Introduction
Starting a fresh WordPress site in 2026? Whether it's a blog, eCommerce store, or portfolio, these tweaks will supercharge speed, lock down security, and ensure buttery-smooth performance from day one.
No paid tools required — just free plugins and quick configs. Let's dive in!
1. Auto-Resize & Compress Images on Upload
Images are the #1 bandwidth killer. Don't upload a 10MB photo and hope for the best — automate compression to keep your site lean.
Recommended Plugin: Resize Image After Upload (Free, 90K+ active installs, 4.8/5 rating)
- Install & activate it first thing.
- Set max width/height (e.g., 1920px wide) and compression level (default 82% JPEG quality is solid).
- It auto-resizes JPEG/PNG/GIF on upload, slashes file sizes by 50–80%, and boosts SEO with faster load times.
Pro tip: For bulk-optimizing existing images, pair it with Smush (free tier handles 50 images/month).
Result: Pages load 2–3x faster, less server strain, happier Google rankings.
2. Strip Out Unnecessary Bloat
WordPress ships with "extras" you might not need — like Gutenberg blocks, XML-RPC, or emoji scripts. Trim the fat for a lighter core.
Recommended Plugin: Unbloater (Free, 10K+ active installs, 5/5 rating)
- Simple dashboard under Settings > Unbloater.
- Recommended toggles:
  - Backend: Disable auto-updates (if you handle them manually), limit post revisions to 3, hide update nags for non-admins, disable XML-RPC.
  - Frontend: Remove RSD/WLW manifests, shortlinks, feed links, jQuery Migrate, emoji scripts.
  - Block Editor: Fully disable Gutenberg (if using Classic Editor) or remove unused blocks.
  - Extras: Block DNS prefetch to WordPress.org, remove generator meta tag.
Everything is reversible — toggle off if issues arise. This cuts database queries and JS/CSS bloat by 20–30%.
3. Tame the Heartbeat API
WordPress' Heartbeat API pings your server every 15–60 seconds for autosave, user presence, etc. Great for collaboration, but it spikes CPU on shared hosting.
Recommended Plugin: Heartbeat Control (Free, 90K+ active installs, 4.1/5 rating)
- Go to Settings > Heartbeat Control.
- Set intervals: 60 seconds (frontend), 120 seconds (dashboard/editor).
- Or disable entirely on frontend if you don't need live previews.
Unbloater can handle this too. Expect 10–20% CPU savings on idle sessions.
4. Limit Post Revisions
By default, WordPress saves 25 revisions per post — bloating your database over time (e.g., a 1,000-post site = 25K+ entries).
Add to wp-config.php (before "That's all, stop editing!"):
// Limit to 3 revisions (or false to disable)
define('WP_POST_REVISIONS', 3);
Unbloater has a toggle for this. Clean up old ones with WP-Optimize (free).
Result: Smaller DB = faster queries and backups.
5. Disable XML-RPC (Unless Needed)
XML-RPC enables remote posting/apps but is a brute-force magnet (most bots target it).
- If using Jetpack/mobile apps: Keep it, but whitelist your IP.
- Otherwise: Block via .htaccess (Apache/LiteSpeed):
<Files xmlrpc.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
Order Deny,Allow
Deny from all
# Allow from YOUR.IP.ADDRESS (uncomment if needed)
</Files>
Unbloater or Loginizer (free, 1M+ installs) can disable it too.
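As an added example (not the page's code and not Unbloater's), here are the same tweaks from sections 2 to 5 done in a must-use plugin, for sites that prefer a few lines of code over plugin toggles; it assumes the file path wp-content/mu-plugins/site-hardening.php and only core WordPress hooks. The .htaccess block above still stops requests at the web server; this layer keeps WordPress itself from answering XML-RPC calls that reach PHP anyway (for example on Nginx).

```php
<?php
/**
 * Plugin Name: Site Hardening (added example; assumed path wp-content/mu-plugins/site-hardening.php)
 */

// Section 2: frontend bloat. Drop RSD/WLW manifests, shortlink, generator tag
// and the emoji script/style that WordPress injects into every page.
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'wp_shortlink_wp_head' );
remove_action( 'wp_head', 'wp_generator' );
remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'wp_print_styles', 'print_emoji_styles' );

// Section 2: remove the dns-prefetch hint for s.w.org (hint entries may be strings or arrays).
add_filter( 'wp_resource_hints', function ( $urls, $relation_type ) {
    if ( 'dns-prefetch' === $relation_type ) {
        $urls = array_filter( $urls, function ( $url ) {
            $href = is_array( $url ) ? ( $url['href'] ?? '' ) : $url;
            return false === strpos( $href, 's.w.org' );
        } );
    }
    return $urls;
}, 10, 2 );

// Section 3: Heartbeat once a minute instead of every 15 seconds.
// heartbeat.js clamps the value to the 15..120 second range.
add_filter( 'heartbeat_settings', function ( $settings ) {
    $settings['interval'] = 60;
    return $settings;
} );

// Section 4: keep 3 revisions per post. WP_POST_REVISIONS is fixed before
// mu-plugins load, so a plugin must use this filter rather than define().
add_filter( 'wp_revisions_to_keep', fn() => 3 );

// Section 5: XML-RPC. 'xmlrpc_enabled' only rejects authenticated calls, so
// also drop the pingback methods (callable without login) and stop
// advertising the endpoint in the X-Pingback response header.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Files in mu-plugins load on every request and cannot be deactivated from the dashboard, so delete the file to revert; check the rendered page source and response headers afterwards to confirm the tags and X-Pingback header are gone.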
6. Lock Down Logins with Rate Limiting
Bots hammer /wp-login.php 24/7. Limit attempts to stop brute-force attacks cold.
Top Pick: Limit Login Attempts Reloaded (Free, 2M+ installs, 4.9/5 rating)
- Defaults: 3 failed attempts → 15-min lockout (escalates to 24h).
- Covers wp-admin, XML-RPC, WooCommerce, custom logins.
- Logs + notifications included.
Alternative: BruteGuard (Free, cloud-based botnet blocking via shared network).
Loginizer (1M+ installs) adds 2FA + reCAPTCHA for extra layers.
Test: Try wrong logins — you'll see instant blocks.
7. Vet Plugins Before Installing
Not all plugins are equal — some bloat your site with 1MB+ RAM usage or JS errors. Always check:
- WP Hive: Chrome extension + site for automated tests (memory, page speed impact, PHP/WordPress compatibility, DB footprint). E.g., Yoast SEO 20.1: +0.1s load time, 1MB RAM (heavier than average).
- PluginTests.com: Basic compatibility/smoke tests for 98% of WP.org plugins (activation errors, obvious breaks).
Quick Example (2025 Benchmarks):
- Yoast SEO: Solid but resource-heavy (+0.1s load, 1MB RAM). Great for readability.
- Rank Math SEO: Lighter (no load impact, <250KB RAM), more free features. Often 4x faster in tests.
Aim for lightweight picks — only add "heavy" ones if essential.
Wrap-Up
Implement these today, and your site will launch 2–3x faster, more secure, and future-proof. Total time: ~30 minutes. No excuses!
Got more tips? Drop them in the comments.
If this helped, share with a friend or subscribe to The Self Hosting Art. Thanks for reading! 🚀