Title: Performance & Security
Author: JMR.codes
Published: 20 October 2014
Last modified: 12 June 2026

---

# Performance & Security

 By [JMR.codes](https://profiles.wordpress.org/jmrcodes/)

[Download](https://downloads.wordpress.org/plugin/wp-performance-security.zip)

## Description

A self-hosted site manager’s toolkit: the security hardening, performance tuning,
admin cleanup, content controls and email handling you’d otherwise install half 
a dozen micro-plugins for — as independent modules on a single settings page (Settings
→ Site Toolkit). Every module is off by default and registers no hooks while disabled,
so the plugin changes nothing until you opt in.

🔐 **Security** — disable XML-RPC, hide the WordPress version, disable user enumeration
(author scans, sitemaps, oEmbed, author archives), block the REST users endpoint,
disable the file editors, block readme/license files, security headers (with optional
HSTS), disable application passwords, session management, and an admin audit log.

🔓 **Login Page** — change the login URL, login rate limiting, hide detailed login
errors, username-only sign-in, disable the language switcher, record each user’s
last login, and login screen branding (use your site identity automatically or a
custom logo from the media library).

🚀 **Performance** — control autosave and post revisions, remove asset version query
strings, throttle the Heartbeat API, remove wp_head bloat and generator tags, dequeue
unused default assets (emoji, jQuery Migrate, Block Library CSS), disable self-pings,
scheduled database maintenance, DNS prefetch/preconnect hints, and manage generated
image sizes.

🛠️ **Admin / UX** — hide the front-end toolbar, change the WordPress greeting, replace
the account menu with a logout button, dashboard widget manager, custom admin footer,
maintenance mode, media library user isolation, environment indicator, suppress 
update notices on non-production, trim the WordPress toolbar menu, and an «All Settings»
menu item.

📝 **Content & Editorial** — customize excerpts, disable the block editor per post
type, disable trackbacks, targeted comment controls (media comments, plain-text 
links, minimum length), disable comments entirely, disable oEmbed, and restore the
Links Manager.

📧 **Email & Notifications** — disable selected notification emails, and redirect
or block all outgoing email on non-production environments.

If you have further suggestions, please contact us via the [plugin support page](https://wordpress.org/support/plugin/wp-performance-security).

If this plugin is useful for managing your WordPress settings, please [leave a review](https://wordpress.org/support/view/plugin-reviews/wp-performance-security).

Developed by [JMR.codes](https://jmr.codes).

## Installation

 1. Unzip the plugin and copy the `wp-performance-security` folder to the `/wp-content/plugins/`
    directory
 2. Activate the plugin through the ‘Plugins’ menu in WordPress

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

«Performance & Security» is open source software. The following people have
contributed to this plugin:

Contributors

 *   [JMR.codes](https://profiles.wordpress.org/jmrcodes/)

[Translate «Performance & Security» into your language.](https://translate.wordpress.org/projects/wp-plugins/wp-performance-security)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/wp-performance-security/),
check out the [SVN repository](https://plugins.svn.wordpress.org/wp-performance-security/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/wp-performance-security/)
by [RSS](https://plugins.trac.wordpress.org/log/wp-performance-security/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.1.1

Version bump due to Subversion issues

#### 1.1.0

This is a major release. The plugin has been rebuilt around a modular framework:
every feature is now an independent module on a single **Settings → Toolkit** page
(«Performance & Security Toolkit»), and each module is off by default and adds no
overhead until you switch it on. The old «Performance & Security» settings page 
has been retired, and your existing 1.0 settings are migrated to the equivalent 
modules automatically when you upgrade.

**Requirements**

 * Now requires WordPress 6.2 or later (the audit log uses the `%i` SQL identifier
   placeholder added in WordPress 6.2).
 * Now requires PHP 7.4 or later.

**New — 49 modules across six sections**

 * Security: Disable XML-RPC; Hide WordPress version; Disable user enumeration
   (blocks author scans, with optional removal from XML sitemaps and oEmbed,
   author-archive redirect and author-link unlinking); Block REST API user endpoint; Disable
   theme/plugin file editor; Block access to readme/license files; Add security
   headers (duplicate detection, optional HSTS gated on HTTPS); Disable application
   passwords; Session management (log out other sessions on password change, optional
   session-lifetime cap); Admin audit log (Tools → Audit Log) with a daily retention
   purge.
 * Login Page: Change login URL; Login rate limiting; Hide detailed login errors
   (with a custom message); Disable login via email address (username-only sign-in);
   Disable the login language switcher; Record user last login time (adds a sortable
   «Last Login» column to the Users screen); Customize login screen branding (use
   your site identity automatically, or set a custom logo from the media library,
   link and title).
 * Performance: Disable autosave or increase the autosave interval; Limit post revisions;
   Remove version query strings from assets; Control the Heartbeat API; Remove additional
   wp_head bloat (including per-source generator tags for WordPress, WooCommerce,
   Google Site Kit, Performance Lab, Modern Image Formats and Speculative Loading);
   Dequeue unused default assets (emoji, jQuery Migrate, Block Library CSS and more);
   Disable self-pings; Database maintenance (scheduled cleanup with a «Run now» 
   button); DNS prefetch / preconnect hints; Manage generated image sizes.
 * Admin / UX: Hide the toolbar on the front end; Change the WordPress greeting;
   Replace the account menu with a logout button; Dashboard widget manager; Custom
   admin footer text (with optional database statistics); Maintenance / coming soon
   mode; Media library user isolation; Environment indicator; Suppress update notices
   on non-production environments; Remove the WordPress toolbar menu; Add an «All
   Settings» menu item.
 * Content & Editorial: Disable the block editor (Gutenberg) per post type; Disable
   trackbacks and pingbacks; Disable oEmbed; Disable comments (thorough, with granular
   keep-toggles); Disable comments on media files; Disable active links in comments;
   Minimum comment length; Customize excerpts (word length and «more» text); Enable
   the Links Manager.
 * Email & Notifications: Disable email notifications (auto-update, background-update,
   successful-core-update and password-reset emails, each individually toggleable);
   Redirect outgoing email on non-production environments (to a catch-all address,
   or block it entirely).

**Changed**

 * Settings have moved to Settings → Toolkit (titled «Performance & Security Toolkit»);
   the «Settings» link on the Plugins screen now points there. Your existing settings
   are migrated automatically — no reconfiguration needed.

**Removed**

 * GZIP compression — removed with no in-plugin replacement. Compression belongs
   at the server or CDN level (enable it in cPanel/Plesk or ask your host): that
   is more reliable, avoids conflicts with caching plugins, and supports Brotli.
 * Several niche legacy options were retired because they need theme code to be 
   useful or duplicate settings handled better elsewhere: excerpts on Pages, the
   «Read more» anchor tweak, content/excerpt auto-formatting toggles, custom post
   types in search and RSS, tags on pages and in queries, and HTML5 markup support.
   The comment-form URL-field removal was also dropped, as it cannot be done reliably
   across both classic and block themes.

**Fixed**

 * The «WordPress greeting» option now works — and in every language. The previous
   version hooked too early to ever modify the toolbar greeting, so it had no effect.
 * «Disable self-ping» can now be saved. The legacy checkbox was missing from the
   settings whitelist and never persisted.

**Security**

 * Login rate limiting now reads the proxy-appended client IP instead of the spoofable
   left-most X-Forwarded-For value, and the lockout window no longer extends on 
   already-blocked attempts (which could permanently lock out everyone sharing an
   IP).
 * Maintenance mode now also returns a 503 for anonymous REST API requests, so posts
   and pages are not readable via /wp-json while the site is hidden.
 * Media library user isolation now covers the list view and the REST media endpoint,
   not only the grid view.
 * The login-screen logo URL is quoted inside its CSS to prevent CSS injection, 
   and author-enumeration blocking also catches the array form (?author[]=1).
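
The two login rate limiting fixes above, sketched as an added example (not the plugin's own code): the client IP is taken from the right-hand, proxy-appended end of `X-Forwarded-For`, and a refused attempt leaves the lockout timer untouched. The function names, the thresholds and the `$trusted_hops` setting are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. Function names, thresholds and
// the $trusted_hops setting are hypothetical.

/** Return the client IP: the entry your own proxies appended, counted from the right. */
function example_client_ip(string $remote_addr, ?string $xff, int $trusted_hops): string
{
    if ($trusted_hops < 1 || $xff === null || trim($xff) === '') {
        return $remote_addr; // no trusted proxy: ignore the header entirely
    }
    $chain = array_map('trim', explode(',', $xff));
    // Each trusted proxy appends the peer it saw, so with N trusted proxies the
    // N-th entry from the right is the real client; everything left of it is
    // whatever the client chose to send.
    $index     = count($chain) - $trusted_hops;
    $candidate = $index >= 0 ? $chain[$index] : '';
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remote_addr;
}

/** Count one failed login for an IP; true means the attempt is refused. */
function example_register_failure(array &$state, int $now, int $max = 5, int $window = 900, int $lock = 900): bool
{
    $locked_until = $state['locked_until'] ?? 0;
    if ($locked_until > $now) {
        return true; // already blocked: leave locked_until alone so the lock can expire
    }
    $window_over = !isset($state['window_start']) || $state['window_start'] + $window <= $now;
    if ($window_over || $locked_until > 0) {
        $state = ['fails' => 0, 'window_start' => $now, 'locked_until' => 0];
    }
    $state['fails']++;
    if ($state['fails'] >= $max) {
        $state['locked_until'] = $now + $lock;
        return true;
    }
    return false;
}

// Constructed sample: the left-most entry is forged by the client, the
// right-most one was appended by the single trusted proxy at 10.0.0.2.
$ip = example_client_ip('10.0.0.2', '203.0.113.7, 198.51.100.23', 1);

$state = [];
for ($t = 0; $t < 8; $t++) {            // eight failures, one per minute
    example_register_failure($state, 1000 + 60 * $t);
}
printf("keyed on %s, locked until t=%d\n", $ip, $state['locked_until']);
```

If the early return in `example_register_failure` instead rewrote `locked_until` on every refused attempt, steady traffic from a shared address would keep the lock from ever expiring, which is the failure the changelog entry describes.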

#### 1.0.0

 * Security: settings are now saved through the WordPress Settings API with a dedicated
   nonce and a `manage_options` capability check
 * Security: all stored settings are sanitised against a whitelist of known options
   (unknown keys are discarded)
 * Security: all settings and URLs are escaped on output
 * Fixed fatal errors on PHP 8 caused by `create_function()`
 * Fixed the custom login logo, login URL, login title and minimum comment length
   options, which previously referenced settings out of scope
 * Fixed reactivation overwriting saved settings
 * Custom post types in search results now use `pre_get_posts` so the option works
   as described
 * The settings page now lists all options on a single page, grouped into fieldsets
   by feature type

#### 0.9.2

 * Removed Google Analytics section now that Universal Analytics is no longer supported

#### 0.9.1

 * Fixed a bug on the login screen

#### 0.9

 * Fixed a bug with comments being disabled by default
 * Remove oEmbed support option
 * Remove jQuery migrate option
 * Improved emoji removal to include dns-prefetch of image sources

#### 0.8

 * Tested against WP 5.0.1
 * Open Sans was dropped from WP 4.6 in favour of system fonts – so this option 
   will only show for older versions of WP
 * Updated Google Analytics to support Google Tag Manager (gtag.js)
 * Added the ability to hide existing comments
 * Jetpack devicepx option only shown if Jetpack is active
 * Improved handling of custom post type options
 * Added support for enabling (and disabling) the Links Manager
 * Removed SVG support due to changes in WP since 4.7
 * Minor code improvements

#### 0.7

 * Added new feature to remove the styles and scripts that make up emoji support,
   which was added in WP 4.2

#### 0.6

 * Fixed a range of alerts that appear in debug mode

#### 0.5

 * Fixed issue where plugin might conflict with WP Super Cache

#### 0.4.1

 * Minor changes to plugin settings in WP

#### 0.4

Minor code changes

 * JS only loaded on plugin page
 * Changed default settings, all plugin options set to the WordPress defaults

#### 0.3

 * Updated plugin to allow for internationalization
 * Added icon

#### 0.2

 * Added support for adding Google Analytics tracking code
 * Added a toggle to remove the admin bar from front-facing pages
 * Added a setting to enforce and set the minimum number of characters required 
   in a comment

#### 0.1

 * Initial launch

## Meta

 *  Version **1.1.1**
 *  Last updated **5 days ago**
 *  Active installations **30+**
 *  WordPress version **6.2 or higher**
 *  Tested up to **7.0**
 *  PHP version **7.4 or higher**
 *  Language
 * [English (US)](https://wordpress.org/plugins/wp-performance-security/)
 * Tags
 * [performance](https://nb.wordpress.org/plugins/tags/performance/) [security](https://nb.wordpress.org/plugins/tags/security/)
   [toolkit](https://nb.wordpress.org/plugins/tags/toolkit/)
 *  [Advanced View](https://nb.wordpress.org/plugins/wp-performance-security/advanced/)

## Ratings

 5 out of 5 stars.

 *  [2 5-star reviews](https://wordpress.org/support/plugin/wp-performance-security/reviews/?filter=5)
 *  [0 4-star reviews](https://wordpress.org/support/plugin/wp-performance-security/reviews/?filter=4)
 *  [0 3-star reviews](https://wordpress.org/support/plugin/wp-performance-security/reviews/?filter=3)
 *  [0 2-star reviews](https://wordpress.org/support/plugin/wp-performance-security/reviews/?filter=2)
 *  [0 1-star reviews](https://wordpress.org/support/plugin/wp-performance-security/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/wp-performance-security/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/wp-performance-security/reviews/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/wp-performance-security/)

## Donate

Would you like to support the advancement of this plugin?

 [Donate to this plugin](https://buymeacoffee.com/jmrcodes)