Articles

Article updates

Disable the CSS / JavaScript Processing ( Combine / In Place ) for specific URLs

The CSS and JavaScript processing modules is a powerful functionality which helps with SEO improvements and plugins/theme white-labeling. In some cases, the options are required to not trigger for specific URLs, this can be achieved using programable filters.

The following code should be placed within a file in /wp-content/mu-plugins/ folder or a custom plugin. This disable the functionality on a URL which include ‘/sample-page/’ slug.



    add_filter('wph/components/js_combine_code' ,'custom_wph_components_disable_combine');
    add_filter('wph/components/css_combine_code' , 'custom_wph_components_disable_combine');
    function custom_wph_components_disable_combine( $status )
        {
            
            $current_url    =   'http' . (isset($_SERVER['HTTPS']) ? 's' : '') . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
            
            if ( stripos( $current_url, '/sample-page/') !==    FALSE )
                $status =   FALSE;
                
            return $status;   
        }

Rewrite – Registration

This functionality is available for PRO version.

The Registration module controls the URL for the registration process and the activation URL on a MultiSite.

New register-me.php

As default, the register-me.php is being used for the registration process, This is the place where users can register a site or / and a ursername. This functionality provides a way to change the default URL to something else.
The registration status can be controlled through the network super admin interface:

Block register-me.php URL

Block the default register-me.php file. If New register-me.php is being used, is save to block the default, the registration process will continue to work.

New wp-activate.php

This is the URL through which a user can activate a registered blog. Using this feature the URL can be mapped to something else.

Help – Block wp-activate.php

Block access to wp-activate.php file. Through this file, new users confirm that the activation key that is received in the email after signs up for a new blog, matches the key for that user.
If New wp-activate.php is being used, is save to block the default, the registration process will continue to work.

PostProcessing – JavaScript

This functionality is available for PRO version.

The JavaScript PostProcessing feature is a crucial component of the PostProcessing engine, working alongside CSS PostProcessing and Replacements to provide comprehensive control over your website’s front-end performance and security. This feature is specifically designed to handle all the JavaScript assets associated with your site, offering advanced processing options that enhance load times, boost security, and optimize the overall user experience. By meticulously processing every piece of JavaScript code, the PostProcessing engine ensures that your site remains fast, efficient, and resilient against potential threats.

Continue reading

General / Html Text Replace

This functionality is available for PRO version.

The feature provides a visual interface for arbitrary text replacement on HTML. The substitution is case-sensitive, also spaces in front or at the end are being used as is. The replacements occur only on front-side.

This is intended to be used with long texts for accurate replacements. Short words might produced unexpected results if being found in different part of the code. If small group of chars are needed to be changed (e.g. wp-, elementor, builder) the Html/Css/JS Replacements should be used instead.

General / Html – Robots.txt

Robots.txt file tells search engines how to crawl your website which makes it an incredibly powerful SEO tool.

As default the robots.txt also includes an allow clause to admin URL and run-ajax.php url. Once customized those areas, the new slugs might not want to be show to anyone. Turn this option to Yes removed any reference to new wp-admin and run-ajax.php.

The robot file is available at the following url:
http://-domain-name-/robots.txt

General / Html – Feed

Web feeds allows users and applications to receive regular updates from a site. There are several different kinds of feeds, read by different feed-readers. Some feeds include RSS (“Rich Site Summary” or “Really Simple Syndication”), Atom or RDF files.

By default, WordPress comes with various feeds:

RSS 2.0 format
http://-domain-name-/feed/

RSS 2.0 format
http://-domain-name-/feed/rss2/

RSS 0.92 format
http://-domain-name-/feed/rss/

RDF/RSS 1.0 format
http://-domain-name-/feed/rdf/

Atom format
http://-domain-name-/feed/atom/

This plugin options allows to disable the above feed service.

Rewrite – Search

The /search/ is the default slug used to display the results for the search page.
This feature help to change the default /search/ endpoint to something customized. As default the search url format is:
https://-domain-name-/search/search-word/
By using the option “find” the default url becomes:
https://-domain-name-/find/search-word/

Block default search url

After changing the default author, the old url is still accessible. This provide a way to block it and allows only the new one.

Rewrite – Author

New Author Path

An author URL displays all posts published by a specific author on your WordPress site. By default, these URLs use the /author/ slug, which makes them easily identifiable as part of a WordPress installation.

This feature allows you to customize the default /author/ endpoint, replacing it with a unique slug such as /contributor/ or any other term that better fits your branding or enhances security. For example:

  • Default author URL format:
    https://your-domain.com/author/author-name/
  • Customized author URL using the “contributor” slug:
    https://your-domain.com/contributor/author-name/

Changing the author URL slug can serve both aesthetic and security purposes. Since /author/ is a well-known and predictable pattern used by WordPress, it becomes a target for bots and malicious users trying to identify your site’s CMS or enumerate usernames.

By customizing the author base, you make it slightly more difficult for automated tools to recognize your site as WordPress-based, which can help reduce the likelihood of targeted attacks. While not a standalone security solution, it’s a useful step as part of a broader hardening strategy.

This setting is especially helpful for sites with multiple contributors, where branding and URL structure consistency are important.

 

Prevent Access to Author Archives

By default, WordPress generates author archive pages using URLs like yoursite.com/?author=ID. This behavior can be exploited by attackers who repeatedly request URLs such as ?author=1, ?author=2. and so on, until they find valid user IDs—revealing active usernames on your site.

To enhance security, it’s best to completely disable access to these types of URLs, especially since author archive pages often serve little or no purpose on many sites.

Even if your permalink settings are not set to the default (i.e., ‘Plain’), WordPress will still redirect ?author=ID URLs to the corresponding author archive page, if it exists. Therefore, additional measures are necessary to block these redirects and prevent username enumeration.

 

Block default author url

After changing the default author URL slug (e.g., from /author/ to /contributor/), the original URL remains accessible by default. This means that both the old and new URLs will redirect to the same author archive page, which can be problematic from both a security and SEO standpoint.

To prevent this, it’s recommended to block access to the old author URL entirely and allow only the new custom slug. Leaving the default /author/ endpoint accessible can still expose your site to potential user enumeration attacks or signal that your site is running on WordPress, which may attract automated bots and malicious traffic.

By blocking the legacy URL, you ensure that visitors and search engines are directed only to the intended, branded author archive path. This also helps avoid duplicate content issues and improves overall site structure and security.

 

Scroll to top