Fix WordPress in one switch.
Levers is a single plugin that fixes the things WordPress gets wrong out of the box, and rolls in the dozens of tiny plugins you'd normally install one by one. Flip a switch, ship.
Do the job of over 50 plugins - with zero bloat.
Stop bolting on a separate plugin for every fix. Here are just a few plugins that Levers makes redundant.
Every lever in the box.
Only enable the levers that you need, disable the rest.
Friendlier "Welcome back" greeting
Swap the toolbar's "Howdy" for a warmer "Welcome back" everywhere it appears.
Custom login logo
Replace the WordPress logo on wp-login.php with one you pick from the media library.
Favicon
Set a site favicon and show it in the WordPress admin too. Inline picker, no theme code.
Hide "Uncategorized" category
Hide the default category from pickers, lists and widgets. Reversible - nothing is deleted.
Hide admin footer credit
Remove the "Thank you for creating with WordPress" line and the version from the dashboard.
Hide admin notices
Adds a one-click "Hide notice" link to every admin nag. Stays hidden site-wide.
Hide updates from non-admins
Strips update nags and counters from editors and authors. Admins still see them.
Local avatars
Adds an avatar uploader to each user that overrides their Gravatar everywhere.
Skip admin email verification
Suppress the periodic "Is this still your email?" interstitial that interrupts admins.
Disable admin fade transitions
Disables the WP 7.0 page-fade animation in the admin. Pages load instantly again.
Allow sanitized SVG uploads
Lets admins upload SVGs to the media library, sanitized to strip scripts and external refs.
Enable post/page duplication
Adds a Duplicate row action to posts, pages and CPTs. Clones to a draft, ready to edit.
Header & footer scripts
Inject tracking, verification and custom code into the head, body or footer. No theme edits.
Disable file editor
Sets DISALLOW_FILE_EDIT so theme/plugin PHP can't be edited from the dashboard.
Prevent XML-RPC login attacks
Disables XML-RPC, a legacy service mostly used to brute-force WordPress logins.
Force SSL
Redirect HTTP requests to HTTPS across the front end, login and dashboard.
Fix insecure content
Rewrite http:// resource URLs to https:// so secure pages stop showing mixed-content warnings.
Limit login attempts
Lock out an IP after 5 failed logins in 24 hours. A second lockout is permanent.
Add security headers
Sends X-Frame-Options, X-Content-Type-Options, Referrer-Policy and a Permissions-Policy.
Hide WordPress version
Strips the generator meta tag, ?ver= strings on core assets, and version from feeds.
Block user enumeration
Blocks ?author=N enumeration and locks /wp-json/wp/v2/users for logged-out visitors.
Block PHP execution in uploads
Drops an .htaccess rule into /uploads so uploaded PHP files can't run.
Disable directory browsing
Adds Options -Indexes so visitors can't list raw folder contents. Shuts a classic info leak.
Strip EXIF & GPS from uploads
Removes EXIF metadata (including GPS) from uploaded JPEGs, preserving orientation.
Remove readme.html & license.txt
Deletes the two root files that broadcast your WP version and blocks them via .htaccess.
Add missing image dimensions
Adds width/height to img and picture sources missing them. Prevents layout shift.
Skip front-end dashicons
Stops the Dashicons stylesheet loading on the front end for logged-out visitors.
Remove emoji scripts
Stops wp-emoji-release.min.js, its inline CSS and the DNS prefetch to s.w.org.
Disable jQuery Migrate
Drops the legacy jquery-migrate shim from the front end. Safe on modern themes.
Disable oEmbed/embeds
Removes wp-embed.min.js and the embed REST endpoint if you don't embed external posts.
Optimize database tables
Weekly OPTIMIZE TABLE pass on wp_* tables with real fragmentation. Runs at 2 AM.
Clean expired transients
Daily sweep that purges expired transients from wp_options without an object cache.
Clean orphaned metadata
Daily sweep of postmeta, commentmeta and termmeta rows whose parent record is gone.
Delete expired sessions
Daily purge of expired _wp_session_* rows that WooCommerce and membership plugins leave behind.
Limit & clean post revisions
Caps revisions at 5 per post going forward and trims existing extras. Big wp_posts win.
Close blog comment spam exploit
Holds every comment for manual approval and stops auto-approving prior commenters.
Prevent links in blog comments
Marks any comment containing a link as spam. Real-time and on the pending queue.
Remove comment website field
Removes the "Website" field from the comment form, killing comment spam's main incentive.
Auto-empty spam & trash comments
Auto-purges comments in spam or trash older than 30 days to keep wp_comments small.
Email obfuscation
Rewrites email addresses in content as HTML entities so harvesters can't scrape them.
Replace em-dashes sitewide
Swaps em-dashes for a regular hyphen in titles, content, excerpts and comments.
Disable smart punctuation
Stops WordPress auto-curling quotes and dashes, and un-curls existing content.
Dynamic copyright year
Scans the footer for stale "© YYYY" and auto-bumps the year to the current one.
External links open in new tab
Adds target="_blank" + rel="noopener" to off-site links. Idempotent for other SEO plugins.
Remove Grammarly bloat
Strips the leftover spans and link classes Grammarly leaves in pasted content.
Stop nav menu jumps
Rewrites empty href="#" in nav menus so dropdown parents don't scroll back to top.
Noindex internal search results
Adds noindex to /?s= pages so spammers can't rank junk URLs under your domain.
Redirect attachment pages
Redirects attachment URLs to the parent post (or home) so empty image pages don't index.
Default inserted images to no link
Sets the editor's default Link-to for new images to None instead of attachment page.
Clean rel on internal links
Strips SEO-blocking rel tokens (nofollow, sponsored, ugc, noindex) from internal links.
Remove double slashes from URLs
Collapses double slashes in URL paths in links and images. Quiets SEO-tool warnings.
Search engine visibility warning
Warns admins when WordPress's "Discourage search engines" setting is left on.
Disable per-post feeds
Redirects each post's /feed/ URL back to the post itself. Those feeds mostly serve scrapers.
Disable self-pingbacks
Stops WordPress creating pingbacks when you link to your own posts. No more emails.
Fix scheduled post modified time
When a scheduled post auto-publishes, aligns modified date with the publish date.
Publish missed scheduled posts
Catches scheduled posts that missed their slot (a known WP-Cron quirk) and publishes them.
Three steps. No setup screen.
Activate the plugin and head to Settings › Levers. Everything is off by default, so nothing on your site changes until you flip a switch.
Upload the levers folder to /wp-content/plugins/ (or install the ZIP from the Plugins screen).
Activate Levers from the Plugins screen.
Open Settings › Levers and flip on the ones you want.