WordPress best practices for security, SEO and performance

#WordPress hardening, performance, and SEO: what actually moves the needle in 2026

There is no single ultimate guide to WordPress. Anyone selling you one is selling a listicle. What follows is a practitioner checklist of the changes that consistently move the needle on real client engagements at wppoland.com, organised across three planes that interact more than most write-ups admit: hardening, page weight, and how search engines and LLMs actually parse the result.

The pattern is almost always the same. A site arrives with a plugin graveyard, an unaudited wp_options table, three SEO plugins fighting over the title tag, and a /wp-login.php that takes 200 hits per minute from residential IP rotators. None of that gets fixed by a generic checklist. It gets fixed by knowing which knobs in wp-config.php, which Cloudflare rules, and which schema decisions return time and rankings, and which are theatre.

#What this post is not

This is not exhaustive reference documentation. The Codex of WordPress hardening lives at wordpress.org/documentation/article/hardening-wordpress/ and it is more complete than anything one blog post can be. What this post adds is opinion: which subset of those controls is worth implementing first, in what order, and where the typical “best practices” article quietly skips the painful detail.

If you are running a brochure site on shared hosting, half of the recommendations below are overkill. If you are running WooCommerce with member-only pricing and a payment integration, half of them are the bare minimum.

#Hardening that pays for itself

Most WordPress incidents I have cleaned up traced back to one of three things: a stale plugin with a known CVE, a leaked admin password reused from a breached service, or an XML-RPC or REST endpoint left open to enumeration. Almost nothing traces back to a missing security plugin. The implication is that hardening is mostly configuration, and a small number of wp-config.php constants do more for the threat model than any “all-in-one” security suite.

#The wp-config.php block I drop into every install

define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
define( 'FORCE_SSL_ADMIN', true );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
define( 'AUTOMATIC_UPDATER_DISABLED', false );
define( 'WP_POST_REVISIONS', 5 );
define( 'EMPTY_TRASH_DAYS', 7 );

DISALLOW_FILE_EDIT removes the in-dashboard code editor, which is the single most useful blast-radius reduction available. DISALLOW_FILE_MODS goes further and blocks plugin and theme installs and updates from the dashboard entirely; pair it with a deployment pipeline that updates via WP-CLI or Composer. FORCE_SSL_ADMIN stops the embarrassing case where someone briefly hits http:// admin and leaks a session cookie. The revisions and trash limits are not security per se, but they prevent the wp_posts and wp_postmeta tables from becoming the slow query that masks an actual incident.

#Application passwords and 2FA, with a CLI fallback

Application passwords were enabled by default in WordPress 5.6 and almost nobody audits them. Run wp user application-password list <user> for every administrator on every quarterly review. Revoke anything that does not map to a documented integration. Treat any application password attached to a user with manage_options as equivalent to that user’s main credential.

For 2FA, the Two-Factor feature plugin is still the cleanest option, but configure it with the assumption that a phone will eventually be lost. Document the recovery path: SSH into the server and run wp user meta delete <id> _two_factor_* to drop the second factor, then immediately rotate the password. If you skip this step, you will lock a client out of their own production site at a moment that is always inconvenient.

#Move the brute force fight off WordPress

PHP is the worst place to handle a /wp-login.php flood. By the time wp-login.php decides a request is bad, you have already spent CPU bootstrapping WordPress. Push the rate limit one layer up.

On Cloudflare, a Rate Limiting rule that allows ten POSTs to /wp-login.php per ten minutes per IP, combined with a managed challenge for the same path from non-EU geographies if your audience is regional, removes more than 95% of credential-stuffing traffic without ever touching origin. If your stack runs ModSecurity, OWASP Core Rule Set at paranoia level 1 with xmlrpc.php blocked outright is the baseline. Paranoia 2 starts to false-positive on Gutenberg block JSON, so do not jump there without testing the editor.

#File permissions, briefly

Directories 755, files 644, wp-config.php 440 or 400 and owned by the user PHP-FPM runs as, not by root. If your host insists on 777 anywhere, change host. This is not 2008.

#Set Proper File Permissions

File permissions determine who can read, write, and execute files on your server. Incorrect permissions can leave your site vulnerable to attacks. The standard recommended settings are:

• Directories: 755 (rwxr-xr-x)
• Files: 644 (rw-r—r—)

You can modify permissions through your hosting control panel’s File Manager or via FTP client. Most reputable hosting providers set these correctly by default, but it’s worth verifying.

#Implement Login Security Measures

While we focus on core features, several built-in WordPress settings can improve login security. Consider implementing a custom login URL by using pretty permalinks - this makes it harder for automated bots to find your login page.

Additionally, limit login attempts at the server level if your hosting provider offers this feature. Many hosts provide built-in protection against brute force attacks through their firewall configurations.

#SEO that survives contact with reality

The WordPress SEO conversation has been stuck on permalinks and alt text for a decade. Both still matter, but they are not what separates a site that ranks from one that does not in 2026. The four things I see actually move rankings on client sites are: a coherent Schema.org graph, an SEO plugin configured for one job rather than fighting another plugin, hreflang done correctly for multilingual builds, and a sitemap structure that prioritises what the business cares about.

#Schema as a graph, not a checklist

Most SEO plugins emit a flat list of unconnected JSON-LD blocks: an Organization here, an Article there, a BreadcrumbList that references neither. Search engines and LLMs reward a connected graph: Article whose author is a Person whose worksFor is the Organization whose logo is referenced by the WebSite. Both Yoast and Rank Math support this through their respective filters; the work is in defining the graph once and feeding both the user-facing pages and the LLM crawlers a consistent set of @id references. If your about and mentions arrays in front-matter are populated with Wikidata URLs, half this work is already done; the other half is making sure the rendered HTML actually emits them.

#Yoast vs Rank Math: pick one and disable the other completely

The most common collision pattern is two SEO plugins both writing <title> and <meta name="description">, with the result that whichever runs later wins, but both leave their schema in the head. Symptom: duplicate BreadcrumbList, duplicate WebPage, conflicting Article blocks. Google merges what it can and discards the rest, but the signal is muddy. Pick one, deactivate the other, then check the rendered HTML for stale schema cached by an object cache or page cache. Flush both after the migration.

Rank Math tends to win on schema flexibility, Yoast on the opinionated content analysis that authors actually read. Neither matters more than the consistency of using one.

#Hreflang for the six-language builds we ship

If you are running a multilingual site, hreflang is the difference between Google serving the right language to the right country and serving Polish content to Portuguese visitors who then bounce. The annotations have to be reciprocal (every alternate must list every other alternate, including itself), they have to point at canonical URLs, and they have to include x-default. Plugins handle this, but verify in Search Console under International Targeting; silent hreflang errors are common after a slug change.

#Sitemap priorities, the WordPress default versus what you want

WordPress core ships /wp-sitemap.xml, which is fine for small sites and inadequate for everything else because it does not let you weight or exclude. Yoast and Rank Math both publish /sitemap_index.xml with separate post-type indices, which is what you want. The non-obvious move: exclude the attachment post type from sitemaps unless you are running a media library that is itself the product. Attachment URLs spawned by image uploads do not need to be in Google’s index; they dilute crawl budget on larger sites and produce thin-content soft 404s on smaller ones.

#Optimize Your Permalinks

Permalinks are the permanent URLs to your individual pages and posts. WordPress defaults to a numeric format (/?p=123), which provides no information to search engines or users. Instead, use a descriptive permalink structure that includes your post title.

To change your permalink structure, go to Settings > Permalinks in your Dashboard. The “Post name” option is generally recommended as it creates clean, readable URLs like yourdomain.com/your-post-title/.

For custom post types or categories, you can also configure custom structures. Just ensure your URLs are concise and include relevant keywords when appropriate.

#Create Quality Content with Proper Structure

Search engines prioritize content that provides value to users. Structure your articles using heading tags (H1 for titles, H2 for main sections, H3 for subsections) to create a logical hierarchy. This helps search engine crawlers understand your content organization.

WordPress’s Block Editor makes it easy to add headings, lists, and other structural elements. Use the built-in blocks to create:

• H2 and H3 headings for section organization
• Numbered lists for step-by-step content
• Bullet points for quick tips
• Quote blocks for testimonials or citations
• Table blocks for comparative data

#Optimize Images for SEO

Images can significantly impact your page load times and SEO performance. Before uploading images to WordPress, compress them using online tools or image editing software. WordPress also includes basic image optimization settings.

When adding images, always include descriptive alt text - this improves accessibility and provides search engines with context about the image content. You can add alt text through the Image block sidebar in the Block Editor or via the Media Library.

#Leverage Categories and Tags

WordPress’s taxonomy system helps organize your content and improve site navigation. Categories are broad groupings (like “Technology” or “Business”), while tags are more specific descriptors. Both help search engines understand your content structure.

Create logical category hierarchies and use relevant tags sparingly. Avoid over-tagging, as this can dilute your content’s relevance signals. A typical post should have 1-2 categories and 5-10 relevant tags.

#Use Excerpts Effectively

Excerpts are brief summaries of your posts that appear in various contexts - search results, archive pages, and RSS feeds. Write custom excerpts that include your primary keyword naturally. You can set custom excerpts in the Document settings sidebar of the Block Editor.

#Enable XML Sitemaps

WordPress automatically generates XML sitemaps that help search engines discover and index your content. These sitemaps are accessible at yourdomain.com/wp-sitemap.xml. Search engines like Google can use these sitemaps to understand your site structure and find new content quickly.

You don’t need a plugin - WordPress has included native sitemap functionality since version 5.5. Simply submit your sitemap URL through Google Search Console to help search engines find it.

#Performance: where the time actually goes

Most “WordPress is slow” tickets I open turn out to be one of four things, in roughly this order: a bloated wp_options autoload, an external font on the critical path, an oversized hero image without fetchpriority, and a cache plugin shipping the wrong cache key for logged-in users. Hosting matters, but it is rarely the bottleneck if the above four are wrong.

#Prune wp_options autoload first

This is the highest-leverage performance change in WordPress and almost nobody runs it on a schedule. Every page load issues SELECT option_name, option_value FROM wp_options WHERE autoload = 'yes', and on a site that has accumulated five years of plugin debris that query can return three or four megabytes. Sixty to eighty percent of those rows are typically transients left by uninstalled plugins or settings that have no business being autoloaded.

wp db query "SELECT option_name, LENGTH(option_value) AS size FROM wp_options WHERE autoload='yes' ORDER BY size DESC LIMIT 30"

Anything over 100KB and not actively in use becomes a candidate. wp option set <name> --autoload=no for things you want to keep but rarely read; outright delete orphaned plugin rows. On a recent WooCommerce engagement this single pass cut TTFB from 880ms to 310ms with zero code changes.

#Object cache, not just page cache

Page caching solves the anonymous-visitor case. Object caching solves the logged-in-user, WooCommerce, and admin-screen case, which is where the actual conversion path lives. Redis via the official redis PECL extension and the Redis Object Cache plugin is the boring, correct answer. Memcached works but the WordPress ecosystem has standardised on Redis, so go with the flow.

Verify it is actually doing work: wp redis status should show a hit ratio above 90% on a warm site. Below that and either the eviction policy is wrong (use allkeys-lru) or something is calling wp_cache_flush() more aggressively than it should.

#Cloudflare: Page Rules versus Workers for /wp-json

For static HTML, a Cache Rule that caches (http.host eq "example.com" and not http.request.uri.path contains "/wp-admin" and not http.cookie contains "wordpress_logged_in_") for an hour is enough. The trickier case is /wp-json for headless or partially-headless sites. Page Rules cannot vary on auth headers cleanly, so if you are caching the REST API for anonymous traffic, do it in a Worker that explicitly bypasses on Authorization and Cookie: wordpress_logged_in_* and respects Cache-Control: private. The number of sites that ship logged-in user data to anonymous visitors because they cached /wp-json/wp/v2/users at the edge is depressingly high.

#Images: lazy by default, eager where it counts

WordPress 5.5+ adds loading="lazy" to images automatically, which is correct for everything below the fold and wrong for the LCP element. The hero image of a landing page should carry fetchpriority="high" and explicitly loading="eager". The simplest implementation is a small filter on wp_get_attachment_image_attributes that flips both attributes when the attachment ID matches the post’s featured image and the context is the singular template.

AVIF first, WebP fallback, JPEG only as a last resort. Serve from the same origin if you can, because cross-origin image fetches still cost a TLS handshake even on HTTP/3.

#Critical CSS and the font question

Inline the above-the-fold CSS for the homepage and any high-traffic landing page. Tools like Critters or the Penthouse-based extractors built into modern build pipelines do this well; for WordPress specifically, a Cloudflare Worker that injects extracted critical CSS into the head and defers the full stylesheet is the path of least resistance if you do not own the build pipeline.

For fonts, self-host. font-display: swap is non-negotiable. A single 30KB WOFF2 subset usually beats anything Google Fonts can serve, and it removes a third-party DNS lookup from the critical path.

#Clean Your Database

Over time, your WordPress database accumulates unnecessary data - post revisions, spam comments, transient options, and deleted post metadata. This bloat can slow database queries and increase backup sizes.

To clean your database manually:

1. Delete spam comments through Comments > Spam
2. Remove post revisions (consider limiting revision numbers in wp-config.php)
3. Delete unused media from the Media Library
4. Remove expired transients using database management tools

#Minimize External Requests

Each external resource (fonts, scripts, stylesheets) requires additional HTTP requests that slow page loading. WordPress loads several scripts and stylesheets by default - review which ones you actually need and disable unnecessary ones through theme functions or server configuration.

For fonts, consider using system fonts or self-hosted web fonts instead of external font services. This reduces DNS lookups and connection overhead.

#Implement Lazy Loading

WordPress includes built-in lazy loading for images and iframes. This technique defers loading of below-the-fold content until users scroll toward it, improving initial page load times. Lazy loading is enabled by default in modern WordPress versions.

To verify it’s working, check your HTML source for loading="lazy" attributes on image tags.

#Integration and Maintenance

The three pillars of WordPress excellence - security, SEO, and performance - are interconnected. A secure site builds trust with visitors and search engines. Good SEO ensures your content reaches its intended audience. Fast performance keeps visitors engaged and improves search rankings.

#Regular Maintenance Schedule

Establish a routine maintenance schedule to keep your site running smoothly:

• Weekly: Check for WordPress core, theme, and plugin updates
• Monthly: Review analytics data and search console reports
• Quarterly: Perform comprehensive backups and security audits
• Annually: Review and update content relevance

#Monitor Site Health

WordPress includes a Site Health tool that identifies potential issues. Access it through Tools > Site Health in your Dashboard. The tool provides recommendations for improving performance and security.

#Document Your Setup

Maintain documentation of your WordPress configuration, including:

• Installed themes and their versions
• Custom modifications to theme files
• Server configuration details
• Backup schedules and storage locations

This documentation helps troubleshoot issues and ensures continuity if you need to migrate or rebuild your site.

#What to do tomorrow morning

If this list feels overwhelming, the order I would work it on a real engagement is:

1. Drop the wp-config.php constants block and verify the dashboard editor is gone.
2. Run the wp_options autoload query and prune anything over 100KB that does not justify its weight.
3. Audit application passwords with wp user application-password list for every administrator.
4. Push /wp-login.php rate limiting to Cloudflare.
5. Pick one SEO plugin, deactivate the other, then check the rendered HTML for orphaned schema.
6. Fix the LCP image with fetchpriority="high" and self-host the fonts.

The full list above takes a sprint, not an afternoon. Anyone selling a one-hour fix for all four planes is selling a listicle.

#Sources

Learn more about WordPress security services at WPPoland.

• WordPress Block Editor Documentation
• Writing Posts in WordPress
• Hardening WordPress
• WordPress SEO Guide
• WordPress Housekeeping
• Learn WordPress
• WordPress Security Guide
• WordPress SEO Best Practices
• Evergreen Content Examples