WordPress Management
Once you’ve created and launched your site, you can give yourself a quick pat on the back, but you really mustn’t rest on your laurels. This is only the start of the ongoing task of managing your site and keeping it up-to-date, relevant and secure.
Managing your site isn’t difficult. Millions of website owners do it and there are plenty of tools out there to help you, some of which I’ll mention here. But it can be hard work, especially if you want a site with high levels of traffic, as you’ll not only need to attract the visitors you want, but also ensure your security measures keep out those you don’t.
In this lesson we’ll look at some of the things you need to do to manage your site effectively over time.
Although there are countless areas to discuss, we will focus on reviewing a few key areas:
Creating a Custom Menu
1. To get started creating a custom menu, log in to your WordPress site and click to expand the Appearance menu on the left side of the WordPress Dashboard.
2. Click on the Menus link in the Appearance menu. You’ll now see the Menus editor page.
3. Enter your menu name, and click Create menu.
4. Now you’re ready to add menu items from the boxes on the left, such as pages, categories and links.
5. If you’d like to change which menu options you see from this page, click to expand the Screen Options tab. Now you can add other menu item options such as posts, tags or formats, or show advanced menu properties like CSS classes.
6. When you have your menu items arranged in order, click Save Menu. You now have a new navigation menu that can be added to any menu location on your WordPress site.
Creating Users in WordPress
WordPress user roles include site administrator, editor, author, contributor and subscriber. These user roles control the level of site management granted to a user — including the ability to write, edit or publish content on your site. Users with lower access roles will see fewer options in the WordPress Dashboard when they are logged in.
1. To add a new user to your WordPress site, log in to your WordPress site and click to expand the Users menu.
2. Click the Add New link located in the Users menu.
3. Enter the username, email address, first name, last name, website, and password for the user.
4. If this user is brand new, it’s a good idea to select to send this password to the new user by email.
5. Next, select the subscriber role for the user.
6. To see a basic overview of WordPress user roles, click the Help tab at the top of the screen. Here you’ll see details for how user roles relate to site privileges, so you’ll be able to decide which level of access to grant to your new user.
Managing Your Site Content
Managing and updating content is pretty easy with WordPress: it is a content management system after all. But WordPress won’t do the hard work for you: you have to create your content, share it with a wide audience and engage with the people who are reading it and commenting on it. By doing these things you’ll create a site which encourages people to come back regularly and which gets found by search engines.
The three main areas you need to think about are:
- Publishing regularly
- Sharing content
- Managing subscribers and comments
Publishing to Your Site Regularly
In the early days of working on your site, the chances are you’ll have lots of adrenalin and write new content fairly frequently. As time passes you’ll get distracted by other things, you’ll lose your enthusiasm and start publishing less and less frequently. In time you may stop publishing altogether.
If you want people to keep visiting your site and the search engines to keep finding it, this can’t happen. So you need to define a publishing schedule that you can stick to from the outset. If you’ve got loads of ideas at the beginning, by all means start working on them, but don’t publish them yet: save them as drafts or in note form and publish them at a later date when you haven’t got so many ideas or so much time.
WordPress lets you schedule your posts in the future.
Here are some tips for creating and sticking to a regular publishing schedule:
- Identify how frequently your site visitors will expect you to post new content. This will depend on your site and your audience, and is likely to be higher if you want to make money from the site.
- Be honest with yourself: can you realistically write, edit and publish content at this pace? If you can’t do it yourself, you may need to rethink your plans or hire other people to help you.
- Create a publishing schedule with details of when you’ll publish and what type of content you’ll publish when: for example you might post different types of posts on different days of the week.
- As you come up with ideas, allocate them to dates in the future. Give yourself a reasonable amount of time before publication to allow time for writing, editing and creating or sourcing assets.
- Take time to edit your posts. After drafting something, don’t hit ‘Publish’. Save it as a draft and then come back to it another day to make edits, or (even better) ask someone else to.
- If you’re not going to be around on the days when you normally publish content, use the WordPress scheduling feature. In the publishing pane, you can select a future date for publication and then hit ‘Schedule’. WordPress will automatically publish the post for you when you tell it to.
Spreading the Word
Once you’ve got content, you need to tell people about it. Even established sites with audiences in the millions adopt strategies to let people know what they’re publishing. You’ve got a few tools available to help you with this:
- Subscription – If you can entice people to subscribe to your site (maybe with a freebie such as a free e-book or report), then you have a captive audience. You can use plugins like MailPoet or our Subscribe by Email to automatically notify your subscribers when you post new content, or to send them a daily or weekly digest of new posts.
- RSS Feeds – WordPress will automatically create an RSS feed for you, but you can make things easier for your readers by using a widget to help them subscribe to it.
- Social media – If your content is public, then social media really is the best way to raise awareness of it. But don’t go hammering all the social media platforms: you’ll spend way too much time on it and you’ll get diminishing returns. Identify what social media platforms your target audience use and build your presence on those. Identify when your audience are on social media and make sure you post at those times. A tool like Hootsuite can help you with scheduling posts.
- Social media plugins – Plugins like Ultimate Facebook, WP to Twitter and Add Link to Facebook will help you automatically post new content to your social media accounts when you publish it on your blog. Plugins like Ultimate Facebook and ShareThis will also encourage your readers to share your content via their own social media accounts.
For details of some great plugins that will help you share your content, see my post on 16 plugins to help you communicate with your users.
Managing Comments
As well as engaging with your readers on social media, you’ll need to consider whether and how you’re going to use comments to let your readers voice their opinions and ask questions – and how you’ll respond.
You don’t have to enable comments; on some sites it may not be necessary, but if you’re launching a blog or community site it will help your readers feel that you care about what they think, give you a chance to understand what they think of your content, and make it more likely that they’ll keep coming back.
Here are some questions you might ask yourself:
- Will you allow anyone to post comments, or will you approve them first?
- If someone has already had a comment approved, will you let them comment without you having to approve in future?
- Will people have to sign in to comment?
- Will you use a third party tool to manage comments, or let readers use their social media accounts?
- How often will you read comments?
- To what sort of comments will you reply? Will you reply to everyone or have a set of criteria?
The first thing you’ll need to do is configure your discussion settings in the admin screens. In Settings -> Discussion, choose the options that work best for your site, and remember that if you turn comments off, this will only apply to new posts, so you’ll need to either manually turn discussion off in your old posts or use a plugin like Disable Comments.
In the Discussion settings screen, you can define whether comments are allowed, whether users need to be logged in to comment, whether you’ll moderate comments before they’re published, and whether you’ll allow people who’ve posted comments before to post again without moderation.
Once you’ve done this, you need to manage comments and respond to them. It can be easy to get sucked into replying to comments the instant you’re emailed with a notification, which can impact on your productivity elsewhere.
I recommend identifying a time of day (or maybe a day of the week if you don’t get a lot of comments to start with) when you review comments and respond to them.
Here are a few tips:
- Make sure you enable the Akismet plugin, bundled with WordPress, to clear out comment spam. It will save you a lot of work.
- Sometimes another reader will reply to a commenter answering their question or starting a discussion. This is great! It means your site is sparking off discussion among your community of readers. If you wait a while before replying to comments yourself, this is more likely, but don’t forget to post a comment at some point or people will think you’re ignoring them.
- Beware of comments that say your post is the best thing since sliced bread but don’t add anything specific. These are often spam – if you publish them thinking it’ll make your site look good, it might actually make you look a bit needy and gullible.
- If people do post positive and specific comments, publish them as soon as possible and reply with a thank you and an answer to any questions.
- You may well get comments disagreeing with your viewpoint or advice. This is very healthy as it encourages debate and will get more people commenting. Respond to these comments but don’t be tempted to get defensive: your views are just as valid as those of your readers.
- If people (correctly) point out errors in your content, thank them and make corrections. I’m talking about factual errors here, not differences of opinion!
- If people post defamatory, obscene or libellous comments, don’t publish them – they aren’t part of healthy debate. Mark them as spam and Akismet will spam that commenter’s comments in the future, or simply delete them if you don’t want to be so strict.
I’ve seen blogs that generate thousands of comments on posts, many of which are very repetitive (‘I love your ideas on X and Y! Awesome!’). Welcome these but don’t feel you need to reply to each one individually. Time spent on writing new content will benefit your readers much more than time spent on replying to endless comments.
Managing Your Site’s Code
Of course none of your content will be displayed in your visitors’ browsers without some code. The code powering your site comes from three sources:
- WordPress itself
- Your theme
- Plugins you use
You need to make sure that the code from these three sources is up to date and free of any potential problems such as spammy links, security risks and conflicts. The most important thing you can do to avoid this is to keep everything up to date but there’s more to it than that.
Updates
Keeping your version of WordPress and your plugins and themes up to date will help keep your site running smoothly and reduce any security risks.
Keeping WordPress Up-to-Date
WordPress updates are released for very different reasons, but they’ll normally include one or more of the following:
- Bug fixes
- Security patches
- Enhancements.
The major releases (such as 4.1) tend to be focused on enhancements but they’ll probably include some bug fixes as well. The interim releases (such as 4.0.1) are normally focused on fixing bugs or making security patches.
I’ve been creating and supporting client websites for five years now and in that time almost every time a site has been hacked it’s because it hasn’t been running the latest version of WordPress. On just one occasion it was because the server was hacked, and on another it was because a client was running an insecure theme, but every other time it’s because people have exploited vulnerabilities in an old version of WordPress. Security patches are released very quickly after a problem is identified, and made very public, which means that the bad guys will know about the vulnerability too. So keep your version of WordPress up-to-date!
While WordPress will automatically update to the latest minor version, major versions need to be updated manually, so be sure to check your WordPress installs whenever a new major release has been shipped.
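If you run sites that nobody checks regularly, you can opt in to automatic major updates with core's own update filters. The must-use plugin below is an added example, not code from the original article; the filter names are real WordPress filters (3.7 and later), while the `example_` function name and the trusted-plugin list are assumptions.

```php
<?php
/**
 * Plugin Name: Opt in to automatic core updates (added example)
 *
 * Added example, not from the original article. Save it as
 * wp-content/mu-plugins/auto-updates.php so it loads on every request
 * without needing to be activated.
 */

// Minor (security and maintenance) releases are applied automatically by
// default. Leave that on: the article's point is that sites running an old
// version are the ones that get compromised.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Opt in to major releases (for example 4.0 -> 4.1) as well. Only do this
// where nobody will run the update by hand; otherwise test the update on a
// local copy first, as the article recommends.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Keep the email core sends after an automatic update, so a failed or
// partial update is noticed rather than silently ignored.
add_filter( 'auto_core_update_send_email', '__return_true' );

// Plugins are not auto-updated by default. Opt in only for plugins you have
// verified update cleanly. The $trusted list is a placeholder; $item->plugin
// is the plugin's main file relative to wp-content/plugins/.
function example_auto_update_selected_plugins( $update, $item ) {
	$trusted = array( 'akismet/akismet.php' ); // placeholder list
	if ( isset( $item->plugin ) && in_array( $item->plugin, $trusted, true ) ) {
		return true;
	}
	return $update; // otherwise keep whatever core decided
}
add_filter( 'auto_update_plugin', 'example_auto_update_selected_plugins', 10, 2 );
```

Automatic updates still require the web server to be able to write to the WordPress files; sites deploying from version control or with read-only file permissions will not update this way and need a scheduled check instead.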
Keeping Themes and Plugins Up-to-Date
The same goes for your themes and plugins: if they’re updated, it will be for one of four reasons:
- Feature enhancements
- Bug fixes
- Security patches
- Compatibility with the latest version of WordPress.
In the Dashboard, you can easily see if you have any themes or plugins that need updating. And you can update them all by going to the Updates screen.
You might want to test the updates on a local copy of your site before updating everything on your live site. While a well-written theme or plugin shouldn’t break your site, occasionally it does happen and you don’t want that to be visible to your visitors.
To make a local copy of your site, you can use a plugin like Snapshot to back up your site and then install it on your local machine. There’s more advice on running WordPress locally in the WordPress Codex.
Sourcing Your Themes and Plugins
As well as keeping your site up-to-date, you also need to consider where you’re getting your themes and plugins from in the first place.
Make sure you only download code from a reputable source. If you’re not sure, ask other WordPress users for their recommendations or for their take on the plugin or theme you want to use. Or if you’re not a developer but know one, ask them if they don’t mind looking at the code for you. A friend once asked me to look at a theme that she was planning on using for a community site, and it turned out to have malicious links hidden in the footer.
Where you’re going to get your themes and plugins from will differ depending on whether you’re looking for free or premium ones. Here are my tips:
- Only download free themes and plugins from the WordPress theme and plugin repositories. These have thousands of themes and plugins to meet all needs and what’s best is that they’ve been checked by experienced teams to ensure that they work and that they don’t include malicious code or security errors. For full details of how themes and plugins are reviewed, see the Theme Unit Test and Plugin Submission and Promotion pages on the Codex.
- When buying premium themes and plugins, talk to other developers or check with websites like this one for reviews and advice. This will help you to find reputable sources and avoid trouble. Subscribing to a high quality theme or plugin library like the one here at WPMU DEV will help you avoid problems.
For more on sourcing themes and plugins, especially on deciding whether to go for free or premium ones, see our post on when to buy and when to download free.
Choosing Themes and Plugins that Make Managing Your Site Easier
When you’re choosing themes and plugins, reliability and security aren’t the only criteria to bear in mind. You also want to find a theme and a set of plugins that will make it easier for you to create, manage and update your site.
This isn’t just about installing plugins to help you with site management activities: it’s also about finding plugins that are easy to work with, quick to install and administer and just do what they say they will without too much extra work from you. For example:
- If you’re a non-coder, avoid plugins that require you to insert code into theme template files.
- Avoid themes with features that you don’t need. They’ll add more code and may confuse you if they come with lots of theme options.
- Test how your plugins do the job they’re designed to do. For example when choosing a backup plugin, find one that automates backups and makes it super easy to restore your site if things go wrong: lots of plugins do the first but not the second.
- Choose plugins that are efficient and won’t slow down your site. If a plugin is slowing your site down, check that it’s up to date and if it is, consider looking for an alternative plugin. However it’s worth saying that plugins aren’t always bad for site performance: there is a myth that the more plugins you install the slower your site will be, but the reality is that it depends on the size and performance of the plugins.
Managing Your Site’s Performance
The third aspect of managing your site is performance. There are really two aspects to this:
- The performance of your site against its objectives, which may be attracting more visitors, making more conversions etc.
- The performance of your site in terms of page load times and speed.
Each of these is quite different, but the second will have an impact on the first because a slow site is one which people abandon before it’s even loaded.
Creating a High-Performing Site
A high performing site will generate significant amounts of traffic and increase the number of visitors over time. It will attract new visitors and encourage people to return, and it will have a low bounce rate.
Your site will have its own specific objectives: it’s important to know what those are from the outset as it will influence your site design, UI and content.
To maximize your site performance you need to know what your objectives are and find a way to measure the site against those objectives. You’ll also need to identify and use tools which will help your site to meet its objectives. The main areas you’ll probably want to consider are:
- SEO to attract more visitors
- Conversion optimization to get more sales or encourage more people to contact you
- In-site activity tracking so you can minimize bounce rates
- Analytics to help you track visitors, conversions, bounce rates and more
- Optimizing your site for all of the platforms your visitors use, including mobile and touch devices as well as desktop PCs.
Search Engine Optimization
There are probably millions of articles and blog posts out there to help you with your SEO, so I’m not going to add much to the topic here. However it’s worth noting what WordPress-specific tools you have at your disposal to help with SEO. WordPress comes with inbuilt features for this and you can also install plugins which will help you boost your search engine rankings. None of these are a quick fix however and if SEO is the means by which you’ll attract traffic, you’ll need to gain an in-depth understanding of the latest developments in it and put in a lot of work to optimize your site.
Features and tools you can use include:
- Inbuilt WordPress functions such as those to generate title tags in the <head> section of your pages. Your theme should support these (although you might want to override them using a plugin).
- When adding links, especially internal links, adding a title in the field provided by WordPress. This will help search engines understand what those links are about.
- When inserting images, adding alternative text and a description. When people make image searches, Google and other search engines will use these to determine what to show them. They’re also good for accessibility.
- Plugins to give you more advanced SEO functionality such as All In One SEO Pack or our Infinite SEO.
- Plugins to help you access your site analytics in the WordPress admin such as Google Analytics+ or Google Analytics Dashboard for WP.
Conversion Optimization
For many years now the focus has been on SEO – on getting more visitors to your site in the assumption that once they’re with you, they’ll do what you want them to. But it’s dangerous to assume this.
The chances are you have some activity that you want people to engage in when they reach your site: consume content, join a community, buy something, subscribe or get in touch. People who do this after visiting your website are said to have converted – they’re now more than just visitors.
Working on your conversion optimization can be much more effective than working on SEO, for the simple reason that fewer sites are doing it.
So if you invest a given amount of time and money in SEO, you might increase your visitor numbers by 500% (for example) from 100 per day to 500 per day.
But if those people are then leaving your site within seconds of arriving, all that investment in SEO hasn’t done you much good. Let’s say 10% of the people visiting your site normally convert, but this percentage drops with more visitors to 5%. You’ll now have more than twice as many people converting (25 compared to 10), which is good.
But what if you invest that time and money in increasing your conversion rate by 500% instead? You still have 100 visitors per day but instead of 10 of them converting, 50 of them now convert. That’s twice the rate of return compared to putting the same effort into SEO. And you may well find that it’s easier to do, as you can gain a better understanding of your site and how people behave on it than you can of Google and its algorithms.
There’s less material online about Conversion Rate Optimization (CRO) than there is on SEO, but if you want to understand how to get started I’d recommend the free materials you can download from Conversion Rate Experts. But what WordPress tools can help with this?
- Plugins like Google Analytics+ or Google Analytics Dashboard for WP help you access your site analytics and see what visitors are doing.
- Performing A/B testing on two themes will help you see which theme encourages more visitors to convert. The A/B Theme Testing plugin helps you do this.
- There are a range of plugins to help you get more from your analytics data and create more detailed data. Examples include Form Abandonment Tracking, which tracks behaviors on forms, Track Everything, which you can customize to track a variety of areas and elements on your pages, Video Analytics for video embeds, and Heatmap for WordPress, which lets you see where on your pages users have clicked.
Cross-Platform Optimization
When I started developing websites, cross-browser testing was all the rage. Developers would spend hours wrangling their code so it worked in various versions of Internet Explorer, causing much frustration.
Then the idea of progressive enhancement emerged and we learned not to worry so much about users of bad browsers not getting the optimal experience.
No-one talks about browser compatibility anymore. Now it’s all about cross-device compatibility. With increasing numbers of people accessing the Internet on mobile devices, be that a smartphone or tablet, it’s now essential for your site to work effectively on all devices. In practice this will probably mean using a responsive theme, but you might also want to think about installing or developing an adaptive theme, which takes responsiveness a step further.
At the very least, your site’s layout should resize on smaller screens and buttons, links etc. should be easy to tap on a touchscreen. Navigation should resize or move to suit the demands of a small screen and ideally images should be served up at different resolutions for smaller screens to save on load times.
You can find a list of some great responsive themes here on our blog as well as the lowdown on plugins to optimize your site on mobile.
To take your site one step further on mobile, you can use an adaptive theme, which uses PHP to change what’s output by the server, rather than just using CSS to change how it’s displayed. An adaptive theme will include responsiveness for layout but also use server-side techniques to ensure that (for example) smaller images are sent to devices with smaller screens. While this is less of a priority than it was a couple of years ago when phones were often working on slow connections, it always makes sense to avoid making your site any slower than it needs to be.
A great plugin which provides template tags you can use to detect devices and serve up content accordingly is Mobble, and I’ve written about how you can use the tags provided by this plugin to send different sized featured images to different devices.
Optimizing Your Site’s Speed
Your site isn’t going to perform if it’s too slow. Website visitors are used to pages loading quickly and if yours don’t the chances are they’ll just give up and go elsewhere. So all that work you’ve done on SEO and CRO will come to nothing.
Ensuring your site runs quickly involves anticipating the traffic you’re going to get (especially spikes) and ensuring that your server can cope with it. It’s also about using themes and plugins which are coded in a way which makes for a fast, efficient site, and it’s about using methods such as caching to serve pages up quicker. Let’s take a look at some of these techniques.
Caching Your Site’s Pages
If you cache your site’s pages, it means that your site generates static HTML for pages at given intervals; those static pages are then served up to browsers instead of WordPress running all of the actions it needs to load a page, set up themes and plugins and fetch content from the database.
Caching will generally speed up your page load times, but should be approached with caution:
- If your site has pages which frequently change (such as the home page), cached pages could quickly go out of date.
- If you’re enabling comment posting without moderation, caching could prevent people’s comments from being displayed straightaway.
- If your pages include feeds from elsewhere (such as social media or RSS feeds), you’ll need to consider how often you want the cache to refresh so that the feed is up to date.
For high traffic sites you can also use server caching: the way you do this will depend on your server configuration so it’s something you’ll need to speak to your hosting provider about.
The most popular plugins for caching WordPress sites are W3 Total Cache and WP Super Cache. Which one works best for you will depend on the specific options you need: it’s worth testing both of them if your site receives a lot of traffic as then you can pick the one which makes the most difference to your site speed.
Minifying Your Code
As well as caching your pages, you can also install plugins which will minify the code in your CSS and JavaScript files. This makes the browser read the files slightly faster, as it doesn’t need all of the extra carriage returns and spaces you’ve added to make your code easier to work with.
The caching plugins offer minifying as an option, and if you want to minify without caching, you could try the Better WordPress Minify plugin.
Ensuring Your Code is Efficient
As well as caching your pages, you can speed up your site by ensuring that your plugins and themes are coded in a way which is as fast and efficient as possible. This will include:
- Minimizing HTTP requests. Every time a browser has to make a request for an asset or page, it takes time, and one of the biggest culprits is calling images. Make sure your theme or plugins don’t use images where they should be using code (for example using images for solid backgrounds or rounded corners, which can be achieved with CSS). For small screens, use PHP to prevent sliders and other assets with lots of images from loading, unless they’re designed for the small screen.
- Load stylesheets at the top of the page, in the <head> section. This doesn’t generally speed up your page load time, but it won’t decrease it and it will make the page appear to load more quickly to users, who might worry if all the content loads before the styling kicks in. Your theme’s header.php file should be loading the stylesheet early on.
- Load scripts at the bottom of the page. Scripts loaded at the top of the page will block other downloads such as images and other assets. It’s likely that your script’s functionality won’t be needed until the rest of the page has loaded, so you should ensure that you use plugins (or code your own plugins) to load scripts in the footer. You don’t do this by coding them into your theme files: instead use the wp_enqueue_script() function.
- Use CSS and JavaScript that are external to the page. Inline CSS in particular is very bad practice and external scripts will load faster than those in the page as the external files are cached by the browser. In both cases it’s also a more efficient way of coding as your theme may need to access styling or scripts from more than one template file.
- Avoid redirects where possible. Redirects (using the 301 and 302 status codes) slow things down as the user has to wait for the browser to be redirected before anything starts to load. If you do have to use redirects on your site, combine them with caching of those pages.
- Make sure you use a trailing slash after internal links. A link without a trailing slash actually points to nothing, but the browser will assume that it points to the correct link (with the trailing slash), and force a redirect to that URL, slowing down the page load time. If you’re working on an existing site and you think some old links don’t have trailing slashes, you can force trailing slashes in your .htaccess file. If you’re not comfortable doing this, the least you can do is ensure that all of the links in your navigation menus have trailing slashes.
- Call functions correctly and attach them to the right hook. The Codex will help you identify which hook to use with which function: getting this right will ensure your function loads at the right time.
- Minimise the number of queries on a page and create custom queries as efficiently as possible. Don’t use wp_query – if you want to modify the main query, use the pre_get_posts hook instead. For completely new queries use the WP_Query class, and beware of using this too many times on a page.
There are more ways in which you can make your code as efficient as possible, but these are some of the ones that will get the best results for the least effort. For more on this, see the Codex page on WordPress optimization.
Keeping Your Site Backed Up
If there is one thing that will help you avoid some major headaches, it’s installing a plugin to regularly back up your site without any input from you. Don’t rely on yourself to do this manually: chances are you’ll forget the day before your server goes down or your site gets hacked and you won’t have an up to date backup.
There are plenty of backup plugins out there: here are some pointers to help you choose the right one for you:
- Your plugin must let you create an automated backup schedule, preferably with the frequency of backups dictated by you.
- Consider how easy a plugin makes it to restore your site when you need to: lots of them (especially the free ones) make it easy to take backups but not so easy to do a restore.
- Think about where you want your backups to be stored: some plugins store your backups on their own servers, others email you a backup, some store it on your server (not much use if your server fails) and others let you use third party services like Dropbox. The best ones will give you a choice.
- A good backup plugin is worth spending money on, in my opinion. If it takes you a long time to restore your site in the case of disaster, that’s time when you could be earning, so you may lose out financially. But this will depend on the type of site you’re running and whether you have any budget.
For more, read this post for tips on choosing a backup plugin with a review of some of them.
Once you’ve picked your plugin, configure it to take automatic backups and store them somewhere secure. This needs to happen without any involvement from you. Some things to consider:
- Schedule different backups at different frequencies. For example, you might backup your database and uploads daily and your files weekly.
- Think about the times and days when you do the most work on your site, and schedule backups for just after these days and times.
- Alternatively, run backups in the middle of the night so you know you won’t be in the middle of working on the site when they’re taken.
- Consider how often you update your site: this is the frequency with which you need to take backups.
- Read up on how to do a restore with your chosen plugin so that you’re prepared if the worst happens.
- Make sure you can access your backups when you’re away from the office: the last time I had to restore my site was on a camping trip! It wasn’t the best way to spend the first day of my vacation and didn’t make my family too happy, but at least I could access everything (from a coffee shop with wifi) and restore my site relatively quickly.
Enhancing Site Security
Even if you keep WordPress and your themes and plugins up to date, your site may not necessarily be as secure as it could be. There are additional steps you can take to make your site as secure as possible against hackers and spammers. Let’s take a look at five aspects of this:
- Secure site management and administration.
- Configuring your WordPress installation for added security
- Locking down part of your installation
- Security by obscurity
- Monitoring your site for attacks
Secure Site Management and Administration
There are some simple steps you and other users can take when managing your site to make it more secure:
- Update WordPress each time a new version is released. This is the single most important step you can take to improve security. New releases will have security patches addressing vulnerabilities which hackers are aware of and have been using to attack sites – so by installing the update, you close that hole.
- Only download WordPress updates from the official WordPress site. There’s absolutely no reason to download it from anywhere else.
- Only download plugins and themes from trusted sources. The official plugin and theme repositories are the only places I would consider downloading free themes or plugins from. If you’re buying premium themes and plugins, make sure they have a GPL license and that they come recommended by other developers. It’s also wise to inspect the code before activating them.
- Use SFTP instead of FTP when uploading and downloading or editing site files.
- Use strong passwords, and encourage other users to do the same. Even better, force them to do it with a plugin like Force Strong Passwords. You can try using a strong password generator if you can’t think of your own!
Secure WordPress Configuration
There are a number of steps you can take when configuring your site to make things more secure, and you’ll find a lot of detail on the Codex guide to hardening WordPress.
The most straightforward of these is to use security keys. These are keys added to the wp-config.php file, which you don’t need to remember but which ensure the information stored in cookies is better protected. Security keys look like the code below (taken from the Codex – don’t use these!):
define('AUTH_KEY', 't`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|');
define('SECURE_AUTH_KEY', 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj');
define('LOGGED_IN_KEY', 'MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^');
define('NONCE_KEY', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe');
define('AUTH_SALT', '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G');
define('SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #');
define('LOGGED_IN_SALT', 'w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i');
define('NONCE_SALT', 'a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<I44`jAbup]t=]V<`}.py(wTP%%');
As I say, don’t use the keys in the example above: yours need to be unique. You can use the security key generator on the WordPress site to generate your own, and then you’ll need to paste them into your wp-config.php file.
Another option you’ll want to consider, especially if your site is a Multisite installation with lots of people creating their own subsites, or if you’re running an e-commerce site, is using SSL. This will give your domain https at the beginning instead of http and will encrypt traffic so it’s sent securely between the browser and the server. It could also give you an SEO advantage in the future, as Google has stated that it may favor sites which use SSL. See this guide for instructions on how to set up SSL.
Locking Down Parts of Your Site
You can also try locking down parts of your site or restricting access, including the examples below:
- Restrict access by IP address. In your .htaccess file you can specify IP addresses from which users are permitted to edit the site. This may not be ideal for a client site or one with multiple contributors (users may want to access the site from another IP address while traveling), but will make your own site very secure. To do this, add the following to your .htaccess file, replacing xxx.xxx.xxx.xxx with your IP address:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP address to whitelist
allow from xxx.xxx.xxx.xxx
- Password-protect the wp-admin directory. You can add a server-side password to the wp-admin directory using cPanel, and it adds an additional layer of security to this directory, meaning any hacker that manages to get in via a username and password will also have to get through this password (which you will of course make very strong).
- Disallow file editing via the dashboard. This can also help prevent problems due to user error – editing files via the dashboard is not good practice anyway compared to using a text editor with FTP, as there is no means of undoing changes. To disallow file editing in this way, define the DISALLOW_FILE_EDIT constant in your wp-config.php file.
Security by Obscurity
The concept of ‘security by obscurity’ means that you’re not actually making your site more secure, but you are making it vary from a standard WordPress installation which might prevent access via automated hacks or really stupid hackers! You shouldn’t rely on the measures below but they can’t do any harm:
- Don’t use default usernames. If an account with the admin username is created when you install WordPress, remove it. Create an administrator account with a unique username instead. This will protect you from opportunistic hackers looking for a backdoor via the admin account.
- Change the WordPress table prefix. By default this is wp_, but you can change it while installing WordPress by changing the $table_prefix value in your wp-config.php file.
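The configuration settings discussed in the last three sections (unique keys and salts, disabling the dashboard file editor, HTTPS for the admin area and a non-default table prefix), gathered into one wp-config.php fragment as an added example that is not from the original page. The constant names are real WordPress settings; the placeholder values, the prefix and the start-up guard that refuses to run with placeholder keys are assumptions.

```php
<?php
// Added example: security-related settings in wp-config.php. Everything below
// must sit ABOVE the line that requires wp-settings.php.

// Unique keys and salts: paste the eight lines from the WordPress secret-key
// generator here. Never reuse the sample values shown in the Codex.
define( 'AUTH_KEY',         'PASTE-UNIQUE-VALUE-FROM-GENERATOR' );
define( 'SECURE_AUTH_KEY',  'PASTE-UNIQUE-VALUE-FROM-GENERATOR' );
define( 'LOGGED_IN_KEY',    'PASTE-UNIQUE-VALUE-FROM-GENERATOR' );
define( 'NONCE_KEY',        'PASTE-UNIQUE-VALUE-FROM-GENERATOR' );
define( 'AUTH_SALT',        'PASTE-UNIQUE-VALUE-FROM-GENERATOR' );
define( 'SECURE_AUTH_SALT', 'PASTE-UNIQUE-VALUE-FROM-GENERATOR' );
define( 'LOGGED_IN_SALT',   'PASTE-UNIQUE-VALUE-FROM-GENERATOR' );
define( 'NONCE_SALT',       'PASTE-UNIQUE-VALUE-FROM-GENERATOR' );

// Guard (assumed, not part of WordPress): fail closed if a key was left at its
// placeholder or is implausibly short, so a half-configured site never serves
// cookies protected by known values.
foreach ( array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
) as $key_name ) {
    $value = defined( $key_name ) ? constant( $key_name ) : '';
    if ( strlen( $value ) < 32 || strpos( $value, 'PASTE-' ) === 0 ) {
        http_response_code( 500 );
        exit( 'wp-config.php: ' . $key_name . ' has not been set to a unique value.' );
    }
}

// Non-default table prefix (assumed value). Set this before installation;
// changing it on a live site means renaming the existing tables as well.
$table_prefix = 'xk7q_';

// Remove the theme and plugin file editor from the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// Once SSL is set up, serve the login page and admin area over HTTPS only so
// the authentication cookies are never sent in the clear.
define( 'FORCE_SSL_ADMIN', true );
```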
Monitoring Site Security
However secure you make your site, it’s always worth monitoring it so you know if you’ve been attacked and can take action as quickly as possible. There are tools and services you can use to help with this, which vary in cost depending on the nature of your site and the level of service:
- Your hosting company will probably offer levels of service which can monitor your site or fix it if things go wrong, such as a managed hosting account. Some providers offer managed hosting specifically geared towards WordPress sites.
- Sucuri offer a free security checking tool on their website but if you want automatic updates and fixes you can try their WordPress security monitoring service.
- The Sucuri Security plugin is free and will help you monitor your own site security if you don’t want to pay for a higher level of service.
For more on securing your site, see our ultimate guide to WordPress security.
Managing a WordPress site means performing daily, weekly and monthly tasks to help your site run smoothly. Use this checklist to help you manage WordPress sites either for yourself or your web design clients. The list below includes both one-time tasks for newer WordPress sites and repetitive tasks that will need to be performed on a regular basis.
WordPress Backup Tasks
1. Install a WordPress backup plugin like BackupBuddy to start running automatic WordPress backups
2. Confirm your automatic WordPress backups are running at scheduled intervals
3. Confirm backups are delivering to a safe, off-site storage destination & set up redundant backups (two or more backup file storage locations)
4. Confirm backup files include WordPress database and all files (media library, themes, plugins, etc.)
5. Consider using Stash Live (real-time WordPress backups) if you manage a more active site
6. Delete any old locally-stored backups (these are backups stored on your own server)
7. Delete old backup files stored off-site in BackupBuddy Stash to reduce storage usage
8. Keep a current version of the ImportBuddy script file on hand
WordPress Security Tasks
9. Update WordPress core to latest version
10. Use a WordPress security plugin like iThemes Security to help perform important WordPress security tasks
11. Run the WordPress Security Check feature to activate recommended WordPress Security features
12. Enable 404 Detection because of phishing and other attempts
13. Enable the Banned Users setting to block specific IP addresses and user agents from accessing your site
14. Review logs of Banned User IPs
15. Enable WordPress brute force protection to protect your site against attackers that try to randomly guess login details to your site
16. Enable Network Brute Force Protection to protect your site against known attackers before they reach your site
17. Run a WordPress Malware Scan
18. Enable User Logging to log user actions such as login, editing or saving content and other actions
19. Disable the File Editor in WordPress Tweaks
20. Harden WordPress by using the Away Mode setting to limit access to your WordPress login and admin area (for example, overnight or while you’re on vacation)
21. Whitelist your own IP Address
22. Review WordPress file permissions
23. Remove the Admin user
24. Change WordPress salts & secret keys
25. Activate and set up WordPress two-factor authentication
WordPress Theme & Plugin Tasks
26. Confirm premium theme and plugins have current licenses (this is usually how version updates are communicated to your WordPress site)
27. Update current theme to latest version
28. Update active plugins to latest version
29. Delete and completely remove unused themes and plugins
30. Review new plugin and theme features for implementation
Comments Tasks
31. Approve & reply to pending comments
32. Empty spam comments
33. Make sure an anti-spam service like Akismet is activated to help reduce comment spam
Uptime Monitoring Tasks
34. Monitor WordPress uptime to track hosting performance
35. Review uptime/downtime stats for uptime percentage, total downtime and number of downtimes
36. Enable email notifications for downtime
Blog Tasks
37. Add new posts weekly to keep blog fresh
38. Review top-performing posts for improvements
39. Add & confirm email newsletter signup is working
40. Confirm social sharing buttons are working
41. Add featured images to posts
42. Review Post drafts & delete unneeded posts
43. Empty Posts stored in Trash
Image Tasks
44. Optimize images for the web (reduce file sizes for images above 600KB)
45. Delete unused images from the Media Library
46. Review and add alt tags to images in posts and pages
Page Tasks
47. Audit older pages for content updates
48. Empty Pages in Trash
49. Review Pages in Draft
50. Fill unused Widget areas if possible
User Tasks
51. Delete unused or unneeded user accounts
52. Encourage Admin users to enable WordPress two-factor authentication & better WordPress password security
53. WordPress Role Manager: Review user access levels and adjust roles as necessary
54. Encourage Admins / Editors / Contributor Users to set up their Gravatar profile images (anyone that writes content or replies to comments)
Contact Page Tasks
55. Confirm current contact information (Email, Social, Phone, etc.)
56. Review Contact form confirmation email
57. Review Contact form submission delivery
58. Reply to contact form submissions
59. Consider using conditional logic to deliver canned contact form responses
60. Update FAQs to reflect common customer or client questions
Portfolio Tasks
61. Update portfolio with images of latest projects
62. Add new testimonials
SEO & Analytics Tasks
63. Install a WordPress SEO plugin to help with basic SEO
64. Connect Google Analytics and activate Google Search Console for your WordPress site
65. Submit a sitemap for WordPress site
66. Audit Pages and Posts for keyword-focus
67. Add missing meta descriptions to Posts and Pages
68. Review analytics data for total page views and unique visitors
69. Review referral traffic and inbound links
70. Review Google Console data (Search Traffic, Google Index, Crawl)
71. Set up and review Goals in Google Analytics
72. Review Behavior Flow
73. Review Page load times
74. Consider Page Speed suggestions
75. Audit Site for Mobile-responsiveness and usage
Source: https://ithemes.com/2016/10/19/how-to-manage-wordpress-sites/
Tasks to Complete
- Complete all available resources found in lesson resources.
- Read all content on this page.
- Follow any links and review all contents.
- There are no assignments associated with this section of the lesson that must be submitted.
Summary
As you can see from the number of topics covered in this post, managing your site isn’t as simple as launching it and then sitting back and waiting for visitors to come.
For your site to be successful, you’ll need to manage it on an ongoing basis. Exactly what you need to do will depend on the nature of your site, its objectives and its user base, but you will probably need to consider some or all of the following:
- Creating content, making people aware of it and engaging with readers.
- Keeping your code up to date and sourcing plugins and themes from secure and reputable sources.
- Monitoring and managing your site’s performance to enhance reliability and speed.
- Enhancing search engine optimization to attract more visitors and conversion optimization to make sure their visit to your site is valuable.
- Setting up regular automated backups and knowing what to do in case you need to use them to restore your site.
- Enhancing your site’s security and monitoring it to check for attacks.
None of this is particularly difficult, but it can be a lot of work, and the amount of time you put in will depend on what you want to get from your site. But if you do it well, you’ll have a high performing, secure site that engages effectively with its audience and achieves its objectives, whatever those may be.
Sources: https://ithemes.com/tutorials/wordpress-com-vs-wordpress-org/ | https://premium.wpmudev.org/blog/wordpress-best-practice/?utm_expid=3606929-108.O6f5ypXuTg-XPCV9sY1yrw.0&utm_referrer=https%3A%2F%2Fwww.google.com%2F