WordPress is the world’s most popular blog and content management system but it ignores many important aspects of overall platform management that are critically important to maintaining a successful site. This is by design. WordPress is an extensible platform and as such, the project’s architects defer to the user community to extend WordPress’ functionality with custom plugins to cover functional gaps. In this article we will take a deep dive into 10 easy-to-implement enhancements that will make your site safer, faster, more discoverable by search engines, and more resilient to hacker attacks. Ok, let’s get started!
You’ll need admin access to your WordPress site as well as permissions to install plugins. If you’re planning to build a site from scratch then I recommend the following two how-to guides from the AWS official documentation
1. Linux Operating System Tuning
This first step is only relevant if your WordPress site is on a server that you control, and to which you have SSH access. The default settings for Linux, Apache, MySQL, and PHP generally work well for most WordPress sites. One exception however is the “Maximum File Upload Size” in the PHP settings which defaults to 8mb. Most custom theme packages and custom plugins are larger than 8mb and so this setting is a common stumbling block on new WordPress sites; so much so that we should preemptively set it to a higher value.
The PHP configuration file is located at /etc/php.ini. There are two sets of parameters that you should check and potentially adjust. The first is on or around row 657. Modify post_max_size to 128M.
The second is on or around row 800. Ensure that file_uploads = On, then modify upload_max_filesize to 128M and max_file_uploads to at least 20.
2. Add SSL Encryption With LetsEncrypt
There are immediate and tangible benefits to adding SSL encryption to your WordPress site, and thanks to LetsEncrypt it’s become both easy to setup and free. Adding SSL encryption ensures a private browsing experience for your visitors. It also makes your WordPress site appear more professional and it noticeably improves your Google and Bing page rank. To setup SSL encryption on your WordPress site follow my step-by-step how-to guide for installing LetsEncrypt on your Amazon Linux EC2 instance
3. Rename The WordPress Admin Login Page
The most prevalent WordPress hacking strategies are surprisingly crude, and involve mobilizing large botnets to randomly guess the password to the WordPress admin console. A highly effective counter-measure is to simply change the console login URL to something different so that botnets get a 404 “page not found” error every time they attempt to access your login page to guess the password. We’ll do this with a free plugin named Rename wp-login.php to anything you want. After installing the plugin you’ll find a new input box in the Settings->Permalinks console page where you can set the login URL to any syntactically valid name.
Important: You will be immediately logged out of the WordPress Admin console after updating the name of the login URL. Do not forget the new URL or you will not be able to login again!
And presto, as simple as that, you’ve just thwarted a not-insignificant percentage of hacking attempts on your WordPress site.
4. Add Wordfence Security Plugin
Wordfence Security is a freemium plugin that takes care of most of the heavy lifting regarding site security. This is a full-featured, well-designed and well-supported WordPress security solution. The free version is excellent, and might be all that you need. Setup is mostly automatic and includes a wizard that is designed for regular human beings with a limited understanding of web security concepts (i.e. most people).
5. Add W3 Total Cache Plugin
WordPress greatly simplifies content management; even for multi-user environments with sophisticated editing and publishing practices. But the flip side to WordPress’ user friendliness is a lot of complexity under the hood, and all of that complexity means that your server works hard to serve up pages to your site’s visitors. There are a half-dozen generally-accepted strategies for optimizing performance of WordPress sites, and W3 Total Cache is a fantastic full-featured solution that will enable you to leverage the short-list of strategies that are both high impact and easy to setup. For sites that not very interactive, like this blog for example, you should focus on only three performance strategies
- Browser Caching. It turns out that popular computer browsers like Chrome, Firefox, Safari and others support browser caching, which is similar to page caching. Your computer (or rather, the computer of your site visitor) stores copies of all files that you download so that these pages can be served up instantaneously if and when you visit these pages later on. Browser Caching regards things that your WordPress site can do to the files it serves so as to incentivize visitors’ browsers to cache as many files as possible for as long as possible. Like page caching, W3’s default settings for browser caching work well.
- Content Delivery Networks (CDN). Delivery of large multimedia content to your site visitors is a lot more complicated than it might seem, and it has mostly to do with the geographic location of your site visitors relative to the geographic location of your WordPress server. The farther your visitors are from your web server, the longer it will take them to download large digital content. The extent of performance degradation that your visitors can encounter can be alarming depending on the nature of the WordPress content your are serving. CDN’s cache copies of your digital content in multiple locations around the world in order to bring your content closer to your site visitors. CDN’s usually serve this content from special high-performance servers that can be multitudes faster than your web server. Offloading large multimedia content to a CDN is an effective way to minimize the workload on your server. Bear in mind that a CDN is a 3rd party subscription platform to which you need to subscribe and then configure. I recommend AWS Cloudfront which is inexpensive (its free in most cases) and easy to setup. See my blog article XXX on setting up a Cloudfront CDN for WordPress.
6. Add Yoast SEO Plugin
SEO is of interest to anyone who is part of an online project. On the other hand, it’s highly technical, multidisciplinary, dynamic and rapidly-changing. And frankly, it’s a topic who’s requirements exceed the will and interest level of nearly everyone beyond legitimate SEO professionals. Enter Yoast, a full-featured freemium WordPress plugin that takes care of most, if not all, of what most WordPress sites need. Yoast is so good in fact, and so easy to install that I won’t waste another second of your time — just install it! You won’t be disappointed.
7. Add Google Analytics Dashboard Plugin
If you don’t yet have a Google Analytics account for your WordPress site then you should bite the bullet and do that now. See these instructions for creating a free account. Once your Analytics account is setup you can add your Google Analytics tracking code in addition to adding a helpful Analytics Dashboard to your admin console by installing a free WordPress plugin named Google Analytics Dashboard for WP (GADWP). This plugin automagically takes care of the technical and cumbersome steps for getting your WordPress site setup on Google Analytics.
8. Add RealFaviconGenerator Plugin
Adding a favicon (the little icon in the browser tab next to your site name) is great way to make your site look professional and “complete”. However, many people struggle with two details. First, many people don’t know how to create a favicon in proper ico file format, the format that browsers expect your web server to provide. Additionally, many people don’t know how to add the line of html code to the header section of their pages. Favicon by RealFaviconGenerator is a free plugin that provides an elegant solution for both of these problems. It’s so intuitive that I need not explain further. Yippee!!!!
9. Add WP Custom CSS Plugin
10. Add Updraft Backup Plugin
Last, and most importantly: your site must have an effective backup solution. To be effective, your backup solution should backup ALL of your site’s data: MySQL data, digital multimedia, and program files. Additionally, a backup solution should work unattended and on a regular schedule (daily, weekly, whatever). Lastly, an effective backup solution should save the backup files to an alternative location (i.e. it should NOT save the backup on your web server’s file system). UpdraftPlus WordPress Backup is a freemium plugin that satisfies all of these requirements. I suggest storing your backup files to an AWS S3 bucket. See my step-by-step how-to guide on configuring UpdraftPlus to save to AWS S3.