WordPress saves revisions of every post by default. Limiting the number saves database space. Add to your wp-config.php file (before “That’s all, stop editing!”). For more on improving performance.
define( 'WP_POST_REVISIONS', 3 );Set 0 to disable completely or a number (e.g. 3-5) to limit.
WordPress loads wp-block-library.css on every page, even when the site does not use blocks. If your theme does not use Gutenberg blocks, you can remove it. Add to your functions.php file. For more on CSS optimization.
add_action( 'wp_enqueue_scripts', function() {
wp_dequeue_style( 'wp-block-library' );
wp_dequeue_style( 'wp-block-library-theme' );
wp_dequeue_style( 'global-styles' );
}, 100 );Note: If the page has block content, the CSS may break.
WordPress adds REST API links (wp-json) to wp_head. If you do not need public API access, remove the links. Add to your functions.php file. For more on securing the REST API.
remove_action( 'wp_head', 'rest_output_link_wp_head' );
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );WordPress automatically updates minor versions. If you prefer to control updates manually, add the code. For more on disabling automatic updates.
define( 'AUTOMATIC_UPDATER_DISABLED', true );
add_filter( 'auto_update_core', '__return_false' );
add_filter( 'auto_update_plugin', '__return_false' );
add_filter( 'auto_update_theme', '__return_false' );Add lines 2-4 to functions.php. Add line 1 to wp-config.php.
WordPress adds meta tags for shortlink, RSD (Really Simple Discovery), and wlwmanifest (Windows Live Writer). Most sites do not need them. Add to your functions.php file. For more on securing WordPress.
remove_action( 'wp_head', 'wp_shortlink_wp_head' );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'wp_generator' );WordPress loads jQuery Migrate for backward compatibility. If your site and plugins support modern jQuery, you can remove Migrate and save an HTTP request. Add to your functions.php file. For more on performance optimization.
add_action( 'wp_default_scripts', function( $scripts ) {
if ( ! is_admin() && isset( $scripts->registered['jquery'] ) ) {
$script = $scripts->registered['jquery'];
if ( $script->deps ) {
$script->deps = array_diff( $script->deps, array( 'jquery-migrate' ) );
}
}
} );WordPress adds ?ver=X.X to CSS and JS files. Removing the version parameter can improve caching. Add to your functions.php file. For more tips on removing scripts and styles.
add_filter( 'script_loader_src', function( $src ) {
return remove_query_arg( 'ver', $src );
}, 15, 1 );
add_filter( 'style_loader_src', function( $src ) {
return remove_query_arg( 'ver', $src );
}, 15, 1 );XML-RPC allows remote connections to your WordPress site (e.g. from the app or for Pingbacks). Most sites do not need it, and it can be exploited. To disable, add to your functions.php file. For more tips on securing your WordPress site.
add_filter( 'xmlrpc_enabled', '__return_false' );The WordPress REST API is public by default. If you do not need public access, restrict it to logged-in users. Add to your functions.php file. For more ways to secure the WordPress REST API.
add_filter( 'rest_authentication_errors', function( $result ) {
if ( ! is_user_logged_in() ) {
return new WP_Error( 'rest_not_logged_in', 'You must be logged in.', array( 'status' => 401 ) );
}
return $result;
} );preconnect lets the browser start a connection to an external server earlier, reducing load time. Useful for Google Fonts, CDNs, and more. Add to header.php or via wp_head. For more on improving Google Fonts loading with preconnect.
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>