How I optimised my WordPress site to load in 600ms

Since building my new Blog site, I have been massaging, testing, and tweaking to get every ms of performance out of it. I’ve managed to optimise it down to around 600ms, which is faster than 95% of websites online.

The site is built on WordPress 5 and runs on a small VPS with 2 vCPU’s and 4GB of RAM at Expeed.

I’ve always hesitated to use WordPress for my Blog. In my day job, I see a lot of poorly managed WordPress sites that run slowly and regularly get hacked.

Unfortunately, it’s the pre-eminent tool for a blog like this one, so I wanted to learn more about it and try to tame it for myself.

WordPress is ubiquitous on the web. Reports put it at powering around 25% of websites currently online.

A large part of the success of WordPress can be attributed to its massive plugin repository. Currently around 45,000 plugins exist that provide every type of functionality imaginable.

So much choice brings with it a level of complexity for the website builder. There are always multiple plugins that can solve the problem you have.

But not all plugins are created equal. Just because you can find a plugin that does what you want, doesn’t mean it’s the right plugin to use. You need to consider a few other factors.

Factors when choosing plugins

Security

As well as being the most popular Content Management System (CMS) on the internet, it’s also the most targeted. Malicious actors are constantly looking for holes in plugins and themes to exploit.

I would recommend you have a look over at https://wpvulndb.com/ to check known vulnerabilities for each of your plugins.

New vulnerabilities are being discovered every day, so you should ALWAYS keep your WordPress version, as well as theme and plugin versions up to date. I’ll talk more about this when I talk about the Wordfence plugin below.

Performance

Every plugin you add to your WordPress install will slow it down to some respect. It’s more lines of code to execute and potentially more database calls to make. While some, like caching plugins, will help the performance of your site, most others will slow it down.

It’s important to understand though, plugins can have a two-fold impact on performance. Firstly, in the generation of the original html file that is sent to the browser, then again on the client side if that plugin inserts CSS or Javascript into your page.

I typically use a tool like GTMetrix to test the speed of the site before and after enabling a plugin, or making significant changes, so I can see if the plugin does something to dramatically change the site performance.

A perfect example of this was a seemingly innocuous plugin used to specify a default featured image changed my site from loading in 600-700ms to over 3 seconds. Needless to say, that plugin was deactivated and deleted rather swiftly.

Finally, functionality

In my opinion, only once you have checked off the two items above, security and performance, should you use a tool that provides the functionality you require. When adding plugins, look at the number of active installs, and try to stick to plugins on the popular, or recommended list. I’ve listed out the plugins I use below. Not all are related to performance, but I’ve followed the path above of ensuring security and performance were primary considerations when choosing.

Choose your hosting wisely

Before we get to the plugins though, I want to talk about Hosting. Good hosting is critical to your website, whether it runs WordPress or not. Be sure to select a fast reliable host with good support. With hosting providers, you typically get what you pay for, so selecting the cheapest option often leads you slow servers, poor support, or both.

I work for Expeed in Australia and host my site with them as I mentioned, on a fairly small VPS. We provide fast, reliable Windows and Linux hosting and virtual servers, so please give us a try, especially if you’re in Australia.

HTTPS and Security

When setting up a new WordPress site in 2019, the first thing before even installing WordPress is to configure SSL on your hosting space.

This will vary between hosts, but your host should be able to assist you if you’re not sure how. If your host doesn’t provide SSL, or give you the Hosting option to add an SSL certificate, you can always set up a free Cloudflare account and get free SSL provided by them.

Having your SSL configured first saves the headache of having to change your configuration later, and means that your site is secure right from the start.

Really Simple SSL

Once your SSL is configured and WordPress is installed, I recommend installing Really Simple SSL. This plugin has very simple settings and helps ensure that you don’t end up with redirect or mixed mode content issues.

Wordfence

The other important security-related plugin to install is Wordfence. Wordfence provides free and premium options. I run just the free module as it provides a great basic level of security.

Out of the box you get a Firewall and Security issue scanner and the setup wizard is very simple to configure.

One of the great features of Wordfence is that it will email you if it detects anything it deems important, for instance, an Admin user logs in to your site, or a WordPress, theme, or plugin update that’s available. I advise keeping an eye out for these emails and actioning them ASAP.

[su_box title=”IMPORTANT” box_color=”#222″]

ALWAYS have a backup strategy for your website. Understand what backups your web host is taking, if any, on your behalf. I strongly recommend that you keep both regular scheduled backups, as well as, take manual backups prior to performing any upgrade, no matter how small. For more info on backups, see the VaultPress plugin information below.

[/su_box]

The dashboard gives you some basic information with just enough subtle hints (like only showing you have ~60% protection unless you upgrade) that you should pay for their premium product.

JetPack

Jetpack is a great plugin suite that incorporates Themes, Performance, Security, Traffic, and Site Activity for free.

They also offer premium packages that provide additional tools like Backup, Premium Themes, Social Media Automation, Malware scanning, an Advertising network, and SEO tools. I’m currently paying for the Premium plan because I wanted the backup and social media automation tools primarily.

Jetpack has a number of plugins that make up the suite. These are the ones I’ve installed.

Askimet Anti-Spam

If you plan to use the built-in commenting engine over an external tool like Disqus, you will want to enable Akimet Anti-Spam. Login to their site and get an API key and add it to the Askimet settings. This tool does a great job at removing the bulk of comment spam that you get to your site.

VaultPress

VaultPress is JetPack’s real-time backup and automated security scanning plugin. Once set up, it’s basically just taking care of itself, taking daily, or real-time backups of the site as you make changes. In addition, they have a nice dashboard that gives you visibility of your backups and security scans.

Images

There are a large number of image compression tools for WordPress. I’ve found that a number of the most popular ones really didn’t provide the level of compression that they claim.

One of the most commonly recommended tools compressed a large jpg from 900Kb to 750Kb, however, when I put the same 900Kb jpg through https://tinypng.com/ it shrunk it down to 350Kb.

I ended using reSmush.it as it was the only one that really compressed the files down to a level I was happy with. In fact, after compressing the images with reSmush.it, I got a perfect score on tinypng’s image test site.

Add to this the fact that I couldn’t see any difference in the images, I was happy.

SEO

There are a few SEO tools for WordPress, but the most popular has to be Yoast SEO. Yoast is an excellent tool that helps you configure important SEO fields like title, description and keywords, but also analyses your post for readability and gives you tips to maximise for your keywords. You can also see and edit the way snippets show for your posts in Google. I have been finding this plugin invaluable when writing my posts.

Utility Plugins

I have a few “utility” plugins that i think are worth a mention. Redirection, Disable Emojis (GDPR friendly) and Shortcodes Ultimate are great tools you can add to your site.

Redirection as you may suspect, manages redirects including 404’s.

Disable Emojis (GDPR friendly) removes a few annoying extra files that WordPress outputs in its markup to support emoji’s.

Shortcodes Ultimate provides a number of code shortcodes to add to your content to add some extra functionality. The IMPORTANT box above that talks about backups uses a shortcode for example.

Caching

I’ve purposely left caching to last as it should be the very plugin that you implement on your site. The reason for that is that it can hide performance issues that you should otherwise be investigating and resolving. Get your site running as optimally as possible, then add caching.

I tried about 4 different caching tools and at the moment have settled on W3 Total Cache. It’s very configurable if you understand what each setting does. If your new to WordPress, or aren’t sure what all the settings mean, perhaps start with once of the more basic caching tools. If you’ve followed my advice above and chosen your theme and plugins wisely, then even the most basic of caching plugins will provide an excellent performance boost to your site.

In summary

To close out this post that turned out a lot longer than I first envisioned, the point I have tried to get across is that performance is critical. There isn’t much point your site looking amazing with huge photos and all the bells and whistles if it’s slow. If it’s slow, Google will rank you poorly, and visitors will get frustrated with long page load times and leave.