Why do you need to care about it?
- This is about website security and performance. Following this guide will ensure smooth operation of your WordPress site.
1. Update to WordPress 5.2
- Log in to the Dashboard > Go to Update
- Click the Update Now button and wait a few seconds. Do not press back or reload.
- Check site health
- I have managed to get an awesome 100% result and I want to help you achieve the same.
2. Keep one default theme
- You should keep the latest default theme: Twenty Nineteen.
- Delete unused themes (except a child theme and its parent theme), and also delete unused plugins.
3. Keep all themes and plugins up to date
- If you do not update themes and plugins in a timely manner, your website is most likely to get hacked and go down. Google may warn searchers by showing “This site may be hacked”.
4. Use latest version PHP 7.3
WordPress 5.2 also checks whether you are using a secure and up-to-date version of PHP.
Please note: your website can get hacked if your host is still using the PHP 5.x family.
Today, many plugins work well only with the latest version of PHP, so you should upgrade if possible.
If you compare PHP 7.3 to PHP 5.6, it can handle almost 3x as many requests (transactions) per second!
5. Use MariaDB 10.1 or later, or MySQL version 5.6 (at least)
- I am using the latest version of MariaDB, which supports UTF8MB4, a database storage attribute that makes sure your site can store non-English text and other strings (for instance emoticons) without unexpected problems.
- Managing a Cloud VPS? Learn how to install MariaDB. (Ref: step 20)
6. Use HTTPS
- HTTPS requires a valid SSL certificate on your web server.
- Chrome will show a Not Secure warning if you don’t use HTTPS and your page provides any kind of web form.
- SSL improves security through an encrypted connection and data integrity, and it provides support for HTTP/2, geolocation, push notifications and a higher trust value.
- Implement HSTS along with it.
- It’s a Google ranking factor.
- Let’s Encrypt and Cloudflare SSL are also free, so there shouldn’t be any excuse for not using SSL.
- A premium SSL certificate valid for 1 year costs about $5.66/yr. Check https://www.ssls.com/
Here’s a list of managed WordPress hosting companies that offer one-click free SSL and support for the latest versions of PHP and MySQL.
7. Make sure Cron Job is not disabled
- WordPress uses it to check for updates, publish scheduled posts, etc. in the background.
- You can check with “WP-Cron Status Checker” plugin.
- Some hosting companies, such as SiteGround, disable it for performance reasons. Ask your host to enable it manually; otherwise some WordPress functions will not work at all.
8. Turn off WordPress debugging
- In wp-config.php, make sure the WP_DEBUG constant is set to false. This is the default setting.
define( 'WP_DEBUG', false );
- This prevents WordPress from leaking information about your server.
9. Don’t disable Background updates
- Doing so will put your site at greater risk of getting hacked.
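Steps 7 to 9 all come down to constants in wp-config.php, so they can be checked in one pass. The script below is an added example, not part of the original guide: it flags WP_DEBUG, DISABLE_WP_CRON and AUTOMATIC_UPDATER_DISABLED when they evaluate to true in PHP (including the quoted 'false' mistake, which PHP treats as true). The last two constant names and the sample file are assumptions added here.

```python
import re

# WP_DEBUG is named in step 8; DISABLE_WP_CRON and AUTOMATIC_UPDATER_DISABLED are
# the WordPress constants assumed here to be what steps 7 and 9 refer to.
RISKY_WHEN_TRUE = {
    "WP_DEBUG": "step 8: debugging is on",
    "DISABLE_WP_CRON": "step 7: WP-Cron is disabled",
    "AUTOMATIC_UPDATER_DISABLED": "step 9: background updates are disabled",
}

# Keep string literals (group 1); drop /* */, // and # comments.
_COMMENT = re.compile(r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|(?://|#)[^\n]*""", re.S)
_DEFINE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.I)

def php_truthy(literal):
    """Evaluate a PHP literal as `if ( CONSTANT )` would; None if it is not a literal."""
    lit = literal.strip()
    if len(lit) >= 2 and lit[0] in "'\"" and lit[-1] == lit[0]:
        return lit[1:-1] not in ("", "0")   # 'false' is a non-empty string: truthy
    if lit.lower() in ("true", "false", "null"):
        return lit.lower() == "true"
    try:
        return float(lit) != 0
    except ValueError:
        return None                          # an expression such as getenv(...)

def audit(wp_config_text):
    """Return {constant: reason} for settings that contradict steps 7 to 9."""
    code = _COMMENT.sub(lambda m: m.group(1) or "", wp_config_text)
    seen, findings = set(), {}
    for name, literal in _DEFINE.findall(code):
        if name in seen or name not in RISKY_WHEN_TRUE:
            continue
        seen.add(name)                       # PHP keeps the first define() of a constant
        state = php_truthy(literal)
        if state is None:
            findings[name] = "cannot evaluate %r, review by hand" % literal
        elif state:
            findings[name] = RISKY_WHEN_TRUE[name]
    return findings

# Constructed sample, not a real site's configuration.
SAMPLE = """<?php
// define( 'WP_DEBUG', true );
define( 'WP_DEBUG', 'false' );
define( 'DISABLE_WP_CRON', true ); /* set by host */
define( 'AUTOMATIC_UPDATER_DISABLED', false );
"""
print(audit(SAMPLE))
```

To check a real site, pass the contents of its wp-config.php to audit(); an empty result means none of the three constants is set against the advice above.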
10. Don’t disable the REST API
- Doing so will prevent WordPress from functioning properly. Some Android apps also require it to be enabled.