Wordfence 7.8.0 Is Out! Here Is What Is Included

Wordfence 7.8.0 is out! A huge thanks to our quality assurance team, our team of developers and our ops team for planning, implementing and releasing Wordfence 7.8.0. This release has several fixes to make Wordfence even more robust, and includes a fundamental change in the way our signup works.

Since our launch in 2012, the signup flow for Wordfence has not required you to leave your own WordPress installation and come to our website. We briefly required this, but removed it 10 days after launch.

Wordfence has grown to a community of over 4 million active websites and a very large number of paying customers. Wordfence is now downloaded over 30,000 times every day. Today we spend a huge amount of money on providing the services that our free and paid community needs to stay secure. Privacy laws have also changed profoundly since 2012.

Scaling up our operations has required us to get better at capacity planning, which means knowing how many installations we’re getting, how many are bots or spam, who is communicating with our servers during a scan, and whether it is a real website running Wordfence, a nulled plugin or someone simply using our resources to power something unrelated to Wordfence.

Privacy laws have also added the need for us to be able to communicate with our free customers to alert them to privacy policy and terms of use changes.

This has required us to adjust our signup flow to match other popular plugins out there, like Akismet. Many customers may find this is a clearer signup workflow because we no longer need to shoehorn a complex user experience into a set of modals on a site where we don’t control presentation.

This change will not disrupt any of our existing free or paid customers. If you have a free API key that Wordfence automatically fetched when you installed it, that key will remain valid and your site will continue uninterrupted. If you have a paid Wordfence API key, your key will continue to work without disruption. We are not requiring any existing customers to visit our site to install a new key.

The only users this affects are new free Wordfence installations. The installation process is quite simple. You install Wordfence and are directed to our site. You can choose a paid or free option. If you choose the paid option, you’ll go through our checkout process as usual. If you choose free, we’ll email you your key. The email includes a button that you can click to automatically take you back to your site where your key will be automatically installed. The email also includes your Wordfence key in case you need to manually install it.

A side benefit of this new process is that our free customers will now have a record of their API key in their email inbox for future reference.

If you have any questions related to this change, our customer service team is standing by to assist you on our forums for free customers, and via our ticket system for paid customers. We welcome your input.

We’re including the full changelog for Wordfence 7.8.0 below. You’ll notice that we’ve mentioned that additional WooCommerce support is on its way, so keep an eye out for that.

Thanks for choosing Wordfence!

Mark Maunder – Wordfence Founder & CEO.

Wordfence 7.8.0 Changelog

Change: Updated Wordfence registration workflow

For new installations of Wordfence, registering for a new license key now occurs on wordfence.com instead of within the plugin interface. Allows us to provide a more complete signup experience for our free and paid customers. Also allows us to do better capacity planning.

Improvement: Added feedback when login form is submitted with 2FA

When logging in with two-factor authentication, the “Log In” button is now disabled during processing, so that it is clear the button was clicked. Sometimes on slower sites, it was hard to tell whether the login was going through, leading users to click more than once.

Fix: Restored click support on login button when using 2FA with WooCommerce

Clicking the “Log In” button after entering a 2FA code on a WooCommerce site was no longer working, while pressing “Enter” still worked. Both methods now work as expected. Additional support for WooCommerce is coming in the near future.

Fix: Corrected display issue with reCAPTCHA score history graph

The reCAPTCHA score history graph was sometimes displayed larger than intended when switching tabs. It now has a set size, so that it does not become unusually large.

Fix: Prevented errors on PHP caused by corrupted login timestamps

One Wordfence user reported an error on PHP 8, and upon investigation, we found that a timestamp for some user records contained invalid data instead of the expected timestamp. We don’t expect this to occur on other sites, but in case another plugin had modified the value, we now check the value before formatting it as a timestamp.

Fix: Prevented deprecation notices on PHP 8.2 related to dynamic properties

Future versions of PHP will no longer allow use of variables on an object unless they are previously declared. This is still allowed even in PHP 8.2, but PHP 8.2 can log a warning about the upcoming change, so Wordfence has been updated to declare a few variables where necessary, before using them.

Did you enjoy this post? Share it!

Source :
https://www.wordfence.com/blog/2022/11/wordfence-7-8-0-announcement/

How to Install and Configure Free Hyper-V Server 2019/2016?

Microsoft Hyper-V Server is a free version of Windows hypervisor that can be used to run virtual machines. In this guide, we’ll look at how to install and configure Microsoft Hyper-V Server 2019  (this guide also applies to Hyper-V Server 2016).

Contents:

Microsoft announced that they won’t not be releasing a Hyper-V Server 2022 version. This is because they are currently focusing on another strategic product, Azure Stack HCI.

Hyper-V Server 2019 is suitable for those who don’t want to pay for a hardware virtualization operating system. The Hyper-V has no restrictions and is completely free. Key benefits of Microsoft Hyper-V Server:

  • Support of all popular OSs. There are no compatibility problems. All Windows and modern Linux and FreeBSD operating systems support Hyper-V;
  • A lot of different ways to backup virtual machines: simple scripts, open-source software, free and commercial versions of popular backup programs;
  • Although Hyper-V Server doesn’t have a Windows Server GUI (graphical management interface), you can manage it remotely using a standard Hyper-V Manager console or Windows Admin Center web interface;
  • Hyper-V Server is based on a popular Windows Server platform, familiar and easy to work with;
  • You can install Hyper-V on a pseudoRAID, for example, Inter RAID controller, or Windows software RAID;
  • You do not need to license your hypervisor, it is suitable for VDI or Linux VMs;
  • Low hardware requirements. Your processor must support software virtualization (Intel-VT or VMX by Intel, AMD-V/ SVM by AMD) and second-level address translation (SLAT) (Intel EPT or AMD RV). These processor options must be enabled in BIOS/UEFI/nested host. You can find full system requirements on the Microsoft website;
  • It is recommended to install Hyper-V on hosts with at least 4 GB RAM.

Do not confuse a Windows Server 2022/2019/2016 (Full GUI or Server Core edition) with the Hyper-V role installed with Free Microsoft Hyper-V Server 2019/2016. These are different products.

It is worth to note that if you are using a free hypervisor, you are still responsible for licensing your virtual machines. You can run any number of VMs running any open-source OS, like Linux, but you have to license your Windows virtual machines. If you are using Windows Server as a guest OS, you must license it by the number of physical cores on your Hyper-V host. See more details on Windows Server licensing in a virtual environment here 

What’s New in Microsoft Hyper-V Server 2019?

Let’s consider the new Hyper-V Server 2019 features in brief:

  • Added support for Shielded Virtual Machines for Linux;
  • VM configuration version 9.0 (with hibernation support);
  • ReFS deduplication support;
  • Core App Compatibility: the ability to run additional graphic management panels in the Hyper-V server console;
  • Support for 2-node Hyper-V cluster and cross-domain cluster migration

How to Install Hyper-V Server 2019/2016?

You can download Hyper-V Server 2019 ISO install image here: https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2019.

download microsoft hyper-v server 2019 iso image

After clicking on the “Continue” button, a short registration form will appear. Fill in your data and select the language of the OS to be installed. Wait till the Hyper-V image download is over. The .iso file size is about 3 GB.

hyper-v server download

Installing Microsoft Hyper-V Server is identical to installing Windows 10/11 on a desktop computer. Just boot your server (computer) from the bootable USB flash drive with the Microsoft Hyper-V Server installation image (the easiest way to burn the ISO image to a USB drive is to use the Rufus tool). Then follow the instructions of the Windows setup wizard.

install hyper-v server 2019

Manage Hyper-V Server Basic Settings Using Sconfig

After the installation, the system will prompt you to change the administrator password. Change it, and you will get to the hypervisor console.

set hyper-v administrator password

Please note that Hyper-V Server does not have a familiar Windows GUI. You will have to configure most settings through the command line.

sconfig tool - configure hyper-v basic settings

There are two windows on the desktop — the standard command prompt and the sconfig.cmd script window. You can use this script to perform the initial configuration of your Hyper-V server. Enter the number of the menu item you are going to work with in the “Enter number to select an option:” line.

  1. The first menu item allows you to join your server to an AD domain or a workgroup; join hyper-v to domain or workgroup
  2. Set a hostname for your Hyper-V Server;
  3. Create a local administrator user (another account, besides the built-in administrator account). I’d like to note that when you enter the local administrator password, the cursor stays in the same place. However, the password and its confirmation are successfully entered;
  4. Enable remote access to your server. Thus, you will be able to manage it using Server Manager, MMC consoles, and PowerShell, connect via RDP, check its availability using ping or tracert;
  5. Configure Windows Update. Select one of the three modes:
    • Automatic (automatic update download and installation)
    • DownloadOnly (only download without installation)
    • Manual (the administrator decides whether to download or install the updates)
  6. Download and install the latest Windows security updates.
  7. Enable RDP access with/without NLA.
  8. Configure your network adapter settings. By default, your server receives the IP address from the DHCP server. It is better to configure the static IP address here;configuring ip addres on hyper-v server
  9. Set the date and time of your system.
  10. Configure the telemetry. The Hyper-V won’t allow you to disable it completely. Select the mode you want. hyper-v telemetry settings

You can also configure the date, time, and time zone using the following command:

control timedate.cpl

Regional settings:

control intl.cpl

These commands will open standard Windows consoles.

set time and date on hyper-v

Note! If you accidentally close all windows and see the black Hyper-V screen, press Ctrl+Shift+Esc to start the Task Manager (this keyboard shortcut works in an RDP session as well). You can use Task Manager to start the command prompt or the Hyper-V configuration tool (click File -> Run Task -> cmd.exe or sconfig.cmd).

How to Remotely Manage Hyper-V Server 2019?

To conveniently manage Free Hyper-V Server 2019 from the graphic interface, you can use:

  • Windows Admin Center – a web-based console;
  • Hyper-V Manager — can be installed both on Windows Server and Windows 10/11 desktop computers.

To manage the Hyper-V Server 2016/2019, you will need a computer running x64 Windows 10/11 Pro or Enterprise edition.

Remotely Manage a Non-Domain Hyper-V Server with Hyper-V Manager

Let’s look at how to remotely connect to a Hyper-V Server host from another Windows computer using the Hyper-V Manager console. In this article, we assume that you have a Hyper-V Server and a Windows 10 computer in the same workgroup.

First, make settings on the Hyper-V Server. Start the PowerShell console (powershell.exe) and run the following commands:

Enable-PSRemoting
Enable-WSManCredSSP -Role server

Answer YES to all questions. Thus you will configure the automatic startup of the WinRM service and enable remote management rules in your firewall.

hyper-v: enable winrm and credssp server

Now let’s move on to setting up the Windows 10 or 11 client computer that you will use to manage your Hyper-V Server host.

The Hyper-V server must be accessible by its hostname.  In the domain network, it must correspond to the A-record on the DNS server. In a workgroup environment, you will have to create the A record manually on your local DNS or add it to the hosts file (C:\Windows\System32\drivers\etc\hosts) on a client computer. In our case, it looks like this:

192.168.13.55  HV19

You can add an entry to the hosts file using PowerShell:

Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "192.168.13.55 hv19"

Add your Hyper-V server to the trusted host list:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "hv19"

If the account you are using on a client computer differs from the Hyper-V administrator account (and it should be so), you will have to explicitly save your credentials used to connect to the Hyper-V server to the Windows Credential Manager. To do it, run this command:

cmdkey /add:hv19 /user:Administrator /pass:HV1Pa$$w0drd

Check the network profile you are using on the Windows 10 client. If the network type is Public, you need to change the location to Private:

Get-NetConnectionProfile|select InterfaceAlias,NetworkCategory

windows: set network category to private

Set-NetConnectionProfile -InterfaceAlias "EthernetLAN2" -NetworkCategory Private

Run the command:

Enable-WSManCredSSP -Role client -DelegateComputer "hv19"

enable-wsmancredssp client

Now run the gpedit.msc command to open the Local Group Policy Editor.

  1. Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation;
  2. Enable the parameter Allow Delegating Fresh Credentials with NTLM-only Server Authentication;
  3. Click the Show button and add two string values: wsman/hv19 and wsman/hv19.local
  4. Close the GPO editor console and update your local group policy settings using the command gpupdate /force
gpo: allow delegating ntlm credentials for hyper-v server

Now you need to install the Hyper-V Manager console in Windows. Open the Programs and Features snap-in and go to Turn Windows Features on or off. In the next window, find Hyper-V, and check Hyper-V GUI Management Tools to install it.

Also, you can install the Hyper-V Manager snap-in on Windows 10/11 using PowerShell:

Enable-WindowsOptionalFeature -Online –FeatureName Microsoft-Hyper-V-Management-Clients

install hyper-v manager gui on windows 10

Run the Hyper-V Manager snap-in (virtmgmt.msc), right-click Hyper-V Manager and select Connect to Server. Specify the name of your Hyper-V Server.

hyperv manager: connect remote server

Now you can manage Hyper-V Server settings, and create and manage virtual machines from the graphical console.

manage hyper-v server from win10

Managing Hyper-V Server with Windows Admin Center

You can use the Windows Admin Center (WAC) to remotely manage a Hyper-V Server host. WAC is a web-based console and dashboard to manage Windows Server, Server Core, and Hyper-V Server hosts.

Enable the rules to allow SMB connections in Windows Defender Firewall on the Hyper-V Server:

Set-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Enabled true -PassThru

Now you need to download (https://aka.ms/WACDownload) and install the Windows Admin Center agent on your Hyper-V host. Download WindowsAdminCenter2110.2.msi on any Windows computer. You can copy the installation MSI file to the Hyper-V Server using a remote SMB connection to the administrative share C$. Run the following command on your Windows client device:

Win+R -> \\192.168.13.55\C$ and enter the Hyper-V administrator password. Create a folder and copy the MSI file to the Hyper-V Server host.

copy windowsadmincenter.msi to hyperv server

Now run the WAC installation from the Hyper-V console:

c:\distr\WindowsAdminCenter2110.2.msi

install windows admin center on hyper-v

Install WAC with default settings.

You can secure your remote connection using WinRM over HTTPS.

After the installation is complete, you can connect to your Hyper-V Server from a browser, just go to the URL https:\\192.168.13.55:443

You will see the dashboard of your Hyper-V Server host. Here you can check basic information about the server, resources used, etc.

WAC Hyper-V dashboard

Hyper-V host settings can be configured under WAC -> Settings -> Hyper-V Host Settings. The following sections are available:

  • General
  • Enhanced Session Mode
  • NUMA Spanning
  • Live Migration
  • Storage Migration
Configure Microsoft Hyper-V Server using Windows Admin Center web console

You will primarily use two sections in the WAC console to manage Hyper-V:

WAC: manage Hyper-V VMs from browser

Next, I will look at some ways to manage Hyper-V Server settings using PowerShell

Configuring Hyper-V Server 2019 Host with PowerShell

You can configure Hyper-V Server settings using PowerShell. There are over 238 cmdlets available in the Hyper-V module for managing Hyper-V hosts and VMs.

Get-Command –Module Hyper-V | Measure-Object

Configure the automatic start of the PowerShell console (instead of cmd.exe) after logon.

New-ItemProperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run -Name PowerShell -Value "cmd /c start /max C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noExit" -Type string

set powershell.exe as a default processor on hyper-v server

Now, when you log into the server, a PowerShell prompt will appear.

How to Configure Hyper-V Server 2019 Network Settings with PowerShell?

If you have not set the network settings using sconfig.cmd, you configure them through PowerShell. Using Get-NetIPConfiguration cmdlet, you can view the current IP configuration of network interfaces.

Get-NetIPConfiguration - view ip setting on hyper-v

Use PowerShell to assign a static IP address, netmask, default gateway, and DNS server addresses. You can get the network adapter index (InterfaceIndex) from the output of the previous cmdlet.

New-NetIPAddress -InterfaceIndex 4 -IPAddress 192.168.1.2 -DefaultGateway 192.168.1.1 -PrefixLength 24

set ip addres on hyper-v server using New-NetIPAddress

Set-DnsClientServerAddress -InterfaceIndex 4 -ServerAddresses 192.168.1.3,192.168.1.4

Set-DnsClientServerAddress

To configure IPv6, get the interface name using the Get-NetAdapter cmdlet from the PowerShell NetTCPIP module.

Get-NetAdapter

Check the current IPv6 setting using the following command:

Get-NetAdapterBinding -InterfaceDescription "Intel(R) PRO/1000 MT Network Connection" | Where-Object -Property DisplayName -Match IPv6 | Format-Table –AutoSize

hyper-v set ipv6 settings powershell

You can disable IPv6 as follows:

Disable-NetAdapterBinding -InterfaceDescription "Intel(R) PRO/1000 MT Network Connection " -ComponentID ms_tcpip6

Enable Hyper-V Remote Management Firewall Rules

You can view the list of cmdlets to manage Windows Firewall using Get-Command:

Get-Command -Noun *Firewall* -Module NetSecurity

powershell NetSecurity module to manage firewall on hyper-v host

To allow full remote management of your server, run the following commands one by one to enable Windows Firewall rules using PowerShell:

Enable-NetFireWallRule -DisplayName "Windows Management Instrumentation (DCOM-In)"
Enable-NetFireWallRule -DisplayGroup "Remote Event Log Management"
Enable-NetFireWallRule -DisplayGroup "Remote Service Management"
Enable-NetFireWallRule -DisplayGroup "Remote Volume Management"
Enable-NetFireWallRule -DisplayGroup "Windows Defender Firewall Remote Management"
Enable-NetFireWallRule -DisplayGroup "Remote Scheduled Tasks Management"

Configuring Hyper-V Storage for Virtual Machines

We will use a separate partition on a physical disk to store Hyper-V files (virtual machine files and iso files). View the list of physical disks on your server.

Get-Disk

Get-Disk - get physical disk info

Create a new partition of the largest possible size on the drive and assign the drive letter D: to it. Use the DiskNumber from Get-Disk results.

New-Partition -DiskNumber 0 -DriveLetter D –UseMaximumSize

Then format the partition to NTFS and specify its label:

Format-Volume -DriveLetter D -FileSystem NTFS -NewFileSystemLabel "VMStorage"

Learn more on how to manage disks and partitions using PowerShell.

Create a directory where you will store virtual machine settings and vhdx files using the New-Item cmdlet:

New-Item -Path "D:\HyperV\VHD" -Type Directory

Create D:\ISO folder to store OS installation ISO images (distros):

New-Item -Path D:\ISO -ItemType Directory

In order to create a shared network folder, use the New-SmbShare cmdlet. Grant full access permissions to the local server administrators group:

New-SmbShare -Path D:\ISO -Name ISO -Description "OS Distributives" -FullAccess "BUILTIN\Administrators"

For more information on the basic configuration of Hyper-V Server and Windows Server Core from the command line, see this article.

Configure Hyper-V Server Host Settings with PowerShell

List current Hyper-V Server host settings using this command:

Get-VMHost | Format-List

Set-VMHost - change hyper-v server settings via powershell

By default, Hyper-V stores virtual machine configuration files and virtual disks on the same partition where your operating system is installed. It is recommended to store VM files on a separate drive (partition). You can change the default VM folder path with this command:

Set-VMHost -VirtualMachinePath D:\Hyper-V -VirtualHardDiskPath 'D:\HyperV\VHD'

Creating a Virtual Switch for Hyper-V VMs

Create an external switch connected to the physical NIC of the Hyper-V server. Your virtual machines will access the physical network through this network adapter.

Check the SR-IOV (Single-Root Input/Output (I/O) Virtualization) support:

Get-NetAdapterSriov

Get the list of connected network adapters:

Get-NetAdapter | where {$_.status -eq "up"}

Bind your virtual switch to the network adapter and enable SR-IOV support if it is available.

Hint. You won’t be able to enable or disable SR-IOV support after creating the vswitch. You will have to recreate the switch to change this parameter.

New-VMSwitch -Name "Extenal_network" -NetAdapterName "Ethernet 2" -EnableIov 1

Use these cmdlets to check your virtual switch settings:

Get-VMSwitch
Get-NetIPConfiguration –Detailed

This completes the initial setup of Microsoft Hyper-V Server 2016/2019. You can move on to creating and configuring your virtual machines.

We described PowerShell commands for managing Hyper-V and virtual machines in more detail in this article.

Source :
http://woshub.com/install-configure-free-hyper-v-server/

How to Deploy Dell SupportAssist using SCCM | ConfigMgr

In this guide, I will show you how to deploy Dell SupportAssist using SCCM (ConfigMgr). We’ll get the latest version of the Dell SupportAssist tool, create an application in SCCM, and then deploy it to our computers.

According to Dell, the SupportAssist is an automated proactive and predictive support solution for computers and tablets. SupportAssist also evaluates the health of your servers, storage, and networking devices to eliminate downtime before it even starts.

When you purchase brand-new laptops and desktop computers from Dell, SupportAssist is already preinstalled. SupportAssist is installed on most Dell PCs with Windows 10 and Windows 11. You can find it by searching for “SupportAssist” in your Windows start menu. Home users can use the Dell SupportAssist tool to update drivers, including the system BIOS, and resolve problems.

Configuration Manager is the best choice for Dell SupportAssist deployment on multiple computers. You can deploy the Dell Support Assist to client computers and allows users to install it via Software Center. An added advantage of Dell SupportAssist deployment using SCCM is Dell provides .msi installer for application deployment for enterprises.

If you are using Configuration Manager to manage Dell laptops, you can use the application model to deploy Dell SupportAssist software to client computers using SCCM. The application can also be added to a task sequence, which lets you use the bare-metal deployment scenarios to install Dell SupportAssist on new laptops.

Recommended ArticleDeploy Windows 11 22H2 using SCCM | Configuration Manager

What is Dell SupportAssist Tool?

Let’s understand what exactly is the Dell SupportAssist tool and identify its features. The SupportAssist by Dell is the smart technology, available on your PC that will keep it running like new by removing viruses, detecting issues, optimizing settings and telling you when you need to make updates.

With SupportAssist tool, you can perform the following

  • Update your drivers and applications for peak PC performance
  • Remove virus and malware infested files before then can harm your system.
  • Scan your PCs hardware to find issues and deliver proactive and predictive support.
  • Clean files, tune performance, and adjust network settings to optimize speed, storage space and stability.

The Dell SupportAssist also has an OS Recovery environment that enables you to diagnose hardware issues, repair your computer, back up your files, or restore your computer to its factory state. The Dell Support Assist OS Recovery is only available on certain Dell laptops with a Microsoft Windows 10/11 operating system that was installed by Dell.

Download Dell SupportAssist MSI Installer

Dell provides the .msi installer for SupportAssist and the same installer can be used for deployment with SCCM. You can download the Dell SupportAssist .msi installer from the following direct download link. Note that this is an offline installer and will include all the installation files without having the system connect to internet to download further files.

Along with Dell SupportAssist msi installer, I recommend you to download a logo for the application. We will assign this logo to the Dell SupportAssist application in SCCM. Copy both the installer and logo to a separate folder on SCCM server or shared folder. We will reference the same folder when we create the Dell SupportAssist application in ConfigMgr.

Recommended ArticleHow to Import Dell CAB Drivers into SCCM

Dell SupportAssist .MSI Install and Uninstall Commands

If you want to manually install the Dell SupportAssist using command line, you can download the .msi installer and install it with following commands.

The Dell SupportAssist silent install command is as follows:

msiexec /i "SupportAssistx64-3.10.4.18.msi" /q

To uninstall the Dell SupportAssist silently using command line, run the below command.

msiexec /x {E0659C89-D276-4B77-A5EC-A8F2F042E78F} /q

Each MSI installer has a unique product code and this can be seen under the installer properties. Configuration Manager uses the product to detect if the Dell SupportAssist application already exists on system. If you are curious to know the detection method for Dell SupportAssist application, SCCM basically uses the MSI product code: {E0659C89-D276-4B77-A5EC-A8F2F042E78F} of the installer.

After you have created the Dell Support Assist application in SCCM, go to the Application deployment properties and switch to Detection Method tab. Here you can see the detection method used for Dell SupportAssist application. We see the MSI product code being used for the application detection.

Dell SupportAssist Detection Method
Dell SupportAssist Detection Method

Create Dell SupportAssist Application in SCCM

Let’s create a new application for the Dell SupportAssist in SCCM.

  • Launch the Configuration Manager console.
  • Go to Software Library > Overview > Application Management.
  • Right-click Applications and select Create Application.
Create Dell SupportAssist Application in SCCM
Create Dell SupportAssist Application in SCCM

On the General window, select Automatically detect information about this application from installation files. The application type should be Windows Installer (*.msi file) and specify the location of the Dell SupportAssist msi file. Click Next.

Create Dell SupportAssist Application in SCCM
Create Dell SupportAssist Application in SCCM

With MSI installers, the Configuration Manager can import information such as product code, install commands, uninstall commands, detection methods etc. In the below screenshot, we see the product information has been populated from Dell SupportAssist MSI installer and imported into SCCM.

Application name: Dell SupportAssist
Publisher: 
Software version: 

Deployment type name: Dell SupportAssist - Windows Installer (*.msi file)
Product Code: {E0659C89-D276-4B77-A5EC-A8F2F042E78F}
Installation behavior: Install for system

Content location: \\corpcm\Sources\Applications\SupportAssist\
Number of files: 2
Content files: 
dellSA_logo.jpg
SupportAssistx64-3.10.4.18.msi
Create Dell SupportAssist Application in SCCM
Create Dell SupportAssist Application in SCCM

In the General Information tab, enter the basic information about the Dell Support Assist application. For example, you can specify the application name, publisher details, software version etc. The details that you specify here will be displayed to users when the Dell SupportAssist application is selected in Software Center.

The Configuration Manager also populates the silent installation command for Dell SupportAssist from the .msi installer. You may modify the existing command and add additional parameters supported for .msi installation.

Silent Command Line for Dell SupportAssist installation = msiexec /i "SupportAssistx64-3.10.4.18.msi" /q
Create Dell SupportAssist Application in SCCM
Create Dell SupportAssist Application in SCCM

Review the Support Assist application settings on Summary window and click Next. On the Completion tab, click Close button to exit the create application wizard.

Create Dell SupportAssist Application in SCCM
Create Dell SupportAssist Application in SCCM

This completes the steps to create application for Dell SupportAssist in SCCM. After this step, the application will appear in the Application node of Configuration Manager console.

Specify an Icon for Dell SupportAssist Application

Configuration Manager lets you specify a logo for Application via the Application Properties and this logo appears along with the application in Software Center. If you are looking to customize software center, use the following guide to customize software center appearance and branding. Assigning an application logo is not mandatory, but it helps users identify the application quickly in Software Center.

The newly created Dell SupportAssist application is located in Software Library\Overview\Application Management\Applications of Configuration Manager console. Right-click on Dell SupportAssist application and select Properties.

Specify an Icon for Dell SupportAssist Application
Specify an Icon for Dell SupportAssist Application

In the Application properties window, choose the Software Center tab. Click on Browse and select an icon for Dell SupportAssist and click Apply and OK.

Specify an Icon for Dell SupportAssist Application
Specify an Icon for Dell SupportAssist Application

Deploy Dell SupportAssist using SCCM | ConfigMgr

In this section, we will look at the steps to deploy the Dell SupportAssist using SCCM (ConfigMgr). The deploy software wizard contains steps where you can distribute the content to DP’s along with the application deployment.

When you perform Dell SupportAssist deployment using SCCM, you deploy it either to a device collection or user collection. Typically, applications are deployed to device collections, and we will use the same approach here. You can create device collections for Windows 10 and Windows 11 computers using the following guides.

Once the device collections are ready, you can deploy the application using the deploy software wizard. To deploy the Dell SupportAssist application, launch the Configuration Manager console. Navigate to Software Library\Overview\Application Management\Applications. Right-click Dell SupportAssist application and select Deploy.

Deploy Dell SupportAssist using SCCM
Deploy Dell SupportAssist using SCCM

On the General page of Deploy Software Wizard, click Browse and select a device collection to which you want to deploy the Support Assist application. Click Next.

Deploy Dell SupportAssist using SCCM
Deploy Dell SupportAssist using SCCM

On the Content page, click Add button and specify the distribution points to which you would like to distribute the Dell Support Assist application content. You may also select distribution point groups when you have numerous distribution points. Click Next to continue.

Deploy Dell SupportAssist using SCCM
Deploy Dell SupportAssist using SCCM

On the Deployment Settings window, specify the settings to control the deployment. Select the Action as Install and Purpose as Available. Learn the difference between Available and Required deployment in SCCM. Click Next.

Dell SupportAssist Deployment using SCCM
Dell SupportAssist Deployment using SCCM

On the Scheduling tab, you can specify the schedule for the deployment. If you want to deploy the application as soon as possible, then don’t configure anything under Scheduling. Click Next.

Dell SupportAssist Deployment using SCCM
Dell SupportAssist Deployment using SCCM

Specify the user experience settings for the application deployment. For user notifications, select the option “Display in Software Center and show all notifications“. Click Next to continue.

Deploy Dell SupportAssist using SCCM User Experience Settings
Deploy Dell SupportAssist using SCCM User Experience Settings

In the Alerts tab, click Next. Review all the Dell SupportAssist deployment settings on Summary tab and click Next. On the Completion window, click Close.

The Dell SupportAssist application is now distributed to the select distribution points and the client machines should now have the application listed in the Software Center. This completes the steps for Dell SupportAssist deployment with Configuration Manager.

Deploy Dell SupportAssist using SCCM Completion
Deploy Dell SupportAssist using SCCM Completion

Test Dell SupportAssist Deployment on Client Computers

After you have created the Dell SupportAssist application and deployed it to device collection, it’s time to test the deployment on devices. Log in to a client computer, and launch the Software center. Click on the Applications tab and select Dell SupportAssist application. To install the application, click the Install button.

Test Dell SupportAssist Deployment on Client Computers
Test Dell SupportAssist Deployment on Client Computers

The Dell Support Assist application is now downloaded from the local distribution point server for installation. The installation commands specified during the application creation are executed. You can monitor the application installation process by reviewing the AppEnforce.log located on the client computer.

To locate the AppEnforce.log file and other important files, refer to the SCCM Log files which contains all the log files for troubleshooting issues.

Matched exit code 0 to a Success entry in the exit codes table” confirms that the Dell Support Assist application has been installed successfully on the computer. The uninstall command that we specified during application packaging should also work fine.

+++ Starting Install enforcement for App DT "Dell SupportAssist - Windows Installer (*.msi file)" ApplicationDeliveryType - ScopeId_67D9092A-81B2-464F-8F38-4D634303C416/DeploymentType_ccf9c1b2-8d31-4cab-87e9-56c700d64d52, Revision - 1, ContentPath - C:\Windows\ccmcache\2, Execution Context - System
    Performing detection of app deployment type Dell SupportAssist - Windows Installer (*.msi file)(ScopeId_67D9092A-81B2-464F-8F38-4D634303C416/DeploymentType_ccf9c1b2-8d31-4cab-87e9-56c700d64d52, revision 1) for system.
    Prepared working directory: C:\Windows\ccmcache\2
Found executable file msiexec with complete path C:\Windows\system32\msiexec.exe
    Prepared command line: "C:\Windows\system32\msiexec.exe" /i "SupportAssistx64-3.10.4.18.msi" /q /qn
Valid MSI Package path = C:\Windows\ccmcache\2\SupportAssistx64-3.10.4.18.msi
    Advertising MSI package [C:\Windows\ccmcache\2\SupportAssistx64-3.10.4.18.msi] to the system.
    Executing Command line: "C:\Windows\system32\msiexec.exe" /i "SupportAssistx64-3.10.4.18.msi" /q /qn with user context
    Working directory C:\Windows\ccmcache\2
    Post install behavior is BasedOnExitCode	AppEnforce
    Waiting for process 3896 to finish.  Timeout = 120 minutes
    Process 3896 terminated with exitcode: 0
    Looking for exit code 0 in exit codes table.
    Matched exit code 0 to a Success entry in exit codes table
Test Dell SupportAssist Deployment on Client Computers
Test Dell SupportAssist Deployment on Client Computers

Source :
https://www.prajwaldesai.com/deploy-dell-supportassist-using-sccm/

Allow RDP Access to Domain Controller for Non-admin Users

By default, only members of the Domain Admins group have the remote RDP access to the Active Directory domain controllers‘ desktop. In this article we’ll show how to grant RDP access to domain controllers for non-admin user accounts without granting administrative privileges.

Many of you can quite reasonably ask: why would ordinary domain users should have access to the DC desktop? Indeed, in small or middle size infrastructures, when several administrators with the privileges of domain admins maintain them, you’ll hardly need this. In most cases, delegating some administrative permissions in Active Directory or using PowerShell Just Enough Administration (JEA) is sufficient.

However, in large corporate networks maintained by many administrators, it may become necessary to grant RDP access to the DC (usually to branch office DC’s or RODC) for different server admin groups, monitoring team, on-duty administrators, or other technical staffs. Also, from time to time some of the third-party services, not managed by the domain administrators, are deployed on the DC, and there’s a need to maintain these services.

Contents:

Tip. Microsoft doesn’t recommend to install the Active Directory Domain Services and Remote Desktop Service role (terminal server) on a single server. If there is only one physical server, on which you want to deploy both DC and RDS, you’d better use virtualization, since Microsoft virtualization licensing policy allows you to run two virtual servers under the same Windows Server Standard license.

To Sign in Remotely, You Need the Rights to Sign in through Remote Desktop Services

After the server has been promoted to the domain controller, you cannot manage local users and groups from the Computer Management mmc snap-in. When you try to open Local Users and Groups (lusrmgr.msc) console, the following error appears:

The computer xxx is a domain controller. This snip-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers snap-in.
The computer xxx is a domain controller. This snip-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers snap-in.

As you can see, there are no local groups on the domain controller. Instead of the local group Remote Desktop Users, the DC uses the built-in domain group Remote Desktop Users (located in the Builtin container). You can manage this group from the ADUC console or from the command prompt on the DC.

Display the members of the domain group Remote Desktop Users on the domain controller using the command:

net localgroup "Remote Desktop Users"

As you can see, it is empty. Add a domain user it-pro to it (in our example, it-pro is a regular domain user without administrative privileges):

net localgroup "Remote Desktop Users" /add corp\it-pro

Make sure that the user is added to this group:

net localgroup "Remote Desktop Users"

net localgroup "Remote Desktop Users"

You can also verify that the user is now a member of the Remote Desktop Users domain group using the ADUC (dsa.msc) snap-in.

domain builtin group Remote Desktop Users

However, even after that, a user still cannot connect to the DC via Remote Desktop with the error:

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you’re in does not have the right, or if the right has been removed from the Administrators group, you need to be granted the right manually.

you need remote desktop services rights

Group Policy: Allow Log on through Remote Desktop Services

To allow a domain user or group a remote RDP connection to Windows, you must grant it the SeRemoteInteractiveLogonRight privileges. By default, only members of the Administrators group have this right. You can grant this permission using the Allow log on through Remote Desktop Services policy.

In Windows 2003 and older this policy is called Allow log on through terminal services.

To allow remote connection to the domain controllers for members of the Remote Desktop Users group you need to change the settings of this policy on your domain controller:

  1. Launch the Local Group Policy Editor (gpedit.msc);
  2. Go to the GPO section Computer Configuration -> Windows settings -> Security Settings -> Local policies -> User Rights Assignment;
  3. Find the policy Allow log on through Remote Desktop Services;After the server is promoted to the DC, only the Administrators group (these are Domain Admins) remains in this local policy.
  4. Edit the policy, add the domain group Remote Desktop Users (like this: domainname\Remote Desktop Users), or directly the domain user, or a group (domain\CA_Server_Admins) to it;
  5. Update the Local Group Policy settings on the DC using the command: gpupdate /force

Note that the group that you added to the Allow log on through Remote Desktop Services policy should not be present in the “Deny log on through Remote Desktop Services” policy , because it has a higher priority (check the article Restricting Network Access under local accounts). In addition, if you are restricting the list of computers on which users can log on, you need to add the DC name to the properties of the AD account (LogonWorkstations user attribute).

Note. To allow a user to log on to the DC locally (via the server console), you must add the account or group to the policy “Allow log on locally”. By default, this permission is allowed for the following domain groups:

  • Backup Operators
  • Administrators
  • Print Operators
  • Server Operators
  • Account Operators

It is better to create a new security group in the domain, for example, AllowLogonDC and add user accounts to it that need remote access to the DC. If you want to allow access to all AD domain controllers at once, instead of editing of the Local Policy on each DC, it’s better to add a the user group to the Default Domain Controllers Policy using the GPMC.msc console (change the policy settings in the same section: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment -> Allow log on through Remote Desktop Services).

Warning. If you change the Default Domain Controllers Policy, don’t forget to add the domain/enterprise administrator groups to the policy Allow log on through Remote Desktop Services, otherwise they will lose remote access to the DCs.

default domain controller policy: allow logon over rdp

Now the users (groups) you added to the policy will be able to connect to the AD domain controllers via RDP.

If you need to grant non-administrator users the permissions to start/stop certain services on a DC, use the following guide.

The Requested RDP Session Access is Denied

In some cases, when connecting via RDP to a domain controller, an error may appear:

The requested session access is denied.
the requested rdp session access is denied

If you are connecting to the DC under a non-admin user account, this could be due to two problems:

  • You are trying to connect to the server console (using the mstsc /admin mode). This connection mode is only allowed for administrators. Try to connect to the server using mstsc.exe client in normal RDP mode (without /admin option);
  • The server may already have two active RDP sessions (by default, you can’t use more than two simultaneously RDP sessions on Windows Server without RDS role). You cannot log off other users without administrator permissions. You need to wait for the administrators to release one of the sessions.


Source :
http://woshub.com/allow-non-administrators-rdp-access-to-domain-controller/

How to setup SMTP Relay in Office 365

If you plan to keep your existing on-prem exchange server then it can be used / utilized as a SMTP Relay server. Else, if you plan to decommission the exchange server for good, you can utilize Office365 as a SMTP Relay server to relay the emails.

There are three ways to setup SMTP Relay in Office 365:

  • SMTP Auth client Submission
  • Direct Send
  • Office 365 SMTP Relay

I recommend using either Office 365 SMTP Relay method or Direct Send method to configure SMTP Relay in Office 365. Please refer to the section Direct Send vs Office 365 SMTP Relay which will help you decide which one to use for your organization.

Below are some suggestions which can help you choose between Office 365 SMTP Relay and Direct Send method.

📌 Direct Send Method does not work if you want to send the email to External recipients for example any Gmail, Yahoo, Hotmail email address. Direct End method can send an email to External recipients if the External Organization is also using Office 365 to host the mailboxes.

📌If your requirement is to send emails to Internal and any External domain recipients then choose Office 365 SMTP Relay Method.

1. SMTP Auth client Submission Method

Below are the Pre-requisites for using SMTP Auth client submission method to configure SMTP relay in Office365:

  • Licensed Office365 User Mailbox is required.
  • SMTP AUTH must be enabled for Mailbox which will be used to send the emails.
  • Device must support TLS 1.2 or above (Please check the vendor documentation to confirm this).

If your authentication policy disables basic authentication for SMTP, clients cannot use the SMTP AUTH protocol. Microsoft will disable Basic authentication for all new and existing tenants starting from 1st Oct 2022. Therefore, this is my least recommended option for configuration of SMTP relay in Office 365.

Direct Send vs Office 365 SMTP Relay

Direct Send method and Office 365 SMTP Relay method both use MX Endpoint of your domain to configure SMTP Relay. Both can be used when your environment has SMTP AUTH disabled.

Use Direct Send when you need to send messages to recipients in your own organization who have mailboxes in Office 365. Direct send will not work if you want to send email to External email address (Gmail, yahoo, hotmail etc.). However, If the external recipient mailboxes are also hosted on Office 365, it will work fine.

Direct Send does not require your device or application to have a static IP address to configure it. However, Static IP address is recommended so that an SPF record can be created for your domain. The SPF record helps avoid your messages being flagged as spam.

Direct Send and Office 365 Relay both does not require your device to Support TLS.

Direct Send method Office 365 SMTP Relay
Source:Microsoft. How Direct Send Works ?
FeatuesDirect SendOffice 365 SMTP Relay
Send to Internal UsersYesYes
Send to External UsersNo (Yes, for external recipients having Office365 Mailboxes)Yes
Network Port RequirementPort 25Port 25
TLS RequirementOptionalOptional
Requires AuthenticationNoneDevice / Printer / Application must have Static IP address assigned.

2. Configure SMTP Relay in Office 365 using Direct Send method

In the previous section of this blog post, I have explianed the difference between Direct Send and Office 365 SMTP Relay method. If Direct Send meets your requirements and you do not have any requirements for sending an email to External recipients like Gmail, yahoo, hotmail etc. You can follow below steps to configure it.

1. Find MX Endpoint of your Domain

To find the MX Endpoint of your domain, You need to follow below steps:

  1. Login on Microsoft 365 admin center.
  2. Go to Settings and click on Domains.
  3. Click on your organization domain name. For example: techpress.net.
  4. Click on DNS records Tab.
  5. You can find MX Endpoint on DNS records tab. Click on it to Open.

You will find the MX Endpoint under Points to address or value column. Click on it to copy it on a notepad.

The format of the MX Endpoint is yourdomain-com.mail.protection.outlook.com

Locate MX Endpoint of your domain from Microsoft 365 admin center
Locate MX Endpoint of your domain from Microsoft 365 admin center

2. Find the Static IP Address of the Device or Application [Optional]

As Microsoft Recommends to use Static IP Address for Direct Send Method but its not mandatory. If your Device or Application is not using a static IP address, make sure you assign a static IP address and then note down the IP Address of the device on a notepad. We will add static IP address of the device in your domain’s SPF record.

3. Update SPF Record [Optional]

This is also an optional step but highly recommended by Microsoft. Updating SPF record with Static IP Address of your Device or Application will help to avoid your emails being marked as SPAM. SPF records identifies which servers are allowed to send emails on behalf of the your domain.

Example:

  • Device / Printer IP Address: 10.20.1.56
  • Currently configured SPF recordv=spf1 include:spf.protection.outlook.com -all

Add your Device / Application IP Address in the SPF record as below:

v=spf1 ip4:10.20.1.56 include:spf.protection.outlook.com -all

4. Configure your Device / Application for Direct Send SMTP Relay

Last and final step is to configure your Device / Application and add SMTP relay details so that Device / Application can send emails using the Direct Send SMTP Relay. In our Example, we will be using a Printer to configure Direct Send. Let’s see which SMTP settings needs to be configured on the Printer.

If you want to configure SMTP Relay for a device other than your printer, You can still use below SMTP details to configure it.

SMTP ServerPortTLSUserNamePassword
MX Endpoint

For Example:
<yourdomain>-<domain extension.mail.protection.outlook.com
25Not Required (Recommendation is to enable if this option is available)Any Email Address of your domain. This user does not require a mailbox.
For example: myscanner@techpress.net
Not required (you can turn off SMTP Authentication)

Example:

I have captured a screenshot of one of my Printers to show you how to configure Direct Send. You can use the same settings to configure Direct Send on any other device as well. This screenshot is just for your reference:

Office 365 SMTP Relay Direct Send method Configuration on Konika Minolta printer
Office 365 SMTP Relay Direct Send method Configuration on Konika Minolta printer

5. Create Bypass Spam Filtering Rule [Optional]

This step is optional and you do not need to create a bypass SPAM Filtering rule in Exchange Online. You have updated SPF record with your device IP address which should avoid the emails sent from your device to be marked as SPAM.

If your emails are still going into the SPAM folder. You can create a SPAM Bypass rule in office365 for the email ID which you have used to send the email from on the device. 

  • Login to Exchange online management portal
  • Click on Mail flow -> Rule -> Create a Rule.
Create SPAM Bypass rule for the Device IP on Exchange Admin Center
Create SPAM Bypass rule for the Device IP on Exchange Admin Center

3. Configure using Office 365 SMTP Relay Method

Office 365 SMTP Relay Method - How it Works?
Source: Microsoft. Office 365 SMTP Relay Method – How it Works?

Direct Send method has limitations of sending the emails to external recipients. However, Office 365 SMTP Relay does not have that kind of limitation in place. You can use Office 365 SMTP Relay Method to send the email to any External recipient. Let’s check the steps to configure Office 365 Relay on your Device.

1. Find Public IP Address of the Device or Application

First thing you need to do is to find the public IP address of the Device or Application. If your device is not assigned with a Public IP and is using Dynamic IP address, Please update it to use Static IP Address. Copy the IP address in a notepad. We will need this IP Address while configuring a Connector in Exchange Online.

2. Create a Connector on Exchange Admin Center

Next step is to create a connector on Exchange Admin Center. Please follow below steps to create a connector:

  1. Login on Microsoft Exchange Admin Center
  2. Click on Mail Flow and then Connectors
  3. Click on + Add a connector
  4. On Add a Connector Page. Select Connection from Your organization’s email server and Connection to Office 365 and click on Next to proceed.
Create a new connector on Exchange Admin Center for configuration of SMTP Relay
Create a new connector on Exchange Admin Center for configuration of SMTP Relay
  1. Provide a Connector Name and Description. Click on Next to Proceed.
Provide a Name and Description of the Connector
Provide a Name and Description of the Connector
  1. On Authenticating sent email page. Select the option “By verifying that the IP address of the sending server matches one of the following addresses, which belongs exclusively to your organization“.

Add your Device / Application IP Addresses into the list. Add all Device’s IP addresses which you want to configure for Office 365 SMTP Relay. For example, In my organization I have 3 Printers which I want to configure for SMTP Relay. Therefore I have added the IP addresses of those 3 printers here.

Add Printer IP Addresses in Authenticating sent email
Add Printer IP Addresses in Authenticating sent email
  1. On Review connector page, you can review the connector configuration and click on Create connector to create this Connector.
Review Connector page on Exchange Admin Center
Review Connector page on Exchange Admin Center

3. Update SPF Record

Now you need to update the SPF record and add all the Device IP’s in the SPF record which you added in the connector created on Exchange Admin Center.

Example:

  • Device / Printer IP Addresses: 10.1.20.122, 10.2.1.11 and 10.2.5.89.
  • Currently configured SPF recordv=spf1 include:spf.protection.outlook.com -all

Add your Device / Application IP Addresses in the SPF record as below:

v=spf1 ip4:10.1.20.122 ip4:10.2.1.11 ipv4:10.2.5.89 include:spf.protection.outlook.com -all

4. Find MX Endpoint of your Domain

To find the MX Endpoint of your domain, You need to follow below steps:

  1. Login on Microsoft 365 admin center.
  2. Go to Settings and click on Domains.
  3. Click on your organization domain name. For example: techpress.net.
  4. Click on DNS records Tab.
  5. You can find MX Endpoint on DNS records pag. Click on it to Open.

You will find the MX Record under Points to address or value column. Click on it to copy it on a notepad.

The format of the MX Endpoint is yourdomain-com.mail.protection.outlook.com

Locate MX Endpoint of your domain from Microsoft 365 admin center
Locate MX Endpoint of your domain from Microsoft 365 admin center

5. Configure your Device / Application for Office 365 SMTP Relay

Last and final step is to configure your Device / Application and add SMTP relay details so that Device / Application can send emails using the Office 365 SMTP Relay.

SMTP ServerPortTLSUserNamePassword
MX Endpoint

For Example:
<yourdomain>-<domain extension.mail.protection.outlook.com
25Not Required (Recommendation is to enable if this option is available)Any Email Address of your domain. This user does not require a mailbox.
For example: myscanner@techpress.net
Not required (you can turn off SMTP Authentication)

6. Create SPAM Bypass rule [Optional]

Please refer to the section of Configuration of SMTP Relay using Direct Send method where the steps to create SPAM bypass rule is given. This is an optional troubleshooting step and can be used in case the emails are being marked as SPAM.

Troubleshooting Office 365 SMTP Relay

Now we have setup Office 365 SMTP Relay. In case of any issues in email delivery, you can use below steps to troubleshoot.

Check SMTP AUTH at organization level

You can use below command to check SMTP AUTH at organization level. As we are not using SMTP client submission method, SMTP AUTH should be disabled.

Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

Copy

Check SMTP AUTH at Mailbox level

Get-CASMailbox "Sonia Neil " | fl SmtpClientAuthenticationDisabled

Copy

If you see the output of the command as SmtpClientAuthenticationDisabled: That means this setting is controlled by the corresponding SmtpClientAuthenticationDisabled parameter on the Set-TransportConfig cmdlet for the whole organization.

Test Port 25 using Telnet

If you are facing any issues in email delivery then you can verify if Port 25 is opened or blocked on the Firewall. If Port 25 is blocked then you may need to ask the Network admin to open it for the device IP which is sending emails. You can follow below steps to test Port 25 via Telnet.

  1. Launch Command Prompt on a PC (IP of the PC should be in the same subnet as Device / Printer / Application)
  2. Type Command telnet <MX EndPoint> 25 and press Enter.

(If telnet command is not recognized on the Windows 10 or Windows 11 PC. The Please first Install Telnet Client by going to Start menu -> Type “Turn Windows featured on or off” and find Telnet Client, Select it and click OK).

Install Telnet Client on Windows
Install Telnet Client on Windows
  1. Once Telnet is installed on your Windows device. You can open a command prompt and type below command to test if Port 25 is opened or not.

Telnet <your MX endpoint> 25

Test Port 25 using Telnet
Test Port 25 using Telnet

Once you enter on the above command, you should get a response from the server. Which means that Port 25 is opened.

Test Port 25 using Telnet
Test Port 25 using Telnet

Send a Test email using Telnet

If you want to check the email delivery then you can use the Telnet command and send a test email. This test can confirm if there are any issues in email delivery. You can follow below steps to test a test email using telnet.

  1. Login on a computer in the same subnet as the Device / Printer / Application.
  2. Open Command prompt as administrator.
  3. Type command Telnet <your MX endpoint> 25.
Send a Test email using Telnet
Send a Test email using Telnet
  1. You will get a response back after press enter on the Telnet command. On Telnet Console Type below commands:

ehlo

mail from – Type from email address

rcpt to – Type recipient email address to send a test email.

If the recipient receives this test email then there is no issue witth email delivery.

ehlo
MAIL FROM:<myscanner@techpress.net>
250 2.1.0 Sender OK
RCPT TO:<internal email ID>
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
SUBJECT:Hello World

This is a test message

Thanks,
John A.

. <Dot to end the email>

Copy

Check if ISP Public IP Address is banned

When you are sending an email using Telnet and if you get a message saying that your sending IP is banned. Then you need to unblock / remove your IP from banned list so that Devices on your network can send email.

Check if ISP Public IP Address is banned using Telnet
Check if ISP Public IP Address is banned using Telnet

To remove your ISP Public IP Address from banned list, you need to login on https://senders.office.com and type your email ID and ISP Public IP Address of your organization. Follow the instuctions on the site to get your IP De-listed. This may take from 30 minutes to couple of hours to unblock your IP.

After you get your IP De-listed from https://senders.office.com. Try to send an email using Telnet again. This time if your IP is successfully de-listed, the recipient should receive the email.

Check if ISP Public IP Address is banned using Telnet
Check if ISP Public IP Address is banned using Telnet

Test email has been received successfully.

Test email received using Telnet
Test email received using Telnet

Delisting / Unblock of ISP Public IP on Spamhaus.org

When you are sending an email using Telnet and if you get a message saying that service unavailable, Client host <your ISP Public IP address> blocked using Spamhaus. You need to visit the URL https://www.spamhaus.org/query/ip/<ISP Public IP Address> to get your IP De-listed.

Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org

How to unblock your ISP Public IP on spamhaus.org

Please follow below steps to unblock your ISP Public IP from spamhaus.org.

  1. Once you land on https://www.spamhaus.org/query/ip/<ISP Public IP Address> site. Click on Show details and then click on “I am running my own mail server“.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Select I am running my own mail server and clicon on Next steps.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Complete the form for unblocking your ISP Public IP. Provide a NameEmail Address and Provide details regarding the issue. Once you complete this form. click on Submit button.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Form has been submitted. You can now wait for email verification link from Spamhaus.org.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Below is the email I received to verify my email address. Click on the link in the email for Email Verification.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org
  1. Delisting has been successful. You can now try to use Telnet to send a test email to confirm email delivery issue has been rectifed. You can also check the Device / Printer / application to confirm if its able to send the email now.
Delisting / Unblock of ISP Public IP on Spamhaus.org
Delisting / Unblock of ISP Public IP on Spamhaus.org

Conclusion

In this blog post, we have seem how to setup SMTP Relay in Office 365. There are three ways to configure it. But the most recommended option is Office 365 SMTP Relay Method. Second best method is Direct Send method which can be used if you do not have the requirements to send the emails to External recipients like gmail, yahoo etc.

Third method which is least recommended is SMTP Auth Submisson method. As It requires a licensed mailbox and SMTP AUTH to be enabled for that mailbox. There is a cost associated with licensed mailbox and Microsoft does not recommend SMTP AUTH to be enabled.

We have also see the troubleshooting steps in case of email delivery issues. These troubleshooting steps helped me fixed issues while working on Office 365 relay for Multiple clients.

Source :
https://techpress.net/office-365-smtp-relay-setup-and-configuration/

Confirmed: Metro Group victim of cyber attack

[German]Since Monday, October 17, 2022, many Metro stores worldwide have been struggling with severe IT problems. I had already suspected a cyber attack on the Metro Group in a post and I had reports from Austria, from France as well as comments from German Metro customers as well as employees. However, a cyber attack remained unconfirmed so far. Now Metro AG has confirmed such an attack to heise – and on its website.


Advertising


Metro Group with IT problems

I had already reported about the IT problems at Metro Group in the blog post Cyber attack on Metro AG or just a IT break down? Austria, France, German (and more countries?) affected. Since Monday, October 17, 2022, Metro wholesales stores have been struggling with massive IT problems. No invoices or daily passes could be issued and online orders had also disappeared, Metro customers reported. A blog reader had provided me with the following photo of a Metro notice board.

IT-Störung bei Metro
Notification about IT disruption at a Metro wholesale store

The suspicion of a cyber attack has not been confirmed by company spokespersons till today (October 21, 2022). But I have had reports from German blog readers, reporting IT issues since days and some people told me, it’s a cyber attack as a root cause.

Not only Austria and France are affected, but Metro AG worldwide. In Germany, too, the same problem has existed since last Monday. No more stock or prices can be updated or checked in the store. The checkout system is still working but also sluggishly, resulting in long lines. If you want to reserve something digitally, that doesn’t work either.

One reader noted that from what he observed, the IT problems have been going on since Friday afternoon (October 14, 2022). A reader informed me on Facebook that their email systems had delivered a 442 connection Failed-Error when communicating with the Metro mail system last Monday. By the afternoon of October 19, 2022, communication with the Metro Group email system was working again – so something is happening.


Advertising


Metro confirms cyber attack

First a speaker from Metro AG confired to German IT magazine heise a cyber attack on it’s IT systems. After searching the Metro AG site today, I finally found the following statement. It says (translated in English):

Metro cyber attack confirmation
Metro cyber attack confirmation (addenum: here is an English version)

T-Security Incident at METRO

METRO/MAKRO is currently experiencing a partial IT infrastructure outage for several technical services. METRO’s IT team, together with external experts, immediately launched a thorough investigation to determine the cause of the service disruption. The latest results of the analysis confirm a cyber attack on METRO systems as the cause of the IT infrastructure outage. METRO AG has informed all relevant authorities about the incident and will of course cooperate with them in every possible way.

During the operation of METRO stores and the regular availability of services, disruptions and delays may occur. The teams in the stores have quickly set up offline systems to process payments. Online orders via the web app and online store are being processed, but there may be individual delays here as well.

We will continue to analyze and monitor the situation intensively and provide updates if necessary.
METRO sincerely apologizes for any inconvenience this incident may cause to customers and business partners.

So they confirmed just a cyber attack, but stay tight lipped about the details. No information, whether it’s a ransomware infection nor about a possible attack vector.

Metro AG is a listed group of wholesale companies (for purchases in the gastronomy sector). Headquartered in Düsseldorf, the group employs more than 95,000 people in 681 stores worldwide, most of them in Germany. In Germany, the company mainly operates the Metro wholesale stores. Sales are 24.8 billion euros (2020).

Similar articles:
Cyber attack on Metro AG or just a IT break down? Austria, France, German (and more countries?) affected
Ransomware Attack on electronic retail markets of Media Markt/Saturn
Media Markt/Saturn: Ransomware attack by hive gang, $240 million US ransom demand

Source :
https://borncity.com/win/2022/10/21/metro-gruppe-doch-opfer-eines-cyberangriffs/

Over 45,000 VMware ESXi servers just reached end-of-life

Over 45,000 VMware ESXi servers inventoried by Lansweeper just reached end-of-life (EOL), with VMware no longer providing software and security updates unless companies purchase an extended support contract.

Lansweeper develops asset management and discovery software that allows customers to track what hardware and software they are running on their network.

As of October 15, 2022, VMware ESXi 6.5 and VMware ESXi 6.7 reached end-of-life and will only receive technical support but no security updates, putting the software at risk of vulnerabilities.

The company analyzed data from 6,000 customers and found 79,000 installed VMware ESXi servers.

Of those servers, 36.5% (28,835) run version 6.7.0, released in April 2018, and 21.3% (16,830) are on version 6.5.0, released in November 2016. In total, there are 45,654 VMware ESXi servers reaching End of Life as of today

The findings of Lansweeper are alarming because apart from the 57% that enter a period of elevated risk, there are also another 15.8% installations that run even older versions, ranging from 3.5.0 to 5.5.0, which reached EOL quite some time ago.

In summary, right now, only about one out of four ESXi servers (26.4%) inventoried by Lansweeper are still supported and will continue to receive regular security updates until April 02, 2025.

However, in reality, the number of VMware servers reaching EOL today, is likely far greater, as this report is based only on Lansweeper’s customers.

VMWare versions detected on net scans
VMWare versions detected on net scans (Lansweeper)

The technical guidance for ESXi 6.5 and 6.7 will carry on until November 15, 2023, but this concerns implementation issues, not including security risk mitigation.

The only way to ensure you can continue to use older versions securely is to apply for the two-year extended support, which needs to be purchased separately. However, this does not include updates for third-party software packages.

For more details about EOL dates on all VMware software products, check out this webpage.

What does this mean?

When a software product reaches the end-of-life date, it stops receiving regular security updates. This means that admins should have already planned ahead and upgraded all deployments to a newer release.

While it’s not unlikely that VMware will still offer some critical security patches for these older versions, it’s not guaranteed and certainly won’t release patches for all new vulnerabilities that are discovered.

Once an unsupported ESXi server has carried on for long enough without patches, it will have accumulated so many security vulnerabilities that attackers would have multiple ways to breach it.

Due to ESXi hosting virtual machines, attacking the server can potentially cause severe and wide-scale disruption to business operations, which is why ransomware gangs are so focused on targeting it.

This year, ESXi VMs were targeted by the likes of Black BastaRedAlertGwisinLockerHive, and the Cheers ransomware gangs.

More recently, Mandiant discovered that hackers found a new method to establish persistence on VMware ESXi hypervisors that lets them control the server and hosted VMs without being detected.

All that said, ESXi already enjoys ample attention from threat actors, so running outdated and vulnerable versions of the software would no doubt be a terrible idea.

Related Articles:

VMware: 70% drop in Linux ESXi VM performance with Retbleed fixes

Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws

Microsoft adds new RSS feed for security update notifications

VMware vCenter Server bug disclosed last year still not patched

Windows 11 KB5018427 update released with 30 bug fixes, improvements

Source :
https://www.bleepingcomputer.com/news/security/over-45-000-vmware-esxi-servers-just-reached-end-of-life/

Patch Now: The WordPress 6.0.3 Security Update Contains Important Fixes

The WordPress 6.0.3 Security Update contains patches for a large number of vulnerabilities, most of which are low in severity or require a highly privileged user account or additional vulnerable code in order to exploit.

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

The Wordfence Firewall provides protection from the majority of these vulnerabilities, and most sites should have been updated to the patched version automatically. Nonetheless, we strongly recommend updating your site as soon as possible, if it has not automatically been updated.

Vulnerability Analysis

We have determined that these vulnerabilities are unlikely to be seen as mass exploits but several of them could offer a way for skilled attackers to exploit high-value sites using targeted attacks.

Description: Authenticated (Contributor+) Stored Cross-Site Scripting via RSS Widget/Block
Affected Versions: WordPress Core < 6.0.3 & Gutenberg < 14.3.1
Researcher:  N/A
CVE ID: Pending
CVSS Score: 6.4(Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54543

WordPress allows any user that can edit posts, such as Contributors, to add a block linking to an RSS feed. While the contents of any feed imported this way are escaped, errors in retrieving the feed would be displayed on the page containing the feed. These included the error status code and content-type header. This means that a contributor-level attacker could create a page on a site they controlled that returned an error code and a malicious script in the Content-Type response header. They could then add a post containing an RSS block linking to their malicious “feed” and submit it for review. When an administrator previewed the post, the malicious script in the Content-Type header would be executed in their browser.

Unfortunately it is not possible to write a firewall rule to protect against this vulnerability as it could potentially be exploited without sending any requests to the victim site. A motivated attacker could look for existing RSS feeds on a site and attempt to compromise one of the sites those feeds were generated from. Such an attacker could potentially take over multiple sites using a single malicious RSS feed.


Description: Authenticated Stored Cross-Site Scripting via Search Block
Affected Versions: WordPress Core < 6.0.3 & Gutenberg < 14.3.1
Researcher: Alex Concha
CVE ID: Pending
CVSS Score: 6.4(Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54543

It is possible for users that can edit posts to inject malicious JavaScript via the Search Block’s Text color and Background color attributes. Doing so requires bypassing the filtering provided by the safecss_filter_attr function and is not trivial.


Description: Authenticated Stored Cross-Site Scripting via Featured Image Block
Affected Versions: WordPress Core < 6.0.3 & Gutenberg < 14.3.1
Researcher: N/A
CVE ID: Pending
CVSS Score: 6.4(Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54543

It is possible for users that can edit posts to inject malicious JavaScript via the Featured Image block. Doing so requires bypassing the filtering provided by the safecss_filter_attr function and is not trivial. A similar issue also appears to have been patched in the Navigation block, though it was not announced and may not be exploitable.


Description: Authenticated (Admin+) Stored Cross-Site Scripting in Widget Block
Affected Versions: WordPress Core < 6.0.3 & Gutenberg < 14.3.1
Researcher: Alex Concha
CVE ID: Pending
CVSS Score: 4.8(Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54543

It is possible for administrator-level users to inject malicious JavaScript via the Widget Group title attribute. This is unlikely to be exploited as administrator-level users typically have a number of other ways to add arbitrary scripts to a website.


Description: Stored XSS via wp-mail.php
Affected Versions: WordPress Core < 6.0.3
Researcher: Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
CVE ID: Pending
CVSS Score: 7.2(High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54531

In WordPress, site owners have the ability to create posts by sending emails to the target WordPress site. These requests are processed through the /wp-mail.php file which uses wp_insert_post to add the emailed post to the target website. This functionality didn’t check what level the user was sending the request and therefore did not perform any sanitization on the submitted post data. This meant that users without the unfiltered_html capability, with access to submitting posts via email, could inject malicious JavaScript into posts that would execute whenever someone accessed the post. WordPress now sets any user submitting a post via email to the user ID of 0 which will ensure that all posts pass through wp_kses. This feature is disabled by default, so most installations likely are not vulnerable.


Description: Authenticated (Admin+) Stored Cross-Site Scripting via Customizer
Affected Versions: WordPress Core < 6.0.3
Researcher: Alex Concha
CVE ID: Pending
CVSS Score: 5.5(Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54536/

It is possible for administrator-level users to add malicious JavaScript to the Blog Name via the Customizer that will execute in the browser of any site visitor. This is unlikely to be exploited as administrator-level users typically have a number of other ways to add arbitrary scripts to a website.


Description: Authenticated (Editor+) Stored Cross-Site Scripting via Comment Editing
Affected Versions: WordPress Core < 6.0.3
Researcher: Alex Concha
CVE ID: Pending
CVSS Score: 5.5(Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.3
Changesethttps://core.trac.wordpress.org/changeset/54537

It is possible for users with the unfiltered_html capability, including administrators and editors, to add malicious JavaScript to existing comments using the comment editor. This is unlikely to be exploited as administrator-level users typically have a number of other ways to add arbitrary scripts to a website.


Description: Reflected Cross-Site Scripting via SQL Injection in Media Library
Affected Versions: WordPress Core < 6.0.3
Researcher: Ben Bidner & Marc Montpas
CVE ID: Pending
CVSS Score: 8.8(High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 6.0.3
Changesethttps://core.trac.wordpress.org/changeset/54534

It is possible to craft a search query via the media library that results in a malicious JavaScript being echoed out onto the page. As it is possible to generate a link to the media library with the search query pre-populated via the s parameter, this can be used to perform a reflected Cross-Site Scripting(XSS) attack. While this would require social engineering to exploit and crafting an appropriate payload is nontrivial, the attacker does not need to be authenticated, making this potentially the most exploitable vulnerability patched in this release. We may update our assessment if a proof of concept becomes available.


Description: SQL Injection via WP_Date_Query
Affected Versions: WordPress Core < 6.0.3
Researcher: Michael Mazzolini
CVE ID: Pending
CVSS Score: 8.8(High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54540

The sanitize_query function used in the WP_Date_Query  class failed to sanitize all relations where it was expecting “AND” or “OR” in the query. It is possible that a third-party plugin or theme might perform a date query in an unsafe way that resulted in SQL injection, though WordPress core is not vulnerable itself. This is similar to the fixes released back in version 5.8.3.


Description: Cross-Site Request Forgery via wp-trackback.php
Affected Versions: WordPress Core < 6.0.3
Researcher: Simon Scannell
CVE ID: Pending
CVSS Score: 8.8(High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54525

Similar to the above XSS via wp-mail.php, the Trackback functionality of WordPress did not explicitly state the intended user identity which means that any request to wp-trackback.php would assume the identity of the user whose cookies are sent with the request. This would make it possible for an unauthenticated user to trigger a trackback assuming the identity of another user, granted they could trick that other user into performing the action. In new versions of WordPress, the identity will always be a non-existent user with the ID of 0, which represents an unauthenticated user.


Description: Shared User Instance Weakness
Affected Versions: WordPress Core < 6.0.3
Researcher: Alex Concha & Ben Bidner
CVE ID: Pending
CVSS Score: 3.7(Low)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54544

This fix appears to have been necessary to safely use the wp_set_current_user( 0 ); method to patch the previously mentioned XSS and CSRF in wp-mail.php and wp-trackback.php vulnerabilities. The previous functionality may have resulted in third party plugins or themes using the wp_set_current_user function in a way that could lead to privilege escalation and users being able to perform more actions than originally intended. We may update our assessment if a proof of concept becomes available.


Description: Post Author Email Disclosure via wp-mail.php
Affected Versions: WordPress Core < 6.0.3
Researcher: devrayn
CVE ID: Pending
CVSS Score: 5.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54523

The post by email functionality has the ability to enable logging. This can contain a post author’s email address which can be considered sensitive information and has the potential to be publicly accessible. This feature is disabled by default, so most installations likely are not vulnerable.


Description: Data Exposure via the REST Terms/Tags Endpoint
Affected Versions: WordPress Core < 6.0.3
Researcher: Than Taintor
CVE ID: Pending
CVSS Score: 4.3(Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54538

The REST API endpoint for terms and tags did not perform enough validation on the user requesting information about terms and tags for a given post. This made it possible for users with access to terms and tags, such as a contributor, to determine those details on all posts not belonging to them, even when in a private status. This does not reveal critical information, and as such it is not likely to be exploited.


Description: Information Disclosure via Multi-Part Email Content Leakage in wp-mail.php
Affected Versions: WordPress Core < 6.0.3
Researcher: Thomas Kräftner
CVE ID: Pending
CVSS Score: 3.7(Low)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54539

In cases where wp-mail was used to send multiple emails or multi-part emails within a single request, the email altBody (frequently used to provide a text alternative to HTML-formatted emails) was not cleared between messages, which could result in users receiving message contents intended for other recipients. While this would require a plugin configured to send multiple messages with altBody text and would be almost impossible to exploit on purpose, it could still lead to exposure of highly sensitive information.


Description: Open Redirect via wp_nonce_ays
Affected Versions: WordPress Core < 6.0.3
Researcher: devrayn
CVE ID: Pending
CVSS Score: 4.7(Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54532

It was possible to generate a link with an invalid nonce and the _wp_http_referer query string parameter set to an external site. If an attacker was able to trick a logged-in user into clicking on the crafted link, they would be redirected to the external site.

Conclusion

The WordPress 6.0.3 Security update contains a much larger number of security patches than usual. Most of these are not easy to exploit without an existing proof of concept and require an authenticated user. Additionally, the Wordfence firewall should protect all Wordfence users, including Wordfence FreeWordfence PremiumWordfence Care, and Wordfence Response, against most of these vulnerabilities. We urge you to verify that your site has been updated to a patched version immediately as there are vulnerabilities in this update that the Wordfence firewall cannot practically block. These vulnerabilities should be taken seriously as a skilled and lucky attacker could potentially use several of them for site takeover.

Special thanks to Wordfence Threat Intelligence Lead Chloe Chamberland for collaborating on this article. Props to Toshitsugu Yoneyama, devrayn, Ben Bidner, Simon Scannell, Marc Montpas, Alex Concha, Than Taintor, Thomas Kräftner, and Michael Mazzolini for discovering and responsibly disclosing these vulnerabilities.

Source :
https://www.wordfence.com/blog/2022/10/patch-now-the-wordpress-6-0-3-security-update-contains-important-fixes/

25 Ways To Fix A Slow WordPress Site And Pass Core Web Vitals: 2022 Advanced Guide

Welcome to the most complete guide on WordPress speed optimization!

This is my attempt to sum up WordPress speed + core web vitals in 1 post (it’s loooong).

I’ve constantly updated it to reflect new changes ever since I first published this 10 years ago. You have updates to things like core web vitals, plugin changelogs, and Cloudflare Enterprise happening every day. While site speed has gotten complex, the basics have stayed the same: use lightweight themes/plugins on fast servers (ideally with a performant cache plugin/CDN).

Why this tutorial is different:

First, my recommendations on tools/plugins/services are arguably better than what other people tell you to use. I’m very transparent about SiteGround’s slow TTFB and cache plugin, Kinsta’s overpriced service + lack of resources, NitroPack being blackhat, RocketCDN’s poor performance, and Elementor/Divi being slow. I’ve also written extensive reviews/tutorials on nearly every major host, cache plugin, CDN, and core web vital you can find in my nav menu.

Which is the 2nd reason it’s different: configuration guides! I have tons of them. Need help configuring FlyingPressLiteSpeed Cache, or Perfmatters? Want to improve TTFB or LCP? Or maybe you’re wondering which Cloudflare settings to use. I have detailed guides on all those.

If you have suggestions on making this tutorial better (or you have a question), drop me a comment. I’m all ears. I’m not for hire because I spend so much time writing these guides 🙂

Good luck and fair seas!

  1. Testing Tools
  2. DNS
  3. Hosting
  4. Page Builders
  5. CDN
  6. Cache Plugins
  7. Other Caching
  8. Plugins
  9. CSS + JavaScript
  10. Third-Party Code
  11. Fonts
  12. Images
  13. Videos
  14. Comments
  15. LCP
  16. CLS
  17. Preload, Prefetch, Preconnect
  18. Database
  19. Background Tasks
  20. Mobile
  21. WooCommerce
  22. Security
  23. PHP Version
  24. Make Sure Optimizations Are Working
  25. Speed Plugins
  26. Get Help
  27. My Setup

1. Testing Tools

Find bottlenecks on your site before jumping in.

  • Chrome Dev Tools – the coverage report shows your largest CSS/JS files and where they’re loaded from (plugins + third-party code are common culprits). So many parts of speed and web vitals are related to CSS/JS and it’s best to tackle it at the source. Removing things you don’t need is better than trying to optimize it.
  • KeyCDN Performance Test  – measure TTFB in 10 global locations. This is mainly improved with better hosting and using a performant CDN with full page caching (like APO or FlyingProxy). It also shows DNS lookup times and TLS which can be improved with a fast DNS (i.e. Cloudflare) and configuring their SSL/TLS settings.
  • PageSpeed Insights – most items come down to reducing or optimizing CSS, JS, fonts, images, TTFB, and above the fold content. For example, preload your LCP image and exclude it from lazy load, then move large plugins/elements below the fold so they can be delayed. Focus on recommendations in PSI’s opportunities + diagnostics sections, and monitor your core web vitals report in Search Console.
  • CLS Debugger – see your website’s layout shifts (CLS) on mobile/desktop in a GIF.
  • WP Hive – Chrome extension that lets you search the WordPress plugin repository and see whether a plugin impacts memory usage and PageSpeed scores, but only measures “out of the box settings” and not when content is added to the frontend.
  • Wordfence Live Traffic Report – see bots hitting your site in real-time. AhrefsBot, SemrushBot, compute.amazonaws.com and other bots can be blocked if you’re using their service. Since most bot protection services don’t block these service’s bots, you’ll need to do this manually with something like Cloudflare firewall rules.
  • WP-Optimize – see which plugins add database overhead and remove old tables left behind by plugins/themes you deleted. Does a better than job cache plugins with scheduled cleanups because it can keep a certain number of post revisions while removing junk (cache plugins delete them all, leaving you with no backups).
  • cdnperf.com + dnsperf.com – you can these as baseline for choosing a DNS/CDN provider, but it doesn’t include StackPath’s CDN (removed from cdnperf and used by RocketCDN), QUIC.cloud’s CDN or CDN (used on LiteSpeed), and other services.
  • Waterfall Charts – testing “scores” isn’t nearly as effective as measuring things in a Waterfall chart. Google’s video on optimizing LCP is a great resource and shows you the basics. You can find one in WebPageTest, Chrome Dev Tools, and GTmetrix.
  • Diagnostic Plugins –  the speed plugins section lists all plugins mentioned in the guide. It includes diagnostic plugins like Query Monitor (this is probably best for finding bottlenecks), WP Server Stats, WP Hosting Benchmark, and WP Crontrol.

2. DNS

A slow DNS causes latency which is part of TTFB (and TTFB is part of LCP).

Whoever you registered your domain through is who you’re using for a DNS. GoDaddy, NameCheap, and even Amazon Route 53 (used on Kinsta) don’t perform well on dnsperf.com. Better options include Cloudflare, QUIC.cloud, or Google (if using Google Domains). I usually recommend Cloudflare since it’s free and can be used on any setup by changing nameservers.

Cloudflare dns

3. Hosting

Rocket.net with their free Cloudflare Enterprise will outperform any “mainstream host” since you get 32 CPU cores + 128GB RAM, NVMe storage, Redis, and Cloudflare’s full page caching + Argo Smart Routing. I use them and average a <150ms global TTFB (or click through my posts).

12 things to know about hosting/TTFB

  1. Hosting is the #1 factor of site speed.
  2. TTFB is a key indicator of hosting performance.
  3. TTFB is part of core web vitals and is 40% of LCP.
  4. TTFB also affects INP (since latency is part of TTFB).
  5. SpeedVitals tests TTFB in 35 locations – use this tool!
  6. Test your site 3 times to get accurate numbers in SpeedVitals.
  7. Doing this ensures your caching and CDN are working properly.
  8. Check your average TTFB worldwide in your 3rd SpeedVitals test.
  9. Google flags your TTFB if it’s over 600ms, but under 200ms is better.
  10. PageSpeed Insights (and other testing tools) only test TTFB in 1 location.
  11. WP Hosting Benchmark also tests hosting performance (here are my results).
  12. Combining a good host/CDN is arguably the best way to improve TTFB (using a host with improved specs on top of Cloudflare Enterprise hits 2 birds with 1 stone).
Omm ttfb speedvitals 1

Mainstream hosts (like SiteGround, Hostinger, and WPX) don’t have a lot of CPU/RAM, use slower SATA SSDs, and are shared hosting with strict CPU limits which force you to upgrade plans. Cloud hosting is faster, but Kinsta still uses SATA SSDs with low CPU/RAM, PHP workers, and monthly visits (Redis also costs $100/month). Cloudways Vultr HF is who I previously used, but again, they start with only 1 CPU + 1GB RAM on slower Apache servers, PHP-FPM, and GZIP.

Here are Rocket.net’s:

All plans use 32 CPU cores + 128GB RAM with NVMe (faster than SATA), Redis (better than memcached), LiteSpeed’s PHP, and Brotli (smaller compression than GZIP). They have no PHP worker limits since only about 10% of traffic hits your origin due to their Cloudflare Enterprise.

SiteGroundHostingerKinstaCloudways Vultr HFRocket.net
Hosting typeSharedSharedCloudCloudPrivate cloud
StorageSATASATASATANVMeNVMe
CPU coresNot listed1-212132
RAM (GB)Not listed.768 – 1.53681128
Object cacheMemcachedxRedis ($100/mo)Redis (Pro)Redis
ServerNginxLiteSpeedNginxApacheNginx
PHP processingFastCGILiteSpeedFastCGIFPMLiteSpeed
CompressionBrotliBrotliBrotliGZIPBrotli
CPU limitsVery commonLow memoryLow PHP workersAverageNone

 
Why you need Cloudflare Enterprise

Because you get Enterprise features like 270+ PoPs, prioritized routing, full page caching, HTTP/3, WAF, and image optimization. 3 problems with most CDNs are their small network (PoPs) and no full page caching or image optimization. For example, WP Rocket’s RocketCDN uses StackPath which was removed from cdnperf.com and doesn’t include image optimization with a mediocre Tbps speed of 65+. SiteGround’s CDN only has 14 PoPs. QUIC.cloud CDN (for LiteSpeed) and BunnyCDN are good, but they still don’t beat Cloudflare Enterprise. Sure, you can pay $5/mo for Cloudflare’s APO, but you’re still missing out on all other Enterprise features.

3 popular hosts with Cloudflare Enterprise

Rocket.net’s Cloudflare Enterprise is free, setup automatically, and uses full page caching (unlike Cloudways). And unlike Kinsta’s, Rocket.net has Argo Smart Routing (specifically good for WooCommerce sites), load balancing, and image optimization. Rocket.net CEO Ben Gabler also used to be StackPath’s Chief Product Officer and went as far as building Rocket.net’s data centers in the same locations as Cloudflare’s. And unlike both hosts, Rocket.net doesn’t limit PHP workers (there’s no CPU limits) and monthly visit limits are 10-25 times more than Kinsta’s.

Cloudflare Enterprise (Kinsta)Cloudflare Enterprise (Cloudways)Cloudflare Enterprise (Rocket.net)
CDN PoPs270270270
Prioritized routing
Full page cachingx
HTTP/3
WAF
Argo smart routingx
Load balancingx
Image optimizationx
Automatic configurationxx
PriceFree$5/mo (1 domain)Free

 
Problems with mainstream hosts

I’ve written some pretty bad reviews about SiteGround’s slow TTFB, CPU limits, and why SG Optimizer does a poor job with core web vitals (they also control several Facebook Groups and threaten to sue people who write bad reviews). Hostinger writes fake reviews and is only cheap because you get less resources like CPU/RAM. Kinsta and WP Engine are way too expensive for how many resources, PHP workers, and monthly visits you get. Along with major incidents like WPX’s worldwide outage and SiteGround’s DNS getting blocked by Google for 4 days (both WPX and SiteGround denied responsibility). One thing is clear: most mainstream hosts appear to be more interested in profits than performance. Please do your own research before getting advice.

Getting started on Rocket.net

Step 1: Create a Rocket.net account and you’ll be prompted to add a coupon. Sign up with coupon OMM1 to get your first month for $1 (renews at $30/mo or $25/mo when paying yearly). If you sign up with my coupon or affiliate links, I get a commission which I seriously appreciate.

Rocket. Net omm1 coupon

Step 2: Request a free migration. They did this the same day and let me review my website before it was launched with no downtime. For the record, their support is better than Kinsta’s and you can reach out to Ben Gabler or his team (via phone/chat/email) if you have questions.

Step 3: Upgrade to PHP 8.1 and ask support to install Redis (they use Redis Object Cache). These are the only things I did since Cloudflare Enterprise and backups are both automatic.

Step 4: Retest your TTFB in SpeedVitals and click through your pages to see the difference. You can also search their TrustPilot profile for people mentioning “TTFB” where they’re rated 4.9/5.

Kinsta to rocket. Net migration
Moved to rocket. Net vs siteground
Rocket. Net positive review
Rocket. Net facebook review 1
Rocket. Net vs kinsta
Kinsta to rocket. Net ttfb redis
https://youtube.com/watch?v=AT3LycPIR2E%3Fautoplay%3D1
Namehero cloudways rocket. Net
I agree with this for the most part

I was previously on Cloudways Vultr HF which was great, but their Cloudflare Enterprise doesn’t use full page caching (yet) and is $5/mo with annoying challenge pages. Even if their Cloudflare Enterprise was identical, Rocket.net still outperforms them with better specs like more CPU/RAM, Brotli, and LiteSpeed’s PHP (plus better support, easier to use, and usually pricing). While Cloudways is a big improvement than most hosts, you’re already spending $18/mo for Vultr HF’s lowest 1 CPU plan with Cloudflare Enterprise. At that point, the extra $7/mo you’d be spending at Rocket.net is worth it. Rocket.net’s dashboard is also much easier.

For small sites on a budget, NameHero’s Turbo Cloud plan is similar to Hostinger between LiteSpeed, cPanel, and pricing. However, NameHero’s Turbo Cloud plan has about 1.5x more resources (3 CPU + 3GB RAM) with NVMe storage. NameHero’s support/uptimes are also better shown in TrustPilot reviews. This is one the fastest setups on a budget… you get a LiteSpeed server + LiteSpeed Cache + QUIC.cloud CDN, and email hosting. The main con is their data centers are only in the US and Netherlands. If these aren’t close to your visitors, make sure to setup QUIC.cloud’s CDN which has HTML caching (ideally the paid plan which uses all 70 PoPs).

Cpu cores on litespeed hosting plans
Litespeed cache litespeed server
Ram on litespeed hosting plans
Namehero vs siteground feedback

4. Page Builders

Elementor/Divi are slower than Gutenberg/Oxygen.

Since multiple PSI items are related to CSS/JS/fonts, many people are replacing them with lightweight alternatives. The last thing you want to do is use a slow page builder then install a bunch of “extra functionality plugins” which add even more CSS/JS. Don’t fall into this trap. If you don’t want to ditch your page builder completely, there are still ways you can optimize it.

  • Divi/Elementor add extra CSS/JS/fonts to your site.
  • Adding more page builder plugins can slow it down more.
  • GeneratePress (what I use), Kadence, Blocksy, Oxygen are faster.
  • If using Elementor, try the settings under Elementor → Experiments.
  • Same thing with Divi (Divi → Theme Options → General → Performance).
  • If using Astra Starter Sites, use a template built in Gutenberg (not Elementor).
  • Use CSS for your header/footer/sidebar (instead of bloated page builder code).
  • Elementor has a theme customizer setting to host fonts locally + preload them.
  • If you don’t use Elementor font icons, disable them or use custom icons instead.
  • If you don’t use elementor-dialog.js for popups, disable it (i.e. using Perfmatters).
  • Many page builder plugins are module-based, so disable modules you don’t use.
  • Simplify your design by using less widgets/columns (here’s a YouTube video on it).
  • If you preload critical images in FlyingPress or Perfmatters, this excludes above the fold images from lazy load and preloads them to improve LCP. However, it doesn’t work with Elementor image widgets (go through your page builder + cache plugin documentation).
  • Background images aren’t lazy loaded by default because they’re loaded from a separate CSS file. Some cache plugins support a lazy-bg class you can use to lazy load backgrounds.
  • WP Johnny offers page builder removal services but he’s expensive and usually a busy guy.
Fastest wordpress themes
View test
Elementor css
Use the coverage report to find page builder plugins adding CSS/JS

5. CDN

Have a slow TTFB in KeyCDN’s performance test?

A performant CDN with HTML caching (and other CDN features) can be the difference maker. While cdnperf.com is a good baseline, there are other things to consider.

Start by looking at their network page (you’ll see BunnyCDN’s network has more PoPs and faster a Tbps than StackPath). Also look at the features (for example, RocketCDN only serves files from the CDN and nothing else while other CDNs do a lot more than just “serving files.” Cloudflare’s dashboard has hundreds of optimizations to improve speed, security, and CPU usage. Aside from choosing a good CDN, make sure to also take advantage of everything it offers. Or just use a service like FlyingProxy/Rocket.net that integrates Cloudflare Enterprise.

CDNPoPsPriceRating
Cloudflare270Freemium2.1
BunnyCDN93$.01 – $.06/GB4.8
QUIC.cloud70Free or $.02 – $.08/GB3.0
Google Cloud CDN100+Varies where purchasedN/A
CloudFront310Free 50GB/yr then $0.02 – $.16/GB4.4
KeyCDN40$.01 – $.11/GB4.5
StackPath (Used By RocketCDN)50Varies where purchased or $7.99/mo2.3
SiteGround CDN14Free on SiteGroundN/A
WPX XDN25Free on WPXN/A

Cloudflare – it’s hard to beat Cloudflare with 270+ data centers and all the robust features. Open your Cloudflare dashboard and use the recommendations below to configure settings.

Free Cloudflare Features I Recommend Using

  • CDN – in your DNS settings, find your domain and change the proxy status to Proxied (orange cloud). This is needed for several Cloudflare features to work.
  • TLS version – set minimum TLS version to 1.2 and make sure TLS 1.3 is enabled.
  • Firewall rules – often used to block access to wp-login, XML-RPC, and “hacky” countries. Firewalls block attacks along with unwanted requests to the server.
  • Bot protection – block spammy bots from hitting your server. I would also check your Wordfence live traffic report to see bots hitting your website in real time and manually block bots like AhrefsBot + SemrushBot if you don’t use them. Bot fight mode can add a JS file to your site (invisible.js) and cause PSI errors (so test this).
  • Brotli – this only works if your host supports Brotli, otherwise GZIP will be used.
  • Early hints – while the server is waiting for a response, preload/preconnect hints are sent to the browser so resources load sooner, reducing your server think time.
  • Browser cache TTL – 1 year is good for static sites (my blog is mostly static so this is what I use) or use 1 month for dynamic sites. This is recommended by Google and can fix serve static assets with an efficient cache policy in PageSpeed Insights.
  • Crawler hints – helps search engines efficiently time crawling and save resources.
  • Cache reserve – improves cache hit ratio by making sure specific content is being served from Cloudflare even when the content hasn’t been requested for months.
  • Workers – deploy code on Cloudflare’s edge servers (try the playground). Workers are serverless with automatic scaling + load balancing. Obviously involves coding knowledge and can reduce LCP by 80%. It can also be used for external cron jobs.
  • Cache everything page rule – most common page rule which caches HTML and improves TTFB, but I recommend APO or Super Page Cache for Cloudflare instead.
  • HTTP/3 – not true HTTP/3 but still a nice feature (test your site using HTTP/3 test).
  • 0-RTT connection resumption – good for repeat visitors, latency, mobile speed.
  • Hotlink protection – saves bandwidth by stopping people from copying your images and using them on their own website while they’re hosted on your server.
  • Zaraz – offload third-party scripts to Cloudflare like Google Analytics, Facebook Pixel, chatbots, and custom HTML. But test your results against delaying these.
  • Monitor bandwidth/analytics – the more bandwidth you offload to Cloudflare the better. This should lighten the load on your server while reducing CPU usage.

Paid Cloudflare Features

  • APO – caches HTML which can improve TTFB in multiple global locations.
  • WAF – block unwanted requests, improve security, and reduce CPU usage.
  • Argo + Tiered Cache – route traffic using efficient paths with Tiered Cache.
  • Image optimizations – I prefer these over plugins. Between all 3 (image resizing, Mirage, Polish), you don’t have to use a bloated image optimization plugin and they usually do a better job. You have features like compression/WebP and they also have mobile optimizations like serving smaller images to reduce mobile LCP.
  • Signed Exchanges – improves LCP when people click links in Google’s search results via prefetching which Google says can lead to a substantial improvement.
  • Load Balancing – creates a failover so your traffic is re-routed from unhealthy origins to healthy origins. Can reduce things like latency, TLS, and general errors.
  • Cloudflare Enterprise – majors benefits include prioritized routing, more PoPs, Argo + Tiered Cache, full page caching, image optimization, and other features depending where you get it from. The easiest/cheapest way is to use a host with Cloudflare Enterprise or FlyingProxy (I recommend Rocket.net’s who even built their data centers in the same locations as Cloudflare). It’s just more thought out than Cloudways/Kinsta. You could also consider using Cloudflare Pro which has some of these features. It requires more configuration but gives you more control.
Opcache memcached redis
Take advantage of different caching layers your host offers

BunnyCDN – Gijo suggests Cloudflare + BunnyCDN which is what I’ve used for a long time. If you’re using FlyingPress, FlyingCDN is powered by BunnyCDN with Bunny Optimizer + geo-replication. It’s also cheaper than buying these directly through BunnyCDN and easy to setup.

Cloudflare with bunnycdn

QUIC.cloud – use this if you’re on LiteSpeed. You’ll want to use the standard (paid) plan since the free plan only uses 6 PoPs and doesn’t have DDoS protection. It has HTML caching which is similar to Cloudflare’s full page caching and is also needed for LSC’s image/page optimizations.

Quic. Cloud cdn free vs. Standard plan

RocketCDN – uses StackPath which was removed from cdnsperf.com and has less PoPs, slower Tbps, no image optimization, no HTML caching, and no other features besides serving files from a CDN. Also isn’t “unlimited” like WP Rocket advertises since they will cut you off at some point.

SiteGround CDN – not a lot of PoPs/features and you have to use their DNS to use it (which if you remember, was blocked by Google for 4 days). I personally wouldn’t trust this with my site.

6. Cache Plugins

Let’s summarize 5 popular cache plugins in 10 lines or less.

FlyingPress – optimizes for core web vitals and real-world browsing better than the last 3. When a new core web vital update comes out (like fetchpriority resource hints), Gijo is almost always first to add it. Awesome features not found in most cache plugins: preloading critical images lets you set the number of images usually shown above the fold to exclude them from lazy load while preloading them. FlyingPress can also lazy render HTML elements, self-host YouTube placeholders, and it has a lazy-bg helper class for lazy loading background images. FlyingCDN uses BunnyCDN with Bunny Optimizer + geo-replication (great choice). The remove unused CSS feature is faster than WP Rocket’s since it loads used CSS in a separate file (instead of inline) which Perfmatters agrees is faster for visitors. Really, the main thing it doesn’t have is server-level caching. I moved from WP Rocket to FlyingPress and saw a big difference in speed.

SG OptimizerWP RocketFlyingPress
Server-side cachingxx
Delay JavaScriptx
Remove unused CSSxInlineSeparate file
Critical CSSx
Preload critical imagesxxBy number
Exclude above the fold imagesBy classBy URLBy number
Lazy load background imagesxInlineHelper class
Fetchpriority resource hintxx
Lazy render HTML elementsxx
Add missing image dimensionsx
YouTube iframe preview imagex
Self-host YouTube placeholderxx
Host fonts locallyxx
Font-display: swapx
Preload linksx
CDN (beyond Cloudflare)SiteGround CDNStackPathBunnyCDN
CDN PoPs146093
CDN TbpsN/A6580
Dynamic cachingxx
CDN geo-replicationxx
CDN image optimizationx
CDN image resizing for mobilexx
Documented APO compatibilityxx

LiteSpeed Cache – also does a great job optimizing for web vitals and real users, but different than FlyingPress. Mainly because it should only be used on LiteSpeed, it’s free, and it has faster server-side caching. However, the settings can be complicated. While some settings are similar to FlyingPress like loading used CSS in a separate file and lazy loading HTML elements, it has its own unique features such as localizing third-party resources, ESI, guest mode, LQIP, and HTML caching through QUIC. Use LSC if you’re on a LiteSpeed host. Anything else, I’d use FlyingPress.

WP Rocket – removing unused CSS is slower for visitors and RocketCDN isn’t a good CDN. WP Rocket doesn’t self-host fonts (or even recommend it) or video placeholders. Excluding above the fold images from lazy load and preloading them individually is tedious. Still no image optimization or documented APO compatibility. While Gijo releases many new features and updates FlyingPress to address core web vital updates, it seems WP Rocket has fallen behind. Two good things about WP Rocket are automatic delaying of JavaScript and documentation.

SiteGround Optimizer – great for caching, not for web vitals. Lacks way too many features and has a history of compatibility issues the developers blame on third-party plugins/themes if you check support threads. My advice is to only use it for caching, disable everything else, then use FlyingPress or WP Rocket (just make sure page caching is only enabled in 1 plugin and disabled in the other). Of course, SiteGround will glorify their cache plugin even when it’s clearly inferior.

NitroPack – don’t use this! The only reason you get better “scores” is because it moves elements off the main-thread so they can’t be detected in speed testing tools. This leads to great (but false) scores and it doesn’t actually do a good job making your website load faster compared to other plugins. Google “NitroPack blackhat” and you’ll find plenty of articles on it.

7. Other Caching

Cache plugins are just 1 layer.

Check whether your host supports object cache (Redis/memcached), OPcache, and HTTP accelerators like Varnish/FastCGI. Most do but they need to be enabled or set up manually.

You also have CDN caching which is its own layer. All these are meant for different things and you should ideally use most (if not all) them. People get scared they’re using too much caching, but as long as you’re only using 1 type of layer (not both Redis + memcached), it’s a good thing.

  • OPcache – enable in your host (can help reduce CPU usage).
  • Browser cache – enable in your cache plugin (stores files in browsers).
  • HTTP accelerators – enable in your host (probably Varnish or FastCGI).
  • Object cache – Redis generally uses memory more efficiently than memcached and is good for large/eCommerce sites. Once it’s enabled in your host, you’ll connect it your site using a plugin (i.e. LiteSpeed Cache, W3 Total Cache, SG Optimizer, WP Redis). Check your host’s documentation/support on which plugin is best. For example, Rocket.net requires you to install the WP Redis plugin while Cloudways requires you to install the Redis addon.
  • CDN cache – APO is not the same as a cache everything page rule or the Super Page Cache plugin. QUIC also does HTML caching, then there are services that include Cloudflare’s full page cache like Rocket.net’s Cloudflare Enterprise, FlyingProxy, and SiteGround Optimizer. The key thing is that you’re caching HTML somewhere as it can significantly improve TTFB.
Opcache memcached redis
Take advantage of different caching layers your host offers

8. Plugins

Watch out for plugins that:

  • Add CSS/JS to the frontend – use the Chrome Dev Tools coverage report to see which plugins add CSS and JS. This includes plugins that inject third-party JavaScript or fonts.
  • Increase CPU usage – common with plugins that collect “statistics” like Wordfence’s live traffic report, Query Monitor, and Broken Link Checker. But can really be from any plugin. WP Hive tells you if a plugin increases memory usage when browsing the WP plugin repo.
  • Add database bloat – use WP-Optimize to see which plugins (or specific plugin modules) add the most database overhead. This is explained more in this guide’s database section.
  • Load above the fold – slow plugins are bad enough, but loading them above the fold is even worse. When plugins load below the fold, you can delay them (i.e. comment plugins).
  • Use jQuery – Perfmatters has a script manager setting to show dependencies. Once it’s enabled, head to the script manager → jQuery and it shows you all plugins using jQuery. Felix Arntz wrote an article on how removing jQuery can reduce JavaScript by up to 80%.
Jquery plugin dependencies 1
Perfmatters shows plugins that depend on jQuery

Lightweight Alternatives

  • Social Sharing – Grow Social.
  • Tables – Gutenberg block (no plugin).
  • Gallery – Gutenberg block (no plugin).
  • Buttons – Gutenberg block (no plugin).
  • Comments – native comments (no plugin).
  • Image Optimization – image CDN (no plugin).
  • Translate – MultilingualPress, Polylang (not WPML).
  • Security – no security plugin (Cloudflare, firewall, etc).
  • Sliders – Soliloquy or MetaSlider (but ideally no sliders).
  • Analytics – call me crazy but I only use Google Search Console.
  • SEO – Rank Math or SEOPress (but most SEO plugins use jQuery).
  • CSS – need custom styling or even a table of contents? Just use CSS.
  • Backups – hosting backups or a lightweight alternative like UpdraftPlus.

In Query Monitor, the “queries by component” section shows your slow plugins. You can also use my list of 75+ common slow plugins. Finally, delete all plugins you’re not using (as well as their database tables in WP-Optimize), and disable plugin features/modules you’re not using.

PluginCategoryMemory ImpactPageSpeed Impact
All In One SEOSEOxx
Broken Link CheckerSEOx
DisqusCommentsx
Divi BuilderPage Builderxx
ElementorPage Builderxx
Elementor Premium AddonsPage Builderx
Elementor ProPage Builderxx
Elementor Ultimate AddonsPage Builderx
JetElementsPage Builderxx
JetpackSecurityxx
NextGEN GalleryGalleryxx
Popup BuilderPopupxx
Site Kit by GoogleAnalyticsx
Slider RevolutionSliderxx
Social Media Share ButtonsSocial Sharingx
WooCommerceWooCommercexx
WordfenceSecurityx
wpDiscuzCommentsxx
WPMLTranslatexx
Yoast SEOSEOx

9. CSS + JavaScript

Probably the #1 reason for poor core web vitals.

New Optimizations

  • Remove unused CSS – WP Rocket’s method of loading used CSS inline is slower for visitors but better for scores. You should ideally use FlyingPress, LiteSpeed Cache, or Perfmatters for this which loads used CSS in a separate file so it can be cached and doesn’t increase HTML size. You should only be using 1 plugin for this. If you’re not using an optimization plugin that does this, try DeBloat or PurifyCSS.
  • Remove Gutenberg CSS – if you don’t use Gutenberg’s block library (i.e. you’re using classic editor), you can remove Gutenberg’s CSS which is loaded by default.
  • Asset unloading plugins – remove CSS/JS (or entire plugins) from specific pages/posts where they don’t need to load. Common examples are only loading contact forms on the contact page, only loading social sharing plugins on posts, and disabling WooCommerce plugins where they’re not used. You can also disable specific files like jQuery and elementor-dialog if you don’t use them. I recommend Perfmatters especially if you’re using WP Rocket or SiteGround Optimizer because it has many optimizations not found in these plugins. Be sure to use test mode and dependencies in your script manager settings. For a free plugin, try Asset CleanUp.
  • Critical CSS – loads above the fold CSS immediately which improves LCP. Most cache plugins do this while others (like SG Optimizer) don’t. If you make changes to stylesheets or custom CSS, regenerate critical CSS so it’s current with your site.
  • Load CSS/JS non render-blocking – both deferring JavaScript and critical CSS help serve resources non render-blocking. Make sure they work in your cache plugin and exclude files from defer if they break your site. Or try Async JavaScript.
  • Minify – Cloudflare lets you do this but you should use your cache plugin instead.
  • Don’t combine – should almost always be off especially on big sites or on HTTP/2.

Optimizations Covered In Other Sections

  • Page builders – Elementor/Divi add extra CSS/JS which can be optimized with their built-in performance settings, coding your header/footer/sidebar in CSS, disabling Elementor fonts/dialog, lazy loading background images in CSS, etc.
  • Plugins – just look at the screenshot below (plugins are obviously a major factor).
  • Third-party code – hosting files locally, delaying JavaScript, and using a smaller GA tracking code can reduce its size or delay so it doesn’t impact initial load times.
  • Font Icons – disable these if you don’t use them or use Elementor’s custom icons.
  • WooCommerce – disable scripts/styles on non-eCommerce content and disable Woo plugins where they don’t need to load (many load across the entire website).
Css javascript chrome dev tools
Use the coverage report to find your largest CSS/JS files

10. Third-Party Code

This is anything on your site that has to pull info from a third-party domain (like Google Fonts, Google Analytics tracking code, or an embedded YouTube video). It’s a common reason for JS-related errors in PSI. Luckily, most of it can be optimized especially if it’s shown below the fold.

  • Step 1: Host files locally – some third-party code can be hosted locally (see the table below). LiteSpeed Cache can localize resources, FlyingPress can host fonts/YouTube thumbnails locally, Perfmatters does fonts and analytics, and WP Rocket does nothing.
Third-Party CodeURL(s)Plugins To Host It Locally
Google Fontsfonts.gstatic.comMost optimization plugins, Elementor, OMGF
Google Analyticsgoogle-analytics.comFlying Analytics, Perfmatters
Gravatarsgravatar.comSimple Local Avatar
YouTube Thumbnailsi.ytimg.comFlyingPress, WP YouTube Lyte
  • Step 2: Delay JavaScript – for third-party code that can’t be hosted locally, delay its JavaScript if it’s loading below the fold (you can also delay plugins loading below the fold). WP Rocket does this automatically while other cache plugins make you add files manually. If your cache plugin doesn’t support this, use Perfmatters or Flying Scripts. In these, you’ll set a timeout period and can increase this if you’re not seeing good results. You can try offloading third-party code to Cloudflare Zaraz, but I prefer delaying its JS.
ga( '
ga('
google-analytics.com/analytics.js
analytics.js
gtagv4.js
analytics-minimal.js
/gtm.js
/gtag/js
gtag(
/gtm-
adsbygoogle.js
grecaptcha.execute
optimize.js
fbevents.js
fbq(
/busting/facebook-tracking/
disqus.com/embed.js
script.hotjar.com
wp-content/themes/script-name
wp-content/plugins/plugin-name
  • Step 3: Prefetch or preconnect everything else – for all third-party code that can’t be hosted locally or delayed, add a DNS prefetch resource hint. Preconnect is usually only used for CDN URLs (not needed for Cloudflare), and third-party fonts (should be hosted locally). Or YouTube if you can’t eliminate requests using video optimizations in step #13.
  • Google Analytics – Perfmatters + Flying Analytics can use a minimal analytics tracking code that’s just 1.5 KB. Perfmatters can also prevent a Doubleclick request by disabling display features, but both these should only be used if you don’t need certain data in GA.
  • Avoid overtracking – one of the most common “mistakes” I see is sites using too many tracking tools: Analytics, Tag Manager, Heatmaps, Pixel, etc. Do you really need them all?
Reduce impact of third party code wordpress

11. Fonts

Probably your largest files after CSS/JS.

Your GTmetrix Waterfall chart shows font load times, number of requests, and whether they’re served locally or from a third-party domain like fonts.gstatic.com or use.fontawesome.com. Be sure to keep tabs on your Waterfall chart as you make optimizations. Fonts can also cause FOIT and FOUT which cause layout shifts. A few simple tweaks can make your fonts load much faster.

  • Reduce font families, weights, icons – try to only use 1 font family and only load the weights you actually use. Disable Font Awesome and Eicons if you don’t use them (Elementor has a tutorial on this). Some fonts also have larger file sizes than others.
  • Use WOFF2 – the most lightweight/universal format which is faster than .ttf and .otf.
  • Host locally – if your fonts are being served from fonts.gstatic.com, host them locally.
  • Preload – fonts should be preloaded when they load above the fold or used in CSS files. Most cache/optimization plugins require you to manually add font files (and if there’s a crossorigin option like in Perfmatters, it should be used for fonts). Elementor hosts fonts locally and preloads them under Theme Customizer → Performance. PSI used to tell you which fonts to preload in “preload key requests” but I don’t think they do this anymore.
  • Add font-display: optional – if you need to “ensure text remains visible during webfont load,” add font-display: optional to your font’s CSS. This is recommended by Google for the fastest performance while preventing layout shifts. It delays loading text up to 100ms. As of writing this, most plugins only support swap found in Elementor, Perfmatters, and most cache plugins. To use optional, you need to add it manually to your font’s CSS, use WP Foft Loader, or use swap until your optimization plugin supports optional. Preloading fonts that use font-display: optional completely eliminates layout shifts (FOIT) from fonts.
  • Load fonts inline – Elementor and Divi have options to do this and so does FlyingPress.
  • System fonts – system fonts generate 0 requests and are obviously best for speed, but even for someone who obsesses over performance, I’d rather have a better looking font.
  • Use custom Icons for Elementor – replace Font Awesome and Eicons with custom icons.
  • Serve Google Fonts from Cloudflare Workers – I’ll leave this here if you want to dive in.

12. Images

There are 7 PSI items related to image optimization, and that doesn’t even cover everything.

Image optimization pagespeed insights
  • Preload critical images and exclude them from lazy load – above the fold content should load immediately which is a big factor of LCP. Instead of delaying images with lazy load, you want the browser to download them immediately by using preload. The easiest way to do this (by far) is “preload critical images” in FlyingPress or Perfmatters. Instead of manually excluding/preloading above the fold images on every single page/post (because they’re usually different), you will set the number of images usually shown above the fold. In my case, it’s 3. This will preload your top 3 images while excluding them from lazy load. Currently, FlyingPress is the only cache plugin I know that supports fetchpriority which is recommended by Google to set things like your LCP image to “high priority.” Props to Gijo.
Above the fold images
Exclude above the fold images from lazy load and preload them
  • LCP image – your most important image to optimize for lower LCP (shown in PSI).
  • Background images – page builders serve background images in their CSS and won’t be lazy loaded, leading to ‘defer offscreen images’ errors. Some cache plugins have a lazy-bg helper class, Perfmatters has a CSS background images setting, and WP Rocket makes you move them to inline HTML. Check the documentation in your cache/image optimization plugin on how to lazy load them. You can also use Optimal or add a helper class yourself.
  • Image CDNs – I use Cloudflare for image optimization but Bunny Optimizer and QUIC are good too. They usually do a better job than plugins (and it’s 1 less plugin on your website).
  • Resize images for mobile – make sure your image optimization plugin (or image CDN) serves smaller images to mobile which should also improve your LCP on mobile. This is the “image resizing” feature in Cloudflare, or you could use ShortPixel Adaptive Images.
  • Properly size images – resize large images to be smaller. My blog is 765px width so I crop/resize blog images to that size (the Zoom Chrome Extension is handy for getting the perfect dimensions when taking screenshots). I always recommend creating an “image dimensions cheat sheet” so you know the size of your blog, featured, sidebar images, etc.
  • WebP – faster than JPEG/PNG and most image optimization plugins or CDNs can do this.
  • Compression – Lighthouse test images at 85% so that’s usually a good compression level.
  • CSS sprites – combines multiple small/decorative images into 1 image so it only creates 1 request. My old homepage used a CSS sprite and it was very fast. You can do it for sections like “featured on” where you show a bunch of logos. You would use a CSS sprite generator.
  • Specify dimensions – most cache plugins can “add missing dimensions” otherwise you would need to add a width/height to the image’s HTML or CSS. This prevents layout shifts.
  • Downgrade quality on slow connections – services like Cloudflare Mirage + Optimole serve low quality images on slow connections until a faster connection can be accessed.
  • Hotlink protection – stops people from using your images when they’re hosted on your server and saves bandwidth. Common with sites using high quality images or if people copy your content. Can be enabled in your host or by using Cloudflare’s hotlink protection.
  • Low quality images placeholders (LQIP) – if you’re using QUIC.cloud on LiteSpeed, these can prevent layout shifts but you need to make sure you’re doing it right or it will look bad.

13. Videos

Unless videos are optimized, they will probably be the slowest thing on a page.

While most cache plugins lazy load videos and replace iframes with a preview image, FlyingPress and WP YouTube Lyte are some of the only plugins that optimize placeholders.

  • Lazy load videos – done in cache plugins, Perfmatters, or try WP YouTube Lyte.
  • Replace YouTube iframes with preview images – the iframe (which is the heaviest element of the video) is only loaded once your visitors actually click the play button.
  • Self-host YouTube placeholders – FlyingPress and WP YouTube Lyte can self-host placeholders to prevent i.ytimg.com requests shown in your “third-party code” report.
  • Preconnect – if you’re not able to make the optimizations above and you still have third-party domains loading from YouTube, you can preconnect domains from youtube.com, i.ytimg.com, and Roboto which is currently being used as the font in the YouTube player.
https://youtube.com/watch?v=FssULNGSZIA%3Fautoplay%3D1

14. Comments

Third-party comment plugins, Gravatars, or just lots of comments can slow down WordPress.

  • Use native comments (not plugins).
  • Cache Gravatars if using LiteSpeed Cache.
  • Delay third-party comments plugins and Gravatars.
  • Use a local avatar plugin to prevent Gravatar requests.
  • If you must use Disqus, use the conditional load plugin.
  • Break comments in your WordPress discussion settings.
  • Try using a “load more comments” button especially on mobile.
  • Lazy load comments/footer (can be done in FlyingPress or LSC).
  • wpDiscuz has options for lazy loading and initiating AJAX loading after page.
Lazy render html elements flyingpress
Some optimization plugins can lazy load any HTML element (including comments)

15. LCP

Largest contentful paint is the core web vital people struggle with most.

View your “longest main-threads tasks” report in PageSpeed Insights and optimize those files. LCP includes 4 sub-parts and Google’s YouTube video is a nice resource for optimizing each one.

Largest contentful paint breakdown google
LCP breakdown
LCP Sub-PartFactorsLCP %
TTFBPrimarily hosting and CDNs + full page caching~40%
Resource load delayExclude above the fold content from optimizations, resource hints<10%
Resource load timeReduce image/CSS/JS sizes, critical CSS, CDN, cache expiration~40%
Element render delayRender-blocking CSS/JS, JS file size, font-display optional<10%

Most LCP recommendations are scattered in this guide, so I’ll just go over them briefly.

  • Exclude above the fold images from lazy load – you should never lazy load, delay, or defer anything that loads above the fold because this content should load immediately, which is why you should also use preload hints to help browsers download them faster.
  • Prioritize above the fold images – preload above the fold images (or use fetchpriority). PSI shows your largest contentful paint image which is the most important to optimize.
  • Reduce CSS, JS, font sizes – a big part of reducing load time is reducing their file sizes.
  • Reduce TTFB – 40% of LCP can usually be improved with a better hosting + CDN setup.
  • Eliminate render-blocking CSS/JS – render-blocking resources add delay (see video).
  • Use font-display: optional – if fonts aren’t loaded properly, they can also add delay.
  • Lazy render HTML elements – allows browsers to focus on the above the fold content.
  • Preload, preconnect, prefetch – hints browsers to download specific resources faster.
  • Increase cache expiration – also mentioned by Google (Cloudflare browser cache TTL).
  • Choose the right cache plugin/settings – some have better optimizations than others.
  • Enable Signed Exchanges (SXGs) – this is found in Cloudflare (Speed → Optimization).
  • Use Cloudflare Workers – Google Engineer used Workers to improve LCP by about 80%.
  • Move plugin content, ads, animations below the fold – that way, they can be delayed.

16. CLS

Layout shifts happen when things jump around while the page is loading.

You can use Google’s layout shift debugger to see these in a GIF. PSI also has an “avoid large layout shifts” item showing you which sections on your website contribute the most to CLS. Even with these recommendations, it’s hard to know why the section is causing a layout shift.

  • Change font-display to swap or optional – do this if you see “ensure text remains visible during webfont load.” As shown in section #11, font-display: optional is the best method.
  • Problems with loading CSS asynchronously – this is a setting in cache plugins that can add layout shifts caused by FOUC (flash of unstyled content). Ideally use the “remove unused CSS” method instead. If this breaks your site and you default back to loading CSS asynchronously, make sure you exclude problematic files causing FOUC, ensure critical CSS is working, and always regenerate critical CSS after updating stylesheets/custom CSS.
  • Preload fonts – preloading fonts eliminates layout shifts when they use display: optional.
  • Specify dimensions of images, videos, iframes, ads – the first 3 are easy (make sure a width and height are specified in images). Ads and other dynamic content should have reserved space by placing it in a div code. The width/height should be the ad’s largest size.
  • Use CSS transform in animations – not a fan of animations but here’s documentation.
  • Use separate mobile cache (when it makes sense) – if your mobile site is different than desktop and you’re not using a separate mobile cache, it can cause layout shifts. However, you’ll need to check your cache plugin’s documentation on when to use (and not use) this.
  • Change cookie notice plugin – search your plugin’s support thread. It’s been reported some cookie plugins cause layout shifts. I recommend Gijo’s solution or this Cookie plugin.
Cumulative layout shift

17. Preload, Prefetch, Preconnect

These help browsers download high priority resources faster.

They prioritize above the fold content (preload + fetchpriority). Preload is also used in Cloudflare’s Early Hints and for downloading internal pages in the background so they load faster when visitors click them (link preloading + Flying Pages). Prefetch + preconnect help establish early connections to third-party domains if resources aren’t already being delayed.

Preload – commonly used for above the fold images (this can also be a WebP image) but can also be used for CSS/JS (i.e. the block library), videos, audio, Cloudflare workers, and other files.

<link rel="preload" href="/image.webp?x36994" as="image">
<link rel="preload" href="/font.woff2" as="font" crossorigin>

Fetchpriority – similar to preload only assigns a priority (low, high, auto). For example, if you have a large LCP image, you would assign that image’s priority to “high.” But if you have an image carousel that’s loading above the fold, you could assign the images with a low priority. FlyingPress is the only plugin I know currently supporting fetchpriority shown in the changelog.

<img src="lcp-image.webp" fetchpriority="high">

Link preloading – there’s 2 main types: preloading links in the viewport so internal links in the immediate content load faster when clicked (supported by Flying Pages and FlyingPress). And “link preloading” where users hover over any internal link (or touch it on mobile), and the page will download in the background so by the time they actually click it, it appears to load instantly (found in cache plugins like WP Rocket). While neither improves scores, both improve perceived load time. Just be careful… preloading too many pages in the background will increase CPU usage especially if you have something like a WooCommerce store with internal links in images. If visitors are hovering over product images, this will cause lots of pages to download. Not good!

Flying pages by wp speed matters

DNS Prefetch – this helps browsers anticipate third-party domains by performing a DNS lookup, but usually not needed since third-party domains should be hosted locally or delayed.

<link rel="dns-prefetch" href="https://connect.facebook.net">
<link rel="dns-prefetch" href="https://www.googletagservices.com">

Preconnect – establishes early connections to important third-party domains. Common with CDN URLs and third-party fonts like fonts.gstatic.com, use.fontawesome.com, and use.typekit. Most cache plugins add preconnect automatically when you add a CDN URL or when enabling “Google Font Optimization” (or a similar setting), but you’ll want to check their documentation.

<link rel="preconnect" href="/assets/vendor/gstatic" crossorigin>
<link rel="preconnect" href="https://cdn.yourdomain.com" crossorigin>
Preload font perfmatters
You can use Perfmatters or Pre* Party if your optimization plugin doesn’t support a specific resource hint

18. Database

There’s usually 3 problems with using your cache plugin to clean your database:

  • It can’t take database backups.
  • It can’t remove database tables left behind by old plugins.
  • It deletes all post revisions, but you may want to keep a few.

That’s why I recommend WP Optimize for database cleanups. Go through your database tables and look for tables that are not installed or inactive. You can delete these if you don’t plan on using the plugin (or theme) again since they will usually store info in the database for future use.

Wp optimize unused database tables

Certain plugin modules/features can also add lots of overhead especially if they collect data. Rank Math’s Google Analytics module adds lots of overhead, so consider disabling this Rank Math module and getting your analytics data directly from the Google Analytics website instead.

Rank math database bloat

For ongoing database cleanup, WP-Optimize removes everything most cache plugins do, but it lets you keep a certain amount of post revisions so you have backups (I recommend 5-10). You can also connect UpdraftPlus which takes a database backup before scheduled optimizations.

Wp optimize schedule database cleanup settings

19. Background Tasks

Background tasks can bog down your server and increase CPU usage.

These are common with cache plugins (preloading + automatic cache clearing), plugins that collect stats or create autoloads, and even WordPress core (Heartbeat, autosaves, pingbacks). Many of these can be disabled, limited, or scheduled during non-peak hours using a cron job.

  • Control Preloading – the preloading in cache plugins is infamous for increasing CPU usage (WP Rocket’s preloading, LSC crawler, SG Optimizer’s preheat cache, etc). The first step is changing settings to only preload important sitemap URLs (i.e. page-sitemap.com + post-sitemap.com) instead of the full sitemap. Next, you can increase the preload interval.
Wp rocket sitemap preloading
Only preload important sitemap URLs (not the full sitemap)
  • Automatic cache clearing – there are specific actions that trigger your entire cache to be cleared (and when the cache lifespan expires). Instead of constantly clearing cache with these actions, disable automatic cache clearing and use a cron job to clear it at a specific time (once at night). It’s best to use a cron job for both cache clearing + cache preloading.
  • Disable WP-Cron – using an external cron to schedule tasks like the 2 items above helps reduce CPU usage. The first step is to add the code below your wp-config.php file. Next, setup a real cron job in your host, Cloudflare, or using a third-party service like EasyCron. Some hosts have specific instructions for adding a cron job, so check their documentation.
define('DISABLE_WP_CRON', true);

Now add a real cron job.

Cron job minutes
wget -q -O - https://yourwebsite.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1
External cron job
Scheduling tasks using cron jobs for 5-10 minutes can reduce CPU usage
  • Remove unused CSS – decrease WP Rocket’s batch size and increase the cron interval.
  • Link preloading – some cache plugins can “preload links” which sounds like a good idea because when users hover over a link, that page downloads in the background to make it load faster by the time users actually click it. But if your website has lots of links (such as a WooCommerce store with links in the product images), you’ll want to leave this setting off.
  • Plugins – think of Query Monitor, Wordfence’s live traffic report, and backup/statistic plugins (they all run background tasks). You might be able schedule these, disable specific features in plugins, or delete the plugin completely. Plugins/themes can also leave behind autoloaded data when you delete them which can be cleaned up in the wp_options table.
  • Autosaves – when you’re editing a post, WordPress autosaves a draft every minute. You can use a simple line of code (or Perfmatters) to increase this to something like 5 minutes.
define('AUTOSAVE_INTERVAL', 300); // seconds
  • Heartbeat – called every 15s and can usually be disabled in the frontend/backend, then limited in the post editor since you probably want to keep features there (like autosaves).
  • Pingbacks – disable pingbacks since you don’t want a notification every time you add an internal link. You may want to leave trackbacks on to help notify blogs you linked to them.
  • Post revisions –  stored every time you hit save, publish, or update and accumulate over time. You can limit revisions in some optimization plugins, manually with code, or use WP-Optimize to run scheduled database cleanups while keeping a certain number of revisions.
define( 'WP_POST_REVISIONS', 10 );
  • Plugin data sharing – disable in plugins to save a little resources, sorry plugin developers!
  • Bots – blocking spam bots and using Cloudflare’s crawler hints saves resources from bots.
  • Comment spam – I use Antispam Bee and blacklist these words in the Discussion settings.
  • Hosting features – WP Johnny has nice tips on disabling unused services in your hosting account like the DNS, email, FTP/SFTP, proxies, or other services if you’re not using them.
  • Bloat removal plugins – using plugins like Unbloater + Disable WooCommerce Bloat help.

20. Mobile

Poor mobile scores in PSI is a common issue. Most desktop optimizations transfer over to mobile so start with “general optimizations” first. Otherwise, here are mobile-specific tips.

  • Resize images for mobile – image CDNs and adaptive image plugins do this.
  • Reduce latency – use a faster DNS, faster TLS versions, and Cloudflare’s 0-RTT.
  • Replace sliders/galleries with static images – use responsive editing to do this.
  • Remove unused CSS/JS – Perfmatters can disable unused CSS/JS by device type.
  • Don’t use AMP – lots of challenges and most WordPress users agree not to use it.
  • Fix mobile layout shifts – Google’s layout shift debugger tests mobile layout shifts.
  • Use mobile caching – enable this in your cache plugin or use one that supports this.
  • Know when to use separate mobile cache – check your cache plugin documentation.
  • Downgrade image quality on slow connections – try Cloudflare Mirage or Optimole.
  • Check your responsiveness – even if you use a responsive theme, check this manually.
  • Add a “load more comments” button on mobile – helps if you have lots of comments.
Flyingpress responsive images
Most image CDNs serve smaller images to mobile (but not RocketCDN)
Perfmatters disable plugins on mobile
Disable specific files/plugins from loading on mobile in Perfmatters

21. WooCommerce

WooCommerce sites often have more plugins, scripts, styles, and are more resource-hungry than static sites. You will need to optimize your website even more if you want good results.

  • Hosting – wphostingbenchmarks.com ran tests for multiple WooCommerce hosts, although I think there are much better options than the ones tested (I would personally lean towards something like Rocket.net, GridPane, RunCloud). Obviously very important.
  • Remove WooCommerce admin bloat – Disable WooCommerce Bloat is good for this.
  • Cloudflare Argo + Tiered Cache  – specifically good for speeding up dynamic requests.
  • Redis – also specifically good for WooCommerce (especially Redis Object Cache Pro).
  • Go easy on WooCommerce Extensions – just like other plugins, be minimal with these.
  • Unload WooCommerce plugins – Woo plugins are infamously bad with loading across your entire site. Use your asset unloading plugin to disable them where they’re not used.
  • Product image size – Appearance → Customize → WooCommerce → Product Images.
  • Increase memory limit – WooCommerce sites usually require increasing it even more.
  • Browser cache TTL – Google recommends 1 year but 1 month is good for dynamic sites.
  • Elasticsearch – speeds up searches especially for websites with thousands of products.
  • Delete expired transients – these can build up quickly so delete them more frequently.

22. Security

With the right optimizations (and a firewall), you shouldn’t need a security plugin.

Wordpress security checklist 1

A few other tips:

  • Hide your WordPress version.
  • Use a host that takes security seriously.
  • Add security headers (try the HTTP Headers plugin).
  • Use Cloudflare firewall rules (i.e. only access wp-login from your IP).
  • Disable file editing to prevent hackers from editing theme/plugin files.
  • Follow security-related social media accounts like Cloudflare/Wordfence.
  • Check for known vulnerabilities before updating things (especially plugins).

23. PHP Version

Only 7% of websites use PHP 8.

Come on y’all, you already know higher PHP versions are faster and more secure. Google “update PHP version [your host]” and you’ll find instructions. If updating breaks your site, just revert back to your older version (or remove incompatible plugins that aren’t maintained well).

Wordpress php versions
PHP version used by WordPress sites (source: WordPress stats)

24. Make Sure Optimizations Are Working

You set things up, but are they working? Make sure they are.

  • Caching – cache plugins should have documentation to check if the caching is working.
  • Redis/memcached – LiteSpeed Cache’s connection test and most Redis plugins tell you.
Litespeed cache object cache
Confirm Redis is working (screenshot is in LiteSpeed Cache)
  • CDN Analytics – how many requests are you blocking from bots, hotlink protection, and WAF? What is your cache hit ratio (hopefully around 90%)? CDN analytics are very useful.
  • Dr. Flare – Chrome Extension to view tons of Cloudflare stats like your cache hit ratio, uncached requests, non-Cloudflare requests, how much % was reduced by Polish/Minify.
  • CDN rewrites – are your files actually being served from your CDN? Check your CDN Analytics, Dr. Flare, or view your source code to make sure files are being served from the CDN when using a CDN URL, like this: cdn.mywebsite.com/wp-content/uploads/logo.png. If you’re using BunnyCDN, you may be able to serve more files from BunnyCDN by adding your CDN URL to your cache plugin on top of using BunnyCDN’s plugin. It worked for me.
  • APO – verify Cloudflare’s APO is working by testing your website in uptrends.com then making sure headers exactly match with what Cloudflare shows in the documentation.
Test cloudflare apo
Confirm APO is working by checking headers
  • Asynchronous CSS – if you’re using this, cache plugins should also have documentation.
  • External cron jobs – check the logs in your hosting account to make sure these are firing.
  • Waterfall charts – after each optimization, you should ideally check its impact using a Waterfall chart (better than running another PageSpeed Insights test and testing scores).
  • Clear cache – you may need to clear cache or regenerate critical CSS to see your changes.

25. Speed Plugins

Here’s the full list.

Obviously you don’t need all these especially if you’re using a cache/optimization plugin that already does some of these, Cloudflare image optimizations, or you can code things manually.

PluginCategoryPrice
FlyingPressCachePaid
LiteSpeed CacheCacheFree
PerfmattersMultiple CategoriesPaid
CloudflareCDNPaid
Super Page Cache for CloudflareCDNFree
WP-OptimizeDatabaseFree
FlyingProxyCDNPaid
Flying PagesResource HintsFree
Flying ScriptsDelay JavaScriptFree
Flying AnalyticsAnalyticsFree
OptimoleImageFreemium
ShortPixelImageFreemium
ShortPixel Adaptive ImagesImageFreemium
WP YouTube LyteVideoFree
OMGFFontFree
WP Foft LoaderFontFreemium
Pre* Party Resource HintsResource HintsFree
BunnyCDNCDNPaid
WP CrontrolCron JobFree
UnbloaterBloat RemovalFree
DebloatBloat RemovalFree
Disable WooCommerce BloatBloat RemovalFree
Heartbeat ControlBloat RemovalFree
Disable XML-RPCBloat RemovalFree
Widget DisableBloat RemovalFree
Limit Login AttemptsSecurityFree
WPS Hide LoginSecurityFree
Redis Object CacheCacheFree
Blackhole For Bad BotsBlock BotsFree
Simple Local AvatarsCommentsFree
Preload Featured ImagesLCPFree
Query MonitorDiagnosticFree
WP Server Health StatsDiagnosticFree
WP Hosting BenchmarkDiagnosticFree
WP Hosting Performance CheckDiagnosticFree

26. Get Help

Still need help? I’m not for hire, but here’s what I got:

DIY

  • Search the WP Speed Matters Facebook Group.
  • Plugins like Perfmatters have great documentation.
  • Gijo Varghese and WP Johnny also put on quality articles.
  • My other articles (if you liked this one, I have plenty more).

Hire Help

  • BDKamol – Pronaya mainly works with Gutenberg, WooCommerce, and Genesis. He’s been helping me for over 10 years even when I launched my first website and had no visitors. He points me in the right direction and was a key part in launching my new blog, helping me with things like custom coding, CSS styling, theme/plugin recommendations, etc. Pronaya lives in Bangladesh and his communication (and my trust in him) are 100%.
  • WP Johnny – he’s a busy guy but you can try hiring him and his team. I was lucky enough to have him help me remove my page builder (which I regret using in the first place and should have known better). While the work is great, it can take awhile to get things done.
  • WP Fix It – hired them once to improve issues related to core web vitals. While I was very happy with the work, they closed my tickets without notice saying the project was done, even when I told them I would pay more since truly fixing the issues required more work.
Pronaya wordpress speed optimizer

27. My Setup

This will cost about $500/year.

It assumes you already have a lightweight theme (i.e. GeneratePress/Kadence) and pay yearly for Rocket.net since you get 2 months free. It also assumes you’re using Rocket.net’s lower $25/mo plan (I pay $50/mo for the Business plan). For my site, this is the best setup I’ve found.

My blog costs around $800/year which is a lot cheaper than I was paying (mainly because hosting gets expensive as you scale). Scaling on Rocket.net is reasonable since monthly visits and RAM are both 10x Kinsta’s and there’s no PHP worker limits since only about 10% of traffic hits the origin (due to Ben Gabler’s Cloudflare Enterprise setup who I suggest reaching out to).

LiteSpeed is also solid and can be cheaper since LiteSpeed Cache is free and email hosting is often included. Check out NameHeroChemiCloud, and Scala (they seem to have good specs and TrustPilot reviews). RunCloudGridPane, and JohnnyVPS are probably best for larger sites.

Cloudways is who I was using. I still think they’re better than most hosts but it gets expensive with all the add-ons, they use Apache servers, and Cloudflare Enterprise + Breeze need work.

ServicePriceNotes
Rocket.net$25/moRead my full reviewOMM1 = $1 first month1 year =  2 months free
Cloudflare EnterpriseFree on Rocket.netNo configurationFull page cachingI trust their config
GeneratePress$249 (one-time)Less CSS/JSUses GutenbergI use the “Search” theme
GenerateBlocks$39/yrMore block templates
FlyingPress$3.5/mo (renewal price)Gijo’s pluginGreat for CWVAnd for real usersConfigure the settings
Google Workspace$6/moMost cloud host don’t support email hosting
Perfmatters$24.95/yrAsset unloadingBloat removalOptimizations not found in WP Rocket or SG OptimizerConfigure the settings
Total Yearly Price$477.95/yrPlus one-time cost of GeneratePress

Of course I use other tools/plugins, but that’s my foundation.

I hope you learned something new! Drop me a comment with any questions/suggestions.

Cheers,
Tom

Source :
https://onlinemediamasters.com/slow-wordpress-site/

How To Serve Static Assets With An Efficient Cache Policy In WordPress

If you ran your site through PageSpeed Insights, you may see a recommendation to serve static assets with an efficient cache policy.

Serve static assets with an efficient cache policy

This is flagged when you have a short cache expiration for images, fonts, media, scripts, and stylesheets. Google fails the audit if the cache expiration is under 180 days (259200 minutes). This simply means you need to adjust your cache expiration for those files to 180 days or over.

In most cases, you will login to your hosting account and adjust the static cache expiry (or similar) to 180 days. However, this can be quite a long time that visitors won’t see an updated version of those files. If you change these files frequently, a longer cache lifespan may not be best and you may want to make it shorter (even if it’s flagged). Google warns you about this.

I’ll cover a few other ways to serve static assets with an efficient cache policy in WordPress specifically for Cloudflare, other CDNs, Google Analytics, WP Rocket, and third-party scripts.

  1. NGINX
  2. Cloudflare
  3. Other CDNs
  4. WP Rocket
  5. LiteSpeed Cache
  6. W3 Total Cache
  7. Google Analytics
  8. Google Fonts
  9. Third-Party Scripts
  10. Purge Files And Retest

1. NGINX

Some hosts using NGINX let you adjust the cache expiration:

  • Login to your hosting account.
  • Find the static cache expiry option (or similar).
  • Set the static cache expiry to 259200 minutes (180 days).
Static cache expiry

Alternatively, add this code to your server’s configuration file (borrowed from Kinsta).

location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico)$ {
 expires 180d;
 add_header Cache-Control "public, no-transform";
}

If you’re not using a host that lets you to change this, contact them and request it.

2. Cloudflare

Cloudflare has it’s own browser cache expiration.

Login to Cloudflare and go to Caching → Browser Cache TTL, then set it for “6 months.”

Cloudflare-browser-cache-ttl

3. Other CDNs

Most other CDNs let you change the browser cache expiration.

For example, in BunnyCDN, go to Pullzone → Your Website → Cache → Browser Cache Expiration. In this case, there is no option for 180 days. You can either set it for 1 year or “match server cache expiration.” You’ll need to make sure your server uses the correct cache expiration.

Bunnycdn browser cache expiration

4. WP Rocket

WP Rocket has documentation on how their browser caching works.

This code is automatically added to your .htaccess file when you activate WP Rocket. But you will notice the browser cache expiration for images, fonts, and other files is 4 months (about 2 months short of Google’s 180 day requirement). It means you’ll need to change it to 180 days.

# Expires headers (for better cache control)

ExpiresActive on
    ExpiresDefault                              "access plus 1 month"
    # cache.appcache needs re-requests in FF 3.6 (~Introducing HTML5)
    ExpiresByType text/cache-manifest           "access plus 0 seconds"
    # Your document html
    ExpiresByType text/html                     "access plus 0 seconds"
    # Data
    ExpiresByType text/xml                      "access plus 0 seconds"
    ExpiresByType application/xml               "access plus 0 seconds"
    ExpiresByType application/json              "access plus 0 seconds"
    # Feed
    ExpiresByType application/rss+xml           "access plus 1 hour"
    ExpiresByType application/atom+xml          "access plus 1 hour"
    # Favicon (cannot be renamed)
    ExpiresByType image/x-icon                  "access plus 1 week"
    # Media: images, video, audio
    ExpiresByType image/gif                     "access plus 4 months"
    ExpiresByType image/png                     "access plus 4 months"
    ExpiresByType image/jpeg                    "access plus 4 months"
    ExpiresByType image/webp                    "access plus 4 months"
    ExpiresByType video/ogg                     "access plus 4 months"
    ExpiresByType audio/ogg                     "access plus 4 months"
    ExpiresByType video/mp4                     "access plus 4 months"
    ExpiresByType video/webm                    "access plus 4 months"
    # HTC files  (css3pie)
    ExpiresByType text/x-component              "access plus 1 month"
    # Webfonts
    ExpiresByType font/ttf    "access plus 4 months"
    ExpiresByType font/otf    "access plus 4 months"
    ExpiresByType font/woff   "access plus 4 months"
    ExpiresByType font/woff2  "access plus 4 months"
    ExpiresByType image/svg+xml                 "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
    # CSS and JavaScript
    ExpiresByType text/css                      "access plus 1 year"
    ExpiresByType application/javascript        "access plus 1 year"

Edit your .htaccess (you can use Htaccess File Editor if you don’t know how). Change the expiration from 4 months to 180 days. You may only want to do this for file types being flagged.

Wp rocket cache policy

WP Rocket also suggests to check with your host to make sure they don’t block WP Rocket’s rules and that Mod_expires is enabled.

5. LiteSpeed Cache

To serve statics assets with an efficient cache policy using LiteSpeed Cache, go to LiteSpeed Cache Settings > Browser. Enable browser cache and the browser cache TTL should be left as default (31557600 seconds). If you still see errors, check if your host or CDN is overriding this.

Serve static assets with efficient cache policy - litespeed cache

6. W3 Total Cache

If you need to serve static assets with an efficient cache policy in W3 Total Cache, go your Browser Cache settings and change the Expires header lifetime to at least 15552000s (180 days). Make sure the cache expiration in your hosting and CDN settings aren’t overriding this.

Serve static assets with efficient cache policy w3 total cache

7. Google Analytics

Google Analytics can also cause errors when serving static assets with an efficient cache policy.

If Google Analytics is appearing in PageSpeed Insights for this recommendation, CAOS Analytics lets you host analytics locally and adjust the cookie expiration period. WP Rocket’s Google Tracking Addon hosts it locally but doesn’t give you other options for the tracking code.

  • Install the CAOS Analytics plugin.
  • Go to Settings → Optimize Google Analytics → Advanced Settings → Cookie Expiry Period.
  • Set it to 180 days.
Caos analytics cookie expiry period

I recommend checking out other features in the CAOS Analytics plugin. Using a minimal analytics tracking code and serving it from your CDN can be beneficial for WordPress speed.

8. Google Fonts

Just like you hosted Google Analytics locally to control the cache lifespan, you can do the same thing with Google Fonts.

But they need to be hosted locally on your server (not pulling from fonts.gtstatic.com). You can do this by downloading your fonts directly from the Google Fonts website (remember to be minimal with font families and weights), converting them to WOFF2 format using a tool like Transfonter, then adding them to your CSS. Alternatively, you can also try the the OMGF plugin.

Once fonts are hosting locally, follow step #4 to set the cache expiration to 180 days for fonts.

9. Third-Party Scripts

Third-party code isn’t hosted on your server, so you can’t optimize it.

Google Analytics and fonts are an exception since they can be hosted locally, and therefore, you can control the cache expiration. But serving  static assets with an efficient cache policy is not possible for AdSense, YouTube, Google Maps, and other third-party scripts that you might be getting errors for. Although, there may be other ways to optimize them like delaying JavaScript.

Third party usage

10. Purge Files And Retest

Once you’re done changing your cache expiration, remember to purge files and retest your WordPress site. Ideally you’ll have 100% for serve static assets with an efficient cache policy.

Frequently Asked Questions

How do I serve static assets with an efficient cache policy in WordPress?

Change your browser cache expiration to 180 days (or 259200 minutes). This is typically done in your hosting account, cache plugin, or CDN.

How do I serve static assets with an efficient cache policy using WP Rocket?

Edit your. htaccess file and locate the browser cache expiration code added by WP Rocket. Change the expiration from 4 months to 6 months for files flagged in Lighthouse, which are usually images or fonts.

How do I serve static assets with an efficient cache policy using Cloudflare?

Login to Cloudflare and go to Caching > Browser Cache TTL and change it to 6 months.

How do I serve static assets with an efficient cache policy using W3 Total Cache?

In your W3 Total Cache settings, go to Browser Cache and change Expires header lifetime to 180 days (15552000 seconds). Check your server and CDN to make sure they’re not overriding this setting.

See also: My Ultimate WordPress Speed Guide

Cheers,
Tom

Source :
https://onlinemediamasters.com/serve-static-assets-with-an-efficient-cache-policy-wordpress/