How to change your WordPress Permalink Structure • Yoast

Changing WordPress Permalink Structure

There are two steps in changing your WordPress permalink structure. The first is simple: go to Settings -> Permalinks and select Post name.

If you don’t have the post name option yet, you’re not on WordPress 3.3, the release of which is imminent. You could wait a bit for the update, or you could just add /%postname%/ as a custom permalink structure.

The second step is to redirect your old permalinks to your new ones. To do that, you have to add redirects to your .htaccess file.

In my domain the redirects look like this:

  • Day and Name /%year%/%monthnum%/%day%/%postname%/ :  RedirectMatch 301 ^/([0-9]{4})/([0-9]{2})/([0-9]{2})/(.*)$ http://www.dagorret.net/$4
  • Month and Name /%year%/%monthnum%/%postname%/ : RedirectMatch 301 ^/([0-9]{4})/([0-9]{2})/(.*)$ http://www.dagorret.net/$3
  • Numeric /archives/%post_id% :  RedirectMatch 301 ^/archives/(\d+)$ http://www.dagorret.net/?p=$1
  • Default ?p=123 : You don’t have to do any redirects, WordPress will do it for you.

 

And if your WordPress works in a subdirectory, the redirects look like:
RedirectMatch 301 ^/blog/([0-9]{4})/([0-9]{2})/([0-9]{2})/(.*)$ http://www.dagorret.net/blog/$4

via How to change your WordPress Permalink Structure • Yoast.

WordPress 3 – Pros and Cons


Alright bloggers, web surfers and simple web enthusiasts, we’ve got some fascinating news for you all. Yes, Internet community can’t stop buzzing about the forthcoming release of the new version of #1 blogging software – WordPress 3.0.

  • MU or Multi-User option now will be available to all WordPress 3.0 users. In case you still have no idea what it’s all about we can tell that this is one of the best features that will allow you to manage multiple blogs with different permissions – from a single admin panel. Alright, admit it – we all have at least a couple of blogs to work with, right? So MU is a very good – and anticipated – feature.
  • Another great innovation is the improvement of support for custom post types. These are great news for bloggers because it simplifies their work in creating and managing content, but it doesn’t mean that categories will disappear.
  • Menu management is one of the best improvements in 3.0 release because of the Custom Navigation menu system that will be included into the core – with drag and drop and other usability features brought to various types of menus. This menu enlightens widget management, submenus system and much more.
  • WordPress 3.0 will have a new default design theme that will be called 2010 – you can see the live demo of this design on official WordPress website. As you understand according to the new name of default theme every year WordPress will hopefully get a new default theme.


  • Custom Background and Image support system will help you create new theme for your blog in a matter of minutes.
  • WordPress 3.0 makes it possible to use the specific author templates. So, you can easily mark your own post or entry with your signature.
  • Canonical Plugins will be available in WordPress 3.0. This means that from the moment it is launched you will be able to easily use your favorite plugins without being afraid that new release of WordPress will kill them.

Alright, these were the good news and now it is time to point out some disadvantages that WordPress still can’t get rid of (and most likely will not even in WordPress 3.0). It is not a secret that WordPress does have some peculiarities that are not quite comfortable for the users. So, here are some issues that were really irritating in older versions and that we wouldn’t want to see in further WordPress versions.

Security is one of the most important features for any platform and old WordPress versions’ minimal requirements of PHP4 and MySQL4 are quite insecure. But we know that now you can easily migrate to PHP5 though this fact only solves the problem partially.

  • Chmod 777 command security risks, which have been one of the favorite topics to discuss for at least several years now. Anyway, according to NerdGrind:

    This would make your WordPress installation vulnerable to a security attack. Some plugins might ask you to do this temporarily, and then ask you to change the permissions back to 755 after the plugin finishes its setup. This won’t fix your problem without adding more problems. This might allow the plugin upgrade to work, but it won’t fix the WordPress upgrade issue unless you chmod 777 the entire WordPress installation directory, which is a huge security risk, and should never be done.

  • Autosave and revisions issues that sometimes expand your database 20 times from what it was just ten minutes ago. There are some plugins for this problem but we hope this feature can be fixed on a higher level.
  • Re-installing WordPress database can cause WP database class bug. This may cause troubles for users especially considering Multi-User merging process. Hakre on WordPress states that this bug will remain in 3.0 version too.

    When a replacement class is in use, the original WPDB one will get re-created under certain circumstances instead of the replacement one. That breaks the modular DB replacement concept once introduced.

With all that being said, even though WordPress 3.0 may have some bugs (and we’re not saying it will, let’s just hope for the best) the new release is really an amazing event and we can’t wait until it is launched. There is no doubt that the new WordPress 3.0 will change web into a better place, at least a little bit better and safer.

What’s the best thing about it is that most of the Internet users will be a part of these changes. Let us know in the comments what you think the new WordPress 3.0 version will bring into your personal online experience, we’d love to discuss it all while waiting for the big launch!

Securing your WordPress – 2 Part

In Part 1, we saw the basic security concerning wordpress which we can implement without using any plugin just by tweaking and editing some files. Part 2 will discuss about how to make your blog more secure by using some of the advanced security based plugins. Though there are thousands of plugins available for this, I will discuss only the plugins which are good and effective.

Securing WordPress using plugins

Listed below are methods to enhance security of your blog with use of plugins (All Plugins work on WordPress 2.7 and 2.8):

  1. Comment Security: Listed below are some of the plugins which implement security in your blog’s comment sections:
    1. Akismet: This is one of the most basic comment security plugins. Akismet needs a API Key to function which can be accessed from WordPress.com. Akismet is a self learning plugin which detects spam by their pattern and blocks it from showing.
      Alternative: Defensio – Works in same way as Akismet. Deactivate Akismet to use Defensio.
      SpamTask – Works same as above but does not require API Key. You can check stats by registering.
    2. reCAPTCHA Form Plugin: It is based on reCAPTCHA technology which is an hardened and effective form of a simple captcha.
      Alternatives:
      Block-Spam-By-Math – Math Based Captcha.
      trymath – Math (in form of ASCII Art) based captcha.
      VidoopCAPTCHA – Image Based Captcha.
      Geo Captcha – Shows Captcha only to users from specific countries.
      WP Clickcha – Clicking based Captcha instead of typing.
      Search for Captcha Based Plugins – You will find the one most suitable for your purpose.

    3. NOSpamNX: It adds a hidden comment field which spambots 99.9% fill and get blocked. Normal users leave it empty and are let through. For WordPress 2.7.1 and below use Yawasp – Yet Another WordPress Anti Spam Plugin
    4. WP-SpamFree Anti-Spam: It is a plugin which uses Javascript and cookies combination to stop comment, pingback and trackback spam.
    5. Antispam Bee: It is a plugin which replaces comment field to catch spammers.
    6. WP Captcha-Free: It is a plugin which works by validating a hash based on time and other parameters while submission of comment using AJAX.
  2. IP/Behaviour Blocking Based Plugins:
    1. Bad Behavior: It blocks IPs and bots from being served your blog based on their pattern, behaviour and IP addresses. It can work with other Anti-Spam Plugins to secure your blog and saves bandwidth too.
    2. AVH First Defense Against Spam: It protects your blog from spammers by checking IPs against a public spammer database and your blacklist, and by blocking the wp-comments-post.php file (a method without a plugin is also there for this).
    3. WordPress Firewall: It blocks spammers from using common parameters into the blog’s url to hack and even blocks sql injection type attacks. It can also block file uploads. Learn more about its filters.
  3. Login/Registration Based Protection:
    1. Semisecure Login Reimagined: It enhances the security of a login page by encrypting the Username and passwords. It is useful if you don’t have SSL certificate or the resources for it. The plugin requires Javascript to work and the webserver to have PHP with OpenSSL Support.
    2. Invisible Defender: It protects registration, login and comment forms by including 2 hidden fields which spambots will fill but not a user.
    3. Limit Login Attempts: It limits the number of retries on failed logins by checking IP or cookies. It can log login attempts and notify the administrator.
    4. Admin SSL: It forces SSL Admin on Login, Admin, Posts, Pages and everywhere with both Private and Shared SSL. WordPress 2.8 Download link.
    5. Stealth Login: It allows you to change the login link and prevents access to wp-login.php directly from spammers.
    6. Restrict Login by IP: It restricts the WordPress login to certain limited IPs and gives an error for everybody else.
    7. Invalidate Logged Out Cookies: It invalidates the data held in the cookies once a user logs out, thus preventing the data from being used even if the cookie gets stolen. You need to log out manually for this protection to work.
    8. Chap Login: Encrypts your login details on login page using Chap protocol.
    9. Simple LDAP Authentication: It allows wordpress to authenticate users against a LDAP Server.
  4. WordPress Monitoring Based Protection:
    1. WordPress File Monitor: It monitors wordpress installation for added/deleted/changed files and notifies the administrator on detecting a change.
    2. TAC (Theme Authenticity Checker): It scans all themes for malicious or unwanted code or even static links.
    3. WordPress Security Scan: It scans the WordPress installation for vulnerabilities and suggests corrective actions. It also removes WP version information, removes the WordPress generator tag and protects WordPress admin and database.
    4. Audit Trail: It keeps track of what goes on inside your blog. It records many types of actions and maintains its log. It can record the full content of posts/pages, which you can restore at any time.
  5. General Security Based:
    1. Antivirus for WordPress: It protects blog against Exploits and Spam Injections.
    2. TTC WordPress Security Tool: It blocks cross-site script elements, bad ip addresses, bots and bad user-agents.
    3. Secure WordPress: It implements many of the tweaks mentioned in part 1 like removes error information from login page, removes rsd, wlw and version tag from header, remove core/plugin/theme update information for non-admin and adds index.html to plugins directory.

Securing your WordPress

Maintaining a blog does not only refer to maintaining the content and the backend updates but is also about securing your blog so that it stays protected from any untoward act of phishing or hacking attempt. And if you think your blog does not need much security since it is small in terms of stats or popularity, you are wrong. If any vulnerability is spotted by a hacker on your blog, there are good chances of it being hacked.

Securing WordPress without plugins

Listed below are methods to enhance security of your blog without use of any plugin:

  1. Separate Blog and WordPress Directory – You can separate the WordPress and blog directories in two ways. You can either input the separate URLs under Admin>>Settings>>General or use wp-config.php to define the two URLs. The second approach can be used for troubleshooting purposes when you can’t access the Admin Dashboard. In such a case make sure that the WordPress URL is something encrypted. Such a config is also useful when you upload the default zip file from wordpress.org, where WordPress is located in a subdirectory. Also note that this will work only if index.php from the WordPress root install is copied to the blog URL directory, with the pathname in index.php edited accordingly. E.g. if your WordPress is in /home/public_html/domain/wordpress7472/ (http://domain.com/wordpress7472) and the blog is at /home/public_html/domain/ (http://domain.com), then the index.php at /home/public_html/domain/ should look like the following:

    <?php
    define('WP_USE_THEMES', true);
    // Path is relative to the directory this index.php sits in
    require('wordpress7472/wp-blog-header.php');
    ?>

    Comments removed from original index.php as they are not required. Pathname in index.php should be relative to the directory where it resides currently.

  2. Change Default Username – This is the most basic of methods, and it will definitely protect you from a few types of attacks that are targeted primarily at the default username WordPress provides at first install. To change the username, you need to perform a SQL query or directly edit the entry if you are using phpMyAdmin. Here is the SQL command to change the username:
    UPDATE `wp_users` SET `user_login` = 'NEWUSERNAME' WHERE `wp_users`.`ID` = 1 LIMIT 1;

    If you are not comfortable running a sql query or editing databases, create a new admin user and delete the old one.

  3. Changing Database prefix – WordPress uses the default prefix wp_ for its tables, which can be easily targeted as anybody would know the table names directly without guessing. Changing this prefix helps a lot to prevent random SQL attacks. If you are yet to install WordPress, this prefix can be changed during the installation procedure, where the installer asks for the prefix. Changing the prefix on a working blog takes a bit more work. Listed below are the steps required to change the WordPress table prefix:
    1. Open the file wp-config.php in your wordpress root directory and find the following line:
      $table_prefix = 'wp_';

      and change it to

      $table_prefix = 'newprefix_';

      Newprefix can contain any letter, number or underscore but it should not start with a number. You can use wp_webhost125_ or wpwebhost125_ as your newprefix too.

    2. Rename all tables in your SQL Database with the newname. You can use the following sql query to achieve this:
      ALTER TABLE wp_users RENAME TO newprefix_users;

      You will have to repeat the same query for all tables.

    3. Changing the table names does not complete the job. There are still some option names using default table prefixes which need to be updated manually. Under the table newprefix_options, find the option named ‘wp_user_roles’ and rename the option name to ‘newprefix_user_roles’. There is no general sql query for doing this because option id of this option name can be different on different blogs. Under the table newprefix_usermeta, the options to be renamed are: ‘wp_capabilities’, ‘wp_user_level’ and ‘wp_autosave_draft_ids’. The last option name will exist only if you have saved some draft posts earlier.

    Now the new table prefix should start working as required.

  4. Remove WP Version Information – WordPress generally gives away the version number of your installation at 2 places – in the site’s header and the footer (if the theme displays it). If you are using an older version of WordPress, you should remove it lest it gives hackers information that you are using an outdated version which may have some security loopholes in it for them to exploit. Removing the information from the footer is easy: just find the php code
    <?php bloginfo('version'); ?>

    in your footer.php and delete it. Removing it from your header requires you to edit the theme’s functions.php file, since it is displayed automatically in the header by the wp_head() function call from the header.php file. Add this line to your theme’s functions.php just before the last ?> :

    remove_action( 'wp_head', 'wp_generator' );

    The above method of editing functions.php works only in WordPress 2.5 and above. For WordPress versions below that, remove this code from the theme’s header.php file:

    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats -->

    This code may appear in your themes if you are using them in WordPress 2.5 or above, as some theme authors may not have removed this.

  5. Disable Remote Publishing if you do not use it – If you are not using any external tools to publish to your blog, like Windows Live Writer, then you should disable remote publishing. Go to Admin>>Settings>>Writing and uncheck both options mentioned under Remote Publishing: Atom Publishing Protocol and XML-RPC. To disable remote publishing completely, add the following lines in your theme’s functions.php just before the last ?>:

    remove_action('wp_head', 'wlwmanifest_link');
    remove_action('wp_head', 'rsd_link');

  6. First line removes the link which disables Posting from Windows Live Writer. BTW, adding the rsd_link line will disable pingbacks and trackbacks from working on your blog apart from disabling Remote Publishing. If you need them, don’t add the second line.
  7. Hide your plugins and themes – You don’t want people to know about the themes and plugins used by you. To do that, just visit wp-content/plugins/ and wp-content/themes/ under your blog’s url and upload an empty index.html file into these directories.
  8. wp-config.php hacks: Following is the list of hacks related to the file wp-config.php. Note: All code which needs to be inserted into wp-config.php should go before the line which says stop editing. This is very important for any hack to work properly.
    1. Protect wp-config.php file – This file is very important as it contains the username and password of the database on which your blog is hosted. Add the following code in .htaccess file in your blog’s root directory:
      <files wp-config.php>
      Order deny,allow
      deny from all
      </files>
    2. Update/Add Security Keys in wp-config.php – Since WordPress 2.6, there are some security keys added to wp-config.php which enhances the security of your WordPress installation as they help to encrypt the cookie information stored by your blog. If you don’t have them or want to change them, visit WordPress.org Secret Key Service to generate random keys and paste the generated code in wp-config.php as it is just before the sentence which says stop editing or replace the existing keys.
    3. Move wp-config.php file – WordPress 2.6+ allows you to move your file out of your WordPress install directory. If your blog is in the root directory, the best way is to move wp-config.php up one level. For example, if your blog is at http://www.domain.com (home/public_html/domain/) then wp-config.php can be kept at home/public_html/ without need of any configuration. This feature is supported by WordPress 2.6+. If you are using WordPress 2.5 or lower, or using WordPress in a subdirectory, the process of moving the file is different and is described below:
        1. Open the current wp-config.php and copy the portion which contains the database information and authentication keys of WordPress. Now go to the directory where you want to shift the wp-config.php file, create a new file in that folder named something like config.php and paste the earlier copied information. The copied portion of wp-config.php should look something like:
          <?php
          define('DB_NAME', 'blogname');
          define('DB_USER', 'username');
          define('DB_PASSWORD', 'password');
          define('DB_HOST', 'localhost');
          define('DB_CHARSET', 'utf8');
          define('DB_COLLATE', '');
          define('AUTH_KEY', 'abcdefghijklmnopqrstuvwxyz');
          define('SECURE_AUTH_KEY', 'abcdefghijklmnopqrstuvwxyz');
          define('LOGGED_IN_KEY', 'abcdefghijklmnopqrstuvwxyz');
          define('NONCE_KEY', 'abcdefghijklmnopqrstuvwxyz');
          $table_prefix = 'newprefix_';
          ?>

          I have removed the comments from the php file as they are not needed and inflating this tutorial unnecessarily too.

        2. Now instead of above code in wp-config.php, paste the following line in your wp-config.php and save the file.
          include('/home/public_html/config.php');

      In effect, instead of moving the complete file, you have moved the sensitive portion of wp-config.php, which is now at an inaccessible location. (home/public_html/ is always inaccessible – you can copy to any such location if this is not your webhosting’s case)

    4. Use SSL for Login/Admin – If you have purchased SSL Certificates for your domain, then you can enable SSL connection for your WordPress login and admin channel by embedding the following code into your wp-config.php:
      define('FORCE_SSL_ADMIN', true);

      For more information about SSL on WordPress, read WordPress Codex Article.

  9. Htaccess file hacks: Following is the list of hacks performed to .htaccess file for securing WordPress:
    1. Protect wp-admin directory – You can block all IPs from accessing wp-admin directory except your IP address. Add the following code to your .htaccess file:
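      # Place in wp-admin/.htaccess; in the site root these rules would block the whole blog
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Example Access Control"
      AuthType Basic
      # No <LIMIT GET> wrapper: the rules must cover POST and every other method as well
      order deny,allow
      deny from all
      allow from xx.xx.xx.xx
      allow from xx.xx.xx.xx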

      where xx.xx.xx.xx is your IP address.

    2. Protect Public Browsing of All Directories – Dropping an index.html file protects only the plugins and themes directories, and it’s not practical to drop index.html in every other directory. A better way is to insert the following code in the .htaccess file:
      # Use only the -Indexes form: Apache 2.4 rejects a mix of bare and +/- options
      Options -Indexes
    3. Deny comment posting to no referrer requests – Most spammers are bots which post comments to your blog without even accessing or opening your blog; they open the file wp-comments-post.php directly without sending any referrer information. The following code, if inserted into the .htaccess file, blocks such bot spammers:
      RewriteEngine On
      # POST requests to the comment handler ...
      RewriteCond %{REQUEST_METHOD} POST
      RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
      # ... whose referrer is not this blog, or whose user agent is empty
      RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
      RewriteCond %{HTTP_USER_AGENT} ^$
      # are redirected back to the address they came from
      RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]

      Replace yourblog.com with your blog’s domain.

    4. .htaccess authentication for WordPress Admin– This method will add one more username/password authentication for your WordPress Admin Dashboard. Steps to achieve this are listed below:
      1. Visit Dynamic Drive’s .htaccess Password Generator and fill out the username, password and a path which is inaccessible by anybody (e.g /home/public_html/ )
      2. Copy the code provided for .htaccess into your blog’s wp-admin .htaccess file(create if not created)
      3. Copy the code for .htpasswd file into .htpasswd file into the path provided above ( /home/public_html/.htpasswd )

      Now your WordPress Admin Should be password protected twice!

  10. Use Shell/SSH instead of FTP – SSH/Shell access is much more secure for transferring files than FTP. Use it if your webhosting allows it.
  11. Block WordPress folders from Search Engines – You should block your wordpress folders from being accessed by search engines by inserting the following line in your robots.txt file in your blog’s root directory:
    Disallow: /wp-*
  12. Suppress Error Message on Log-In Page – When your login to wp-login.php fails, WordPress always tells you whether the username is wrong or password is. This may be useful for you but is also very useful to a person who is trying to brute attack into your blog. You can suppress this message by inserting the following code just before the last ?> in your theme’s functions.php file:
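    // Return no text for any login error, so the page does not say whether the username or the password was wrong
    add_filter('login_errors', function ($a) { return null; });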
  13. Change File Permission – Check your file and folder permissions. For wp-config.php, set the file permission as 644. For directories, set the permission as 755 and files as 644.
  14. Choose a strong Password for Admin – Choose a password which should contain random alphabets, numbers and special characters which makes it tough to crack. You can use a Password generator tool for it too.
  15. Make Daily Backups of your Database – You should keep a daily backup of your blog’s database. Use WP-DBManager Plugin to have the database emailed to you daily.
  16. Keep Your Blog, Plugins and Themes Updated – Always try to maintain updated versions of your blog, plugins and even the theme.
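
For item 3 above (changing the table prefix on a working blog), the statements can be generated instead of typed one table at a time. This is an added example, not code from the original post: a POSIX shell function that checks the prefix against the rule from step 1 and prints the ALTER TABLE and UPDATE statements for review. The function names and the sample prefix blog7_ are assumptions, and the UPDATEs match rows by option_name and meta_key.

```shell
#!/bin/sh
# Added example (not from the original post). Prints SQL only; it never
# connects to a database. Back up first, and change $table_prefix in
# wp-config.php at the same time as you run the printed statements.

# valid_ident STRING: letters, digits and underscore only, no leading digit
# (the prefix rule stated in step 1 of the post).
valid_ident() {
    case $1 in
        '' | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# prefix_migration_sql OLD NEW TABLE...
# TABLE arguments are the current full table names, e.g. from SHOW TABLES.
prefix_migration_sql() {
    [ "$#" -ge 3 ] || { echo "usage: prefix_migration_sql OLD NEW TABLE..." >&2; return 2; }
    old=$1
    new=$2
    shift 2
    if ! valid_ident "$old" || ! valid_ident "$new" || [ "$old" = "$new" ]; then
        echo "prefixes must differ and use only letters, digits and _ (no leading digit)" >&2
        return 1
    fi

    # Pass 1: validate every table name before printing anything, because the
    # names are pasted into SQL as identifiers.
    for t in "$@"; do
        suffix=${t#"$old"}
        if [ "$suffix" = "$t" ] || [ -z "$suffix" ] || ! valid_ident "_$suffix"; then
            echo "refusing table name: $t" >&2
            return 1
        fi
    done

    # Pass 2: one rename per table (step 2 of the post).
    for t in "$@"; do
        suffix=${t#"$old"}
        printf 'ALTER TABLE `%s` RENAME TO `%s`;\n' "$t" "$new$suffix"
    done

    # Pass 3: rows whose names embed the old prefix (step 3 of the post).
    for t in "$@"; do
        suffix=${t#"$old"}
        case $suffix in
            options)
                printf "UPDATE \`%s\` SET option_name = '%s' WHERE option_name = '%s';\n" \
                    "${new}options" "${new}user_roles" "${old}user_roles"
                ;;
            usermeta)
                for k in capabilities user_level autosave_draft_ids; do
                    printf "UPDATE \`%s\` SET meta_key = '%s' WHERE meta_key = '%s';\n" \
                        "${new}usermeta" "$new$k" "$old$k"
                done
                ;;
        esac
    done
}

# Constructed sample run: four tables of a default install, new prefix blog7_.
prefix_demo() {
    prefix_migration_sql wp_ blog7_ wp_posts wp_options wp_usermeta wp_users
}

prefix_demo
```
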
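
For item 13 above (755 for directories, 644 for files), an added example, not part of the original post, that audits a WordPress tree with POSIX find and reports anything looser than those modes, including the world-writable result of chmod 777. The function names and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree against
# the 755 (directories) / 644 (files) rule. Stricter modes such as 600 are
# fine and are not reported. Symlinks are not followed.

# wp_perm_audit ROOT
# Prints one finding per line: "<FINDING> <path>".
wp_perm_audit() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Anything writable by "other": what chmod 777 (or 666) leaves behind.
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
        sed 's/^/WORLD_WRITABLE /'

    # Files with group-write or any execute bit set (more than rw-r--r--).
    find "$root" -type f ! -perm -0002 \
        \( -perm -0020 -o -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
        sed 's/^/LOOSER_THAN_644 /'

    # Directories with group-write set (more than rwxr-xr-x).
    find "$root" -type d ! -perm -0002 -perm -0020 -print |
        sed 's/^/LOOSER_THAN_755 /'
}

# Constructed sample tree: two compliant files, one stricter file, and four
# entries that break the rule. Prints the sorted findings, then cleans up.
wp_perm_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins"
    : > "$d/wp-config.php"
    : > "$d/index.php"
    : > "$d/wp-content/uploads/x.php"
    : > "$d/wp-content/plugins/hello.php"
    chmod 755 "$d" "$d/wp-content"
    chmod 644 "$d/wp-config.php"                  # as the post recommends
    chmod 600 "$d/index.php"                      # stricter than 644: not reported
    chmod 777 "$d/wp-content/uploads"             # the "temporary" 777
    chmod 666 "$d/wp-content/uploads/x.php"
    chmod 775 "$d/wp-content/plugins"
    chmod 664 "$d/wp-content/plugins/hello.php"
    (cd "$d" && wp_perm_audit . | LC_ALL=C sort)
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then
    wp_perm_audit "$1"      # audit a real tree: sh audit.sh /path/to/wordpress
else
    wp_perm_demo
fi
```
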

How to optimize and get better speed with your blog in wordpress


WordPress blogs and sites can be notoriously slow. But fear not – here are ways to make your WordPress blog super speedy and fun for your visitors to view with a few tweaks, hacks and plugins. Be sure to check back because I will be updating this post as I discover new and wonderful ways to optimize and speed up WordPress blogs.

Define goals and create benchmarks:

  1. First, define a goal, such as reducing page load time from 8 seconds to 2 seconds.
  2. Measure your initial state and the results of each modification so that you can quantify any improvement. Test your site’s speed with the Website Speed Test, but do multiple tests since the results can be inaccurate due to fluctuations in your internet connection and other factors.
  3. Use Pingdom to get a detailed analysis of your blog’s loading time and performance.
  4. See what your browser is doing with tools like Firebug’s network tool, Charles Proxy or Wireshark, and review the server logs.
  5. YSlow – analyzes web pages and tells you why they’re slow based on the rules for high performance web sites. YSlow is a Firefox add-on integrated with Firebug. See this presentation from Yahoo! that covers their latest research results and performance breakthroughs. It covers their existing 14 rules, plus 20 new rules for faster web pages. They’ve categorized the optimizations into: server, content, cookie, JavaScript, CSS, images, and mobile.

Reduce the number of dynamic PHP and http calls:

  1. “There is an inherent overhead in each HTTP request. It takes substantially less time to serve one 30K file than it does three 10K files.” So combine all files in a type into a library. Learn how here.
  2. Use different host names to increase the number of active download threads.
  3. Minimize PHP and database queries – Each time a page on your site loads, if your browser has to execute any PHP queries, it adds to the load time. If you replace the PHP queries with static HTML, every time a page loads, your browser just reads the HTML. An example from WP Candy:
    With PHP requests: <title><?php bloginfo('name'); ?><?php bloginfo('description'); ?></title>
    Without PHP requests: <title>WPCandy - The Best of WordPress</title>
    Joost de Valk says that you can remove 11 queries to the database by doing the following in your header.php and footer.php files:

    • making your stylesheet URL’s static
    • making your pingback URL static
    • making your feed URLs static
    • removing the blog’s WordPress version
    • making your blog’s name and tagline / description static
    See more examples of how you can replace code in your WordPress template files with static HTML here and here.
  4. Check if you have too many external calls to things like Amazon, eBay, MyBlogLog, etc. Try commenting them out one by one to see if it speeds things up.

Optimize your files: CSS, HTML, Javascript, images, video

  1. Optimize your image files for the web.
  2. Make sure that all images have height and width tags.
  3. Consider hosting your images on an external site like flickr that has huge servers and can handle the load.
  4. Use CSS sprites for static web images. CSS sprites are where the images are added to one larger image file, and laid out in a convenient way. Here’s a CSS Sprites generator.
  5. Do not host videos on your server. Upload them to YouTube, Google Video, or any other video sharing site and let them handle the server load.
  6. Compress your Javascript, using a tool or by removing formatting (and potentially by shortening function and variable names). This can reduce file size by 60%. Add gzip compression to that as well and you’re looking at a serious size reduction.
  7. Compress HTML and CSS by removing HTML formatting, white space (where you divide code among separate lines for easier readability), trimming class names, omitting unambiguous quotes around attributes, etc.
  8. Compress your CSS with the CSS Compress WordPress plugin – Automatically removes comments, new lines, tabs, and gzip compresses (GZIP) any CSS file called with “<?php bloginfo('stylesheet_url'); ?>”. Just activating the plugin with the default Kubrick theme will reduce the CSS file from 8k to 1.7k.
  9. Compress your CSS by using shorthand CSS. Here’s an example from WP Candy:
    Long: .test {margin-top: 7px; margin-right: 1px; margin-bottom: 5px; margin-left: 3px;}
    Short: .test {margin: 7px 1px 5px 3px;}
  10. Use external scripts – Instead of placing tons of code in your header.php file, use external scripts. This allows the browser to cache the script so it won’t have to read it for every other page.
  11. Validate your code at W3C to make sure you don’t have any major errors slowing down your page.
  12. Allow progressive rendering: Load CSS files at the top of the page, from within the head section; load JavaScript files at the bottom of the HTML. And/Or…
  13. Stop slow loading scripts from breaking your blog with IFrameWidgets v1.0 WordPress plugin. Slow widgets or snippets of Javascript can either time-out, or prevent the items below them from loading. The plugin creates WordPress sidebar widgets that run in an IFrame. Since IFrames load in parallel to the rest of the page, slow loading JavaScript widgets won’t affect the rest of the page.

Plugins

  1. Disable or delete unused plugins – some plugins have tons of script and code, and even create database tables in your WordPress database. Use only the plugins you really need, and delete the rest.
  2. Sometimes plugins require that you add a snippet of code to your theme’s template files to call the plugin. Usually, it looks something like this:
    <?php refer_plugin(); ?>
    However, if for some reason you disable that plugin, you will get an error. Joost de Valk recommends using PHP’s special function called function_exists to prevent the blog from breaking if plugins are disabled or removed. Using it will make the code look like this:
    <?php if (function_exists('refer_thanks')) { refer_thanks(); } ?>
  3. Control when your WordPress plugins are loaded: WordPress processes all of the code for all active plugins, even if that plugin isn’t used on a particular page. If a particular resource heavy plugin isn’t used on certain pages, then you can tell WordPress not to load it on those pages by wrapping an if statement around the content of each function to check what page is being loaded. Learn more about how to do this here.

Database

  1. Use phpMyAdmin to optimize your database: Log in to phpMyAdmin, select all the tables, and then “repair” and “optimize.”
  2. Delete excess records in your WordPress database. All plugins use the wp_options table to store data, which is the same table used by WordPress to store all settings for your blog, and is accessed every time you open any page. When you deactivate a plugin, these records are left behind, bloating your database. To clean it up you can use the WordPress Clean Options Plugin, which finds orphaned options left after you have removed plugins and removes them from the wp_options table, or do it manually as follows: back up your database, log in to phpMyAdmin, open your blog’s database, and click Browse for the wp_options table. Go through this table record by record to identify any records left behind by old plugins. (from WordPress Web 2.0 Spot-Er).
  3. Use the Optimize DB plugin to optimize the tables of your database.
  4. Use WordPress Plugin: Fix Database to check all tables in your database and fix any errors.
  5. Lester “GaMerZ” Chan’s WP-DBManager 2.11 plugin sorts your database backup files by date in descending order, can repair databases, and allows automatic scheduling of database backups and optimization.

Caching and protecting against server overload

  1. WP-Cache 2 – caches WordPress pages and stores them in a static file, so future requests are served directly from the file rather than loading and compiling the whole PHP code and then building the page from the database.
  2. WP Super Cache – This plugin is a fork of the WP-Cache 2 plugin, and generates html files which are served without ever invoking a single line of PHP.
  3. PHP Speedy – PHP Speedy is a script that you can install on your web server to automatically speed up the download time of your web pages.
  4. Use the Expires and cache-control max age headers for all pages; Make dynamic pages support the if-modified-since request header; Use far future expiry headers on static resources; Use the cacheability engine to test that you have caching and validation set up correctly. If you don’t know what all this means, don’t worry, neither do I, but you can find out more here.
  5. Digg Protector plugin – The Digg Protector will determine if a visitor is from Digg, and if the visitor is indeed from Digg, the plugin will serve them a remotely-hosted version of the image. Otherwise, the plugin will serve the locally-hosted (on that server) image.
  6. Some more caching possibilities: MySQL query cache, PHP Compiler Cache. Learn more here.
  7. Configure Apache for maximum performance.
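What item 4 asks of a dynamic page, as an added example (not code from the original article): send Last-Modified, Cache-Control max-age and Expires, and answer a matching If-Modified-Since request with 304 and no body. The function names, the 600-second lifetime and the `$personalised` switch are assumptions of this example.

```php
<?php
// Added example: conditional GET and cache headers for one dynamic page.

// Decide the status and headers without touching globals, so the logic can
// be exercised from the command line as well as from a web request.
function cache_decision(int $lastModified, ?string $ifModifiedSince,
                        int $maxAge, int $now, bool $personalised = false): array
{
    $httpDate = 'D, d M Y H:i:s';
    $headers = [
        'Last-Modified' => gmdate($httpDate, $lastModified) . ' GMT',
        // Assumption of this example: pages that differ per logged-in user
        // are kept out of shared caches.
        'Cache-Control' => ($personalised ? 'private' : 'public') . ', max-age=' . $maxAge,
        'Expires'       => gmdate($httpDate, $now + $maxAge) . ' GMT',
    ];
    $since = $ifModifiedSince === null ? false : strtotime($ifModifiedSince);
    // 304 when the browser's copy is at least as new as the content.
    $status = ($since !== false && $lastModified <= $since) ? 304 : 200;
    return [$status, $headers];
}

function send_with_cache_headers(int $lastModified, callable $render, int $maxAge = 600): void
{
    [$status, $headers] = cache_decision(
        $lastModified, $_SERVER['HTTP_IF_MODIFIED_SINCE'] ?? null, $maxAge, time());
    http_response_code($status);
    foreach ($headers as $name => $value) {
        header($name . ': ' . $value);
    }
    if ($status === 200) {
        $render(); // a 304 response carries no body
    }
}

// Constructed demo values: content last changed 2012-01-15 12:00:00 GMT.
if (PHP_SAPI === 'cli') {
    $changed = gmmktime(12, 0, 0, 1, 15, 2012);
    foreach ([null, 'Sun, 15 Jan 2012 12:00:00 GMT', 'Sat, 14 Jan 2012 09:30:00 GMT'] as $header) {
        [$status] = cache_decision($changed, $header, 600, time());
        printf("%-32s -> %d\n", $header ?? '(no If-Modified-Since)', $status);
    }
}
```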

Sources:

Speed up your website: Part One

How-to: Optimize your site for speed

How to Enable the Default WordPress Object Cache – talks about wp-cache, wp-cache 2, and built in wordpress caching.

Digg Protector

4 Simple Ways To Speed Up WordPress

Speed up and clean up your WordPress!

5 Tips to Help Your Slow or Sluggish Blog or Web Site (WordPress Especially)

Deleting excess records in your WordPress database

WordPress on Speed: 17 Tweaks to Accelerate your WP

The 3 Easiest Ways to Speed Up WordPress

WordPress Theme Hacks

Diggproof & Speed up Your WordPress Blog

WordPress Optimisation: Control When Plugins Are Loaded

Tips to secure WordPress

The downside to the popularity of WordPress is that it has now become a good target for hackers. With each major release of the platform, there are many security fixes that appear afterwards. While you can’t control the WordPress code, at least most can’t, the one thing you can do is control your blog. There are many things you can do to ensure your blog is as secure as it can be.


Change the administrator ID and password. This should be standard practice regardless of whether it is for a WordPress blog or another item such as a router. Never use the default user ID and password. Always create your own ID with a strong password.

Change your database table prefix. By default, when you create your blog’s database the prefix for all the tables is ‘wp_’. Everyone who has used WordPress knows this, so they would know the structure of your database. By changing this prefix, it makes it harder for others to guess the names of your blog’s database tables.

See document “Editing wp-config.php”

Secure your WordPress installation. How much you want to secure your WordPress directories depends on how much you want to learn. Some steps include preventing directory browsing, and allowing access to specific files and directories from an IP address. Performing a search in Google will yield many results that can walk you through the process step-by-step.

See : Changing File Permissions
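A command-line check for the settings named in the last two tips (table prefix, file permissions, directory browsing), as an added example that is not part of the original article. The permission policy and the directories it inspects are assumptions of this example.

```php
<?php
// Added example, not from the original article. Run: php wp-audit.php /path/to/blog
function audit_wordpress(string $root): array
{
    $findings = [];
    $config = $root . '/wp-config.php';
    if (!is_file($config)) {
        return ["wp-config.php not found under $root"];
    }
    // 1. Table prefix: report the default 'wp_' set in wp-config.php.
    $source = file_get_contents($config);
    if (preg_match('/^\s*\$table_prefix\s*=\s*([\'"])(.*?)\1\s*;/m', $source, $m)) {
        if ($m[2] === 'wp_') {
            $findings[] = "table prefix is still the default 'wp_'";
        }
    } else {
        $findings[] = 'no $table_prefix assignment found in wp-config.php';
    }

    // 2. wp-config.php holds the database credentials; report it when users
    //    outside the owner and group have any access (assumed policy).
    $mode = fileperms($config) & 0777;
    if ($mode & 0007) {
        $findings[] = sprintf('wp-config.php is open to all users (mode %04o)', $mode);
    }

    // 3. World-writable WordPress directories.
    foreach (['', '/wp-admin', '/wp-includes', '/wp-content'] as $dir) {
        $path = $root . $dir;
        if (is_dir($path) && (fileperms($path) & 0002)) {
            $findings[] = sprintf('%s is world-writable (mode %04o)', $path, fileperms($path) & 0777);
        }
    }

    // 4. Directory browsing: look for "Options -Indexes" in the root .htaccess.
    //    The main server configuration may also disable it; this cannot see that.
    $htaccess = $root . '/.htaccess';
    $rules = is_file($htaccess) ? file_get_contents($htaccess) : '';
    if (!preg_match('/^\s*Options\b.*-Indexes\b/mi', $rules)) {
        $findings[] = 'root .htaccess does not contain "Options -Indexes"';
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $findings = audit_wordpress(rtrim($argv[1], '/'));
    echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : 'no findings' . PHP_EOL;
    exit($findings ? 1 : 0);
}
```

The script exits with status 1 when it reports anything, so it can run from cron after each WordPress or plugin update.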

Install a security-checker plugin. There are several plugins that you can install that will check your WordPress installation for any security holes. You don’t need to keep these plugins enabled, but it is good practice to enable once in a while to verify that there are no glaring security issues with your blog.

See : WP Security Scan

Install a backup plugin. It is a good idea to make regular backup copies of your WordPress database, files, and directories. If someone does manage to get into your blog, does some damage to the point where you can’t continue, you can always restore a backup copy and continue within a few hours. There are several plugins that allow you to schedule backups so you don’t have to remember.

See : WP-DB-Backup

While the above list isn’t exhaustive, it provides a good list of items that you can look at when you want to secure your WordPress blog. There is a lot of information online about securing your blog, which you can read to learn what works best for you.

Plugins for WordPress

Remove spam comments

Akismet – If you are listed in search engines and have a lot of traffic, you are bound to get a massive amount of spam comments. This plugin makes your life much easier and saves you a lot of time. You need to get your free API key for this plugin.

Remove broken links

Broken Link Checker – Search engines do not like broken links. Your visitors do not like them either. This plugin scans your posts automatically, shows you broken links in WordPress dashboard and lets you easily unlink them.

Create contact forms

Cforms – If you need a contact form on your site, this plugin is simple to set up and works great. I use it for all contact forms on the blog.

Thank commentators

Comment Redirect – I use this plugin to redirect visitors when they make their first comment on my blog. I redirect them to a thank you page where I thank them for the comment, explain about my blog, and ask the reader to subscribe to my RSS newsfeed. Write a comment to this post, and see this plugin in action.

Remove unnecessary code

CSS Compress – I am not much into the technical side of WordPress and CSS but I was told that this plugin removes all the unnecessary lines in the WordPress theme code, and that way makes the blog smaller and faster to load.

Combine all RSS subscribers

FeedBurner FeedSmith – I used the original WordPress RSS feed at the beginning of my blog, but then I moved over to Google services. So now I use this plugin as it detects all the old RSS subscribers and redirects them to my new RSS feed.

Make Google happy

Google XML Sitemaps – Google loves sitemaps and indexes sites/articles much quicker if you have a sitemap and you have it submitted to Google Webmaster Tools. Nice and simple way to ensure that Google finds and indexes your blog.

Optimize ping updates

MaxBlogPress Ping Optimizer – WordPress automatically updates all your ping services, even if you just update or edit your article. If you edit your articles a lot, your blog risks being banned from ping services for excessive pinging. This plugin solves the problem by only pinging your post when you publish it.

Confirm the unconfirmed subscribers

Notify Unconfirmed Subscribers – If you are using the Feedburner email subscribe option, you know that some subscribers never confirm their subscription. This plugin lets you easily notify all the unconfirmed subscribers and inform them that they need to take an additional step to approve their subscription.

Welcome your visitors

Referrer Detector – This plugin detects where your visitors are coming from and automatically displays the corresponding greeting. So for example when somebody visits my blog via Google.com, they get this message:

Welcome Googler! If you find this page useful, why not subscribe to the RSS feed for more interesting posts in the future?

Track what your visitors are looking for

Search Meter – This plugin tracks what your visitors are searching for in your “search” field. This way you can know what your visitors are looking for and what they find. Tracking this might help you make your blog design more usable and give you some topics to write about.

Notify visitors of new comments

Subscribe To Comments – This plugin allows your blog readers to subscribe to the comments on articles. Each time there is a new comment they will get an email notification. It helps getting visitors to return, getting more comments and building community around your blog posts.

Make Thesis easier

Thesis OpenHook – This plugin allows insertion of Thesis content hooks without editing the theme files. It is only for Thesis theme users. Read more on why I have chosen to go for a premium WordPress theme Thesis.

Remind new visitors to subscribe

What Would Seth Godin Do – This plugin displays a message to your new blog visitors. On howtomakemyblog.com I use it on the bottom of each post as a reminder to subscribe to my RSS news feed. Like this:

If you want to learn more about blogging please subscribe to Dagorret RSS feed or via email to receive all the latest articles!

List your most popular posts

WordPress.com Popular Posts – I use this plugin in the sidebar to show the 10 most popular posts on my blog. It is a very good way of showing your visitors your most popular posts, and it does improve usability of the site, plus improves your stats like pages viewed per visit, time spent on site and bounce rate.

Get your blog stats

WordPress.com Stats – I use this stats plugin because the WordPress.com Popular Posts plugin takes the data from this plugin to show the most popular posts by number of views. It does not count the views of logged in users, so your visits to your pages will not be counted. You need to get your free API key for this plugin.

Never lose any of your material

WordPress Database Backup – This plugin helps you keep a database backup of your blog. It is very simple and easy to use. You can set the plugin to make a regular backup of your blog and send it to you via email automatically. This way you will never lose the articles and archives you have written over the months/years in case of hacker attack or any other security vulnerability.

Speed up your blog

WP Super Cache – Another technical plugin. It will improve your blog’s loading time and will speed up your blog significantly. It helps your server handle a higher load without crashing, which can help in case you hit front page of Digg.com and start getting tons of traffic. Unfortunately the Digg.com part I still haven’t tested.

Create a Twitter field in comments

WP Twitip ID – This plugin adds another field to your blog’s comment form so your readers can add their Twitter IDs when writing a comment. See this plugin in action on my blog in the comment field at the end of this article.

Show related posts

Yet Another Related Posts Plugin – I use this plugin to show a list of related posts from my blog archives after each article I write. It improves the user experience and increases the time users spend on site, pages viewed per visit and bounce rate stats. See it in action after this article where it suggests what to “see more”.

Extra plugins for those who do not use Thesis

Thesis WordPress Theme that I use on my blog has the following functions automatically built in, so I do not need to use plugins. But if you are using other themes, the following plugins will give you a similar look/effect.

  • All in One SEO Pack – This plugin makes it easy for you to optimize your article titles and other meta tags.
  • Google Analytics – This plugin makes it easy for you to insert your Google Analytics code and start tracking your blog visitors.
  • WP-Note – This plugin lets you insert notes in your article to make them stand out. Kind of similar to the yellow colored notes I have twice in this article.
  • WordPress Gravatars – This plugin lets you display Gravatars of your readers in the comments section and can put your Gravatar on top of your article to show who the article was written by.

Hopefully this list gives you enough plugins to research and experiment with. Good luck with your blog optimization!