WordPress prioritises backwards compatibility.
That’s a feature. It also means every install ships with things you didn’t ask for.

An emoji CDN script. An oEmbed script. A Windows Live Writer manifest (discontinued 2017).
Dashicons loaded for logged-out visitors. Heartbeat polling every 15 seconds.
A version tag that tells the world exactly which WordPress you’re running.

None of these are bugs. They’re just not needed on most sites.

Disable what you don’t need. Keep what you do.

The Off Switch lets you disable each one, individually.

The Off Switches

Emoji script – ~15 KB + 1 HTTP request. Browsers handle emoji natively.
Embed script – ~4 KB + oEmbed discovery links in <head>.
RSD link – Really Simple Discovery. Only needed for legacy XML-RPC clients.
WLW manifest – Windows Live Writer has been discontinued since 2017.
WP version tag – Stops advertising your WordPress version to the world.
Shortlink – Removes <link rel="shortlink"> from <head> and HTTP headers. Search engines ignore it.
Asset query strings – Strips ?ver= from scripts, styles, and WP 6.5+ Script Modules so CDNs and proxies cache correctly.
XML-RPC – Closes a common brute-force attack vector.
XML-RPC Kill Requests – Goes further than disabling: hard-kills any incoming xmlrpc.php request with a 403 before WordPress loads at all.
Heartbeat API – Reduces admin polling from every 15 s to every 60 s.
Dashicons (frontend) – ~35 KB (CSS + font) saved for every logged-out visitor.
REST API Discovery Link – Removes <link rel="https://api.w.org/"> from <head>. Safe to remove on standard sites.
RSS Feed Links – Removes feed autodiscovery <link> tags from <head>. Modern browsers no longer act on them. Leave enabled if you publish an RSS feed.
Speculation Rules (WP 6.8+) – Disables the WP 6.8+ Speculation Rules API that prefetches links before users click. Can inflate analytics, increase server bandwidth, and trigger consent flows on unfetched pages.
Disable All Feeds – Redirects all RSS and Atom feed URLs to the homepage. For sites with no RSS subscribers.
Comment Auto-Links – Stops WordPress from converting plain-text URLs in comments into clickable links.
Editor Autosave – Deregisters the autosave script that POSTs editor content to the server every 60 seconds. For teams that prefer explicit saves.
DNS Prefetch – Removes all <link rel="dns-prefetch"> hints from <head>. Redundant when Emojis and Embeds are already disabled.
Recent Comments Inline CSS – WordPress outputs a small inline <style> block in <head> whenever the Recent Comments widget is active. Remove it if your theme already styles the widget.

Script & Style Control

jQuery Migrate – ~30 KB. Modern themes don’t need it.
Block Library CSS – ~7 KB loaded on every page, even with no Gutenberg blocks.
Global Styles (theme.json CSS) – 10-50 KB inline CSS from block themes.
SVG Duotone Filters – Hidden SVG blob injected on every page, even with no duotone images.
Script/Style type attributes – type="text/javascript" and type="text/css" are redundant in HTML5.
Defer non-critical JavaScript – Adds defer so scripts don’t block HTML parsing. jQuery is never deferred.
Move scripts to footer – Relocates enqueued scripts from <head> to just before </body>. jQuery is never moved.

WordPress Behaviour Tweaks

Self-pingbacks – WordPress pings your own posts when you link between them – a wasted HTTP request that creates an unwanted comment on the target post.
Capital P filter – WordPress corrects “WordPress” to “WordPress” on every rendered string. Remove if you don’t need the autocorrect.
Limit post revisions – WordPress stores unlimited revisions per post. Caps revisions at 3 to prevent silent database growth on active editorial sites.
Attachment pages – WordPress creates a full template page for every uploaded file. These waste crawl budget on most sites. Sends a 301 redirect to the parent post instead.
Comments – Closes all comments and pingbacks site-wide, hides existing comments on the frontend, and removes comment-related UI from wp-admin (Comments menu, admin bar node, dashboard widget). Enable only if your site does not use comments.
Search – Redirects all WordPress search queries (/?s=) to the homepage with a 301, preventing bots from triggering repeated database queries. Also removes search forms rendered via get_search_form(). Hardcoded forms in theme templates are not affected.
oEmbed Provider – WordPress registers a REST endpoint at /wp-json/oembed/1.0/embed so other sites can embed your content via the oEmbed protocol. Remove it if you don’t want your content embeddable externally. Does not affect your ability to embed others’ content.
Post via Email – Removes the Post via Email configuration from Writing Settings and disables the feature. Almost no modern site uses email-to-post.
Update Services (Ping-o-Matic) – Removes Update Services from Writing Settings and stops outbound pings to weblog ping services on every published post.
Native XML Sitemap (WP 5.5+) – Disables WordPress’s built-in XML sitemap generator. Most sites use external SEO plugins (Yoast, Rank Math) for sitemaps instead. Removes unnecessary redirects and reduces crawl overhead (default OFF).
oEmbed Auto-Embed – Disables WordPress from regex-scanning post content for [embed] shortcodes and oEmbed patterns on every frontend page load. For sites that do not embed external content, removing this filter saves processing overhead (default OFF).

Database & Query

Expired Transients – Schedules a daily cleanup of expired transient rows in wp_options. Useful on low-traffic sites where WP-Cron can go days without firing.
Abandoned Auto-Drafts – WordPress creates an auto-draft every time the post editor opens. Abandoned sessions leave these rows permanently. Runs a daily sweep to delete auto-drafts older than 30 days.
Skip Row Count on Singles – On every single post or page, MySQL runs SQL_CALC_FOUND_ROWS to count total matching rows – a full index scan only needed for paginated archives. Removes that sub-query on all singular views.
Adjacent Post Links – WordPress queries the previous and next post on every single post page to output <link rel="prev/next"> in <head>. Two extra DB queries per page load. Google dropped support for these SEO hints in 2019.
Reduce Trash Retention – WordPress keeps trashed items for 30 days before permanent deletion. Reducing to 7 days keeps wp_posts leaner on active editorial sites without affecting normal recovery workflows.

Image Performance

Google Fonts display:swap – Without font-display:swap, the browser hides text while your Google Font downloads (FOIT). Adds display=swap to every Google Fonts URL so visitors see text immediately.
Add missing image dimensions – Images without width and height attributes cause layout shifts (CLS). Reads dimensions from attachment metadata and injects them automatically.
LCP image priority – Adds fetchpriority="high" to the first content image so the browser loads it before lower-priority resources. Adds fetchpriority="low" and decoding="async" to all others.
Lazy load images – Adds loading="lazy" to images below the fold. The first image is never lazy-loaded – it is the LCP candidate and must load immediately.
Disable PDF thumbnails – WordPress generates thumbnail previews for every uploaded PDF when ImageMagick is available. Rarely used on the frontend; adds significant upload processing time.
Disable scaled images – WordPress 5.3+ creates a downsized -scaled copy of any image whose longest side exceeds 2560 px on upload. On most sites this extra file is never served. Disabling it stores the original as-uploaded. Applies to new uploads only.
Disable extra image sizes – WordPress 5.3 added 1536×1536 and 2048×2048 intermediate sizes to every image upload. These oversized copies are rarely requested and waste disk space. Theme and plugin image sizes are not affected. Applies to new uploads only.

Security & Admin Hardening

Block User Enumeration – WordPress redirects ?author=1 to /author/username/, exposing registered usernames. Intercepts those requests and redirects to the homepage before the username is revealed.
Disable Author Archives – Redirects all /author/username/ pages to the homepage. For sites with no author profile pages.
Disable File Editor – Defines DISALLOW_FILE_EDIT to remove the plugin and theme code editor from wp-admin. Eliminates a code-injection surface a compromised admin account could exploit.
Disable Application Passwords – Removes the Application Passwords UI and stops all tokens from being accepted. For sites that don’t use REST API or XML-RPC integrations.
Suppress Admin Email Check – Disables the periodic full-screen prompt asking admins to confirm their email address. One less interruption, no functional change.
Remove X-Pingback Header – Strips X-Pingback: from every HTTP response, stopping the site from advertising its XML-RPC endpoint URL to scanners.
Clean Admin Bar – Removes the WordPress logo dropdown, the duplicate “Visit Site” link, and the admin bar search for a less cluttered editing environment.
Hide Update Nag for Non-Admins – Hides the core update notice from editors and contributors who cannot action it. Administrators still see it normally.
Restrict REST API to Logged-In Users – The REST API is publicly accessible by default, allowing unauthenticated enumeration of posts, users, and other data. Restricting access to authenticated users reduces the attack surface. Will break public REST consumers such as headless frontends.
Redirect Unauthenticated Admin Access – By default, visiting /wp-admin/ without being logged in redirects to the login page, confirming a WordPress admin area exists. This redirects unauthenticated requests to the homepage instead, reducing information disclosure to scanners. AJAX, Cron, WP-CLI, and admin-post.php requests are never affected.
Hide Author Sitemap – WordPress 5.5 added a built-in XML sitemap that includes a users file listing the author archive URL for every user with published posts — up to 2,000 usernames, publicly accessible. Removes the users entry from the sitemap index entirely (WP 5.5+, default ON).
Remove X-Redirect-By Header – WordPress 5.1+ adds an X-Redirect-By: WordPress header on every redirect, openly advertising that the site runs WordPress. Removes it from all redirects (default ON).
Hide PHP Version Header – PHP sends an X-Powered-By: PHP/x.x.x header on every response, exposing your exact PHP version to every visitor and scanner. Removes it from all responses (default ON).
Generic PHP Error Messages – WordPress fatal error messages can include internal file paths and line numbers. Replaces them with a generic response that reveals nothing about server structure (default ON).
Hide Admin Bar on Frontend – Removes the WordPress admin toolbar from the public-facing site for all logged-in users. Reduces frontend CSS/JS overhead for logged-in sessions (default OFF).
Remove Dashboard Welcome Panel – Removes the “Welcome to WordPress” panel from the dashboard home screen for all users (default OFF).
Remove Default Dashboard Widgets – Removes four default dashboard widgets including WordPress Events and News, which makes an outbound HTTP request to api.wordpress.org on every dashboard load (default OFF).
Remove Admin Footer Text – Removes the “Thank you for creating with WordPress” text and WordPress version number from the wp-admin footer (default OFF).
Disable REST Users Endpoint – WordPress’s REST API exposes /wp-json/wp/v2/users publicly, returning usernames and slugs for all users with published posts. Removes this endpoint for unauthenticated requests only — Gutenberg and plugins that need it while logged in are unaffected (default ON).
Disable Email Change Notifications – WordPress sends emails to users when their email address or password changes. On agency-managed sites these are noise. Suppresses both notification types (default OFF).
Disable Auto-Update Emails – WordPress emails after every automatic core, plugin (WP 5.5+), and theme (WP 5.5+) update. On sites where auto-updates are routine these arrive constantly (default OFF).
Auto-Update Emails: Errors Only – A middle ground: suppresses core auto-update success emails only. Failure emails still arrive so you know when action is needed (default OFF).
Skip Bundled Themes on Upgrade – Defines CORE_UPGRADE_SKIP_NEW_BUNDLED to stop WordPress installing a new default theme on every core upgrade. Existing themes are not affected (default OFF).
Disable Site Health – Disables WordPress Site Health checks entirely. Site Health runs a 12-hour background cron job and makes REST API calls on every admin page load, fetching a list of ~20 WordPress.org API endpoints. On managed hosting with automated updates, these checks are redundant and add unnecessary server load (default OFF).

Block Editor

Remote Block Patterns – WordPress fetches patterns from api.wordpress.org on every editor load. An outbound HTTP request that adds latency even if editors never use the Pattern inserter. Local patterns from themes and plugins are unaffected.
Core Block Patterns – Removes WordPress’s built-in block patterns (headers, galleries, CTAs) from the Pattern inserter. For sites using custom patterns or none at all.
Block Directory – The editor includes a live search of wordpress.org that lets users install new blocks without leaving the editor. Remove it to keep block installation under your control.
Font Library (WP 6.5+) – WordPress 6.5 added a Font Library panel for uploading custom fonts and browsing Google Fonts in the Site Editor. Remove it if fonts are managed through your theme or code.
Widget Block Editor (WP 5.8+) – WordPress 5.8 replaced the classic Widgets screen with a block-based editor. Restores the classic screen for classic themes, sidebar widgets, and page builders.

WooCommerce

These toggles are only shown when WooCommerce is active.

Cart Fragments – wc-cart-fragments.js fires an AJAX request to keep mini-cart counts accurate when the Cart Widget is rendered (~3 KB + 1 request). Disable on stores where the Cart Widget is not used, or where real-time cart accuracy across tabs is not needed.
WooCommerce Generator Tag – Removes <meta name="generator" content="WooCommerce x.x.x"> from <head>. Same reason as the WordPress version tag: stops advertising which version of WooCommerce you’re running.
WC Scripts on Non-WC Pages – WooCommerce loads ~114 KB of CSS and JS on every page (woocommerce-general, woocommerce-layout, woocommerce-smallscreen, woocommerce.js, wc-add-to-cart.js, and woocommerce-blocktheme on block themes). Dequeues them all on non-shop, non-cart, non-checkout, and non-account pages. Up to ~30 KB gzipped saved per non-WooCommerce page.
Password Strength Meter – WooCommerce already restricts wc-password-strength-meter to checkout and My Account pages where a password is required. This toggle is a secondary safety net for themes or plugins that enqueue the script more broadly, removing zxcvbn (~80 KB gzipped) wherever it loads unnecessarily.
Status Dashboard Widget – Removes the WooCommerce Status meta box from the WordPress admin dashboard. For stores managed from the WooCommerce screens directly.
WC Block Patterns – WooCommerce registers its own block patterns in the editor inserter. Remove them if your store does not use WooCommerce-provided patterns for page design – declutters the inserter and removes a small init overhead.
WC Legacy Widgets – WooCommerce registers 12 legacy widgets on every page load even on block-based themes. Unregistering them removes the initialisation overhead and hides them from Appearance -> Widgets.
WC Version Header – Removes the X-WooCommerce-Version HTTP response header that some WooCommerce extensions inject, closing the same version-leakage vector as the generator tag toggle.
Stripe Gateway Scripts – Prevents the WooCommerce …

The Off Switch (formerly WP Avoid Slow)