You can install WordPress in 2 easy steps but it is recommended that you tweak some of the default settings to optimize the performance and also improve the security of your WordPress website.

Wordpress Optimization Guide

Optimize your WordPress Installation

These suggestions are only applicable to self-hosted WordPress.org sites and not WordPress.com blogs. Also, I assume that you are running WordPress on Apache under Linux. The guide is now updated for WordPress 4.2. Let’s get started:

1. Move out the media upload folder

WordPress store all your uploaded images and files in the wp-content/uploads folder. You should however move this folder outside the main WordPress folder, preferably on a sub-domain. Thus your WordPress backups will be more manageable (the uploaded files and themes can be backed up separately) and, most important, serving images from a different domain will allow parallel downloads in the browser improving the page loading time.

Open your wp-config.php file and add the following lines to change the location of the wp-content folder. You may also deselect the option – “Organize my uploads into month- and year-based folders.”

define( 'WP_CONTENT_URL', 'http://files.domain.com/media' );
define( 'WP_CONTENT_DIR', $_SERVER['HOME'] . '/files.domain.com/media' );

2. Remove unnecessary meta tags from WordPress header

If you look at the HTML source code of your WordPress site, you will find a couple of meta tags in the header that aren’t really required. For instance, the version of WordPress software running on your server can be easily retrieved by looking at your source header.

<meta name="generator" content="WordPress 4.1" />

This information is a good hint to WordPress hackers who are looking to target blogs that are using the older and less secure versions of WordPress software. To completely remove the version number and other non-essential meta-data from your WordPress header, add this snippet to the functions.php file found in your WordPress themes folder.

  remove_action( 'wp_head', 'wp_generator' ) ;
  remove_action( 'wp_head', 'wlwmanifest_link' ) ;
  remove_action( 'wp_head', 'rsd_link' ) ;

3. Prevent people from browsing your folders

Since you would not like anyone to browse your WordPress files and folders using the explorer view in web browsers, add the following line to your .htaccess file that exists in your WordPress installation directory.

Options All -Indexes

Also make sure that there’s a blank index.php in the wp-content/themes and wp-content/plugins folder of your WordPress directory.

4. Disable HTML in WordPress comments

The comment box in WordPress allows commenters to use HTML tags and they can even add hyperlinks in their comment. The comments have rel=nofollow but if you would like to completely disallow HTML in WordPress comments, add this snippet to your functions.php file.

add_filter( 'pre_comment_content', 'esc_html' );

Update: Replaced wp_specialchars with esc_html as the former is deprecated since WordPress 2.8+

5. Turn off Post Revisions in WordPress

WordPress includes a helpful document revisions feature to help you track changes to post edits and you can also revert to any previous version of your blog posts. Post revisions do however increase the size of your WordPress wp_posts table as each revision means an additional row.

To disable post revisions in WordPress, open the wp-config.php file in your WordPress directory and add the following line:

define( 'WP_POST_REVISIONS', false);

Alternatively, if you would like to retain the Post Revisions functionality, you may just limit the number of posts revisions that WordPress stores in the MySQL database. Add this line to the wp-config file to only store the recent 3 edits.

define( 'WP_POST_REVISIONS', 3);

6. Change the Post Auto-Save Interval

When you are editing a blog post inside the WordPress editor, it will auto-save your drafts as-you-type and this will help in recovering your work in case the browser crashes. The drafts are saved every minute but you can change the default duration to say 120 seconds (or 2 minutes) by adding a line to your wp-config.php file.

define( 'AUTOSAVE_INTERVAL', 120 );

7. Hide the non-essential WordPress RSS Feeds

Your WordPress installation generates multiple RSS Feeds – the blog feed, article feeds, comments feed, category feeds, archive feeds, etc. – and these are auto-discoverable as they are included in the HTML header of your blog pages using the <link> meta tag. If you just want to publicize your main RSS feed and remove the other feeds from the , add a line to your functions.php file:

remove_action( 'wp_head', 'feed_links', 2 );
remove_action( 'wp_head', 'feed_links_extra', 3 );

8. Maintain a Single RSS Feed, Redirect Others

In the previous step, we simply removed the RSS feeds from printing inside the site header but the RSS feeds still exist. If you would like to have only one RSS feed served through FeedBurner and disable all the other feeds, add this to your .htaccess file. Do remember to replace the feed URL with your own.

<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{HTTP_USER_AGENT} !^.*(FeedBurner|FeedValidator) [NC]
 RewriteRule ^feed/?.*$ http://feeds.labnol.org/labnol [L,NC,R=301]
</IfModule>

9. Disable WordPress Login Hints

When you type a non-existent username or an incorrect password while logging into WordPress, it will provide a very detailed error message telling you exactly whether your username is wrong or the password doesn’t match. That could offer an hint to people who are trying to break into your WordPress blog but, fortunately, we can disable the login warnings.

function no_wordpress_errors(){
  return 'GET OFF MY LAWN !! RIGHT NOW !!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

10. Enable 2-factor Authentication

This is highly recommended. If someone gets hold of your WordPress credentials, they will still need your mobile phone to get into your WordPress dashboard.

Unlike Dropbox or Google, 2-step authentication isn’t part of WordPress but you can always use the Authy plugin to enable 2-factor authentication.

11. Change the Permalink Structure

Do not use the default Permalink structure of WordPress since it is bad for SEO. Go to Options -> Permalinks inside your WordPress dashboard and change your WordPress Permalink structure to something like:

Option 1. /%post_id%/%postname%
Option 2. /%category%/%postname%/%post_id%/

12. Add Favicon and Touch Icons

Your WordPress theme may not even include references to the favicon (favicon.ico) or the Apple touch icons but web browsers and feed readers may still request them from your server. It’s always better to serve a file than returning a 404.

First, create a 16×16 favicon.ico and a 144×144 apple-touch.png file and upload them to the home directory of your blog. Then add this line to your .htaccess to redirect all apple touch icon requests to that particular file.

RedirectMatch 301 /apple-touch-icon(.*)?.png http://example.com/apple-touch.png

13. Disallow Indexing of WordPress scripts

You want Google and other search engines to crawl and index your blog pages but not the various PHP files of your WordPress installation. Open the robots.txt file in your WordPress home directory and add these lines to block the bots from indexing the backend stuff of WordPress.

User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
Disallow: /feed/
Disallow: */feed/

14. Make the Admin a Subscriber

If your WordPress username is “admin,” create a new user and grant them administrator privileges. Now logout out of WordPress, log in as the new user and change the privilege of the user “admin” from Administrator to Subscriber.

You may even consider deleting the user “admin” and transfer any existing posts /pages to the new user. This is important for security reasons because you don’t want anyone to guess the username that has administrator privileges to your WordPress installation.

15. Hide XML Sitemaps from Search Engines

XML Sitemaps will help search engines better crawl your site but you don’t want search engines to actually show your sitemap in search results pages. Add this to your .htaccess to prevent indexing of XML sitemaps.

<IfModule mod_rewrite.c>
 <Files sitemap.xml>
  Header set X-Robots-Tag "noindex"
 </Files>
</IfModule>

16. Do Not Use WordPress search

Make sure your site search is powered by Google Custom Search and do not use the built-in search feature of WordPress. WordPress search returns less relevant results and the other advantage is that it will reduce strain on your WordPress server /database since the search queries will be handled through Google.

Alternatively, if you plan to continue with WordPress built-in search, use the Nice Search plugin. It creates better permalinks for your WordPress search pages (/search/tutorials vs /?s=tutorials).

17. Password Protect the wp-admin Directory

You can easily add another layer of security to your WordPress installation by password protecting the wp-admin directory. You’ll however have to remember two sets of credentials for logging into WordPress – your WordPress password and the password that is protecting the wp-admin directory.

18. Log 404 Errors in Google Analytics

404 errors are a missed opportunity. You can use events in Google Analytics to log your 404 errors including details about the referring site that is pointing to that 404 page of your site. Add this snippet in your 404.php file.

<? if (is_404()) { ?>
 _gaq.push(['_trackEvent', '404',
              document.location.pathname + document.location.search,
              document.referrer, 0, true]);
<? } ?>

19. Delete Unused Themes & WordPress plugins

The unused plugins and themes won’t affect the performance of your WordPress website but the aim should be to have as little executable code as possible on our server. Thus deactivate and delete the stuff that you no longer need.

20. Stop WordPress from Guessing URLs

WordPress has a strange habit of guessing URLs and it does make mistakes in most cases. Let me explain. If a user request labnol.org/hello URL but if that page doesn’t exist, WordPress may redirect that user to labnol.org/hello-world just because the URLs have some common words.

If you would like WordPress to stop guessing URLs and instead issue a 404 Not Found error for missing pages, put this snippet in the functions.php file:

add_filter('redirect_canonical', 'stop_guessing');
function stop_guessing($url) {
 if (is_404()) {
   return false;
 }
 return $url;
}

21. Set Expiry Headers for Static Content

The static files hosted on your WordPress website – like images, CSS and JavaScript- won’t change often and thus you may set Expire Headers for them so that the files get cached on the user’s browser. Thus, on subsequent visits, your site will load relatively faster as the JS and CSS files would be fetched from the local cache.

Refer to the HTML5 Boilerplate for details on setting up expiry and compression headers for performance. If you are using a caching plugin like W3 Total Cache, the cache control is managed by the plugin itself.

ExpiresActive On
ExpiresByType image/gif "access plus 30 days"
ExpiresByType image/jpeg "access plus 30 days"
ExpiresByType image/png "access plus 30 days"
ExpiresByType text/css "access plus 1 week"
ExpiresByType text/javascript "access plus 1 week"

23. Improve WordPress Security

I have discussed WordPress security in detail earlier. The gist is that you should add secret keys to your wp_config.php file, install a file monitoring plugin (like Sucuri or WordFence), change the WordPress table prefix and also limit login attempts to prevent brute force attacks.

24. Disable File Editing inside WordPress

When you are logged into your WordPress dashboard as an admin, you can easily edit any of the PHP files associated with your WordPress plugins and themes. If you would like to remove the file editing functionality (one missing semicolon can take down your WordPress site), add this line to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

25. Remove extra Query Parameters from URLs

If the web address of your WordPress site is abc.com, people can still reach your site if they add a few query parameters to the URL. For instance, abc.com/?utm=ga or abc.com/?ref=feedly are, technically speaking, completely different URLs but will work just fine.

This is bad because it dilutes your link equity (SEO) and, in an ideal situation, you would like all URLs to point to the canonical version. Add this little snippet to your .htaccess file and it will strip the unnecessary query parameters from all incoming requests.

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{QUERY_STRING} !=""
 RewriteCond %{QUERY_STRING} !^p=.*
 RewriteCond %{QUERY_STRING} !^s=.*
 RewriteCond %{REQUEST_URI} !^/wp-admin.*
 RewriteRule ^(.*)$ /$1? [R=301,L]
</IfModule>

26. Remove the Admin Bar

This is an annoying feature of WordPress – it adds an admin bar on top of all pages and that is visible to all users who are logged into their WordPress.com accounts. This can however be removed by adding a line to your functions.php file.

add_filter('show_admin_bar', '__return_false');

27. Deal with Ad Blockers

Some of your blog readers may be using ad-blocking software to block ad serving from your site. You can serve alternate content like a list of your popular WordPress posts or embed a YouTube video instead.

28. Insert Branding in your RSS Feed

You can easily add your brand logo to all articles in the RSS feed. And since these are served from your server, you can serve a different image for sites that are plagiarizing your content by republishing your feed. Add this to your functions.php file.

function add_rss_logo($content) {
  if(is_feed()) {
    $content .= "<hr><a href='blog_url'><img src='logo_url'/></a>";
  }
  return $content;
}
add_filter('the_content', 'add_rss_logo');
add_filter('the_excerpt_rss', 'add_rss_logo');

29. Install the Essential Plugins

Here’s a comprehensive list of WordPress plugins that I use and recommend.

30. Stay logged in for a longer period

If you check the “Remember Me” option, WordPress will keep you logged in for 2 week. If you are only logging into WordPress from a personal computer, you can easily extend the expiry date of the authorization login cookie by adding this to your functions.php file.

add_filter( 'auth_cookie_expiration', 'stay_logged_in_for_1_year' );
function stay_logged_in_for_1_year( $expire ) {
  return 31556926; // 1 year in seconds
}

31. Remove the WordPress Emojis

Starting with v4.2, WordPress now inserts Emoji related files in the header of your website. If you are not planning to use the emoticons and emojis in your blog, you may easily get rid of these extra files by adding the following lines to your functions.php file:

remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );

32. Track your Printed Pages

You can use Google Analytics to track the print usage of your website. When a visitor prints any page on your website, an event will be logged into Analytics and you’ll know what kind of content is getting sent to the printer. Similarly, you can also add a QR Code to printed pages and people can easily find the source URL by scanning the code with their mobile phone.

Also see: Linux Commands for WordPress