In a previous post we worked through setting up your WordPress site on NearlyFreeSpeech. Now I thought I’d write about the additional configuration steps I take with my WordPress sites once I have the base install up and running. These are generic and can be used across any installation which is why I’ve separated them out from the specific steps in the NearlyFreeSpeech set up guide.
In this post I’m focusing on the security improvements you can make to your configuration. These are either via a plugin or through some configuration file changes. I’ll also pick up on the functionality / appearance improvements which you can make in a subsequent post.
A note on editing the functions.php file
This post recommends editing the functions.php file to improve aspects of your WordPress site. Note that the functions.php file is actually tied to your theme, so you will lose any customisations you make to it if you change themes. Where I recommend you edit the functions.php file it is probably better to use a plugin (I do!) such as ‘Code Snippets’ (https://wordpress.org/plugins/code-snippets/screenshots/) to manage any code that you would otherwise add to functions.php. This plugin lets you manage each piece of code like its own plugin: you can turn it on and off, and it will survive theme changes. It adds its own section to the sidebar which acts like the ‘Plugins’ section.
Fix wp-cron (for NearlyFreeSpeech hosted sites – found on the NFS support site)
You can schedule your WordPress posts to appear in the future but unfortunately on NFS the integration of WordPress with the server’s cron service doesn’t work out of the box. This will also affect any regularly scheduled jobs you may have running in WordPress, e.g. a plugin which emails you a backup of your databases on a regular basis.
The default wp-cron.php which is installed with WordPress doesn’t play nice with NFS and has a history of locking problems, so when a site gets busy it can go crazy and wind up running dozens of times at once trying to figure out if it should be running at all (and the answer is almost always “no”). Say goodbye to your blog performance!
Fixing this issue takes two easy steps…
1. Simply add this text to your wp-config.php file:
define( 'DISABLE_WP_CRON', true );
2. Go to the site info panel in NFS and add an hourly scheduled task for your site that consists of this URL:
(Substitute your site’s actual name for example.nfshost.com.) You don’t need to use curl or wget; a scheduled task that has a URL as its command will automatically be treated as a web request.
Preventing robots.txt and favicon.ico 404 errors
Requests for these two files can generate many 404 errors if the files don’t exist. The way WordPress handles 404 errors is very inefficient, and can result in unnecessary strain on high-traffic sites if either of these files does not exist. You can create these files according to your preferences, but if you don’t need them and just want to avoid the performance penalty and resource cost of having requests for them return 404 errors, it’s well worth creating two empty files from the ssh command line in the root directory of your site:
- touch robots.txt
- touch favicon.ico
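To confirm that both changes above are in place (the DISABLE_WP_CRON setting and the two stub files), the following shell functions are an added example, not part of the original post or the NFS support material. The function names and return codes are this example's own; the ordering check relies on the fact that constants in wp-config.php only take effect if they are defined before the line that loads wp-settings.php.

```shell
#!/bin/sh
# Added example: audit a WordPress docroot for the two fixes described above.
# Function names and return codes are this example's own.

# check_wp_cron_disabled <wp-config.php>
#   0 = DISABLE_WP_CRON is true and set before wp-settings.php is loaded
#   1 = not defined as true on an uncommented line
#   2 = file unreadable
#   3 = defined after wp-settings.php is loaded, too late to take effect
# Limitation: lines inside a /* ... */ block comment are not recognised.
check_wp_cron_disabled() {
    cfg=$1
    [ -r "$cfg" ] || return 2
    def_re="^[[:space:]]*define\([[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\)"
    load_re="^[[:space:]]*require(_once)?[[:space:](].*wp-settings\.php"
    def_line=$(grep -nE "$def_re" "$cfg" | head -n 1 | cut -d: -f1)
    load_line=$(grep -nE "$load_re" "$cfg" | head -n 1 | cut -d: -f1)
    [ -n "$def_line" ] || return 1
    if [ -n "$load_line" ] && [ "$def_line" -gt "$load_line" ]; then
        return 3
    fi
    return 0
}

# check_stub_files <docroot>
#   0 = robots.txt and favicon.ico both exist (empty files count)
#   1 = at least one is missing, so requests for it fall through to WordPress
check_stub_files() {
    missing=0
    for f in robots.txt favicon.ico; do
        [ -e "$1/$f" ] || { echo "missing: $1/$f" >&2; missing=1; }
    done
    return "$missing"
}

# Usage: sh audit.sh /path/to/docroot
if [ "$#" -eq 1 ]; then
    rc=0
    check_wp_cron_disabled "$1/wp-config.php" || rc=$?
    echo "wp-cron check: $rc"
    rc=0
    check_stub_files "$1" || rc=$?
    echo "stub files check: $rc"
fi
```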
Install Google Analytics
Google Analytics is the best way to find out about visitors to your site, e.g. how many, from where, at what times, how they got there, …
Register for an Analytics account and set up a new site in Analytics. Follow all the steps and get the code that Google gives you.
You could insert the code in the header.php file which is included with your theme but then if you changed theme you would lose your tracking code. It is best to use a plugin which can keep your header persistent. I like the ‘Insert Headers and Footers’ plugin. It is very basic and does exactly what we need. Install that and copy the analytics code into the header box.
There are also dozens of plugins specifically for inserting Analytics code but you don’t need anything specific and I expect they also do stuff in the background that you may not want.