WordPress is a wonderful tool, there’s no doubt about that. As estimated by Who is Hosting this, WordPress takes a 20% slice of the whole web today. That's an incredible mark of 75,000,000 websites running WP as you read this article. To me, that's pretty impressive, especially if you think about the huge number of websites that are misconfigured, vulnerable and miserably sluggish and slow. But it doesn’t need to be that way. We all want more speed, right? There we go!
First things first. I need to tell you that this article is intended for coders. If you’re not a developer, you may be a bit uncomfortable with some terms and pieces of information, but that doesn’t mean you can't extract some benefit from these tips.
Plugins are Evil
Here are the main reasons:
Slave of Updates. Forever.
Eliminate all the plugins you can. Plugins force you into an update routine in order to avoid exploitation of security holes. Besides that, there’s always a chance of something malfunctioning after an update.
Loss of Performance
Plugins are designed to cover a wide range of situations and use cases, so expect them to bloat your system with some, or lots of, features you just don’t need. It’s way better to write your own plugins, or even functions/methods, to deal with specific problems. A badly written plugin can easily suck valuable resources from your host’s machine and ruin your performance.
As said before, plugins are vulnerability points, especially the very popular ones. We’ll cover security topics later. Hold on, please!
To deal with performance issues, the best route is to choose a tool to take all the proper measurements. If you don’t, you’ll be flying without instruments, and that’s not good.
Oh, gosh! Is it a plugin? Yes, it is. But it’s a kind of "Mr. M" of plugins. It’s designed to show you, in a friendly way, which ones are good and which ones are bad. To me, it makes more sense to go with an external profiler, but it can be an option if you don’t have the means to install Xdebug.
I highly recommend taking a look at Xdebug. It’s a profiling tool that lets you measure the impact of code on loading time. You can always disable and enable plugins to analyse the impact they have on your website. In fact, Xdebug lets you profile any piece of code, so it’s way more powerful than P3 Profiler. Go for it!
Build your own theme
Stop buying stock WordPress themes. Start your own blank theme and add all the features and HTML yourself.
There are basic, blank, minimal WordPress theme generators out there. Try some out!
Skeleton Themes Generators
SSDs in your favor
C’mon, you already know SSDs are a huge leap in terms of speed and performance. We all know that the biggest players in the hosting market offer that technology even in their most basic plans. So, what’s the deal?
The deal is to favor static calls and static files over MySQL queries. This simple switch in approach can dramatically increase WordPress speed.
Store constants in "wp-config.php" with values you use often, like:
- Site path
- Template path
- Category IDs and titles
- Most used tags and labels
Avoid doing queries whenever you can, whether that means not querying the main categories (they are constants now, remember?) or building a banner or a carousel statically. Yes, request those types of sections as static template parts.
Images: pick some to call statically
Images that are part of the structure of the website can always be called statically, and so can parts of the header. Turn it all static! In most situations it is very easy, and why would you need to hook a logo into your control panel anyway? You’re a developer, my friend!
Could it be static too? Sometimes yes, sometimes not. Remember that you have the main categories’ IDs stored as constants? Because of that, it would be super easy to build a menu from those IDs instead of running a query to build it.
Obviously this brings some small downsides, so as the solution’s architect, it’s up to you to evaluate the pros and cons for each situation.
To strengthen my argument, I’d like to highlight the existence of several tools that turn dynamic websites into static ones. It’s not a new thing, it's true. If you think about it, most cache systems are based on writing static versions to disk or memory.
If you prefer to turn ALL YOUR WEBSITE into a static version, there are even plugins like WP2Static.
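The constants and the query-free menu described above can look like this; it is an added example, not code from the original article. The MYSITE_* names and the sample IDs, titles and URLs are constructed, and the /category/<slug>/ path assumes WordPress's default category base with pretty permalinks enabled.

```php
<?php
// --- wp-config.php (place above the "stop editing" line) ---
// Constructed sample values: replace with your site's real paths and IDs.
define('MYSITE_URL', 'https://example.com');
define('MYSITE_TEMPLATE_URL', MYSITE_URL . '/wp-content/themes/mytheme');
// Category ID => title and slug, copied once from the admin panel.
define('MYSITE_MAIN_CATEGORIES', [
    3 => ['title' => 'News',          'slug' => 'news'],
    7 => ['title' => 'Tips & Tricks', 'slug' => 'tips'],
    9 => ['title' => 'Reviews',       'slug' => 'reviews'],
]);

// --- theme file, e.g. functions.php ---
// Simplified stand-ins so the snippet also runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    function esc_url($url) { return htmlspecialchars((string) $url, ENT_QUOTES, 'UTF-8'); }
}

/**
 * Build the main menu from constants only, without a database query.
 * $current_id marks the active category (0 = none).
 */
function mysite_static_menu(int $current_id = 0): string
{
    $items = '';
    foreach (MYSITE_MAIN_CATEGORIES as $id => $cat) {
        // Assumption: default "/category/<slug>/" permalink structure.
        $href  = MYSITE_URL . '/category/' . rawurlencode($cat['slug']) . '/';
        $class = ($id === $current_id) ? ' class="current"' : '';
        // Escape on output even though the values are ours: a title such
        // as "Tips & Tricks" would otherwise produce invalid HTML.
        $items .= sprintf('<li%s><a href="%s">%s</a></li>',
            $class, esc_url($href), esc_html($cat['title']));
    }
    return '<ul class="main-menu">' . $items . '</ul>';
}

echo mysite_static_menu(7), PHP_EOL;
```

Constants go stale when a category is renamed or its ID changes, so update them together with the content. Because wp-config.php also holds the database credentials, keep it out of public backups and readable only by the web server user.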
Take a ride and get your own impressions. For now, let’s move on!
Polishing a bit more
If you've reached this point, your WP installation is probably a bit lighter and faster. Now it’s time to polish a bit more.
It’s a multi-tool for measuring several aspects of page loading, integrating Google PageSpeed and YSlow reports. Plus, you get lots of tips and recommendations to speed up your website. It’s really worth investing some time to learn how it works.
It’s a common mistake developers make: using .png images when a .jpg would be smaller. If you’re not using transparency, then a .png is not necessary. You can turn a banner image from 1Mb into a 150Kb image. That’s huge. GTmetrix lets you check whether your images have the proper compression level. If not, you should squeeze them a little bit.
Another common mistake is to resize images dynamically. For example: the image is 1920px wide and the theme is displaying the same image at 400px. Hell, no! There are lots of techniques to deal with responsive images and serve different versions for each screen size. GTmetrix lets you check whether your theme is resizing images too.
Reduce the Number of Requests
A small but valuable tip: removing all the comment lines can cause strange behaviour. Stay alert!
Are you still there? Great!
After all the hard work, you don’t want someone hacking your system, right? Of course you don’t. I’ll recommend at least three procedures to reinforce WordPress security.
1) CDN — Content Distribution Network
Use a CDN like Cloudflare. Why? With Cloudflare, for instance, you have a security layer in front of your website before external requests hit it. It can prevent common attacks like DDoS, not only by blocking suspect sources and bots, but also by applying more advanced methods. As a bonus you’ll get — Aha! — a good cache service without the need to install — coff coff — additional plugins.
2) Users and Login
Never, never, never, ever keep the user “admin” again. Change it immediately to something not so obvious. A great part of WP attacks are brute-force ones. So if the attacker knows your login, he’s going to get access to your admin area soon. Help Cloudflare block attackers by using a hard-to-guess login user. ;)
3) Strong passwords
I’m assuming you already knew that, but it’s worth telling you again. Always use a strong password.
After these procedures, am I still going to be hacked, you might ask?
Hard to guess, but I’d tell you the chances are way smaller. But remember that you’re using an Open Source platform that is heavily targeted by attackers, so it’s always a good idea to keep both eyes open.
Even more speed
If, after all those procedures, your website is still slow: sorry, bro. It's time to move on from your web host. And it happens a lot!
That’s it! Happy WP coding :)