Call Us : +91-98880-01269

How to Optimize your WordPress Installation

These suggestions are only applicable to self-hosted sites and not blogs that are hosted on Also, I assume that you are running WordPress on Apache. Let’s get started:

1. Change the default media upload folder
The default installation of WordPress will store all your images, documents and other uploads inside the wp-content/uploads folder.

It is always a good idea to store your images outside the WordPress folder, preferably on a sub-domain. This offers a few advantages. Your image URLs will be relatively shorter, your daily WordPress backups will be more manageable and, most important, serving images from a different domain will allow parallel downloads and thus improve the page loading time (see Yahoo Performance Rules).

WordPress 3.5 (or later) does not offer an option to change the default media upload folder but there’s a plugin to bring those settings back. Also deselect the option – “Organize my uploads into month- and year-based folders.”

2. Remove unnecessary meta-data from your WordPress site
If you look at the HTML source code of your WordPress site, you will find a couple of meta tags that aren’t really required. For instance, the version of WordPress software running on your server can be easily retrieved by looking at your source header.

This information is like a good hint to WordPress hackers who are looking to target blogs that are using the older and less secure versions of WordPress software. To completely remove the version number and other non-essential meta-data from your WordPress header, add this snippet to your functions.php file found in the WordPress themes folder.
remove_action( ‘wp_head’, ‘wp_generator’ ) ;
remove_action( ‘wp_head’, ‘wlwmanifest_link’ ) ;
remove_action( ‘wp_head’, ‘rsd_link’ ) ;

The WLW-Manifest function (line #2) is used by Windows Live Writer to download the styles / themes used in your WordPress blog. Windows Live Writer users who do not use the live preview feature may turn off this function.

3. Prevent people from browsing your WordPress folder structure

Since you would not like anyone to browse your WordPress files and folders using the explorer view in web browsers, add the following line to your .htaccess file that exists in your WordPress installation directory.

Options All -Indexes

Also make sure that there’s a blank index.php in the wp-content/themes and wp-content/plugins folder of your WordPress directory.

4. Disable HTML in WordPress comments

The comment box is WordPress is a mini HTML editor and commenters can use standing HTML tags like to format their comments. They can even add hyperlinks in their comment. If you would like to disallow HTML in WordPress comments, add this snippet to your functions.php file.

add_filter( ‘pre_comment_content’, ‘wp_specialchars’ );

5. Turn off Post Revisions in WordPress

WordPress includes a helpful document revisions feature to help you track changes and you can also revert to any previous version of your blog posts. Post revisions do however increase the size of WordPress wp_posts table as each revision means an additional row.

To disable post revisions in WordPress, open the wp-config.php file in your WordPress directory and add the following line:

define( ‘WP_POST_REVISIONS’, false);

Alternatively, if you would like to retain the Post Revisions functionality, you may just limit the number of posts revisions that WordPress stores in the MySQL database. Add this line to the wp-config file.

define( ‘WP_POST_REVISIONS’, 3);

Reference: Editing wp-config.php (WordPress Codex)

6. Change the Post Auto-Save Interval

When you are editing a blog post inside the WordPress editor, it will auto-save your drafts as-you-type and this will help in recovering your work in case the browser crashes. The drafts are saved every minute but you can change the default duration to say 120 seconds (or 2 minutes) by adding a line to your wp-config.php file.

define( ‘AUTOSAVE_INTERVAL’, 120 );

7. Hide the secondary WordPress feeds

Your WordPress syndicates multiple RSS Feeds – the blog feed, article feeds, comments feed, category feeds, archive feeds, etc. – and these are auto-discoverable as they are included in the HTML header of your blog pages using the meta tag.

If you just want to publicize your main feeds, add these line to your functions.php file:

remove_action( ‘wp_head’, ‘feed_links’, 2 );
remove_action( ‘wp_head’, ‘feed_links_extra’, 3 );

8. Redirect all feeds to your master RSS feed

In the previous step, we simply removed the RSS feeds from printing inside the header but the RSS feeds still exists. If you would like to have one RSS feed served through FeedBurner and disable all the other feeds, add this to your .htaccess file. Do remember to replace the feed URL with your own.

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !^.*(FeedBurner|FeedValidator) [NC]
RewriteRule ^feed/?.*$ [L,NC,R=301]

9. Hide Errors on the WordPress Login screen

When you type a non-existent username or an incorrect password while logging into WordPress, it will provide a very detailed error message telling you exactly whether your username is wrong or the password doesn’t match. That’s bad.

Add this to your functions.php file to hide all the login-related warnings from displaying on the screen.

function no_errors_please(){
return ‘GET OFF MY LAWN !! RIGHT NOW !!’;
add_filter( ‘login_errors’, ‘no_errors_please’ );

10. Enable 2-factor Authentication

This is highly recommended. If someone gets hold of your WordPress credentials, they will still need your mobile phone to get into your WordPress dashboard.

Unlike Dropbox or Google, 2-step authentication isn’t part of WordPress yet but you can always use plugins. Authy is popular for enabling 2-factor authentication though I prefer Authenticator since it can be used with the official Google Authenticator app.

11. Change the Permalink Structure

Do not use the default Permalink structure of WordPress since it is bad for SEO.

Go to Options -> Permalinks inside your WordPress dashboard and change your WordPress Permalink structure. The recommended structure, from the SEO and performance perspective, is:


12. Add the missing favicon and touch icons

Your WordPress theme may not even include references to the favicon (favicon.ico) or the Apple touch icons but web browsers and feed readers may still request them from your server. It’s always better to serve a file than returning a 404.

Put a 16×16 favicon.ico and a 144×144 apple-touch.png file in the home directory of your blog. Then add this line to your .htaccess to redirect all apple touch icon requests to that particular file.

RedirectMatch 301 /apple-touch-icon(.*)?.png

13. Disallow indexing of WordPress scripts

You want Google and other search engines to crawl and index your blog pages but not the various PHP scripts that have been used by WordPress or the various plugins and themes.

Open the robots.txt file in your WordPress home directory and add these lines to block the bots from indexing the backend stuff of WordPress.

User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
Disallow: /feed/
Disallow: */feed/

14. Make the Admin a Subscriber
If your WordPress username is “admin,” create a new user and grant them administrator privileges. Now logout out of WordPress, log in as the new user and change the privilege of the user “admin” from Administrator to Subscriber.

You may even consider deleting the user “admin” and transfer any existing posts /pages to the new user. This is important for security reasons because we don’t people to guess the username that has administrator privileges to our WordPress installation.

15. Hide your XML Sitemaps from Search Engines
XML Sitemaps will help search engines better crawl your site but you don’t want to search engines to actually show your sitemap in search results pages.

Add the following line to your .htaccess to prevent indexing of XML sitemaps.

Header set X-Robots-Tag “noindex”

16. Do not Use WordPress search

Make sure your site search is powered by Google Custom Search and do not use the built-in search feature of WordPress.

WordPress search returns less relevant results and the other advantage is that it will reduce strain on your WordPress server /database since the search queries will be handled through Google.

Alternatively, if you plan to continue with WordPress built-in search, use the Nice Search plugin. It creates better permalinks for your WordPress search pages (/search/tutorials vs /?s=tutorials).

17. Password Protect your wp-admin Directory
You can easily add another layer of security to your WordPress installation by password protecting the wp-admin directory. You’ll thus have to remember two sets of credentials for logging into WordPress – your WordPress password and the password that is protecting the wp-admin directory.

18. Log 404 Errors in Google Analytics
404 errors are a missed opportunity. You can use events in Google Analytics to log your 404 errors including details about the referring site that is pointing to that 404 page of your site.

Add this block inside your Google Analytics tracking code after the _gaq.push function.

_gaq.push([‘_trackEvent’, ‘404’, document.location.pathname +, document.referrer, 0, true]);
19. Delete all the unused Themes and WordPress plugins

The unused plugins and themes won’t affect the performance of your WordPress website but the aim should be to have as little executable code as possible on our server. Thus deactivate and delete the stuff that you no longer need.

20. Stop WordPress from Guessing URLs
WordPress has a strange habit of guessing URLs and it does make mistakes in most cases. Let me explain. If a user request URL but if that page doesn’t exist, WordPress may redirect that user to just because the URLs have some common words.

If you would like WordPress to stop guessing URLs and instead issue a 404 Not Found error for missing pages, put this snippet in the functions.php file:

add_filter(‘redirect_canonical’, ‘stop_guessing’);
function stop_guessing($url) {
if (is_404()) {
return false;
return $url;

21. Set Expiry Headers for Static Content

The static files hosted on your WordPress website – like images, CSS, JavaScript, .txt, etc. – won’t change often and thus you may set Expire Headers against them so that the files get cached on the user’s browser. Thus, on subsequent visits, your site will load relatively faster as the JS and CSS files would be used from the local cache.

Refer to the .htaccess file of the HTML5 boilerplate template for details on setting up expiry headers. If you are using a caching plugin like W3 Total Cache, the cache control is managed by the plugin itself.

ExpiresActive On
ExpiresByType image/gif “access plus 30 days”
ExpiresByType image/jpeg “access plus 30 days”
ExpiresByType image/png “access plus 30 days”
ExpiresByType text/css “access plus 1 week”
ExpiresByType text/javascript “access plus 1 week”

23. Improve the Security of your WordPress Blog
I have discussed WordPress security in detail earlier. The gist is that you should add secret keys to your wp_config.php file, install a file monitoring plugin and also Limit Login to prevent brute force attacks.

24. Disable File Editing inside WordPress
When you are logged into your WordPress dashboard as an admin, you can easily edit any of the PHP files associated with your WordPress plugins and themes. If you would like to remove the file editing functionality (one missing semicolon can take down your WordPress site), add this line to your wp-config.php file:

define( ‘DISALLOW_FILE_EDIT’, true );

25. Remove extra Query Parameters from URLs

If the web address of your WordPress site is, people can still reach your site if they add a few query parameters to the URL. For instance, or are, technically speaking, completely different URLs but will work just fine.

This is bad because it dilutes your link equity (SEO) and, in an ideal situation, you would like all URLs to point to the canonical version. Add this little snippet to your .htaccess file and it will strip the unnecessary query parameters from all incoming requests.

RewriteEngine On
RewriteCond %{QUERY_STRING} !=””
RewriteCond %{QUERY_STRING} !^p=.*
RewriteCond %{QUERY_STRING} !^s=.*
RewriteCond %{REQUEST_URI} !^/wp-admin.*
RewriteRule ^(.*)$ /$1? [R=301,L]