Update WordPress
--------------------------------
If you’re not using the latest version of WordPress update now. Make sure you backup your site first!
Update Plugins
--------------------------------
Updating your WordPress plugins to the latest versions can often reduce high CPU usage. If you’re running an old version take a moment to update now.
Avoid beta versions of plugins
--------------------------------
Whilst it’s cool to be at the cutting-edge, only use stable versions of WordPress plugins. Sometimes early release versions (also known as alpha or beta) can have bugs in the code which can cause CPU spikes.
Install a caching plugin
--------------------------------
Caching plugins such as W3 Total Cache and WP Super Cache can dramatically reduce CPU load by caching static copies of your pages on your web space. Static files use less CPU and memory. Keeping you within your shared-hosting limits.
Disable WP-Cron
--------------------------------
WP-Cron manages all the scheduled events in your WordPress site. WP-Cron is a very common cause of high CPU loads as it is called every time someone visits your website. Disabling WP-Cron and replacing with a real Cron Job can drastically reduce CPU-load and prevent the chances your account is suspended due to exceeding your resources. It can be simply disabled by add the below command at "wp-config.php" below line "define('DB_COLLATE', '');":define('DISABLE_WP_CRON', 'true');
Only use plugins you really need
--------------------------------
Do you really need that plugin that constantly checks for broken links? – The more WordPress plugins you have installed, the longer your site will take to load. Deactivate and delete any plugin that you don’t need. Aim for just a handful of plugins. This will speed up your site and keep your visitors happy. If you’ve disabled plugins you don’t need, and still have high CPU usage you’ll need to try debugging each plugin to see if it’s the cause of the CPU spike. First, make sure you’ve taken a backup of your entire WordPress site (files and database). Now try disabling each plugin one by one until the CPU load has been resolved. Once you’ve found the faulty plugin you should hopefully be able to reenable the others without seeing the CPU problems.
Avoid buggy WordPress Themes
--------------------------------
A badly written WordPress Theme or one written with demanding features such as server-side image resizing can be CPU intensive. To rule out problems with your WordPress theme try the following:
a). Check error logs for problems. Login to cPanel and check the Error logs for errors.
b). Contact the theme developer and ask if there are any known issues.
c). Disable any dynamic features built into the theme such as thumbnail resizing. Some WordPress themes have their own image resizing modules which can cause high CPU usage. If possible we recommend disabling them in favor of using the more efficient image resizing built into the WordPress core.
Reduce widgets
--------------------------------
There may be certain widgets that aren’t essential. Check them thoroughly and remove the ones that may not be beneficial for the readers. The more widgets you use the more strain you are enforcing on the server. Hence, to lower server load and CPU usage, get rid of unwanted widgets.
Lower PHP or Database calls
--------------------------------
PHP scripts and database calls also consume a lot of CPU resources. Caching your sites helps but certain database/PHP calls cannot be avoided. Hence, you should go through the plugin's documentation carefully and disable the unnecessary options.
Lower load on index.php file
--------------------------------
At peak hours, your homepage may create a load on your server during peak hours. To lower this load, ensure keeping your homepage simple. Try to lower the number of posts on your homepage and remove unwanted files, links, and high-resolution images. It would be even better if you choose a CDN service like Cloudfront.
Use PHP 8.1
--------------------------------
Switching to PHP 8.1 can dramatically speed up your WordPress website, reducing loading time and freeing up CPU and memory. We recommend testing a staging version of your website with PHP 8.1 before changing the production version. You could change the PHP version from Cpanel --> MultiPHP Manager.
Disable XML-RPC upload
--------------------------------
Add below rules at .htacess to prevent xmlrpc.php. This may prevent xmlrpc.php attack from your domain.# Block WordPress xmlrpc.php requests
order deny,allow
deny from all
Restrict WordPress Admin Area
--------------------------------
Please follow the link to secure the Admin Area.
http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/
Protect the wp-config.php file
--------------------------------
If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:order allow,denydeny from all
Change the permission of wp-config.php to 400.
Disallow file editing
--------------------------------
If a user has admin access to your WordPress dashboard they can edit any files that are part of your WordPress installation. This includes all plugins and themes.
If you disallow file editing, no one will be able to modify any of the files – even if a hacker obtains admin access to your WordPress dashboard.
To make this work, add the following to the wp-config.php file (at the very end):define('DISALLOW_FILE_EDIT', true);
Secure wp-includes
--------------------------------
The wp-includes folder houses WordPress core files that nobody should have the need to tamper with. To make absolutely sure it doesn’t happen, use the following code at .htaccess.RewriteEngine OnRewriteBase /RewriteRule ^wp-admin/includes/ - [F,L]RewriteRule !^wp-includes/ - [S=3]RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]RewriteRule ^wp-includes/theme-compat/ - [F,L]
Strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS
--------------------------------Header set X-Frame-Options SAMEORIGINHeader set X-XSS-Protection 1;mode=blockHeader set X-Content-Type-Options nosniffHeader always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"Header always set Referrer-Policy "same-origin"Header always set Permissions-Policy: interest-cohort=()
