WordPress is a CMS that is great for rapid development because it is so quick and easy to set up. Check out the famous WordPress 5-minute install.
However, if you want to make sure that your installation is working as efficiently and securely as possible, there are a few extra tweaks I tend to add to most sites I set up.
During the setup, you are prompted to set a couple of site variables. It's easy to skip these and leave them at their default values, but don't.
Changing the default table prefix from 'wp_' to something else means that:
- You can have multiple WordPress sites in one database without overwriting each other's tables.
- If an attacker gains access to your database, they will have a slightly harder time working out what tables you have. Treat this as a minor hurdle rather than a defence: anyone with a database connection can simply list the tables, and a SQL injection flaw in a plugin can read the real prefix from information_schema.
Don't leave the default admin user called 'admin'. Brute-force attacks have a much easier job if the attacker only has to guess the password and not the username as well. Bear in mind that WordPress exposes usernames in other places too (author archive URLs, the ?author=N redirect and the REST API users endpoint), so a non-obvious username slows attackers down but is no substitute for a strong password.
This is best done when you first set up the site, because changing the admin username afterwards is a lot more awkward: you either create a new administrator, log in as it and delete the old account while reassigning its posts, or edit the user_login column directly in the database.
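Renaming the account only helps if the site does not hand the username out elsewhere. The must-use plugin below is an added example, not code from the original post: it closes the three common username-enumeration routes (the ?author=N redirect, the REST API users endpoint for anonymous visitors, and the differing "unknown username" / "wrong password" login errors). The plugin header and the file location (wp-content/mu-plugins/hide-usernames.php) are assumptions, as is the decision that the site has no use for public author archives.

```php
<?php
/*
Plugin Name: Hide Usernames (added example)
Description: Closes the usual username-enumeration routes and returns a generic login error.
             Assumed location: wp-content/mu-plugins/hide-usernames.php
*/

// 1. Block ?author=N on the front end. WordPress would otherwise redirect it to
//    /author/<username>/, which reveals the login name for each user ID in turn.
add_action('init', function () {
    if (!is_admin() && isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// 2. Remove the /wp-json/wp/v2/users routes for visitors who are not logged in.
//    Logged-in users (the block editor needs the author list) keep them.
add_filter('rest_endpoints', function ($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users']);
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 3. Use one message for "unknown user" and "wrong password", so the login form
//    no longer confirms which usernames exist.
add_filter('login_errors', function () {
    return 'Invalid login details.';
});
```

Author archives at /author/<name>/ still resolve for anyone who already knows the name, so the rename plus a strong password (or two-factor login) remains the real control; this plugin just removes the free lookup.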
Limit Previous Post Versions
WordPress keeps previous versions of posts, which is handy if you accidentally save something and want to revert. However, every revision is a row in the posts table, so this can bloat the database if your site has a lot of posts or is updated frequently.
By adding one of these settings to your wp-config.php file you can limit post revisions to something reasonable, or disable revisions altogether:
define('WP_POST_REVISIONS', 3);     // keep the last three revisions of each post
define('WP_POST_REVISIONS', false); // or disable revisions entirely
WordPress automatically saves posts as you write them, every 60 seconds by default. Each autosave is an extra request to the server, which is usually a bit unnecessary.
Adding this setting to wp-config.php lets you change the interval (in seconds) to something more reasonable, like 5 minutes:
define('AUTOSAVE_INTERVAL', 300); // 5 mins
Move the wp-content Directory
There are some security advantages to moving your wp-content directory away from its default location under the site root. It may deter some automated bots that scan your domain for recognised directory patterns such as /wp-content/plugins/.
Anybody who looks even a little more closely at your site will still be able to work out where wp-content is, since the URL appears in every enqueued stylesheet and script, but it's another small step towards making your site look a little less like a standard WordPress installation. Two caveats: the directory still has to be web-accessible, because it serves your themes and uploads, and plugins that hard-code the wp-content path instead of using the constants will break, so test them after the move.
In wp-config.php, before the line that loads wp-settings.php, set both the filesystem path and the URL, with no trailing slashes:
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/path/wp-content');
define('WP_CONTENT_URL', 'http://mysite.com/path/wp-content');
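Since every tweak so far lives in wp-config.php, here is one worked fragment that puts them together. It is an added example, not the original post's code: the prefix 'k3d9_', the directory name 'assets' and the domain mysite.com are placeholders, and it assumes wp-config.php sits in the site root (WordPress also allows it one directory up, in which case the __DIR__ path below would need adjusting).

```php
<?php
// wp-config.php fragment (added example). These lines must sit above the
// "That's all, stop editing!" line, i.e. before wp-settings.php is required,
// otherwise the constants are defined too late to take effect.

// 1. Non-default table prefix. WordPress only accepts letters, digits and
//    underscores here, and it must be chosen before the install runs, because
//    the tables are created with this name.
$table_prefix = 'k3d9_'; // placeholder; pick your own

// 2. Keep three revisions per post (use false to disable revisions) and
//    autosave every five minutes instead of every 60 seconds.
define('WP_POST_REVISIONS', 3);
define('AUTOSAVE_INTERVAL', 300);

// 3. Relocated wp-content. __DIR__ is the directory containing this file, so the
//    path also resolves under WP-CLI and cron, where $_SERVER['DOCUMENT_ROOT'] is
//    not set. No trailing slash on either value, and the URL scheme must match
//    the site's own (mixed http/https here breaks assets on HTTPS pages).
define('WP_CONTENT_DIR', __DIR__ . '/assets');              // 'assets' is assumed
define('WP_CONTENT_URL', 'https://mysite.com/assets');      // domain is a placeholder

// WordPress derives the plugin location from the two constants above; setting
// these explicitly as well keeps plugins that read them pointing at the same place.
define('WP_PLUGIN_DIR', WP_CONTENT_DIR . '/plugins');
define('WP_PLUGIN_URL', WP_CONTENT_URL . '/plugins');
```

After changing the path, move the existing wp-content directory (plugins, themes and uploads) to the new location in the same step, or the site will come up with no theme and no plugins active.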
One of my biggest problems with WordPress is its greedy habit of creating thumbnails of every registered size for every uploaded image, whether that thumbnail is used or not. This can cause your uploads directory to grow very large very quickly, so anything that keeps it in check is useful.
If your theme uses custom image sizes, update the thumbnail sizes in Settings > Media to match those in your theme. If you don't need any of the default image sizes like 'medium' or 'large', set their width and height values to zero to stop WordPress generating those thumbnails.
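The same result can be enforced from the theme, which survives someone re-entering values in Settings > Media later. The snippet below is an added example, not code from the original post; it assumes a theme that needs exactly one custom size, 'card' at 600x400, and goes in the theme's functions.php (or an mu-plugin).

```php
<?php
// Added example: register only the image size the theme uses and stop WordPress
// generating the rest. Assumed theme size: 'card', 600x400, hard-cropped.

// 1. The one size the theme actually renders.
add_action('after_setup_theme', function () {
    add_image_size('card', 600, 400, true);
});

// 2. Drop the two large sizes WordPress registers by itself (since 5.3). They are
//    added on 'init' at priority 0, so removing them at the default priority works.
add_action('init', function () {
    remove_image_size('1536x1536');
    remove_image_size('2048x2048');
});

// 3. Filter the list of sizes generated at upload time. 'thumbnail' is kept because
//    the admin media library grid uses it; without it the grid loads full-size
//    originals. The other defaults are not needed by this theme.
add_filter('intermediate_image_sizes_advanced', function ($sizes) {
    unset($sizes['medium'], $sizes['medium_large'], $sizes['large']);
    return $sizes;
});

// 4. Do not create the extra "-scaled" copy of very large originals (WordPress
//    makes one above 2560px by default).
add_filter('big_image_size_threshold', '__return_false');
```

This only affects images uploaded after the change; existing thumbnails stay on disk until a regeneration tool is run, and step 4 means oversized originals are served as-is, so keep an eye on what gets uploaded.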
It's useful to have a cache plugin like WP Super Cache set up on your site, even if you don't think you need it right now.
When your site becomes so popular that the server starts to fall over, that is a bad moment to start installing a cache plugin. Have the plugin ready to go, and you can just activate the cache, or even use WP Super Cache's 'lock down' mode, if your site happens to get tweeted by Stephen Fry.
If your site is going to use comments, definitely sign up to Akismet, which will help filter out spam comments.
If you're not using comments, disable all the comment features in Settings > Discussion, and check that 'Anyone can register' is switched off in Settings > General, so people can't sign up or submit content.
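Settings can be switched back on by any administrator, so on a site that will never use comments it is worth enforcing the same thing in code. The must-use plugin below is an added example, not code from the original post; it assumes the site needs neither comments, pingbacks nor self-registration, and the file location (wp-content/mu-plugins/no-comments.php) is an assumption.

```php
<?php
/*
Plugin Name: No Comments (added example)
Description: Closes comments and pingbacks everywhere and keeps self-registration off,
             regardless of what the settings screens say.
             Assumed location: wp-content/mu-plugins/no-comments.php
*/

// 1. Keep "Anyone can register" (Settings > General) off, and make new posts
//    default to closed (Settings > Discussion), whatever is stored in the options.
add_filter('pre_option_users_can_register', '__return_zero');
add_filter('pre_option_default_comment_status', function () {
    return 'closed';
});

// 2. Report every post as closed for comments and pings. Themes check these before
//    rendering a form, and wp-comments-post.php and the REST API check them before
//    accepting a submission, so direct POSTs are rejected too.
add_filter('comments_open', '__return_false', 20, 2);
add_filter('pings_open', '__return_false', 20, 2);

// 3. Remove comment support from every post type so the editor and admin screens
//    hide it. Priority 100 runs after plugins have registered their own types.
add_action('init', function () {
    foreach (get_post_types() as $type) {
        remove_post_type_support($type, 'comments');
        remove_post_type_support($type, 'trackbacks');
    }
}, 100);

// 4. Take the comments endpoints out of the REST API entirely, so there is no
//    anonymous route for reading or posting comments.
add_filter('rest_endpoints', function ($endpoints) {
    unset($endpoints['/wp/v2/comments']);
    unset($endpoints['/wp/v2/comments/(?P<id>[\d]+)']);
    return $endpoints;
});

// 5. Drop the XML-RPC pingback methods, a long-standing spam and abuse vector.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});
```

Existing comments are untouched by this; if the site already has some, delete them or they will keep being served in feeds and to anyone querying the database.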