Documentation
Every audit check explained: what the problem is, what it causes, and how to fix it.
Security
- Directory Listing on /uploads/: Accidental Exposure If /wp-content/uploads/ shows a file index, you have exposed backups, internal docs and files that were never meant to be public.
- HSTS: enforcing HTTPS at the browser level in WordPress HSTS tells the browser to rewrite every request to HTTPS for the max-age it declares, so no plaintext request is sent at all. An essential layer beyond the standard redirect, which only kicks in after one HTTP request has already gone out.
- Mixed content on an HTTPS site: detect and clean unencrypted links An HTTPS page loading an HTTP resource is flagged as insecure, hurting UX and SEO. A guide to find and fix.
- WP_DEBUG in production: why it is dangerous and what to use instead Debug mode in production exposes file paths, versions and code internals to every visitor. Safe disable with private logging preserved.
- WordPress XML-RPC: A Legacy Interface Almost No One Needs XML-RPC exposes the site to password brute force (system.multicall packs hundreds of guesses into a single request), pingback DDoS amplification, and a long history of vulnerabilities. Disable it without breaking Jetpack.
- xmlrpc.php Still Reachable: Server-Level Blocking Is Mandatory Disabling XML-RPC inside WordPress is not enough while the file still responds. Only a server-level block truly closes it.
- No HTTPS: Why It Fails Even When You "Have Nothing to Protect" A site over HTTP is flagged "not secure", loses search ranking and leaks sessions. Migrate to HTTPS without breaking content.
- Session Cookie Flags: Secure, HttpOnly, SameSite Each flag closes a different hole: without Secure the admin cookie travels over plain HTTP and can be sniffed, without HttpOnly an XSS payload can read it, without SameSite the browser attaches it to cross-site requests (CSRF). Configure all three correctly.
- Brute-force protection for WordPress: three essential layers Without brute-force protection, a WordPress site faces thousands of login attempts per minute. Build a multi-layer defence step by step.
- Hiding the WordPress Version: Why It Helps and Why It Is Not Enough WordPress leaks its version in several places. Hiding it reduces bot noise but is no substitute for actually updating.
- Hiding the WordPress login URL: when it helps and when it does not Replacing /wp-login.php with a random slug cuts most of the automated login noise in the logs, but it is obscurity only. A complementary layer to strong passwords and 2FA, never a substitute.
- wp-config.php permissions: why 600 or 640, never more wp-config.php holds your database password and secret keys. Permissions that are too open let any other account or process on the server read them.
- Blocking /wp-admin/install.php on a live WordPress site install.php is used once during initial setup. On an installed site it only reports that WordPress is already installed, but if the core tables ever go missing (a failed migration, a dropped database) anyone who can reach it can re-run the installer and create their own administrator.
- Public REST API User Endpoint: Username Enumeration via /wp-json/wp/v2/users The /wp-json/wp/v2/users endpoint leaks usernames to unauthenticated visitors. Block it without breaking the site.
- HTTP Security Headers: Cheap Defense Against XSS, Clickjacking and MIME Attacks X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP — four headers that block a long list of client-side attacks.
- How many WordPress administrator accounts should your site really have Every admin account is an attack vector. A complete guide to trimming admin counts without disrupting day-to-day work.
- Enforcing HTTPS site-wide: from installed certificate to full enforcement An installed certificate alone is not enough. Force HTTPS with 301 redirects, database link rewrites and mixed-content cleanup.
- Password policy in WordPress: why the strength meter is not enough WordPress shows a strength meter but does not enforce it - users can tick 'Confirm use of weak password' and proceed. Real enforcement, step by step.
- User Enumeration via ?author=N: Username Discovery Visiting /?author=1 redirects to /author/<slug>/, exposing the author slug, which by default is the login name. Block it without breaking author archives.
- WordPress Salts: Why to Rotate Them and When The secret keys and salts in wp-config.php key the hashes that sign every authentication cookie; they do not encrypt anything. Rotating them invalidates every existing cookie, which logs out every user and cuts off anyone holding a stolen session.
- The 'admin' username problem in WordPress and how to remove it safely The username 'admin' is half the work for an attacker. Replace it with a safe administrator without losing any content.
- Recently Created Administrators: A Compromise Indicator A new admin you did not create is a red flag. Verify, revoke, and close the door behind the attacker.
- WordPress Core Update: Why You Should Not Postpone Even One Day Minor updates are security fixes. Major updates need planning. How to ship both without breaking the site.
- WordPress automatic updates: what to enable and what to keep manual Automatic security updates close vulnerabilities without relying on you. A guide to configuring core, plugins and themes the right way.
- The WordPress file editor: why to disable it before it is too late The built-in theme and plugin editor turns any admin compromise into full code injection. One define in wp-config.php, DISALLOW_FILE_EDIT, disables it; DISALLOW_FILE_MODS goes further and also blocks plugin and theme installs and updates from wp-admin, so updates must then happen another way.
- PHP Files Inside wp-content/uploads: A Hack Indicator and How to Clean Up Finding PHP files inside wp-content/uploads almost always means a webshell was uploaded. Here is how to detect, remove and prevent it.
- Sensitive files exposed at the WordPress root: .git, .env, wp-config.bak A .git folder, .env file or wp-config backup reachable via the browser leaks every secret on the site. How to detect and block.
- WordPress database prefix: why to change from wp_ and how to do it safely The default wp_ prefix lets an attacker hard-code table names into an injection payload; a custom prefix is a small obstacle and nothing more, since any working injection can read the real prefix from information_schema. A safe procedure to change it without breaking the site, including the wp_capabilities and wp_user_roles rows in usermeta and options that also carry the prefix.
- WordPress core file integrity: detecting malicious modifications A core file that differs from the official release is a strong breach indicator. Guide to detection, comparison and safe restoration.
- Vulnerable Plugins: Detection, Updating and Replacement A plugin with a known CVE is an open door for attackers. Detect, patch, and replace plugins safely when no fix exists.
- SSL Certificate Approaching Expiry: Renew Without Downtime An expired certificate puts a full-page browser warning in front of every visitor and breaks API clients outright. Start renewal at least seven days before — never on the last day.
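Most of the checks in this section (directory listing, xmlrpc.php still reachable, REST user enumeration, the ?author=N redirect, security headers, the version leak, cookie flags and exposed files) have the same shape: request one path and inspect the status, headers and body. The Python below is an added example, not RankPlus code, that implements that logic against constructed responses so it runs offline. The `Response` class, the finding strings and the sample site are assumptions; the marker strings it looks for (the "XML-RPC server accepts POST requests only" banner, the "Index of /" title, the "ref: refs/heads/" line) are what an unhardened WordPress, a web server with autoindex on, and an exposed git checkout actually return.

```python
import json
import re
from dataclasses import dataclass, field

@dataclass
class Response:
    """Stand-in for one HTTP response (constructed; nothing is fetched)."""
    path: str
    status: int
    headers: dict = field(default_factory=dict)      # header names lower-cased
    body: str = ""
    set_cookies: list = field(default_factory=list)  # raw Set-Cookie values

SECURITY_HEADERS = ("strict-transport-security", "x-frame-options",
                    "x-content-type-options", "referrer-policy", "content-security-policy")
# Exposed-file paths with a string that proves the body is the real thing.
SENSITIVE_MARKERS = {"/.git/HEAD": "ref: refs/heads/", "/.env": "DB_PASSWORD",
                     "/wp-config.bak": "DB_PASSWORD"}

def directory_listing_exposed(r):
    return r.status == 200 and "<title>Index of /" in r.body

def xmlrpc_reachable(r):
    # A server-level block answers 403/404/410. WordPress itself answers a GET
    # with 405 plus this banner, so either signal means the file still responds.
    return r.status == 405 or "XML-RPC server accepts POST requests only" in r.body

def rest_users_enumerable(r):
    """Slugs that an unauthenticated GET /wp-json/wp/v2/users hands out."""
    try:
        users = json.loads(r.body) if r.status == 200 else []
    except ValueError:
        return []
    return [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]

def author_redirect_leaks(r):
    # /?author=N redirects to /author/<nicename>/ and the nicename defaults to
    # the login name, so the redirect target is the username.
    m = re.search(r"/author/([^/?#]+)/?", r.headers.get("location", ""))
    return m.group(1) if r.status in (301, 302) and m else None

def missing_security_headers(r):
    return [h for h in SECURITY_HEADERS if h not in r.headers]

def weak_session_cookies(r):
    """{cookie name: [missing flags]} for the WordPress auth cookies only."""
    weak = {}
    for raw in r.set_cookies:
        name = raw.split("=", 1)[0].strip()
        if not name.startswith(("wordpress_logged_in_", "wordpress_sec_")):
            continue
        attrs = [a.strip().lower() for a in raw.split(";")[1:]]
        missing = [f for f, ok in (("Secure", "secure" in attrs), ("HttpOnly", "httponly" in attrs),
                   ("SameSite", any(a.startswith("samesite=") for a in attrs))) if not ok]
        if missing:
            weak[name] = missing
    return weak

def version_leaked(r):
    m = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', r.body)
    return m.group(1) if m else None

def sensitive_file_exposed(r):
    marker = SENSITIVE_MARKERS.get(r.path)
    return r.status == 200 and marker is not None and marker in r.body

def audit(responses):
    """Run every check over a list of Response objects; returns finding strings."""
    findings = []
    for r in responses:
        if directory_listing_exposed(r):
            findings.append(f"directory listing at {r.path}")
        if r.path == "/xmlrpc.php" and xmlrpc_reachable(r):
            findings.append("xmlrpc.php still reachable")
        if r.path.startswith("/wp-json/wp/v2/users"):
            findings += [f"REST leaks user '{s}'" for s in rest_users_enumerable(r)]
        if r.path.startswith("/?author=") and author_redirect_leaks(r):
            findings.append(f"?author= redirect leaks '{author_redirect_leaks(r)}'")
        if r.path == "/":
            findings += [f"missing header {h}" for h in missing_security_headers(r)]
            if version_leaked(r):
                findings.append(f"version leaked: {version_leaked(r)}")
            for name, miss in weak_session_cookies(r).items():
                findings.append(f"cookie {name} lacks {'/'.join(miss)}")
        if sensitive_file_exposed(r):
            findings.append(f"sensitive file exposed: {r.path}")
    return findings

# Constructed responses imitating an unhardened site; not captured from a real host.
SAMPLE = [
    Response("/wp-content/uploads/", 200, body="<html><title>Index of /wp-content/uploads/</title>"),
    Response("/xmlrpc.php", 405, body="XML-RPC server accepts POST requests only."),
    Response("/wp-json/wp/v2/users", 200, {"content-type": "application/json"},
             '[{"id": 1, "name": "Site Admin", "slug": "admin"}]'),
    Response("/?author=1", 301, {"location": "https://example.test/author/admin/"}),
    Response("/", 200, {"x-frame-options": "SAMEORIGIN"},
             '<meta name="generator" content="WordPress 6.4.2" />',
             ["wordpress_logged_in_abc=1%7Cdeadbeef; path=/; HttpOnly"]),
    Response("/.git/HEAD", 200, body="ref: refs/heads/main\n"),
]
```

Two details worth noting when reading the results. The xmlrpc.php check treats a 405 as a failure on purpose: that status is WordPress answering, which is exactly the "disabled inside WordPress but still reachable" state described above. The cookie check reports a missing SameSite on a default install because core sets HttpOnly on its auth cookies, sets Secure only when the site is served over HTTPS, and leaves SameSite to the web server or a plugin.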
SEO
- Canonical URL on the Homepage: Why It Matters and How to Verify It A single canonical tag on the homepage consolidates Google signals to one URL and prevents ranking dilution across variants.
- Discourage Search Engines: How One Checkbox Kills All Your SEO A single checkbox in Reading settings can erase your site from Google entirely. How to detect, fix and verify.
- Valid JSON-LD: Structured Data That Drives Rich Results in Google JSON-LD describes your content to Google and unlocks rich results - significantly higher click-through rates.
- Open Graph and Twitter Cards: Controlling How Shares Look on Social OG and Twitter Card tags control how shares render on Facebook, LinkedIn, WhatsApp, and Twitter. Without them, every share looks flat.
- Permalinks: URL Structure That Speaks to Google and Users The permalink structure shapes every URL - and the default "Plain" setting hurts both SEO and UX.
- robots.txt: Controlling What Google Crawls on Your Site robots.txt directs bots where to go and where not. Without it or misconfigured, you waste crawl budget and expose internal paths.
- Site Icon (Favicon): Your Brand's First Impression in Browser Tabs The favicon is the small icon in browser tabs. Without one, the site looks unfinished and is hard to find in bookmarks.
- Sitemap in robots.txt: A Small Signal With Big Impact A Sitemap: line in robots.txt helps every bot discover the sitemap automatically - not just Google.
- WordPress Tagline: The Signal That Travels Everywhere The tagline shows up in title tags, meta description, RSS, and og: tags. The default "Just another WordPress site" is a disaster.
- Trailing Slash: URL Consistency That Prevents Duplicate Content Trailing slashes must be consistent. Otherwise Google sees /page/ and /page as two separate URLs with identical content.
- Viewport Meta: The One-Line Tag That Makes Your Site Mobile-Friendly Without a viewport tag, mobile renders the page as if it were a 980px screen - tiny text and Google flags it Not mobile-friendly.
- XML Sitemap: The Declaration That Speeds Up Indexing An XML sitemap lists every URL you want Google to crawl. With it, new posts get indexed within hours.
- SEO Title Length: The 50-60 Character Range That Doubles CTR Google cuts the title off at a pixel width in results, which works out to roughly 50-60 characters. Long titles truncate, short ones waste space. The sweet spot is 50-60.
- Duplicate SEO Titles and Descriptions: How Keyword Cannibalization Hurts Rankings Multiple pages sharing the same title or meta description make Google split signals and surface the wrong page.
- Missing H1 on the Homepage: SEO and Accessibility Impact The H1 tag is a page's main heading and a primary topic signal. A homepage without an H1 looks unfocused.
- Multiple H1 Tags on One Page: Semantic Confusion and Signal Dilution Multiple H1s confuse Google - the algorithm cannot tell which one represents the main topic.
- HTML Sitemap: User Navigation and Internal Linking Boost An HTML sitemap complements the XML one - it serves humans, helps internal linking, and improves user experience.
- XML Sitemap: The Official Declaration of Your Pages to Google An XML sitemap accelerates Google's discovery of new content from days to hours. Without one, Google relies on internal links only.
- Noindex Pages Inside sitemap.xml: A Logical Conflict That Wastes Crawl Budget A noindex page listed in sitemap.xml sends Google contradictory signals and erodes trust in the entire sitemap.
- Posts Without a Featured Image: Sharing and Discover Impact A post without a featured image looks weak in archives, RSS, and social shares. Google Discover filters it out.
- WordPress Date and Time Format: SEO and UX Impact An undefined or broken date format breaks structured data fields, RSS feeds, and how Google renders search results.
- Empty Categories and Tags: The Thin Content Risk in WordPress Archives Taxonomies with no posts produce empty archive pages that Google flags as low quality - hurting the entire domain.
- Homepage Title Tag: The Strongest Signal on Your Most Important Page The homepage title tag determines your search-result headline and directly impacts rankings, CTR, and brand recall.
- Hreflang Tags: Managing a Multilingual Site Correctly Hreflang tags tell Google which language version to serve each user. Errors cause duplicate content and wrong-language results.
- Stale Top Content: Refreshing Popular Posts to Defend Rankings Popular posts not refreshed in 18+ months lose rankings. Updating dates, adding info, and improving examples lifts rankings back.
- Images Without Width and Height: Core Web Vitals and CLS Impact Images without explicit dimensions cause Cumulative Layout Shift - a Core Web Vitals metric Google uses for ranking.
- Broken og:image: When Social Shares Lose Their Preview The og:image tag declares the social preview image. When broken, every share looks flat and loses CTR.
Performance
- WordPress Heartbeat API: Why It Slows Admin and How to Throttle It Correctly Heartbeat fires admin-ajax every 15-60 seconds from every open tab. Throttle it without breaking autosave.
- HTTP/2 and HTTP/3 on WordPress: Why a Modern Protocol Is Critical for Load Times HTTP/2 saves dozens of round-trips on a page with 50+ assets. Make sure the site truly runs on it - not legacy HTTP/1.1.
- Object Cache on WordPress: Why Redis/Memcached Triple Your Site Speed A persistent object cache keeps the results of database queries and other expensive lookups in memory across requests instead of recomputing them on every page view. On WooCommerce this is a 5x throughput improvement at peak traffic.
- PHP OPcache: Why It Is Mandatory on Every WordPress Site and How to Tune It OPcache keeps compiled PHP bytecode in memory, so scripts are compiled once instead of on every request, typically cutting 30-60% off execution time. Set it up correctly.
- Page Cache on WordPress: The Difference Between 50ms and 500ms on Every Request Page cache stores ready HTML so WordPress never runs for cached visitors - the single biggest impact on site speed and traffic capacity.
- PHP memory_limit on WordPress: What It Should Be and How to Raise It Correctly Insufficient memory_limit causes random crashes. How to raise it on any host and what value is realistic.
- WP-Cron vs System Cron: Why to Switch and How to Do It Without Breaking Jobs WP-Cron only fires when a visitor lands on the site - unreliable in production. Move scheduled jobs to a real system cron.
- WordPress Image Optimization: Cut Weight Without Sacrificing Quality Images make up 60-80% of page weight. Proper optimization saves megabytes with no visible quality loss.
- Heavy Autoload Options in WordPress: Detect, Fix, and Prevent Slowdowns Heavy autoload options in wp_options slow every request. Learn how to detect, clean, and prevent regression.
- Image Lazy-Loading Rate in WordPress: Diagnose Issues and Fix Without Breaking LCP WordPress applies native lazy loading since 5.5, but plugins and themes often break it. How to diagnose and fix.
- WordPress Autoload Size: Why It Is Critical for Performance and How to Shrink It Keeping total autoload weight in wp_options under 1MB is a real performance target. How to measure, clean, and keep it down.
- Post Revisions in WordPress: Why They Bloat the Database and How to Limit Them Safely A post edited 80 times leaves 80 redundant rows. Limit future revisions and clean existing ones safely.
- PHP Version on WordPress: Why 8.2/8.3 Is Mandatory and How to Upgrade Safely PHP 8.2 is 30-40% faster than 7.4. EOL versions are a security exposure. Upgrade without surprises.
- HTTP Compression (gzip/Brotli) on WordPress: Why It's Mandatory and How to Enable It Right gzip or Brotli compression shrinks HTML/CSS/JS by 60-80% and slashes load times, especially on mobile. Here's how to enable it correctly.
- The Biggest Autoload Option: Find and Neutralize the Single Worst Offender When a single autoload option weighs hundreds of KB it slows every request on its own. Find the offender and neutralize it safely.
- Migrate MyISAM to InnoDB: Why It's Mandatory and How to Do It Safely MyISAM is a legacy storage engine with table-level locks and no transactions. Here is how to migrate to InnoDB without data loss.
- Disabling WordPress Emoji Scripts: Why It Matters and How to Do It Right wp-emoji injects 13KB of render-blocking JS on every page - useless on modern devices. Remove it cleanly and quickly.
- How Many Plugins Is Too Many? Balancing Features and Performance on WordPress 40+ plugins slow every request. But it is not the count alone - it is which plugins. Here is how to balance.
- Third-Party Scripts on WordPress: How GA, Pixel, and Chat Slow the Site and What to Do Every third-party script adds a DNS lookup, a TCP and TLS handshake and a download before it runs. Ten of them can add seconds on a slow connection. Consolidate and defer.
- Modern Image Formats on WordPress: Move to WebP and AVIF for 30-50% Savings JPG and PNG waste 30-50% of bytes. WebP and AVIF are supported by every modern browser - here is how to migrate.
- Spam Comments and Trashed Posts: Why They Slow the Database and How to Clean Safely Spam comments, trashed posts, and orphaned meta bloat the database and slow queries. Clean them without touching live content.
- Heavy uploads Folder on WordPress: Why It Is Not Just "Disk Space" and How to Shrink It An uploads folder above 2GB creates backup, migration, and cost issues. Clean it without breaking image links.
Accessibility
- HTML5 Landmarks: header, nav, main and footer for Screen Reader UX Semantic landmarks let blind users jump straight to main content. Here is how to replace divs with real HTML5 landmarks in your theme.
- Skip Link in WordPress: Jump to Main Content with One Tab Press A skip link lets keyboard users bypass repeated navigation. Here is how to add it to your theme with CSS that reveals only on focus.
- Heading Hierarchy in WordPress: H1-H6, Document Outline and Screen Readers Broken headings confuse screen readers and hurt SEO. Here is how to build a clean outline: one H1, gradual descent and WAVE verification.
- RankPlus Accessibility Widget: What It Does and What It Doesn't An accessibility widget lets visitors customise the experience - but does not replace accessible code. Here is how to enable it and what else is needed.
- Image Alt Text in WordPress: Accessibility, SEO and Practical Coverage An image without alt text blocks screen readers and hurts SEO. Here is how to add descriptions, separate content from decoration and reach full coverage.
- Video Captions in WordPress: Accessibility, Silent Viewing and SEO A video without captions blocks deaf users and loses silent viewers. Here is how to add VTT files, enable auto-captions and lift overall accessibility.
- Focus Outline in WordPress: Why You Must Never Hide It outline:none on focus makes keyboard navigation impossible. Here is how to bring focus visible back with modern CSS without breaking design.
- Generic Link Text in WordPress: Why "Click Here" Breaks A11y and SEO "Read more" and "click here" mean nothing to a screen reader or to Google. Here is how to replace them with descriptive text without breaking design.
- html lang Attribute in WordPress: Language for Screen Readers and SEO Without lang="en", screen readers mispronounce content and SEO loses context. Here is how to ensure the attribute is correct on every page.
- Form Labels in WordPress: Why label Beats placeholder Every Time An unlabelled input is not accessible. Here is how to link a label to every input, when to use aria-label and why placeholder is never enough.
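Several of the on-page SEO checks above (canonical tag, noindex pages listed in the sitemap, viewport meta, H1 count) and several accessibility checks (html lang, image alt text, generic link text) are one operation: parse the page and count the tags. The Python below is an added example, not RankPlus code, that does this with the standard-library HTML parser over a constructed homepage; the finding strings, the list of generic link phrases and the sample markup are assumptions.

```python
from html.parser import HTMLParser

GENERIC_LINK_TEXT = {"click here", "read more", "here", "more", "learn more"}

class PageSignals(HTMLParser):
    """Collects the tags the checks care about; nothing is rendered."""
    def __init__(self):
        super().__init__()
        self.lang = None
        self.canonical = []
        self.viewport = False
        self.noindex = False
        self.h1 = 0
        self.images = 0
        self.images_without_alt = 0
        self.generic_links = []
        self._link_text = None      # collecting text while inside <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "html":
            self.lang = a.get("lang")
        elif tag == "link" and (a.get("rel") or "").lower() == "canonical":
            self.canonical.append(a.get("href"))
        elif tag == "meta":
            name = (a.get("name") or "").lower()
            if name == "viewport":
                self.viewport = True
            if name == "robots" and "noindex" in (a.get("content") or "").lower():
                self.noindex = True
        elif tag == "h1":
            self.h1 += 1
        elif tag == "img":
            self.images += 1
            # alt="" is correct for decorative images; a missing attribute is the defect.
            if a.get("alt") is None:
                self.images_without_alt += 1
        elif tag == "a":
            self._link_text = []

    def handle_data(self, data):
        if self._link_text is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link_text is not None:
            text = " ".join("".join(self._link_text).split()).lower()
            if text in GENERIC_LINK_TEXT:
                self.generic_links.append(text)
            self._link_text = None

def audit_page(html, listed_in_sitemap=False):
    """Return finding strings for one page's HTML."""
    p = PageSignals()
    p.feed(html)
    p.close()
    findings = []
    if not p.lang:
        findings.append("html lang attribute missing")
    if len(p.canonical) != 1:
        findings.append(f"{len(p.canonical)} canonical tags (expected 1)")
    if not p.viewport:
        findings.append("viewport meta missing")
    if p.h1 != 1:
        findings.append(f"{p.h1} H1 tags (expected 1)")
    if p.images_without_alt:
        findings.append(f"{p.images_without_alt} of {p.images} images without alt")
    findings += [f"generic link text '{t}'" for t in p.generic_links]
    if p.noindex and listed_in_sitemap:
        findings.append("noindex page listed in sitemap.xml")
    return findings

# Constructed homepage with several defects (not taken from a real site).
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="canonical" href="https://example.test/">
<link rel="canonical" href="https://example.test/?utm_source=x">
<meta name="robots" content="noindex, nofollow">
</head><body>
<h1>Example Site</h1><h1>Just another WordPress site</h1>
<img src="hero.jpg"><img src="divider.png" alt="">
<a href="/post/">Read more</a> <a href="/about/">About the team</a>
</body></html>"""
```

The sitemap conflict needs a second input (whether the URL appears in sitemap.xml), which is why `audit_page` takes `listed_in_sitemap` rather than inferring it: a noindex page on its own is a deliberate choice, and only the combination is the finding.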
Maintenance
- Expired Transients in the DB: Cleanup, Optimisation and Hygiene Expired transients are only swept by a daily WP-Cron event, so wherever WP-Cron is unreliable they accumulate, and transients created without an expiry are never removed at all. Here is how to clean thousands of dead rows from wp_options and keep the DB lean.
- Missed WP-Cron Events: Diagnosing Stuck Hooks and Recovering Jobs When WP-Cron events go unrun for over a day, backups stop, emails stall and sync jobs fail. Here is how to find the stuck hook and bring it back.
- WordPress Backup Strategy: A Complete Setup and Recovery Guide A WordPress site without backups is a ticking bomb. Here is how to set up reliable off-site backups, test restores and avoid total data loss.
- Stale doing_cron Transient: Releasing the WP-Cron Lock When the doing_cron transient stays locked, every scheduled task stops. Here is how to clear it and find the root cause.
- WP-Cron Status: Why to Disable It and Move to System Cron Internal WP-Cron does not run on schedule. Here is how to disable it, set up a server cron and finally get reliable timing.
- Dormant WordPress Users: Safe Cleanup and a Preventive Policy Subscriber accounts dormant for years are an attack vector. Here is how to identify them, delete safely and define an ongoing policy.
- Server Clock Drift on WordPress: Causes, Impact and NTP Fix When the server clock drifts, scheduled posts publish at the wrong time, API signatures fail and logs mislead investigations. Here is how to fix it.
- WordPress Database Upgrade: When, Why and How to Run It Safely After a core update the database schema must be upgraded too. Here is how to run upgrade.php or wp core update-db safely, with a backup and a check.
- Missed Scheduled Posts: Causes, Quick Fix and Root-Cause Solution A scheduled post that did not publish is a symptom of WP-Cron not firing on time. Here is how to ship it now and stop it from recurring.
- Missing .htaccess on Apache: Consequences and Rewriting It On Apache without .htaccess, permalinks return 404 and security headers vanish. Here is how to restore the file with the right rules.
- A Bloated WordPress debug.log: Tracking the Source and Cleaning Up A huge debug.log means the site is leaking PHP errors. Here is how to find the offending plugin or theme and stop them coming back.
- Inactive WordPress Themes: Why Leaving Them Hurts An unused theme is still code on the server: its files stay reachable, it still needs security updates, and it is editable from wp-admin unless the file editor is disabled. Here is how to keep only what you need and remove the rest.
- Duplicate WordPress Plugins: Why It Hurts and How to Pick One Two SEO plugins, two cache plugins or two security plugins fight for the same resources. Here is how to find the duplicates and pick one.
- Inactive WordPress Plugins: Security Risk and Removal Guide An inactive plugin is code on the server that can still be exploited. Here is how to decide what to remove and do it safely.
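The autoload checks in the Performance section above (total autoload weight, the single biggest option) and the expired-transient check in this section are all queries against wp_options. The Python below is an added example, not RankPlus code: it runs those queries against an in-memory SQLite copy of the wp_options schema filled with constructed rows, so it works offline. The row names and sizes are invented, the table is a stand-in, and the SQL is written to run unchanged on MySQL (where `LENGTH` counts bytes and backslash is already the LIKE escape character) once the table prefix matches.

```python
import sqlite3

# WordPress before 6.6 stored 'yes'/'no'; 6.6 added 'on', 'off', 'auto-on', 'auto-off'.
AUTOLOAD_ON = ("yes", "on", "auto-on")
AUTOLOAD_LIMIT = 1_000_000   # the 1MB target from the autoload-size check

def autoload_report(conn, prefix="wp_", top_n=5):
    """Total autoloaded bytes plus the heaviest single options."""
    marks = ",".join("?" * len(AUTOLOAD_ON))
    total = conn.execute(
        f"SELECT COALESCE(SUM(LENGTH(option_value)), 0) FROM {prefix}options "
        f"WHERE autoload IN ({marks})", AUTOLOAD_ON).fetchone()[0]
    top = conn.execute(
        f"SELECT option_name, LENGTH(option_value) FROM {prefix}options "
        f"WHERE autoload IN ({marks}) ORDER BY LENGTH(option_value) DESC LIMIT ?",
        (*AUTOLOAD_ON, top_n)).fetchall()
    return {"total_bytes": total, "over_limit": total > AUTOLOAD_LIMIT, "top": top}

def expired_transients(conn, now, prefix="wp_"):
    """Names of every *_transient_timeout_* row whose deadline has passed, each
    paired with the value row it guards. Transients created without an expiry
    have no timeout row and are never returned: they live until deleted."""
    rows = conn.execute(
        # '_' is a LIKE wildcard, so the literal underscores are escaped.
        f"SELECT option_name FROM {prefix}options "
        r"WHERE (option_name LIKE '\_transient\_timeout\_%' ESCAPE '\' "
        r"OR option_name LIKE '\_site\_transient\_timeout\_%' ESCAPE '\') "
        "AND option_value + 0 < ?", (int(now),)).fetchall()
    names = []
    for (timeout_name,) in rows:
        names += [timeout_name, timeout_name.replace("_timeout_", "_", 1)]
    return names

def delete_expired_transients(conn, now, prefix="wp_"):
    names = expired_transients(conn, now, prefix)
    conn.executemany(f"DELETE FROM {prefix}options WHERE option_name = ?", [(n,) for n in names])
    conn.commit()
    return len(names)

def build_sample_db(now):
    """In-memory wp_options with constructed rows (not a real site's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, "
                 "option_name TEXT UNIQUE, option_value TEXT, autoload TEXT)")
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)", [
        ("siteurl", "https://example.test", "yes"),
        ("plugin_scan_cache", "x" * 700_000, "yes"),        # the single worst offender
        ("theme_mods_example", "y" * 400_000, "on"),
        ("big_but_not_autoloaded", "z" * 2_000_000, "no"),  # loaded only on demand
        ("_transient_timeout_feed_cache", str(now - 86_400), "no"),
        ("_transient_feed_cache", "stale feed", "no"),
        ("_transient_timeout_fresh", str(now + 3_600), "no"),
        ("_transient_fresh", "still valid", "no"),
        ("_site_transient_timeout_update_check", str(now - 1), "no"),
        ("_site_transient_update_check", "stale", "no"),
    ])
    conn.commit()
    return conn
```

On a site with a persistent object cache, transients live in Redis or Memcached rather than wp_options, so these rows are only the leftovers from before the cache was enabled; and on a real database take a backup before running the delete, as the articles above say.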
Dashboard
- 30-Day Uptime SLA: Diagnosing Downtime and Climbing Back to 99.9% An uptime below 99.9% means more than 43 minutes of downtime per month. Here is how to read the logs, find the cause and prevent recurrence.
- Domain Expiry: What To Do When RankPlus Warns It's Close An expired domain wipes the site off the internet. Here is how to renew, enable auto-renew and prevent domain squatting.
- SSL/TLS Certificate Expiry: Why Let's Encrypt Stopped Renewing An expiring SSL certificate triggers a red browser warning. Here is how to find why auto-renew failed and renew immediately.