Scott Robinson | SmallBiz.com

Managing images for a WordPress site
https://smallbiz.com/managing-images-for-a-wordpress-site/
Fri, 17 Jun 2022 15:01:26 +0000
Say cheese

Images enhance the user’s experience and help get a message across, all the merrier. But while it’s tempting to start throwing images everywhere, avoid rolling like a mad imagery scientist. With images, less is more. And a sound strategy for managing images on a WordPress site is key.

You have to remember that your WordPress site won’t load too well if you’ve just uploaded a 4MB hero image to your home page. That isn’t the best policy. So, what is the best practice for managing images for WordPress? Glad you asked!

Let’s take a little journey into the world of web images and WordPress, shall we?

First things first… getting the images

Before you start worrying about managing images for a WordPress site, you first must have images. Barring a photographer, a couple of great sources are iStock Photo and Getty Images, to name just two.

These online repositories were specifically created for folks that need one or more images for their brand or site.

With both repositories, there is a monthly or yearly fee for obtaining the image or images. And if you want to use some of the images for commercial use, the fees can get a little steep. But they both have millions of images to choose from.

Finally, if you’re on a budget, like the rest of us, there are royalty-free sites like Pixabay. On Pixabay, there are tons of images to choose from that are typically free to use, with no need for photo credits. (Although credits are a nice gesture and appreciated by the contributor.)

Where you don’t want to grab images from is Google.

Most of these images are copyrighted intellectual property. If you really need to use one of the images, you will need to try and contact the original creator of the image and then obtain the right to use said image.

This can be not only a long and painful process but could result in great expense. Using a copyrighted image, without permission, could land you in hot water with a cease-and-desist order. No one has time for that.

Image sizes

How big is too big? That is the question of the ages. Ideally, you take the original image and resize it externally, in an appropriate application, so that the large image is cut down to the actual dimensions at which it will be used on your website.

Most WordPress themes have set sizes for things like hero shots (the main image on a page) and other features. So, you should try to size your main image to the proper dimensions before uploading it. Never just upload a huge, unedited pic to your site and then rely on coding to resize it for you.

An image that is scaled down in the browser is still the large file that was uploaded. The visitor downloads the whole thing; it is just coded to display smaller.

So, you can have a 2,000 x 2,000-pixel image appear to be only 200 x 200 pixels on the screen. But it’s still the file size of the 2,000 x 2,000-pixel image! Now you have a massive load time on your website’s pages.

For the body images on a site's pages, you also should resize them to the appropriate size, which is usually much smaller than the hero shot. It is then acceptable to let the site's code generate the thumbnails for you, because these main body images are typically pretty small anyway.

Image editing

You have an image that you need to work with. Now what? Well, you will need to go in and resize and possibly clean up the image in question before you upload it to the WordPress site. Fortunately, there are many applications out there that can be used for this very task.

My personal go-to is Adobe Photoshop.

With Photoshop, you can edit and resize images to your heart’s content. It also has an amazing compression engine that can compress images into a multitude of web formats and makes them ready for upload.

That sounds fine and dandy, but what if I’m on a tight budget? Anything out there for free?

Again… glad you asked. There are free image editing websites out there. While not as powerful as Photoshop, they still have pretty amazing editing capabilities and even function in much the same way as Adobe’s star product.

One website I’ve used before is Pixlr. This is a totally free website that affords you a host of notable features for editing photos.

Once you’ve edited your image(s), you can save them to your local machine and then upload them to the WordPress site.

Another online image editing site is BeFunky. With BeFunky, you can edit images, too, but its editing capabilities are much simpler than Pixlr’s and far more limited than Photoshop’s. However, in a pinch, it’s still fun to work with.

Preferred compression and file formats

Once you have your image sized and edited, you will need to save it with the best compression and file format. The compression is, in part, what determines the file size. The format is the file type. Optimally, you want as small a file size as possible, and there are several file types to choose from.

For hero shots, you want to keep the file size down to under 1 MB — but that’s up for debate. For the main body images, you want to keep them down to only a few KB. This will ensure a fast load time for your pages. The file types commonly accepted online are:

  • PNG — Portable Network Graphics
  • JPEG — Joint Photographic Experts Group
  • WebP — Pronounced “Weppy,” a raster image format

For images that need a transparent background, PNG is great. But with transparency comes a slightly larger file size. JPG or JPEG files are good for compressed images, but you get some quality loss when you really need to compress them a great deal.

WebP is a newer file type, developed to get a small file size while keeping much of the original image quality. However, not all hosting plans come equipped to handle this file type yet — at least not without an image library such as ImageMagick and its PHP extension installed.

Displaying images on your site

Now that you have images resized and uploaded, you’ll want to be able to make these images load as fast as possible. Even though you’ve crunched the image down, a little more smooshing is still a good idea. There are several plugins on the market that can help you with managing images for the WordPress site:

  • Smush — This is the most popular, award-winning (and not to mention free) WordPress image compression plugin. It uses the latest image data compression algorithms, known as lossless compression, which remove unused data and compress images without losing any quality. I have personally used this one, with great success.
  • EWWW Image Optimizer — This is among the best WordPress image compression plugins. It helps to reduce your website’s bandwidth by optimizing images. A primary feature of this plugin is that it has no speed limits and unlimited file-size support (up to 150 MB).
  • ShortPixel Image Optimizer — ShortPixel is another excellent WordPress image optimizer with a great interface. It’s fast, easy on the eyes, and has some fantastic features.
  • Optimus — If bandwidth is your primary concern, this is the best plugin for you because it reduces the image size up to 70%, depending upon the file format, of course.
  • Imagify — This is a premium WordPress plugin meant to optimize your images to speed up website load times. It’s designed to handle everything for you, automagically. It is set up to run when you upload each new image. This way, you can optimize everything in one go.

Ok. You’ve edited your images, crunched and saved them, and then uploaded and smooshed them further. Now what? Now you have to display your images. By default, your theme will display images throughout the site in a certain way. But if you have the need for an image gallery, then you might want to consider these plugins:

  • Modula — This plugin allows you to create pretty and responsive grid-style galleries with very little configuration. It’s compatible with the Block Editor, Beaver Builder, and Elementor.
  • NextGEN Gallery — NextGEN has been around the block for quite some time. Thus, it is typically the go-to plugin for most people. It is highly customizable and has great functionality. It’s a favorite for photographers and folks who work with images as a career.
  • Envira Gallery — This one comes in a lite version and a premium (paid) version. The features are more basic than those found in Modula and NextGEN. But it does have the ability for deep linking and pagination, for larger galleries.
  • Photo Gallery by 10web — 10web’s image plugin is cool because it also allows for ecommerce functionality, social sharing, and has various slideshow effects.
  • FooGallery — Also a simple gallery, it still has some nice hover effects, lightbox, pagination, and retina support. It too comes in a pro (paid) version.

Image protection

You have worked so hard to make a site look pretty with imagery. Now, how do you keep your hard work from being swiped by someone who visits your site? After all, it is pretty easy to just right click on an image and save it to your desktop.

So, what’s to stop that from happening?

Well, there are several ways to approach image protection. It just depends on your goal. One thing you can do is to disable the right click on your site altogether. The above-mentioned plugin Envira comes with image protection.

You can also get a plugin called WP Content Copy Protection. It will disable right-clicking on your entire website. However, you can also set it to protect selected pages, posts, and categories, too.

Watermarking is another age-old tactic used to protect your images.

The plus side to this method of protection is that when someone does swipe your image, they then have your logo and/or trademark on it that they would then have to attempt to remove via Photoshop. Typically, most people will avoid grabbing an image with a watermark on it altogether.

The downside to this method of protection is now all your images have watermarks on them and, based on how you watermarked them, this can be unsightly.

Another way your images get taken is hotlinking: a third-party website embeds the image’s URL directly, so the file loads from your server (your hosting plan) and is displayed on that site, using your bandwidth and without your permission, of course.

You can disable the hotlinking of images from your WordPress site with a little bit of coding in the .htaccess file. Just add this code to the .htaccess file in your WordPress site’s root directory:

#Disable image hotlinking with forbidden custom image option
RewriteEngine on
# Let through requests that carry no Referer at all (direct visits, some browsers and proxies)
RewriteCond %{HTTP_REFERER} !^$
# Let through your own site (dots are escaped so they match literally)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
# Let through Google (image search previews)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
# Any other site requesting one of these image types gets 403 Forbidden (the F flag)
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

*Be sure to replace yourdomain.com with your site’s domain name!
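To see what those RewriteCond/RewriteRule lines actually let through, here is an added Python example (not part of the original post) that re-implements the same decision for sample requests. The domain, the sample paths and the Referer values are constructed placeholders; the strict option goes beyond the snippet above by requiring the allowed host name to end where the pattern ends, since the original pattern is only a prefix match.

```python
import re
from typing import Optional

# Assumed site domain; the .htaccess snippet uses the placeholder yourdomain.com.
SITE_DOMAIN = "yourdomain.com"

# Mirrors the RewriteRule pattern: only requests for these image types are affected.
IMAGE_PATH = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)


def allowed_referer_pattern(domain: str, strict: bool):
    """Build the Referer allow-list expressed by the two domain RewriteConds.

    strict=False reproduces the snippet as written: a prefix match, so the
    Referer host only has to *start* with the allowed name.  strict=True also
    requires the host to end right after the allowed name ('/' or end of
    string), which is the tighter form a practitioner would deploy.
    """
    hosts = r"(www\.)?(" + re.escape(domain) + r"|google\.com)"
    tail = r"(/|$)" if strict else ""
    return re.compile(r"^https?://" + hosts + tail, re.IGNORECASE)


def hotlink_status(path: str, referer: Optional[str],
                   domain: str = SITE_DOMAIN, strict: bool = True) -> int:
    """Return the HTTP status the rules would yield for one request: 200 or 403."""
    if not IMAGE_PATH.search(path):
        return 200                  # RewriteRule does not match non-image URLs
    if not referer:
        return 200                  # RewriteCond !^$ : empty Referer is let through
    if allowed_referer_pattern(domain, strict).match(referer):
        return 200                  # own site or google.com is let through
    return 403                      # [F] flag: Forbidden


# Constructed sample requests (path, Referer) a site might see once the rules are live.
SAMPLE_REQUESTS = [
    ("/wp-content/uploads/hero.jpg", None),
    ("/wp-content/uploads/hero.jpg", "https://www.yourdomain.com/about/"),
    ("/wp-content/uploads/hero.png", "https://www.google.com/search?q=cheese"),
    ("/wp-content/uploads/hero.jpg", "https://forum.example.net/thread/42"),
    ("/wp-content/themes/x/style.css", "https://forum.example.net/thread/42"),
]


def simulate(requests=SAMPLE_REQUESTS, strict: bool = True) -> list:
    """Evaluate every sample request and return the list of resulting status codes."""
    return [hotlink_status(path, ref, strict=strict) for path, ref in requests]


if __name__ == "__main__":
    for (path, ref), status in zip(SAMPLE_REQUESTS, simulate()):
        print(f"{status}  {path}  Referer={ref!r}")
```

Only the fourth sample request (an image embedded by an unrelated site) is refused; the stylesheet from the same site is untouched because the rule matches image extensions only.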

Finally, you can also add copyright notices on your site, but most people ignore those anyway. I wouldn’t really bother worrying too much about this method.

Closing thoughts on managing images for WordPress

You should now have a generous mitten full of imagery tidbits at your fingertips that will hopefully be able to steer you in the right direction while making a WordPress site shine with pretty images — and still maintain fast load times.

These suggestions are subject to change and/or debate. But what kind of a world would we live in if we couldn’t change or debate?

10 WordPress security best practices you need to implement — right now
https://smallbiz.com/10-wordpress-security-best-practices-you-need-to-implement-right-now/
Fri, 10 Jun 2022 15:22:02 +0000
Lock it down

WordPress is a powerful web application and is used by up to 43% of the internet, to date. But with great popularity comes great threats. With numbers like these, many would-be attackers are constantly on the lookout for weaknesses in your site — a good reason to implement these WordPress security best practices, right now.

WordPress security best practices

Beyond the usual best practices — like keeping your core files, theme(s) and plugins up to date — there are many other factors to take into consideration. File and directory permissions, among others, are necessary to keep safe that which you’ve worked hard on and treasure.

1. Update file permissions

The default file permissions for all files on a WordPress site are typically set to 644. The default directory permissions are set at 755. There are scenarios that warrant differences.

For instance, it is a good idea to have your wp-config.php file set to permissions more restrictive than 644.

I know of folks who set that file’s permissions to 440. This helps make it harder for the riff-raff to access the file. Some people set theirs to 600. That’s fine too.

You can change file and directory permissions via File Manager, in your hosting plan. You can also alter these permissions in your favorite FTP program.
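Checking a whole install by hand is tedious, so here is an added Python example (not from the original post) that walks a WordPress directory tree and reports every file or directory whose mode departs from the 644/755 defaults, treating wp-config.php as correct only at 600 or 440. The sample tree it builds in a temporary directory is constructed for the demo, with a world-writable uploads folder, a group-writable plugin file and a wp-config.php left at 644; it assumes a POSIX filesystem where chmod is honoured.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Target modes from the text: files 644, directories 755, wp-config.php 600 or 440.
FILE_MODE = 0o644
DIR_MODE = 0o755
WP_CONFIG_MODES = {0o600, 0o440}

def _mode(p: Path) -> int:
    """Permission bits only (no file-type bits), without following symlinks."""
    return stat.S_IMODE(p.lstat().st_mode)

def audit_permissions(root: str) -> Dict[str, Tuple[str, str]]:
    """Walk a WordPress tree; map each deviating relative path to (actual, expected)."""
    root_path = Path(root)
    findings: Dict[str, Tuple[str, str]] = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        base = Path(dirpath)
        for name in dirnames:
            p = base / name
            if _mode(p) != DIR_MODE:
                findings[p.relative_to(root_path).as_posix()] = (oct(_mode(p)), oct(DIR_MODE))
        for name in filenames:
            p = base / name
            if p.name == "wp-config.php" and base == root_path:
                if _mode(p) not in WP_CONFIG_MODES:
                    findings[p.relative_to(root_path).as_posix()] = (oct(_mode(p)), "0o600 or 0o440")
            elif _mode(p) != FILE_MODE:
                findings[p.relative_to(root_path).as_posix()] = (oct(_mode(p)), oct(FILE_MODE))
    return findings

def build_demo_tree(base: str) -> str:
    """Create a small constructed WordPress-like tree with deliberate permission mistakes."""
    root = Path(base) / "public_html"
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "plugins").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php // constructed sample\n")
    (root / "index.php").write_text("<?php // constructed sample\n")
    (root / "wp-content" / "plugins" / "hello.php").write_text("<?php // constructed sample\n")
    for d in (root, root / "wp-content", root / "wp-content" / "plugins"):
        os.chmod(d, DIR_MODE)
    os.chmod(root / "wp-content" / "uploads", 0o777)                 # world-writable: too open
    os.chmod(root / "wp-config.php", 0o644)                          # should be 600 or 440
    os.chmod(root / "index.php", FILE_MODE)                          # correct
    os.chmod(root / "wp-content" / "plugins" / "hello.php", 0o664)   # group-writable
    return str(root)

def run_demo() -> Dict[str, Tuple[str, str]]:
    """Build the sample tree in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_permissions(build_demo_tree(tmp))

if __name__ == "__main__":
    for path, (actual, expected) in sorted(run_demo().items()):
        print(f"{path}: {actual} (expected {expected})")
```

Point audit_permissions at your real document root to get the same report for a live site; an empty result means everything is at the modes the text recommends.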

2. Disable the xmlrpc.php File

What is this file? Well, simply put, the XMLRPC is a system that allows for remote updates to WordPress from other applications. To make sure your site stays secure, it’s a good idea to disable xmlrpc.php completely.

However, if you need some of the functions necessary for remote publishing or the Jetpack plugin (for instance), you should use a workaround plugin that allows those features while still closing the security gaps.

One plugin that comes to mind is called Disable XML-RPC. This plugin uses the built-in WordPress filter xmlrpc_enabled to simply disable the XML-RPC API on a WordPress site. This renders it unobtainable by someone looking to compromise your site.

Another plugin that comes to mind is the Disable XML-RPC Pingback plugin, which lets you disable just the pingback functionality. This means that you will still have access to the other features of XML-RPC if you happen to need them — for instance, if you’re running Jetpack. There are other plugins that will also disable this file. See below for more details on that plugin.

Both plugins are easy to use. You just have to install and activate them. They do the rest for you.

In the event that you want more control over how XML-RPC works on your site, you can instead install the REST XML-RPC Data Checker plugin. Once installed and activated, you would just need to go to Settings > REST XML-RPC Data Checker, and then click the XML-RPC tab.

Once there, you will be able to navigate through the interface to better control the xmlrpc.php file and what it does.

If you already have a ton of plugins and want to avoid installing yet another, you can control the xmlrpc.php file with this one-line PHP filter (it belongs in your theme’s functions.php or a must-use plugin, since it is PHP rather than an .htaccess directive):

// Tell WordPress to answer every XML-RPC request as disabled.
add_filter( 'xmlrpc_enabled', '__return_false' );

That will just turn it off altogether.

You can also edit the .htaccess file with this block:

# Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat, or use "Require all denied" instead
<Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
</Files>

Or have your hosting provider disable the file itself.
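Whichever method you pick, the server log is where you confirm it took effect. The following is an added Python example (not from the original post) that reads Apache combined-format log lines, tallies xmlrpc.php requests per client and status code, and reports whether any still succeed. The log lines are constructed samples: the first set predates the <Files xmlrpc.php> block above and the second was captured after it; the IP addresses are documentation ranges.

```python
import re
from collections import Counter, defaultdict
from typing import Dict

# Apache "combined" log format, with just the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not from a real server).
BEFORE_LOG = """\
198.51.100.23 - - [10/Jun/2022:15:22:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2022:15:22:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2022:15:22:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2022:15:22:05 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2022:15:22:06 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 512 "-" "Jetpack"
"""
AFTER_LOG = """\
198.51.100.23 - - [11/Jun/2022:09:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Jun/2022:09:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Jun/2022:09:00:04 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def xmlrpc_hits(log_text: str) -> Dict[str, Counter]:
    """Map each client IP to a Counter of HTTP status codes for requests to xmlrpc.php."""
    hits: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                            # skip lines not in combined format
        if m.group("path").split("?", 1)[0].endswith("/xmlrpc.php"):
            hits[m.group("ip")][m.group("status")] += 1
    return dict(hits)


def xmlrpc_still_reachable(log_text: str) -> bool:
    """True if any xmlrpc.php request got a 2xx, i.e. the Deny rule is not in effect."""
    return any(status.startswith("2")
               for counts in xmlrpc_hits(log_text).values() for status in counts)


def noisiest_clients(log_text: str, limit: int = 3):
    """IPs hitting xmlrpc.php most often, highest first; candidates for a WAF block."""
    totals = Counter({ip: sum(c.values()) for ip, c in xmlrpc_hits(log_text).items()})
    return totals.most_common(limit)


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(label, "reachable:", xmlrpc_still_reachable(log), noisiest_clients(log))
```

Note that the Jetpack request in the first log also disappears once the file is denied outright, which is exactly the trade-off the pingback-only plugin is meant to avoid.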

3. Hide your sensitive details

Once you’ve got your site all dialed in and live, hide certain details from the public eye that might lure someone towards wanting to compromise all your arduous work. A nice plugin for this is called Hide My WP Ghost. This plugin is a paid plugin, but it’s worth the coin, and it’s on sale now for a 5-pack license.

This plugin does a fantastic job of hiding your core files, file paths, login page, and more. It performs the following functions, to name just a few:

  • Change the wp-admin and wp-login URLs
  • Change lost password URL
  • Hide /wp-login path
  • Disable XML-RPC access
  • Change URLs using URL Mapping
  • Weekly security checks and reports
  • Email support, and more

4. WAF/CDN protection

A big step towards protection is blocking people you don’t want to have access to your site, altogether. This can be accomplished via a WAF (web application firewall) combined with a CDN (content delivery network).

Fortunately, GoDaddy offers this type of protection through Sucuri. Once purchased and set up, you can go into the firewall settings and enable GeoBlocking, if you so desire, and block entire countries from accessing your site.

The WAF will also help to speed up your site, since it does a wonderful job of blocking the known bad IPs and allowing the good ones to access your site.

5. Combat comment spam

Another nuisance is comment form spam. There is a great way to limit or prevent this type of problem. The method I like is to utilize the plugin called wpDiscuz.

With this plugin, wpDiscuz will take over your site’s commenting and check against a host of bad actors, filtering out bad or malicious comments by forcing the commenter to enter credentials to comment. You get an email sent to you with each successful comment on your site, so you can then moderate further, if needed.

6. Enable CAPTCHA

It is highly recommended that you also enable CAPTCHA on all forms on your site(s). This will aid in the prevention of form spam. There are several types of CAPTCHA additions out there. Some ask the user to solve a math equation, some have a puzzle to solve, others have you select a series of pictures, and there are more variations.

7. Enable 2-factor authentication (2FA)

A tried-and-true way of keeping out the knuckleheads who would seek to do your site harm is to enable 2-factor authentication for every user of your site. If you are on your site all the time, it can be a mild inconvenience to have to enter the 2FA code each time you log in. But that is a small price to pay for the security of your site.

A good plugin that can be used to enable 2FA is Wordfence. Just install the plugin and go to this article to see how to enable it.

8. Change the WP-admin URL

The default admin URL has been the same, on WordPress, for years. All bad actors know it and routinely attempt to gain access to your site via said URL. The above mentioned Hide My WP Ghost plugin does a great job of obscuring this URL by simply changing it.

9. Add server-level protection

If your WordPress site is hosted on a server you administer, you can enable other security features that will help keep your site safe. One such feature is in WHM. You can help prevent or limit the possibility of an AnonymousFox compromise by simply turning off Reset Password for cPanel Accounts and Reset Password for Subaccounts.

Simply go to WHM > Tweak Settings > search for password. From there, for the Reset Password for cPanel Accounts and Reset Password for Subaccounts features, select Off. This will help in preventing a bad actor from accessing — and then changing — the cPanel and subaccounts passwords.

The second thing you’ll want to do, if your site is hosted on a server, is to disable shell access to all your cPanel accounts. Just go to WHM > Manage Shell Access > Disable Shell for all cPanel accounts.

10. Strong login credentials

Last among our WordPress security best practices, but certainly not least, always use strong passwords and obscure usernames. I can’t tell you how many times I’ve come across passwords like Password123!. Another common mistake is making the username something relative to the site itself.

If you want to get compromised, that is a sure-fire way to do it.

Long and randomly generated passwords, in conjunction with usernames that have nothing to do with the site, are always your best combo.

Another great idea is to change your passwords regularly. It might seem like a pain, but that pales in comparison to getting hacked. How often you change your passwords is at your discretion, just as long as you do. (You’ll be glad you did.)

Closing thoughts on WordPress security best practices

All in all, you have worked so hard for your intellectual property (or your client’s). Why not keep it safe? These few, but helpful, WordPress security best practices can go a long way toward a successful and compromise-free website for years to come.
