Everyone wants to know the secret behind a fast-loading and robust WordPress site. When a website loads slowly or is under attack, prospects cannot reach it. That leads to lost conversions, fewer page views, and lower customer satisfaction.
On the other hand, a secure, fast-loading website improves user experience, increases your pageviews, and helps with SEO. Google and other search engines have already started penalizing slower websites by pushing them down in the search results, which means less traffic for slow websites.
Often beginners think that their website is OK just because it doesn’t feel slow on their computer. That’s a HUGE mistake.
Before you begin, check the performance of your site using Google PageSpeed and Pingdom Tools. This will give you a before-and-after comparison. A good page load time is under 2 seconds; the faster you can make it, the better.
Making changes to your website configuration can be a terrifying thought for beginners, especially if you’re not a tech geek. But don’t worry, I will show you how you can speed up and secure your WordPress site and keep it that way easily.
WordPress Speed Optimization
Get Better Web Hosting
Your WordPress hosting service plays an important role in website performance. Good hosts like Siteground & A2 hosting take the extra measures to optimize your website for performance.
However, on shared hosting you share the server resources with many other customers. This means that if your neighboring site gets a lot of traffic, then it can impact the entire server performance which in turn will slow down your website.
On the other hand, using a managed WordPress hosting service like WPEngine gives you the most optimized server configurations to run WordPress. They also offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.
Optimize WordPress Configuration (Caching)
Aside from good web hosting and well-coded plugins, you have to make sure that you’re using proper caching. If your WordPress site is not serving cached pages, every request is generated from scratch, which overloads your server and makes your website slow or crashes it entirely. The solution is to install a WordPress caching plugin.
W3 Total Cache is a well-known and high-performance caching solution that brings the best out of your website. The plugin also offers features such as minification, making your files smaller and, therefore, faster to load.
Simply by activating W3 Total Cache and leaving the default configuration, you and your visitors will start noticing the difference.
You can tweak a lot of settings in W3 Total Cache. For most beginners, these options can be quite tricky and confusing, so I’ll go through each in detail. Let’s start with General Settings.
This is where you will set up the plugin by configuring basic settings. The first option you see on this page is Page Cache. It creates a static cached copy of each page the first time it is requested, so the page is not dynamically generated on every load. Having this enabled will significantly decrease your load time.
For shared hosting which most beginners use, the Disk:Enhanced method is highly recommended. You should check the Enable Page Cache box, and save all settings. This is all you need to do with page caching.
Having static files like that cached for 24 hours does not hurt you. Enable and save. Once you have done that, let’s visit the Performance » Browser Cache page for more settings.
As you can see in the image above, enable everything except for the 404.
The next feature is Minify. Minify reduces the size of your static files to save every kilobyte you can. However, generating the minified file can sometimes be more resource-intensive than the bandwidth it saves, so it is not the best fit for every server. Ask your web host whether to enable this or not.
Database caching reduces the server load by caching SQL queries. This eliminates the processing time of querying the database (which may not be much for smaller sites). Enabling it can, however, put a lot of load on your server, so ask your host about this too. Most hosts do not recommend it for shared hosting accounts.
If you have a highly dynamic site, then using the Object Caching will help. This is mainly used if you have complex database queries that are expensive to regenerate. For most beginners, ignore it.
Note: If you’re using a managed WordPress hosting provider, then you don’t need a caching plugin because they take care of it for you.
Optimize Images & Page Size
Images bring life to your content and help boost engagement. But if your images aren’t optimized, they could be hurting more than helping. In fact, non-optimized images are one of the most common speed issues we see on beginner websites.
In their original formats, these photos can have huge file sizes. Depending on the image file format and the compression, you can cut the file size by up to 5x.
There are mainly two image formats: JPEG and PNG. PNG is better in quality and larger in file size than JPEG. So if your photo has a lot of different colors, use JPEG; if it’s a simpler image or you need transparency, use PNG.
Use A High Quality Theme
When selecting a WordPress theme for your website, it’s important to pay special attention to speed optimization. Some beautiful and impressive-looking themes are actually poorly coded and can slow your site way down.
It’s usually better to go with a simpler theme and use quality plugins to get the features you need, than to choose a theme that’s bloated with complex layouts, flashy animations, and other unnecessary features.
Premium WordPress theme shops like StudioPress, Themify, and Array Themes offer themes that are well coded and optimized for speed.
Keep WordPress Clean & Up To Date
If you’re using a poorly coded plugin or theme, then it can significantly slow down your website. Apart from taking care in choosing only high quality plugins and themes, also make sure to have only those plugins installed and activated which you really need and use.
As a well maintained open source project, WordPress is updated frequently. Each update will not only offer new features, but also fix security issues and bugs. Your WordPress theme and plugins may have regular updates, too.
As a website owner, it’s your responsibility to keep your WordPress site, theme, and plugins updated to the latest versions. Not doing so may make your site slow and unreliable, and make you vulnerable to security threats.
Use Excerpts In Blog & Archive Pages
By default, WordPress displays the full content of each article on your homepage and archives. This means your blog page, categories, tags, and other archive pages will all load slower.
Another disadvantage of showing full articles on these pages is that users don’t feel the need to visit the actual article. This can reduce your pageviews, and the time your users spend on your site.
In order to speed up your loading times for archive pages, you can set your site to display excerpts instead of the full content. You can navigate to Settings » Reading and select “For each article in a feed, show: Summary” instead of Full Text.
Split Long Posts Into Short Posts
Readers tend to love blog posts that are longer and more in-depth. Longer posts even tend to rank higher in search engines. But if you’re publishing long form articles with 3000+ words and lots of images, it could be hurting your loading times. Instead, consider splitting up your longer posts into multiple short posts.
If you get a lot of comments on posts, loading all those comments can impact your site’s speed. WordPress comes with a built-in solution for that. Simply go to Settings » Discussion and check the box next to the “Break comments into pages” option.
Use a Content Delivery Network (CDN)
Users in different geographical locations may experience different loading times on your site. That’s because the location of your web hosting servers can have an impact on your site speed. Using a CDN, or Content Delivery Network, can help to speed up loading times for all of your visitors.
A CDN is a network made up of servers all around the world. Each server will store “static” files used to make up your website. Every time a user visits your website they are served those static files from whichever server is closest to them. One of the best known CDNs is StackPath (formerly called MaxCDN).
Don’t Upload Large Files To WordPress
You can directly upload videos to your WordPress site, but it will cost you bandwidth. You could be charged overage fees by your web hosting company, or they may even shut down your site altogether, even if your plan includes “unlimited” bandwidth.
Hosting videos also increases your backup sizes tremendously, and makes it difficult for you to restore WordPress from backup.
Instead, you should use a video hosting service like YouTube, Vimeo, DailyMotion, etc., and let them take care of the hard work. They have the bandwidth for it!
WordPress has a built-in video embed feature, so you can copy and paste your video’s URL directly into your post and it will embed automatically.
External Scripts/HTTP Requests
External scripts such as ads, font loaders, etc., can also have a huge impact on your website performance. Many WordPress plugins and themes load all kinds of files from other websites.
These files can include scripts, stylesheets, and images from external resources like Google, Facebook, analytics services, and so on.
It’s ok to use a few of these. Many of these files are optimized to load as quickly as possible, so it’s faster than hosting them on your own website. But if your plugins are making a lot of these requests, then it could slow down your website significantly.
You can reduce all these external HTTP requests by disabling scripts and styles or merging them into one file.
Optimize WordPress Database
After using WordPress for a while, your database will have lots of information that you probably don’t need any more. For improved performance, you can optimize your database to get rid of all that unnecessary information.
This can be easily managed with the WP-Sweep plugin. It allows you to clean your WordPress database by deleting things like trashed posts, revisions, unused tags, etc.
Post revisions take up space in your WordPress database. If a plugin doesn’t specifically exclude post revisions, it might slow down your site by searching through them unnecessarily.
You can easily limit the number of revisions WordPress keeps for each article. Simply add this line of code to your wp-config.php file.
This code will limit WordPress to only save your last 4 revisions of each post or page, and discard older revisions automatically.
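The wp-config.php line itself is not reproduced on this page. As an added example (not the article’s own code), the shell helper below writes the `WP_POST_REVISIONS` constant into wp-config.php for you. WordPress only honours the constant when it is defined before wp-settings.php is loaded, so the function places it ahead of the "That's all, stop editing" marker that every shipped wp-config.php carries, and it replaces any earlier definition rather than adding a duplicate. The function and file names are mine; the value 4 is the limit the text describes.

```shell
# Added example: set WP_POST_REVISIONS in wp-config.php without leaving
# duplicate definitions behind. The define is inserted before the "stop
# editing" marker so it precedes the wp-settings.php include.

set -eu

# Usage: set_post_revisions /path/to/wp-config.php [count]   (count defaults to 4)
set_post_revisions() {
    cfg="$1"
    count="${2:-4}"
    marker="That's all, stop editing"
    tmp="$cfg.tmp"

    # Refuse anything that is not a plain non-negative integer.
    case "$count" in
        ''|*[!0-9]*) echo "revision count must be an integer, got '$count'" >&2; return 1 ;;
    esac
    # Without the marker we cannot guarantee the define lands before wp-settings.php.
    grep -q "$marker" "$cfg" || { echo "no stop-editing marker in $cfg" >&2; return 1; }

    # Drop any earlier WP_POST_REVISIONS line, then insert the new one before the marker.
    grep -v 'WP_POST_REVISIONS' "$cfg" > "$tmp" || true
    awk -v def="define( 'WP_POST_REVISIONS', $count );" -v m="$marker" \
        'index($0, m) && !done { print def; done = 1 } { print }' "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Print the configured revision limit, or nothing if the constant is not defined.
get_post_revisions() {
    sed -n "s/.*define( *'WP_POST_REVISIONS', *\([0-9]*\) *);.*/\1/p" "$1"
}
```

Run it as `set_post_revisions /var/www/html/wp-config.php 4`; running it again with a different number updates the single existing line instead of appending a second define, and a non-numeric count is rejected before the file is touched.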
Disable Hotlinking And Leeching Of Your Content
The sad truth is that your content will probably get stolen sooner or later. One way this happens is when other websites serve your images directly from their URLs on your website, instead of uploading them to their own servers.
In effect, they’re stealing your web hosting bandwidth. Simply add this code to your .htaccess file to block hotlinking of images from your WordPress site.
Note: Don’t forget to replace smemark.com with your own domain. You may also want to check our article showing 4 ways to prevent image theft in WordPress.
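The .htaccess rules referred to above are not reproduced on this page. The following is an added example, not the article’s own snippet: a shell helper that generates the standard mod_rewrite hotlink rules with the domain properly escaped for use inside a regex (so `smemark.com` does not also match `smemarkXcom`) and appends them to .htaccess only once. It assumes Apache with mod_rewrite enabled and `AllowOverride FileInfo` for the site directory; smemark.com is the article’s placeholder domain and the function names are mine.

```shell
# Added example: build mod_rewrite rules that refuse image requests whose
# Referer belongs to another site, and install them into .htaccess idempotently.

set -eu

# Escape the dots in a domain so it is matched literally inside the regex.
regex_escape() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# Usage: hotlink_rules example.com
hotlink_rules() {
    dom=$(regex_escape "$1")
    cat <<EOF
# BEGIN hotlink protection
RewriteEngine On
# An empty Referer is allowed: direct visits and privacy-conscious browsers send none.
RewriteCond %{HTTP_REFERER} !^\$
# Anything else must come from this site (with or without www).
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?$dom(/|\$) [NC]
# Otherwise answer 403 for image files instead of serving them.
RewriteRule \.(jpe?g|png|gif|webp)\$ - [NC,F,L]
# END hotlink protection
EOF
}

# Append the rules to an .htaccess file unless a previous run already did.
# Usage: install_hotlink_rules example.com /path/to/.htaccess
install_hotlink_rules() {
    if grep -q '^# BEGIN hotlink protection' "$2" 2>/dev/null; then
        return 0
    fi
    hotlink_rules "$1" >> "$2"
}
```

Note the first condition: requests with no Referer header are let through, otherwise visitors who open an image URL directly would be blocked too. That also means a scraper that simply omits the header passes, so treat this as a bandwidth control rather than a security boundary.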
Some content scraping websites automatically create posts by stealing your content from your RSS feed. You can check out our guide on preventing blog content scraping in WordPress for ways to deal with automated content theft.
Securing Your WordPress Site
Security has become a foremost concern on the Web in the past few years. WordPress is relatively secure out of the box. But since it is open source, everyone, including hackers with a malicious intent, can scour the source code looking for holes in its security.
That is why I’m going to show you some good precautionary steps to protect you, your WordPress site and, most importantly, your users. Note, however, that no website is 100% secure. Your aim is simply to make it as hard as possible for someone to exploit the website.
In fact, you can probably get by all right by following a few simple rules:
Keep WordPress Updated
I said this before in speed optimization. And I am saying it again. Always keep WordPress and all plugins and themes up to date. The sooner you update your site, the better, because when a new update is released, the vulnerabilities it fixed are published along with it. Many WordPress updates contain functional upgrades as well as security fixes. Do not leave yourself exposed to old exploits.
Avoid Default Values
Do not use wp_ as the database table prefix. Many WordPress users leave the table prefix at the default, wp_, which lets malicious hackers target that prefix specifically in their exploits. By changing the prefix to something unique, you make the database less vulnerable.
Remove the admin username. Malicious users know that a large percentage of sites have a user named admin. This means they need to discover only a single piece of data: your password.
By using a unique username, they would have to guess twice as much data. Create a new administrator account with a different name, then delete the admin account.
Strong Password Management
Always use strong passwords, and change your passwords every couple of months. Regardless of the type of site you are running, you may be at risk of a brute-force attack. Deleting the admin username in the first step probably deterred most hackers, but there are always those who are very persistent or already know your username.
The next step is to choose a very difficult and diverse password. A good way to determine whether or not your password is secure is to enter it into an online password checker like passwordmeter.com, or to generate a random password. Treat your password like your toothbrush: don’t let anybody else use it, and get a new one every six months.
Tweak File Permissions
It is very important that you have the proper file permissions to ensure your site’s security. Make your file permissions as strict as possible without preventing you from performing essential tasks such as uploading media from within the admin area.
Many security experts recommend that you restrict your file permissions to a bare CHMOD value of 744, which essentially makes files read-only to everyone except you.
Just open your FTP program, right-click the folder or file and click on “File Permissions”. If it is 777, you are very lucky that you haven’t already been hacked. Change the CHMOD value to 744, giving only the “owner” full access.
In my experience, setting all directories as 755 and all files as 644 is best, although you might need to set wp-content/uploads to 777 in order to allow uploads from within the admin area.
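As an added example (not from the article), the shell functions below apply the 755-for-directories, 644-for-files scheme just described to a WordPress tree in one pass, and then list anything that is still world-writable so you can confirm the 777 case is gone. They assume PHP runs as the owner of the files, the usual shared-hosting setup, so wp-content/uploads keeps working at 755 and wp-config.php, which holds the database credentials, can be tightened to 600; on a host where the web server runs as a different user, keep wp-config.php at the 644 the text describes. The function names are mine.

```shell
# Added example: apply 755 to directories and 644 to files under a WordPress
# install, tighten wp-config.php, and audit for world-writable paths.

set -eu

# Usage: harden_wp_perms /path/to/wordpress
harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Directories need the execute bit to be traversed; files do not.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials; only the owner needs to read it
    # (assumes PHP runs as the file owner).
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Print every path writable by everyone (the 777 / 666 cases); an empty list is the goal.
find_world_writable() {
    find "$1" -perm -002
}
```

Run `find_world_writable /var/www/html` before and after `harden_wp_perms /var/www/html`: the first run shows what a 777 uploads directory or a sloppy FTP client left behind, the second should print nothing.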
Get A Web Application Firewall
Sucuri’s web application firewall is probably one of the best protections you can get for your site. They monitor and protect your site from DDoS, malware threats, XSS attacks, brute-force attacks, and basically every other type of attack. If you don’t have a firewall on your website, then add one today.
All the above tweaks need not be done manually. The WP Security Scan plugin does some of these things automatically and can assist you with completing the others.
If you follow these rules, you will stop 99% of all attempts on your website. To deal with the remaining 1%, you can use a variety of tactics, some of them simple, some requiring a bit more work.
Use A Spam Protection Plugin
Akismet is the number one tool for detecting spam comments. Akismet comes preinstalled with all WordPress installations. It is a plugin tied to a service that ensures your website’s comments section remains spam free.
You will need to activate it and generate an API key. The power of Akismet is that it is cloud-based. It uses data gathered about spammers across millions of websites to provide more effective spam protection than anything you could do locally.
However, if you don’t plan to allow comments on your articles, this step isn’t required. Instead, here’s what you need to do to disable comments.
Navigate to Settings » Discussion, and uncheck “Allow people to post comments on new articles.” This setting can be overridden in each post.
Set Up A WordPress Security Plugin
One aspect of security is backing up; another is actively preventing threats. This is where a plugin like iThemes Security comes in.
It monitors user logins, adds two-factor authentication, sets passwords to expire, monitors files for changes, obscures parts of the website to hide them from malicious code and much more! Most features are set-and-forget, so you can set up the plugin once and be a lot safer as a result!
Backing Up WordPress
No matter how much you invest in security, as long as your website is live, there is a chance it will be exploited, which is just one reason why backing up is so important.
Creating regular WordPress backups is the best thing you can do for your website. Backups give you peace of mind and can save you in catastrophic situations when your site gets hacked or you accidentally lock yourself out.
If something goes wrong and you haven’t set up a back-up system, you could lose all of your online assets.
There are several free and paid backup plugins for WordPress, and most of them are fairly easy to use. The most vital thing is to backup both the database and your files, not just one or the other.
If you want real-time backups, unlimited storage, and don’t want to pay a third-party storage service like Dropbox, then use VaultPress. VaultPress is a backup plugin which integrates with the system completely and takes care of everything automatically.
There are a few downsides to using VaultPress. First, it is a recurring expense that can add up if you have multiple WordPress sites. Secondly, it has recently become part of another product called Jetpack. So you will have to subscribe to Jetpack, get a WordPress.com account, and install the Jetpack plugin on your site.
If you run a small to medium-size website and hate paying monthly fees, then I recommend the popular BackupBuddy plugin. They have their own cloud storage, Stash, which makes it easy for beginners to store their backups in the cloud with a few clicks.
It allows you to easily schedule daily, weekly, or monthly backups. It can also automatically store your backups in Dropbox, Amazon S3, Rackspace Cloud, FTP, and even email it to yourself.
If you’d rather not spend money on backing up, UpdraftPlus is a great free option. It allows you to create complete backup of your WordPress site and store it on the cloud or download to your computer.
The plugin supports scheduled as well as on-demand backups. It can automatically upload your backups to Dropbox, Google Drive, S3, Rackspace, FTP, SFTP, email, and several other cloud storage services.
Upon activation, you need to visit Settings » UpdraftPlus Backups page to configure plugin settings. This is where you will set up an automatic backup schedule and a remote location to store your backups.
Next, you need to choose where to store your backup files. It is a bad idea to save your backups in the same location as your website. Losing your website means you will also lose access to your backup files.
This is why you need to choose a remote cloud storage service to store your backups. Simply click on a remote service to select it, and just follow the instructions.
Another free option is BackWPup. It allows you to create a complete WordPress backup for free and store it on the cloud (Dropbox, Amazon S3, Rackspace, etc.), FTP, email, or on your computer. Restoring a WordPress site from backup is also very simple.
Whichever WordPress backup plugin you end up choosing, please do NOT store your backups on the same server as your website. By doing that, you are putting all of your eggs in one basket.
If your server’s hardware fails or, worse, you get hacked, then you don’t have a backup, which defeats the purpose of setting up regular backups. This is why I highly recommend storing your backups on a third-party storage service like Dropbox, Amazon S3, Google Drive, etc.
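The two rules the backup section keeps returning to are: capture both the database and the files, and keep the copy off the server. As an added example that is not the article’s or any plugin’s code, the shell script below does exactly that from cron. It reads the database credentials out of wp-config.php, dumps the database, archives the WordPress tree while skipping the cache directory a caching plugin will rebuild anyway, records SHA-256 checksums so a restore can detect a corrupted or tampered archive, and copies the result to a remote host. The remote target, paths and function names are mine; `mysqldump` and `rsync` are assumed to be installed.

```shell
# Added example: database + files backup that ships the archives off-server.

set -eu

# Pull a value such as DB_NAME out of wp-config.php (the quoted define() form).
wp_config_value() {
    sed -n "s/.*define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1"
}

# Archive the WordPress tree, skipping cache directories that are rebuilt anyway.
# Usage: backup_files /path/to/wordpress /path/to/files.tar.gz
backup_files() {
    tar -C "$(dirname "$1")" --exclude='*/wp-content/cache' -czf "$2" "$(basename "$1")"
}

# Dump the database with the credentials wp-config.php holds (password passed via
# the environment rather than the command line, so it does not show up in ps).
# Usage: backup_db /path/to/wordpress /path/to/db.sql.gz
backup_db() {
    cfg="$1/wp-config.php"
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
      mysqldump --single-transaction -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$2"
}

# Hex SHA-256 of one file, used for the checksum manifest.
checksum_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Usage: backup_site /path/to/wordpress user@backup-host:/backups   (remote target is a placeholder)
backup_site() {
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d)
    backup_files "$1" "$work/files-$stamp.tar.gz"
    backup_db "$1" "$work/db-$stamp.sql.gz"
    ( cd "$work" && sha256sum -- * > "SHA256SUMS-$stamp" )
    # The off-server copy is the point of the exercise; a local-only backup dies with the disk.
    rsync -a "$work"/ "$2"/
    rm -rf "$work"
}
```

A nightly crontab entry such as `0 3 * * * /usr/local/bin/wp-backup.sh /var/www/html backup@backup-host:/backups/example` keeps a dated pair of archives plus a checksum manifest on the remote host; verify a restore from those files at least once rather than trusting that they exist.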
The measures needed to secure a website cannot be discussed in a single book, let alone a poor article. There are many methods and topics we did not look at, such as advanced password encryption, salts and so on. But hopefully, by implementing what we’ve discussed, your website will be much safer.
Hackers usually go for the weakest link, so if your website is not insanely popular and is fairly secure, you should be OK.