Bastian Grimm presented 40 WordPress tips across 6 sections: security, SEO, engagement, maintenance, and performance. The tips included hardening security settings, optimizing images, caching plugins, offloading static content, and debugging. The overall presentation emphasized optimizing a WordPress site for speed, security, and SEO.

1. 40 WordPress Tips
- Security, Engagement, SEO & Performance -
http://gdig.de/sydney1
Sydney, April 2013
Bastian Grimm, Managing Partner - Grimm Digital

2. About me
SEO Trainings, Seminars & Strategy Consulting
WordPress Security, Consulting & Development
@basgr
Berlin-based Full-Service Performance Marketing Agency
2

3. http://gdig.de/sydney1

4. Who is running WordPress?!

5. See… that‘s the issue!
You’re the “hackers” most-loved target!

6. Section #1: Security

7. #1 Setup WordPress properly
Use unique keys and salts to add
random elements for encryption!
Use a cryptic prefix to prevent
automated scripts and SQL injections.
$table_prefix = ‘wp_VzQCxSJv7uL_ ‘;
https://api.wordpress.org/secret-key/1.1/salt/

8. #2 Protect your wp-config.php
<files wp-config.php>
order deny,allow
deny from all This needs to go into your WP roots’
</files> .htaccess file to prevent external access
Did you know this? Event better… move
wp-config.php outside of „www“.

9. #3 Remove the default „admin“
Setup new user as admin; logout.
Login w/ new admin; delete old one.
Make sure to use a STRONG
password, pleeaaasssseeee!
http://www.random.org/passwords/

10. #4 Lock-out multiple failed logins
Limit Login Attempts
http://wordpress.org/extend/plugins/limit-login-attempts/

11. #5 Never EVER do this!
These sites are
more than worse…

12. A quick peak into some theme files…
LOL! „family friendly“
links – my a*s…
12

13. A quick peak into some theme files…
functions.php: This theme
won‘t be working without
those links…
13

14. #6 Always use TAC to do a pre-check!
Theme Authenticity
Checker (TAC)
http://builtbackwards.com/projects/tac/

15. It gets worse: base64 encoded footer
Are you really sure you want
to see that footer.php file?
15

16. Right… NICE FOOTER!
16

17. If you are REALLY curious…
 http://ottodestruct.com/decoder.php
 http://www.tareeinternet.com/scripts/byterun.php
 http://www.tareeinternet.com/scripts/decrypt.php
 http://rot13-encoder-decoder.waraxe.us/
The PHP code isn’t “really”
encrypted, rather kind of obfuscated.
Reversing is possible!

18. PLEASE… stay away
from “free” WordPress
themes – they’re not
free, really!

19. #7 Update your blogs regularly!
 WP Updates Notifier to get emails
on out-dated components
(core, themes & plug-ins) for all
blogs:
– http://wordpress.org/extend/plugins
/wp-updates-notifier/
 ManageWP can do one-click mass
updates (core, themes, plug-ins
again) for all your blogs:
– http://managewp.com/features

20. #8 Keep your installation clean
Remove all inactive
plug-ins as well as themes!
20

21. #9 Scan your Theme daily
WP AntiVirus
http://wordpress.org/extend/plugins/antivirus/

22. #10 Harden your Security Settings
Secure WordPress
Most important: Remove version
number from ALL components &
block malicious URL requests.
http://wordpress.org/extend/plugins/secure-wordpress/

23. #11 Protect wp-admin
Recommended: Try the “Lockdown
WP Admin” plug-in to protect PHP files
in wp-admin as well as the login itself.
Put an .htaccess to your
/wp-admin/ for basic
passwd. protection.
http://wordpress.org/extend/plugins/lockdown-wp-admin/

24. #12 Fix File & Folder Permissions
WP-Security Scan
Very important: chmod your
wp-config.php to be read-only!
http://wordpress.org/extend/plugins/wp-security-scan/

25. #13 Move the “wp-content” folder
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content');
WP_CONTENT_DIR points to “new”
the full local path (no trailing slash)
define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
WP_CONTENT_URL points to “new”
full URI (no trailing slash either)

26. #14 SSL Logins & Administration
define('FORCE_SSL_LOGIN', true);
Set FORCE_SSL_LOGIN to “true” to
force all logins to happen over SSL.
(still allows non-SSL admin sessions)
define('FORCE_SSL_ADMIN', true);
Use FORCE_SSL_ADMIN to force all
logins and all admin sessions to
happen over SSL (can be slow…)

27. Section #2: WordPress SEO

28. #15 WordPress SEO by Yoast
Make sure to uncheck this!
Enables setting
noindex, canonical & 301
(for users) on a per-post
basis

29. #15 WordPress SEO by Yoast
You surely don‘t need paged
archives, categories, etc. –
they‘re targeting the same
keys anyways.
Affiliate sites mainly have
pages, no need for RSS.
Check all of them!

30. #15 WordPress SEO by Yoast
Set proper a page title &
description, also choose
author for SERP listing

31. #15 WordPress SEO by Yoast
Use help section to get
details for all 30+ variables!
Keep unchecked unless
you’re publishing news.
Default value has been
changed w/ last update.

32. In addition: Post-level settings
You can overwrite defaults
on a per-post level using
the “Advanced” settings.
32

33. #15 WordPress SEO by Yoast
Usually you just need one
(unless having a HUGE
amount of content) –
“noindex” the other one!

34. #15 WordPress SEO by Yoast
Especially w/ single-authored
blogs, those are a 1:1 copy of
your homepage.
301 is the better solution!

35. #15 WordPress SEO by Yoast
For larger sites, check to auto-
generate XML sitemaps.
Remember to check excludes!

36. #15 WordPress SEO by Yoast
Make absolutely sure
you‘re using these!

37. BTW: Clean those URL-Slugs
WP Permalauts
Especially important for
Germany, France, etc.
http://wordpress.org/extend/plugins/wp-permalauts/

38. #15 WordPress SEO by Yoast

39. Trust me… things change!
Check out SEO data transporter
to switch SEO plug-ins!

40. Migration made easy: Painless switching!
SEO Data Transporter
http://wordpress.org/extend/plugins/seo-data-transporter/

41. Section #3: More SEO…

42. Credits: http://bit.ly/T8wMwO
Make absolutely sure you only
use plug-ins from trusted authors!

43. #16 Fix your Pagination
Better crawl-ability, better WP-PageNavi
indexation – what else u want?
WordPress pagination
s*cks, replace it!
http://wordpress.org/extend/plugins/wp-pagenavi/

44. #17 Improve internal Cross-Linking
Yet Another Related
Posts Plugin
http://wordpress.org/extend/plugins/yet-another-related-posts-plugin/

45. #18 Auto-optimize Image Attributes
SEO Friendly Images
Forces post title &
image name to be used
as img alt-attribute
http://wordpress.org/extend/plugins/seo-image/

46. #19 Redirect old Contents
Redirection
http://wordpress.org/extend/plugins/redirection/

47. #20 Have Rich-Snippets if possible
Schema Creator
http://wordpress.org/extend/plugins/schema-creator/

48. #21 Mask your Affiliate Links
Eclipse Link Cloaker
http://eclipsecloaker.com/

49. Don’t forget to tweak your robots.txt
We don‘t want some WP
User-Agent: * specific files & folders
Disallow: /wp-admin/
Disallow: /feed/
Disallow: /comments/feed/
Disallow: /*/trackback/$
Disallow: /*/feed/$
Disallow: /*.css$ Adjust according to your
Disallow: /*.js$
Disallow: /r/
Link Cloaker settings.
49

50. Section #4: Engagement

51. #22 Responsive WP-Slider in Seconds
Soliloquy Slider
http://soliloquywp.com/

52. #23 Create an „UberMenu“
UberMenu
http://gdig.de/ubermenu

53. #24 Create beautiful Popups
Ninja Popups
http://gdig.de/npopup

54. #25 Fix your Internal Search
Relevanssi Search
http://wordpress.org/extend/plugins/relevanssi/

55. #26 Selling goods within WordPress?
Easy Digital Downloads
https://easydigitaldownloads.com/

56. #27 Make it multi-lingual
WPML
http://wpml.org/

57. #28 Make it work on Mobile Devices
WPtouch
http://wordpress.org/extend/plugins/wptouch/

58. Section #5: Maintenance
58

59. #29 Do a Theme Test Drive
Live-Testing a new theme
without anyone else
noticing… nice!
http://wordpress.org/extend/plugins/theme-test-drive/

60. #30 Debug your WordPress
P3 (Plugin Perf. Profiler)
http://wordpress.org/extend/plugins/p3-profiler/

61. #30 Debug your WordPress
P3 (Plugin Perf. Profiler)
http://wordpress.org/extend/plugins/p3-profiler/

62. #30 Debug your WordPress
P3 (Plugin Perf. Profiler)
http://wordpress.org/extend/plugins/p3-profiler/

63. #31 Debug your WordPress
Debug Objects
http://wordpress.org/extend/plugins/debug-objects/

64. #32 Enable Akismet
Just enable, get an API key
and turn „auto-delete“ on!

65. #33 Backup Database & Files
BackWPup
http://wordpress.org/extend/plugins/backwpup/

66. #34 Watch out for Errors
 Knowledge is power
 Use a 404 logger
– Analytics software
– Redirection (built-in)
– Webserver logs
 Setup 301 redirects
accordingly using
“Redirection”, again.
Image-Credits: http://gdig.de/i

67. #35 Maintain Categories & Tags
Term Mgmt. Tools
Mass merge &
change parents
http://wordpress.org/extend/plugins/term-management-tools/

68. Section #6: Performance

69. Scoring domains by
performance; give it a try!
https://developers.google.com/pagespeed/

70. #36 Compress those Images
13.2% savings WP Smush.it
for one image!
http://wordpress.org/extend/plugins/wp-smushit/

71. Tip: Make images even smaller!
Use tinyPNG to optimize
PNG files without loosing in
quality (up to 70% savings)
JPEGmini does the same for JPEG
files and will reduce your images
massively (up to 80% smaller)!
http://tinypng.org/ & http://www.jpegmini.com/

72. #37 Setup a Caching Plug-in
W3 Total Cache
http://wordpress.org/extend/plugins/w3-total-cache/

73. #38 Combine multiple CSS files
 Combine CSS files into one to
reduce the number of HTTP requests
 Minify the big file by removing white-
spaces, etc. to reduce file size per request
– Check: W3Total > Performance > Minify!
 Same goes for JavaScript as well… and put those
JS files into the footer, if possible!
73

74. #39 Do CSS-Sprites
http://spriteme.org/

75. Tip: Move static contents to a CDN
Latency is crucial – especially if you’re serving a global
audience, offloading statics to a CDN will give additional
performance.
CDN Overview: http://gdig.de/cdns

76. #40 Off-load JS-Libs
WP Use Google Libraries
Simply enable the plug-in &
serve JS libs from Google‘s CDN!
http://wordpress.org/extend/plugins/use-google-libraries/

77. How to make your site lightning-fast…
http://www.slideshare.net/bastiangrimm

78. OMCap 2011 - Online Marketing Konferenz Berlin
And that’s it! …
13.10.2011 78

79. Thanks! Questions?
mail@grimm-digital.com
twitter.com/basgr
linkedin.com/in/bastiangrimm
facebook.com/grimm.digital
http://gdig.de/sydney1
Bastian Grimm, Managing Partner - Grimm Digital