WordPress Technical Maintenance

If you have a self-hosted WordPress website (one not hosted at wordpress.com), it’s really important to keep it up to date.

I’m not talking about adding new content. That’s important, of course, but even if you don’t add anything new for a while, your site won’t break. Think of adding new content like putting gas in your car: even if you don’t, your car doesn’t break.

I’m talking about technical maintenance. That’s more like changing the oil and the filters, topping up the fluids, checking the brakes and the transmission. Those are the tasks that keep your car running.

These are the tasks that will keep your WordPress website running.

I do these on average once a week for my maintenance clients. Sometimes I need to check in more often, if it’s a week of multiple updates. Sometimes if I’m travelling I’ll skip a week.

• Backup the entire site on an automated schedule, and send the backup file to offsite storage (backup files are big, and I don’t want them cluttering up the server).
• Run any updates (WordPress core, themes, plugins) only AFTER taking a manual backup and downloading that backup to my local computer so I can restore very quickly if I need to.
• Fix anything that breaks after an update.
• Monitor website security, and take measures as necessary if a website is being attacked.
• Manage and remove spam, and optimize the database as necessary.
• Scan for malware, and remove as necessary

Take Backups

Stuff breaks. Sometimes updating one piece of your website will break something else, when updates get out of sync or one piece changes how it works, or even how it names something, and that change interferes with something else.

You need a backup solution. And backups are only as good as your ability to restore from the backup. So yes, some hosts tell you they do a daily backup of your site. That’s terrific. How fast will they respond and restore your site to a working condition if something goes awry?

I recommend not relying on your host as your only source of backups. You need to be able to create one yourself, and you need to be able to restore from it yourself.

Things to consider when choosing a backup plugin:

• How easy is it to set up and configure?
• Can it send you the backup file by email? Or store it offsite? I store mine in an Amazon S3 account. With 30+ sites storing eight rolling backups (the newest one replaces the oldest one), my monthly storage bill has never been more than $1.50 US a month. Yes, that’s less than $2 a month.
• How easy is the restore process?
• And as for any plugin you install, how good is the support from the plugin company if you have a question or run into a problem?

There are a lot of backup plugins out there. Here’s a good article comparing seven of them: http://www.wpbeginner.com/plugins/7-best-wordpress-backup-plugins-compared-pros-and-cons/.

I use BackupBuddy from iThemes https://ithemes.com/purchase/backupbuddy/, and have for years. It’s not free, but they offer discounts pretty regularly. I have a lifetime developer’s license for unlimited sites so for me it’s very cost effective.

I’ve heard good things about Updraft Plus https://updraftplus.com/. They offer a free version that might be just what you need.

Install Updates

A WordPress website with outdated code is a WordPress website at risk. Most core, theme, and plugin updates address security issues and plug holes. Once a vulnerability is identified, it’s only a matter of time before someone tried to exploit it.

Keep your website up to date. I always take a manual backup before I update anything, and rather than send that one to my Amazon S3 storage account I’ll download it to my computer so if I need to restore, I have it at hand.

And because I want to take a backup before updating any code, I turn all automatic updates off. Even the minor ones. If you look at your list of plugins, or at the version of WordPress that’s installed, you’ll see that version numbers are usually in three parts, like this: 5.2.1. The first number (and any of the numbers might be more than one digit) is what’s called the major version number. If something changes a major version number, that’s a BIG update and can significantly change things. It’s REALLY important to take a backup before a major version change.

To turn off updates, you have to edit the wp-config.php file that sits in the root of your site. If you’re comfortable letting minor updates go through without taking a backup first, put these two lines at the very bottom of that file:

/* only allow automatic minor updates */
define( 'WP_AUTO_UPDATE_CORE', minor);

If you want to be able to take a backup before any updates run, use these lines instead:

/* turn off all updates *.
define( 'WP_AUTO_UPDATE_CORE', false );

Just remember: if you’ve turned off automatic backups, check your site regularly for update notifications.

Troubleshoot and Repair

WordPress is complex all on its own. Start adding themes and plugins from different developers, and you have the potential for things to go sideways in a hurry.

A theme controls how a WordPress site looks, and to some extent where and how visitors interact with your site. Plugins add functionality that allow the site to do things that WordPress can’t do right out of the box. Some themes build in extra functionality that usually reside in plugins — I call those “kitchen sink” themes (and I have yet to find one I like and can recommend, but that’s another story).

The WordPress core provides ways for those themes and plugins to interact with WordPress and with each other. There are absolute rules, which those add-ons must follow in order to work, and then there are best practices. When an add-on doesn’t follow those best practices, even if it seems to work well with WordPress alone, there’s no guarantee that it’ll work well with other add-ons.

Sometimes, your site might be ticking along with its various themes and plugins. But then one of them updates, and something breaks. The site stops working properly, or it looks funky, or is showing code on a page rather then the normal content. And it’s frequently not the piece that updated that breaks.

Those problems can be really hard to find and fix. What I do is restore the last working backup on the live site.Then I install that same backup in a test area. (I have a domain I use just for testing, but you can also install into a subdomain on your own hosting account.) Then I’ll run the updates — one at a time, if there are more than one — on the test site, and work through fixing what broke.

The easiest way to find what’s causing the problem is to disable ALL the plugins and revert back to one of the built-in WordPress stock themes. Yes, the site will look ugly and won’t work the way it did. But by stepping through re-activating all those pieces, you can usually find where the conflict occurs. Start with the theme, as that’s the toughest part to replace with something different if you have to.

There have been times where I completely abandoned a plugin and found a replacement that was able to work with the rest of the site and still do what I needed it to do. There have been times where I have had to go into the code of a theme and change something manually. (Don’t try this at home unless you know what you’re doing!)

Once I have all the bits playing nicely together again, I have two choices. If my client doesn’t add content often, and hasn’t made any changes on their site since I started this process, I’ll simply backup the repaired test site and restore it over the live site. If they have added more content, I don’t want to lose that! So I’ll ask them to hold off until I can make my changes, and then I’ll do the updates and changes on the live site to match how I got the test site to work.

Clear as mud, right? Thing is, if you have a fairly simple site, you might never run into the sort of problems that require such fixes. But the more plugins you add, or the more complex the theme you choose, the higher the probability that something is going to screw up down the line.

That’s one of my complaints about those “kitchen sink” themes. They bundle so much into one package that it becomes hard to troubleshoot if an update causes a problem. And changing out a theme can be a complicated process, especially if you use one of the fancy page-builder types of themes.

Even if you do your technical maintenance yourself, troubleshooting and fixing problems might be areas where you find outside help.

Configure and Monitor Security

WordPress and security is a big topic. WordPress is not inherently any more or any less at risk of being hacked than any other online account or software app. You can do a lot to secure your site just by following some common sense measures:

• Use long, complex passwords.
• Set up two-factor authentication if you can.
• Choose themes and plugins from reputable developers and keep them updated.
• Keep WordPress itself updated.

I also recommend installing a security plugin, one that can harden your site against known methods of intrusion and can monitor for intrusion attempts (and let you know if something is going on that you need to be aware of).

I use Security Pro from iThemes https://ithemes.com/security/. Just as for BackupBuddy, I have an unlimited lifetime license, so even given the initial expense it’s the most cost-effective solution. Plus I like using multiple products from one developer, because I know they’ll work well together (I also use their theme framework, Builder). They do have a free version that does most of what you might need.

Here’s what the PRO version does for me:

• Ban bad users
• Block specific IP addresses and user agents from accessing the site
• 404 Detection
• Hide Login & Admin URL
• Change WordPress salts & keys
• Away Mode
• Database Backups
• File Change Detection
• Remove Windows Live Write header information
• Remove RSD header info
• Remove update notifications from specific user roles
• Remove login error messages
• Rename ‘admin’ account
• Change ID on user with ID 1
• Change WordPress database table prefix
• Change wp-content path
• Force SSL for any post, page, or admin page
• Turn off file editing in WordPress admin
• Reduce Comment Spam
• Local brute force protection
• Network brute force protection
• XML-RPC brute force protection
• Security logs
• Email Notifications & Digest Emails
• Customizable lockout messages
• Strong Password Enforcement
• File Permission Check
• iThemes Sync Integration
• Malware Scan
• Dashboard Widget
• Google reCAPTCHA Integration
• Two-Factor Authentication
• Settings Import & Export
• WordPress Core Online File Comparison
• Scheduled Malware Scanning
• User Action Logging
• Temporary Privilege Escalation
• WP-CLI Integration
• Password Expiration
• Private Ticketed Support
• WordPress User Security Check

A lot of the security on my sites is “set and forget” with this plugin. Once I install it, I walk through all the settings and tighten up as much as I can. Then I rely on the email notifications I can set up to tell me if the site is being attacked, if malware has been detected, if files have been changed that shouldn’t have been, etc.

WordFence https://www.wordfence.com is considered the industry leader in WordPress security plugins. They also have both free and premium versions. Personally, I’m not a fan. I’ve had too many clients get locked out of their own sites for false positives. The one service they do provide, though, that iThemes does not, is cleaning of your site if it gets hacked.They’re not cheap, but they do good work — and a year of their Premium version is included in the price.

Sucuri https://en-ca.wordpress.org/plugins/sucuri-scanner/ is another good option, with both a free and premium version. Sucuri has a long, strong reputation for web security, not just for WordPress.

When I log in every week, I take a look at the logs to make sure nothing weird is going on. If I see a lot of activity where I don’t expect it, or if I see that my client shows as logged in when I know they’re not, I can take steps to change passwords and security kets (WordPress SALTs) to bounce out intruders.

There are other security plugins, but those are the ones I’m most familiar with. Like virus protection on your own computer, it matters less which one you choose than it does choosing SOMETHING, installing it and configuring it, and paying attention to it on a regular basis.

Manage Spam

Akismet https://akismet.com/ comes with WordPress, but it requires a license/key to activate it. There’s a free version, but it’s meant for personal sites, not business sites. (And yes, author sites are business sites even if you don’t sell directly from your site.)

I like AntiSpam Bee https://en-ca.wordpress.org/plugins/antispam-bee/. It’s free, and it does just as good a job as Akismet, in my experience.

But even if your spam plugin doesn’t allow the spam to be publicly viewed on your site, you as the site owner have to make sure it isn’t building up in the database. One reason is that if for some reason you get hit with a lot of spam, whether it’s visible or not it’s taking up space in your database and can make your backups very large.

Another reason is that spam message sometimes contain malicious code. Even if the comment is hidden, that code is still sitting there on your site until you delete it.

Both Akismet and AntiSpam Bee allow you to set what gets deleted automatically and what hangs around so you can confirm that it’s spam before deleting. Don’t let that garbage build up!

When I log into my sites every week, one of the first steps I take is to check for spam. I don’t want garbage in my backups, either.

Scan for Malware

Just like for your personal computer, you have to take active steps to keep malware and viruses from infecting your website. All three of the security plugins mentioned above provide malware scanning and active monitoring, and there are stand-alone plugins that do as well.

Cleaning of malware can be a long, nasty, complicated, and expensive process. Every single line of code in every single file has to be checked. There are some tools that can help speed up the process, but mostly it’s just painful and slow. I would rather rely on prevention than cleanup! Choose a plugin that allows you to schedule the scans, and informs you if there’s a problem.

Running malware scans a lot can put a big load on your server resources. Unless a site is experiencing a lot of attacks, I prefer to run a weekly scan than to schedule one for every day. It’s one of the tasks I do on all my sites when I log in for maintenance.

Manage the Process

Once you have more than one or two WordPress websites to take care of, collecting them into a management dashboard allows you to take a snapshot of the status of all your sites in one place. I use the free level of ManageWP https://managewp.com/ because I don’t need the additional features from their premium add-ons.

I like this tool because it allows me to log into each individual site from the common dashboard. Since I want to take backups before updating (remember?), I need to visit each site. Some management dashboards don’t provide that sort of access; they just allow you to run the updates from the common dashboard.

What I Do for Clients

There’s nothing on this list that you can’t do yourself, with the possible exceptions of troubleshooting if something breaks or cleaning up a hacked site. But just because you can doesn’t mean you’ll want to! For those folks, I offer a WordPress Technical Maintenance Package. For $275 per year (per client, up to three websites), I take care of all the stuff listed above.

Except an initial cleanup after hacking. If you come to me with a hacked site, we’ll negotiate a price to get it cleaned up and working again. And you get three months of technical maintenance included, to make sure it stays healthy.

So don’t let your site get to that point! Take charge of your WordPress site, do the maintenance regularly, and keep it running smoothly.