WordPress Tweaks
Enable or disable individual WordPress tweaks. Disabled tweaks don’t load any code.
Most “performance” toggles in WordPress page builders or SEO plugins are actually just “Code Cleaning” or “Security through Obscurity.”
They rarely make a site feel “faster” to a human, but they do reduce the bloat in your <head> and slightly improve how bots crawl your site.
Here is how these categorize across General Performance, SEO-specific, and Security/Housekeeping.
Most “performance” toggles in WordPress page builders or SEO plugins are actually just “Code Cleaning” or “Security through Obscurity.”
They rarely make a site feel “faster” to a human, but they do reduce the bloat in your <head> and slightly improve how bots crawl your site.
Here is how these categorize across General Performance, SEO-specific, and Security/Housekeeping.
1. Performance & Speed Optimization
These toggles physically reduce the amount of data a visitor’s browser has to download or the number of tasks your server has to perform.
| Feature | Category | Why? | How |
|---|---|---|---|
| Optimize Heartbeat | Server CPU | WordPress “pulses” every 15s to check for autosaves/notifications. This slows that pulse to 60s or kills it on the frontend to save server energy. | |
| Remove Gutenberg CSS | Asset Bloat | WordPress loads a stylesheet for its “Block Editor” on every page. If you use a builder like Breakdance, this file is dead weight. | |
| Disable Emojis | Asset Bloat | Removes a JS file and CSS that replaces standard browser emojis with custom WP ones. Saves 1 HTTP request and a few KB. | |
| Remove jQuery Migrate | Asset Bloat | A “compatibility” file for ancient plugins. Modern sites (Breakdance-built) don’t need it, saving another JS download. | |
| Remove Query Strings | Caching | Removes ?ver=1.2 from URLs. Some older CDN/Proxy servers won’t cache files if they see a query string at the end. | |
| Disable Admin Icons | Asset Bloat | Prevents dashicons.min.css from loading for logged-out users. Regular visitors don’t need the “admin” icon font. |
2. SEO & Metadata Cleanup
These don’t necessarily make the site “faster,” but they clean up the “Head” of your website code to make it easier for search engines to understand what’s important.
| Feature | Category | Why? |
Remove hentry Class | Schema/SEO | Prevents Google from seeing “Microformats” data. Useful if you want to use your own professional Schema without WP adding “hidden” errors. |
| Disable Shortlink Tag | SEO Cleanup | Removes the <link rel='shortlink'> tag. It’s a redundant URL that can confuse crawlers about which version of the page is the “real” one. |
| Relational Links | SEO Cleanup | Removes “Next” and “Previous” post links from the header. Mostly obsolete; clearing them out reduces “code noise” for bots. |
| Disable RSS Links | SEO/User Exp | If you don’t have a blog, this stops bots from trying to find and “scrape” your RSS feed. |
| Disable OEmbed/Embeds | Code Cleanup | “Prevent others embedding this site” Removes discovery links, embed.js, and REST endpoint. Nobody can easily embed your content in their site. Zero impact on your ability to add YouTube etc. |
| Code Cleanup | “Disable outbound embeds” Stops WordPress auto-converting pasted URLs (YouTube, Twitter, etc.) into embedded players. Use this if you want clean URLs in content instead of iframes, or if you’re handling embeds manually via Breakdance. | |
| WP REST Metadata | Code Cleanup | Removes the link in your header that points to the JSON API. Keeps your source code cleaner and more private. |
3. Security & Hardening (The “Keep Bots Out” List)
These don’t make the site faster for a human, but they stop your server from being “noisy” to hackers and reduce the success of automated attacks.
| Feature | Category | Why? |
| Disable XML-RPC | Security | An old way for apps to talk to WP. It is the #1 target for “Brute Force” login attacks. If you don’t use the WP Mobile App, kill it. |
| Disable Pingbacks | Security/Spam | Prevents other sites from “pinging” yours when they link to you. Primarily used today for spam and DDoS “reflection” attacks. |
| WP Version / Generator | Security | Hides exactly which version of WordPress you are running. This makes it harder for bots to target you with version-specific exploits. |
| Disable REST API (Public) | Security | Stops random people/bots from viewing your user list or site structure via the JSON API. |
| Remove X-Powered-By | Security | Hides the “PHP” version info from the server header. One less piece of intel for a hacker. |
| RSD & WLW Links | Security/Relic | “Really Simple Discovery” and “Windows Live Writer” are 20-year-old tools for blog editors. They are useless today and reveal site info. |
| If you enable… | Does it remove the RSD Link? | Does it stop Pingbacks? | Does it lock the “Door”? |
| Remove RSD Link | Yes | No | No |
| Disable Pingbacks | No | Yes | No |
| Disable XML-RPC | Yes | Yes | Yes |
Conflict Management
The “Litespeed” & “Breakdance” Problem
When two tools try to do the same thing, you usually get one of three results:
- Redundant (Safe): Both tools try to “Unset” a variable. The first one wins, the second one finds nothing to do. (e.g., Removing WP Version). Impact: None.
- Conflict (Error): One tool moves a file, the second tool looks for that file to optimize it, can’t find it, and throws a PHP Warning. (e.g., Minifying CSS). Impact: Errors in logs.
- Logical Overlap (Performance): If Litespeed Cache is “Optimizing Heartbeat” and your plugin “Disables” it, your plugin will likely win because it prevents the script from even triggering, whereas Litespeed might just be trying to buffer the response.
Example: Heartbeat Control
- SCOS Software: uses a PHP filter to change the frequency or
wp_deregister_script. - Litespeed: Can do the same, but it often does it via the
.htaccesslevel or its own optimization engine. - Verdict: Turn it on in ONE place. Your software is better because it’s “closer to the code.” If you enable both, you aren’t “double-saving” energy; you’re just making the server run two checks to perform one action.
The “Breakdance Note” Strategy
Since SCOS Site Essentials, Breakdance and SEOPress have a massive overlap, you should centralize these settings.
Advice: If you use Breakdance, toggle them there. Breakdance handles the “Frontend” (what the user sees) very efficiently. If you use SEOPress for these, it adds a tiny bit of PHP overhead to “filter” them out after the fact.
oEmbed Word of Caution:
Before you disable oEmbed, make sure you don’t plan on pasting a YouTube link into a text block and having it automatically turn into a video. That is exactly what that toggle breaks.
A Note on “Disable REST API”
Be careful with “Disable REST API for Non-Logged Users.” * Breakdance uses the REST API for its builder and some dynamic elements.
- Contact Form plugins (like Contact Form 7) often use it for submissions.
- Search features sometimes rely on it.
If disabling it make sure you add/allows exceptions for specific endpoints those plugins need, otherwise, your forms might “spin” forever and never send.
| Feature | Category | Sub-Category | Why | How |
|---|---|---|---|---|
| Disable Emojis | Performance & Speed | Scripts & Styles | WordPress loads an emoji detection script, a stylesheet, and a DNS prefetch to s.w.org on every page — even if you use zero emojis. Modern OS/browsers render emoji natively. | 7× remove_action strips the script + styles from wp_head, admin, feeds, and email. tiny_mce_plugins filter drops wpemoji from TinyMCE. wp_resource_hints filter kills the DNS prefetch. |
| Remove jQuery Migrate | Performance & Speed | Scripts | jQuery Migrate is a shim that lets old jQuery 1.x code run on modern jQuery. Costs ~9KB on every page. If your theme/plugins are modern, it’s dead weight. | Hooks into wp_default_scripts, strips jquery-migrate from jQuery’s dependency array. Frontend only — admin is untouched. |
| Optimize Heartbeat | Performance & Speed | Server CPU | WordPress “pulses” every 15s via AJAX (/wp-admin/admin-ajax.php) to power autosave, post locking, and dashboard widgets. On the frontend it has no value and burns server PHP cycles. | heartbeat_settings filter changes interval from 15 → 60s in admin. wp_deregister_script('heartbeat') via init priority 1 kills it entirely on the frontend. |
| Remove Query Strings | Performance & Speed | Caching | URLs like style.css?ver=6.4.1 tell proxy caches and CDNs to treat each version as a unique file. Some older CDNs/proxies ignore query strings and serve stale files. Removing them gives clean cache keys. | script_loader_src + style_loader_src filters at priority 15 strip ?ver= params using remove_query_arg. |
| Remove RSD Link | Code Cleanup | Head Bloat | Really Simple Discovery is a 2002-era protocol for desktop blog editors (like MarsEdit) to find your API endpoints. Zero value for modern sites. | Single remove_action('wp_head', 'rsd_link'). |
| Remove Windows Live Writer Link | Code Cleanup | Head Bloat | A manifest link for Microsoft’s discontinued Windows Live Writer desktop app (2003–2017). Dead protocol, dead app. | Single remove_action('wp_head', 'wlwmanifest_link'). |
| Remove WordPress Version | Security + Code Cleanup | Fingerprinting | The <meta name="generator" content="WordPress 6.x"> tag broadcasts your exact WP version. Makes automated vulnerability scanning trivially easy. | remove_action('wp_head', 'wp_generator'). Note: version also leaks via RSS feed and some script/style ?ver= params — this only covers the meta tag. |
| Disable XML-RPC | Security | Attack Surface | XML-RPC (/xmlrpc.php) is a legacy remote API. It’s a common brute-force and DDoS amplification target. 99% of sites don’t need it — Jetpack being the main exception. | xmlrpc_enabled filter returns false. wp_headers filter removes the X-Pingback response header that advertises the endpoint. |
| Disable REST API (non-logged) | Security | Access Control | The REST API exposes user data, content, and can be probed. Limiting it to logged-in users reduces enumeration and abuse. Has a built-in whitelist for WooCommerce + Brighter endpoints that must stay public. | rest_authentication_errors filter returns WP_Error 401 for unauthenticated requests. Whitelists /wp-json/wc/, /wp-json/brighter/, /wp-json/brighter-core/, /wp-json/brighter-x/. |
| Prevent Inbound Embeds | Code Cleanup | Discovery Leakage | Stops other sites from easily embedding your content. Zero impact on what you can embed. Cleans up 2 <head> tags and one REST route. No user-facing impact. | Removes REST oEmbed endpoint Removes <head> discovery linksRemoves embed.js host scriptinit priority 9999: remove_action('rest_api_init', 'wp_oembed_register_route'), remove_action('wp_head', 'wp_oembed_add_discovery_links'), remove_action('wp_head', 'wp_oembed_add_host_js'). |
| Disable Outbound Embeds | Performance & Speed | Page Weight / Iframes | Prevents WordPress converting raw pasted URLs into embedded players. Saves the oEmbed HTTP fetch on page load. Use when Breakdance controls embeds or you want URLs to stay as links. | Removes autoembed and run_shortcode from the_contentDisables oEmbed auto-discovery Removes the dataparse filter remove_filter('the_content', [$wp_embed, 'autoembed'], 8) + remove_filter('the_content', [$wp_embed, 'run_shortcode']) + embed_oembed_discover → false + remove_filter('oembed_dataparse', 'wp_filter_oembed_result', 10). |
Conflict/Overlap Notes (for “who wins” decisions)
| Tweak | Likely also in… | Decision guide |
|---|---|---|
| Disable Emojis | SEOPress, Perfmatters, WP Rocket, LiteSpeed | Pick one. If LiteSpeed is handling it, disable yours. Check with “View Source” — if emoji-release script is gone, it’s working. |
| Remove Query Strings | WP Rocket, LiteSpeed, Perfmatters | Can conflict. CDNs + caching plugins often handle this better with extra logic. Disable yours if your caching plugin covers it. |
| Optimize Heartbeat | WP Rocket (“Heartbeat” tab), Perfmatters | Same filter, last one registered wins. Your code doesn’t kill it on admin, WP Rocket gives more granular control. You may want to defer to WP Rocket if active. |
| Disable XML-RPC | Wordfence, iThemes Security | Wordfence has extra logic (rate limiting the file directly). If Wordfence is active, it wins — disable yours to avoid double filtering. |
| Disable REST API | Wordfence, iThemes Security | Your code has Brighter-specific whitelist logic that generic plugins won’t have — your code should be the winner here. |
| Remove WP Version | SEOPress, Yoast SEO (via options), security plugins | Low conflict risk, remove_action is idempotent. Safe to leave both on. |
