Header cleanup

Have you ever viewed the source code of your WordPress website and noticed a bunch of links and meta tags in the <head> section that you didn't add? WordPress automatically injects several links and tags into your website's header, and while some of them are useful, many are unnecessary for most websites and can even be a security concern.

Falcon's Header Cleanup feature helps you remove these unnecessary elements, making your HTML cleaner, slightly faster to load, and more secure. Think of it as spring cleaning for your website's head section!

What gets removed?

WordPress adds various links and meta tags to your website's <head> section by default. Here's what the Header Cleanup feature can remove and why you might want to remove each one:

Feed links

WordPress automatically adds RSS and Atom feed links to your website's header. These include feeds for posts, categories, tags, comments, authors, and search results.

<link rel="alternate" type="application/rss+xml" title="My Site &raquo; Feed" href="https://example.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="My Site &raquo; Comments Feed" href="https://example.com/comments/feed/" />

If you don't use RSS feeds or want to keep your feed URLs private, removing these links can reduce clutter in your HTML. Please note that Falcon only removes the links from the HTML header - it doesn't disable the feed functionality itself. Your feeds should still be accessible at their direct URLs (e.g., /feed/).

RSD link

RSD (Really Simple Discovery) is an XML file that helps external tools discover your WordPress installation. It's used by blog editors and other publishing tools.

<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.com/xmlrpc.php?rsd" />

If you don't use external blog editors (like Windows Live Writer or other desktop publishing tools), this link serves no purpose. Removing it can also help hide the fact that you're using WordPress, which is a minor security benefit.

Windows Live Writer manifest

This is a manifest file for Windows Live Writer, a desktop blogging tool that's no longer actively developed by Microsoft.

<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://example.com/wp-includes/wlwmanifest.xml" />

Since Windows Live Writer is deprecated and rarely used, this link is essentially dead weight for most modern websites.

Adjacent post links

WordPress adds rel="next" and rel="prev" links to indicate the previous and next posts in a sequence. These are meant to help search engines understand the relationship between posts.

<link rel="prev" href="https://example.com/previous-post/" />
<link rel="next" href="https://example.com/next-post/" />

If you want to improve SEO for your website, you probably use an SEO plugin for WordPress. All SEO plugins have an XML sitemap feature, which lists the URLs of all posts for search engines to discover, so it's not necessary to have these links in the header.

WordPress version number

WordPress automatically adds a meta tag that reveals your WordPress version number.

<meta name="generator" content="WordPress 6.4" />

Removing this tag is a security best practice. Revealing your WordPress version makes it easier for attackers to target known vulnerabilities in that specific version. While security through obscurity isn't a complete solution, removing this information is a simple step that makes your site slightly less attractive to automated attacks. There's really no good reason to keep this.

Shortlink

WordPress generates a shortlink (a shortened URL) for each post and page. This is typically in the format ?p=123 where 123 is the post ID.

<link rel="shortlink" href="https://example.com/?p=123" />

Most sites use pretty permalinks, and the shortlink functionality is largely obsolete. Removing it reduces unnecessary HTML.

REST API link

WordPress automatically adds a link to the REST API endpoint in the header. This helps clients discover the API location.

<link rel="https://api.w.org/" href="https://example.com/wp-json/" />

Even if you use the WordPress REST API, for example to build a headless WordPress site or to serve applications that access its endpoints, those applications already know where the API lives. Advertising the endpoint publicly is a security concern, because it makes the API easier for attackers to discover and probe.

Removing the link only removes the discovery link from the HTML. The REST API endpoint itself remains functional. If you need to completely disable the REST API, you'll need additional security measures beyond header cleanup.
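As an added illustration (not Falcon's own code), the following must-use plugin unhooks the default wp_head callbacks that emit each of the tags described above. The hook names and priorities are WordPress's own, registered in wp-includes/default-filters.php; the file name and the plugin header are assumptions.

```php
<?php
/**
 * Plugin Name: Example Head Cleanup (illustrative, not Falcon)
 *
 * Place this file in wp-content/mu-plugins/ to load it on every request.
 * remove_action() must use the same priority the callback was added with,
 * otherwise the callback stays hooked and the tag is still printed.
 */

// RSS/Atom feed links for posts and comments (priority 2) and the extra
// per-category, per-tag, per-author and search feeds (priority 3).
remove_action( 'wp_head', 'feed_links', 2 );
remove_action( 'wp_head', 'feed_links_extra', 3 );

// Really Simple Discovery link pointing at xmlrpc.php?rsd.
remove_action( 'wp_head', 'rsd_link' );

// Windows Live Writer manifest; a harmless no-op on newer WordPress
// releases that no longer emit this link at all.
remove_action( 'wp_head', 'wlwmanifest_link' );

// rel="prev" / rel="next" links to adjacent posts.
remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10 );

// <meta name="generator" content="WordPress x.y">
remove_action( 'wp_head', 'wp_generator' );

// <link rel="shortlink" href="https://example.com/?p=123">
remove_action( 'wp_head', 'wp_shortlink_wp_head', 10 );

// <link rel="https://api.w.org/" href="https://example.com/wp-json/">
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );

// The shortlink and the REST discovery link are ALSO sent as HTTP
// "Link:" response headers, which a cleanup of the HTML alone would
// miss. Unhook the template_redirect callbacks that emit them.
remove_action( 'template_redirect', 'wp_shortlink_header', 11 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );

// The generator string is printed in feeds as well as in the head;
// blank it everywhere via the the_generator filter.
add_filter( 'the_generator', '__return_empty_string' );
```

After deploying, confirm the result by fetching a page and checking both the HTML head and the HTTP response headers (for example with curl -I), since the Link header is the part most head-only cleanups overlook. As on the page, the feeds, xmlrpc.php and /wp-json/ themselves remain reachable at their direct URLs.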

Performance impact

While the performance impact of header cleanup is minimal, every little bit helps:

  • Reduced HTML size: Removing unnecessary links and meta tags reduces the size of your HTML, which means faster page loads, especially on slower connections.
  • Fewer HTTP requests: Some of these links might trigger additional requests from browsers or crawlers.
  • Cleaner code: A cleaner HTML source is easier to debug and maintain.

The performance gains are small but measurable, especially when combined with other optimizations.

Security benefits

The most significant security benefit comes from removing the WordPress version number. Here's why:

  1. Reduced attack surface: Attackers often scan websites to find specific WordPress versions with known vulnerabilities.
  2. Less information disclosure: The less information you reveal about your setup, the better.