It takes two easy steps to install WordPress but you should tweak some of the default settings to further optimize the performance and also improve the security of your WordPress website.
Optimize your WordPress Installation
These suggestions are only applicable to self-hosted WordPress.org sites and not WordPress.com blogs. Also, I assume that you are running WordPress on Apache under Linux. Let’s get started:
1. Move out the media upload folder
WordPress store all your uploaded images and files in the wp-content/uploads folder. You should however move this folder outside the main WordPress folder, preferably on a sub-domain. Thus your WordPress backups will be more manageable (the uploaded files and themes can be backed up separately) and, most important, serving images from a different domain will allow parallel downloads in the browser improving the page loading time.
Open your wp-config.php file and add the following lines to change the location of the wp-content folder. You may also deselect the option – “Organize my uploads into month- and year-based folders.”
2. Remove unnecessary meta tags from WordPress header
If you look at the HTML source code of your WordPress site, you will find a couple of meta tags in the header that aren’t really required. For instance, the version of WordPress software running on your server can be easily retrieved by looking at your source header.
This information is a good hint to WordPress hackers who are looking to target blogs that are using the older and less secure versions of WordPress software. To completely remove the version number and other non-essential meta-data from your WordPress header, add this snippet to the functions.php file found in your WordPress themes folder.
3. Prevent people from browsing your folders
Since you would not like anyone to browse your WordPress files and folders using the explorer view in web browsers, add the following line to your .htaccess file that exists in your WordPress installation directory.
Also make sure that there’s a blank index.php in the wp-content/themes and wp-content/plugins folder of your WordPress directory.
4. Disable HTML in WordPress comments
The comment box in WordPress allows commenters to use HTML tags and they can even add hyperlinks in their comment. The comments have rel=nofollow but if you would like to completely disallow HTML in WordPress comments, add this snippet to your functions.php file.
5. Turn off Post Revisions in WordPress
WordPress includes a helpful document revisions feature to help you track changes to post edits and you can also revert to any previous version of your blog posts. Post revisions do however increase the size of your WordPress wp_posts table as each revision means an additional row.
To disable post revisions in WordPress, open the wp-config.php file in your WordPress directory and add the following line:
Alternatively, if you would like to retain the Post Revisions functionality, you may just limit the number of posts revisions that WordPress stores in the MySQL database. Add this line to the wp-config file to only store the recent 3 edits.
6. Change the Post Auto-Save Interval
When you are editing a blog post inside the WordPress editor, it will auto-save your drafts as-you-type and this will help in recovering your work in case the browser crashes. The drafts are saved every minute but you can change the default duration to say 120 seconds (or 2 minutes) by adding a line to your wp-config.php file.
7. Hide the non-essential WordPress RSS Feeds
Your WordPress installation generates multiple RSS Feeds – the blog feed, article feeds, comments feed, category feeds, archive feeds, etc. – and these are auto-discoverable as they are included in the HTML header of your blog pages using the <link> meta tag. If you just want to publicize your main RSS feed and remove the other feeds from the
, add a line to your functions.php file:
8. Maintain a Single RSS Feed, Redirect Others
In the previous step, we simply removed the RSS feeds from printing inside the site header but the RSS feeds still exist. If you would like to have only one RSS feed served through FeedBurner and disable all the other feeds, add this to your .htaccess file. Do remember to replace the feed URL with your own.
9. Disable WordPress Login Hints
When you type a non-existent username or an incorrect password while logging into WordPress, it will provide a very detailed error message telling you exactly whether your username is wrong or the password doesn’t match. That could offer an hint to people who are trying to break into your WordPress blog but, fortunately, we can disable the login warnings.
10. Enable 2-factor Authentication
This is highly recommended. If someone gets hold of your WordPress credentials, they will still need your mobile phone to get into your WordPress dashboard.
Unlike Dropbox or Google, 2-step authentication isn’t part of WordPress but you can always use the Authy plugin to enable 2-factor authentication.
11. Change the Permalink Structure
Do not use the default Permalink structure of WordPress since it is bad for SEO. Go to Options -> Permalinks inside your WordPress dashboard and change your WordPress Permalink structure to something like:
12. Add Favicon and Touch Icons
Your WordPress theme may not even include references to the favicon (favicon.ico) or the Apple touch icons but web browsers and feed readers may still request them from your server. It’s always better to serve a file than returning a 404.
First, create a 16×16 favicon.ico and a 144×144 apple-touch.png file and upload them to the home directory of your blog. Then add this line to your .htaccess to redirect all apple touch icon requests to that particular file.
13. Disallow Indexing of WordPress scripts
You want Google and other search engines to crawl and index your blog pages but not the various PHP files of your WordPress installation. Open the robots.txt file in your WordPress home directory and add these lines to block the bots from indexing the backend stuff of WordPress.
14. Make the Admin a Subscriber
If your WordPress username is “admin,” create a new user and grant them administrator privileges. Now logout out of WordPress, log in as the new user and change the privilege of the user “admin” from Administrator to Subscriber.
You may even consider deleting the user “admin” and transfer any existing posts /pages to the new user. This is important for security reasons because you don’t want anyone to guess the username that has administrator privileges to your WordPress installation.
15. Hide XML Sitemaps from Search Engines
XML Sitemaps will help search engines better crawl your site but you don’t want search engines to actually show your sitemap in search results pages. Add this to your .htaccess to prevent indexing of XML sitemaps.
16. Do Not Use WordPress search
Make sure your site search is powered by Google Custom Search and do not use the built-in search feature of WordPress. WordPress search returns less relevant results and the other advantage is that it will reduce strain on your WordPress server /database since the search queries will be handled through Google.
Alternatively, if you plan to continue with WordPress built-in search, use the Nice Search plugin. It creates better permalinks for your WordPress search pages (/search/tutorials vs /?s=tutorials).
17. Password Protect the wp-admin Directory
You can easily add another layer of security to your WordPress installation by password protecting the wp-admin directory. You’ll however have to remember two sets of credentials for logging into WordPress – your WordPress password and the password that is protecting the wp-admin directory.
18. Log 404 Errors in Google Analytics
404 errors are a missed opportunity. You can use events in Google Analytics to log your 404 errors including details about the referring site that is pointing to that 404 page of your site. Add this snippet in your 404.php file.
19. Delete Unused Themes & WordPress plugins
The unused plugins and themes won’t affect the performance of your WordPress website but the aim should be to have as little executable code as possible on our server. Thus deactivate and delete the stuff that you no longer need.
20. Stop WordPress from Guessing URLs
WordPress has a strange habit of guessing URLs and it does make mistakes in most cases. Let me explain. If a user request labnol.org/hello URL but if that page doesn’t exist, WordPress may redirect that user to labnol.org/hello-world just because the URLs have some common words.
If you would like WordPress to stop guessing URLs and instead issue a 404 Not Found error for missing pages, put this snippet in the functions.php file:
21. Set Expiry Headers for Static Content
Refer to the HTML5 Boilerplate for details on setting up expiry and compression headers for performance. If you are using a caching plugin like W3 Total Cache, the cache control is managed by the plugin itself.
23. Improve WordPress Security
I have discussed WordPress security in detail earlier. The gist is that you should add secret keys to your wp_config.php file, install a file monitoring plugin (like Sucuri or WordFence), change the WordPress table prefix and also limit login attempts to prevent brute force attacks.
24. Disable File Editing inside WordPress
When you are logged into your WordPress dashboard as an admin, you can easily edit any of the PHP files associated with your WordPress plugins and themes. If you would like to remove the file editing functionality (one missing semicolon can take down your WordPress site), add this line to your wp-config.php file:
25. Remove extra Query Parameters from URLs
If the web address of your WordPress site is abc.com, people can still reach your site if they add a few query parameters to the URL. For instance, abc.com/?utm=ga or abc.com/?ref=feedly are, technically speaking, completely different URLs but will work just fine.
This is bad because it dilutes your link equity (SEO) and, in an ideal situation, you would like all URLs to point to the canonical version. Add this little snippet to your .htaccess file and it will strip the unnecessary query parameters from all incoming requests.
26. Remove the Admin Bar
This is an annoying feature of WordPress – it adds an admin bar on top of all pages and that is visible to all users who are logged into their WordPress.com accounts. This can however be removed by adding a line to your functions.php file.
27. Deal with Ad Blockers
Some of your blog readers may be using ad-blocking software to block ad serving from your site. You can serve alternate content like a list of your popular WordPress posts or embed a YouTube video instead.
28. Add Branding to your RSS Feed
You can easily add your brand logo to all articles in the RSS feed. And since these are served from your server, you can serve a different image for sites that are plagairising your content by republishing your feed. Add this to your functions.php file.
29. Install the Essential Plugins
Here’s a comprehensive list of WordPress plugins that I use and recommend.
30. Stay logged in for a longer period
If you check the “Remember Me” option, WordPress will keep you logged in for 2 week. If you are only logging into WordPress from a personal computer, you can easily extend the expiry date of the authorization login cookie by adding this to your functions.php file.
Also see: Linux Commands for WordPress
The story, Things You Should Do After Installing WordPress, was originally published at Digital Inspiration by Amit Agarwal on 23/12/2014 under WordPress, Internet.