Sometimes you want search engines not to index a specific post type (e.g. landing pages). The following code adds noindex, nofollow to a specific custom post type (CPT). For more on preventing search results from being indexed, see the linked post.
add_action( 'wp_head', function() {
    // Output the robots meta tag only on single views of this post type.
    if ( is_singular( 'your_post_type' ) ) {
        echo '<meta name="robots" content="noindex, nofollow">' . "\n";
    }
} );
Replace your_post_type with your CPT slug.
HPOS (High-Performance Order Storage) improves order performance in WooCommerce. You can enable it via code. For more on enabling HPOS in WooCommerce, see the linked post.
add_action( 'before_woocommerce_init', function() {
    // Declare HPOS (custom order tables) compatibility if WooCommerce provides FeaturesUtil.
    if ( class_exists( \Automattic\WooCommerce\Utilities\FeaturesUtil::class ) ) {
        \Automattic\WooCommerce\Utilities\FeaturesUtil::declare_compatibility( 'custom_order_tables', __FILE__, true );
    }
} );
Then enable it under WooCommerce > Settings > Advanced > Features.
If you want to use the Classic Editor for a specific post type, add the following code. For more on creating Custom Post Types, see the linked post.
add_filter( 'use_block_editor_for_post_type', function( $use, $post_type ) {
    if ( $post_type === 'your_post_type' ) {
        return false;
    }
    return $use;
}, 10, 2 );
Replace your_post_type with your CPT slug.
WordPress loads oEmbed scripts for embedding content from YouTube, Twitter, etc. If you do not use embeds, remove them. For more performance tips, see the Guide to Google PageSpeed for WordPress.
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
remove_action( 'wp_head', 'wp_oembed_add_host_js' );
remove_action( 'rest_api_init', 'wp_oembed_register_route' );
add_filter( 'embed_oembed_discover', '__return_false' );
add_filter( 'oembed_dataparse', '__return_false' );
WordPress adds the logged-in class to the body when a user is logged in, but only in the admin. The following code adds a class on the frontend too. This is useful for custom styling or showing different content. For more on WordPress hooks and filters, see the linked post.
add_filter( 'body_class', function( $classes ) {
    if ( is_user_logged_in() ) {
        $classes[] = 'logged-in-user';
    }
    return $classes;
} );
XML-RPC allows remote connections to your WordPress site (e.g. from the app or for Pingbacks). Most sites do not need it, and it can be exploited. To disable it, add the following to your functions.php file. For more tips on securing your WordPress site, see the linked post.
add_filter( 'xmlrpc_enabled', '__return_false' );
The WordPress REST API is public by default. If you do not need public access, restrict it to logged-in users by adding the following to your functions.php file. For more ways to secure the WordPress REST API, see the linked post.
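add_filter( 'rest_authentication_errors', function( $result ) {
    // Keep the outcome if an earlier handler already authenticated the request or returned an error.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You must be logged in.', array( 'status' => 401 ) );
    }
    return $result;
} );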
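The snippet above rejects every anonymous REST request, including plugin endpoints that are meant to be public. The following is an added example, not code from the original post, that keeps the login requirement but lets an explicit allowlist of routes through. The route names are hypothetical placeholders, and reading the route from `$GLOBALS['wp']->query_vars['rest_route']` assumes the request reached the REST server through the normal /wp-json/ or ?rest_route= path.

```php
<?php
/**
 * Added example (not from the original post): require login for the REST API,
 * except for an explicit allowlist of public routes.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Keep a decision already made by an earlier authentication handler.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // Logged-in users (cookie + nonce, application passwords) pass through.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Hypothetical routes (assumption): list only what must stay public.
    $public_routes = array(
        '/example-forms/v1/submit',
        '/example-shop/v1/catalog',
    );

    // Requested route, e.g. "/wp/v2/users"; empty if it cannot be determined.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? untrailingslashit( (string) $GLOBALS['wp']->query_vars['rest_route'] )
        : '';

    foreach ( $public_routes as $allowed ) {
        // Match the route itself or anything below it, so that
        // "/example-forms/v1/submit-admin" is NOT treated as allowed.
        if ( $route === $allowed || 0 === strpos( $route, $allowed . '/' ) ) {
            return $result;
        }
    }

    // Default deny: the route index, /wp/v2/users and everything else
    // return 401 to anonymous clients.
    return new WP_Error(
        'rest_not_logged_in',
        'You must be logged in.',
        array( 'status' => 401 )
    );
} );
```

After deploying, an anonymous request to /wp-json/wp/v2/users should return HTTP 401, while the allowlisted routes should still answer.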
The WordPress Heartbeat API sends AJAX requests to the server every 15-60 seconds (depending on context – editor, dashboard, etc.). It is useful for auto-save and session management, but on shared hosting it can cause high CPU load. For more ways to improve your site speed, see the Guide to Google PageSpeed for WordPress Users.
If you want to slow down the Heartbeat or disable it completely, add the following code to your functions.php file:
/**
 * Disable or slow down WordPress Heartbeat API
 */
add_action( 'init', function() {
    // Option 1: Disable Heartbeat completely
    wp_deregister_script( 'heartbeat' );
    // Option 2: Slow down Heartbeat to 60 seconds (uncomment and remove Option 1)
    // add_filter( 'heartbeat_settings', function( $settings ) {
    //     $settings['interval'] = 60;
    //     return $settings;
    // } );
}, 1 );
Note: Fully disabling Heartbeat may affect auto-save in the post editor. If you need auto-save, use Option 2 (slow down to 60 seconds) instead of full disable.
WordPress loads emoji scripts (wp-emoji-release.min.js, etc.) on every page by default. Most sites do not need this, and the scripts add unnecessary HTTP requests and a bit of overhead.
To remove the emoji scripts, add the following code to your functions.php file:
/**
 * Remove WordPress emoji scripts
 */
remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
remove_action( 'wp_print_styles', 'print_emoji_styles' );
remove_action( 'admin_print_styles', 'print_emoji_styles' );
remove_filter( 'the_content_feed', 'wp_staticize_emoji' );
remove_filter( 'comment_text_rss', 'wp_staticize_emoji' );
remove_filter( 'wp_mail', 'wp_staticize_emoji_for_email' );
add_filter( 'tiny_mce_plugins', function( $plugins ) {
    return is_array( $plugins ) ? array_diff( $plugins, array( 'wpemoji' ) ) : array();
} );
Result: fewer HTTP requests and lighter pages. For more performance tips, see the Guide to Google PageSpeed for WordPress Users.
Adding this code to your .htaccess file will prevent external access to the wp-config.php file. For more tips on securing your WordPress site, see the linked post.
<files wp-config.php>
order allow,deny
deny from all
</files>