• Disabling Concatenated Script Loading in WordPress

    By default, WordPress bundles multiple JavaScript files into a single request inside the admin dashboard. This happens through wp-admin/load-scripts.php, a mechanism known as script concatenation. It was originally designed to improve performance by reducing the number of HTTP requests.

    That approach made sense in the era of HTTP/1.1, where many small requests could significantly slow page loads. Today, most WordPress sites run on servers using HTTP/2 or HTTP/3, which handle multiple requests efficiently in parallel. In this environment, the benefits of script concatenation are far less compelling, and in some cases it introduces new drawbacks.

    Cons of Script Concatenation

    When attackers target the admin area, especially /wp-admin/, they typically rely on volume—large numbers of repeated requests are sent in a short period of time. If script concatenation is enabled, each request pulls a heavier, combined JavaScript payload through load-scripts.php.

    This can result in:

    • A sluggish or unresponsive admin dashboard
    • Login or admin requests timing out
    • Increased CPU and memory usage on the server
    • Less granular inspection by caching layers, WAFs, and security tools

    In simple terms, each request does more work than necessary.

    Why This Matters on Modern Servers

    With HTTP/2 and HTTP/3, browsers can request multiple small files simultaneously without the performance penalties seen in older protocols. When script concatenation is disabled, this leads to several practical benefits:

    • Little to no performance loss: Modern protocols handle parallel requests efficiently, so loading scripts individually rarely impacts speed.
    • Improved cache efficiency: When a single script changes, only that file is invalidated, not an entire bundled payload.
    • Reduced amplification under load: Serving scripts individually prevents load-scripts.php from becoming a single, high-impact endpoint during high-volume admin traffic.
    • Better visibility for security tools: Smaller, discrete requests are easier for CDNs, WAFs, and monitoring tools to inspect, cache, and rate-limit.

    How to Disable Script Concatenation

    Add the following line to your wp-config.php file:

    define('CONCATENATE_SCRIPTS', false);
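
    To see how the bundled endpoint is being used, the check below (an added example, not code from the original post or from WordPress) reads web-server access logs, counts load-scripts.php requests per client in a sliding window, and reports how many script handles each bundle asked for. The combined log format, the thresholds, the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) ')

def parse_hit(line):
    """Return (ip, time, handle_count) for a load-scripts.php request, else None."""
    m = LINE_RE.match(line)
    url = urlsplit(m.group(3)) if m else None
    if url is None or url.path.rsplit("/", 1)[-1] != "load-scripts.php":
        return None
    # load[], load[chunk_0], ... carry comma-separated script handles. Join the
    # pieces in key order before splitting: a handle can straddle two chunks.
    pairs = [kv for kv in parse_qsl(url.query) if kv[0].split("[")[0] == "load"]
    joined = "".join(value for _, value in sorted(pairs, key=lambda kv: kv[0]))
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), when, len({h for h in joined.split(",") if h})

def flag_clients(log_text, max_hits=3, window=timedelta(seconds=10)):
    """Summarise clients with more than max_hits bundle requests in any window."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if hit := parse_hit(line):
            per_ip[hit[0]].append(hit[1:])
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort(key=lambda h: h[0])
        start = peak = 0
        for end, (when, _) in enumerate(hits):
            while when - hits[start][0] > window:  # drop hits older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_hits:
            flagged[ip] = {"peak": peak, "max_handles": max(h[1] for h in hits)}
    return flagged

# Constructed sample lines (documentation IP ranges), not real traffic.
def sample_line(ip, sec, target):
    return f'{ip} - - [12/Mar/2025:10:00:{sec:02d} +0000] "GET {target} HTTP/2.0" 200 98211'
BUNDLE = ("/wp-admin/load-scripts.php?c=1&load%5Bchunk_0%5D=jquery-core,jquery-mi"
          "&load%5Bchunk_1%5D=grate,utils&ver=1")
SAMPLE_LOG = "\n".join(
    [sample_line("198.51.100.7", 1, BUNDLE), sample_line("198.51.100.7", 40, "/wp-admin/index.php")]
    + [sample_line("203.0.113.50", sec, BUNDLE) for sec in range(5, 10)])

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))  # flags only 203.0.113.50
```

    With CONCATENATE_SCRIPTS set to false, dashboard pages rendered by WordPress no longer link to load-scripts.php, so clients this check still flags after the change are worth a closer look.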

    The end.
