Introduction
I have been using WordPress for almost more than 5 years now.
I will explain in below post step by step procedure to harden, secure & optimise WordPress for best performance & security.
So First thing first,
Introduction to WordPress
What is WordPress: WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. Features include a plugin architecture and a template system. WordPress was used by more than 23.3% of the top 10 million websites as of January 2015. WordPress is the most popular blogging system in use on the Web at more than 60 million websites.
As we know of today WordPress is offered in two different formats, One is managed & hosted by team at WordPress.com & second as self hosted by user using downloadable installable package available at WordPress.org.
Difference between WordPress.com & WordPress.org
Following things really differentiate WordPress.com and WordPress.org from each other
1st Difference
WordPress.com: User provides the content & website is managed by team at WordPress.com
WordPress.org: Content provided by User & Managed by User itself
2nd Difference
WordPress.com: Hosting, security and backups are managed by team at wordpress.com. You can have two types of domains like mandarapte.wordpress.com or mandarapte.com with premium service
WordPress.org: Hosting, security, backups are managed by user.
3rd Difference or Similarity
WordPress.com: Custom Themes are supported
WordPress.org: Custom Themes are supported
4th Difference
WordPress.com: Features like social media sharing, stats, comments, and polls are available without plugin
WordPress.org: For social media sharing, stats, comments, and polls you have to install jetpack plugin
5th Difference
WordPress.com: Premium personal support and the WordPress.com forums are always available.
WordPress.org: Only WordPress.org support forums are available for assistance.
6th Difference
WordPress.com: You must register for an account on WordPress.com and abide by our Terms of Service.
WordPress.org: No registration with WordPress.org is required.
As discussed if you are using WordPress.org for your website you can follow this steps to manage WordPress website performance & security on your own:
Assumption: I assume that you are good with coding skills & you know little bit of HTML, CSS, PHP website coding structure.
Precaution: Before moving forward backup your MySQL Database & WordPress installable files from your server.
Note: All below mentioned performance, maintenance & security tips will be either related to following three types of items of your WordPress website installations. Those are .htaccess, functions.php & wp-config.php file.
What is .htaccess file?
The .htaccess is a distributed configuration file, and is how Apache handles configuration changes on a per-directory basis. WordPress uses this file to manipulate how Apache serves files from its root directory, and subdirectories thereof. Most notably, WP modifies this file to be able to handle pretty permalink.
What is wp-config.php?
One of the most important files in your WordPress installation is the wp-config.php file. This file is located in the root of your WordPress file directory and contains your website’s base configuration details, such as database connection information.
What is functions.php file?
One way to change the default behaviours of WordPress is using a file named functions.php. It goes in your Theme’s folder. The functions file behaves like a WordPress Plugin, adding features and functionality to a WordPress site. You can use it to call functions, both PHP and built-in WordPress, and to define your own functions. You can produce the same results by adding code to a WordPress Plugin or through the WordPress Theme functions file.
1. So we will start optimise our WordPress website for performance with following maintenance & optimisation tricks:
A. Server, Domain & DNS server related Optimisation
i. Choose Right Website Hosting Provider
As Wikipedia says: A web hosting service is a type of Internet hosting service that allows individuals and organisations to make their website accessible via the World Wide Web. Web hosts are companies that provide space on a server owned or leased for use by clients, as well as providing Internet connectivity, typically in a data centre. Web hosts can also provide data centre space and connectivity to the Internet for other servers located in their data centre, called colocation, also known as Housing in Latin America or France.
While choosing web host look for following things:
Definite Availability of Services like PHP, Perl, Python, Apache, MySQL, E-Mail host, Domain host, SSD Storage for MySQL Database & website, Dedicated MySQL Resources, Plenty of Bandwidth
Optional Services like Git, SVN, WP-CLI, sFTP and SSH access, Automatic Backups, Virus Removal, Google Apps Integration
ii. Use a Content Delivery Network i.e. CDN
As Wikipedia Says: A content delivery network or content distribution network (CDN) is a globally distributed network of proxy servers deployed in multiple data centres. The goal of a CDN is to serve content to end-users with high availability and high performance. CDNs serve a large fraction of the Internet content today, including web objects (text, graphics and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social networks.
iii. Reduce MySQL Database size
Description & Why you may want to reduce MySQL database size.
The WordPress revisions system stores a record of each saved draft or published update. The revision system allows you to see what changes were made in each revision by dragging a slider (or using the Next/Previous buttons). The display indicates what has changed in each revision – what was added, what remained unchanged, and what was removed. Lines added or removed are highlighted, and individual character changes get additional highlighting.
Copy following code in wp-config.php file located in your server root.
/* Limit the number of posts revisions that WordPress stores in the database */ define( 'WP_POST_REVISIONS', 3 );
iv. Repair & Optimise MySQL Database
Introduction: As we use & utilise our WordPress website running with MySQL database it gets cluttered & overheads with extra information or data in database tables sometimes it crashes of it’s own burden.
B. .htaccess related Optimisation Techniques
i. Enable Browser Caching
To enable browser caching you need to set expiry dates on certain types of files. Find your .htaccess file in the root of your domain. You can edit the .htaccess file with notepad or any text editor. In this file we will set our caching parameters to tell the browser what types of files to cache over period of time so that page loading time improves by avoiding or keeping certain files & using browser cache from history.
Copy following code in .htaccess located in your server root:
## EXPIRES CACHING ## <IfModule mod_expires.c> ExpiresActive On ExpiresByType image/jpg "access plus 1 year" ExpiresByType image/jpeg "access plus 1 year" ExpiresByType image/gif "access plus 1 year" ExpiresByType image/png "access plus 1 year" ExpiresByType text/css "access plus 1 month" ExpiresByType application/pdf "access plus 1 month" ExpiresByType text/x-javascript "access plus 1 month" ExpiresByType application/x-shockwave-flash "access plus 1 month" ExpiresByType image/x-icon "access plus 1 year" ExpiresDefault "access plus 2 days" </IfModule> ## EXPIRES CACHING ##
ii. Enable HTTP persistent connection (HTTP keep-alive)
As Wikipedia explains:
HTTP persistent connection, also called HTTP keep-alive, or HTTP connection reuse, is the idea of using a single TCP connection to send and receive multiple HTTP requests/responses, as opposed to opening a new connection for every single request/response pair. The newer SPDY protocol uses the same idea and takes it further to allow multiple concurrent requests/responses to be multiplexed over a single connection.
Copy following code in .htaccess located in your server root:
<ifModule mod_headers.c> Header set Connection keep-alive </ifModule>
iii. Enable Gzip Output Compression
Introduction
As Apache Website Defines: The mod_deflate module provides the DEFLATE output filter that allows output from your server to be compressed before being sent to the client over the network.
Copy following code in .htaccess located in your server root:
<IfModule mod_deflate.c> # Insert filters AddOutputFilterByType DEFLATE text/plain AddOutputFilterByType DEFLATE text/html AddOutputFilterByType DEFLATE text/xml AddOutputFilterByType DEFLATE text/css AddOutputFilterByType DEFLATE application/xml AddOutputFilterByType DEFLATE application/xhtml+xml AddOutputFilterByType DEFLATE application/rss+xml AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE application/x-javascript AddOutputFilterByType DEFLATE application/x-httpd-php AddOutputFilterByType DEFLATE application/x-httpd-fastphp AddOutputFilterByType DEFLATE image/svg+xml # Drop problematic browsers BrowserMatch ^Mozilla/4 gzip-only-text/html BrowserMatch ^Mozilla/4\.0[678] no-gzip BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html # Make sure proxies don't deliver the wrong content Header append Vary User-Agent env=!dont-vary </IfModule>
iv. Disable WordPress Pingbacks & Trackbacks
By disabling WordPress Pingbacks & Trackbacks you will reduce SPAM in comments of your WordPress blog
#XML RPC Interface for weblog clients, Trackback & Pingback Protection <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)"> Order Deny,Allow Deny from all </FilesMatch>
C. wp-config.php Related Optimisations
i. Automate WordPress Website Maintenance
Read this post to learn more about automating tasks such as updates, maintenance. A right way to Automated WordPress Website Maintenance, Here is how I automated my process of WordPress Website maintenance which will require my attention only when I want to write blog post but no extra time & effort to push more buttons elsewhere.
ii. Automatically Empty WordPress Trash
Read this post to know How to Automatically Empty WordPress Trash including deleted posts, pages, attachments & comments from the WordPress trash bin? A small tweak for optimum performance & avoiding bloated WordPress installation with useless data.
iii. Enable WordPress Automatic Background Updates
Read this post to know How to selectively or totally enable & disable ‘WordPress Automatic Background Updates’ while modifying code in WordPress root wp-config.php file & Your theme’s functions.php file
D. WordPress Theme, functions.php related Optimisation
- Use a Fast, Optimised WordPress Theme with current WordPress, PHP, MySQL, Apache code standards
- Monitor Your Plugins folder deactivate or delete plugin which you don’t want
- Install a Cache Plugin
- Use Asynchronous JavaScript & other code filetypes e.g Use latest Google Analytics Asynchronous in Header
- Make JavaScript and CSS External
- Put StyleSheets at top top / above header tag
- Put Scripts at the Bottom / above footer tag
- Minify and Combine all CSS and Javascript
- Totally Avoid Redirects for posts & pages
- Minimise HTTP Requests. you can calculate your website’s HTTP requests using plugin such as Pingdom Tools
- Optimise Your Images for the Web & Use Sprites for Images
- Choose right online Advertisements Service Provider so that you can monetise your website without bandwidth bottlenecks
- Consider Not Using Official Social Media Buttons & Widgets as it will add adhoc pressure on your website loading time at visitor’s end.
- Use a Fast, Optimised WordPress Theme with current WordPress, PHP, MySQL, Apache code standards
- Monitor Your Plugins folder deactivate or delete plugin which you don’t want
- Install a Cache Plugin
- Use Asynchronous JavaScript & other code filetypes e.g Use latest Google Analytics Asynchronous in Header
- Make JavaScript and CSS External
- Put StyleSheets at top top / above header tag
- Put Scripts at the Bottom / above footer tag
- Minify and Combine all CSS and Javascript
- Totally Avoid Redirects for posts & pages
- Minimise HTTP Requests. you can calculate your website’s HTTP requests using plugin such as Pingdom Tools
- Optimise Your Images for the Web & Use Sprites for Images
- Choose right online Advertisements Service Provider so that you can monetise your website without bandwidth bottlenecks
- Consider Not Using Official Social Media Buttons & Widgets as it will add adhoc pressure on your website loading time at visitor’s end.
2. Now we will look at how we can maximise security of our WordPress website:
i. Use WordPress Salt
Read this post to know What is WordPress Salt? A WordPress Security or Secret Key Generator (WordPress Tip for Optimum Security)
ii. Securing WordPress Installation
Read this post to know how to secure WordPress Installation & Boosting WordPress Website Performance with Easy .htaccess Code Settings or hacks (Note: This are the setting – hacks that I deployed on my website too)
iii. Install Official Jetpack for WordPress Plugin from Jetpack by WordPress.com
Jetpack simplifies managing WordPress sites by giving you visitor stats, security services, speeding up images, and helping you get more traffic. Jetpack is a free plugin.
iv. Install Block Bad Queries (BBQ) pluginBlock
Bad Queries (BBQ) is a simple script that protects your website against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution that works great for sites where .htaccess is not available.
v. Install WP-Optimize plugin
WP-Optimize is an extensive WordPress database cleanup and optimisation tool. It doesn’t require PhpMyAdmin to clean and optimise your database tables.
Further Reading: Essential Plugins to have in your every new WordPress installation
Hope it helps,
Thanks & Regards
Mandar Apte