WordPress is the world’s number one content management system (CMS).
In fact, more than 40% of all websites online use WordPress and it accounts for 63% of all known CMS solutions.
As a result of its popularity, WordPress websites are of course a target for hackers and undesirables. WordPress is generally known for being a secure platform, but like any software, it is important to keep it up to date and to take steps to secure it. There are several ways to enhance the security of a WordPress site and we shall explore these within our Journal entry.
However, it’s not all about security – maintaining your WordPress website also ensures you avail of the latest technical advances, keep your website running at peak performance and keep solid foundations for growth and scalability.
While it may seem like a simple starting point, you would be surprised how many people and organisations choose cost over security and performance. Some web hosting providers offer enhanced security measures, such as firewalls and malware scanning, which can help protect a site.
Our preferred hosting provider WP Engine is a company that provides hosting and other services specifically tailored to WordPress sites to help improve their performance, security, and manageability. Think of a managed WordPress host as a dedicated technical assistant that powers your website. This includes threat detection and blocking, daily backups, regular WordPress updates, caching to boost page speeds, and more.
Again, this may seem like a fairly basic suggestion, but latest surveys indicate that as many as 70% of current WordPress websites are running versions with known vulnerabilities.
Keeping on top of the latest version is a relatively straightforward task and one you won’t regret. Keep in mind, the longer you leave it the harder it becomes (i.e. the jump from version 1.1 to 1.2 is a lot easier than the jump from 1.1 to 7.8). What’s more, not only will maintaining your version of WordPress help keep your site secure, but you will also benefit from the latest technical advancements.
Even if you’re using the latest version of WordPress, your site may still be vulnerable to attack through flaws in PHP, the underlying programming language the platform uses. PHP (Hypertext Preprocessor) is a programming language mainly used for web development. It is a server-side language, which means it is executed on the server and the result is sent to the client as HTML, XML, or some other format. PHP is often used in conjunction with a database and is particularly well suited to creating dynamic, data-driven websites.
At a minimum, you should be using PHP version 7.4, but if a newer version is available you should consider upgrading. This is a task that might be better suited to your website developer; however, with the right tools and tips it’s a completely achievable (and recommended) maintenance task.
What? More updates, we hear you say?
One of the biggest benefits of WordPress is that it’s so easy to add and extend functionality through the use of plugins. WordPress is an open source platform and there is an entire industry supporting and enhancing the platform through both free and paid plugins.
But that flexibility comes at a cost. Every plugin you add to your site increases the site’s complexity and adds additional code that could be vulnerable to attack if not maintained.
Before you even add a plugin you should ask some simple questions:
- Do I actually need this plugin and/or feature? (It may already be a core feature of WordPress or of your hosting provider.)
- How well supported is the plugin?
- Who is the developer, and what is their history and reputation?
- Is it regularly updated, under version control and compatible with your current WordPress version?
- Is there supporting documentation?
We always advise running only the bare minimum of required plugins on a WordPress website; it helps reduce bloat and maintenance. Once you’re happy with your selected plugins, keep them updated. We recommend adding a task to your calendar once a quarter. Keep in mind that, as with WordPress updates, the jump from version 1.1 to 1.2 is a lot easier than the jump from 1.1 to 7.8; the longer you leave it, the greater the chance of security vulnerabilities and/or complications when updating.
Yet again, it may seem like a simple suggestion, but you would be surprised at the number of CMS admin users who commit cardinal sins when it comes to password management.
Using ‘PASS1234’ because remembering a complex password is just too much hassle, sharing your password with colleagues because it’s easier than setting them up as a user, or never changing your password because you just can’t spare that five-minute task are just some of those sins.
Weak passwords are a major reason why the rate of attacks on CMS sites and hosting providers is so high: most of those attacks are brute-force password-guessing attempts.
Brute-forcing uses automation to keep guessing a site’s account passwords until the attacker hits upon one that works.
Here are our top-tips for good password/user management:
- Use complex passwords: at least 16 characters long and a combination of uppercase letters, lowercase letters, numbers, and symbols.
- Not a word that can be found in a dictionary, or the name of a person, character, etc.
- Change your password frequently; why not tie it in with your general quarterly updates?
- Never share your password.
- Ensure each user has the correct level of access (not all users need to be administrators; WordPress has other roles, for example Editor) and ensure they follow the best practices above.
- Consider using 2FA/MFA as an extra layer of security (2FA: two-step authentication; MFA: multi-factor authentication).
- Remove old users who have left your company or organisation.
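To turn the checklist above (keep WordPress core, PHP and plugins current; review who holds the Administrator role; apply the password rules) into something repeatable, here is an added example script. It is not code from the original post or from WP Engine. It assumes WP-CLI (`wp`) and the `php` binary are on PATH and that it is run from the WordPress root; the 7.4 and 16-character thresholds are the ones given in the post, and `/usr/share/dict/words` is consulted for the dictionary check only where it exists.

```shell
#!/bin/sh
# wp-maintenance-audit.sh: added example, not code from the original post.
# Assumptions: WP-CLI ("wp") and the "php" binary are on PATH and the script
# runs from the WordPress root. Every "wp" call below is read-only; the update
# and delete commands are shown only as comments for the person running it.
set -u

MIN_PHP="7.4"     # minimum PHP version the post recommends
MIN_PASS_LEN=16   # minimum password length the post recommends

# version_ge A B: succeed when dotted version A is >= version B.
# Non-numeric suffixes such as "-dev" are ignored; missing components count as 0.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; ai=${ai%%[!0-9]*}; ai=${ai:-0}
        bi=${b%%.*}; bi=${bi%%[!0-9]*}; bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# php_version_ok VERSION: is this PHP version at or above MIN_PHP?
php_version_ok() {
    version_ge "$1" "$MIN_PHP"
}

# password_meets_policy PASSWORD: the post's rules applied mechanically:
# at least MIN_PASS_LEN characters, upper + lower + digit + symbol, and not a
# plain dictionary word (checked against the system word list when present).
password_meets_policy() {
    p=$1
    [ "${#p}" -ge "$MIN_PASS_LEN" ] || return 1
    case $p in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $p in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $p in *[[:digit:]]*) ;; *) return 1 ;; esac
    case $p in *[![:alnum:]]*) ;; *) return 1 ;; esac
    if [ -r /usr/share/dict/words ]; then
        grep -qixF -- "$p" /usr/share/dict/words && return 1
    fi
    return 0
}

# audit_site: read-only report covering the checklist in the post.
audit_site() {
    phpv=$(php -r 'echo PHP_VERSION;')
    echo "== PHP =="
    if php_version_ok "$phpv"; then
        echo "PHP $phpv meets the minimum of $MIN_PHP"
    else
        echo "PHP $phpv is below $MIN_PHP: plan an upgrade"
    fi

    echo "== WordPress core =="
    wp core version
    wp core check-update          # lists newer releases, or reports that core is current

    echo "== Plugins with an update available =="
    wp plugin list --update=available --fields=name,version,update_version

    echo "== Accounts with the Administrator role (review against your staff list) =="
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered

    # After reviewing the report (and taking a backup), the matching changes are:
    #   wp core update && wp core update-db
    #   wp plugin update --all
    #   wp user delete <login> --reassign=<user-id>   # leaver's content goes to another user
}

if command -v wp >/dev/null 2>&1 && command -v php >/dev/null 2>&1; then
    audit_site
else
    echo "wp or php not on PATH: live audit skipped, helper functions still usable" >&2
fi
```

Because every `wp` call is read-only, the script can run on the quarterly calendar task and its output reviewed before any update or deletion is applied. WordPress core has no built-in 2FA, so enrolment is plugin-specific and cannot be reported generically here; check it in the chosen plugin's own admin screen.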
So, there we have our overview and top-tips for good WordPress maintenance and management. There are plenty of other best practices when it comes to general maintenance like performance management but perhaps we will cover those another day.
And please keep in mind, should you require assistance with any of the above, just let us know. We offer everything from yearly/quarterly/monthly maintenance plans to long-term support SLAs covering the basics and beyond, such as:
- WordPress core updates
- PHP updates
- WordPress plugin updates
- Security scanning and support
- Hosting liaison
- 24/7 uptime monitoring
- Crisis resolution
- Small design/development requests
- Server migrations
- General website audits
- Performance optimisation
- SEO optimisation
- UX/UI reviews