Optimize WordPress Performance

Your WordPress site deserves to load fast. Ultra Web Hosting includes powerful server-level optimizations like AccelerateWP, Redis Object Caching, SSD storage, Nginx reverse proxy, and generous 384 MB PHP memory limits, all on our shared hosting plans. Combine these with the tips below and you can achieve dramatic speed improvements without upgrading your plan.

03. Upgrade to PHP 8.x

Running a modern PHP version is one of the easiest and most impactful changes you can make. PHP 8.x delivers significant performance improvements over PHP 7.x thanks to JIT compilation, optimized memory usage, and faster execution across the board. Many WordPress sites see page generation times cut in half simply by upgrading PHP.

We currently recommend PHP 8.2 or PHP 8.3 for most WordPress sites. Before upgrading, verify that your theme and plugins are compatible. Most modern, actively maintained plugins fully support PHP 8.x.

04. Page Caching & Browser Caching

Server-Side Page Caching

If you've enabled AccelerateWP (step 1 above), full-page caching is already handled for you. AccelerateWP stores pre-built HTML versions of your pages and serves them directly from Nginx without executing PHP on every request.

If you prefer a plugin-based approach instead, W3 Total Cache or WP Super Cache are solid free options. Important: Do not stack multiple caching solutions. Use AccelerateWP or a caching plugin, not both.

Browser Caching via Expires Headers

Force browsers to cache static files locally so repeat visitors don't re-download images, CSS, and JS every time. Add the following to your .htaccess file before the WordPress rewrite rules:

# Expires Caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/webp "access 1 year"
ExpiresByType image/svg+xml "access 1 year"
ExpiresByType image/x-icon "access 1 year"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType font/woff2 "access 1 year"
ExpiresByType font/woff "access 1 year"
ExpiresDefault "access 1 month"
</IfModule>

# Vary Accept-Encoding
<IfModule mod_headers.c>
  <FilesMatch "\.(js|css|xml|gz|html|ttf|eot|woff|woff2|otf|svg)$">
    Header append Vary: Accept-Encoding
  </FilesMatch>
</IfModule>

05. Add a CDN (CloudFlare)

A Content Delivery Network caches your static content on servers around the world, so visitors download assets from a location near them instead of across the country. As a CloudFlare Certified Partner, Ultra Web Hosting offers faster, easier integration and free access to CloudFlare's plan.

How to enable: In cPanel, click the CloudFlare icon in the Software section and follow the guided setup. For WordPress-specific configuration tips, see our guide: CloudFlare for WordPress.

06. Optimize & Lazy-Load Images

Unoptimized images are the #1 cause of slow WordPress sites. A single uncompressed hero image can be larger than the rest of your page combined.

Compress Images

Use a bulk image optimization plugin to compress your existing media library and automatically optimize future uploads:

• Smush - lightweight, great for shared hosting, includes lazy loading
• EWWW Image Optimizer - excellent quality retention, supports WebP conversion
• TinyPNG - aggressive compression, best file size savings
• Imagify - three compression levels, WebP & AVIF support

For manual one-off compression, TinyPNG.com and Kraken.io are excellent browser-based tools.

Use Modern Image Formats

Serve images in WebP format whenever possible - WebP files are typically 25-35% smaller than equivalent JPEGs with no visible quality loss. Most image optimization plugins can auto-convert your existing library to WebP and serve the right format based on browser support. Also prefer JPEG over PNG for photographs - PNG is designed for graphics with flat colors and transparency, not photos.

Enable Lazy Loading

WordPress includes native lazy loading since version 5.5. This defers loading of off-screen images until the visitor scrolls to them, dramatically improving initial page load time. Verify it's active by checking that your <img> tags include loading="lazy". If you're running Smush, it includes enhanced lazy loading with a placeholder shimmer effect.

07. Optimize Your Database

WordPress databases grow over time with post revisions, spam comments, transient options, and orphaned metadata. A bloated database means slower queries on every page load.

WP-Optimize is the best all-in-one plugin for this. It cleans post revisions, spam, trashed items, transients, and runs a MySQL OPTIMIZE on your tables.

Recommended cleanup steps:

1. Back up your database first via phpMyAdmin or cPanel Backups
2. Install and activate WP-Optimize
3. Run all cleanup operations - post revisions, auto-drafts, trashed posts, spam comments, transients, expired transients, pingbacks, trackbacks
4. Run "Optimize database tables" to reclaim space and defragment
5. Verify your site works correctly after cleanup
6. Deactivate and delete WP-Optimize

Limit post revisions to prevent future bloat. Add this to wp-config.php:

define('WP_POST_REVISIONS', 5);

Clean Up Expired Transients

Transients are temporary cached data stored in the wp_options table. When they expire, WordPress does not automatically delete them unless you have an object cache (Redis) active. On sites without Redis, expired transients accumulate and bloat the options table. Clean them in phpMyAdmin if you want to clear all transients (they regenerate as needed):

DELETE FROM wp_options WHERE option_name LIKE '%_transient_%';

You can also optimize tables directly via phpMyAdmin: select your database, check all tables, and choose "Optimize table" from the dropdown.

08. Disable wp-cron and Use a Real Cron Job

This is one of the highest-impact performance changes you can make, and most WordPress guides skip it entirely.

By default, WordPress checks for scheduled tasks (plugin updates, scheduled posts, email digests, backup jobs) by loading wp-cron.php on every single page view. On a site with 100 visitors per hour, that means 100 unnecessary PHP executions just to check if a scheduled task is due. On busy sites, this creates constant, pointless server load.

define('DISABLE_WP_CRON', true);

wget -q -O /dev/null https://yourdomain.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1

/usr/local/bin/php /home/username/public_html/wp-cron.php >/dev/null 2>&1

Why this matters:

• Eliminates a PHP execution on every page load for every visitor
• Scheduled tasks still run reliably, every 5 minutes on the dot
• Actually more reliable than the default - if nobody visits your site for an hour, scheduled tasks don't run at all with WordPress's built-in cron
• On WooCommerce sites this is especially impactful since WooCommerce registers many scheduled tasks

09. Control the Heartbeat API

The WordPress Heartbeat API sends AJAX requests (admin-ajax.php) at regular intervals while you have the WordPress admin open. It powers auto-save, login session management, and real-time dashboard notifications. The problem is the frequency:

• Post editor: every 15 seconds
• Dashboard: every 60 seconds
• Frontend (some themes): every 60 seconds

If you have multiple browser tabs open to the admin, or multiple users logged in, each tab fires its own heartbeat. Three editors with two tabs each means 6 AJAX requests every 15 seconds hitting your server.

Option A: Slow It Down (Recommended)

Add this to your theme's functions.php to reduce the heartbeat to every 60 seconds everywhere and disable it entirely on the dashboard:

// Disable heartbeat on dashboard, slow to 60s elsewhere
function ultra_heartbeat_settings( $settings ) {
    $settings['interval'] = 60;
    return $settings;
}
add_filter( 'heartbeat_settings', 'ultra_heartbeat_settings' );

function ultra_disable_heartbeat_dashboard() {
    $screen = get_current_screen();
    if ( $screen->id === 'dashboard' ) {
        wp_deregister_script('heartbeat');
    }
}
add_action( 'admin_enqueue_scripts', 'ultra_disable_heartbeat_dashboard' );

Option B: Use a Plugin

Heartbeat Control by WP Developer Tools provides a UI to manage heartbeat frequency per location (dashboard, editor, frontend) without editing code.

10. Reduce & Audit Plugins

Every active plugin adds PHP execution time, database queries, and potentially external HTTP requests to every page load. We routinely see WordPress sites with 30+ active plugins where removing half of them cuts load time in half.

Rules of thumb: If you're not actively using a plugin, deactivate and delete it. If two plugins do similar things, pick one and remove the other. Use Query Monitor to identify which plugins are generating the most database queries and consuming the most time. Also see our guide: Do you have a WordPress plugin slowing you down?

11. Minify & Combine CSS & JavaScript

Minification removes whitespace, comments, and unnecessary characters from your CSS and JavaScript files, reducing their size by 10-30%. Combining multiple files into fewer requests also reduces HTTP overhead.

If you're using AccelerateWP, CSS optimization is handled automatically. For additional control, Fast Velocity Minify is a solid free plugin. It does require some tweaking, so if you notice visual or functional issues after enabling it, try toggling individual CSS/JS exclusions in its settings. Always clear your cache after making changes.

12. Core Web Vitals & Performance Testing

Google uses Core Web Vitals as a ranking signal. These three metrics measure real user experience:

• Largest Contentful Paint (LCP) - how quickly the main content loads. Target: under 2.5 seconds. Improve with caching, image optimization, and AccelerateWP's Critical CSS feature.
• Interaction to Next Paint (INP) - how quickly your site responds to user input. Target: under 200ms. Reduce by minimizing JavaScript and eliminating render-blocking scripts.
• Cumulative Layout Shift (CLS) - visual stability during load. Target: under 0.1. Fix by setting explicit image dimensions and avoiding dynamically injected content above the fold.

Test your site with these tools:

• Google PageSpeed Insights - shows both lab data and real-world field data from Chrome users
• GTmetrix - detailed waterfall charts showing exactly what loads and when
• Pingdom - test from multiple locations, sort by load time to find bottlenecks
• Ultra Web Hosting Speed Test - test your site directly from our network to measure actual server response time without CDN or geographic latency

13. Block Bad Bots & Harden WordPress

Malicious bots, SEO scrapers, and brute-force attackers can consume significant server resources, sometimes more than your real visitors. The following .htaccess rules block the most common offenders while preserving access for WP-Cron, payment webhooks, and the WordPress REST API:

# === BOT & SECURITY RULES FOR WORDPRESS - ULTRAWEBHOSTING v1.10 ===

# Block empty user agents
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$
RewriteRule ^.* - [F,L]

# Block common malicious bots
RewriteCond %{HTTP_USER_AGENT} (ahrefs|semrush|mj12bot|dotbot|blexbot|rogerbot|megaindex|majestic|serpstat) [NC]
RewriteRule ^.* - [F,L]

# Allow WP-Cron and webhooks (before blocking curl/wget/python)
RewriteCond %{REQUEST_URI} ^/wp-cron\.php$ [NC]
RewriteRule .* - [L]

RewriteCond %{REQUEST_URI} \?wc-api= [NC,OR]
RewriteCond %{REQUEST_URI} ^/wc-api/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/wc/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/stripe/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/paypal/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/square/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/amazon-pay/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/klarna/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/mollie/ [NC]
RewriteRule .* - [L]

# Block scanner/scraper user agents
RewriteCond %{HTTP_USER_AGENT} (zgrab|nikto|sqlmap|nmap|masscan|curl|wget|python|scrapy|httpclient) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (bytespider|petalbot|yandexbot|baiduspider) [NC]
RewriteRule ^.* - [F,L]

# Block access to sensitive files
<FilesMatch "(wp-config\.php|wp-config\.bak|wp-config\.old|wp-config\.txt|readme\.html|license\.txt)$">
  Require all denied
</FilesMatch>

# Block xmlrpc.php completely
<Files xmlrpc.php>
  Require all denied
</Files>

# Block hidden files and directories
RewriteRule ^\.git - [F,L]
RewriteRule ^\.env - [F,L]
RewriteRule ^\.ht - [F,L]

# Block common attack patterns in query strings
RewriteCond %{QUERY_STRING} (base64_encode|eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (<script|<iframe|<embed) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./\.\./|\.\.%2f|%00) [NC,OR]
RewriteCond %{QUERY_STRING} (union.*select|concat.*\() [NC]
RewriteRule ^.* - [F,L]

# Block PHP execution in uploads
RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]

# Block author enumeration
RewriteCond %{QUERY_STRING} ^author=\d+ [NC]
RewriteRule .* - [F,L]

# Disable directory browsing
Options -Indexes

# Block wp-includes direct PHP execution
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# === END BOT & SECURITY RULES ===

You can also download our full bad bot blocker rules for additional protection.

14. Disable Pingbacks & Trackbacks

Pingbacks and trackbacks were designed for cross-blog communication but are now almost exclusively exploited by spam bots. Disable them in Settings → Discussion by unchecking "Allow link notifications from other blogs."

For posts and pages that were published with pingbacks enabled, run these SQL queries in phpMyAdmin to disable them retroactively:

UPDATE wp_posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'post';
UPDATE wp_posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'page';

15. Audit External Content Load Times

External resources like third-party fonts, analytics scripts, social embeds, and video players can add HTTP requests your server can't control. Use GTmetrix or Pingdom to sort requests by load time and identify slow external dependencies. Consider self-hosting critical assets like Google Fonts, and defer non-essential scripts like analytics and chat widgets until after the page has loaded.

16. Disable Hotlinking

If your images are indexed by search engines, other sites may link directly to them, consuming your bandwidth and server resources. Use the Hotlink Protection icon in cPanel to prevent unauthorized sites from embedding your images.

17. Remove Version Query Strings

Query strings like ?ver=6.7.1 on CSS and JS files can prevent proper caching by your server and CDN. Add the following to the bottom of your theme's functions.php file (before the closing ?> tag if one exists):

// Remove version query strings from static resources
function ultra_remove_script_version( $src ) {
    $parts = explode( '?ver', $src );
    return $parts[0];
}
add_filter( 'script_loader_src', 'ultra_remove_script_version', 15, 1 );
add_filter( 'style_loader_src', 'ultra_remove_script_version', 15, 1 );

Alternatively, the Remove Query Strings from Static Resources plugin handles this automatically.

18. Audit Autoloaded Options

WordPress loads every row in wp_options with autoload='yes' into memory on every single page load. Deleted or deactivated plugins often leave their options behind with autoload still enabled, wasting memory and slowing startup.

Find the biggest offenders in phpMyAdmin:

SELECT option_name, LENGTH(option_value) AS size_bytes
FROM wp_options
WHERE autoload = 'yes'
ORDER BY size_bytes DESC
LIMIT 20;

Look for options from plugins you no longer use. Common culprits include old analytics plugins, deactivated page builders, and abandoned A/B testing tools that store serialized data blobs.

To turn off autoload for a specific option:

UPDATE wp_options SET autoload = 'no' WHERE option_name = 'old_plugin_settings';

19. Still Need More Performance?

If you've implemented the optimizations above and still need more speed, it may be time to upgrade your hosting plan:

• Ultra Unlimited Pro / WordPress Optimized - higher resource limits, Redis Object Caching included, AccelerateWP Premium features
• VPS & Dedicated Server Plans - full root access, dedicated resources, custom server tuning for high-traffic WordPress

Quick Recap: The Essential Speed Boost

If you only do six things from this guide, do these:

1. Enable AccelerateWP in cPanel - instant full-page caching and Critical CSS (free)
2. Upgrade to PHP 8.2+ in Select PHP Version - up to 2x faster execution
3. Activate Redis Object Caching via AccelerateWP Premium - eliminates redundant database queries
4. Disable wp-cron and use a cPanel cron every 5 minutes - eliminates a PHP execution on every page load
5. Run an image optimization plugin (Smush, EWWW, or Imagify) in bulk mode, then deactivate it
6. Enable CloudFlare CDN via cPanel - global edge caching for your static assets

442 users found this article useful · Last updated March 2026 · Browse all WordPress articles →