Firstly, let’s take a look at what is WP Embeds then WP Emojis

WP Embeds:

It is responsible for converting links into embed frames like embed videos, images, tweets, audio, and other content into your WordPress site.

wp-embed.min.js does not relate to embedding oEmbed content from other providers: Vimeo, YouTube, etc. You can remove wp-embed.min.js and those embeds will continue to function.

wp-embed.min.js hides the blockquote and reveals the iframe. if removing the wp-embed.min.js script from your website using the below method then reload your page and you’ll notice that the blockquote is visible but the iframe is hidden.

In this article, we will disable wp-embed.min.js and wp-emoji-release.min.js with the code method, if you are not familiar with codes check with a developer first.

Disable wp-embed.min.js

We recommend doing it if you have a child theme.
at child theme > functions.php > add a code

function disable_embeds_code_init() {

 // Remove the REST API endpoint.
 remove_action( 'rest_api_init', 'wp_oembed_register_route' );

 // Turn off oEmbed auto discovery.
 add_filter( 'embed_oembed_discover', '__return_false' );

 // Don't filter oEmbed results.
 remove_filter( 'oembed_dataparse', 'wp_filter_oembed_result', 10 );

 // Remove oEmbed discovery links.
 remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );

 // Remove oEmbed-specific JavaScript from the front-end and back-end.
 remove_action( 'wp_head', 'wp_oembed_add_host_js' );
 add_filter( 'tiny_mce_plugins', 'disable_embeds_tiny_mce_plugin' );

 // Remove all embeds rewrite rules.
 add_filter( 'rewrite_rules_array', 'disable_embeds_rewrites' );

 // Remove filter of the oEmbed result before any HTTP requests are made.
 remove_filter( 'pre_oembed_result', 'wp_filter_pre_oembed_result', 10 );
}

add_action( 'init', 'disable_embeds_code_init', 9999 );

function disable_embeds_tiny_mce_plugin($plugins) {
    return array_diff($plugins, array('wpembed'));
}

function disable_embeds_rewrites($rules) {
    foreach($rules as $rule => $rewrite) {
        if(false !== strpos($rewrite, 'embed=true')) {
            unset($rules[$rule]);
        }
    }
    return $rules;
}

WP Emojis

Emoji are the ideograms and smileys that are used in electronic messages and Web pages. It is unnecessary at all and adds additional load time.

Disable wp-emoji-release.min.js

at child theme > functions.php > add a code

function disable_emojis() {
 remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
 remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
 remove_action( 'wp_print_styles', 'print_emoji_styles' );
 remove_action( 'admin_print_styles', 'print_emoji_styles' ); 
 remove_filter( 'the_content_feed', 'wp_staticize_emoji' );
 remove_filter( 'comment_text_rss', 'wp_staticize_emoji' ); 
 remove_filter( 'wp_mail', 'wp_staticize_emoji_for_email' );
 add_filter( 'tiny_mce_plugins', 'disable_emojis_tinymce' );
 add_filter( 'wp_resource_hints', 'disable_emojis_remove_dns_prefetch', 10, 2 );
}
add_action( 'init', 'disable_emojis' );

/**
 * Filter function used to remove the tinymce emoji plugin.
 * 
 * @param array $plugins 
 * @return array Difference betwen the two arrays
 */
function disable_emojis_tinymce( $plugins ) {
 if ( is_array( $plugins ) ) {
 return array_diff( $plugins, array( 'wpemoji' ) );
 } else {
 return array();
 }
}

/**
 * Remove emoji CDN hostname from DNS prefetching hints.
 *
 * @param array $urls URLs to print for resource hints.
 * @param string $relation_type The relation type the URLs are printed for.
 * @return array Difference betwen the two arrays.
 */
function disable_emojis_remove_dns_prefetch( $urls, $relation_type ) {
 if ( 'dns-prefetch' == $relation_type ) {
 /** This filter is documented in wp-includes/formatting.php */
 $emoji_svg_url = apply_filters( 'emoji_svg_url', 'https://s.w.org/images/core/emoji/2/svg/' );

$urls = array_diff( $urls, array( $emoji_svg_url ) );
 }

return $urls;
}

If you don’t use a child theme or you want to add it on another way you could add it via the Code Snippets plugin

They are just bots that are constantly looking for possible security flaws in as many indexed domains as possible in order to compromise the site. There are tools that can help you detect these requests and take action like Cloudflare.

Using Cloudflare firewall rules for securing your website is one of the best ways to monitor, control and block bots.
This way is aimed at webmasters who run websites on a Cloudflare-enabled domain. On the free plan, Cloudflare grants five firewall rules that are empty by default.

Cloudflare WAF Rules Tips for Securing WordPress

By adding the below specific rules you can secure WP and block attacks before they even reach your web host’s server.

At your Cloudflare account, from the left menu, go to Security > WAF

Click Create firewall rule

Block wlwmanifest.xml Attack

wlwmanifest.xml is used by Windows Live Writer.

To block wlwmanifest.xml, simply add:

• Field: URI Path
• Operator: contains
• Value: /wlwmanifest.xml

Choose an action: Block

Block xmlrpc.php Attack

You can also block xmlrpc.php one of the most common attacks in the same previous way you did for a wp-includes folder.

Block direct access to PHP files in the wp-content

Block bots hammering the wp-comments-post.php file directly

The rule is as follows:

• Field: URI Path
• Operator: equals
• Value: /wp-comments-post.php

[AND]

• Field: Request Method
• Operator: equals
• POST

[AND]

• Field: Referer
• Operator: does not contain
• Value: yoursite.com (replace with your real domain)

Admin Area

About the admin area, I prefer to use other solutions instead Cloudflare like changing the WordPress default URL of the admin login here an Essential Advice for Improve WordPress Security and Performance.
However, I blocked wp-login.php via Cloudflare except in my country because all admins log in from Jordan.
It’s up to you to do this and pick your country instead of mine.

Here are a few of the solutions you can try and implement for improving the security and performance of the WordPress site:

1- Choose a secure web hosting

The first and most important step if you have still not chosen web hosting yet is to choose a hosting environment that is absolutely secure. Choosing the right host will save a lot of time for you and also pick the right packages that work for your website.

Bluehost Recommended by WordPress

WordPress recommends several hosting providers to host your WordPress website.

One of these hosting providers that recommended by WordPress and we recommended too is Bluehost

Bluehost is very secure with good support through phone or chat.

And you can easily install WordPress to it and here is How to Create a WordPress Website with Bluehost, from choosing a WordPress package to picking a theme.

Important! at this article we provide some methods that require editing the source code of a WordPress which could break your website if not done correctly. If you are not comfortable with any of these methods requiring coding, please check with a developer first.

2- Change the WordPress default URL of the admin login

The default WordPress URL to login to the dashboard is (/wp-admin) or (/wp-login.php).

We suggest changing these default WordPress URLs for admin login by using this plugin WPS Hide Login.

When you define a new custom login URL to your website then the (wp-admin) directory and the (wp-login.php) page become inaccessible, so you must remember and save the new login URL that you defined.

Suggested Plugin: WPS Hide Login

https://wordpress.org/plugins/wps-hide-login/

After active it plugin go to Setting > General > WPS Hide Login: define new Login URL & Redirection URL.

Don’t forget if you’re using any caching plugin you should add the slug of the new login URL to the list of pages not to cache.

Important Note: If you are using another security plugin that may include the option (change the default admin login URL), so don’t use this plugin in this case to avoid any conflicts issues.

In general, don’t use different plugins that did the same job, especially those plugins for security or performance.

3- Disable XML-RPC

Simply without talking deeply technically, XMLRPC.php is a feature that allows for connection to WordPress remotely like to connect to a WordPress via a Smart Phone.

The big problem with XML-RPC function is that it has become a backdoor in WordPress for hackers, scripts, Brute Force Attacks, DDoS attacks or bots.

• Brute Force Attacks – Where an attacker can use xml-rpc to test hundreds of username and password combinations until they are eventually able to gain access to your site. This occurs because xml-rpc does not have the same login attempt limit that exists when you log into WordPress normally.
• DDoS Attack – Where an attacker can use xml-rpc to pingback thousands of IPs. This allows them to send a flood of data and traffic which can cause overages and even have networks paralyzed and shutdown.

To disable XML-RPC on your WordPress there are many plugins that do this for you and some of the general security plugins have an option to do that

Suggested plugin: Disable XML-RPC

https://wordpress.org/plugins/disable-xml-rpc/

Just activate this plugin and it will automatically disable XML-RPC.

or on .htaccess file.

 # Block WordPress xmlrpc.php requests
 <Files xmlrpc.php>
 order deny,allow
 deny from all
 allow from xxx.xxx.xxx.xxx
 </Files>

Replace xxx.xxx.xxx.xxx with an IP address you want to give access to xmlrpc.php or remove access completely by simply removing this line.

3- Disable WP-Cron (wp-cron.php) for Faster Performance

WP-Cron on WordPress is used to schedule a post to publish, check for updates, send email notifications, and more.

WP-Cron on WordPress It is similar to CRON jobs on the host cPanel which is used to schedule tasks at periodic fixed times, dates, or intervals.

It might be a good feature if you need to publish posts at specific dates later on, but the problem with this feature is it slows down the server and impact the performance especially if you run more than WordPress website on the same server or you have a huge web content with a list of tasks that need to be checked by WP-Cron whenever a page is visited which high the load on the server.

For me, I prefer to disable this feature to improve website performance even I have never used the schedule feature, and it is up to you to choose to keep it or disable it according to your needs.

To disable WP-Cron:

1- Go to (wp-config.php) file

2- Add:

define('DISABLE_WP_CRON', true);

Before “That’s all, stop editing! Happy blogging.”

Now wp-cron.php will not run automatically each time someone visits your website.

If you still need a scheduling feature after disabling wp-corn via the above way, you could use plugins like WP Crontrol, Advanced Cron Manager – Debug & Control, or just make your own search for the best choice from many plugins.

4- Avoid using a nulled WordPress theme

Nulled theme means a cracked version of a premium theme.

These nulled themes sometimes include malware or backdoors which provide a subsequent access point to your website for hackers.

You should also use any plugins for malware scanners to detect possible malicious code in nulled/free WordPress Themes before using it, malware scanner like:

Anti-Malware Security and Brute-Force Firewall

https://wordpress.org/plugins/gotmls/

if you are familiar with setup WordPress on localhost, it will be better to use this plugin to scan nulled/free themes locally before uploading it online and using it.

5-Disable Emojis in WordPress

Disabling WP Emojis is one of a lot of WordPress performance optimizations and tweaks you can do to improve your website loading time. Find here How to disable WP Emojis

6- Delete Unused Autoloaded Data in wp_options Table

Honestly, from all tips for improving WordPress performance on the internet that is the one that made a difference to me.

wp_options table stores some data that are no longer used that were left behind by deleted themes, and plugins.
Before deleting entries from the wp_options table, ensure to take a backup of your entire database. This step is critical as we are making mass deletions that can potentially break things on your site.

How to do it?

Go to phpMyAdmin > Select database (left side column) > click on SQL tap (at top) > Inside the text area, enter what wanted from the below queries > click Go

You can then select unwanted rows and click on “Delete.”

1. Check autoloaded data size

SELECT SUM(LENGTH(option_value)) as autoload_size FROM wp_options WHERE autoload='yes';

Anything above 1 MB is most likely slowing down your site.

2- Check Top 100 Autoloaded Items

SELECT option_name, length(option_value) AS option_value_length FROM wp_options WHERE autoload='yes' ORDER BY option_value_length DESC LIMIT 100;

Delete the ones you know aren’t being used anymore. 

3-Find Specific Autoloaded Data

SELECT *
FROM wp_options
WHERE autoload = 'yes'
AND option_name LIKE '%avada%'

This command is useful for targeting specific plugins or themes that you KNOW for certain you aren’t using any longer. In this example I have used the Avada theme before I deleted it, now I want to clean up remnants left from the old theme. Simply replace the string “avada” with anything else you like.

Other essential tips for WordPress security

here is a quick list to keep in mind to secure your WordPress:

– Strong Password

That’s very essential, make sure the password checker gives you high evaluation = Very Strong

– Keep WordPress installation up to date

Make sure you update WordPress continuously, they always solve bugs and security issues every update.

– Download plugins from known resources.

– Use SSL certificate

Read more about why you should move your website to HTTPS / SSL

– Backup WordPress Website

– Remove the inactive user’s accounts in WordPress

Creating a website for your small business or an eCommerce website is remarkably easy to set up WordPress on Bluehost. Everyone can start their website without any advanced technical skills in web development.

What is Bluehost?
Bluehost is a web hosting solutions company that offers plans to host WordPress websites with easy steps. Bluehost has been recommended by WordPress.

Also if you want high-performance hosting you may need to check Bluehost VPS Hosting

Before we start we should mention to you that guide is to set up WordPress with a Bluehost account, not to teach you how to create a theme of WordPress.

Install WordPress on Your Hosting Server for Beginners without any Tech Experience

Here are easy steps to take to get your WordPress website started with one of the Bluehost hosting packages.

1- Go to the Bluehost WordPress Hosting

Click here to go to the WordPress Packages page or image below

Or if you are already on the website, From the navigation menu: WordPress > WordPress Hosting

2- Choose WordPress Plan

Scroll down until see packages, we highly recommend choosing PLUS plan or above for best performance, storage, bandwidth and last thing it allows to you to create more than website in the same hosting ..as arrows in the below image .. then click Select (blue button)

3- Create Domain Name

The next step that will be shown after you click the Select button is to choose a domain name, you have three options: Create a new domain, use a domain you own and create a domain later.

4- Create an Account

Create your account and fill in your information to fields that appear.

Note: for a section of Package Extras: you can uncheck it all, all of it is not necessary.

Don’t forget to check (I have read and agree to Bluehost’s Auto Renewal Terms..etc) then click submit button

5- Complete Setup

You will receive an email that the order is complete with the receipt, and they will ask you to create a password for your account. After you create a password follow the on-screen instructions then you are ready for the final step of choosing your WordPress theme.

6- Choose a WordPress Theme

WordPress will be automatically installed for you. Pick any theme, If you aren’t sure which theme you want, you can go back and change it later.

7- Congrats, You are done

Now you are in a WordPress dashboard that allows you to customize your theme and create web pages. and take the benefits of WordPress CMS.

that’s all.

If you are not familiar with how to create and customize your theme and need help you can kindly contact us.

By default, the maximum upload size in WordPress ranges from 32MB to 256MB depending on the settings of server hosting is giving by default.

To see what is the current max upload size limit allowed in the WordPress site then go to WordPress Admin dashboard → Media → Add New. the allowed max upload size will be shown as the below screenshot image (Yellow highlighted).

If the current max upload size limit doesn’t meet your demand then don’t fret, there are many ways you can reduce the max upload size in WordPress. We will be going to highlight the following ways in this article.

1- Modify php.ini through cPanel

The best way to reduce the maximum upload size in WordPress is through the website cPanel by modifying php.ini file, and here is the easiest way to do that:

• Login to website cPanel

• Go to software section

• Click on MultiPHP INI Editor

• Select the domain name

• Scroll down until you see upload_max_filesize

• Set the value you like followed with M character for Mega, in our case we set 2M.

2- Modify php.ini through upload file via FTP to WordPress root directory

The second way is to look for a php.ini file in the WordPress root directory, if php.ini file is not visible you need to create a new file instead.

1- Create a new file text editor like Notepad.
2- Copy the following code and paste it
upload_max_filesize = 25M
post_max_size = 13M
memory_limit = 15M
3- Save it as php.ini
4- Upload that php.ini file using FTP to the same root folder.

3- Edit Functions.php File

The last way to reduce the upload size limits is by adding these lines of code in the functions.php file of your theme.
@ini_set( 'upload_max_size' , '2M' );
@ini_set( 'post_max_size', '2M');
@ini_set( 'max_execution_time', '300' );
but keep in mind that if you change the WP theme then the max upload size will return to its default values until you edit the functions.php file of the new theme, because of that we recommend edit max upload via PHP.ini if it was possible.

Now you can reset a WordPress password via phpMyAdmin, here 6 easy steps to reset WordPress password it directly from the database using phpMyAdmin.

It easily steps to reset a WordPress password from phpMyAdmin but if you are not familiar with database be careful or call the expert to do it for you.

here the steps to reset a WordPress password via phpMyAdmin, if you just follow images instruction and mark’s you will succeed to do it.

1- login to phpMyAdmin
If you have access to your website cPanel or to your hosting account, log in to your cPanel then at the cPanel dashboard, click on the phpMyAdmin icon, it could be within the database section.

If you are running a website using the local server like XAMPP, WAMPP or MAMPP, just go to http://localhost/phpmyadmin/, or find a link at first screen show to you when you run the program (control panel).

2- In phpMyAdmin, click on your WordPress database name which you need to reset its user password.

3- From the list of tables shows for you find ‘wp_users’ table then click on the ‘Browse’ link next to it.

Note: Table name may a different than (wp_users) it could be any text followed by (_users).

4- from WordPress users list shows to you, click on the edit link of the username wants to change their password.

5- from user information fields find user_pass field under column header.
Now, in the same user_pass row:
– Under the function header, select MD5 from the drop-down list.

– After you choose MD5 in user_pass, in the same row under the value header, write your new password – typing.

6- scroll page down, click Go button.

Congratulations! Now try new WordPress password you set it using phpMyAdmin.

When do you need to reset the WordPress password from phpMyAdmin?
Reset WordPress password using phpMyAdmin it should be your last choice and if you want to that, we alert you should have good knowledge in using phpMyAdmin or follow above steps in this article carefully.
you need to using phpMyAdmin to reset WordPress password in these cases:
– You cannot reset WordPress password via regular way, the regular way is when you enter /wp-admin to login you see an option link (lost your password?), but you can’t be using this option happens when you forget your email of registered username, or maybe you forget email and username together but you still have access to cPanel.

– Your website is in localhost, so if you forget a password at localhost no way to reset password in a regular way we had mentioned because in most cases sending email from localhost websites not working and that’s the common situation.
in localhost mean you run website using XAMPP or WAMPP for example.