WordPress is one of the most powerful and widely used website platforms in the world. Its popularity also makes it a frequent target for performance issues and security abuse, especially when sites are not properly configured.
The good news is that WordPress can be fast, stable, and secure, even for beginners, when a few best practices are followed. This guide outlines the most effective optimizations in order of impact.
If at any point you would prefer assistance, our support team is happy to help. Simply open a support ticket, and we can take care of these steps for you.
Before You Begin
Before making any changes, we strongly recommend creating a full backup of:
-
Your WordPress website files
-
Your WordPress database
Backups ensure you can quickly restore your site if needed.
1. Keep Everything Updated (Most Important)
Outdated software is the leading cause of WordPress performance issues and security vulnerabilities.
Make sure you regularly update:
-
WordPress core
-
Themes
-
Plugins
At a minimum, updates should be applied once per month. In the App Manager, you can enable automatic updates for WordPress, plugins, and themes. This is highly recommended.
2. Use the Latest Supported PHP Version
Newer PHP versions are faster, more secure, and more efficient.
Check available PHP versions in your hosting control panel and:
-
Start with the newest supported version
-
Only downgrade if a specific plugin or theme requires it
PHP version changes usually take effect within a minute. Refresh your browser after changing versions to confirm everything loads correctly.
3. Install Essential Plugins Only
We recommend a minimal, purposeful plugin setup.
Security
Use Wordfence to enable:
-
Brute-force login protection
-
Firewall rules
-
Bot blocking
-
Login attempt limits
Performance
Use LiteSpeed Cache (if available on your plan) and enable the recommended default settings. This provides:
-
Page caching
-
Image optimization
-
File minification
-
Browser caching
Avoid installing multiple plugins that perform the same function.
4. Optimize Page Size and Use Lazy Loading
Large pages place unnecessary load on your server.
Best practices:
-
Break very long pages into smaller sections or multiple pages
-
Enable lazy loading for images and media
-
Limit the number of posts displayed per page (five is a common safe default)
Smaller pages load faster and use fewer server resources.
5. Avoid Using Tags Excessively
Tags are often misunderstood and rarely provide meaningful SEO benefits.
Important notes:
-
Google has stated tags are not used for ranking
-
Excessive tags can create unnecessary database load
-
Categories are usually sufficient for organization
If you remove tags, ensure categories are well-structured for visitor navigation.
6. Remove Unused Plugins and Themes
Unused plugins and themes increase attack surface and resource usage.
Recommendations:
-
Delete any plugins you are not actively using
-
Keep only your active theme and the latest default WordPress theme
-
Aim to keep total plugin count reasonably low
A lean installation is a faster, safer installation.
7. Reduce admin-ajax Usage (Advanced)
The admin-ajax process is commonly abused and can cause high CPU usage.
Disabling or limiting admin-ajax requires careful configuration. We recommend following a dedicated guide or contacting support before making changes.
8. Limit Login Attempts
Limiting login attempts helps block automated attacks.
This feature is included in Wordfence and should be enabled on all WordPress sites.
9. Keep Media Properly Compressed
Large images significantly increase load time and server usage.
Best practices:
-
Compress images before uploading when possible
-
Enable image optimization in your caching or optimization plugin
-
Avoid uploading full-resolution camera images
Well-optimized media improves both speed and user experience.
10. Disable Comments If Not Needed (Optional)
If your website does not require comments:
-
Disable comments entirely using a lightweight plugin
-
Avoid feature-heavy plugins that add unnecessary overhead
This reduces spam and server load.
11. Ensure Proper SSL Redirection (Optional)
Some themes do not automatically redirect traffic to HTTPS.
Before adding a plugin:
-
Confirm whether your site already redirects to HTTPS
-
Only install an SSL redirect plugin if needed
All modern sites should load exclusively over HTTPS.
12. Disable Akismet If Not Required (Optional)
Akismet can block spam, but its impact on performance varies.
If you are already using Wordfence or another security solution:
-
Akismet may not be necessary
-
Consider disabling it if you experience performance issues
13. Avoid Jetpack on Shared Hosting (Recommended)
Jetpack offers many features but can significantly increase resource usage.
On shared hosting:
-
Jetpack is often unnecessary
-
It is better suited for VPS or dedicated servers
If performance matters, it is usually best to leave Jetpack disabled.
14. Disable XML-RPC (Optional but Recommended)
XML-RPC is frequently abused for spam and brute-force attacks.
If you do not use XML-RPC features, you can block it entirely by adding the following to your .htaccess file:
To allow a specific IP address:
If you are unsure whether you need XML-RPC, contact support before making changes.
There are many ways to optimize WordPress, but the steps above cover the most impactful actions that should be applied to every new installation.
Following these guidelines will:
-
Improve performance
-
Reduce CPU usage
-
Increase security
-
Prevent common WordPress issues
If you would like assistance implementing any of these steps, our support team is always available to help.
