How to Backup, Secure and Optimize WordPress

As soon as your site is up and running, the importance of backing it up and battening down the hatches (i.e., ensuring everything is secure) really can't be overestimated. Losing data and/or being hacked is an absolute disaster — and, worse still, may cause such lasting damage to your business that things continue to go south well after you've managed to 'fix' things. The goal of this guide is to ensure you've not only prepared for the worst, but also optimized everything for the best possible performance too: A subject we'll be returning to in a later guide as well.


With WordPress running nicely on your site, it's important to take a bit of time to make sure it continues to do so. This is the task of website optimization, and this guide will walk you through the three most important types:

  • Keeping your site backed up.
  • Securing your site.
  • Optimizing your site for search engines and load time.

Most of the tools we'll recommend in this guide are 'set and forget', and will let you get on with the parts of your website you really want to be handling -- but with the peace of mind that everything is safe, secure, and running well. Let's get right to it.

How to Backup WordPress

It’s imperative to keep regular backups of your WordPress site. Backups ensure that your site is always safe, and, in the event of a hack, human error, or hosting problem, you'll be able to quickly get everything back up and running properly.

Without a backup, if something goes wrong with your site you risk losing everything. This isn’t scary hyperbole; this is the very real risk you run by not having a backup.

A backup is just a snapshot of your website. This should be done regularly, and the backup should be kept securely in the cloud by a third party. A good WordPress backup tool needs to do four things:

  1. Back up your whole WordPress site, including the database (where content is stored) and files (including themes and plugins).
  2. Work reliably in the background at regular intervals.
  3. Store your files securely in the cloud for a reasonable amount of time (at least a month).
  4. Allow for easy restoration when needed.

As we’ll discuss in a moment, there are a couple of services that meet all of these criteria -- and one in particular that's very easy to set up and does a significantly better job than its competitors.

What about Backups Offered by Your Web Host?

Before we talk about how to set up WordPress backups, let’s consider backups offered by many web hosts (including all of those we recommend). If you use a host offering backups, do you need to worry about a separate backup service?

In short, yes. While backups offered by web hosts are useful to have, you shouldn’t rely on them, and you should always also use a third-party backup system.

Backups from your web host are not to be relied upon, because they risk putting all of your proverbial website eggs in one basket. If something bad happens to your website, you’ll want to restore a backup. Yet, if something bad happens to your host, you won’t be able to access your website -- or your backup.

Instances of hosts losing backups are rare, but they do happen, even on high-profile sites. Furthermore, some hosts have even managed to lose literally all of their customers’ data. Unfortunately, you’re only likely to find out if this is the case with your host when you need your backup the most. This situation is easy to avoid: Web hosts are not specialized backup providers, and should not be treated as such.

Keeping a backup with a third party (such as those we’ll recommend in a moment) increases redundancy, and will ensure your site is as safe as possible. Now that we’ve established the fact that literally everyone should be using a backup service, let’s look at the best options.

VaultPress: The Best Backup Tool for WordPress

Fortunately, backing up your WordPress site is easy, affordable, and the entire thing can be automated; you’ll only need to access your backup if and when the worst happens, and you need it.

The best WordPress backup service is VaultPress. Created by the quasi-parent company of WordPress, Automattic, VaultPress is offered as a paid add-on to the popular Jetpack plugin.

VaultPress meets all four of the criteria we set out earlier, and it’s very affordable. Specifically, it's available as part of Jetpack Personal for $3.50 a month or $39 a year.

To install VaultPress, you’ll first need Jetpack. Head to your WordPress Dashboard, then Plugins → Add New. Search for Jetpack and then Install and Activate. You’ll be prompted to connect your site to

Animated image showing how to install the Jetpack plugin for WordPress.

To secure VaultPress access, you’ll want to select at least the Personal plan. You can pay either monthly or annually.

Screenshot of the Jetpack payment plan options.

Head through the checkout, and then follow prompts to Set Up Your Plan and Install VaultPress. Once done, you can return to your WordPress Dashboard.

Screenshot showing the VaultPress setup.

Once back at your Dashboard you’ll find VaultPress as a new menu item under Jetpack. The plugin will already be backing up your site; this first backup may take a while. VaultPress will already be set up to automatically back up your site every 24 hours.

Screenshot showing VaultPress undertaking the initial backup

You can access backups and make any restorations by heading to the VaultPress Dashboard or following the 'Visit Dashboard' link from the VaultPress screen on the WordPress Dashboard. If the worst ever happens, this is where you go to fix things. You can also make VaultPress more efficient by providing other access: Head to the Settings tab, and you can set up SSH access (allowing VaultPress to access your site’s server) and/or SFTP access (letting VaultPress edit your files).

Screenshot showing the VaultPress Settings page

Our recommended WordPress host, WP Engine, only offers SFTP; these details can be accessed right from your WP Engine User Portal (see instructions here). Once these are set up, you can happily leave VaultPress to do its thing.

VaultPress is by far the best WordPress backup option, but, if you’d like a free option instead, then go with BackWPup. This is the best free backup plugin, offering regular backups to a variety of cloud storage services, including Dropbox, Amazon S3, and Microsoft Azure.

It’s worth reiterating that everyone should have a WordPress backup solution, and VaultPress is the best option for most people. Make use of it!

Securing WordPress

WordPress is secure software that takes security exceptionally seriously. However, as the most popular tool in the world for making a website, it's a target, and, in the same way you take measures to make your computer more secure, you should also take measures to make your website more secure.

You should be thinking about security best practices and services to bolster your site’s security. We’ll tackle each of these in turn.

Before we get into the details on WordPress security, it’s worth mentioning WordPress hosting. Web hosts can do an awful lot to protect your website, and the best managed WordPress hosts will do a lot of what we’ll cover next for you -- and more -- with security professionals constantly working on their infrastructure to make sure all of the sites they host are secure. If you’re unfamiliar with what type of host you have, then see the differences between shared and managed hosting and the managed hosts we recommend.

WordPress Security Best Practices

Below are the best practices in WordPress security that every single WordPress website should be using. As you read these, it’s a good idea to pause and put them into practice right away.

Keep WordPress, WordPress themes, and WordPress plugins updated. This is easy: Keep everything updated, all of the time. Updates frequently address security issues, so keeping everything updated will ensure your site is not open to risk from any of these.

You can tell WordPress to automatically update everything for you by heading to Plugins → Add New and searching for Advanced Automatic Updates. Install and Activate the plugin. Next, head to Settings → Advanced Automatic Updates and tick all the automatic update options. If you’d like a notification email, you can enter your email address. Save Changes, and you’re done!

Screenshot of the Advanced Automatic Updates plugin settings page

Note that there's some risk with automatically updating everything, as you may experience incompatibilities (i.e., your site breaks). However, for the vast majority of WordPress sites, there won’t be any problems -- and the security benefits outweigh the risk. For peace of mind, you may wish, however, to enable email notifications -- and you can always restore a backup using VaultPress if anything is awry.

Use a very strong password. You can have all of the security in the world, but if a hacker can guess your password, it’s no use. You should use a complex password generated by a dedicated website or, ideally, a password manager such as 1Password, KeePass or LastPass.

On the topic of passwords, you should also use an additional layer of security called 'two-factor authentication', and lock out people entering a wrong password too many times. Two-factor authentication requires a password and an additional piece of information, such as a code sent in a text message, for a user to be able to log in. This adds a strong layer of security, as, even if a hacker is able to find your password, with two-factor authentication on, they won't be able to log in. We’ll cover how to do this in the next section.

Don’t use the admin username. The default username for many WordPress installations is 'admin'. You shouldn't use this, and, if it’s present on your site, you should delete it. Because the admin username is so common, hackers will often default to it when attempting to gain access to your site. Avoid this by using an alternative username: Even just your name is fine.

These are the basic security best practices; it's important to follow these at all times on your site. We'll now move on to the more complex WordPress security services.

WordPress Security Services

With WordPress security best practices in place, we can now turn to the security services you can use to bolster your site’s safety. There are plenty of different services, all doing different things, so it’s important to understand what different types of security services there are, and then look at which ones you need.

The three primary types of WordPress security services are:

  1. Firewalls and prevention.
  2. Scanners and detection.
  3. General utility.

Technically, a fourth category is 'all-in-one' security plugins. However, as none of the 'all-in-one' plugins do a better job than the specialist plugins, we’ll skip over these. Let’s now look at the best service for each of the three categories in turn.

The Best Firewall and Prevention Plugin Is Wordfence (Paid)

A firewall or 'web application firewall' (WAF for short) is your first line of defense, and will prevent hackers from accessing your website and causing harm.

You want your WAF to be able to block three types of hacks:

  • General attacks and hacks such as SQL injections, remote code execution, exploitation of software vulnerabilities, cross site scripting (XSS), and so on.
  • Distributed denial of service attacks where hackers send a huge amount of traffic to your site with the aim of making it unavailable.
  • The newest hacks, even if WordPress itself or the theme or plugin that's exploitable haven’t been updated yet.

Most WordPress WAF products also offer general utility tools, although there are separate free tools that can also do these tasks (which we’ll discuss later), so these should be treated as a bonus rather than a necessity.

Wordfence does all of these very well, and is available for a reasonable $99 a year (or even less if you purchase more licenses for multiple years at a time).

Start your installation by purchasing Wordfence Premium and copying the API key you’re given to your clipboard.

Screenshot of the WordFence API management screen

You’ll now need to head to your WordPress Dashboard and install Wordfence’s free plugin if you haven’t already. Do this by heading to Plugins → Add New, searching for Wordfence and then installing and activating the plugin. You’ll be asked if you want to take a tour on activation; you can close this and follow these instructions for extra detail! Head to Wordfence → Options, and under 'Your Wordfence API key' paste in the API key you copied to your clipboard earlier.

Screenshot of the WordFence API screen

Scroll to the bottom of the page, Save Options, and you’ll have Wordfence Premium activated.

Screenshot showing WordFence Premium activated

You’ll be asked if you want to reload the page and enable premium options. You’d like to do so! We can now set up Wordfence’s Premium settings. This only takes a minute, and is just a case of running through the menu items:

Scan: This page is where Wordfence scans your site for infected files. This is really powerful. You’ll want to run a scan right away, and then check the Scheduling tab and make sure Wordfence is handling extra scans automatically. We’ll talk more about scans later in this guide.

Screenshot of WordFence's automatic scanning feature

Firewall: This page controls Wordfence’s WAF. Follow the prompt to Optimize the Firewall, selecting the detected server configuration and downloading the .htaccess file provided. You may need to wait a couple of minutes for the changes to take effect.

Animated screenshot showing configuration options for WordFence's WAF

Wordfence puts its WAF by default into 'learning mode', so it can understand your site. It’s recommended to keep learning mode on for a week before setting the Firewall Status to Enabled and Protecting. The default settings should be fine for the rest of the Firewall options -- although you may wish to head to the Brute Force Protection tab and decrease the number of wrong password attempts allowed, as well as the time period these wrong attempts are counted over.

Options: You can skip right to the options page, as the default settings for other pages will be fine for most people. Enable the Premium Features on the options page, making sure to save changes after.
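How the two Brute Force Protection settings mentioned above (the number of wrong attempts allowed and the period they are counted over) interact, as an added example that is not Wordfence's code: it replays constructed login log lines through a sliding-window lockout under a loose and a strict policy. The log format, the policy values and the function names are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Policy:
    max_failures: int   # wrong passwords that trigger a lockout
    window: timedelta   # period the wrong attempts are counted over
    lockout: timedelta  # how long the source address stays blocked


# Constructed values for the comparison, not any plugin's defaults.
LOOSE = Policy(20, timedelta(hours=4), timedelta(hours=4))
STRICT = Policy(5, timedelta(minutes=5), timedelta(hours=1))

# Constructed sample log: an editor who mistypes twice, then a noisy source
# sending one wrong password every 10 seconds (documentation IP ranges).
SAMPLE_LINES = [
    "2024-01-01T10:00:00Z 198.51.100.20 login_failed user=editor",
    "2024-01-01T10:00:20Z 198.51.100.20 login_failed user=editor",
    "2024-01-01T10:00:40Z 198.51.100.20 login_ok user=editor",
]
START = datetime(2024, 1, 1, 10, 1, 0)
SAMPLE_LINES += [
    f"{(START + timedelta(seconds=10 * i)):%Y-%m-%dT%H:%M:%SZ} "
    "203.0.113.7 login_failed user=editor"
    for i in range(12)
]


def parse_line(line):
    """Split one log line into (timestamp, source address, success flag)."""
    ts, ip, outcome = line.split()[:3]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, outcome == "login_ok"


def evaluate(lines, policy):
    """Replay login attempts and report, per source address, when it was
    first locked out, how many attempts were rejected while locked, and how
    many still reached the password check."""
    failures = defaultdict(deque)   # address -> recent failure timestamps
    locked_until = {}               # address -> end of current lockout
    result = defaultdict(lambda: {"locked_at": None, "blocked": 0, "checked": 0})

    for ts, ip, ok in sorted(parse_line(line) for line in lines):
        stats = result[ip]
        if ip in locked_until and ts < locked_until[ip]:
            stats["blocked"] += 1   # rejected before any password check
            continue
        stats["checked"] += 1
        if ok:
            failures[ip].clear()    # a successful login resets the counter
            continue
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > policy.window:
            recent.popleft()        # forget failures outside the window
        if len(recent) >= policy.max_failures:
            locked_until[ip] = ts + policy.lockout
            if stats["locked_at"] is None:
                stats["locked_at"] = ts
            recent.clear()
    return dict(result)


if __name__ == "__main__":
    for name, policy in (("loose", LOOSE), ("strict", STRICT)):
        print(name)
        for ip, stats in evaluate(SAMPLE_LINES, policy).items():
            print("  ", ip, stats)
```

Under the strict policy the noisy address is cut off after its fifth wrong password while the editor who mistyped twice still logs in; under the loose policy all twelve guesses reach the password check.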

The major alternative to Wordfence is Sucuri. Sucuri offers very similar features to Wordfence (and a nicer user interface), but it's much more expensive: Plans start at $199.99 a year for an equivalent product to Wordfence (Website Security Platform tier).

While the headline features for Wordfence and Sucuri are very similar, they differ in how their WAF is set up. Wordfence’s WAF runs on your server, whereas Sucuri’s is cloud based. Wordfence claim their setup is more secure, as visitors must go through their WAF to access your site, whereas Sucuri claim theirs is faster, as they can handle the security while you just handle your website. Wordfence in turn claim that cloud-based WAFs can be bypassed, while Sucuri say their WAF can be set up to avoid bypass.

Through these claims and counter-claims, the message is Wordfence is more secure but may slow down your site, and Sucuri is faster but may let attacks through. There are clearly trade-offs for each, and we’re not yet at a point where we can say definitively that one method is superior to the other. Until that point, we’ll continue recommending Wordfence, as their offering is significantly cheaper.

The free option here is cloud-based WAF Cloudflare. Cloudflare offers a very generous free plan that offers a WAF and a bunch of other features, including a CDN (we’ll talk about these more later in the guide). If you don’t want to pay for a WAF, Cloudflare is better than nothing. Installation is a lot more complicated than with other security services, however. You’ll find full and easy-to-follow details in our how to install WordPress guide.

Whichever WAF you decide to go with, make sure you at least choose one. It’ll do an awful lot to keep your website safe.

The Best Scanner and Detection Plugin Is Wordfence (Free)

A scanner and detection plugin is like Antivirus software on your computer: It scans your website, alerts you to anything that’s wrong, and then helps you to fix it.

While you’ll need to pay for Wordfence to get its WAF capability, a free version is available that includes scanning and detection. Wordfence’s free plugin will scan every single file on your site thoroughly -- including comparing all WordPress files to what’s on -- and alert you to any inconsistencies, issues, or hacks. You then have the option to clean up your site right there and then.

Installing the free Wordfence plugin is the same as the paid -- so see above -- but you’ll have fewer options available. After activation, you will still, however, be able to access Wordfence → Scan, where you can start new scans of your site. Press the big scan button to start, and then wait while the plugin checks everything out.

Animated screenshot showing starting a WordFence site scan

Once the scan is complete, Wordfence will alert you to any problems and give you options for how to deal with them. You’ll want to investigate each issue, viewing the file or seeing how it has changed (if appropriate). If the file is obviously malicious, you should delete or repair, but if, as with the example below, the issue is Wordfence being overzealous (the issue in question is a functionality plugin), you can safely tell Wordfence you’ve resolved the issue. Repeat this until there are no longer any issues.

Screenshot showing a false positive result in WordFence's site scan

If nothing shows up on the scan, your site is clean! Congratulations! You’ll want to scan your site regularly; as mentioned in the section above, Wordfence Premium will scan your site automatically for you, but if you’re using the free version you’ll need to run this manually. Once a week is realistic for most sites.
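What comparing a site's WordPress files against known-good originals involves, as an added example (not Wordfence's code and not part of the original guide): it hashes a clean copy of the same release and reports files on the live site that were modified, are missing, or should not be there. The scope rules, the `SITE_LOCAL` list and the temporary sample trees are constructed for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Directories that only hold files shipped with a release. wp-content is left
# out on purpose: themes, plugins and uploads differ on every site.
CORE_DIRS = ("wp-admin", "wp-includes")
# Root-level files that exist on a live site but not in a clean download.
SITE_LOCAL = {"wp-config.php"}


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def in_scope(rel):
    """True for files under CORE_DIRS and for PHP files in the site root."""
    if rel in SITE_LOCAL:
        return False
    if "/" not in rel:
        return rel.endswith(".php")
    return rel.split("/", 1)[0] in CORE_DIRS


def scoped_files(root):
    """Yield (relative path, absolute path) for every in-scope file."""
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if in_scope(rel):
                yield rel, path


def build_manifest(clean_root):
    """Map relative path -> digest for a clean copy of the release."""
    return {rel: file_digest(path) for rel, path in scoped_files(clean_root)}


def compare_to_manifest(site_root, manifest):
    """Return the in-scope files that differ from the manifest."""
    report = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for rel, path in scoped_files(site_root):
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)   # no such file in the release
        elif file_digest(path) != manifest[rel]:
            report["modified"].append(rel)     # contents differ from release
    report["missing"] = sorted(set(manifest) - seen)
    return report


def write_tree(root, files):
    """Create the given {relative path: text} files under root."""
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def run_demo():
    """Build a constructed clean tree and a tampered copy, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        write_tree(clean, {
            "index.php": "<?php // front controller\n",
            "wp-login.php": "<?php // login\n",
            "wp-admin/admin.php": "<?php // admin\n",
            "wp-includes/version.php": "<?php // version\n",
            "wp-includes/functions.php": "<?php // functions\n",
        })
        shutil.copytree(clean, live)
        # Constructed changes on the "live" copy:
        (live / "wp-includes/functions.php").write_text("<?php // functions\n// changed\n")
        (live / "wp-admin/admin.php").unlink()
        write_tree(live, {
            "wp-includes/cache-helper.php": "<?php // not part of the release\n",
            "wp-config.php": "<?php // site settings, expected locally\n",
            "wp-content/uploads/photo.jpg": "image bytes, out of scope\n",
        })
        return compare_to_manifest(live, build_manifest(clean))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

A file listed as modified or unexpected is a prompt to inspect it, in the same way the scan results above are reviewed one by one before anything is deleted or repaired.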

Sucuri also offers a free scanning and detection plugin. As with the WAF, this is also very good, but Wordfence’s free version is clearly superior, offering deeper scanning and better removal. If you’re unable to use Wordfence, though, this is a great alternative.

The Best General Utility Security Plugin Is Jetpack

We’ve already mentioned Jetpack in this guide, recommending it because of its excellent VaultPress service. The same Jetpack plugin happens to be the best general utility security plugin.

Jetpack offers two really useful general security features:

  • Really good two-factor authentication support.
  • Brute force protection (preventing hackers from trying lots of passwords).

Wordfence Premium will do both of these things for you, but as Jetpack lets you route logins through the (more secure) login system and accompanying two-factor authentication it’s a better choice.

Jetpack’s security features are very easy to activate: Install the plugin from your WordPress Dashboard by heading to Plugins → Add New and searching for Jetpack. Install and Activate the plugin, then follow prompts to connect to a account.

Once you have Jetpack connected to, head to Jetpack → Settings on your WordPress Dashboard. Click the Security tab, and then enable 'Block Suspicious-Looking Sign in Activity'.

Screenshot of the Jetpack brute force security options

The box underneath will allow you to turn on two-factor authentication. You’ll first need to toggle on letting users log in using accounts, then 'Require Accounts to Use Two-Step Authentication'. Two-Step is another name for two-factor authentication. Jetpack’s settings save automatically, so you’re all done.

Having the option to log in with two-factor authentication is no use if users can just ignore the option, so next you need to disable the default login form to force users to log in via Do this by heading to Plugins → Add New on your WordPress Dashboard and searching for Functionality. Install and activate the Functionality plugin, then head to Plugins → Edit Functions. Paste in the line of code below at the bottom of the plugin file:

add_filter( 'jetpack_remove_login_form', '__return_true' );

Screenshot of a functionality plugin disabling the standard WordPress login, using Jetpack instead

Update the file, and you’re all done! Next time a user logs in, they’ll be prompted to do so through their account and will only have this option. This makes logins to your site much more secure.

Screenshot of the WordPress login page only offering a login

The Professional tier of Jetpack ($99 a year, instead of the $39 a year Personal tier required for VaultPress) also offers security scanning in a similar vein to Wordfence and Sucuri, but, for now at least, Wordfence and Sucuri are superior products for this.

The final general security plugin you need is iThemes Security, which makes it very easy to make sure some security best practices are in place on your site. As usual, head to Plugins → Add New and search for iThemes Security. Install and Activate the plugin. Head to the new Security tab, and you'll be asked to use some quick setup options and enter an API key. You don't want to do these, as other plugins we’ve recommended duplicate much of the functionality of iThemes Security, so we only want to activate the modules we’re using.

From the iThemes Security Dashboard, head to the WordPress Tweaks options, Enable and then Configure Settings. Run through and check all of the tick boxes, then head back up the page to the XML-RPC settings. XML-RPC, among other things, lets you use the WordPress mobile apps, and is needed for Jetpack to connect to your site. Unfortunately, it’s also a significant security risk, so, ideally, we’d like to disable it. As we need Jetpack to work, though, we won’t do this. Instead, make sure the 'Multiple Authentication Attempts per XML-RPC Request' option is set to 'Block'.

Screenshot of the iThemes Security plugin blocking exploitation of XML-RPC

Save those settings, then Enable the System Tweaks module, and Configure Settings. You’ll want to run through all of these and tick them all, Saving Settings when you’re done. Note that these tweaks can cause problems with themes and plugins, so be sure to check your site afterwards. If anything is awry, disable the System Tweaks one by one and check your site after each until you find the culprit.

Screenshot of the iThemes Security plugin's System Tweaks settings

Next up, Enable and Configure Settings for the WordPress Salts options. These settings add a random text string to your password when it’s stored (so the password you enter stays the same), making it much harder to hack. Tick the box, Save Settings, and the plugin will get to work. You’ll be logged out after this has happened.

Screenshot of the iThemes Security plugin's WordPress Salts settings

That’s all for iThemes Security, and the final utility security plugin we’ll be looking at! You should now have complete coverage for your WordPress site.

Make use of the services we recommend here. As we’ve shown, they don’t take long to set up and will make sure your website is actively protected. This, along with the security best practices outlined earlier, will make your site as secure as possible.

Now that you have a backed up, secure WordPress website, we can move on to optimization.

How to Optimize Your WordPress Website

Website optimization deals with how to improve your website. The focus is typically on improving performance, whether that’s how fast your site loads or how well your site ranks in search engines.

Website optimization is an industry in itself, so I'll just mention the automatic optimization techniques that are available. We'll focus on two areas here: SEO and speed.

Optimizing Your Website for Search Engines: Understanding Search Engine Optimization

Search Engine Optimization, or SEO, is a huge industry focused on one key question: How do I get more people to find my website in search engines?

Fortunately for the industry, this is an incredibly complicated question. Search engines use complex algorithms to determine the most relevant content to display for each result, tweak these daily, and make major updates multiple times a year.

Yet, the basics aren’t especially difficult. This guide is focused on optimization, so we’re going to focus on on-page optimization in this section. This is an extremely important part of SEO, and is one of the easiest things you can do to improve your search engine rankings. For a wider take on SEO, read our full WordPress SEO guide.

The easiest WordPress SEO gains come from using an SEO plugin. The best and most popular plugin is Yoast SEO. Yoast will make a number of on-page optimizations easier for you. We’ll run through how to install the plugin, and then how to use the most beneficial settings.

Install Yoast SEO by heading to Plugins → Add New and searching for Yoast SEO. Install and Activate the plugin.

Screenshot of the Yoast SEO plugin's contextual help

With the plugin installed, you can now start putting it to work! First, head to the new SEO menu and follow the prompts to go through the plugin’s onboarding setup. This will get your basic settings sorted, and connect the plugin to Google’s Webmaster Tools. On completion, you’ll be taken back to the main plugin settings page. On this and any other settings pages, you can get contextual help and video tutorials by expanding the 'Help Center' tab.

Screenshot of the Yoast SEO XML Sitemaps options

Next up, you want to set up your XML sitemap. This will tell Google which pages on your site it should be looking at. You’ll find details about this on the XML Sitemaps submenu item. You’ll want to make sure any post types you don’t want displaying in search results (such as media pages that just display images, video or other media) are disabled, any particular posts you don’t want showing in search engines are excluded, and any taxonomies (such as categories and tags) you don’t want showing in search engines are excluded.

Let’s now open up an individual post or page. This is where Yoast SEO comes in: The plugin does real-time analysis of each page on your website, and shows you how you can improve in an easy-to-read and easy-to-understand format. You’ll find Yoast’s analysis on the editing screen for any post, page, or other post type underneath the content. The general rule here is simple: Aim for at least an amber light (and ideally a green one).

Screenshot of the Yoast SEO on-page article optimization options

Yoast SEO will encourage you to do a number of easy on-page optimizations, including selecting a 'target keyword' (the search term you want people to use to find your post), using that keyword throughout the content and in titles, and setting the title and description you want to appear in search results. These are all intuitive to use and very well documented within the plugin, so we won’t dwell on them here.

It’s well worth spending some time with Yoast SEO on your site and using the help videos to see how you can get the most out of the plugin. If you don’t want to use Yoast SEO, see this post for a comparison of Yoast SEO plugin and its main alternative.

Plugin aside, there are a couple of other easy wins to be had with SEO. You’ll want to ensure you’re doing all of these:

  • Keep content regularly updated. Google loves fresh content! You should be updating highly time-sensitive content as much as once a month, and revisiting blog posts once a year. Fresher content tends to rank more prominently in search engines, and has other benefits for how frequently search engines check your site. This is how you show a last updated date for content.
  • Encourage comments. Search engines want to see discussion and community on your site! Encourage comments by asking readers questions, and keep the discussion going by responding to comments. Here are some of the best commenting plugins for WordPress.
  • Encourage social shares. Similar to the above, social shares are a signal to search engines that readers like what they see and the content is good. Here are some of the best social sharing plugins for WordPress.
  • Improve your URL structure. By default, WordPress does a poor job of displaying your site’s URLs (also known as permalinks). You’ll get SEO benefits from displaying 'pretty' permalinks, with the keywords you’re attempting to target included. Here’s how to change your permalink structure.
  • Link to your own posts. This is known as 'internal linking', and is as simple as including relevant links to other posts on your own site when creating or editing content. This gives search engines an idea of which pages on your site are most important and most relevant.

Install Yoast SEO, follow these guidelines, and you’ll be in good shape. For further reading on SEO, read this guide from Yoast or this SEO guide from industry-leaders Moz for a more general overview.

Speed Optimization

Part two of looking at website optimization concerns speed: How fast does your site load? Can it load faster? Fortunately for the industry that’s popped up around site speed, your website can almost certainly always load faster.

Visitors expect your website to load in under two seconds, and will leave your site if they’re left waiting around for too long. Speed optimization also relates to SEO: Google takes site speed into account when generating its rankings. A slow website could cause visitors to be unhappy and leave, and your search rankings to drop.

Speed optimization is really important. Putting this into practice is just a case of running through the best practices in a couple of different categories and testing the results. This guide is going to cover the easy wins for making your website faster -- the 20% of things you can do that deliver 80% of the results. For more detail, see our guide on speeding up WordPress.

How Fast Does Your Website Load?

Before you start, run some tests: How fast does your website load? This is exceptionally important! You need to have a before and after picture so you can gauge how you’re improving site speed.

You can test how fast your site loads using a tool called GTmetrix. Load up the site, enter your URL and click Analyse. Your site will be scanned, and you’ll then be presented with a couple of metrics. Note down your site’s loading time in seconds, Google PageSpeed score, and YSlow score. We’ll come back to these later, and hopefully see a big improvement.

Screenshot of a GTmetrix speed test of WinningWP

Note: You can also set GTmetrix to regularly monitor your site and alert you to any speed variations. How to do this is covered in our guide on monitoring a WordPress website.

A similar service is offered by Pingdom. Pingdom doesn’t offer regular testing for free, as GTmetrix does, but its one-off tests are more consistent than its competitors, so you’ll also want to run your site through Pingdom and note down its loading time in seconds.

Once you know how fast your website loads, we can start making it faster.

Hosting Is Incredibly Important for Load Times

Before we continue, let’s talk again about hosting: Hosting is still really important.

Hosting plays a huge part in how fast your site loads -- both day-to-day and when you have a large amount of traffic on the site. The key technical features required from a fast host are:

  • NGINX support (the fastest server software)
  • PHP 7 support (the latest version of PHP, the coding language WordPress is written in)
  • SSL (required for HTTPS)
  • HTTP/2 support (delivers files faster)
  • Server side caching (allows for faster site load times)
  • SSD drives (makes for faster file loads on servers).

We’ve already recommended looking at managed WordPress hosting in this guide, but we’ll do it again: A good managed host will handle all of the above and ensure your website loads very fast, even when your site experiences large volumes of traffic.

If you’re using shared hosting, then a good shared host will meet the technical requirements and still make sure your site is pretty quick; if you’re using a bad shared host, then no matter how many of the best practices listed here you follow, you’re not going to be able to get your site loading quickly.

It’s well worth looking at how your current host stacks up before proceeding further. Indeed, if your site is taking longer than eight to ten seconds to load with no optimization, you’ll want to look at changing hosts.

Test Your Plugins

Next, test the impact of the plugins you’re using. The long-held mantra when it comes to WordPress plugins is 'don’t use too many'. But this is misleading: You don’t want to be using too many resource-intensive plugins.

You can use a plugin called Query Monitor to see how many requests each of your themes and plugins makes to the WordPress database. You can then remove high-impact plugins, replace them with a lighter alternative, or try to mitigate the impact of each plugin.

Looking at the overall number of plugins isn't necessarily helpful. Furthermore, just because a plugin takes up a significant amount of load time, doesn’t mean it should be deactivated. Good caching will mitigate the effect of resource-intensive plugins, although not completely. It’s important to conduct a more nuanced analysis here.

Install Query Monitor by heading to the WordPress Dashboard → Plugins → Add New and searching for Query Monitor. Install and Activate the plugin. You can now head to your site’s homepage to see a new menu in the WordPress Admin Bar: QM. This is where Query Monitor will do its analysis. Hover over this and click Queries by Component. This will take you to a table where you can see how many database queries each component on your site is running, the time taken to run these, and the totals.

My results, for example, show the three queries the Yoast SEO plugin is running take up nearly the same amount of time as my theme’s 40-plus queries. The time involved here -- 0.01 seconds -- is really not significant, but it’s useful to note that one plugin accounts for nearly a third of this. I should therefore consider finding an alternative and re-testing, or deactivating any other plugins that aren't in use.

Your site’s homepage will likely produce different results to archive pages and posts, so also run Query Monitor on these pages and make the same analysis.

Database queries are a useful metric when working out the resource intensity of plugins, but they’re not the be-all and end-all. Here are some further useful rules for analyzing a plugin:

  • Any plugin loading extra resources onto a page is adding to load time. Slider, email marketing, and contact form plugins are especially bad for this, as they’ll typically load the JavaScript required to power their functionality, whether or not it’s in use on the page. We’ll cover how to deal with this in the next section of this guide.
  • Plugins that provide features only for logged-in users can be ignored, as these won’t load for regular site visitors.
  • Any plugin doing unnecessary work on every page load should be deactivated -- or this feature needs to be turned off. Jetpack’s social sharing and site stats are a good example of this, as is Wordfence’s live traffic feature.
  • Jetpack deserves a special note: Jetpack is typically one of the most resource-intensive plugins, but it also does a lot of useful things. Just deactivating it would cost you all of those benefits. Instead of deactivating completely, head to Jetpack → Settings on the WordPress Dashboard and disable the features you’re not using.

Query Monitor is an incredibly powerful plugin, so spend the time digging into its data and identifying where your site is being slowed down. Try to mitigate the effects of resource-intensive plugins by deactivating features, and, where that’s not possible, consider (and test) an alternative. If you’re not using a plugin or can live without its functionality, deactivation is a surefire way to reduce impact.

Choosing your plugins correctly is extremely important. You can read more about how to choose and install WordPress plugins and WordPress plugins we recommend.

WP Rocket Is the Best Caching Plugin for WordPress

We can now move on to really speeding up your website. The first thing we’ll look at is caching. Caching works by generating your WordPress site once and then serving that generated site to subsequent visitors, rather than having to generate the WordPress site every time. For a more detailed look at what caching is and why it’s important, see this post.

You can get the benefits of caching on your WordPress website by using a caching plugin.

The best caching plugin available for WordPress is WP Rocket. WP Rocket has more features (it also does a lot of the other speed optimizations we’ll discuss later), is easier to set up and -- crucially -- is faster than all of the alternatives. While many of the alternatives are free -- and WP Rocket comes in at $39 for a single site license -- the ease of use and extra speed will be worth it for most people.

Note: Our recommended managed WordPress host WP Engine has its own caching solution included in all of its plans. This doesn’t make WP Rocket totally redundant, as it offers other speed features, but it does mean you won’t need its main feature, caching.

WP Rocket is really easy to set up (which is one of its benefits). You’ll need to purchase the plugin and follow the prompts to download. Next, head to your WordPress Dashboard, and then go to Plugins → Add New. Select Upload Plugin, and then select the ZIP file you’ve just downloaded.

Press Install Now, and then Activate Plugin. The plugin automatically turns on caching and a couple of other features (GZIP compression and image optimization), although you can access extra settings by heading to Settings → WP Rocket.

The additional options here include lazyloading (where images only load when visible to the user -- this speeds up load times), file optimization, loading of JavaScript files in the footer (this also speeds up load times), database optimization, CDN and Cloudflare options, and a whole bunch more. These extra settings are important, but aren’t related to caching, so we’ll skip over them here: For more details, read our full WordPress speed optimization guide.

WP Rocket is the best caching plugin for most people, but if you’d prefer a free option then you should use WP Super Cache.

WP Super Cache offers far fewer features than its rocket-powered competitor, but it does a good job of the basic caching functionality. Unless you’re using managed WordPress hosting, you’ll need a caching plugin, and if you don’t want to pay for WP Rocket, you should use WP Super Cache.

Caching your WordPress site will deliver a huge speed boost. It’s easy to set up, so make use of one today!

Use a Content Delivery Network

A CDN, or content delivery network, is a great way of optimizing your WordPress website. A CDN serves assets on your website (such as images and video) from a location geographically closest to your visitor. As the data has to travel a shorter distance, the assets -- and your site -- load faster.

For example, without a CDN, visitors will have to load content from a single location, regardless of where they are. With a CDN, however, a visitor from the USA can have data sent from the USA; a visitor from Europe can have data sent from Europe, and a visitor from Australia can have data sent from Australia. All of this makes for a faster website and happier visitors.

Note: Some of the best WordPress hosts (such as WP Engine and Flywheel) include a CDN in their hosting packages. If you're using a host with a CDN included, you can skip this section (although double check your included CDN is on!).

The best CDN for WordPress is MaxCDN. MaxCDN is the most popular CDN service for WordPress -- and with good reason. It’s very fast, and at $9 a month is reasonably priced. It’s also very easy to set up. Create an account at MaxCDN for whichever tier you need, and activate your account.

You’ll need to log in to your site (which requires going back to the homepage) and create a Pull Zone: click Zones → Create Pull Zone, enter a name and your site's URL, and click Create.

If you have SSL on your site (as denoted by https in URLs), you'll now need to click Manage, and then SSL. You should now copy the SSL URL, as this is the URL of your CDN. Click the Shared SSL tab, and then Enable. Finally, click the HTTP/2 tab and Enable that as well. If you don't have SSL enabled, copy the CDN URL from the Summary page.

We now need to add a subdomain to your site (such as through which the CDN will push files. Doing this requires logging into your web host and adding a CNAME DNS record. For most hosts, this can be done through cPanel.

Log in to cPanel and click Simple DNS Zone Editor. Scroll to the Add a CNAME Record box and type cdn in the name field -- cPanel will auto-fill the rest of the field for you. Click the CNAME field and paste in the URL for the CDN we copied to your clipboard earlier. Now, you're all done!

We now need to connect the CDN to WordPress. We can do this through WP Rocket: Head to Settings → WP Rocket and click on the CDN tab. Tick the box to Enable Content Delivery Network, and, in the box below, enter the subdomain you just created, for example If you have SSL on your site, make sure to add the subdomain with https rather than http. Save Changes and you're done!

You can now load up your site, and the CDN should kick in! You can double check by testing your site in Pingdom, scrolling down and looking for in the File Requests section.
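The check described above can also be run locally. The following is an added example, not part of the original guide: it parses a page's HTML, reports which assets come from the CDN subdomain and which still come from the origin, and flags any asset requested over http on an https page, which is what happens if the subdomain is entered with http. The hostnames `www.example.com` and `cdn.example.com` and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed placeholders: substitute your own site URL and CDN subdomain.
SITE_URL = "https://www.example.com/"
CDN_HOST = "cdn.example.com"

# Constructed sample of a rendered homepage (not taken from a real site).
SAMPLE_HTML = """
<link rel="stylesheet" href="https://cdn.example.com/wp-content/themes/t/style.css">
<script src="http://cdn.example.com/wp-includes/js/jquery/jquery.js"></script>
<script src="/wp-content/plugins/slider/slider.js"></script>
<img src="https://cdn.example.com/wp-content/uploads/2017/01/hero.jpg">
<img src="https://www.example.com/wp-content/uploads/2017/01/logo.png">
<a href="https://www.example.com/about/">About</a>
"""

class AssetCollector(HTMLParser):
    """Collects URLs of sub-resources the browser fetches automatically."""
    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("img", "script") and attrs.get("src"):
            self.assets.append(attrs["src"])
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            if attrs.get("href"):
                self.assets.append(attrs["href"])

def audit_assets(html, site_url=SITE_URL, cdn_host=CDN_HOST):
    """Sort assets into cdn / origin / third_party and list mixed content."""
    collector = AssetCollector()
    collector.feed(html)
    origin_host = urlparse(site_url).hostname
    page_is_https = urlparse(site_url).scheme == "https"
    report = {"cdn": [], "origin": [], "third_party": [], "mixed_content": []}
    for raw in collector.assets:
        url = urljoin(site_url, raw)  # resolves relative URLs against the page
        parts = urlparse(url)
        bucket = ("cdn" if parts.hostname == cdn_host
                  else "origin" if parts.hostname == origin_host
                  else "third_party")
        report[bucket].append(url)
        if page_is_https and parts.scheme == "http":
            report["mixed_content"].append(url)  # browsers block or warn on these
    return report

if __name__ == "__main__":
    for bucket, urls in audit_assets(SAMPLE_HTML).items():
        print(bucket, urls)
```

Assets left in the `origin` bucket are the ones the CDN is not rewriting, and anything in `mixed_content` points to an http CDN URL that should be https.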

Finally, if you just want a very basic (and free) solution, then Jetpack is once again able to help. Jetpack offers a free CDN for images only called Photon. Photon is limited, but is exceptionally easy to set up. Ideally use a fully fledged CDN, but, if you'd prefer not to, Photon is better than nothing.

That concludes our look at CDNs. There are other CDNs available; you can read more about the different WordPress CDN services here.

Additional Speed Optimization Tools

We’ve now covered the most important speed optimization tools and tricks; these will get you the best return on speed improvement for time involved.

You can now go back and test your site’s speed again (using GTmetrix and Pingdom): You should see big performance gains.

The work doesn’t stop here, though. There are plenty more extra speed optimization tactics that can eke out extra performance on your site.

If you're using our recommended caching plugin, WP Rocket, you'll have a lot of these done for you already, but if you want to avoid paying for the plugin or just want to understand the extra details, read our full WordPress speed guide.

We’ve now finished optimizing our site, and can wrap up!

Final Thoughts

The three-part approach to WordPress site management of backups, security and optimization will keep your WordPress site healthy.

It’s very important to keep on top of this throughout your site’s life; spend some time implementing the techniques and tools recommended here, and then allocate an hour or so each month to making sure everything is in order and you’re up-to-date with best practices.

There is, of course, a lot more you can do than what's covered here. This is especially true for website optimization: You’ll want to read our full speed optimization guide for further details.

Whatever your next steps with WordPress, see the rest of the WinningWP Guides for step-by-step details. Enjoy!

Good luck!

Without a proper backup, losing data can be a devastating setback. Being hacked is almost always a huge blow to your site's reputation and your brand's credibility, and may even have near-fatal repercussions for your business as a whole; and failing to optimize your site, whilst almost always nowhere near as bad as losing data or being hacked, can slowly erode your company's bottom line without you ever even realizing it. Be sure to do everything you can to avoid falling into any one of these traps!