It takes two easy steps to install WordPress, but you should tweak some of the default settings to further optimize the performance and improve the security of your WordPress website.
Optimize your WordPress Installation
These suggestions are only applicable to self-hosted WordPress.org sites and not WordPress.com blogs. Also, I assume that you are running WordPress on Apache under Linux. Let’s get started:
1. Move out the media upload folder
WordPress stores all your uploaded images and files in the wp-content/uploads folder. You should, however, move this folder outside the main WordPress folder, preferably onto a sub-domain. Your WordPress backups will then be more manageable (the uploaded files and themes can be backed up separately) and, most important, serving images from a different domain allows parallel downloads in the browser, improving page loading time.
Open your wp-config.php file and add the following lines to change the location of the wp-content folder. You may also deselect the option – “Organize my uploads into month- and year-based folders.”
2. Remove unnecessary meta tags from WordPress header
If you look at the HTML source code of your WordPress site, you will find a couple of meta tags in the header that aren’t really required. For instance, the version of WordPress software running on your server can be easily retrieved by looking at your source header.
This information is a useful hint to attackers who are looking for blogs running older, less secure versions of WordPress. To completely remove the version number and other non-essential metadata from your WordPress header, add this snippet to the functions.php file in your theme's folder.
3. Prevent people from browsing your folders
Since you would not want anyone to browse your WordPress files and folders as a directory listing in the web browser, add the following line to the .htaccess file in your WordPress installation directory.
Also make sure that there is a blank index.php in the wp-content/themes and wp-content/plugins folders of your WordPress directory.
4. Disable HTML in WordPress comments
The comment box in WordPress allows commenters to use HTML tags, and they can even add hyperlinks in their comments. Links in comments carry rel=nofollow, but if you would like to disallow HTML in WordPress comments entirely, add this snippet to your functions.php file.
5. Turn off Post Revisions in WordPress
WordPress includes a helpful post revisions feature that tracks changes to your posts and lets you revert to any previous version. Post revisions do, however, increase the size of your wp_posts table, since each revision is stored as an additional row.
To disable post revisions in WordPress, open the wp-config.php file in your WordPress directory and add the following line:
Alternatively, if you would like to retain the post revisions functionality, you can limit the number of revisions that WordPress stores in the MySQL database. Add this line to the wp-config file to store only the 3 most recent revisions.
6. Change the Post Auto-Save Interval
When you are editing a blog post in the WordPress editor, it auto-saves your draft as you type, which helps you recover your work if the browser crashes. Drafts are saved every minute, but you can change the interval to, say, 120 seconds (2 minutes) by adding a line to your wp-config.php file.
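A wp-config.php excerpt covering tips 1, 5 and 6 together, added here as an example; it is not the snippet from the original article. The directory and hostname values are assumptions for illustration and must be adjusted to your own server layout.

```php
<?php
// wp-config.php excerpt, constructed for this example (not the article's snippet).
// Assumed layout: WordPress core in /var/www/example.com/public, and the
// wp-content tree in /var/www/static.example.com/wp-content, served from
// https://static.example.com. All defines below must sit above the line that
// requires wp-settings.php, otherwise WordPress has already used the defaults.

// Tip 1: relocate the whole wp-content tree (uploads, themes, plugins).
// WP_CONTENT_DIR is an absolute filesystem path with no trailing slash;
// WP_CONTENT_URL is the public URL of that same directory.
define( 'WP_CONTENT_DIR', '/var/www/static.example.com/wp-content' );
define( 'WP_CONTENT_URL', 'https://static.example.com/wp-content' );

// Refuse to start if the relocated directory is not reachable, so a typo
// shows up immediately instead of as missing themes and failed uploads.
if ( ! is_dir( WP_CONTENT_DIR ) ) {
    exit( 'WP_CONTENT_DIR in wp-config.php does not point to an existing directory.' );
}

// Tip 5: keep at most the 3 most recent revisions per post. Set this to
// false to switch revisions off entirely; the editor's autosave is separate
// and is not affected by this constant.
define( 'WP_POST_REVISIONS', 3 );

// Tip 6: autosave the draft every 120 seconds instead of the default 60.
define( 'AUTOSAVE_INTERVAL', 120 );
```

After moving wp-content, confirm the new location is writable by the web server user and that a test upload lands under the static hostname before taking the old folder out of the backup set.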
7. Hide the non-essential WordPress RSS Feeds
Your WordPress installation generates multiple RSS feeds – the blog feed, article feeds, comments feed, category feeds, archive feeds, etc. – and these are auto-discoverable because they are included in the HTML header of your blog pages as <link> tags. If you want to publicize only your main RSS feed and remove the other feed links from the HTML header, add a line to your functions.php file:
8. Maintain a Single RSS Feed, Redirect Others
In the previous step we only stopped the other feed links from being printed in the site header; the feeds themselves still exist. If you would like to serve a single RSS feed through FeedBurner and disable all the other feeds, add this to your .htaccess file. Remember to replace the feed URL with your own.
9. Disable WordPress Login Hints
When you type a non-existent username or an incorrect password while logging into WordPress, it shows a very detailed error message telling you exactly whether the username is wrong or the password doesn't match. That offers a hint to people trying to break into your WordPress blog but, fortunately, these login hints can be disabled.
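A functions.php excerpt that carries out tips 2, 4, 7 and 9 in one place, added here as an example rather than the article's own snippets. The hooks and callbacks are standard WordPress ones; the wrapper function name is invented for this example.

```php
<?php
// functions.php excerpt, constructed for this example (not the article's snippet).

function example_trim_wp_head() {
    // Tip 2: stop printing the generator meta tag that carries the WordPress
    // version, plus the RSD and Windows Live Writer discovery links.
    remove_action( 'wp_head', 'wp_generator' );
    remove_action( 'wp_head', 'rsd_link' );
    remove_action( 'wp_head', 'wlwmanifest_link' );

    // Tip 7: keep the site and comments feed links (feed_links, priority 2)
    // and drop the per-post, category, tag, author and search feed links
    // (feed_links_extra, which WordPress registers at priority 3).
    remove_action( 'wp_head', 'feed_links_extra', 3 );
}
add_action( 'init', 'example_trim_wp_head' );

// The version string is also written into RSS/Atom output; blank it there too.
add_filter( 'the_generator', '__return_empty_string' );

// Tip 4: HTML-escape comment text before it is saved, so tags and <a href>
// links typed by commenters are displayed literally instead of rendered.
// Bare URLs are still auto-linked on display by make_clickable().
add_filter( 'pre_comment_content', 'esc_html' );

// Tip 9: replace the detailed failure message on wp-login.php with one
// generic sentence, so a wrong username and a wrong password look the same.
// The same filter runs for every error printed on the login screen (including
// the lost-password and registration forms), so keep the wording generic.
add_filter( 'login_errors', function ( $message ) {
    return 'Login failed. Please check your credentials and try again.';
} );
```

Removing the generator tag does not hide the version from the ?ver= query string on enqueued scripts and styles or from readme.html in the web root, so treat it as tidying rather than a substitute for keeping WordPress updated.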
10. Enable 2-factor Authentication
This is highly recommended. If someone gets hold of your WordPress credentials, they will still need your mobile phone to get into your WordPress dashboard.
Unlike Dropbox or Google, 2-step verification isn't built into WordPress, but you can use the Authy plugin to enable 2-factor authentication.
11. Change the Permalink Structure
Do not use the default permalink structure of WordPress, since it is bad for SEO. Go to Options -> Permalinks in your WordPress dashboard and change your WordPress permalink structure to something like:
12. Add Favicon and Touch Icons
Your WordPress theme may not include references to the favicon (favicon.ico) or the Apple touch icons, but web browsers and feed readers may still request them from your server. It's always better to serve a file than to return a 404.
First, create a 16×16 favicon.ico and a 144×144 apple-touch.png file and upload them to the home directory of your blog. Then add this line to your .htaccess to redirect all Apple touch icon requests to that file.
13. Disallow Indexing of WordPress scripts
You want Google and other search engines to crawl and index your blog pages but not the various PHP files of your WordPress installation. Open the robots.txt file in your WordPress home directory and add these lines to stop bots from indexing the WordPress backend files.
14. Make the Admin a Subscriber
If your WordPress username is “admin,” create a new user and grant them administrator privileges. Then log out of WordPress, log in as the new user, and change the role of the user “admin” from Administrator to Subscriber.
You may even consider deleting the user “admin” and transferring any existing posts and pages to the new user. This matters for security because you don't want anyone to be able to guess the username that has administrator privileges on your WordPress installation.