WordPress Optimization Results: Before, After, and What’s Still Left

This is the final post in a six-part series documenting a full technical overhaul of this site — kindoflost.com — using Claude, an AI assistant by Anthropic. If you’ve followed along from Post 1, you’ve seen every fix in detail. This post is the recap: what the site looked like before, what it looks like now, what we’d do differently, and what’s still on the to-do list.

Before: A D+ Site

When we started, this site had been running for years without any serious technical attention. It worked, in the sense that pages loaded and the store processed orders. But under the hood it was a different story.

  • Security grade: D+. xmlrpc.php open, default login URL, readme.html advertising the WP version, REST API broadcasting the admin username, a vulnerable plugin active and handling a security header.
  • Cloudflare: installed but misconfigured. Duplicate DKIM record, FTP and cPanel proxied through Cloudflare (breaking them), SSL on a weaker mode, no HTML caching rules, no Bot Fight Mode.
  • Performance: poor on mobile. No server-side caching, no front-end optimization, PayPal SDK loading on every page including blog posts, site icon too small to generate valid apple-touch-icon variants.
  • WooCommerce: functional but fragile. Cart showing stale items due to unconfigured caching, checkout at /checkout-2/ instead of /checkout/, no fraud protection configured.
  • Plugin count: 27. Including inactive ones and at least one actively flagged for a vulnerability.
[Image: kindoflost PageSpeed score before]

After: A Solid B

  • Security: B. Login URL hidden, xmlrpc blocked, readme.html deleted, REST API user endpoint removed, security header moved from vulnerable plugin to Cloudflare Transform Rule, WHOIS privacy confirmed active.
  • Cloudflare: properly configured. Duplicate record removed, FTP and cPanel set to DNS only, SSL upgraded to Full (Strict), DMARC record added, three-layer cache rules in correct order, Bot Fight Mode on, Smart Tiered Cache enabled.
  • Performance: meaningfully improved. Three-layer caching stack active (Cloudflare + WP Optimize + Jetpack Boost), PayPal scoped to WooCommerce pages only, site icon fixed, Critical CSS generated, lazy loading enabled.
  • WooCommerce: stable. Checkout at /checkout/, cache bypass rules consistent across all layers, PayPal fraud protection set to Basic, reCAPTCHA on checkout.
[Image: kindoflost PageSpeed score after]

The “Best Practices” score is 77 because of cookies saved site-wide by WooCommerce, which I couldn’t figure out how to improve.

What’s Still on the List

  • Admin username. The account named “kindoflost” is still the active admin. Creating a new admin with a non-obvious name and retiring the old one is the remaining meaningful security fix.
  • HostGator server-level cache exclusions. The /cart/ path still needs to be excluded at the hosting infrastructure level. A quick conversation with HostGator support is all it takes.
  • Plugin count. Still higher than ideal. A focused cleanup session to delete inactive and redundant plugins would reduce the attack surface further.

What We’d Do Differently

  • Check the database table prefix before writing SQL. The phpMyAdmin attempt to delete the rogue checkout draft ran silently and did nothing because the table prefix wasn’t wp_. Always use $wpdb->posts in PHP instead of hardcoding the table name.
  • Set up the full caching stack before benchmarking. Early PageSpeed tests before the Cloudflare rules were fully in place made some results misleading.
  • Check WHOIS privacy before assuming it’s not active. HostGator was marketing domain privacy as an upgrade. It was already included. A quick ICANN lookup saves the confusion.
  • Keep a running change log. When you’re making changes across WordPress, Cloudflare, cPanel, and hosting support simultaneously, a simple timestamped text file would have been useful.
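
The table-prefix lesson above, as an added example (not code from the original work sessions): a snippet that looks up draft pages through `$wpdb->posts` and a prepared statement, reports which table it actually queried, and only deletes when asked. The function name `kol_find_draft_pages` and the slug stem passed to it are assumptions for illustration.

```php
<?php
/**
 * Added example, not the site's own code.
 * Finds draft pages whose slug starts with $slug_stem and optionally deletes
 * them, without hardcoding "wp_posts". Function name and slug stem are
 * hypothetical.
 */
function kol_find_draft_pages( $slug_stem, $delete = false ) {
    global $wpdb;

    // Destructive maintenance: administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Administrator capability required.' );
    }

    // $wpdb->posts resolves to "<prefix>posts" for this install, whatever the
    // prefix is. A literal "wp_posts" may not be the table WordPress reads.
    // esc_like() escapes % and _ in the stem; prepare() binds it as a string.
    $like = $wpdb->esc_like( $slug_stem ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_name FROM {$wpdb->posts}
             WHERE post_type = 'page'
               AND post_status = 'draft'
               AND post_name LIKE %s",
            $like
        )
    );

    // Include the resolved table name so the real prefix is visible in the result.
    $report = array(
        'table'   => $wpdb->posts,
        'matched' => array(),
        'deleted' => array(),
    );

    foreach ( $rows as $row ) {
        $report['matched'][] = $row->ID . ':' . $row->post_name;

        // wp_delete_post() cleans up post meta and term relationships, which a
        // raw DELETE on the posts table would leave orphaned. true = skip trash.
        if ( $delete && wp_delete_post( (int) $row->ID, true ) ) {
            $report['deleted'][] = (int) $row->ID;
        }
    }

    return $report;
}
```

Run it once with `$delete` left at `false` and read the `table` and `matched` entries before calling it again with `true`; an empty `matched` list means nothing will be touched.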

The Role Claude Played

Everything in this series was done using Claude as the technical guide. To be clear about what that means in practice: Claude didn’t have direct access to the site during the optimization work. Every change was made manually — in Cloudflare, in WordPress, in cPanel. What Claude did was identify the problems, explain why they mattered, say exactly where to go and what to click, write the code snippets, and catch things that wouldn’t have been obvious otherwise.

Most of what we did is documented somewhere in WordPress forums and security blogs. Claude didn’t invent any of it. What it did was pull it all together into one coherent session with no conflicting advice, no tab-switching, and no “it depends” without a follow-up answer. For a non-developer doing this kind of work, that made a real difference.

Claude also wrote this series of posts based on notes and transcripts from the actual work sessions. The technical content is accurate because it documents things that were actually done on this site.

Total Cost: $0

Every tool in this series was free or already part of an existing subscription: Cloudflare (free), WP Optimize (free), Jetpack Boost (free), WPS Hide Login (free), Code Snippets (free), PageSpeed Insights (free), SecurityHeaders.com (free), Claude (existing subscription). No new paid tools were needed.
