Monday, 12 May 2025

Security Hardening for WP Theme Development

Below is a checklist of hardening, cleanup, and performance tweaks you can apply in your theme’s functions.php (or better yet, a small “theme-utilities” plugin). Feel free to cherry-pick what fits your project.


1. Secure the Theme

1.1 Hide WordPress Version

Expose as little as possible; stripping version numbers helps thwart scripted exploit scans.

// Remove version from <meta> generator tag
add_filter( 'the_generator', '__return_empty_string' );

// Remove version query parameter from enqueued CSS/JS
function remove_wp_version_param( $src ) {
    // strpos() returns 0 when the match sits at offset 0, so compare against false
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'remove_wp_version_param' );
add_filter( 'script_loader_src', 'remove_wp_version_param' );

1.2 Disable XML-RPC

If you aren’t using remote publishing or Jetpack, turn this off.

// Completely disable XML-RPC
add_filter( 'xmlrpc_enabled', '__return_false' );

// Optionally block access at .htaccess:
// <Files xmlrpc.php>
//     Order Deny,Allow
//     Deny from all
// </Files>

1.3 Lockdown REST API

If you only need it for logged-in users:

add_filter( 'rest_authentication_errors', function( $result ) {
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to access the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
});
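
The blanket rule above also turns away anonymous requests to routes you may want public (the oEmbed endpoint, a theme's own contact-form route). The following allow-list variant, added here as an example and not part of the original checklist, lets anonymous callers reach only listed route prefixes and requires a logged-in user for everything else; the two prefixes in `theme_public_rest_route_prefixes()` are hypothetical placeholders, and the route is read from the `rest_route` query var that WordPress sets when routing a REST request.

```php
<?php
// Added example: route allow-list variant of the REST API lockdown.
// Anonymous requests may reach only the prefixes listed below; all other
// routes require a logged-in user (cookie + nonce, application password, ...).

function theme_public_rest_route_prefixes() {
    return array(
        '/contact/v1/',       // hypothetical: the theme's own public contact-form endpoint
        '/oembed/1.0/embed',  // lets other sites embed your posts
    );
}

function theme_current_rest_route() {
    // WP::parse_request() stores the requested route in query_vars['rest_route']
    // for both pretty (/wp-json/...) and plain (?rest_route=...) URLs.
    // An absent value yields '/', which matches no listed prefix and is denied.
    $route = $GLOBALS['wp']->query_vars['rest_route'] ?? '';
    return '/' . ltrim( untrailingslashit( (string) $route ), '/' );
}

function theme_restrict_rest_api( $result ) {
    // Another callback already authenticated the request (true) or rejected it (WP_Error).
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result;
    }
    $route = theme_current_rest_route();
    foreach ( theme_public_rest_route_prefixes() as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result; // explicitly public route: leave it open
        }
    }
    return new WP_Error(
        'rest_not_logged_in',
        'You must be logged in to access this REST API route.',
        array( 'status' => 401 )
    );
}
add_filter( 'rest_authentication_errors', 'theme_restrict_rest_api' );
```

Note that a logged-in browser request without a valid REST nonce is treated by core as anonymous, so front-end scripts calling protected routes must still send `X-WP-Nonce`.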

1.4 Disable File Editing in Dashboard

Prevents execution of arbitrary PHP via Appearance → Editor.

// In wp-config.php, set:
define( 'DISALLOW_FILE_EDIT', true );

2. Remove Unnecessary Features

2.1 Disable Emojis

Emojis add extra JS/CSS on every page.

function disable_wp_emojicons() {
    remove_action( 'wp_head',      'print_emoji_detection_script', 7 );
    remove_action( 'wp_print_styles', 'print_emoji_styles' );
    remove_filter( 'the_content',  'wp_staticize_emoji' );
    remove_filter( 'the_excerpt','wp_staticize_emoji' );
    remove_filter( 'comment_text','wp_staticize_emoji_for_comment' );
}
add_action( 'init', 'disable_wp_emojicons' );

2.2 Disable Embeds

Prevent auto-embedding others’ content and the extra JS.

function disable_wp_embeds() {
    remove_action( 'rest_api_init',        'wp_oembed_register_route' );
    remove_filter( 'oembed_dataparse',     'wp_filter_oembed_result' );
    remove_action( 'wp_head',              'wp_oembed_add_discovery_links' );
    remove_action( 'wp_head',              'wp_oembed_add_host_js' );
    add_filter( 'embed_oembed_discover',  '__return_false' );
    add_filter( 'tiny_mce_plugins', function( $plugins ) {
        return array_diff( $plugins, ['wpembed'] );
    });
}
add_action( 'init', 'disable_wp_embeds', 9999 );

2.3 Deregister Unused Scripts/Styles

If you don’t use the block editor or certain features:

function dequeue_unused_assets() {
    if ( ! is_admin() ) {
        // Example: remove Gutenberg block front-end CSS
        wp_dequeue_style( 'wp-block-library' );
        wp_dequeue_style( 'wp-block-library-theme' );
    }
}
add_action( 'wp_enqueue_scripts', 'dequeue_unused_assets', 100 );

3. Improve Performance by Code

3.1 Leverage Browser Caching & Asset Versioning

Serve your own fingerprinted files.

// Enqueue with a file-modification timestamp
function theme_enqueue_assets() {
    $css_ver = filemtime( get_template_directory() . '/assets/css/style.css' );
    wp_enqueue_style( 'theme-style', get_template_directory_uri() . '/assets/css/style.css', [], $css_ver );
}
add_action( 'wp_enqueue_scripts', 'theme_enqueue_assets' );

3.2 Lazy-Load Images & Iframes

Use native lazy loading attributes.

add_filter( 'wp_get_attachment_image_attributes', function( $attr ) {
    $attr['loading'] = 'lazy';
    return $attr;
});
add_filter( 'iframe_embed_html', function( $html ) {
    return str_replace( '<iframe', '<iframe loading="lazy"', $html );
});

3.3 Limit Post Revisions & Heartbeat

Reduce DB bloat and AJAX churn.

// In wp-config.php:
define( 'WP_POST_REVISIONS', 3 );
define( 'AUTOSAVE_INTERVAL', 300 );  // seconds

// Throttle Heartbeat API:
add_filter( 'heartbeat_settings', function( $settings ) {
    $settings['interval'] = 60; // seconds
    return $settings;
});

3.4 Preload Key Assets

Tell browsers which resources are most important.

add_action( 'wp_head', function() {
    // Escape the URL before echoing it into a markup attribute
    echo '<link rel="preload" href="' . esc_url( get_template_directory_uri() . '/assets/fonts/your-font.woff2' ) . '" as="font" type="font/woff2" crossorigin>';
});

3.5 Database & Transient Cleanup

Purge expired transients on shutdown to keep the options table lean.

add_action( 'shutdown', function() {
    global $wpdb;
    // Delete only transients whose timeout has passed, together with their
    // matching _transient_timeout_ rows, so live transients and their
    // timeouts are left intact. SUBSTRING( ..., 12 ) strips the 11-character
    // '_transient_' prefix to recover the transient key.
    $wpdb->query( $wpdb->prepare(
        "DELETE a, b FROM {$wpdb->options} a, {$wpdb->options} b
         WHERE a.option_name LIKE %s
           AND a.option_name NOT LIKE %s
           AND b.option_name = CONCAT( '_transient_timeout_', SUBSTRING( a.option_name, 12 ) )
           AND b.option_value < %d",
        $wpdb->esc_like( '_transient_' ) . '%',
        $wpdb->esc_like( '_transient_timeout_' ) . '%',
        time()
    ) );
});

Final Tips

  • Code-split your JS (e.g. only enqueue block scripts on is_admin()).
  • Use a PSR-4 autoloader for your theme classes to speed up functions.php parsing.
  • Profile with Query Monitor (in dev) to catch slow queries or duplicated hooks.
  • Consider object-caching (Redis/Memcached) for high-traffic sites.
  • Minify and combine your CSS/JS via build tools (Webpack, Gulp, etc.) before enqueue.

By systematically removing unused bits, hardening endpoints, and optimizing asset delivery and database usage, you’ll have a leaner, more secure, and faster theme.
