Let’s talk WordPress and Best Practice. WordPress is the most popular Content Management System for small businesses and bloggers.
It’s so easy to get started with thousands of themes and plugins at your fingertips, you won’t even need to write a line of code! But, if you’re not an experienced website designer, developer or site technician, how are you supposed to know if you’re doing the right thing?
I run 11 WordPress websites for myself and over 45 websites for clients. I have over 15 years of experience when it comes to dealing with the technical side of website management for small businesses.
These best practices are some tips that I’ve found to be the most efficient way of running modern websites.
Contents
- 1. Keep your Domain, Hosting and Email Separate
- 2. Never use the same cPanel account for multiple sites
- 3. Always use SSL from the beginning
- 4. Redirections should be server-level
- 5. Keep Plugins to a Minimum
- 6. Disable XML-RPC
- 7. Ditch Classic Editor
- 8. Use a Content Delivery Network for International Sites
- 9. Daily/Weekly General Maintenance Tasks
1. Keep your Domain, Hosting and Email Separate
It’s considered best practice to purchase your domain, hosting and email separately. I recommend this to all my clients: it is an expense that simply cannot be spared.
Domain names tied to hosting packages are at risk of being held hostage by the hosting company if you ever decide to part ways. There may be a contractual obligation to retain the domain name with the company in question, which sucks, but some unscrupulous companies get away with it.
You should buy your domain name from a registrar (my favourite is NameCheap.com) and point your name servers to your hosting package.
That way, you’re in full control of what happens to your domain and your hosting company can never hold it hostage.
As for email, services like Google Workspace (formerly G Suite) and Microsoft 365 (formerly Office 365) are viable and affordable options. You also get extra services like cloud storage and documents, spreadsheets, collaboration tools, etc.
If you’re on an extremely tight budget, Zoho Mail offers a business mailbox for about £1 per month. Ask your website manager to configure the DNS records for your email service: the MX records, plus SPF, DKIM and DMARC so that your domain cannot easily be spoofed.
2. Never use the same cPanel account for multiple sites
This is a major security no-no. It’s also an inefficient way of hosting your sites.
Just because your hosting package allows for multiple websites in the same cPanel account, it doesn’t mean that you should install multiple instances of WordPress, just because it lets you.
Commercial web servers run each cPanel account as its own Unix user with its own home directory (and, on CloudLinux hosts, its own CageFS container), and PHP runs as that user. If one account’s files become infected with malware, code running as that user cannot read or write other accounts’ directories, provided file permissions have not been loosened (a world-writable wp-content is a common mistake that defeats this).
If all your sites are hosted as sub-directories within the same cPanel account, they all run as one user, so a compromise of any one of them is a compromise of all of them: the attacker can read every wp-config.php (and therefore every database password) and plant a backdoor in each site. They also share one set of resource limits, so a traffic spike or runaway process on one site slows all the others.
If you host multiple websites, get a reseller account to manage them all using WHM – part of cPanel but one level higher. It’s well worth it and gives you added peace of mind for security too.
3. Always use SSL from the beginning
Having an SSL certificate is an absolute must. It’s been an absolute must for several years now. If your site loads over http instead of https, visitors to your site are going to see a warning telling them they’re on an insecure site.
If you have a contact form, payment form or shopping cart, then visitors may choose not to purchase from you because your site is not secure. All major web browsers and mobile devices will give this warning.
Using an SSL certificate from the start of your WordPress install makes things much easier than installing one later on and having to deal with mixed content errors. SSL certificates are free from all good hosting companies, using certificates from Let’s Encrypt, the free, open certificate authority.
Why You Shouldn’t use Really Simple SSL Plugin for WordPress
One of the most popular plugins in the WordPress repository is Really Simple SSL, an all-in-one solution for SSL implementation. However, there is a better way to migrate your site from http to https: search and replace the database for references to http://yoursite (use a serialisation-aware tool such as WP-CLI’s search-replace command, because some options and post meta are stored as PHP-serialised strings with embedded lengths, which a raw SQL REPLACE will corrupt), update the WordPress Address and Site Address settings, and handle the http to https redirect at server level.
4. Redirections should be server-level
Do not use a plugin that stores redirects in the database and evaluates them in PHP on every request. Common plugins with this functionality are RankMath, Yoast and Redirection.
Avoid Redirection WordPress Plugins
Redirections should be at server level, in the .htaccess file (or the Nginx server configuration) and nowhere else: the web server answers them before WordPress and PHP ever load, so they are faster and they survive the plugin being removed, disabled or broken by an update.
The most popular redirection plugins offer the option to export their rules to .htaccess or Nginx config format, so a plugin is at most a stop-gap, not a permanent solution. Your website administrator or manager can export the rules, test them, and decommission the Redirection plugin without losing functionality.
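The server-level approach from sections 3 and 4, as an added example that is not part of the original article: an .htaccess fragment that forces HTTPS in a single hop and carries the permanent redirects a plugin would otherwise hold. It assumes Apache 2.4 with mod_rewrite enabled (mod_headers for the optional HSTS line), and the paths /old-page/, /new-page/, /blog/2019/ and /articles/ are placeholders.

```apache
# Added example, not from the original article. Assumes Apache 2.4, mod_rewrite.
# Place this ABOVE the "# BEGIN WordPress" block: WordPress rewrites that block
# whenever permalinks change and will discard anything inside it.

RewriteEngine On

# 1. Force HTTPS. The second condition covers a TLS-terminating proxy or CDN
#    (e.g. Cloudflare) in front of the origin, which reports the client's
#    scheme in X-Forwarded-Proto; without it the rule would loop forever.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Permanent redirects that would otherwise live in a redirect plugin.
#    The substitution names the https:// scheme explicitly so an http://
#    request to an old URL lands on the new one in one hop, not two.
#    Patterns are anchored: "^old-page/?$" does not also match "old-page-2/".
RewriteRule ^old-page/?$ https://%{HTTP_HOST}/new-page/ [R=301,L]
RewriteRule ^blog/2019/(.*)$ https://%{HTTP_HOST}/articles/$1 [R=301,L]

# 3. Optional: once mixed content is fixed, tell browsers to stay on HTTPS.
#    Start with a short max-age and lengthen it when you are sure nothing
#    on the domain still needs plain http. env=HTTPS limits the header to
#    TLS responses, where browsers actually honour it.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=3600" env=HTTPS
</IfModule>
```

Test each rule with curl -sI http://yoursite/old-page/ and check for exactly one 301 pointing at the final https URL before removing the plugin; a chain of two or three redirects is the usual sign that a rule is ordered wrongly.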
5. Keep Plugins to a Minimum
When I log into a site with any more than 12 plugins, alarm bells ring!
Generally Useful Plugins
- Yoast SEO (free version)
- WP Fastest Cache
- Antispam bee
- Asset Cleanup
- UpDraft Plus Backups
Plugins to avoid in 2022
- Jetpack (it’s bloated and most of the features can be done with other services)
- Redirection (see above)
- Really Simple SSL (see above)
- Monster Insights (Google Analytics can be installed manually without need for a plugin)
- Akismet (it ships with WordPress by default; if you don’t use it, delete it rather than leave it installed, as an inactive plugin’s files are still on disk and still reachable)
6. Disable XML-RPC
XML-RPC (xmlrpc.php) is the legacy remote-publishing interface used by external apps such as Windows Live Writer, older versions of the WordPress mobile app and Jetpack. I recommend disabling it altogether, at the web server level in the .htaccess (or Nginx) configuration, with WordPress’s xmlrpc_enabled filter as a second layer.
XML-RPC is a favourite target for attackers and bad bots: it sits at a well-known URL, it accepts a username and password on every call, and its system.multicall method lets a single HTTP request try hundreds of passwords, which defeats per-request login rate limits. Its pingback.ping method has also been abused to make WordPress sites take part in DDoS attacks against third parties. Blocking it removes that attack surface and a large share of the junk traffic in your logs.
WordPress has its REST API, which the block editor and current mobile apps use and which is the supported, actively maintained interface, so you can safely disable XML-RPC; confirm first that nothing you rely on, such as Jetpack, still needs it. I include this as part of my standard WordPress Installation and Configuration service, or as a one-off fix.
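The server-level block described above, as an added example that is not part of the original article. It assumes Apache 2.4 (on Apache 2.2 the equivalent of Require all denied is Order deny,allow followed by Deny from all) and that the fragment goes in the site root .htaccess above the "# BEGIN WordPress" block. The 192.0.2.0/24 range in the commented section is a placeholder, not any vendor’s real address range.

```apache
# Added example, not from the original article. Assumes Apache 2.4.

# Refuse every request to xmlrpc.php at the web server, before PHP runs.
# This also stops pingback.ping and system.multicall, which the PHP-side
# xmlrpc_enabled filter does not cover: that filter only disables methods
# that require authentication, and pingback.ping does not.
<Files "xmlrpc.php">
    Require all denied
</Files>

# Optional: if one specific service (e.g. Jetpack) genuinely still needs
# XML-RPC, allow only its source addresses instead of the whole internet.
# 192.0.2.0/24 is a placeholder; take the real ranges from the vendor's
# documentation and review them when they change.
# <Files "xmlrpc.php">
#     Require ip 192.0.2.0/24
# </Files>
```

Verify with curl -s -o /dev/null -w "%{http_code}" https://yoursite/xmlrpc.php, which should return 403; if you still see 405 or 200, the rules are being overridden or the file lives at a different path. If the site sits behind Cloudflare, remember the origin only sees the proxy’s addresses, so an IP allow-list needs the real client IP restored first.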
7. Ditch Classic Editor
It. Is. 2022. Stop. Using. Classic. Editor. Got it?
Gutenberg is here, and WordPress is going all out on developing it. If you’re not using it yet and are still on the old ‘Classic Editor’, it’s about time you moved with the times.
It is a learning curve, sure. It does take some getting used to. But you will soon find its capabilities are extensive and it’s getting better with each new major release of WordPress.
Gutenberg ‘blocks’ will soon allow Full Site Editing (FSE) that means you can build your site’s menu, header, footer, sidebar and widgets visually using Gutenberg blocks.
In fact, if you use any page builder like Divi or Elementor, you may want to consider ditching those in the near future too. Gutenberg is so much faster than anything produced by multi-purpose page builders.
Plus, if you use Yoast, you can add FAQ and How-To Schema blocks directly from the WordPress editor.
Will switching to Gutenberg break my old posts?
No. All of your old posts will remain intact. If you do decide to ditch classic editor in favour of the Gutenberg editor, it won’t mess up all your existing posts. It will put each post into a “classic block” and you can manually convert your old posts using Gutenberg or leave them as they are, and they won’t change.
8. Use a Content Delivery Network for International Sites
A content delivery network is a network of servers in data centres around the world that hold a cached copy of your site’s static assets (and, depending on configuration, whole pages), so each visitor is served from the location nearest them. That is more efficient for your own server and much faster for the user.
CloudFlare is an excellent choice, and there are added benefits of having a Web Application Firewall and other security features. Two caveats: the WAF only protects you if your origin server accepts web traffic from Cloudflare’s addresses alone, otherwise anyone who discovers the origin IP simply goes around it; and your server needs to restore the real client IP (Cloudflare sends it in the CF-Connecting-IP header, and provides mod_cloudflare / mod_remoteip configuration for this), or your logs, rate limits and login protection will see every visitor as Cloudflare.
9. Daily/Weekly General Maintenance Tasks
To keep your WordPress site healthy, there are a series of general maintenance tasks to be completed:
- Core WordPress updates
- Plugin updates
- Theme updates
- Daily or weekly backups
- Login security
- Malware scans
- Database Maintenance
- Config, htaccess and robots.txt file configuration
- Server-side updates and configuration
- Technical website audits
- Downtime monitoring
- Traffic monitoring
Learn more about How to Maintain your WordPress site.
I offer WordPress setup, management, maintenance and audits as a service for small businesses. If you’re interested in having all or some of the technical aspects of your site managed for you, get in touch today!