
How to optimize and secure your Wordpress site without plugins

Wordpress Website Speed and Performance

We've built a number of websites over the years, from websites for nonprofits to over 250 professional athlete sites and everything in between, and if there's one thing we have learned, it's how important website speed, security and performance are.

Website performance has a profound effect on how your website ranks in search results (better SEO), as well as on how your visitors engage with your site and your brand. Slower page load times lead to higher abandonment: according to Kissmetrics, 40% of people abandon a website that takes more than 3 seconds to load, and 47% of consumers expect a web page to load in 2 seconds or less.

Yes, there is a seemingly endless number of plugins that you can download or install with a quick click of a few buttons, but will they really give you the speed boost and security you need? Maybe, but what if I told you that sometimes they can actually cause more damage than good? Don't believe me? Just check out this article from Smashing Magazine that gives some specifics on WordPress performance improvements that can go wrong.

Don't worry though, we are going to cover how to get the most out of your WordPress website without having to edit a ton of files or download a bunch of plugins. You won't need to worry about compatibility or update issues, or any of the other problems that might arise. A quick word of caution: make a backup of your site and database before making ANY changes, including the ones outlined below.

NOTE: This article assumes you have access to your web server, and is written specifically for those running Apache.

To boost the performance and speed of your WordPress website:

  1. Start by moving JavaScript into the footer (footer.php) to enhance page load times.
    1. You can do this in your functions file, if you're calling your JavaScript files correctly with wp_register_script and wp_enqueue_script (learn more).
    2. Or if you're calling them from an external source, just move the whole script tag, for example:
      <script type="text/javascript" src="/scripts/emailpage.js"></script>

  2. Remove the unnecessary calls to your database or options files:
    1. Edit your theme files and look for things like "<?php get_bloginfo('wpurl'); ?>" and replace them with the actual URL. Hint: You'll usually find these in the header.php and footer.php files.
    2. Code the URLs right into your wp-config file so your site doesn't need to go looking for them in the database each time. You can do this by opening wp-config.php in a text editor and adding the following lines above "/* That's all, stop editing! Happy blogging. */":
      define('WP_HOME', 'https://www.nonstopwellness.com');
      define('WP_SITEURL', 'https://www.nonstopwellness.com');
  3. Limit the number of times you write to your database and the number of versions of posts by adding the following to your wp-config.php file, right below the lines you added in the example above:
      define('AUTOSAVE_INTERVAL', 120); // the 120 is the number of seconds to wait between autosaves
      define('WP_POST_REVISIONS', 5);   // the 5 is the number of revisions to keep per post
      define('EMPTY_TRASH_DAYS', 7);    // the 7 is the number of days something remains in the trash
  4. Enable mod_deflate in .htaccess - place the following at the top:
      <IfModule mod_deflate.c>
      AddOutputFilterByType DEFLATE text/plain
      AddOutputFilterByType DEFLATE text/html
      AddOutputFilterByType DEFLATE text/xml
      AddOutputFilterByType DEFLATE text/css
      AddOutputFilterByType DEFLATE application/xml
      AddOutputFilterByType DEFLATE application/xhtml+xml
      AddOutputFilterByType DEFLATE application/rss+xml
      AddOutputFilterByType DEFLATE application/javascript
      AddOutputFilterByType DEFLATE application/x-javascript
      </IfModule>
  5. Set expires headers in .htaccess - place the following at the top, below the lines above:
      # BEGIN Expire headers
      <IfModule mod_expires.c>
      ExpiresActive On
      ExpiresDefault "access plus 5 seconds"
      ExpiresByType image/x-icon "access plus 2500000 seconds"
      ExpiresByType image/jpeg "access plus 2500000 seconds"
      ExpiresByType image/png "access plus 2500000 seconds"
      ExpiresByType image/gif "access plus 2500000 seconds"
      ExpiresByType application/x-shockwave-flash "access plus 2500000 seconds"
      ExpiresByType text/css "access plus 600000 seconds"
      ExpiresByType text/javascript "access plus 200000 seconds"
      ExpiresByType application/javascript "access plus 200000 seconds"
      ExpiresByType application/x-javascript "access plus 200000 seconds"
      ExpiresByType text/html "access plus 600 seconds"
      ExpiresByType application/xhtml+xml "access plus 600 seconds"
      </IfModule>
      # END Expire headers
  6. Add cache control headers to .htaccess - place the following below the lines above:
      # BEGIN Cache-Control Headers
      <IfModule mod_headers.c>
      <FilesMatch "\.(ico|jpe?g|png|gif|swf)$">
      Header set Cache-Control "public"
      </FilesMatch>
      <FilesMatch "\.(css)$">
      Header set Cache-Control "public"
      </FilesMatch>
      <FilesMatch "\.(js)$">
      Header set Cache-Control "private"
      </FilesMatch>
      <FilesMatch "\.(x?html?|php)$">
      Header set Cache-Control "private, must-revalidate"
      </FilesMatch>
      </IfModule>
      # END Cache-Control Headers
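As an added example (not code from the original article), this is what the functions-file route in step 1 looks like when a script is registered for the footer, plus one step beyond the article: a defer attribute so the browser does not block on the file at all. The handle, file path and jQuery dependency are assumptions; it requires footer.php to call wp_footer().

```php
<?php
// Added example: enqueue a theme script so WordPress prints it just before
// </body> (via wp_footer()) instead of in <head>. Handle, path and the
// jQuery dependency are assumptions.
function example_theme_enqueue_scripts() {
    wp_register_script(
        'example-emailpage',                                       // handle
        get_template_directory_uri() . '/scripts/emailpage.js',    // file in the theme
        array( 'jquery' ),                                          // loaded after jQuery
        null,   // null = no ?ver= query string, so the WP version is not leaked here
        true    // true = print in the footer
    );
    wp_enqueue_script( 'example-emailpage' );
}
add_action( 'wp_enqueue_scripts', 'example_theme_enqueue_scripts' );

// Optional: add "defer" to this one tag only. Safe here because the script
// is in the footer and nothing inline depends on it running immediately.
function example_defer_script_tag( $tag, $handle ) {
    if ( 'example-emailpage' === $handle ) {
        $tag = str_replace( ' src=', ' defer src=', $tag );
    }
    return $tag;
}
add_filter( 'script_loader_tag', 'example_defer_script_tag', 10, 2 );
```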

To add an extra layer of security to your WordPress website, try the following:

  1. Delete the first user you create when you're setting up your account. Oftentimes people create a generic admin user, and that user is given the user number "1". It's pretty easy for a hacker to guess the user name and the user number, and then it's just a matter of time and effort to get your password. From the WordPress admin, create a new user with admin privileges, log out, and log in as the newly created user. Then delete the default/admin user.
  2. It probably goes without saying, but use a strong password. This should be something easy for you to remember but hard for someone to guess, and mix it up a little from site to site - don't always use the same password. Pro Tip: Try using a phrase with some uppercase and lowercase letters, numbers and characters, e.g. "ThisIsThePhraseICreatedIn2016".
  3. Change the default database table prefix, which is usually "wp_".  You're going to need database access to do this and you can get the full explanation on how to do this safely, here.
  4. Turn off file editing through the WordPress admin - this is usually the first thing hackers will try to access if they get into your site. You can make this update by adding the following to wp-config.php above where you see "/* That's all, stop editing! Happy blogging. */":
      define('DISALLOW_FILE_EDIT', true);
  5. Frequently update your WordPress salts. These live in your wp-config.php file and fresh ones can be generated here - https://api.wordpress.org/secret-key/1.1/salt/
  6. Hide the WordPress version, which hackers can use to pick exploits for your installation - add the following to functions.php or your custom plugin file:
      /**
       * Remove the WordPress version from the generator meta tag
       */
      add_filter('the_generator', '__return_false');
  7. Disallow HTML in WordPress comments, in the same file as above:
      /**
       * Disable HTML in WordPress comments (submitted tags are escaped, not rendered)
       */
      add_filter( 'pre_comment_content', 'esc_html' );
  8. Disable login hints in WordPress, again in your functions.php file:
      /**
       * Disable WordPress login hints: the same message whether the
       * user name or the password was wrong
       */
      function no_wordpress_errors() {
          return 'Please try the right user/pass combination';
      }
      add_filter( 'login_errors', 'no_wordpress_errors' );
  9. Always be diligent and keep your WordPress core and plugins up to date and backed up.
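Pulling steps 6, 7 and 8 together as an added example (not the article's own code): a must-use plugin, which WordPress loads automatically from wp-content/mu-plugins/ and which cannot be deactivated from the admin UI, so a theme switch does not silently undo the hardening. It also goes one step beyond item 6, because the_generator only covers the meta tag: the core version also leaks as ?ver= on enqueued scripts and styles, so it strips that too. The file name and function names are assumptions.

```php
<?php
/**
 * Plugin Name: Example Hardening (added example, not from the original article)
 * Description: Save as wp-content/mu-plugins/example-hardening.php; mu-plugins
 *              load automatically and have no deactivate button.
 */

// Refuse to run if the file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Step 6: drop the <meta name="generator"> tag (and the generator in feeds).
add_filter( 'the_generator', '__return_false' );

// Beyond step 6: core enqueues assets as /wp-includes/...?ver=<WP version>.
// Remove the query string only when it equals the core version, so plugin
// and theme assets keep their own cache-busting ?ver= values.
function example_strip_core_version( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version' );
add_filter( 'style_loader_src', 'example_strip_core_version' );

// Step 7: escape any HTML submitted in comments so it is shown as text.
add_filter( 'pre_comment_content', 'esc_html' );

// Step 8: one generic login error, so the message no longer reveals whether
// the user name or the password was the wrong part.
function example_generic_login_error( $error ) {
    return 'Please try the right user/pass combination';
}
add_filter( 'login_errors', 'example_generic_login_error' );
```

Check the result by viewing the page source of the front end: there should be no generator meta tag and no ?ver= matching your WordPress version on wp-includes assets.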

This list, of course, is not exhaustive, but it's a pretty quick and easy way to combat a number of the common issues that may arise when you're creating or maintaining WordPress sites, whether for yourself or a client. Your hosting provider can often offer host-specific information on performance and security enhancements, but we are ALWAYS here to assist and offer expertise. Just contact us and we will be in touch to get you on the right path.

Written by Kyle Barkins

Kyle Barkins co-founded Tapp Network with more than 10 years in marketing and application development, and calls on his experience to enhance the usability of web and mobile applications for high conversions for our clients.