This article is our checklist and guide for improving security and performance whenever we set up a new WordPress website.
The plugins mentioned in this article are optional; other plugins can do the same job, but here we suggest the ones we have tested.
For example, we recommend changing the default WordPress login URL and disabling XML-RPC; we suggest two plugins for those two jobs, but you could use a single security plugin that does both.
Here are a few of the solutions you can implement to improve the security and performance of a WordPress site:
1- Choose a secure web host
The first and most important step, if you have not chosen web hosting yet, is to choose a secure hosting environment. Choosing the right host saves you a lot of time; also pick the package that fits your website.
Bluehost Recommended by WordPress
WordPress recommends several hosting providers to host your WordPress website.
One of the providers recommended by WordPress, and by us too, is Bluehost.
Bluehost is very secure, with good support by phone or chat.
You can easily install WordPress on it; see How to Create a WordPress Website with Bluehost, which covers everything from choosing a WordPress package to picking a theme.
Important! Some methods in this article require editing WordPress source files, which could break your website if done incorrectly. If you are not comfortable with any of the methods that require coding, check with a developer first.
2- Change the WordPress default URL of the admin login
The default WordPress URLs for logging in to the dashboard are /wp-admin and /wp-login.php.
We suggest changing these default admin login URLs with the WPS Hide Login plugin.
Once you define a custom login URL, the wp-admin directory and the wp-login.php page become inaccessible, so you must save and remember the new login URL you defined.
Suggested Plugin: WPS Hide Login
https://wordpress.org/plugins/wps-hide-login/
After activating the plugin, go to Settings > General > WPS Hide Login and define the new Login URL and Redirection URL.
If you use a caching plugin, don’t forget to add the slug of the new login URL to the list of pages not to cache.
Important Note: If you are using another security plugin that already includes an option to change the default admin login URL, do not use this plugin as well, to avoid conflicts.
In general, do not use multiple plugins that do the same job, especially security or performance plugins.
3- Disable XML-RPC
Without going deep into the technical details, xmlrpc.php is a feature that allows remote connections to WordPress, for example from a smartphone app.
The big problem with XML-RPC is that it has become an entry point into WordPress for hackers, scripts, brute-force attacks, DDoS attacks and bots.
- Brute Force Attacks – where an attacker uses xml-rpc to test hundreds of username and password combinations until they eventually gain access to your site. This works because xml-rpc does not have the same login attempt limit that exists when you log into WordPress normally.
- DDoS Attack – where an attacker uses xml-rpc to send pingbacks to thousands of IPs. The resulting flood of data and traffic can cause bandwidth overages and even paralyze and shut down networks.
There are many plugins that disable XML-RPC for you, and some general security plugins include an option for it.
Suggested plugin: Disable XML-RPC
https://wordpress.org/plugins/disable-xml-rpc/
Just activate this plugin and it will automatically disable XML-RPC.
Alternatively, add this to your .htaccess file:
# Block WordPress xmlrpc.php requests
# (Apache 2.2 access directives; Apache 2.4 accepts them only with mod_access_compat loaded)
<Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
</Files>
Replace xxx.xxx.xxx.xxx with the IP address that should keep access to xmlrpc.php, or remove the “allow from” line to block access completely.
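As an added example (not from the article or from the Disable XML-RPC plugin), here is the same result without a plugin: a must-use plugin file, assumed to live at wp-content/mu-plugins/disable-xmlrpc.php, that turns off the authenticated XML-RPC methods and the pingback feature using only WordPress core filters.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC
 * Added example, not from the article: place this file in wp-content/mu-plugins/
 * (assumed path) so WordPress loads it without activation.
 */

// Disable the XML-RPC methods that require authentication. This closes the
// brute-force path: login attempts through xmlrpc.php are rejected.
add_filter( 'xmlrpc_enabled', '__return_false' );

// The pingback methods do not need authentication, so remove them separately.
// These are the ones abused for the pingback flood described above.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Defence in depth: answer any remaining request to xmlrpc.php with 403 so
// bots get nothing useful and the attempts stay visible in the access log.
// XMLRPC_REQUEST is defined by xmlrpc.php itself before WordPress loads.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'XML-RPC is disabled on this site.' );
    }
} );
```

After deploying it, a request to /xmlrpc.php should return 403, and the X-Pingback header should no longer appear on normal page responses.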
4- Disable WP-Cron (wp-cron.php) for Faster Performance
WP-Cron is what WordPress uses to publish scheduled posts, check for updates, send email notifications, and more.
It is similar to the cron jobs in your host’s cPanel, which schedule tasks at fixed times, dates, or intervals.
It is a useful feature if you need to publish posts on specific dates, but the problem is that it slows down the server and hurts performance, especially if you run more than one WordPress website on the same server or have a large site with a long list of tasks: WP-Cron checks that list whenever a page is visited, which raises the load on the server.
Personally, I prefer to disable this feature to improve website performance, as I have never used the scheduling feature; it is up to you to keep or disable it according to your needs.
To disable WP-Cron:
1- Open the wp-config.php file
2- Add the following line before “That’s all, stop editing! Happy blogging.”:
define('DISABLE_WP_CRON', true); // stop wp-cron.php from running on every page load
Now wp-cron.php will not run automatically each time someone visits your website.
If you still need scheduling after disabling wp-cron this way, you could use plugins like WP Crontrol or Advanced Cron Manager – Debug & Control, or search for the best choice among the many available plugins.
5- Avoid using a nulled WordPress theme
A nulled theme is a cracked (pirated) version of a premium theme.
Nulled themes sometimes include malware or backdoors that give hackers a later access point into your website.
You should also use a malware scanner plugin to detect possible malicious code in nulled or free WordPress themes before using them, for example:
Anti-Malware Security and Brute-Force Firewall
https://wordpress.org/plugins/gotmls/
If you are familiar with setting up WordPress on localhost, it is better to use this plugin to scan nulled or free themes locally before uploading them to your live site.
6- Disable Emojis in WordPress
Disabling WP emojis is one of many WordPress performance tweaks that improve your website’s loading time. See How to disable WP Emojis.
7- Delete Unused Autoloaded Data in the wp_options Table
Honestly, of all the tips for improving WordPress performance on the internet, this is the one that made a difference for me.
The wp_options table stores data that is no longer used, left behind by deleted themes and plugins.
Before deleting entries from the wp_options table, take a backup of your entire database. This step is critical, as we are making mass deletions that can potentially break your site.
How to do it?
Go to phpMyAdmin > select your database (left column) > click the SQL tab (at the top) > paste the query you want from the list below into the text area > click Go.
You can then select unwanted rows and click on “Delete.”
1- Check autoloaded data size
SELECT SUM(LENGTH(option_value)) as autoload_size FROM wp_options WHERE autoload='yes';
Anything above 1 MB is most likely slowing down your site.
2- Check Top 100 Autoloaded Items
SELECT option_name, length(option_value) AS option_value_length FROM wp_options WHERE autoload='yes' ORDER BY option_value_length DESC LIMIT 100;
Delete the ones you know aren’t being used anymore.
3- Find Specific Autoloaded Data
SELECT *
FROM wp_options
WHERE autoload = 'yes'
AND option_name LIKE '%avada%';
This query is useful for targeting specific plugins or themes that you know for certain you no longer use. In this example I used the Avada theme before I deleted it, and now I want to clean up the remnants left by the old theme. Simply replace the string “avada” with whatever you like.
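As an added example (not from the article), the same autoload size check and name-based cleanup done through the WordPress database API, $wpdb, which handles a custom table prefix and escapes the search string for you. It assumes WordPress is loaded (for instance, run it as a file with WP-CLI’s eval-file command) and that a full database backup was taken first; prune_autoloaded() and autoload_size_bytes() are names chosen for this example.

```php
<?php
// Added example, not from the article. Reports the autoloaded data size and
// the autoloaded options matching a string; deletes them only when asked to.

/** Total bytes of option_value that WordPress loads on every request. */
function autoload_size_bytes() {
    global $wpdb;
    return (int) $wpdb->get_var(
        "SELECT SUM(LENGTH(option_value)) FROM {$wpdb->options} WHERE autoload = 'yes'"
    );
}

/**
 * Autoloaded options whose name contains $needle (e.g. 'avada'), largest first.
 * With $delete = false (the default) it only reports; with true it removes each
 * one via delete_option(), which also clears the object cache for that option.
 * Returns an array of option_name => size in bytes.
 */
function prune_autoloaded( $needle, $delete = false ) {
    global $wpdb;
    // esc_like() escapes % and _ in the user string; prepare() quotes it.
    $like = '%' . $wpdb->esc_like( $needle ) . '%';
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT option_name, LENGTH(option_value) AS bytes
           FROM {$wpdb->options}
          WHERE autoload = 'yes' AND option_name LIKE %s
          ORDER BY bytes DESC",
        $like
    ) );
    $found = array();
    foreach ( $rows as $row ) {
        $found[ $row->option_name ] = (int) $row->bytes;
        if ( $delete ) {
            delete_option( $row->option_name );
        }
    }
    return $found;
}

// Step 1: how much is autoloaded right now (the article's 1 MB rule of thumb).
printf( "Autoloaded data: %d bytes\n", autoload_size_bytes() );

// Step 2: report-only pass for the old theme's leftovers; review before deleting.
foreach ( prune_autoloaded( 'avada' ) as $name => $bytes ) {
    printf( "%8d  %s\n", $bytes, $name );
}

// Step 3: once the list looks right, run the deletion for real and re-measure.
// prune_autoloaded( 'avada', true );
// printf( "Autoloaded data after cleanup: %d bytes\n", autoload_size_bytes() );
```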
Other essential tips for WordPress security
Here is a quick list to keep in mind to secure your WordPress:
– Strong Password
That is essential; make sure the password strength checker rates your password as Very Strong.
– Keep WordPress installation up to date
Make sure you keep WordPress updated; every update fixes bugs and security issues.
– Download plugins from known sources.
– Use SSL certificate
Read more about why you should move your website to HTTPS / SSL