This article may contain affiliate links. This means that at no extra cost to you, I may earn a commission if you use one of these links to make a purchase. Read the full disclosure.
How to maintain a WordPress website – it’s not as straightforward as you first thought!
WordPress websites are increasingly complex with users adding their own plugins, switching themes, adding code snippets and even making WordPress look like something else entirely. But website maintenance goes further than keeping your pages up-to-date, there’s a lot going on in the background that needs taking care of.
For quite a while now, WordPress has included a new “Site Health” feature on the dashboard that will tell you which areas of your site are less “healthy” and need improvement. Unless you’re a web developer or a site technician, you probably won’t know what everything there means, so I’m here to explain the most important parts of WordPress Maintenance.
Why WordPress needs Maintaining
- WordPress isn’t just a static set of files, it uses a dynamic database to store content. That database is queried thousands of times per day.
- Unmaintained sites become slow to load for users and site admins
- WordPress is often targeted by hackers
- Well maintained sites help your brand’s reputation
1. Core WordPress Updates
WordPress is constantly being updated. At the time of writing this (January 2021), the current version is 5.6. Depending on how your site was configured, you may have to manually update your version of WordPress yourself.
Your WordPress dashboard will notify you if an update is available and prompt you to update as soon as possible. However, it’s best practice to backup your entire site and database before jumping straight into an update! On larger sites that are mission critical, updating WordPress in a staging environment to fully test before deploying it to the live site is the way to go 👍🏻.
This is why having backups and using staging environments is so important! All my WordPress maintenance clients have peace of mind that someone else takes care of this for them!
2. Plugin Updates
As well as core WordPress updates, if you use third-party plugins then these will also need to be updated on a regular basis. Large sites with a lot of plugins are at risk of errors when updating plugins, so it’s certainly a good idea to use a staging environment.
Large, popular plugins are likely to be tested to work with other large, popular plugins. But small, relatively niche, or bespoke plugins will not be tested in this way, so you should always do your own tests after any updates.
Also, never bulk update! If there is an issue, it’s incredibly challenging to track down which plugin is the culprit if you updated them all at once! For this reason, I recommend keeping automatic updates disabled for plugins.
3. Theme Updates
Like plugins, themes also need updating. But unlike plugins, themes are often edited or customised so performing updates will overwrite these changes. Any themes with customisations made should have a child theme setup before doing any updates to preserve your edits.
Like with other updates, backups and staging environments are your best friend!
4. Automated Daily Backups
Do not rely on your hosting company for this. Just ask yourself: What happens if my hosting company goes down? What will happen to your site?
Whatever you do, take your own backups and automate the process so it just runs in the background while you sleep! Daily backups are best for peace of mind, but real-time incremental backups may be necessary for e-commerce or membership sites.
UpDraftPlus is a free plugin that will take care of your backup needs and even upload your backed up site to cloud storage such as Google Drive, DropBox or Amazon S3.
5. Login Security
WordPress sites are a known target for hackers and brute force attacks. Why? Because they’re often left insecure and therefore easy to break into. Consider the consequences of someone malicious gaining admin access to your site:
- Customer data may be compromised
- Your site may be redirected, replaced or defaced
- Your content may be deleted or corrupts
- Damage to your brand’s reputation
- Stress, hassle and expense of putting things right
Fortunately, you can limit the number of login attempts by using a plugin or by editing your Apache/nginx configuration files (each setup is different, so check with your web developer before making any changes)
In severe cases, it may be necessary to limit admin logins for a particular IP address only, or cloak the login page by renaming it to something else.
6. Malware Scans
Malware is another serious threat for WordPress site owners. Usually, out-of-date plugins or themes are to blame, but WordPress Malware is nasty and great at hiding. I’ve personally dealt with Malware that hid from logged in admin users and was only visible when the traffic source was Google. This made it easily undetectable by the site owner who probably never visits their own site via Google and will almost always type it in directly.
I’ve seen malicious code re-appearing after being deleted and hiding in the text code .jpg photos from 9+ years ago. It’s insane how far Malware will go to hide itself.
WordPress websites need a Malware and vulnerability scan at least once per week, more if it’s an ecommerce store. Plugins like WordFence are very popular, but it’s nor perfect. It adds a lot of extra bloat to your site’s database and gives frequent false positives which are confusing for inexperienced users. Deleting a file that turns out to be a false positive could break your site entirely!
Aim to scan your site once a week for extra peace of mind.
7. Database Maintenance
Behind every WordPress site is a database, think of it like a filing cabinet that stores all of your pages, posts, products, comments and everything else that’s important on your site. Overtime, the database can accumulate junk files that just aren’t needed. It’s common to see:
- Post revisions – WordPress stores post revisions by default. Every time you edit and save a post, an entirely new version is created. It’s possible to set this to a lower number if you’re comfortable changing WordPress settings using the config file.
- Spam comments – Spam comments are usually filtered out by an anti-spam plugin, but they’re still stored in the database in the comments table even though they’re spam! It’s definitely a good idea to clear out your spam comments regularly.
- Table overhead and transient data – When you delete content or remove a plugin, that space is now unused, but the database still keeps that space reserved which is not necessary. Some data has an expiration date, these are known as transients. Table overhead and expired transients can be safely deleted by a WordPress technician.
8. File Configuration
There are certain files that a web developer or website technician will edit as part of all WordPress configurations. If you used “one click install” then the wp-config file is automatically created for you so there’s no need to add anything to its configuration.
The most important part of the config file is the database information, auth keys and salts. Without this, your site will not be accessible to you or anyone else. An experienced WordPress expert is likely to make further edits to this file, such as:
- Hard-coding the site URL so that this cannot be edited in the dashboard
- Reducing the number of post revisions saved in the database
- Setting a time limit on post revisions to automatically expire
- Turn debug mode on or off
- Add memory limits, caching or concatenation statements
- Enable or disable automatic updates
Another important file is the .htaccess file (if using Apache hosting), which also needs to be configured for the environment. This file can be used to
- Secure the site
- Block directory indexing
- Browser caching
- Security Headers
- Redirections (301s/302s)
Each site is different, and needs to be configured according to the environment it is in, so speak to a WordPress expert for a bespoke file configuration that suits your needs.
9. Server-side Updates and Configuration
WordPress is made using PHP, which itself has several versions. The current version of WordPress (5.6) is compatible with PHP 5.6 and above (but version 7.4 is recommended). The next update: PHP8 is due to be rolled out in 2021.
Using an outdated version of PHP results in low speed, poor performance and potential security issues on your site.
Web hosts operate differently, some (such as those using cPanel) will let you do these updates yourself. Other managed hosting will restrict access and they will perform updates in your behalf. If in doubt, check with your web host.
10. Technical Audits
A technical audit is useful to highlight technical issues that are difficult to spot when browsing the site. For example, there may be an image that’s not been resized correctly and it’s causing a bottleneck when the page loads. Or, blog posts that are not marked up with the correct heading levels.
When maintaining a WordPress site, using a tool like SiteBulb on a monthly basis will highlight an on-page or technical issues with your website.
11. Downtime Monitoring
If you website goes down, you need to be the first to know so you can fix it before anyone else notices! UpTime Robot is my favourite downtime monitoring tool. This service works with all websites, not just WordPress.
Good maintenance is like practical insurance – taking active steps to prevent a disaster on your website. Small business owners have a lot to deal with, so don’t let WordPress maintenance and updates get in the way of your life.
I offer a personalised, bespoke WordPress maintenance service from £29 per month that takes care of everything on this list plus more! It’s specifically aimed at small businesses, freelancers and bloggers who want to focus on their business without worrying about the inner workings of WordPress.
So, let me take care of your website so you can grow your business with no hindrance!