How To Archives - Tweaks WP

Sanitize input vs escape output WordPress XSS prevention split layout

How to Prevent XSS in WordPress: Sanitization and Escaping Functions Guide

Maps every WordPress esc_*, wp_kses_*, and sanitize_* function to its exact context, with the 'sanitize on input, escape on output' rule that eliminates XSS.

Varun Dubey · May 23, 2026 · 10 min read

WordPress hook priority execution order with add_action priorities

How To

WordPress Hook Priority Explained: How Action and Filter Execution Order Works

How WordPress hook priority numbers work, how to remove object method and closure callbacks, and runtime tools like doing_action(), did_action(), and $wp_filter inspection.

Varun Dubey · May 23, 2026 · 10 min read

PHP-FPM pm.max_children worker calculation formula for WordPress

How To

PHP-FPM Tuning for WordPress: How to Calculate Workers, Memory, and Timeouts

PHP-FPM tuning guide for WordPress: how to calculate pm.max_children from actual memory usage, set spare server counts, configure request timeouts, and monitor pool health.

Varun Dubey · May 23, 2026 · 10 min read

Nginx FastCGI cache hit and miss timing grid for WordPress

How To

Nginx FastCGI Cache for WordPress: Complete Setup and Purge Guide

Complete Nginx FastCGI cache setup for WordPress: cache zone config, logged-in user bypass, WooCommerce exclusions, purge on publish, and HIT/MISS header debugging.

Varun Dubey · May 23, 2026 · 10 min read

PHP OPcache configuration values for WordPress shown as memory bars

How To

PHP OPcache Settings for WordPress: Configuration Guide with Benchmarks

OPcache configuration guide for WordPress covering memory_consumption, max_accelerated_files, revalidate_freq, JIT settings, and how to verify hit rate on production.

Varun Dubey · May 23, 2026 · 10 min read

WordPress malware cleanup recovery checklist in terminal style

How To

WordPress Malware Cleanup: Developer’s Step-by-Step Recovery Checklist

Step-by-step WordPress malware cleanup checklist covering core file verification, database injection scans, hidden admin detection, cron backdoors, and post-cleanup hardening.

Varun Dubey · May 23, 2026 · 10 min read

WordPress SQL injection prevention with wpdb prepare placeholder code example

How To

WordPress SQL Injection Prevention: $wpdb->prepare() Deep Dive

Every WordPress database query that concatenates user input without $wpdb->prepare() is a ticking time bomb. This guide covers every prepare() pattern in production code.

Varun Dubey · May 23, 2026 · 10 min read

Dark developer-themed featured image showing PHP code for disabling XML-RPC and blocking REST API user enumeration in WordPress

Backup and Security

How to Disable XML-RPC and Block REST API User Enumeration in WordPress

Disable XML-RPC, block REST API user enumeration, and stop ?author= redirects with exact PHP hooks, Apache/.htaccess, and Nginx config examples.

Varun Dubey · April 30, 2026 · 10 min read

WordPress file permissions chmod guide showing correct values: 400 for wp-config.php, 755 for directories, 644 for files, 444 for .htaccess

How To

Correct File Permissions for WordPress: chmod Guide for Every File and Folder

Set correct chmod values for wp-config.php, directories, files, uploads, and .htaccess. Includes one-liner fix commands and wp-config.php constants.

Varun Dubey · April 30, 2026 · 10 min read

WordPress login security hardening: rate limiting with transients, custom login URL via rewrite rules, and brute force protection code diagram on dark developer background

Backup and Security

WordPress Login Security: Rate Limiting, Custom URL, and Brute Force Protection

Harden WordPress login with PHP rate limiting via transients, a custom login URL using rewrite rules, Application Password controls, and TOTP 2FA. No plugins required.

Varun Dubey · April 30, 2026 · 10 min read

WordPress wp-config.php environment configuration for dev, staging, and production showing server, settings, and file-code icons on dark navy background

Code Snippets

WordPress Environment Config: How to Set Up Dev/Staging/Production wp-config.php

Learn how to configure separate WordPress environments for dev, staging, and production using conditional constants, WP_ENVIRONMENT_TYPE, wp-config-local.php pattern, and .env file integration.

Varun Dubey · April 20, 2026 · 10 min read

Code Snippets

WordPress Multisite wp-config.php: Network Constants

A complete reference to every WordPress multisite wp-config.php constant: WP_ALLOW_MULTISITE, MULTISITE, SUBDOMAIN_INSTALL, DOMAIN_CURRENT_SITE, PATH_CURRENT_SITE, SITE_ID_CURRENT_SITE, BLOG_ID_CURRENT_SITE, NOBLOGREDIRECT, SUNRISE, COOKIE_DOMAIN, SITECOOKIEPATH, COOKIEHASH, and network tweaks that separate a working network from a production-grade one.

Varun Dubey · April 17, 2026 · 10 min read

Category: How To

How to Prevent XSS in WordPress: Sanitization and Escaping Functions Guide

WordPress Hook Priority Explained: How Action and Filter Execution Order Works

PHP-FPM Tuning for WordPress: How to Calculate Workers, Memory, and Timeouts

Nginx FastCGI Cache for WordPress: Complete Setup and Purge Guide

PHP OPcache Settings for WordPress: Configuration Guide with Benchmarks

WordPress Malware Cleanup: Developer’s Step-by-Step Recovery Checklist

WordPress SQL Injection Prevention: $wpdb->prepare() Deep Dive

How to Disable XML-RPC and Block REST API User Enumeration in WordPress

Correct File Permissions for WordPress: chmod Guide for Every File and Folder

WordPress Login Security: Rate Limiting, Custom URL, and Brute Force Protection

WordPress Environment Config: How to Set Up Dev/Staging/Production wp-config.php

WordPress Multisite wp-config.php: Network Constants