Launching your WordPress site is always exciting. You get to watch all that hard work and planning transform into a tangible asset that the world can enjoy. It’s awesome – congratulations!
But here’s the deal:
Your job isn’t done just because your site is out and in the wild. Not by a longshot.
Now, you’re tasked with keeping your site secure, performing well, and up to date. And all that WordPress maintenance is going to require some planning.
In this post, we’re going to share some of the WordPress maintenance tips we give our enterprise clients. And because we want to make this post helpful to the entire WordPress community, we’re also going to share affordable alternatives to make our suggestions accessible to WordPress webmasters of all sizes.
Ok, here’s how we recommend keeping your WordPress site running smoothly.
Make Security a Focus From Day One
When you follow basic best practices, WordPress is a secure content management system. But so many WordPress webmasters fail to follow even simple security protocols, which makes WordPress unnecessarily vulnerable.
Here’s how we recommend our clients keep WordPress secure…
Pick a Security Tool That’s Right For You
Not to state the obvious, but the best way to keep your site secure is to, well, prevent an issue from happening in the first place.
While there are plenty of smaller tactics that you can manually implement to harden WordPress, nowadays you can outsource most security functions to a managed WordPress host or a security plugin.
Our first recommendation is always to host your site at a managed WordPress host that implements server-side security measures like WordPress-specific web application firewalls, proactive threat detection and malware scans, resource isolation, rate limiting, and more.
Again, when feasible, it’s best to implement security at the server level.
But if that’s not possible, your next best bet is to use a quality WordPress security plugin.
On that front, we recommend two plugins:
If you’re on a tight budget, Wordfence is a stellar option because it offers firewalls in its free version, while Sucuri Security only offers a firewall in the paid version.
Have A Plan In Place For When Things Go Wrong
Mike Tyson famously said, “everybody has a plan until they get punched in the mouth.”
Now, running a WordPress site might not be quite as physically demanding as heavyweight boxing, but the same basic idea holds true.
No matter how great your security prevention protocol is, you still need a plan for when things go wrong – when you get “punched in the mouth.”
A security breach is always going to be stressful – that’s unavoidable. But having a plan of action already in place helps you make the right decisions when the heat is on.
Your plan might vary, but here’s what we think is a good approach:
- Put your site into maintenance mode to prevent damage to your brand from a hacked site
- Restore your site from a recent clean backup
1. Know How to Quickly Enable Maintenance Mode
Maintenance mode is a core WordPress feature that WordPress uses when running automatic upgrades.
It’s also something you can trigger manually by uploading a file to the root folder of your site via FTP. All you need is a file named .maintenance that contains the following line of code:
<?php $upgrading = time();?>
This tells WordPress to put your site into maintenance mode for an undetermined amount of time. With it active, your visitors will see this:
If you’d prefer to create a more user friendly maintenance page, you can adjust what WordPress displays by uploading a file named maintenance.php to your …/wp-content root folder:
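As an added example (not code from the original post), here is a custom wp-content/maintenance.php. WordPress includes this file in place of its built-in notice whenever .maintenance exists, so the file has to send the 503 status and Retry-After header itself; otherwise the outage is served as an ordinary 200 page that caches and search engines may index. The 30-minute Retry-After value is an assumption.

```php
<?php
// wp-content/maintenance.php (added example; not from the original post).
// WordPress includes this file instead of its default notice whenever a
// .maintenance file exists in the site root, so this file must send the
// HTTP status itself. A 503 with Retry-After tells search engines and
// uptime monitors the outage is temporary; a plain 200 would be cached
// and indexed as if it were the real page.

// WordPress sets $upgrading from .maintenance before including this file.
// With $upgrading = time() in that file the value is always "now", so the
// 10-minute expiry WordPress normally applies never fires and the site
// stays in maintenance mode until the .maintenance file is deleted.
global $upgrading;
$started = is_int( $upgrading ) ? $upgrading : time();

// Assumption: we expect the incident to be resolved within 30 minutes.
$retry_after = 30 * 60;

if ( ! headers_sent() ) {
	http_response_code( 503 );
	header( 'Retry-After: ' . $retry_after );
	// Make sure no proxy or CDN caches the maintenance page.
	header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0' );
	header( 'Content-Type: text/html; charset=utf-8' );
}

// Escape anything that ends up in the HTML, even our own timestamp.
$since = htmlspecialchars( gmdate( 'Y-m-d H:i', $started ) . ' UTC', ENT_QUOTES, 'UTF-8' );
?>
<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="utf-8">
	<title>Scheduled maintenance</title>
</head>
<body>
	<h1>We'll be right back</h1>
	<p>The site has been in maintenance mode since <?php echo $since; ?>.</p>
	<p>Please check back in a few minutes.</p>
</body>
</html>
```

Delete the .maintenance file from the site root to bring the site back; leaving this file in wp-content has no effect on its own.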
2. Know How to Restore Your Site From Backup (And Test Backups)
Backing up your site is essential – but it’s not the only thing you need to be concerned about.
Beyond actually running backups, it’s important to:
- Know exactly how to restore your site from a backup
- Test your backups to make sure they are indeed functional backups
We’ll talk more about good backup principles later in this post.
Live By The Least Privilege Principle
If you’re a major institution using WordPress (or even just a regular ol’ blogger with some contributing authors), you’ll likely find yourself granting dashboard access to other users.
That’s totally fine – WordPress is built to handle multiple users. But if you’re granting access, you need to pay attention to WordPress user roles and the principle of least privilege.
The principle of least privilege basically says:
Give a user or tool only as much access as it needs to do its job.
For example, a contributing author doesn’t need access to publish posts, nor does an editor need access to install plugins or edit files.
By default, WordPress single site installs have 5 different user roles. You can view a summary of each role’s privileges at this WordPress Codex entry.
Once you know the proper access level to grant a user, you can choose each user’s role when you create their account:
Consider Two-Factor Authentication for Added Security
In an analysis from SecuPress, they found that the second-largest known attack vector for their clients’ sites was brute-force attacks. That is, the attackers repeatedly guessed passwords until they found one that granted them “legitimate” access.
Your host and/or security plugin has likely already implemented some brute-force protection, but if you want to fully lock down your login page, two-factor authentication is a good option because it requires users to enter both their password and a unique one-time password (OTP).
If you use a security plugin like Wordfence, you can set up two-factor authentication via the plugin by going to Wordfence → Tools → Cellphone Sign-in. This feature is only available in the premium version of Wordfence:
For a semi-free alternative, the Two Factor Authentication plugin from miniOrange offers a variety of authentication methods:
Set Up A Security Audit Log To Track Changes And Activity
Beyond proactive security measures implemented at the server level or via a plugin, another way that you can stop potential security risks from ballooning is to track all of the changes that happen on your WordPress site with a plugin like WP Security Audit Log.
With it activated, you’ll get a real-time log of everything happening on your WordPress site:
In the pro version of the plugin, you can set up email alerts, search the activity log, and use an external database to store the log for improved performance.
Put A Plan In Place to Monitor Performance
Performance testing isn’t something you do once when you launch your site and then forget about.
No, performance testing is an ongoing process. Your site is always in a state of flux, whether that flux stems from internal configuration changes or external forces like traffic spikes.
For that reason, you can never just benchmark your site and call it a day – you need to put a plan in place to regularly monitor your site’s performance.
What Matters When It Comes to Performance
Most of the tests we recommend have to do with monitoring the page load times of your site.
The importance of consistently low page load times can’t be overstated. The time it takes your site to load affects everything from conversion rates to user experience and search engine rankings.
For example, Intuit found that for every second they managed to shave off page load times, they boosted their conversion rate by 1%+.
On the user experience front, Akamai found that, at least for eCommerce sites, 30% of users expect a page to load in under one second.
And finally, Google has publicly stated that page load times have been a ranking factor since as far back as 2010.
All that to say – your site’s performance is important enough that it merits continuous monitoring, even after launch day. Here’s how we recommend you do it:
Put Load Times Under a Microscope
Pingdom is a popular monitoring tool that, among other things, lets you track exactly how long it takes your site to load for your visitors.
With Pingdom, you can:
- Have the tool check your site’s page load times every 30 minutes
- Monitor specific interactions, like a signup flow, checkout flow, or other specific activities
- Get recommendations on how to improve your page load times
What’s nice about Pingdom’s monitoring is that it doesn’t require adding any code to your WordPress site – all of the configuration happens directly in your Pingdom dashboard.
To get automated monitoring, you’ll need to sign up for one of Pingdom’s paid plans:
But if you just want a taste of what Pingdom can do, you can also use the free Pingdom page speed tool to run one-off tests:
The free tool’s data isn’t quite as comprehensive. But for those on a budget, it’s a nice way to get a taste of the monitoring many enterprise sites make use of.
Consider New Relic for Enterprise Testing and Optimization
For more detailed performance monitoring and optimization, New Relic offers enterprise-focused monitoring in a variety of different tools.
Beyond general end-user browsing experience, New Relic helps you dive deep into WordPress performance monitoring and find which plugins are eating up your database time, or which external service calls are slowing down your site:
New Relic even offers specific WordPress functionality that makes it easy for you to find the metrics that matter. And there’s also a New Relic Browser plugin that makes integration with your WordPress site easy.
Don’t Forget About Stress Tests
Pingdom is excellent for a quick picture of your site’s load times, but it falters when it comes to load testing, a test that measures how your site performs when it’s under heavy load (like a traffic spike from going viral).
Basically, load testing your WordPress site means making sure your site loads just as fast for the 10,000th concurrent visitor as it does for the first visitor.
If you’re using New Relic monitoring, you can run load tests for up to 100,000 concurrent users using New Relic’s BlazeMeter Load Testing.
For a standalone load testing tool, you can also use Load Impact. Load Impact offers free plans that let you run tests with up to 50 virtual users. Beyond that, they also offer enterprise-level plans that let you test up to 1.2 million concurrent users:
Make Sure Your Site Is Up With Uptime Monitoring
Beyond performance, another important metric to measure is uptime. Even a 0.1% change in uptime can mean an extra 44 minutes a month that your site is unavailable.
If you’re an enterprise, you’ll likely already have alert systems in place to quickly ping your dev team in the event of downtime.
Have a Process for Safely Handling Updates
When you use WordPress, you’re going to deal with a ton of updates. That’s because you not only have to update the WordPress core, but you’re also responsible for updating every single theme and plugin that you decide to use.
Put those three together and you may even end up seeing that red update icon multiple times per week.
Each time you update, you run a risk, however small, of breaking something.
With that being said, updates are an absolute necessity. 61% of the hacked WordPress websites that Sucuri looked at were running out of date WordPress software at the time of infection.
Image source: Sucuri Hacked Website Report 2016 – Q3
For that reason, you can’t afford to delay when it comes to updating your site. But what you can do is put in place a process for ensuring that updates don’t ruin your day.
Have a Staging Environment to Test Updates Before Going Live
No matter what changes you’re making, it’s a bad idea to apply changes straight to your live production site.
That’s where a staging site comes in. A staging site is a duplicate copy of your live site that’s inaccessible to the public.
Besides testing new features, you can also use your staging site to test updates before you push them to your live site.
Once you verify the update doesn’t break anything, we recommend pushing updates live as soon as possible.
How Do You Create a Staging Site?
Ideally, your staging site should be running on the exact same hardware as your live site, which makes local development sites a poor substitute for actual staging sites.
The easiest way to get access to a staging site is to use a managed WordPress host that offers dedicated staging functionality.
Some hosts, like WP Engine and Kinsta, offer easy staging tools that make staging as simple as clicking a button. Others, like Pantheon and Pagely, offer loose staging workflows rather than structured UIs:
Create Your Own Staging Site
If managed WordPress hosting isn’t an option, you can also create your own staging site without too much fuss.
Essentially, you’ll first need to manually copy over your WordPress site’s files. Then, you can use the WP Migrate DB plugin to properly clone your database and fix data serialization issues:
If you’re on a budget, the free version of WP Migrate DB lets you perform this process manually. That is, you’ll need to manually export your database each time and import it to your staging site.
To streamline the process, though, you can purchase WP Migrate DB Pro for the ability to automatically “push” and “pull” your database between your production and staging site with the click of a button.
Read Changelogs To Catch Potential Issues Before They Happen
One way to preemptively head off issues with updates is to know exactly what changes each update contains.
And the easiest way to do that is to…read the changelogs!
If you see that an update is changing a specific area that you rely on, you can be sure to test that area thoroughly.
For example, many sites experienced issues when WordPress 4.8 replaced the (now) old WordPress text widget with a rich-text widget.
Had those sites read the changelog, they might’ve had a chance to more thoroughly test the new widget on a staging site before pushing the update live.
Where Can You Find Changelogs for WordPress Updates?
For the WordPress software itself, you can find detailed changelogs for every release at the WordPress Codex. For plugins, you can check the changelog right from your dashboard:
- Go to your WordPress dashboard
- Head to your main Plugins listing page
- Look for the View version X details link
Clicking on the link will open a popup with the full changelog for all versions:
For themes, you can find the changelog by going to Appearance → Themes and clicking on a theme to open its Theme Details page:
Just like with plugins, clicking on View version X details opens the full changelog:
The nice thing is that this approach should work with all themes and plugins, not just those listed at WordPress.org.
Take Regular Backups (And Make Sure They Work)
In the security section, we talked about having a plan for when your site gets metaphorically punched in the mouth. Well, the same holds true for pushing updates live (or making any other changes to your site).
Backups are your safety net when anything goes wrong. Beyond running regular backups in general, you should always back up your WordPress site before pushing any updates live.
How to Take WordPress Backups
We usually recommend two backup methods to our clients.
When available, we always recommend clients run backups directly through their host. If you’re not sure how to do this, you can always speak to your hosting support because the process differs for each host.
The second method is a backup plugin. A solid option is VaultPress, which is part of the Jetpack plugin. VaultPress runs automatic daily backups and stores 30 days of backups on its cloud servers (though you should also download copies to a local server):
Test Your Backups to Make Sure They Work
It might sound a little obvious, but backups are only helpful if they…work. That’s why it’s never enough to just perform a backup – you also need to test whether you can successfully restore from the backup.
We recommend practicing restoring backups to a staging server to ensure that:
- Your backup files do indeed work
- You know how to quickly restore your site from a backup if needed
Practice 3-2-1 For Safe Backup Storage
Finally, it’s important to make sure your backups are always accessible. That’s where the 3-2-1 backup rule comes into effect.
The 3-2-1 rule dictates that you:
- Keep a minimum of three copies of your data, including the original copy
- Keep your backups on at least two different media, e.g. one on an external hard drive and one on a cloud server
- Store at least one backup offsite, e.g. in a cloud environment
The 3-2-1 rule ensures that no matter what disaster befalls your site, you should always have access to at least one working backup.
One Ounce of Prevention = One Pound Of Cure
Implementing the proper WordPress maintenance processes from the beginning helps you avoid major issues down the line. When running a website, planning and prevention are your allies against downtime and broken websites.
If you put a security plan in place, monitor your WordPress site’s performance, and quickly and safely apply WordPress updates, you’ll set yourself up for success with WordPress both now and in the future.