The document outlines essential strategies for optimizing and securing WordPress sites, emphasizing the importance of using trusted plugins, maintaining clean installations, and regularly updating components. Key recommendations include enforcing security measures like SSL, managing file permissions, and utilizing SEO plugins effectively. Additionally, it covers performance enhancements such as image optimization, caching, and mobile compatibility through various suggested plugins.

1. WordPress
Optimization & Security
London Affiliate Conference
February 2013
http://gdig.de/lac13
Bastian Grimm, Managing Partner - Grimm Digital

2. About me
SEO Trainings, Seminars & Strategy Consulting
WordPress Security, Consulting & Development
@basgr
International „Expired Domains“ marketplace
2

3. Get the Slide-Deck
http://gdig.de/lac13
3

4. Who is running WordPress?!

5. See… that‘s the issue!
It’s the “hackers” most-loved target!

6. Section #1: Security

7. #1 Never EVER do this!
These sites are
more than worse…

8. A quick peak into some theme files…
LOL! „family friendly“
links – my a*s…
8

9. A quick peak into some theme files…
functions.php: This theme
won‘t be working without
those links…
9

10. #2 Always use TAC to do a pre-check!
Theme Authenticity
Checker (TAC)
http://builtbackwards.com/projects/tac/

11. It get’s worse: base64 encoded footer
Are you really sure you want
to see that footer.php file?
11

12. Right… NICE FOOTER!
12

13. If you are REALLY curious…
 http://ottodestruct.com/decoder.php
 http://www.tareeinternet.com/scripts/byterun.php
 http://www.tareeinternet.com/scripts/decrypt.php
 http://rot13-encoder-decoder.waraxe.us/
The PHP code isn’t “really”
encrypted, rather kind of obfuscated.
Reversing is possible!

14. PLEASE… stay away
from “free” WordPress
themes – they’re not
free, really!

15. #3 Keep your installation clean
Remove all non-active
plug-ins as well as themes!
15

16. #4 Do updates regularly!
 WP Updates Notifier to get emails
on out-dated components (core,
themes & plug-ins) for all blogs:
– http://wordpress.org/extend/plugins
/wp-updates-notifier/
 ManageWP can do one-click mass
updates (core, themes, plug-ins
again) for all your blogs:
– http://managewp.com/features

17. #5 Daily scan your Theme
WP AntiVirus
http://wordpress.org/extend/plugins/antivirus/

18. Register now!
Really, it’s free!
http://bluemonitor.net/en/

19. #6 Harden your Security Settings
Secure WordPress
Most important: Remove version
number from ALL components &
block malicious URL requests.
http://wordpress.org/extend/plugins/secure-wordpress/

20. #7 Protect wp-admin by .htaccess
Put an .htaccess to your
/wp-admin/ for basic
passwd. protection.
You can also try the “Lockdown WP
Admin” plug-in to protect PHP files in
wp-admin as well as the login itself.
http://wordpress.org/extend/plugins/lockdown-wp-admin/

21. #8 Fix File & Folder Permissions
WP-Security Scan
Very important: chmod your
wp-config.php to be read-only!
http://wordpress.org/extend/plugins/wp-security-scan/

22. #9 Moving the “wp-content” folder
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content');
WP_CONTENT_DIR points to “new”
the full local path (no trailing slash)
define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
WP_CONTENT_URL points to “new”
full URI (no trailing slash either)

23. #10 SSL Logins & Administration
define('FORCE_SSL_LOGIN', true);
Set FORCE_SSL_LOGIN to “true” to
force all logins to happen over SSL.
(still allows non-SSL admin sessions)
define('FORCE_SSL_ADMIN', true);
Use FORCE_SSL_ADMIN to force all
logins and all admin sessions to
happen over SSL (can be slow…)

24. BTW: How to do it?
Just find this
beast…
… don’t use this
piece of sh*t…
… and put directives
before here!

25. Section #2: WordPress SEO

26. #11 WordPress SEO by Yoast
Make sure to uncheck this!
Enables setting noindex,
canonical & 301 (for users)
on a per-post basis

27. #11 WordPress SEO by Yoast
You surely don‘t need paged
archives, categories, etc. –
they‘re targeting the same
keys anyways.
Affiliate sites mainly have
pages, no need for RSS.
Check all of them!

28. #11 WordPress SEO by Yoast
Set proper page title &
description, also choose
author for SERP listing

29. #11 WordPress SEO by Yoast
Use help section to get
details an all 30+ variables!
Keep unchecked unless
you’re publishing news.
Default value has been
changed w/ last update.

30. In addition: Post-level settings
You can overwrite defaults
on a per-post level using
the “Advanced” settings.
30

31. #11 WordPress SEO by Yoast
Usually you just need one
(unless having a HUGE
amount of content) –
“noindex” the other one!

32. #11 WordPress SEO by Yoast
Especially w/ single-authored
blogs, those are a 1:1 copy of
your homepage.
301 is the better solution!

33. #11 WordPress SEO by Yoast
For larger sites, check to auto-
generate XML sitemaps.
Remember to check excludes!

34. #11 WordPress SEO by Yoast
Make absolutely sure
you‘re using these!

35. BTW: Clean those URL-Slugs
WP Permalauts
Especially important for
Germany, France, etc.
http://wordpress.org/extend/plugins/wp-permalauts/

36. #11 WordPress SEO by Yoast

37. Trust me… things change!
Check out SEO data transporter
to switch SEO plug-ins!

38. Migration made easy: Painless switching!
SEO Data Transporter
http://wordpress.org/extend/plugins/seo-data-transporter/

39. Section #3: Plug-ins

40. Credits: http://bit.ly/T8wMwO
Make absolutely sure you only
use plug-ins from trusted authors!

41. #12 Fix your Pagination
Better crawl-ability, better WP-PageNavi
indexation – what else u want?
WordPress pagination
s*cks, replace it!
http://wordpress.org/extend/plugins/wp-pagenavi/

42. #13 Improve internal Cross-Linking
Yet Another Related
Posts Plugin
http://wordpress.org/extend/plugins/yet-another-related-posts-plugin/

43. #14 Auto-optimize Image Attributes
SEO Friendly Images
Forces post title &
image name to be used
as img alt-attribute
http://wordpress.org/extend/plugins/seo-image/

44. #15 Redirect old Contents
Redirection
http://wordpress.org/extend/plugins/redirection/

45. #16 Mask your Affiliate Links
Eclipse Link Cloaker
http://eclipsecloaker.com/

46. Don’t forget to tweak your robots.txt
We don‘t want some WP
User-Agent: * specific files & folders
Disallow: /wp-admin/
Disallow: /feed/
Disallow: /comments/feed/
Disallow: /*/trackback/$
Disallow: /*/feed/$
Disallow: /*.css$ Adjust according to your
Disallow: /*.js$
Disallow: /r/
Link Cloaker settings.
46

47. #17 Have Rich-Snippets if possible
Schema Creator
http://wordpress.org/extend/plugins/schema-creator/

48. #18 Fix your Internal Search
Relevanssi Search
http://wordpress.org/extend/plugins/relevanssi/

49. If you make it multi-lingual…
WPML
http://wpml.org/

50. Section #4: Mobile

51. #19 Make it work on Mobile Devices
WPtouch
http://wordpress.org/extend/plugins/wptouch/

52. Or try: WordPress Mobile Pack
Mobile Pack
Contains various add-ins such as
Mobile Theme, Widgets, Switcher, etc.
http://wordpress.org/extend/plugins/wordpress-mobile-pack/

53. Section #5: Maintenance
53

54. #20 Do a Theme Test Drive
Live-Testing a new theme
without anyone else
noticing… nice!
http://wordpress.org/extend/plugins/theme-test-drive/

55. #21 Debug your WordPress
P3 (Plugin Perf. Profiler)
http://wordpress.org/extend/plugins/p3-profiler/

56. #21 Debug your WordPress
P3 (Plugin Perf. Profiler)
http://wordpress.org/extend/plugins/p3-profiler/

57. #21 Debug your WordPress
P3 (Plugin Perf. Profiler)
http://wordpress.org/extend/plugins/p3-profiler/

58. #21 Debug your WordPress
Debug Objects
http://wordpress.org/extend/plugins/debug-objects/

59. #22 Enable Akismet
Just enable, get an API key
and turn „auto-delete“ on!

60. #23 Backup Database & Files
BackWPup
http://wordpress.org/extend/plugins/backwpup/

61. #24 Watch out for Errors
 Knowledge is power
 Use a 404 logger
– Analytics software
– Redirection (built-in)
– Webserver logs
 Setup 301 redirects
accordingly using
“Redirection”, again.
Image-Credits: http://gdig.de/i

62. #25 Maintain Categories & Tags
Term Mgmt. Tools
Mass merge &
change parents
http://wordpress.org/extend/plugins/term-management-tools/

63. Section #6: Performance

64. Scoring domains by
performance; check it out!
https://developers.google.com/pagespeed/

65. #26 Compress those Images
13.2% savings WP Smush.it
for one image!
http://wordpress.org/extend/plugins/wp-smushit/

66. Or try this one - if you don’t like Yahoo…
Run‘s awesome CW Image
image optimization Optimizer
but requires Unix
„littleutils“
http://wordpress.org/extend/plugins/cw-image-optimizer/

67. #27 Setup a Caching Plug-in
W3 Total Cache
http://wordpress.org/extend/plugins/w3-total-cache/

68. #28 Combine multiple CSS files
 Combine CSS files into one to
reduce the number of HTTP requests
 Minify the big file by removing white-
spaces, etc. to reduce file size per request
– Check: W3Total > Performance > Minify!
 Same goes for JavaScript as well… and put those
JS files into the footer, if possible!
68

69. #29 Do CSS-Sprites
http://spriteme.org/

70. #30 Off-load JS-Libs
WP Use Google Libraries
Simply enable the plug-in &
serve JS libs from Google‘s CDN!
http://wordpress.org/extend/plugins/use-google-libraries/

71. How to make your site lightning-fast…
http://gdig.de/smxspeed
71

72. OMCap 2011 - Online Marketing Konferenz Berlin
And that’s it! …
13.10.2011
Wait, still not enough? 72

73. If you’re into automation…
Auto Poster
http://www.nextscripts.com/

75. Thanks! Questions?
mail@grimm-digital.com
twitter.com/basgr
linkedin.com/in/bastiangrimm
facebook.com/grimm.digital
http://gdig.de/lac13
Bastian Grimm, Managing Partner - Grimm Digital