14 Dec 2009
WordPress is the most used blogging system and, thanks to the great community that works to enhance its features, it is nowadays used as a full content management system. WordPress rocks, dude!
For these reasons it is (maybe) one of the most hacked CMSs. In some cases a website proudly powered by WP can also be slow without correct configuration and administration.
There are some tricks that allow us to boost our WordPress installation in a few minutes. Below is a list of useful tips to secure and speed up your blog system. Take your time reading them; they are very simple and could save you time in the future.
A simple and basic rule that can save you in many cases. Remember to frequently back up your website root folder (with all files) and database, so you can restore your site anytime.
You can use phpMyAdmin to make a quick copy of your SQL database. Open your database, go to Export and select all tables in SQL format (don’t forget to check “Add DROP TABLE”; I also use GZIP compression).

It’s essential to update your WordPress to fix bugs and security issues. You can use Automatic Upgrade (Tools -> Upgrade in your admin area) or a Three Step Manual Upgrade. To know more about how to stay updated, you can read Upgrading WordPress.
WordPress installation creates a default admin user with a random password. Are you still using the random default password? Change it and choose a new strong password, immediately!
It is also a good idea to change the default username for the administrator. You can manage your profile in the Users section of the admin area.
Protect the wp-admin directory with a server-side password. Put a .htaccess file in the directory that you want to protect. Below is the code for the .htaccess file.
AuthName "WP-Admin"
AuthType Basic
# the path to the .htpasswd file
AuthUserFile /path/to/passwd
Require valid-user
Use htpasswd to create a passwd file (.htpasswd) and put it in a non-web accessible directory (htpasswd -c /path/to/passwd username).
First of all you should set up secret keys in your wp-config.php. Why? Beginning with version 2.6, WordPress includes a new set of security features for passwords, password hashing and cookie security; if you want to increase the security of your site, you can use this generator to add secret keys.
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
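The following check is an added example, not code from the original post or from WordPress: it audits the four keys shown above in a wp-config.php text for leftover placeholders, short values and reuse, and builds replacement lines from the OS random source. The 32-character minimum, the 64-character key length and the sample input are assumptions made for illustration.

```python
import re
import secrets
import string

# Key names taken from the wp-config.php snippet in the article.
REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 32  # assumed minimum length, not a value stated by the article
# Matches define('NAME', 'value'); and captures NAME and value.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;""")

def audit_keys(config_text):
    """Return {key_name: [problems]}; an empty dict means all four keys look fine."""
    found = dict(DEFINE_RE.findall(config_text))
    problems = {}
    for name in REQUIRED_KEYS:
        value = found.get(name)
        issues = []
        if value is None:
            issues.append("missing")
        elif value == PLACEHOLDER:
            issues.append("placeholder")
        elif len(value) < MIN_LENGTH:
            issues.append("too short")
        if value is not None and sum(found.get(k) == value for k in REQUIRED_KEYS) > 1:
            issues.append("reused")
        if issues:
            problems[name] = issues
    return problems

def generate_defines():
    """Build fresh define() lines with 64 random characters per key."""
    # Quote and backslash are excluded so the value is safe in a PHP single-quoted string.
    alphabet = "".join(c for c in string.ascii_letters + string.digits + string.punctuation if c not in "'\\")
    return "\n".join(
        "define('%s', '%s');" % (name, "".join(secrets.choice(alphabet) for _ in range(64)))
        for name in REQUIRED_KEYS
    )

# Constructed sample: two untouched placeholders, one short key, one key absent.
SAMPLE = """\
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'hunter2');
"""

if __name__ == "__main__":
    print(audit_keys(SAMPLE))
    print(generate_defines())
```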
wp-config.php contains sensitive data, and for this reason you must protect this file in your .htaccess.
# protect wp-config.php
# (Apache 2.2 syntax; Apache 2.4 uses "Require all denied" instead)
<files wp-config.php>
Order deny,allow
deny from all
</files>
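The wp- folders don’t need to be indexed by search engines, so to keep crawlers out of these system folders you can write the following lines in your robots.txt file. Keep in mind that robots.txt only asks well-behaved crawlers to stay away; it does not restrict access to the folders.
User-agent: *
Disallow: /wp-*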
Bad Behavior complements other link spam solutions by acting as a gatekeeper, preventing spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. This keeps your site’s load down, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers.
Bad Behavior also transcends other link spam solutions by working in a completely different, unique way. Instead of merely looking at the content of potential spam, Bad Behavior analyzes the delivery method as well as the software the spammer is using. In this way, Bad Behavior can stop spam attacks even when nobody has ever seen the particular spam before.
Login LockDown records the IP address and timestamp of every failed WordPress login attempt, so when a certain number of attempts are detected within a short period of time from the same IP range, the plugin disables all requests from that range. This can prevent brute-force password attacks.
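The lockout logic described above can be sketched as follows. This is an added example, not the plugin's code: the threshold, window, lockout duration and the choice of an IPv4 /24 as "the same IP range" are assumptions, and the events are constructed sample data.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed policy values for illustration; the article gives no numbers.
MAX_FAILURES = 3        # failed logins tolerated per range inside the window
WINDOW_SECONDS = 300    # the "short period of time"
LOCKOUT_SECONDS = 3600  # how long a range stays blocked
RANGE_PREFIX = 24       # an IPv4 /24 is treated as "the same IP range"

class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> time the lock expires

    @staticmethod
    def ip_range(ip):
        return str(ipaddress.ip_network("%s/%d" % (ip, RANGE_PREFIX), strict=False))

    def is_locked(self, ip, now):
        return self.locked_until.get(self.ip_range(ip), 0) > now

    def record_failure(self, ip, now):
        """Record one failed login; return True if the range is now locked."""
        key = self.ip_range(ip)
        recent = self.failures[key]
        recent.append(now)
        # Drop failures that have fallen out of the sliding window.
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
        return self.is_locked(ip, now)

def replay(events):
    """Replay (timestamp, ip) failed-login events; return ranges still locked at the end."""
    guard = LoginLockdown()
    for ts, ip in events:
        if not guard.is_locked(ip, ts):  # requests from a locked range never reach the login
            guard.record_failure(ip, ts)
    last = events[-1][0]
    return sorted(r for r, until in guard.locked_until.items() if until > last)

# Constructed sample (documentation address ranges, seconds since start).
EVENTS = [
    (0, "203.0.113.10"), (20, "203.0.113.11"), (45, "203.0.113.12"),     # 3 failures in 45 s, one /24
    (50, "198.51.100.7"), (400, "198.51.100.7"), (800, "198.51.100.7"),  # slow: never 3 in the window
]

if __name__ == "__main__":
    print(replay(EVENTS))
```

Counting per range rather than per address is what catches the first group, where each address fails only once; the slow second group shows the trade-off of a short window.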
Secure WordPress gives a little help in securing your WordPress installation. It removes error information on the login page, adds index.html to the plugin directory, and removes the WP version, except in the admin area.
Images are important for their great impact on the design of a website, but if the pictures on our webpages aren’t optimized we could have some trouble with the load time and bandwidth of the website.
So you should use good compression for your images, depending on your software, to find the right balance between quality and file size.
Recently I’ve read a good article on Web Designer Wall about image compression using two different programs, Fireworks vs Photoshop Compression.
Compression is a quick and effective way to save bandwidth and speed up your website. Apache supports compression through mod_deflate; adding the following code to your .htaccess enables GZIP compression of your webpages.
# BEGIN GZIP
<ifmodule mod_deflate.c>
AddOutputFilterByType DEFLATE text/xml text/css application/x-javascript application/javascript
</ifmodule>
# END GZIP
Test your compression using GZIP-Test.
To minify your CSS (and speed up your website), you can use one of the available tools, such as Styleneat, or a PHP library, such as Minify.
Something else to do is to put all of your JavaScript into a single file and load it at the bottom of the page (footer.php).
You can use Firebug with Page Speed on Mozilla Firefox to test and optimize your webpages.
External websites and scripts can take a lot of time to load depending on the server connection. You should limit widgets and connections to other sites: by reducing the number of hostnames from which resources are served, we can minimize the number of DNS resolutions and the RTT delays.
Caution! Reducing the number of unique hostnames has the potential to reduce the parallel downloads in the page and this may increase response times. You should find the right balance.
Page Speed can help you in this “mission”.
Periodically you should optimize your database. Go to the database structure for your WordPress installation, check the tables that have overhead, select the Optimise Tables option and repair.
There is also a plug-in that allows database optimization from the admin area of WordPress: WP-Optimize.

To turn off the Post Revisions feature (if you don’t need it), add the following code to wp-config.php:
define('WP_POST_REVISIONS', false);
Browse the list of plugins you’re using and try to optimize your WordPress by deleting unused plugins.
If you have more than 15 plugins active on your blog, ask yourself if you really need them and delete the less useful ones.

The WP Super Cache plugin generates static HTML files from your dynamic WordPress blog. After an HTML file is generated, your webserver will serve that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts.
1 Response to Useful Suggestions To Secure And Speed Up Your WordPress Blog
Che' bama !!!
March 12th, 2010 at 8:15 pm
HOW DARE YOU!!! The USA has killed more polar bears by driving Hummers and watching 48 in. TVs than any other country. If you found info that says Climate Change is not real, you got it from the oil companies.