Optimize WordPress Performance

Your WordPress site deserves to load fast. Ultra Web Hosting includes powerful server-level optimizations like AccelerateWP, Redis Object Caching, SSD storage, Nginx reverse proxy, and generous 384 MB PHP memory limits, all on our shared hosting plans. Combine these with the tips below and you can achieve dramatic speed improvements without upgrading your plan.

03. Upgrade to PHP 8.x

Running a modern PHP version is one of the easiest and most impactful changes you can make. PHP 8.x delivers significant performance improvements over PHP 7.x thanks to JIT compilation, optimized memory usage, and faster execution across the board. Many WordPress sites see page generation times cut in half simply by upgrading PHP.

We currently recommend PHP 8.2 or PHP 8.3 for most WordPress sites. Before upgrading, verify that your theme and plugins are compatible. Most modern, actively maintained plugins fully support PHP 8.x.

04. Page Caching & Browser Caching

Server-Side Page Caching

If you've enabled AccelerateWP (step 1 above), full-page caching is already handled for you. AccelerateWP stores pre-built HTML versions of your pages and serves them directly from Nginx without executing PHP on every request.

If you prefer a plugin-based approach instead, W3 Total Cache or WP Super Cache are solid free options. Important: Do not stack multiple caching solutions. Use AccelerateWP or a caching plugin, not both.

Browser Caching via Expires Headers

Force browsers to cache static files locally so repeat visitors don't re-download images, CSS, and JS every time. Add the following to your .htaccess file before the WordPress rewrite rules:

# Expires Caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/webp "access 1 year"
ExpiresByType image/svg+xml "access 1 year"
ExpiresByType image/x-icon "access 1 year"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType font/woff2 "access 1 year"
ExpiresByType font/woff "access 1 year"
ExpiresDefault "access 1 month"
</IfModule>

# Vary Accept-Encoding
<IfModule mod_headers.c>
  <FilesMatch "\.(js|css|xml|gz|html|ttf|eot|woff|woff2|otf|svg)$">
    Header append Vary: Accept-Encoding
  </FilesMatch>
</IfModule>

05. Add a CDN (CloudFlare)

A Content Delivery Network caches your static content on servers around the world, so visitors download assets from a location near them instead of across the country. As a CloudFlare Certified Partner, Ultra Web Hosting offers faster, easier integration and free access to CloudFlare's plan.

How to enable: In cPanel, click the CloudFlare icon in the Software section and follow the guided setup. For WordPress-specific configuration tips, see our guide: CloudFlare for WordPress.

06. Optimize & Lazy-Load Images

Unoptimized images are the #1 cause of slow WordPress sites. A single uncompressed hero image can be larger than the rest of your page combined.

Compress Images

Use a bulk image optimization plugin to compress your existing media library and automatically optimize future uploads:

• Smush - lightweight, great for shared hosting, includes lazy loading
• EWWW Image Optimizer - excellent quality retention, supports WebP conversion
• TinyPNG - aggressive compression, best file size savings
• Imagify - three compression levels, WebP & AVIF support

For manual one-off compression, TinyPNG.com and Kraken.io are excellent browser-based tools.

Use Modern Image Formats

Serve images in WebP format whenever possible - WebP files are typically 25-35% smaller than equivalent JPEGs with no visible quality loss. Most image optimization plugins can auto-convert your existing library to WebP and serve the right format based on browser support. Also prefer JPEG over PNG for photographs - PNG is designed for graphics with flat colors and transparency, not photos.

Enable Lazy Loading

WordPress includes native lazy loading since version 5.5. This defers loading of off-screen images until the visitor scrolls to them, dramatically improving initial page load time. Verify it's active by checking that your <img> tags include loading="lazy". If you're running Smush, it includes enhanced lazy loading with a placeholder shimmer effect.

07. Optimize Your Database

WordPress databases grow over time with post revisions, spam comments, transient options, and orphaned metadata. A bloated database means slower queries on every page load.

WP-Optimize is the best all-in-one plugin for this - it cleans post revisions, spam, trashed items, transients, and then runs a MySQL OPTIMIZE on your tables. Stick to the default settings for safe cleanup.

Additional database tips:

• Limit post revisions by adding define('WP_POST_REVISIONS', 5); to wp-config.php
• Close comments on pages where they aren't needed
• Delete unused plugins and themes - they can leave orphaned database tables behind
• Schedule WP-Optimize to run weekly for automatic maintenance
• You can also run optimizations directly via phpMyAdmin: select your database → check all tables → choose "Optimize table" from the dropdown

08. Reduce & Audit Plugins

Every active plugin adds PHP execution time, database queries, and potentially external HTTP requests to every page load. We routinely see WordPress sites with 30+ active plugins where removing half of them cuts load time in half.

Rules of thumb: If you're not actively using a plugin, deactivate and delete it. If two plugins do similar things, pick one and remove the other. Use Query Monitor to identify which plugins are generating the most database queries and consuming the most time. Also see our guide: Do you have a WordPress plugin slowing you down?

09. Minify & Combine CSS & JavaScript

Minification removes whitespace, comments, and unnecessary characters from your CSS and JavaScript files, reducing their size by 10-30%. Combining multiple files into fewer requests also reduces HTTP overhead.

If you're using AccelerateWP, CSS optimization is handled automatically. For additional control, Fast Velocity Minify is a solid free plugin. It does require some tweaking, so if you notice visual or functional issues after enabling it, try toggling individual CSS/JS exclusions in its settings. Always clear your cache after making changes.

10. Core Web Vitals & Performance Testing

Google uses Core Web Vitals as a ranking signal. These three metrics measure real user experience:

• Largest Contentful Paint (LCP) - how quickly the main content loads. Target: under 2.5 seconds. Improve with caching, image optimization, and AccelerateWP's Critical CSS feature.
• Interaction to Next Paint (INP) - how quickly your site responds to user input. Target: under 200ms. Reduce by minimizing JavaScript and eliminating render-blocking scripts.
• Cumulative Layout Shift (CLS) - visual stability during load. Target: under 0.1. Fix by setting explicit image dimensions and avoiding dynamically injected content above the fold.

Test your site with these tools:

• Google PageSpeed Insights - shows both lab data and real-world field data from Chrome users
• GTmetrix - detailed waterfall charts showing exactly what loads and when
• Pingdom - test from multiple locations, sort by load time to find bottlenecks

11. Block Bad Bots & Harden WordPress

Malicious bots, SEO scrapers, and brute-force attackers can consume significant server resources, sometimes more than your real visitors. The following .htaccess rules block the most common offenders while preserving access for WP-Cron, payment webhooks, and the WordPress REST API:

# === BOT & SECURITY RULES FOR WORDPRESS - ULTRAWEBHOSTING v1.10 ===

# Block empty user agents
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-$
RewriteRule ^.* - [F,L]

# Block common malicious bots
RewriteCond %{HTTP_USER_AGENT} (ahrefs|semrush|mj12bot|dotbot|blexbot|rogerbot|megaindex|majestic|serpstat) [NC]
RewriteRule ^.* - [F,L]

# Allow WP-Cron and webhooks (before blocking curl/wget/python)
RewriteCond %{REQUEST_URI} ^/wp-cron\.php$ [NC]
RewriteRule .* - [L]

RewriteCond %{REQUEST_URI} \?wc-api= [NC,OR]
RewriteCond %{REQUEST_URI} ^/wc-api/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/wc/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/stripe/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/paypal/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/square/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/amazon-pay/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/klarna/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/mollie/ [NC]
RewriteRule .* - [L]

# Block scanner/scraper user agents
RewriteCond %{HTTP_USER_AGENT} (zgrab|nikto|sqlmap|nmap|masscan|curl|wget|python|scrapy|httpclient) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (bytespider|petalbot|yandexbot|baiduspider) [NC]
RewriteRule ^.* - [F,L]

# Block access to sensitive files
<FilesMatch "(wp-config\.php|wp-config\.bak|wp-config\.old|wp-config\.txt|readme\.html|license\.txt)$">
  Require all denied
</FilesMatch>

# Block xmlrpc.php completely
<Files xmlrpc.php>
  Require all denied
</Files>

# Block hidden files and directories
RewriteRule ^\.git - [F,L]
RewriteRule ^\.env - [F,L]
RewriteRule ^\.ht - [F,L]

# Block common attack patterns in query strings
RewriteCond %{QUERY_STRING} (base64_encode|eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (<script|<iframe|<embed) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./\.\./|\.\.%2f|%00) [NC,OR]
RewriteCond %{QUERY_STRING} (union.*select|concat.*\() [NC]
RewriteRule ^.* - [F,L]

# Block PHP execution in uploads
RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]

# Block author enumeration
RewriteCond %{QUERY_STRING} ^author=\d+ [NC]
RewriteRule .* - [F,L]

# Disable directory browsing
Options -Indexes

# Block wp-includes direct PHP execution
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# === END BOT & SECURITY RULES ===

You can also download our full bad bot blocker rules for additional protection.

12. Disable Pingbacks & Trackbacks

Pingbacks and trackbacks were designed for cross-blog communication but are now almost exclusively exploited by spam bots. Disable them in Settings → Discussion by unchecking "Allow link notifications from other blogs."

For posts and pages that were published with pingbacks enabled, run these SQL queries in phpMyAdmin to disable them retroactively:

UPDATE wp_posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'post';
UPDATE wp_posts SET ping_status='closed' WHERE post_status = 'publish' AND post_type = 'page';

13. Audit External Content Load Times

External resources like third-party fonts, analytics scripts, social embeds, and video players can add HTTP requests your server can't control. Use GTmetrix or Pingdom to sort requests by load time and identify slow external dependencies. Consider self-hosting critical assets like Google Fonts, and defer non-essential scripts like analytics and chat widgets until after the page has loaded.

14. Disable Hotlinking

If your images are indexed by search engines, other sites may link directly to them, consuming your bandwidth and server resources. Use the Hotlink Protection icon in cPanel to prevent unauthorized sites from embedding your images.

15. Remove Version Query Strings

Query strings like ?ver=6.7.1 on CSS and JS files can prevent proper caching by your server and CDN. Add the following to the bottom of your theme's functions.php file (before the closing ?> tag if one exists):

// Remove version query strings from static resources
function ultra_remove_script_version( $src ) {
    $parts = explode( '?ver', $src );
    return $parts[0];
}
add_filter( 'script_loader_src', 'ultra_remove_script_version', 15, 1 );
add_filter( 'style_loader_src', 'ultra_remove_script_version', 15, 1 );

Alternatively, the Remove Query Strings from Static Resources plugin handles this automatically.

16. Still Need More Performance?

If you've implemented the optimizations above and still need more speed, it may be time to upgrade your hosting plan:

• Ultra Unlimited Pro / WordPress Optimized - higher resource limits, Redis Object Caching included, AccelerateWP Premium features
• VPS & Dedicated Server Plans - full root access, dedicated resources, custom server tuning for high-traffic WordPress

Quick Recap: The 5-Minute Speed Boost

If you only do five things from this guide, do these:

1. Enable AccelerateWP in cPanel - instant full-page caching and Critical CSS (free)
2. Upgrade to PHP 8.2+ in Select PHP Version - up to 2x faster execution
3. Activate Redis Object Caching via AccelerateWP Premium - eliminates redundant database queries
4. Run an image optimization plugin (Smush, EWWW, or Imagify) in bulk mode on your media library
5. Enable CloudFlare CDN via cPanel - global edge caching for your static assets

442 users found this article useful · Last updated March 2026 · Browse all WordPress articles →