Covering the full spectrum of WordPress Optimization possibilities as well as WordPress security.

1. WordPress
Optimization and Security
Leeds, September 2012
http://gdig.de/think12
Bastian Grimm, Managing Partner - Grimm Digital

2. About me
 Background: PHP & Java
– Dev. CMS, shops & forums
– Wazap! Game Search Engine
 Online Marketing since 2004
– SEO strategy consulting, in-house
trainings & workshops, WordPress
@basgr
SEO, bla bla…
 Links, Links, Links…need some?
 Stuff to play with…
2

3. Get the Slide-Deck
http://gdig.de/think12
3

4. Credits for facts & graphic: http://yoast.com/wordpress-stats/

5. Credits for facts & graphic: http://yoast.com/wordpress-stats/

6. Section #1: Configuration

7. #1 Settings > PermaLinks
Get rid of those dates
(IDs), they look awful!
/%postname%/

8. #2 Settings > Privacy
Make sure you actually
allow search engine to
access your contents!
8

9. #3 Fix your Themes’ Page Title
Open header.php in your
themes’ folder, search
for “wp_title” – it’s going
be the first match!
<title><?php wp_title(); ?></title>
That’s the ONLY
thing you need!
9

10. Section #2: WordPress SEO

11. #4 WordPress SEO by Yoast 1/9
Make sure to uncheck this!
Enables setting noindex,
canonical & 301 (for users)
on a per-post basis

12. #4 WordPress SEO by Yoast 2/9
You surely don‘t need paged
archives, categories, etc. –
they‘re targeting the same
keys anyways.
Affiliate sites mainly have
pages, no need for RSS.
Check all of them!

13. #4 WordPress SEO by Yoast 3/9
Set proper page title &
description, also choose
author for SERP listing

14. #4 WordPress SEO by Yoast 4/9
Use help section to get
details an all 30+ variables!
Keep unchecked unless
you’re publishing news.
Default value has been
changed w/ last update.

15. In addition: Post-level settings
You can overwrite defaults
on a per-post level using
the “Advanced” settings.
15

16. #4 WordPress SEO by Yoast 5/9
Usually you just need one
(unless having a HUGE
amount of content) –
“noindex” the other one!

17. #4 WordPress SEO by Yoast 6/9
Especially w/ single-authored
blogs, those are a 1:1 copy of
your homepage.
301 is the better solution!

18. #4 WordPress SEO by Yoast 7/9
For larger sites, check to auto-
generate XML sitemaps.
Remember to check excludes!

19. #4 WordPress SEO by Yoast 8/9
Make absolutely sure
you‘re using these!

20. BTW: Clean those URL-Slugs
WP Permalauts
Especially important for
Germany, France, etc.
http://wordpress.org/extend/plugins/wp-permalauts/

21. #4 WordPress SEO by Yoast 9/9

22. Trust me… things change!
Check out SEO data transporter
to switch SEO plug-ins!
22

23. Migration made easy: Painless switching!
SEO Data Transporter
http://wordpress.org/extend/plugins/seo-data-transporter/

24. Section #3: Plug-ins
24

25. Make absolutely sure
you only use plug-ins
from trusted authors!

26. #5 Fix your Pagination
Better crawl-ability, better WP-PageNavi
indexation – what else u want?
WordPress pagination
s*cks, replace it!
http://wordpress.org/extend/plugins/wp-pagenavi/

27. #6 Improve internal Cross-Linking
Yet Another Related
Posts Plugin
http://wordpress.org/extend/plugins/yet-another-related-posts-plugin/

28. #7 Auto-optimize Image Attributes
SEO Friendly Images
Forces post title &
image name to be used
as img alt-attribute
http://wordpress.org/extend/plugins/seo-image/

29. #8 Redirect old Contents
Redirection
http://wordpress.org/extend/plugins/redirection/

30. #9 Mask your Affiliate Links
Eclipse Link Cloaker
http://eclipsecloaker.com/

31. Don’t forget to tweak your robots.txt
We don‘t want some WP
User-Agent: * specific files & folders
Disallow: /wp-admin/
Disallow: /feed/
Disallow: /comments/feed/
Disallow: /*/trackback/$
Disallow: /*/feed/$
Disallow: /*.css$ Adjust according to your
Disallow: /*.js$
Disallow: /r/
Link Cloaker settings.
31

32. #10 Have Rich-Snippets if possible
Schema Creator
http://wordpress.org/extend/plugins/schema-creator/

33. Section #4: Security

34. #11 Never EVER do this!
These sites are
more than worse…

35. A quick peak into some theme files…
LOL! „family friendly“
links – my a*s…
35

36. A quick peak into some theme files…
functions.php: This theme
won‘t be working without
those links…
36

37. #12 Always use TAC to do a pre-check!
Theme Authenticity
Checker (TAC)
http://builtbackwards.com/projects/tac/

38. It get’s worse: base64 encoded footer
Are you really sure you want
to see that footer.php file?
38

39. Right… NICE FOOTER!
39

40. If you are REALLY curious…
 http://ottodestruct.com/decoder.php
 http://www.tareeinternet.com/scripts/byterun.php
 http://www.tareeinternet.com/scripts/decrypt.php
 http://rot13-encoder-decoder.waraxe.us/
The PHP code isn’t “really”
encrypted, rather kind of obfuscated.
Reversing is possible!

41. PLEASE… stay away
from “free” WordPress
themes – they’re not
free, really!

42. #13 Keep your installation clean
Remove all non-active
plug-ins as well as themes!
42

43. #14 Do updates regularly!
 WP Updates Notifier to get emails
on out-dated components (core,
themes & plug-ins) for all blogs:
– http://wordpress.org/extend/plugins
/wp-updates-notifier/
 ManageWP can do one-click mass
updates (core, themes, plug-ins
again) for all your blogs:
– http://managewp.com/features

44. #15 Daily scan your Theme
WP AntiVirus
http://wordpress.org/extend/plugins/antivirus/

45. #16 Harden your Security Settings
Secure WordPress
Most important: Remove version
number from ALL components &
block malicious URL requests.
http://wordpress.org/extend/plugins/secure-wordpress/

46. #17 Protect wp-admin by .htaccess
Put an .htaccess to your
/wp-admin/ for basic
passwd. protection.
You can also try the “Lockdown WP
Admin” plug-in to protect PHP files in
wp-admin as well as the login itself.
http://wordpress.org/extend/plugins/lockdown-wp-admin/

47. #18 Fix File & Folder Permissions
WP-Security Scan
Very important: chmod your
wp-config.php to be read-only!
http://wordpress.org/extend/plugins/wp-security-scan/

48. Section #5: Maintenance
48

49. #19 Do a Theme Test Drive
Live-Testing a new theme
without anyone else
noticing… nice!
http://wordpress.org/extend/plugins/theme-test-drive/

50. #20 Debug your WordPress #1
P3 (Plugin Perf. Profiler)
http://wordpress.org/extend/plugins/p3-profiler/

51. #20 Debug your WordPress #1
http://wordpress.org/extend/plugins/p3-profiler/

52. #20 Debug your WordPress #1
http://wordpress.org/extend/plugins/p3-profiler/

53. #20 Debug your WordPress #1
http://wordpress.org/extend/plugins/p3-profiler/

54. #21 Debug your WordPress #2
Debug Objects
http://wordpress.org/extend/plugins/debug-objects/

55. #22 Enable Akismet
Just enable, get an API key
and turn „auto-delete“ on!

56. #23 Backup Database & Files
BackWPup
http://wordpress.org/extend/plugins/backwpup/

57. #24 Watch out for Errors
 Knowledge is power
 Use a 404 logger
– Analytics software
– Redirection (built-in)
– Webserver logs
 Setup 301 redirects
accordingly using
“Redirection”, again.
Image-Credits: http://gdig.de/i

58. #25 Maintain Categories & Tags
Term Mgmt. Tools
Mass merge &
change parents
http://wordpress.org/extend/plugins/term-management-tools/

59. Section #6: Performance

60. GWT Site Performance Info
This is really not so good…!
60

61. Scoring domains by
performance; check it out!
https://developers.google.com/pagespeed/

62. #26 Compress those Images
13.2% savings WP Smush.it
for one image!
http://wordpress.org/extend/plugins/wp-smushit/

63. Or try this one - if you don’t like Yahoo…
Run‘s awesome CW Image
image optimization Optimizer
but requires Unix
„littleutils“
http://wordpress.org/extend/plugins/cw-image-optimizer/

64. #27 Setup a Caching Plug-in
W3 Total Cache
http://wordpress.org/extend/plugins/w3-total-cache/

65. #28 Combine multiple CSS files
 Combine CSS files into one to
reduce the number of HTTP requests
 Minify the big file by removing white-
spaces, etc. to reduce file size per request
– Check: W3Total > Performance > Minify!
 Same goes for JavaScript as well… and put those
JS files into the footer, if possible!
65

66. #29 Do CSS-Sprites
http://spriteme.org/

67. #30 Off-load JS-Libs
WP Use Google Libraries
Simply enable the plug-in &
serve JS libs from Google‘s CDN!
http://wordpress.org/extend/plugins/use-google-libraries/

68. Section #7: Scale that Sh*t!

69. WordPress + Cloning Installations
1. Setup WP w/ optimized settings
– Permalinks, Plug-ins, Settings, etc.
2. Use Xcloner to multiply setup
– Easier vs. re-doing 1/ over & over again
3. Use ManageWP for maintenance
– Perfect mass management solution
4. Or: Update using browser favorites
– Just replace hostnames in your list
69

70. Maybe give xMarkPro a try?
Looks very promising…
But I didn’t find the time to test it
in full detail yet, Sorry.
http://xmarkpro.com/

71. WordPress + Multisites
1. Use default WordPress and install
2. Edit wp-config.php:
– define('WP_ALLOW_MULTISITE', true);
3. Install WP “MU Domain Mapping”
– Copy “sunrise.php” to “wp-content”
4. Edit wp-config.php, again:
– define('SUNRISE', 'on');
Bonus: “Clone Sites for WPMU“
http://codex.wordpress.org/Create_A_Network

72. OMCap 2011 - Online Marketing Konferenz Berlin
And that’s it! …
13.10.2011
Wait, still not enough? 72

73. Section #8: wp-config.php Tweaks

74. How to do it?
Just find this
beast…
… don’t use this
piece of sh*t…
… and put directives
before here!

75. Moving the “wp-content” folder
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content');
WP_CONTENT_DIR points to “new”
the full local path (no trailing slash)
define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
WP_CONTENT_URL points to “new”
full URI (no trailing slash either)

76. Auto-saving & Revision-handling
define('AUTOSAVE_INTERVAL', 160 );
WP uses Ajax to auto-save revisions
to the post as you edit. Change the
interval if necessary (default=60)
define('WP_POST_REVISIONS', 3);
… or (not recommended):
define('WP_POST_REVISIONS', false); Limit WP to create a maximum
number of revisions per post
using WP_POST_REVISIONS

77. SSL Logins & Administration
define('FORCE_SSL_LOGIN', true);
Set FORCE_SSL_LOGIN to “true” to
force all logins to happen over SSL.
(still allows non-SSL admin sessions)
define('FORCE_SSL_ADMIN', true);
Use FORCE_SSL_ADMIN to force all
logins and all admin sessions to
happen over SSL (can be slow…)

78. Enable DB Auto-Repair
Go edit „wp-config.php“
and add this line – easy!
define('WP_ALLOW_REPAIR', true);
Afterwards, you need to call the repair script manually:
http://example.com/wp-admin/maint/repair.php

79. OMCap 2011 - Online Marketing Konferenz Berlin
Finally! …
13.10.2011
Well, well… one more! 79

81. Thanks! Questions?
mail@grimm-digital.com
twitter.com/basgr
linkedin.com/in/bastiangrimm
facebook.com/grimm.digital
http://gdig.de/think12
Bastian Grimm, Managing Partner - Grimm Digital