I have the feeling that WordPress has become less secure than it used to be, so in my opinion security measures are necessary if you want to build your blog with WordPress. I recommend you take a moment to read this account of my own experience; I hope it is helpful.

Security measures:

Both files reveal information an attacker can use, because they include the version details of the update that was installed. Those basic system details tell an attacker exactly which WordPress version you run, and therefore which known issues to try. You should therefore delete the two files after every WordPress update (an update restores them). Bear in mind that deleting them does not hide the version completely: the generator meta tag in the page head and the ?ver= query strings on the scripts and stylesheets WordPress loads also show it.

WordPress automatically stores a revision of a post every time it is saved. Each revision is a row in the posts table, so on a busy site the table grows and queries slow down, which degrades the site's performance. The feature is useful for going back to an earlier version of a post, but in my view it does more harm than good.

You can turn it off with a small change to wp-config.php: add the line define('WP_POST_REVISIONS', false); above the "That's all, stop editing!" line. This disables post revisions. Note that it does not delete the revisions already stored; those rows stay in the database until you remove them.

p.s. Disabling post revisions is not the same as disabling autosave; autosave keeps working.
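The wp-config.php settings described above, as an added example (not a fragment from the original post). It goes slightly beyond the post: instead of switching revisions off completely it keeps a small fixed number of them, which limits table growth while still allowing a rollback, and it shows the separate constant that controls autosave. The value 3 and the 120-second interval are my choices; WP_POST_REVISIONS and AUTOSAVE_INTERVAL are the real WordPress constants.

```php
<?php
// Added example: wp-config.php excerpt, not code from the original post.
// Place these lines above "That's all, stop editing! Happy publishing."

// Post revisions: false disables them entirely (as the post suggests);
// an integer keeps at most that many revisions per post. Existing revision
// rows in the posts table are not removed by either setting.
define('WP_POST_REVISIONS', 3);   // assumption: 3 revisions is enough for rollback

// Autosave is independent of revisions. WordPress keeps a single autosave per
// post and refreshes it at this interval (seconds); revisions being off does
// not stop it, so the editor still recovers unsaved work after a crash.
define('AUTOSAVE_INTERVAL', 120); // assumption: default is 60 seconds
```

Changing the constant only affects new saves; if the table is already bloated, the existing rows of type "revision" still have to be cleaned out once, and that is worth doing from a fresh backup.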

There are a great many automated programs sending comment spam to blogs across the internet, so I recommend every blogger activate the bundled Akismet plugin, which is very good at filtering comment spam. You activate it with an API key that can be obtained free of charge from Akismet. Because of the network firewall in mainland China, however, you may be unable to reach the Akismet site normally to get the key; I recommend using a Ruby account proxy to access the external network.

There is a bug that has existed in WordPress for years: the link in the password-reset email does not work and produces the message "the key seems invalid", for new and old users alike. The cause is an extra '>' character at the end of the link (the URL in the email is wrapped in '<' and '>', and some mail clients include the closing '>' as part of the link). You need to fix it by modifying the code of the /wp-includes/pluggable.php file. Be aware that any change to a core file is overwritten by the next WordPress update and has to be reapplied. Check the details at the link.
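An alternative to editing pluggable.php, as an added example that is not the fix from the original post: a small must-use plugin that hooks the filters WordPress applies to the reset and new-user emails and strips the '<' and '>' wrapping the URL, so the closing bracket can no longer be swallowed into the link. The filter names and their arguments are the real WordPress ones (wp_new_user_notification_email requires WordPress 4.9 or later); the helper function name and the plugin header are mine.

```php
<?php
/*
Plugin Name: Reset link without angle brackets (added example)
Description: Drop into wp-content/mu-plugins/ so it loads without activation.
*/
// Added example, not code from the original post. Survives core updates,
// unlike a change made directly in /wp-includes/pluggable.php.

// Turn "<https://example.com/wp-login.php?action=rp&key=...&login=...>" into the
// bare URL so that mail clients cannot treat the trailing '>' as part of it.
function rl_unwrap_urls(string $message): string {
    return preg_replace('/<(https?:\/\/[^\s>]+)>/', '$1', $message);
}

// Password-reset email for existing users ("Lost your password?").
add_filter('retrieve_password_message', function ($message, $key, $user_login, $user_data) {
    return rl_unwrap_urls($message);
}, 10, 4);

// Welcome email sent to newly created users; it carries a set-password link
// built the same way. The filter receives and returns an array.
add_filter('wp_new_user_notification_email', function ($email, $user, $blogname) {
    $email['message'] = rl_unwrap_urls($email['message']);
    return $email;
}, 10, 3);
```

Because the filters receive the finished message text, this also works when a theme or plugin has already customised the email, as long as it still contains the URL in angle brackets.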

There will always be someone running a scanner against your site's login page (wp-login.php) and trying to brute-force the admin password. I recommend installing the 'Brute Force Login Protection' plugin to keep attackers out; its settings are simple.

P.S. The plugin can show a message to the user after repeated failed logins, and the webmaster can customize the text of that message in English. Chinese is not supported; the text comes out garbled.
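To show what such a plugin does internally, here is an added example of a minimal login throttle as a must-use plugin; it is my code, not the 'Brute Force Login Protection' plugin from the post. It counts failed logins per client address in a transient and refuses further attempts once the limit is reached. The hooks (wp_login_failed, authenticate, wp_login) and the transient functions are the real WordPress API; the limits, the prefix and the function names are my choices.

```php
<?php
/*
Plugin Name: Simple login throttle (added example)
Description: Drop into wp-content/mu-plugins/. Not the plugin named in the post.
*/
define('SLT_MAX_ATTEMPTS', 5);                      // assumption: failures allowed per window
define('SLT_WINDOW', 15 * MINUTE_IN_SECONDS);       // assumption: counting/lockout window

// Key the counter on the client address. REMOTE_ADDR is only meaningful when
// WordPress talks to the client directly; behind a reverse proxy or CDN it is
// the proxy's address, and the key must come from a header you trust instead.
function slt_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'slt_fail_' . md5($ip);
}

function slt_failures(): int {
    return (int) get_transient(slt_client_key());
}

// Every failed login bumps the counter and restarts the window.
add_action('wp_login_failed', function ($username) {
    set_transient(slt_client_key(), slt_failures() + 1, SLT_WINDOW);
});

// Priority 30 matters: WordPress's own username/password check runs at 20 and
// ignores a WP_Error passed in from earlier filters, so the block has to be
// applied after it has run.
add_filter('authenticate', function ($user, $username, $password) {
    if (slt_failures() >= SLT_MAX_ATTEMPTS) {
        return new WP_Error(
            'slt_locked',
            // The message shown to the user, corresponding to the "hint" in the post.
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(slt_client_key());
}, 10, 2);
```

Transients live in the options table (or the object cache if one is configured), so the counter is shared across PHP workers; a plain per-process variable would not be. Blocking by address still does not stop a distributed attack spread over many addresses, which is why strong passwords and two-factor login remain the real defence.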

The install.php file in /wp-admin is the WordPress installer. It does not itself store the account credentials, but it is dangerous to leave reachable: if the database is ever emptied or WordPress loses its connection to it, anyone who can open the file can rerun the installation and create their own administrator account. Since an attacker's aim is to gain control of the target server, or to use such a foothold for further attacks, delete this file once the WordPress setup is complete (and again after each core update, which restores it), or block access to it in the web server.

I recommend installing the best WordPress backup plugin, UpdraftPlus, and setting up an automatic backup schedule. Backups can be stored on a remote storage service such as Google Drive, Amazon S3 or Dropbox. Keep at least one copy off the web server: a backup that sits in the site's own directory is lost together with the site and may itself be downloadable.

Install Sucuri's plugin to protect the site. It scans for security holes and malware, and its firewall function blocks suspicious traffic.

Optimization suggestions:

Dynamically generated pages are slow to serve, so install a cache plugin to generate static pages; this speeds up access for visitors and is search-engine friendly too. I recommend two WordPress cache plugins, WP Super Cache and W3 Total Cache; both are definitely effective at speeding up a site.

WordPress loads a Google font by default. That is fine elsewhere, but in mainland China the font cannot be loaded, and the failed request slows down access to the blog. You can disable the default Google font with a plugin, or by editing code: open the theme's functions.php and replace "googleapis" with "useso", then make the same replacement in /wp-includes/script-loader.php. This should speed up access. Be aware that script-loader.php is a core file, so the next WordPress update will overwrite the change.
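The same replacement done through a filter instead of editing core files, as an added example that is not code from the original post. Every stylesheet URL WordPress enqueues, including those from core and themes, passes through the style_loader_src filter, so one function covers both files the post edits and the change survives updates. The mirror host is the one named in the post and is an assumption (check that it is reachable before relying on it); the constant and function names are mine.

```php
<?php
/*
Plugin Name: Google Fonts rewrite (added example)
Description: Drop into wp-content/mu-plugins/. Not code from the original post.
*/
define('GF_GOOGLE_HOST', 'fonts.googleapis.com');
define('GF_MIRROR_HOST', 'fonts.useso.com');   // assumption: mirror from the post; set '' to drop the font

// Runs for every enqueued stylesheet. Non-Google URLs pass through untouched.
function gf_rewrite_font_src(string $src, string $handle): string {
    if (strpos($src, GF_GOOGLE_HOST) === false) {
        return $src;
    }
    if (GF_MIRROR_HOST === '') {
        // An empty src makes WordPress skip the <link> tag entirely, i.e.
        // the font is not requested at all (the "disable" variant).
        return '';
    }
    return str_replace(GF_GOOGLE_HOST, GF_MIRROR_HOST, $src);
}
add_filter('style_loader_src', 'gf_rewrite_font_src', 10, 2);
```

This only catches fonts loaded through wp_enqueue_style(); a theme that writes the <link> tag into its header template by hand has to be edited there.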

SEO stands for "search engine optimization"; website owners follow it to get more traffic from Google and other search engines. WordPress is SEO-friendly, but we can do more to bring in traffic through SEO measures. Every website should have a robots.txt file in its root directory; it tells search engines such as Baidu or Google which content they are allowed to crawl. Remember that robots.txt is public and only advisory: never use it to "hide" a sensitive path, because listing the path there simply points attackers to it. I recommend editing and saving the file with Notepad++. Please look up the details yourself.

p.s. A sitemap should also be used.

The default permalink format is poor for SEO, so customize the permalink structure so that SEO keywords can be included in the URL conveniently.

I recommend installing the most comprehensive SEO plugin on the market to handle all the important SEO settings.

Google Analytics lets you see access details: how many users visit the site, where they come from and what they do on it. The most common Google Analytics plugin is MonsterInsights, which displays an excellent analytics report inside the WordPress admin interface.