The complete guide for maintaining and optimising WordPress websites for optimum performance.


I have been using WordPress for almost more than five years now.

In the post below, I will explain the step-by-step procedure for hardening, securing, and optimising WordPress for best performance and security.

So, First things first,

Introduction to WordPress

What is WordPress? WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. Its features include a plugin architecture and a template system. As of January 2015, over 23.3% of the top 10 million websites used WordPress. WordPress is also the most popular blogging system on the Web, with more than 60 million websites using it.

As we know today, WordPress is offered in two different formats: one is managed and hosted by the team at, and the other is self-hosted by the user using a downloadable installable package available at

Difference between &

The following things differentiate and from each other

1st Difference The user provides the content & website is managed by the team at Content provided by the User & Managed by the user itself.

2nd Difference Hosting, security and backups are managed by the team at You can have two types of domains: or, which offer premium service. Hosting, security, and backups are managed by the user.

3rd Difference or Similarity Custom Themes are supported. Custom Themes are supported.

4th Difference Features like social media sharing, stats, comments, and polls are available without a plugin. You must install the Jetpack plugin for social media sharing, stats, comments, and polls.

5th Difference Premium personal support and the forums are always available. Only support forums are available for assistance.

6th Difference You must register for an account on and abide by our Terms of Service. No registration with is required.

As discussed, if you are using for your website, you can follow these steps to manage WordPress website performance & security on your own:

Assumption: I assume you are skilled at coding and know a little about HTML, CSS, and PHP website coding structure.

Precaution: Back up your MySQL Database & WordPress installable files from your server before moving forward.

Note: All performance, maintenance, and security tips mentioned below will be related to the following items in your WordPress website installations: .htaccess, functions.php, and the wp-config.php file.

What is a .htaccess file?
The .htaccess file is a distributed configuration file that controls how Apache handles configuration changes per directory. WordPress manipulates this file to serve files from its root directory and subdirectories. Most notably, WP modified this file to handle pretty permalinks.

What is wp-config.php?
One of the most critical files in your WordPress installation is the wp-config.php file. This file, located at the root of your WordPress file directory, contains your website’s base configuration details, such as database connection information.

What is a functions.php file?
One way to change WordPress’s default behaviour is to use a file named functions.php. It goes in your Theme’s folder. The functions file behaves like a WordPress Plugin, adding features and functionality to a WordPress site. You can use it to call PHP and built-in WordPress functions and define your functions. You can produce the same results by adding code to a WordPress Plugin or through the WordPress Theme functions file.

We will start optimising our WordPress website for performance:

A. Server, Domain & DNS server-related Optimisation

i. Choose the Right Website Hosting Provider
As Wikipedia says, a web hosting service is a type of Internet hosting service that allows individuals and organisations to make their websites accessible via the World Wide Web. Web hosts provide space on a server owned or leased for clients and Internet connectivity, typically in a data centre. Web hosts can also provide data centre space and connectivity to the Internet for other servers located in their data centre, called colocation, also known as Housing in Latin America or France.

While choosing a web host, look for the following things:

Definite Availability of Services like PHP, Perl, Python, Apache, MySQL, E-Mail host, Domain host, SSD Storage for MySQL Database & website, Dedicated MySQL Resources, Plenty of Bandwidth

Optional Services like Git, SVN, WP-CLI, sFTP and SSH access, Automatic Backups, Virus Removal, Google Apps Integration

ii. Use a Content Delivery Network, i.e. CDN
As Wikipedia Says, A content delivery network or content distribution network (CDN) is a globally distributed network of proxy servers deployed in multiple data centres. The goal of a CDN is to serve content to end-users with high availability and high performance. CDNs serve a significant fraction of the Internet content today, including web objects (text, graphics and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social networks.

iii. Reduce MySQL Database size
Description & Why you may want to reduce MySQL database size.
The WordPress revisions system records each saved draft or published update. You can see changes made in each revision by dragging a slider (or using the Next/Previous buttons). The display indicates what has changed in each revision—what was added, what remained unchanged, and what was removed. Lines added or removed are highlighted, and individual character changes are highlighted.

Copy the following code in the wp-config.php file located in your server root.

/* Limit the number of posts revisions that WordPress stores in the database */
define( 'WP_POST_REVISIONS', 3 );

iv. Repair & Optimise MySQL Database
Introduction: As we use and utilise our WordPress website running with a MySQL database, it gets cluttered and overheads with extra information or data in database tables, and sometimes it crashes due to its burden.

B. .htaccess related Optimisation Techniques

i. Enable Browser Caching
To enable browser caching, you must set expiration dates for certain types of files. Find your .htaccess file in the root of your domain. You can edit the .htaccess file with Notepad or any text editor. In this file, we will set our caching parameters to tell the browser what types of files to cache over a period so that page loading time improves by avoiding or keeping specific files & using browser cache from history.

Copy the following code in .htaccess located in your server root:

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 2 days"

ii. Enable HTTP persistent connection (HTTP keep-alive)
As Wikipedia explains:
HTTP persistent connection, also called HTTP keep-alive or HTTP connection reuse, uses a single TCP connection to send and receive multiple HTTP requests/responses rather than opening a new connection for every request/response pair. The newer SPDY protocol uses the same idea but takes it further by allowing multiple concurrent requests/responses to be multiplexed over a single connection.

Copy the following code in .htaccess located in your server root:

<ifModule mod_headers.c> Header set Connection keep-alive </ifModule>

iii. Enable Gzip Output Compression


As the Apache Website Defines, The mod_deflate module provides the DEFLATE output filter, which allows output from your server to be compressed before being sent to the client over the network.

Copy the following code in .htaccess located in your server root:

<IfModule mod_deflate.c>
# Insert filters
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE image/svg+xml
# Drop problematic browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch bMSI[E] !no-gzip !gzip-only-text/html
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary

iv. Disable WordPress Pingbacks & Trackbacks

By disabling WordPress Pingbacks & Trackbacks, you will reduce SPAM in the comments of your WordPress blog

#XML RPC Interface for weblog clients, Trackback & Pingback Protection
<FilesMatch "^(xmlrpc.php|wp-trackback.php)">
Order Deny,Allow
Deny from all

C. wp-config.php Related Optimisations

i. Automate WordPress Website Maintenance

ii. Automatically Empty WordPress Trash

iii. Enable WordPress Automatic Background Updates

D. WordPress Theme, functions.php related Optimisation

  1. Use a Fast, Optimised WordPress Theme with current WordPress, PHP, MySQL, and Apache code standards.
  2. Monitor Your Plugins folder. Deactivate or delete plugins that you don’t want.
  3. Install a Cache Plugin
  4. Use Asynchronous JavaScript & other code filetypes, e.g. Use the latest Google Analytics Asynchronous in Header.
  5. Make JavaScript and CSS External
  6. Put StyleSheets at the top/above the header tag
  7. Put Scripts at the Bottom / above footer tag
  8. Minify and Combine all CSS and Javascript
  9. Avoid Redirects for posts & pages
  10. Minimise HTTP Requests. Using plugins such as Pingdom Tools, you can calculate your website’s HTTP requests.
  11. Optimise Your Images for the Web & Use Sprites for Images
  12. Choose the right Online Advertisements Service Provider so that you can monetise your website without bandwidth bottlenecks
  13. Consider Not Using Official Social Media Buttons & Widgets as it will add ad-hoc pressure on your website loading time at the visitor’s end.

2. Now we will look at how we can maximise the security of our WordPress website:

i. Use WordPress Salt

ii. Securing WordPress Installation

iii. Install Official Jetpack for WordPress Plugin from Jetpack by
Jetpack simplifies managing WordPress sites by giving you visitor stats and security services, speeding up images, and helping you get more traffic. Jetpack is a free plugin.

iv. Install Block Bad Queries (BBQ) plugin
Bad Queries (BBQ) is a simple script that protects your website against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request strings. This is a simple yet solid solution that works great for sites where .htaccess is not available.

v. Install the WP-Optimize plugin
WP-Optimize is an extensive WordPress database cleanup and optimisation tool. It doesn’t require PhpMyAdmin to clean and optimise your database tables.

Further Reading:

Hope it helps,

Thanks & Regards
Mandar Apte

Published by Mandar Apte

Mandar is a Mumbai-based multi-disciplinary designer with UX/UI, Logo, Symbol, and Brand Identity design expertise. He currently runs his Mudrkashar Linguistic Apple iPhone, iPad, and Mac app business in the heart of Mumbai city.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.