XML-RPC allows remote connections to your WordPress site (e.g. from the mobile app or for pingbacks). Most sites do not need it, and it is a common target: a single XML-RPC request can carry many calls (system.multicall), which attackers use to amplify password brute-forcing, and pingback.ping lets anyone make your server send requests to other hosts. To disable it, add the following to your functions.php file. Note that this filter only rejects XML-RPC methods that require a login; xmlrpc.php still answers, and unauthenticated methods such as pingback.ping keep working unless you also remove them (via the xmlrpc_methods filter) or block xmlrpc.php at the web server. Quick check: POST a wp.getUsersBlogs call to /xmlrpc.php; the reply should contain faultCode 405 and "XML-RPC services are disabled on this site." For more tips, see the guide on securing your WordPress site.
add_filter( 'xmlrpc_enabled', '__return_false' );
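The following is an added example, not code from the original page: it layers the pieces the single filter above leaves out, so that xmlrpc.php can neither be used for pingback reflection nor advertise itself. It assumes you have no legitimate XML-RPC client (Jetpack and the mobile apps need it); the final hard block is optional and marked as such.

```php
<?php
/**
 * Added example (not from the original page): harden XML-RPC beyond the
 * xmlrpc_enabled filter. Put it in functions.php or a small mu-plugin.
 * Assumption: nothing on this site legitimately talks XML-RPC.
 */

// 1. Reject every method that requires a login (wp.*, blogger.*, mt.*, ...).
//    This is what xmlrpc_enabled does: each call in a system.multicall
//    brute-force batch now fails with fault 405 instead of checking a password.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the pingback methods, which work WITHOUT a login and are the
//    ones abused for reflected requests. (system.listMethods/system.multicall
//    are re-added by the IXR server after this filter, so they cannot be
//    removed here; step 4 covers them.)
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset(
		$methods['pingback.ping'],
		$methods['pingback.extensions.getPingbacks']
	);
	return $methods;
} );

// 3. Stop advertising the endpoint and refuse incoming pingbacks/trackbacks
//    on posts even if a client reaches it.
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );
add_filter( 'pings_open', '__return_false' );

// 4. Optional hard block: xmlrpc.php defines XMLRPC_REQUEST before loading
//    WordPress, so we can answer 403 at init, before the request body is parsed.
//    Remove this block if any plugin or app of yours needs XML-RPC.
add_action( 'init', function () {
	if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
		status_header( 403 );
		exit;
	}
}, 0 );
```

After adding this, a POST to /xmlrpc.php should return 403 (with step 4) or a fault for pingback.ping (without it), and the response headers of a single post should no longer contain X-Pingback. Remember that a `<link rel="pingback">` tag hard-coded in your theme's header.php has to be removed by hand.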
The WordPress REST API (/wp-json/) is public by default: anyone can list posts, and /wp/v2/users lists the author slugs (usually the login names) of every user who has published content, which makes password guessing easier. If you do not need anonymous access, restrict the API to logged-in users with the snippet below. Be aware that this also blocks front-end plugins that call the REST API without a login (contact forms, WooCommerce's Store API) and oEmbed of your posts on other sites, so test your site after adding it. Add the following to your functions.php file. For more ways to secure the WordPress REST API, see the guide on that topic.
add_filter( 'rest_authentication_errors', function( $result ) {
	// If another authentication method already succeeded (true) or failed
	// (WP_Error), pass that result through untouched.
	if ( true === $result || is_wp_error( $result ) ) {
		return $result;
	}
	// No authentication has happened yet: refuse anonymous requests.
	if ( ! is_user_logged_in() ) {
		return new WP_Error( 'rest_not_logged_in', 'You must be logged in.', array( 'status' => 401 ) );
	}
	// Logged-in requests continue to the normal capability checks.
	return $result;
} );
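If closing the whole API breaks too much, a narrower option is to keep it public and require a login only for sensitive routes. The following is an added example, not code from the original page; it uses the rest_pre_dispatch filter, which (unlike rest_authentication_errors) receives the request, and the list of protected route prefixes is an assumption you should adjust to your site.

```php
<?php
/**
 * Added example (not from the original page): keep the REST API public but
 * require a login for selected routes. Prefix match, so '/wp/v2/users' also
 * covers '/wp/v2/users/1' and '/wp/v2/users/me'. The list is an assumption.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	$protected = array(
		'/wp/v2/users',  // user enumeration: login names / author slugs
	);

	// rest_pre_dispatch runs after cookie authentication, so a logged-in
	// browser without a valid REST nonce is already treated as anonymous
	// here; that is the CSRF protection we want to keep.
	if ( is_user_logged_in() ) {
		return $result; // core capability checks still apply
	}

	$route = $request->get_route(); // e.g. '/wp/v2/users/1'
	foreach ( $protected as $prefix ) {
		if ( 0 === strpos( $route, $prefix ) ) {
			return new WP_Error(
				'rest_forbidden',
				'You must be logged in to access this resource.',
				array( 'status' => 401 )
			);
		}
	}

	return $result; // null: let the request dispatch normally
}, 10, 3 );
```

Both URL forms go through the same dispatcher, so /wp-json/wp/v2/users and /?rest_route=/wp/v2/users are covered. Check with a plain (logged-out) request to /wp-json/wp/v2/users: you should get a 401 JSON error, while /wp-json/wp/v2/posts still works.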
preconnect tells the browser to open the connection (DNS lookup, TCP and TLS handshake) to an external origin before the first resource from it is requested, which cuts load time for assets on that host. Useful for Google Fonts, CDNs, and similar. Add the tags to header.php or print them from a wp_head callback. The crossorigin attribute on fonts.gstatic.com is required: font files are fetched in anonymous CORS mode, and a preconnect without crossorigin opens a connection the font request cannot reuse. For more on improving Google Fonts loading with preconnect, see the separate guide.
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
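The same hints can be registered through WordPress's resource hints API instead of editing header.php, which keeps them inside wp_head, deduplicates them and lets caching or optimisation plugins see them. This is an added example, not code from the original page.

```php
<?php
/**
 * Added example (not from the original page): emit the two preconnect hints
 * above through the wp_resource_hints filter. WordPress prints them as
 * <link rel='preconnect' ...> tags during wp_head.
 */
add_filter( 'wp_resource_hints', function ( $urls, $relation_type ) {
	if ( 'preconnect' === $relation_type ) {
		// Stylesheet origin: a plain URL is enough.
		$urls[] = 'https://fonts.googleapis.com';
		// Font-file origin: fetched in CORS mode, so the hint needs crossorigin,
		// otherwise the browser opens a connection the font request cannot reuse.
		$urls[] = array(
			'href' => 'https://fonts.gstatic.com',
			'crossorigin',
		);
	}
	return $urls;
}, 10, 2 );
```

View the page source after adding it: both tags should appear in the head, the second one with a bare crossorigin attribute.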
WordPress adds loading="lazy" to images by default and, since WordPress 5.7, also to iframes in post content, but only to iframes that carry width and height attributes (lazy-loading an unsized iframe would shift the layout). Embeds without those attributes are left alone; the following code adds lazy loading to every iframe in the content that does not already have a loading attribute. For more performance tips, see the Guide to Google PageSpeed for WordPress.
add_filter( 'the_content', function( $content ) {
	// Only touch <iframe> tags with no loading="..." attribute yet, so the
	// attribute is never emitted twice; the match is case-insensitive.
	return preg_replace( '/<iframe(?![^>]*\bloading=)/i', '<iframe loading="lazy"', $content );
} );
If you want to send visitors who land on a non-existent page (404) to the homepage, add the following code. Note: Google recommends showing a proper (custom) 404 page instead; a blanket redirect hides broken links from you and from crawlers, and Google treats a redirect to the homepage as a "soft 404" anyway. The 302 below is deliberate: a 301 would be cached by browsers and search engines. For more on what causes 404 errors and how to handle them, see the separate guide.
add_action( 'template_redirect', function() {
if ( is_404() ) {
wp_redirect( home_url(), 302 );
exit;
}
} );
Sometimes you want search engines not to index a specific post type (e.g. landing pages). The following code prints a noindex, nofollow robots meta tag on single views of a custom post type (CPT). For more on keeping pages out of search results, see the separate guide.
add_action( 'wp_head', function() {
	if ( is_singular( 'your_post_type' ) ) {
		echo '<meta name="robots" content="noindex, nofollow">' . "\n";
	}
} );
Replace your_post_type with your CPT slug.
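WordPress 5.7 and later already print their own robots meta tag from the wp_robots filter, so echoing a second one in wp_head yields two robots tags on the page. The following is an added example, not code from the original page: it applies the same noindex, nofollow rule by adding the directives to that filter, so they end up in the single tag WordPress prints. your_post_type is again a placeholder for your CPT slug.

```php
<?php
/**
 * Added example (not from the original page): noindex, nofollow for one CPT
 * through the wp_robots filter (WordPress 5.7+). $robots maps a directive to
 * true (bare directive) or to a string value (e.g. 'max-image-preview' => 'large').
 */
add_filter( 'wp_robots', function ( $robots ) {
	if ( is_singular( 'your_post_type' ) ) {
		$robots['noindex']  = true;
		$robots['nofollow'] = true;
		// Do not leave contradicting directives behind.
		unset( $robots['index'], $robots['follow'] );
	}
	return $robots;
} );
```

Check a single CPT page: the head should contain exactly one robots meta tag, with noindex, nofollow next to whatever directives WordPress adds by default.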
HPOS (High-Performance Order Storage) stores WooCommerce orders in dedicated tables instead of wp_posts/wp_postmeta, which speeds up order queries. Before you switch it on, every plugin that touches orders must declare that it is compatible with custom order tables; the snippet below is that declaration, not the switch itself. Call it from your plugin's main file, so that __FILE__ is the plugin file the declaration is recorded against. For more on enabling HPOS in WooCommerce, see the separate guide.
add_action( 'before_woocommerce_init', function() {
	// Declare this plugin compatible with HPOS (feature id 'custom_order_tables').
	if ( class_exists( \Automattic\WooCommerce\Utilities\FeaturesUtil::class ) ) {
		\Automattic\WooCommerce\Utilities\FeaturesUtil::declare_compatibility( 'custom_order_tables', __FILE__, true );
	}
} );
Then enable it under WooCommerce > Settings > Advanced > Features; that screen lists any active plugin that has not declared compatibility.
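Declaring compatibility is only honest if your order code really is storage-agnostic. The following is an added example, not code from the original page or from WooCommerce: it contrasts a legacy read that breaks under HPOS with the CRUD calls that work with either storage. The meta key _fraud_score and the 7-day window are assumptions.

```php
<?php
/**
 * Added example (not from the original page): what "HPOS compatible" means in
 * practice. With custom order tables enabled, orders are no longer rows in
 * wp_posts, so get_post_meta() / WP_Query on 'shop_order' return nothing
 * (or stale data if compatibility sync is on). Use the WooCommerce CRUD API.
 * Assumed names: meta key '_fraud_score', function names below.
 */
use Automattic\WooCommerce\Utilities\OrderUtil;

// Before (breaks under HPOS): reads order meta straight from wp_postmeta.
function legacy_fraud_score( $order_id ) {
	return get_post_meta( $order_id, '_fraud_score', true );
}

// After: storage-agnostic. Works with wp_posts and with the HPOS tables.
function hpos_safe_fraud_score( $order_id ) {
	$order = wc_get_order( $order_id );
	if ( ! $order ) {
		return null;
	}
	return $order->get_meta( '_fraud_score', true );
}

// Writes go through the order object too, so they land in the right table.
function flag_order( $order_id, $score ) {
	$order = wc_get_order( $order_id );
	if ( ! $order ) {
		return false;
	}
	$order->update_meta_data( '_fraud_score', (int) $score );
	$order->save();
	return true;
}

// Storage-agnostic query instead of WP_Query( post_type => 'shop_order' ):
// processing orders created in the last 7 days (window is an assumption).
function recent_processing_orders() {
	return wc_get_orders( array(
		'status'       => 'wc-processing',
		'date_created' => '>' . ( time() - 7 * DAY_IN_SECONDS ),
		'limit'        => 50,
		'orderby'      => 'date',
		'order'        => 'DESC',
	) );
}

// Only branch on the active storage when you must (e.g. hand-written report SQL).
function orders_use_custom_tables() {
	return class_exists( OrderUtil::class ) && OrderUtil::custom_orders_table_usage_is_enabled();
}
```

Grep your plugin for get_post_meta, update_post_meta and WP_Query/get_posts on shop_order before declaring compatibility; each hit is a place that needs the wc_get_order / wc_get_orders form above.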
The WordPress Heartbeat API sends an AJAX request (admin-ajax.php) to the server at a regular interval, every 15 seconds in the post editor and every 60 seconds elsewhere in the admin. It is what drives auto-save, post locking ("this post is being edited by ...") and the session-expiry warning, but every tick is a full PHP request per open browser tab, so on shared hosting it can cause noticeable CPU load. For more ways to improve your site speed, see the Guide to Google PageSpeed for WordPress Users.
If you want to slow down the Heartbeat or disable it completely, add the following code to your functions.php file:
/**
 * Disable or slow down the WordPress Heartbeat API.
 * Pick ONE of the two options below.
 */
add_action( 'init', function() {
	// Option 1: disable Heartbeat completely (also removes auto-save,
	// post locking and the session-expiry warning).
	wp_deregister_script( 'heartbeat' );

	// Option 2: keep Heartbeat but poll every 60 seconds.
	// WordPress clamps the interval to 15-120 seconds.
	// (Uncomment this and remove Option 1.)
	// add_filter( 'heartbeat_settings', function( $settings ) {
	//     $settings['interval'] = 60;
	//     return $settings;
	// } );
}, 1 );
Note: fully disabling Heartbeat removes auto-save and post locking in the editor. If you need those, use Option 2 (slow down to 60 seconds) instead of a full disable.
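A middle ground that most sites actually want is to keep Heartbeat only where it does something useful (the post editor) and switch it off on every other screen. The following is an added example, not code from the original page; the screen list and the 60-second interval are assumptions.

```php
<?php
/**
 * Added example (not from the original page): disable Heartbeat everywhere
 * except the post editor, and slow it down there. Runs at init priority 1,
 * before admin scripts are printed. $pagenow is set by WordPress before init.
 */
add_action( 'init', function () {
	global $pagenow;

	// The only screens where losing Heartbeat costs you something:
	// auto-save and post locking live here. (Assumed list.)
	$editor_screens = array( 'post.php', 'post-new.php' );

	if ( ! is_admin() || ! in_array( $pagenow, $editor_screens, true ) ) {
		// Front end, dashboard, settings pages, ...: no polling at all.
		wp_deregister_script( 'heartbeat' );
		return;
	}

	// In the editor: poll every 60 s instead of 15 s.
	// WordPress clamps 'interval' to the 15-120 second range.
	add_filter( 'heartbeat_settings', function ( $settings ) {
		$settings['interval'] = 60;
		return $settings;
	} );
}, 1 );
```

To verify, open the browser's network tab: on the dashboard there should be no recurring admin-ajax.php requests with action=heartbeat, while in the editor they should arrive about once a minute.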
WordPress loads emoji scripts (wp-emoji-release.min.js, etc.) on every page by default. Most sites do not need this, and the scripts add unnecessary HTTP requests and a bit of overhead.
To remove the emoji scripts, add the following code to your functions.php file:
/**
* Remove WordPress emoji scripts
*/
remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
remove_action( 'wp_print_styles', 'print_emoji_styles' );
remove_action( 'admin_print_styles', 'print_emoji_styles' );
remove_filter( 'the_content_feed', 'wp_staticize_emoji' );
remove_filter( 'comment_text_rss', 'wp_staticize_emoji' );
remove_filter( 'wp_mail', 'wp_staticize_emoji_for_email' );
add_filter( 'tiny_mce_plugins', function( $plugins ) {
return is_array( $plugins ) ? array_diff( $plugins, array( 'wpemoji' ) ) : array();
} );
Result: fewer HTTP requests and lighter pages. For more performance tips, see the Guide to Google PageSpeed for WordPress Users.
Custom post types only get comments if you ask for them: register_post_type() supports just 'title' and 'editor' by default, so neither the comment form nor the Comments meta box appears on a CPT. To enable comments, add 'comments' to the supports array where you register the post type:
function snippet_custom_init() {
$labels = array(
'name' => 'Snippet',
'singular_name' => 'Snippet',
'add_new' => 'Add New Snippet',
'add_new_item' => 'Add New Snippet',
'edit_item' => 'Edit Snippet',
'new_item' => 'New Snippet',
'all_items' => 'All Snippets',
'view_item' => 'View Snippet',
'search_items' => 'Search Snippets',
'not_found' => 'No snippets found',
'not_found_in_trash' => 'No snippets found in trash',
'parent_item_colon' => '',
'menu_name' => 'Snippets',
);
$args = array(
'labels' => $labels,
'exclude_from_search' => false,
'public' => true,
'publicly_queryable' => true,
'show_ui' => true,
'show_in_menu' => true,
'query_var' => true,
'rewrite' => array( 'slug' => 'snippet' ),
'capability_type' => 'post',
'has_archive' => true,
'hierarchical' => false,
'taxonomies' => array('category'),
'menu_position' => null,
// 'comments' is what enables the comment form and the Comments meta box.
'supports' => array( 'title', 'author', 'thumbnail', 'excerpt', 'comments', 'editor' )
);
register_post_type( 'snippet', $args );
}
add_action( 'init', 'snippet_custom_init', 0);