea and takes it further to allow multiple concurrent requests/responses to be multiplexed over a single connection.

Copy following code in .htaccess located in your server root:


<ifModule mod_headers.c> Header set Connection keep-alive </ifModule>

Further Reading: How to enable HTTP persistent connection or HTTP keep-alive for your website for faster page speed using .htaccess file

iii. Enable Gzip Output Compression


As Apache Website Defines: The mod_deflate module provides the DEFLATE output filter that allows output from your server to be compressed before being sent to the client over the network.

Copy following code in .htaccess located in your server root:


<IfModule mod_deflate.c>
# Insert filters
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE image/svg+xml
# Drop problematic browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary

Further Reading: How to enable Gzip Output Compression using Mod Deflate in WordPress for minimising website load time, increase speed & performance, WordPress Performance Tip

iv. Disable WordPress Pingbacks & Trackbacks

By disabling WordPress Pingbacks & Trackbacks you will reduce SPAM in comments of your WordPress blog


#XML RPC Interface for weblog clients, Trackback & Pingback Protection
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all

Further Reading: How to disable WordPress Pingbacks & Trackbacks, One of the old Feature & Core Functionality of WordPress, Optimum Performance Tip


C. wp-config.php Related Optimisations

i. Automate WordPress Website Maintenance
Read this post to learn more about automating tasks such as updates, maintenance. A right way to Automated WordPress Website Maintenance, Here is how I automated my process of WordPress Website maintenance which will require my attention only when I want to write blog post but no extra time & effort to push more buttons elsewhere.

ii. Automatically Empty WordPress Trash
Read this post to know How to Automatically Empty WordPress Trash including deleted posts, pages, attachments & comments from the WordPress trash bin? A small tweak for optimum performance & avoiding bloated WordPress installation with useless data.

iii. Enable WordPress Automatic Background Updates
Read this post to know How to selectively or totally enable & disable ‘WordPress Automatic Background Updates’ while modifying code in WordPress root wp-config.php file & Your theme’s functions.php file


D. WordPress Theme, functions.php related Optimisation

  1. Use a Fast, Optimised WordPress Theme with current WordPress, PHP, MySQL, Apache code standards
  2. Monitor Your Plugins folder deactivate or delete plugin which you don’t want
  3. Install a Cache Plugin
  4. Use Asynchronous JavaScript & other code filetypes e.g Use latest Google Analytics Asynchronous in Header
  5. Make JavaScript and CSS External
  6. Put StyleSheets at top top / above header tag
  7. Put Scripts at the Bottom / above footer tag
  8. Minify and Combine all CSS and Javascript
  9. Totally Avoid Redirects for posts & pages
  10. Minimise HTTP Requests. you can calculate your website’s HTTP requests using plugin such as Pingdom Tools
  11. Optimise Your Images for the Web & Use Sprites for Images
  12. Choose right online Advertisements Service Provider so that you can monetise your website without bandwidth bottlenecks
  13. Consider Not Using Official Social Media Buttons & Widgets as it will add adhoc pressure on your website loading time at visitor’s end.


2. Now we will look at how we can maximise security of our WordPress website:

i. Use WordPress Salt
Read this post to know What is WordPress Salt? A WordPress Security or Secret Key Generator (WordPress Tip for Optimum Security)

ii. Securing WordPress Installation
Read this post to know how to secure WordPress Installation & Boosting WordPress Website Performance with Easy .htaccess Code Settings or hacks (Note: This are the setting – hacks that I deployed on my website too)

iii. Install Official Jetpack for WordPress Plugin from Jetpack by
Jetpack simplifies managing WordPress sites by giving you visitor stats, security services, speeding up images, and helping you get more traffic. Jetpack is a free plugin.

iv. Install Block Bad Queries (BBQ) pluginBlock
Bad Queries (BBQ) is a simple script that protects your website against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution that works great for sites where .htaccess is not available.

v. Install WP-Optimize plugin
WP-Optimize is an extensive WordPress database cleanup and optimisation tool. It doesn’t require PhpMyAdmin to clean and optimise your database tables.

Further Reading: Essential Plugins to have in your every new WordPress installation

Hope it helps,

Thanks & Regards
Mandar Apte

Published by Mandar Apte

Mandar is a Mumbai-based multi-disciplinary designer with UX/UI, Logo, Symbol, and Brand Identity design expertise. He currently runs his Mudrkashar Linguistic Apple iPhone, iPad, and Mac app business in the heart of Mumbai city.

Leave a comment

Leave a Reply