WordPress.org logo

WordPress Security, WordPress Help, and WP optimization and development. Run WordPress and your servers as efficiently and secure as possible. These articles provide a broad overview of WordPress security, optimization and developent with specific recommended approaches. This is of huge importance for every WordPress developer and website owner. Harden your WordPress website security with these valuable tips!

In the first place how to optimize WordPress performance on Windows Server IIS. Secondly how to use WordPress plugins for speed, optimization & security. Tips! And PHP and MySQL! After all this is everything we want.

Secure wp-content/uploads in Linux Apache and Windows Server IIS

It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably and in my opinion without the use of a security plugin. Denying access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config on Windows Server IIS, and here is how.

Read more
No spam

Here is how to change Akismet interval to three days instead of 15 days for deleting spam comments using the akismet_delete_comment_interval filter.

Read more

Whenever WordPress is using a lot of CPU and you have Wordfence Security plugin enabled, it is recommended to double check some settings. Unfortunately the Wordfence “Live Traffic Options” (“Traffic logging mode”) feature can cause high CPU usage and load issues for WordPress websites. Therefore, I recommend you disable this feature to improve the performance of your WordPress website.

Read more

In a previous post I explained that clearing PHP opcode caches before WordPress Updates helps in streamlining the update process. WordPress updates no longer fail because of cached file locations. Did you know you can automatically flush opcode caches like Redis when you publishing a post or page in WordPress? Doing so ensures you and your visitors see the newly created content immediately.

Read more
Security?

Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’

Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?…

Read more

Here is how to increase WordPress’ memory limit (WP_MEMORY_LIMIT) properly. I see this done wrong over and over again in WordPress plugins and themes. In a worst case scenario this may even decrease the available amount of memory for WordPress! So be careful with the advice you follow. In this post I show you one correct way of setting WordPress WP_MEMORY_LIMIT and PHP memory_limit settings.

Read more

The WordPress XML-RPC API has been under attack for many years now. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from xmlrpc.php attacks, but still being able to use (some of) its functionality like Jetpack? This post gives you some insight.

Read more

Recently the WordPress Jetpack email sharing service is often abused by spammers. They use the Send to Email Address for sending spam. All these kind of “Tell a Friend” scripts are abused a lot. Here is how to disable email share service in Jetpack.

Read more

The default WordPress theme Twenty Seventeen’s content width can be easily changed to full width. All you need is this bit of CSS.

Read more

Verify WordPress Core files md5 checksums against WordPress’ checksums API, using this standalone PHP file. I chose to use a standalone PHP script to check the md5sum of WordPress Core files against the API so you’re not dependent on a possibly hacked WordPress installation. This kind of guarantees the result can be trusted, as opposed to using a WordPress plugin. I think this is a better integrity check of WordPress Core files.

Read more

In various hosting environments, WordPress core-, plugin- and theme updates sometimes fail because of enabled opcode caches. Popular PHP opcode caches are OPcache, WinCache and APC. This little WordPress Must Use Plugin tries to flush opcode caches. Making your live a bit easier when updating WordPress Core, Plugins and Themes.

Read more

WinCache, or Windows Cache Extension for PHP, is a PHP accelerator that is used to significantly increase the speed of PHP applications running on Windows Server IIS. Besides increasing the speed of PHP applications, WinCache decreases CPU usage making it a win win situation extension.

Read more

WordPress load testing with ApacheBench.

ab is a small benchmark utility that comes with Apache. It’s a really simple HTTP load generating tool, ideal for a simple WordPress load & speed test. How fast does your WordPress site respond? How many HTTP requests per second can your server handle? These are questions on which ab can shed some light.

Read more

How to measure WordPress’ loading time and executed database queries?

During an HTTP request, WordPress executes a lot of queries on your MySQL database. Not just the database queries take time, also loading and executing PHP takes time. How do you measure this?

Read more

Who said WordPress is slow on Windows Server IIS? Gzip compress and serve WP-Super-Cache or Cache Enabler static HTML files, to supercharge your WordPress blog. Here is how to serve gzip compressed HTML files through Windows Server IIS: create smaller, compressed, static HTML files, that are downloaded faster. This works with WP-Super-Cache and Cache Enabler on IIS!

Read more