1) WP Core Files
Depending on your setup, you may not need some default WordPress features enabled. In fact, unless you absolutely need them, some features such as XML-RPC should actually be disabled for security purposes.
ToolKit enables you to selectively dequeue or modify several common WP core functions for better performance and security.
- Disable Emojis Site-Wide
WordPress 4.2 and higher load CSS and JS for the Emoji framework, normally about 12 KB.
If you do not use any emojis on your site, you can disable this and reduce your server requests and site size a bit more.
- Disable Dashicons
Nearly 50 KB in size, the CSS for Dashicons is normally needed anytime the top WP Admin Bar is displayed.
That being said, logged-out or normal site visitors normally do not see the WP Admin Bar, so you can dequeue this and shave off a bit of unneeded bloat.
Enabling this will dequeue the Dashicons CSS from loading if the WP Admin Bar is not displayed.
- Disable oEmbed
This feature of WP core allows users to directly embed online content from YouTube, Twitter, and other websites by simply inserting a website URL.
Many websites do not actually need this feature and can easily disable it. Disabling oEmbed will dequeue and remove the /wp-includes/js/wp-embed.min.js server request.
- Disable RSS Feeds
By default, WordPress comes with a few default feeds. They are generated by template tags for bloginfo() for each type of feed, and are typically listed in the sidebar and/or footer of most WordPress Themes.
Unless you are using your site as a blogging platform that needs to be compatible with RSS readers, you can disable RSS feeds on your website.
- Disable XML-RPC
XML-RPC is an API framework used by WordPress for communicating between third-party apps, plugins, and blogs.
It can also be used to remotely post and manage content on your WP site. Thus, unless you are using Jetpack or require this particular feature, you can disable XML-RPC to strengthen security against hackers and protect against brute force attacks.
- Disable Rest API
Keep in mind that many plugins, admin dashboard widgets, and even the Gutenberg Editor use the REST API.
The WP REST API allows any anonymous user access to a variety of your site’s metadata. This can be exploited by hackers and nefarious bots that are launching DDoS or brute-force password attacks on WP sites.
They can use this API to list the usernames of anyone who has published any post or page on a WordPress site. The list of users displayed via this API almost always includes a user with admin level access.
Thus many performance and security plugins which disable the REST API do so for users that are either not logged in or for non-administrators.
Tip: If “Disable Rest API” is enabled, any site attempting to connect to this site via Syncer will not be able to do so.
- Disable Gutenberg CSS Block Library Site-Wide
For Elementor users that do not use Gutenberg at all, you can disable this. Disabling this will dequeue /wp-includes/css/dist/block-library/style.min.css (saves approx 25 KB).
- Disable Comment Reply Site-Wide
If you have disabled comments site-wide, you can dequeue the comment reply JS, which WordPress loads by default.
If you are using Facebook or Disqus for comments, you can also disable the default WP comment reply JS (/wp-includes/js/comment-reply(.min).js).
2) Source Code
You can now use ToolKit to help clean your site’s frontend source code. This can help harden the security of your site, while also reducing how much sensitive info you reveal to any site visitor.
- Remove Query Strings
WP commonly appends version numbers and query strings such as “?” or “&” on the ends of certain assets (CSS, JS). Some CDNs may have issues caching these, and some performance tests often recommend removing query strings.
Please keep in mind that some page builders use query strings for live site editing and versioning, so enabling this while you are working on the site is not recommended.
However, once you are done editing your site, you can enable this feature.
- Remove Rest API Links
Enabling this feature will dequeue and remove the REST API links from your site header.
- Remove RSS Feed Links
RSS Feeds are included and enabled by default in WordPress core. Most users do not require or use the RSS system and thus can disable it.
We have included the ability to disable RSS feeds under the Common WP Files tab in Booster. Enabling this feature removes the RSS Feeds link and reference from the front end source code of your site.
- Remove Really Simple Discovery (RSD) Link
RSD is normally needed for XML-RPC clients, remote management of posts, and pingbacks.
However, most sites do not utilize these features and can easily dequeue RSD from loading on the front end (great for performance and security).
- Remove WP Shortlinks
By default, all WordPress installs have an extra server request for your page/post shortlink.
Oftentimes this is not needed because most users have pretty permalink settings (https://yourdomain.com/post), and thus it can be dequeued to save a server request (great for performance with no impact on SEO).
- Remove Windows Live Writer Link
Does your site utilize tagging support with Windows Live Writer (WLW)? If not, you can enable this to remove it from your site.
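To confirm the options above took effect, you can check a saved copy of a page's frontend HTML for the tags they are meant to remove. The script below is an added example, not part of ToolKit. The rel values it looks for are the ones WordPress core prints in the page head, the asset paths are the ones named on this page, and the sample markup and the example.test host are constructed for illustration.

```python
from html.parser import HTMLParser

# rel values WordPress core prints in <head> -> ToolKit option that removes them.
REL_CHECKS = {
    "EditURI": "Remove Really Simple Discovery (RSD) Link",
    "wlwmanifest": "Remove Windows Live Writer Link",
    "shortlink": "Remove WP Shortlinks",
    "https://api.w.org/": "Remove Rest API Links",
}
# Core asset paths named on this page -> option that dequeues them.
ASSET_CHECKS = {
    "/wp-includes/js/wp-embed": "Disable oEmbed",
    "/wp-includes/css/dist/block-library/style": "Disable Gutenberg CSS Block Library Site-Wide",
    "/wp-includes/js/comment-reply": "Disable Comment Reply Site-Wide",
}

class HeadAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (option, url) pairs
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("href") if tag == "link" else a.get("src") if tag == "script" else None
        if not url:
            return
        if tag == "link" and a.get("rel") in REL_CHECKS:
            self.findings.append((REL_CHECKS[a["rel"]], url))
        if tag == "link" and a.get("rel") == "alternate" and "rss+xml" in a.get("type", ""):
            self.findings.append(("Remove RSS Feed Links", url))
        for path, option in ASSET_CHECKS.items():
            if path in url:
                self.findings.append((option, url))
        if "?ver=" in url or "&ver=" in url:  # version number exposed in the URL
            self.findings.append(("Remove Query Strings", url))

def audit(html):
    parser = HeadAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample <head>; example.test is a placeholder host.
SAMPLE = """<head>
<link rel="EditURI" type="application/rsd+xml" href="https://example.test/xmlrpc.php?rsd" />
<link rel="https://api.w.org/" href="https://example.test/wp-json/" />
<link rel="alternate" type="application/rss+xml" href="https://example.test/feed/" />
<link rel="stylesheet" href="https://example.test/wp-includes/css/dist/block-library/style.min.css?ver=6.0" />
</head>"""
if __name__ == "__main__":
    for option, url in audit(SAMPLE):
        print(f"still present: {option} -> {url}")
```

An empty result from audit() means none of the checked tags remain in that page. Run it against a page fetched while logged out, since logged-in views load extra admin assets.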