How to maintain a WordPress website
What does it actually take to maintain a WordPress website?
In this article I look at the activities involved in maintaining a WordPress website. This article is aimed primarily at “non-technical” users so explanations are kept as simple as possible, with reference to more advanced materials where appropriate.
Backup and Restore
A solid backup strategy is the first basic level of protection for any website. Why have a backup? Simply for that “bacon saving” moment: to retrieve content accidentally deleted by a user, to recover your website after a software update has gone wrong and ‘broken’ your site or, following a security breach, to restore your site to an earlier version before it became infected.
There are 2 types of backups. It is good practice to have both types set up:
Type 1: Host server backup
Most good hosting providers make automated backups of your website at regular intervals. The hosting provider I recommend, Siteground, for example, offers daily backups, maintained for 30 days and with a one-click restore facility, through its GoGeek package.
Relying only on your hosting provider for backup does, however, mean you won’t have access to backups older than 30 days (or even as little as 7 days for some hosting providers). What if you only become aware of a problem on day 31 (or day 8)? What if your server suffers a catastrophic failure and your host loses your backup? What if you only need to restore certain files and not the whole website? This is why also having a “local backup” is important:
Type 2: Local backup
These are backups taken by the user and stored on a local computer or a cloud service such as Dropbox or Google Drive. Local backups can be taken in two ways:
- Manually via FTP (File Transfer Protocol) for files and phpMyAdmin for the database, which requires a degree of technical knowledge
- Using a premium plugin, managed from the WordPress dashboard (recommended)
I implement a plugin called UpdraftPlus for all the sites I manage. A standalone licence typically costs £54 p.a. although they also have a free version with more limited features. There are of course a number of other backup solutions in existence. This article by wpbeginner reviews 7 of the most popular WordPress backup plugins.
Tip: Having a backup and restore strategy is essential, but a backup strategy is only as good as your backup tools, which will need to be reliable and easy to use when the time comes to restore… and believe me, the time will come at some point!
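A backup is only useful if it can be restored, so it is worth checking each local archive before you need it. The Python check below is an added example, not part of the original article or of any plugin mentioned here; it assumes the backup is a single zip file holding the site files and a .sql database dump, and the sample archive is constructed inline.

```python
"""Check that a local backup archive holds both the site files and the database."""
import io
import zipfile


def check_backup(archive) -> list:
    """Return a list of problems; an empty list means the archive looks restorable."""
    try:
        zf = zipfile.ZipFile(archive)
    except zipfile.BadZipFile:
        return ["archive is not a readable zip file"]
    problems = []
    with zf:
        bad = zf.testzip()  # re-reads every member and verifies its checksum
        if bad is not None:
            return [f"corrupt member: {bad}"]
        names = zf.namelist()
        if not any(n.endswith("wp-config.php") for n in names):
            problems.append("files: wp-config.php missing")
        if not any("wp-content/" in n for n in names):
            problems.append("files: wp-content/ missing")
        dumps = [n for n in names if n.endswith(".sql")]
        if not dumps:
            problems.append("database: no .sql dump found")
        for n in dumps:
            if b"CREATE TABLE" not in zf.read(n):
                problems.append(f"database: {n} has no CREATE TABLE statements")
    return problems


def make_sample(with_db=True) -> io.BytesIO:
    """Build a tiny constructed archive in memory (not a real site backup)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("site/wp-config.php", "<?php // constructed placeholder\n")
        zf.writestr("site/wp-content/uploads/logo.png", b"constructed image bytes")
        if with_db:
            zf.writestr("site/database.sql", "CREATE TABLE wp_posts (ID bigint);\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(check_backup(make_sample()))               # complete archive
    print(check_backup(make_sample(with_db=False)))  # files only, database missing
```

check_backup also accepts a file path, so it can be pointed at a downloaded archive. A truncated download is reported as unreadable rather than silently accepted.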
Beyond the basic precautions which can be taken to minimise security risks for your website, it is highly recommended that you install and configure security software on your WordPress site which helps prevent attacks and scans your site regularly for potential security breaches. A very good option is Wordfence which comes as a free or premium version, depending on security features required. The software sends the user email notifications of any potential security breach which may require action to be taken (e.g. blocked attacks, modified files on your website, software updates required). For more information on how Wordfence works to protect your website you can look at this infographic.
Other good options include iThemes security or Sucuri Website AntiVirus.
Tip: It is a good idea to subscribe to a couple of the well-known security blogs in order to be alerted early about any new WordPress security issues. For example, https://www.wordfence.com/blog/ or https://blog.sucuri.net/
A quick reminder of some of the most basic security precautions
- Keep your WordPress software version, themes and plugins up to date
- Use very strong passwords and non-obvious user names
- Don’t log in to your WordPress dashboard on a public, unsecured wifi network unless you use a VPN service
- Have up-to-date anti-virus software on the computer you use to access your WordPress dashboard
- Only install reputable and well maintained themes and plugins
There are a number of external services, either free or paid, which can be set up to monitor your site regularly and detect when it is down. These services work by “pinging” your website at regular intervals and sending an email notification if the site is down. You can then take action to troubleshoot the issue (generally by contacting the hosting provider first) to investigate and minimise downtime.
Here are a couple of options worth checking out: Uptime Robot (free or paid) and Pingdom (paid)
Your WordPress website uses 3 types of software to function:
- WordPress itself
- Your “theme” – this, broadly speaking, drives the look of your website
- “Plugins” – these drive some of the functionality of your website
All software needs to be updated regularly for best functionality and optimum security of your website. A typical, small to medium WordPress site will require 8 to 12 software updates per month on average. A larger, transactional site will require more. WordPress itself has 2 major releases a year with a number of ad-hoc security or bug fixes released in between. Plugins and themes tend to be updated both in line with a major WordPress update and individually throughout the year.
So what does the update process involve? Well, the vast majority of updates are done from the WordPress dashboard with “one click”, but on occasion some updates may need to be done manually via FTP (see the article by wpbeginner for a beginner’s guide to uploading files via FTP). But beware! In reality, the update process is more time-consuming than one might think. Clicking on all updates without taking some basic precautions may break some or all of your site functionality, which can be time-consuming to troubleshoot and rectify.
I recommend this process for performing software updates:
- Always make sure you have a backup of your site files and database before any update so you can “roll back” to an earlier software version if something breaks
- For minor updates(*), always read the “changelog” to check what the update changes are and assess the impact on your site
- For major updates(*), you may prefer to wait a few days before updating and read the support forums to become aware of any issues experienced by other users (unless it is a security update, when time is of the essence)
- For more complex, heavier traffic or transactional sites (such as online stores, events booking etc.) it is best practice to make a “staging copy” of the site on a different server, or locally on a computer using a virtual server environment such as MAMP or DesktopServer. Make the updates there, then test the site and only “push to live” once you’re happy everything is still working as it should
Tip: It can be good practice to wait a little while before a major software update so you can assess if other users experience problems with the update. However: WARNING! If the update is issued to patch a newly found security vulnerability, it is imperative to update immediately to protect your site.
(*) You can usually tell a minor update (usually security or bug fixes) from a major update (enhancement, change in functionality) by the version number decimals – e.g. version 3.4 to 4.0 would be a major update; version 3.4 to 3.4.1 would be a minor update.
What if an update breaks my site?
WordPress websites rely on a combination of themes and plugins to deliver the right look and functionality. These are developed by different developers and sometimes a plugin or theme may develop a conflict with the rest of your site software after an update. You can minimise the risk by only implementing well maintained plugins, minimising the number of plugins in use, sourcing plugins from the same developer where possible and using a good hosting provider.
However, at some point an update will break your site or an element of its functionality and this is when the troubleshooting begins.
There are usually 3 main reasons a site can break after an update:
- Server configuration issue – this requires investigation with your hosting provider
- Bug in the software update – this requires investigation with the theme or plugin developer
- Plugin conflict – this requires you to manually disable all plugins and isolate the culprit by re-activating plugins one by one until the site breaks again
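The one-by-one procedure for a plugin conflict, written out as an added Python example (not from the original article). The plugin slugs and the SimulatedSite class are hypothetical; on a real site the three callbacks would wrap WP-CLI's `wp plugin deactivate --all`, `wp plugin activate <slug>` and a page request.

```python
"""Isolate a plugin conflict: disable everything, then re-activate one at a time."""


def isolate_conflict(plugins, deactivate_all, activate, site_ok) -> dict:
    """Return the plugin whose activation broke the site, plus what was active then.

    deactivate_all(), activate(slug) and site_ok() are callbacks supplied by the caller.
    """
    deactivate_all()
    if not site_ok():
        # Still broken with no plugins active: look at the theme or server instead.
        return {"culprit": None, "active": [], "reason": "not a plugin"}
    active = []
    for slug in plugins:
        activate(slug)
        active.append(slug)
        if not site_ok():
            # The culprit may only fail alongside a plugin enabled earlier,
            # so report everything that was active at the time.
            return {"culprit": slug, "active": list(active), "reason": "broke on activation"}
    return {"culprit": None, "active": active, "reason": "no conflict reproduced"}


class SimulatedSite:
    """Constructed stand-in for a real site, used so the example runs offline."""

    def __init__(self, installed, conflicts=(), base_broken=False):
        self.installed = list(installed)
        self.conflicts = [set(c) for c in conflicts]  # groups that break when all active
        self.base_broken = base_broken  # True simulates a theme or server fault
        self.active = set()

    def deactivate_all(self):
        self.active.clear()

    def activate(self, slug):
        self.active.add(slug)

    def ok(self):
        return not self.base_broken and not any(c <= self.active for c in self.conflicts)


def run(site) -> dict:
    return isolate_conflict(site.installed, site.deactivate_all, site.activate, site.ok)


if __name__ == "__main__":
    # Hypothetical plugin slugs; "shop" and "cache" only break the site together.
    print(run(SimulatedSite(["seo", "shop", "forms", "cache"], conflicts=[("shop", "cache")])))
```

The plugin reported is the one whose activation broke the site; in the sample run "cache" only fails because "shop" was already active, which is why the full active list is returned as well.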
Troubleshooting an issue can be time consuming and frustrating as you may need to deal with different parties who may not always identify the problem as their responsibility at first.
Cleaning up a compromised website
If, in spite of taking all good precautions, you are unlucky enough to have your site compromised, you will need to hire a professional to clean it up for you. Thankfully there are services which specialise in cleaning up infected websites. One such service is Sucuri Complete Website Security, with charges varying from $200 to $300.
Once your site has been cleaned up there are also a number of steps you need to take to protect it from further attacks. This article by Sucuri covers these steps well.