Perfmatters, configuration guide

If tomorrow I was told that I could only take one plugin to a desert island, I would most probably take Perfmatters and if I had a fan club, I would sign up and go to all their concerts.

I’ve been using it since January 2021 and it has been one of the plugins that has solved the most problems and the one that contributes the most and the best to lighten the loading speed

Essential

It is one of those tools that you don’t even question the remote possibility of not paying when the annual renewal day arrives. Which, by the way, is very economical for use on a single site. It only costs 24.95 dollars and has a 15% discount for subsequent renewals. So from the second year onwards it’s $21.21 for a measly $21.21.

As I have reviewed some of its features separately, a more in-depth analysis and setup tutorial was pending. That is the aim of this post.

About the configuration

Disclaimer: Needless to say, the on and off icons I’ve added are from my configuration, which is the best I could get for this blog. That doesn’t mean it’s the ideal one for your environment

Every scenario is different. You will have to study each option and understand it, experiment with its behaviour and decide what is best in your case. For this, there is nothing better than testing your options one by one and evaluating the results.

Another thing to keep in mind is that duplicate tools will collide. There are other plugins like WP Rocket or the server cache plugin with Litespeed that have the same functions and do exactly the same thing. Activating them together can cause conflicts. You will have to evaluate which one works best and stick with only one of them.

General tab

The general tab contains the most common tools. Next to all of them you will find a link to their corresponding help. Don’t be afraid to try them. Everything is reversible. Clicking the switch will return everything to its original state and nothing has happened here

Disable emojis

In WordPress version 4.2 of 2015, support for emojis was added to the core for older browsers.

Although they are not too heavy (18 KB plus other JS) you can disable them because they load the wp-emoji-release.min.js JavaScript on every page of your blog and one less request is always one less request.

Disable dashicons

Dashicons is the official icon font of the WordPress admin since version 3.8. Some templates use it on the front-end by loading the dashicons.min.css CSS. However, many modern themes and plugins already use their own icons, SVGs, or no icons at all. So if you are not using dashicons you can disable them because the stylesheet adds unnecessary loading time and also blocks rendering.

Disabling them from Perfmatters does not affect the WordPress admin panel, which uses them. Only dashicons on the front-end will be removed when you are not logged in.

Disabling embeds

When you add any link from your blog in the editor, WordPress recognises it and displays it as such (if you haven’t changed the styling).

If you don’t care about embeds, you can disable them and lighten the load a bit. I haven’t turned them off because I’ve noticed that links with previews tend to get good click-through rates when used as related links between paragraphs.

Embedding or embeds came with WordPress version 4.4. The downside is that they came with an extra code that is added by including yet another JavaScript to load: wp-embed.min.js

Disabling embeds on your blog also prevents other blogs from embedding links from your site with that preview, however it removes the oEmbed-specific JavaScript, disables filtering of oEmbed results
, removes oEmbed link discovery and also removes all embed rewrite rules
.

Disable XML-RPC

XML-RPC is a protocol that was added in WordPress 3.5 to allow remote connections and, unless you are using the WordPress App to publish or edit your blog from mobile, it is important to disable it because it poses serious security risks.

Very few plugins require it, I only know of one that uses it: JetPack. A multifunction plugin that is not recommended because it considerably hampers performance.

Once XML-RPCXML-RPC is deactivated, just check its status by visiting yourdomain.com/xmlrpc.php to make sure that it only returns a 403 error message.

You can also check it in this checker. If you get a message like this it means XML-RPC is disabled.

Remove jQuery Migrate

It was introduced in WordPress 3.6 and is no longer enabled by default since WP 5.5 and higher.

Although most templates and plugins don’t need it, there are still a few that require it for some minor function. In my case there are two plugins that use it, Ultimate Membership Pro and Rank Math for a stats bar (which I don’t use) that is only displayed for admins. Some cookie consent management plugins still used it until recently.

jQuery Migrate is a resource for developers that allows code with older dependencies to communicate with new code.

Chances are you don’t have any plugins that need it, so jQuery Migrate is adding the unnecessary overhead of the jquery-migrate.min.js JavaScript

Still, check the documentation of your plugins before disabling it or ask their developers (we’ll see how to disable it for specific sites later)

Hide WordPress version

This option has no mystery, it simply hides the version of WordPress you have installed from prying eyes as a security measure.

This, which can be done in different ways, is useful in case you are late in updating something where vulnerabilities appear with your version that could be exploited or the core could be compromised. At least by hiding the version you are making it less easy for attackers looking for loopholes.

Although only one line of code is removed, and it is done mainly for security reasons, for optimisation lovers, it’s just another pinch that adds to the total to be subtracted.

Remove the wlwmanifest link

This is a tag that appears in every WordPress installation and was used by Windows Live Writer, which stopped being updated and supported in January 2017.

As above, it’s just unnecessary code, so one less line.

Remove RSD link

Another leftover tag that appears in every WordPress installation.

If you edit your site from the browser you don’t need it at all. It is also used by some third-party applications that use XML-RPC requests, which you are supposed to have already disabled. So that’s unnecessary code to remove.

Remove the short link

This is used to create a short link with numbers for your pages and post that adds this tag:

If you are using “nice” short permalinks, such as domain.com/%postname% then there is no reason to keep this unused, more unnecessary code to throw away.

Disabling the RSS Feed

WordPress generates different types of RSS feeds by default. Although RSS feeds are still useful for a blog, if your site is rather static or you simply don’t use it as a blog you can disable the feed.

Remove links from RSS feeds

Just as WordPress generates RSS feeds, it also generates links to those RSS feeds for your pages, posts, comments, categories, tags, etc. You can leave your RSS feeds enabled and still remove the RSS feed links. The purpose of this is to remove additional and most likely unused code from your page.

Disable autopingbacks

A pingback is basically an automatic comment with a link that is created as a notification on your blog when another blog links to you. An autopingback is created when you link to an article within your own blog.

Nowadays hardly anyone uses them and the external pingbacks you may receive are usually spammy, just waste resources and can even create malicious or temporary links that are broken and therefore detrimental to SEO.
Like trackbacks, they belong to the past of blogging, when linking as a blogging philosophy was tradition as part of netiquette.

Disabling the REST API

The WordPress REST API provides API endpoints for WordPress data types that allow developers to interact with sites remotely by sending and receiving JSON objects

It allows data to be cross-referenced with other sites and with software written in PHP or any other language.

There are different plugins, services and applications that use the REST API, according to Perfmatters these are some of them:

Yoast SEO and Ryte dashboard widget, Jetpack, some contact forms, Wordfence and some specific WooCommerce dashboard widgets.
It is also used by the Gutenberg block editor to communicate when making page and post edits. If you disable it completely you will get an “Update failed” error.

Perfmatters offers three options. Enabled (default), disabled for non-administrators and disabled when logged out.

Remove REST API bindings

By default, a REST API link is included in the header of the type:

<link rel='https://api.w.org/' href='https://domain.com/wp-json/' />

A header is also sent in each request and an API tag is added to the Really Simple Discovery (RSD) endpoint. All of this code can be dispensed with by activating the option to remove its links.

Disable Google Maps

Just that, disable the Google Maps API.

Some WordPress templates and plugins have the Google Maps API built in and often don’t offer a way to disable it. Google Maps can wreak havoc on your blog’s performance even though the requests are loaded asynchronously. Normally a request is made via the official Google Maps API.

Just to load a map on your blog, up to 20 HTTP requests can be made to Google Maps. Depending on the integration you can make fewer or even more requests.

If you don’t need them, you should disable them.

Exclude deactivation of Google Maps by post ID number

However, if you have no choice but to embed maps, you can exclude the deactivation only for those posts where you need to add them. To do this you must add in the following box the ID of each post separated by commas.

Disabling the password strength meter

This was introduced in the latest versions of WordPress and WooCommerce. It is a built-in password strength meter that forces users to use strong passwords and loads several files such as: /wp-admin/js/password-strength-meter.min.js and /wp-includes/js/zxcvbn.min.js

zxcvbn.min.js can weigh more than 800 KB

If you use WooCommerce, the file is also sometimes found in this path:

/wp-content/plugins/woocommerce/assets/js/frontend/password-strength-meter.min.js

Depending on each template and how the developer has queued things up, sometimes these files are loaded site-wide. For performance reasons, they should only be loaded on the “account”, “payment” and “password reset” pages.

If you still find these scripts among the requests after disabling it, please consult your template documentation and the documentation of any plugins you think may be making use of this feature.

Disabling comments

If you do not need the comments or you have decided to end the spam by the most radical way you can disable the option for your readers to comment. The comment form will disappear.

This is the list of actions that Perfmatters will try to perform when the Disable comments option is enabled:

• Disable the built-in recent comments widget.
• Remove the X-Pingback header.
• Remove comment feed links.
• Disable comment feed requests.
• Remove comment links from the admin bar.
• Remove comment support for all post types.
• Close comment filters.
• Remove comment links from the administration menu.
• Disable the built-in discussion page.
• Hide comments from the control panel.
• Hide the comment settings option from the profile page.
• Return a blank comment template when requested.
• Remove the comment reply script.

Remember that if you opt for a softer option you can close comments only on certain posts from the edit of each post by unchecking this box.

Or from Settings/comments you can set them to close after a certain number of days.

Remove URLs from comments

By default, WordPress comments include a website field that creates a nofollow link (although spammers don’t mind this) in the comment author’s name.

If you don’t want to deal with links that break over time, have too few comments, or simply want to stamp out spam, you can delete all those URLs added by visitors in comments in one fell swoop.

Enabling this will also remove the URL field from the form for future comments.

Add a blank favicon

If you already have a favicon on your site, you should leave this option disabled.

Adding a white favicon is useful if you are creating and testing a lot of new WordPress installations. Adding a blank favicon saves you from having to upload a favicon for each site. Also, if you forget it, it can generate a 404 error in the speed testing tools.

Remove global styles

Starting with WordPress 5.9, additional inline code was added to enhance duotone styles (CSS and SVG code). Most users probably won’t use this feature, and the problem is that it adds 311 lines (unminified) of code to each page of your site that are split like this:

196 lines of CSS before the tag and 115 lines of SVG code which is also added before the tag.

Much of the code uses!important; tags, which is also not ideal.
Perfmatters believes this may be a bug, so they are adding this option as an easy way to remove all this unnecessary code while it is being resolved.

Hearbeat, reviews and autosave

The WordPress Heartbeat API uses /wp-admin/admin-ajax.php to execute AJAX calls from the web browser

This is great because it saves your drafts and prevents an unexpected shutdown from causing you to lose them, but it can also cause high CPU usage and crazy amounts of PHP calls. For example, if you leave your control panel open, it will keep sending POST requests to this file at a regular interval, every 15 seconds. You can increase the frequency up to 60 seconds to mitigate this.

In the first option you can choose when and where it is triggered.

The third option allows you to limit the number of revisions of your entries to save space, for example if you set it to 10 only the last 10 will be saved and the previous ones will be deleted.

Finally, you can set the auto-save interval for drafts. By default, WordPress automatically saves them every 60 seconds. However, if you increase the interval you will have to manually save more frequently, this prevents the browser from crashing so much while you are in the administration area and also saves less writes to the database.

Woocommerce

About the optimization options for WooCommerce I will only say that they exist, but I will avoid any comment as it is customary in this house not to review anything that I do not have very clear, as is the case. I uninstalled WooCommerce in July 2021 and I hardly remember anything about the response to these optimizations so I refer you to their documentation:

• Disable WooCommerce scripts and styles
• Disable cart snippets
• Disable the WooCommerce status box
• Disable WooCommerce widgets

Login URL

Another interesting feature is the ability to change the default login URL to the admin area that WordPress sets in yourdomain/wp-admin. It does exactly the same as pugins like WPS Hide Login.

You will find three fields:

In the first one you can change the wp-admin login url to whatever you want, such as “yourdomain.com/potato”, thus avoiding brute force attacks and others, which usually target the default url. Just write it down and/or try not to make it a weird url with too many characters so you don’t forget it (although you can always retrieve it by going to the wp_options / perfmatters_options table)

The second field (Disabled Behavior) sets which url the visitor landing on yourdomain/wp-admin will be sent to with three possibilities:

• Message (default): Displays a message to the visitor. You can customize the message with any text you want by adding it in the field Message.
• 404 Template: The user will be sent to a 404 page.
• Home URL: The user is redirected to the home page.

Assets

This is where it gets really interesting.

Script Manager, the icing on the cake

The Perfmatters Script Manager is without a doubt their most powerful and useful tool. This alone is worth every penny of the little you pay for the plugin and its support.

It allows you to disable the scripts and CSS used by each plugin and prevent them from loading on a post or page, in both places or site-wide, filter by logged in or logged out users, by devices and add exceptions, even for categories and tags

This can drastically increase loading speed (especially of the homepage) by eliminating unnecessary requests where plugins are not used, such as forms or anything else.

Mandatory Usage Mode (MU) takes Script Manager much further. It gives much more control and provides the ability to disable WordPress plugin queries and hooks, as well as inline CSS and JS. Now you can control all aspects of a plugin, from its front-end scripts, inline code and MySQL queries wherever you want.

In its global view you will find all applied settings in case one day you need to rearrange them, modify them, add new ones or remove some.

It has a quite complete documentation. If you are not used to this kind of tools it can be intimidating at first, but as soon as you try it you will discover that it is very easy to use.

JavaScript

Defer and delay JavaScript.

Both of these can help to improve FCP and LCP

Adding the defer attribute to every non-critical JavaScript file speeds up the first content painting (FCP) of the page. This means that the JavaScript is downloaded during HTML parsing and executed after the page has finished loading (when parsing has finished). In other words, the javascript download is pushed to the bottom of the page so that it is done at the end of the process.

With delay , the LCP and TBT results are improved. The JavaScript is delayed according to the user interaction, speeding up the first painting of the page when something is not needed immediately, such as heavy scripts from third parties like Google Adsense, Google Analytics, Facebook conversion pixels or Google Ads and similar.

For both options you can add exceptions and enable Delay Timeout behaviour, this sets a timeout that will automatically load scripts after 10 seconds if no user interaction has been detected. This is optional and is disabled by default.

Delay Timeout

If you enable this option you have the possibility to set the delay timeout to a different value using one of these filters.

The one in the example sets it to 7 seconds.

add_filter('perfmatters_delay_js_timeout', function($timeout) {
    return '7';
});

They advise not to set the timeout value too short, otherwise the JS delay function will not work correctly. Also, regardless of the timeout, 99% of the time everything will fire on the first user interaction whether it’s scroll, click or first mouse movement.

CSS

Perfmatters says the easiest way to resolve the “Reduce unused CSS” warning is to enable this feature, which I reviewed when it was still in beta, that does it all automatically. The developers claim to have tested it on hundreds of URLs (using different templates and settings) and these are some of the results they claim to have obtained:

• Average FCP decrease of 15.20%.
• Average LCP decrease of 19.66%.
• Average TTI decrease of 14.95%.

Before activating the “Remove unused CSS” feature in Perfmatters they recommend removing any existing CSS preloads that have been configured in Perfmatters (excluding Google Fonts local stylesheets).
Do not merge CSS (things that are often done with WP Rocket, Litespeed, Autoptimize and others). CSS merge is an obsolete optimisation technique since HTTP/2. In some cases, combining CSS can hurt performance (in my case it hasn’t) and lastly make sure you’re not trying to remove unused CSS with another plugin.

There are three methods of removal:

• Delay (default): All original CSS stylesheets (unused CSS) are delayed and loaded on user interaction. This is the recommended option.
• Asynchronous: All original CSS stylesheets (unused CSS) are loaded via async. This method can help to avoid pop-in, as the stylesheets are executed asynchronously while the page loads. This method will result in a slightly higher LCP/FCP than the delay behaviour.
• Remove: All original CSS stylesheets (unused CSS) are removed. This is the most aggressive method but will also probably require exceptions to be added. It is recommended for advanced users only.

There is no secret here other than to experiment in a test environment and measure the results, both in isolation and in interaction with the other functions.

Code

A useful classic that many other plugins include, something that can even be done by hand, but which simplifies and facilitates the operation of adding custom code to the header, body or footer of your blog

The following fields print code directly to the front-end, so it must be valid HTML. This includes inline CSS inside

It does not support server-side languages such as PHP. To add custom PHP code it is recommended to use the Code Snippets plugin.

Preloading

In Preloading, the first option called"Instant Page" uses the instant.page library and loads a small JS file of less than 2 KB(instantpage.js) locally on your site and is used to preload URLs when a user hovers over a link, or image in the desktop version. On mobile, a URL is preloaded after the user starts tapping the link on their screen and before they release it.

After 65 milliseconds, preloading of the URL starts automatically in the background.

This tool is the equivalent of Litespeed's"Instant Click" and WP Rocket's"Preload Links", so if you use this option in either of these two plugins you should deactivate it to try Perfmatters.

In my case it has worked a little better than the equivalent option in Litespeed although it should be noted that in some cases it can increase the server load.

As with the Javascript and CSS options, the use of preloading and preconnection should be used according to your needs based on different tests.

Preloading critical images (those above the fold), is an option still in Beta that can help to reduce the time taken to paint larger content (LCP) in Core Web Vitals.

These are typically images such as a logo, a featured image in a post, a main image on a landing page, etc. When you preload them, they move to the top of the waterfall and essentially tell the browser that they have priority and should be loaded immediately.

You can choose between zero, to preload none (the default option), and five images. Permatters recommends choosing two or three at most as Chrome has a limit of two preloaded images that will appear at the top of the waterfall.

Lazy loading

Another performance-related classic that WordPress has included natively since its 5.4 release in 2020.

In my case I use the Litespeed option because in the tests I found slightly better results, even so, the Perfmatters one works really well and also applies it to the CSS of the background images

Fonts

Another good thing. This option, added to version 1.7.4 of Perfmatterswas released on 7 June 2022. It allows you to host and load Google Fonts locally with a couple of clicks.

The advantages of hosting fonts locally are many, you gain full control over them, you eliminate all those requests and therefore the loading time and you can decide how to serve them.

The function automatically locates any Google Fonts reference that exists on your blog, downloads the corresponding fonts from fonts.google.com and hosts them locally on your server in the directory: /wp-content/cache/perfmatters/your-domain.com/fonts/

This post explains its use in more detail.

CDN

There is nothing special here and there is little to comment. A tool, always useful to add the CDN you use. As I use QUIC.CLOUD, I haven't needed it yet.

Analitycs

Although I don't use it now as I started the transition to Matomo and I relegated the management of the Analytics script to my RGPD/CCPA cookie consent management plugin , which also manages it correctly, but I know it works very well with Perfmatters because I used it back in the day.

From here you can host the Google Analytics script locally. This helps speed up your site by reducing additional DNS lookups and solving the "exploiting browser cache" problem of their script.

According to Perfmatters, ironically, Google's own script throws up a warning about caching, but this is because they have a very short HTTP cache header expiry. If you host it yourself, the HTTP cache headers from your own CDN or server will be automatically applied. In other words, you gain full control over the script's caching.

They also note that this tool is not officially supported by Google, but has been used for years without any problems.

Hosting Google Analytics locally and serving the script from your own CDN or server also allows you to take advantage of a single HTTP/2 connection.