Optimisation and utility
This section contains directives which are of utilitarian value and bound to save you some time:
Some servers attempt to serve index.html before index.php. This has the implication that trying to
access your site's root, e.g.
http://www.example.com, will attempt to serve an index.html
first. If this file doesn't exist, it will try to serve index.php. However, all of our WordPress sites
only have the index.php, so this checking slows them down unnecessarily on each page request. This rule
works around this problem. Do note that some servers do not allow this and will result in a blank page or
Internal Server Error page.
If your server has mod_expires installed and activated, enabling this option will cause all files and pages served from the site to have an expiration time of 1 hour, which means that the browser will not try to load them over the network before one hour elapses. This is a very desirable feature, as it speeds up your site.
Please note that some static files are given a longer expiration time of 1 week.
This feature REQUIRES the Automatically compress static resources feature to be enabled.
Up to 15% of visitors to your site may not receive compressed resources when visiting your site, even though you have enabled Automatically compress static resources feature above. The reasoning in explained in detail by Yahoo engineers. Enabling the Force GZip compression for mangled Accept-Encoding headers feature will allow clients (browsers) which send mangled Accept headers to be served compressed content, improving the perceived performance of your site for them.
Normally, accessing your site as
http://www.example.com/index.php will result in the same page being loaded. Except for the
cosmetic issue of this behaviour it may also be bad for search engine optimization as search engines
understand this as two different pages with the same content ("duplicate content"). Enabling this option
will redirect requests to index.php, without additional parameter, to your site's root overriding this
Most web servers are designed to treat www and non-www URLs in the same way. For example, if your
http://www.example.com then most servers will also display it if called as
http://example.com. This has many adverse effects. For starters, if a user accesses the www
site, logs in and then visits the non-www site he's no longer logged in, causing a functional issue with
your site's users. Moreover, the duplicate content rules also apply in this case. That's why we suggest
that you enable one of the redirection settings of this option. The different settings are:
Do not redirect. It does no redirection (turns this feature off)
Redirect non-www to www. Requests to the non-www site will be redirected to the www site, e.g.
http://example.com will be redirected to
Redirect www to non-www. Requests to the www site will be redirected to the non-www site, e.g.
http://www.example.com will be redirected to
Sometimes you have to migrate your site to a new domain. Usually this is done transparently, having both domains attached to the same site on the hosting level. However, while a visitor can access the old domain name, the address bar on his browser will still show the old domain name and search engines will believe that you have set up a duplicate content site, having an adverse impact on your search results. So, you'd better redirect the old domain to the new domain with a 301 redirection to alert both users and search engines about the name change. This is what this option does. You can include several old domains separated by commas. For example:
will redirect all access attempts to example.net and www.example.net to the new domain.
Sometimes you need to redirect certain pages of your site to a secure (HTTPS) address. For example, your WooCommerce checkout page.
Use one URL per site and do not include http:// and your domain name. For example, if you want to
have to enter
eshop.html in a new line of this field.
Assuming that you have a site which is only supposed to be accessed over HTTPS, your visitor's web browser has no idea that the site should not be ever accessed over HTTP. There are two privacy implications for your users:
There is a man-in-the-middle attack known as "SSL Stripping". In this case the user will access your site over plain HTTP without having any idea that they should be using HTTPS instead.
Even if WordPress forwards your user to HTTPS by means of a plugin, the unencrypted (HTTP) request can still be logged by an attacker. With a moderate amount of sophistication on the part of the attacker (basically, some $200 hardware an widely available information) they can efficiently eavesdrop at the very least the URLs visited by your user –undetected but to the most vigilant geeks among your users– and probably infer information about them.
The HSTS header can fix SSL Stripping attacks by instructing the browser to always use HTTPS for this website, even if the protocol used in a URL is HTTP. The browser, having seen this header, will always use HTTPS for your site. An SSL Stripping and other man-in-the-middle attacks are possible only if your user visits your site for the first time in a hostile environment. This is usually not the case, therefore the HSTS header can provide real benefits to the privacy of your users.
For more information on what the HSTS header is and how it can protect your site visitors' privacy you can read the Wikipedia entry on HSTS.
Enabling HSTS will also have the following side effects which are designed to prevent unsafe HTTP redirections and cookie leaking:
Most sites will not notice any difference. If you have a strange setup with different HTTP domain names assigned to the same site but only one HTTPS domain (e.g. a shared SSL setup) you may experience redirection issues. In this case we advise you to disable HSTS. Instead, add the following directive in the "Custom .htaccess rules at the bottom of the file" area:
Header always set Strict-Transport-Security "max-age=31536000"
Enabling this option will prevent remote clients from using the HTTP methods TRACE and TRACK to connect to your site. These can be used by hackers to perform privilege escalation attacks known as Cross Site Tracing (XST). To the best of our knowledge there are no side-effects to enabling this feature.
Some servers use the legacy ISO-8859-1 character set as the default when serving content. While WordPress pages will appear correctly –WordPress sends a content encoding header– other content such as JSON data, CSV exports and Admin Tools' messages to blocked users may appear incorrectly if they're using international characters. If you're unsure, try enabling this option.
Your web server sends an ETag header with each static file it serves. Browsers will ask the server in subsequent requests whether the file has a different ETag. If not, they will serve the same file therefore reducing the amount of data they need to transfer from the server (and making the site load faster). By default ETags are calculated based on the file size, last modified date and the inode number. The latter depends on the location of the file inside the filesystem of the server.
When you have a site hosted on a single server this is great. If your static files are, however, hosted on a server farm this may not be a good idea. The reason is that every static file is stored on different server and while the file size and last modified date might be the same the inode number will differ, therefore causing the browser to perform unnecessary file transfers. This is where this option comes in handy.
Do NOT change this option if your site is hosted on just one server. If you are not sure or have no idea what that means then your site is hosted on just one server and you MUST NOT change this option. Please bear in mind that site speed analysers like YSlow are designed for gigantic sites running off hundreds or thousands of servers. Their site speed checklists DO NOT work well with the vast majority of sites you are working on, i.e. very small sites running off a single server. Treat these checklists as suggestions: you need to exercise common sense, not blindly follow them. If you disable ETags on a small site you are more likely to do harm than good!
The available options are:
Server default. Use whatever setting the server administrator has chosen. If you are not perfectly sure you know what you're doing choose this option.
Full. Send ETags based on file size, last modification date/time and inode number.
Size and Time. Send ETags based on file size and last modification date/time only.
Size only. Send ETags based on file size only.
None (no ETag sent). Disable ETags completely. Do keep in mind that if you do not also enable the Set default expiration option you will be hurting your site's performance BIG TIME.
While surfing, your browser will send out some information about the previous you were visiting (the Referrer that brought you to the new page). This is useful for analytics, for example you can easily track down how many visitors came from Twitter or any other page.
However, there are security implications about the Referrer header. What if on the private area of your website there are sensible information? Think about a private support area, where there is a ticket with the link www.example.com/private-support/help-my-site-www-foobar-com-is-hacked ; you post a reply with a link to a Stack Overflow reply, the user clicks on it and... whops! Now Stack Overflow knows that the site www.foobar.com was hacked.
The Referrer Policy header will instruct your browser when to send the Referrer header and how many information you want to share.
Do not set any policy You're not setting any instruction to the browser
(Empty) You do not want to set the Referrer Policy here (as
header) and the browser should fallback to other mechanisms, for example using the
<meta> element or the
referrerpolicy attribute on
no-referrer Never send the referer header
no-referrer-when-downgrade The browser will not send the referrer header when navigating from HTTPS to HTTP, but will always send the full URL in the referrer header when navigating from HTTP to any origin. It doesn't matter whether the source and destination are the same site or not, only the scheme.
same-origin The browser will only set the referrer header on requests to the same origin. If the destination is another origin then no referrer information will be sent.
origin The browser will always set the referrer header to the origin from which the request was made. This will strip any path information from the referrer information.
Navigating from HTTPS to HTTP will disclose the secure origin in the HTTP request.
strict-origin This value is similar to
above but will not allow the secure origin to be sent on a HTTP request, only HTTPS.
origin-when-cross-origin The browser will send the full URL to requests to the same origin but only send the origin when requests are cross-origin.
Navigating from HTTPS to HTTP will disclose the secure URL or origin in the HTTP request.
strict-origin-when-cross-origin Similar to
origin-when-cross-origin above but will not allow any information to be sent when a
scheme downgrade happens (the user is navigating from HTTPS to HTTP).
unsafe-url The browser will always send the full URL with any request to any origin.