How to Maintain, Secure, and Monitor Your WordPress Website

As we’ve covered so far, the WordPress ecosystem is better than ever. That means it’s relatively easy to choose high quality, reliable products and services.

It also means you’ve got a lot of choices for every piece of the puzzle. Ideally, the combination of your paid services should be intentionally designed to maximize value for your organization.

Like most technology decisions, the amount of time and energy you spend evaluating options yields diminishing returns. Since it’s hard to know what to focus on, I’ll cover important considerations for maintaining, securing, and monitoring your WordPress site.

WordPress Maintenance

Two key concepts around WordPress maintenance have matured in the last several years: agencies offering maintenance packages and WordPress core’s automatic background updates.

As WordPress spread across the web, it became clear that most non-technical WordPress users weren’t finding it easy to keep their site’s code updated. Even though it’s a matter of clicks to upgrade core, themes, and plugins, it still required someone to check for these updates. Otherwise, it’s easily forgotten.

An outdated WordPress website can be an easy target. But, updates don’t always go as expected, so it’s a scary endeavor if you don’t have experience—and especially if you’ve ever broken a site by accident.

The solutions here are fairly logical—keep regular backups of your site, back up before updating, and test the updates—but that doesn’t make the process of those solutions easy for less technical folks. So, agencies stepped in to fill this role, offering regular maintenance to existing clients, keeping everyone a little happier. Going even further, some companies became specialized in WordPress maintenance services.

This is great for everyone! Although there are countless other benefits, you can think of a good maintenance situation as a healthcare policy for your website: you save on routine check-ups, have someone to answer your questions, and are protected if something catastrophic happens.

In the background, WordPress core has continuously improved its automatic update capabilities. With some light coding, your site can update itself to new minor and major versions of core, themes, and plugins.
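As an added example (not code from the original article), here is one way that "light coding" can look: a small must-use plugin that turns on unattended updates through WordPress core's update filters. The file name, the `EXAMPLE_HOLD_BACK` constant, and the plugin slug in it are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php (hypothetical file name).
 * Must-use plugins load on every request and cannot be deactivated from the dashboard.
 */

// Core: allow both minor (maintenance/security) and major releases to install unattended.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Hypothetical slugs: plugins you prefer to test by hand before updating.
const EXAMPLE_HOLD_BACK = array( 'example-checkout-plugin' );

// Plugins: auto-update everything except the held-back slugs.
// Returning a boolean here overrides the per-plugin toggle on the Plugins screen.
add_filter(
	'auto_update_plugin',
	function ( $update, $item ) {
		if ( isset( $item->slug ) && in_array( $item->slug, EXAMPLE_HOLD_BACK, true ) ) {
			return false;
		}
		return true;
	},
	10,
	2
);

// Themes: auto-update all installed themes.
add_filter( 'auto_update_theme', '__return_true' );

// None of the above takes effect if wp-config.php defines
// AUTOMATIC_UPDATER_DISABLED as true, which switches off all automatic updates.
```

Unattended updates can still break a site, so this policy only makes sense alongside the regular backups described above.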

In addition to keeping things updated—and knowing how to deal with it if something goes wrong—most WordPress maintenance services cover security and monitoring.

WordPress Security Hardening

Keeping your WordPress site secure relies on some overlapping concepts, often provided by different vendors: keeping code up to date, securing WordPress access, and securing server access.

We’ve discussed ways to stay updated, and that helps you avoid hacks explicitly targeting known vulnerabilities in outdated plugins. That’s a mouthful, so put simply: staying up-to-date will keep you out of a lot of trouble.

But, there are two other key access points that can make your site vulnerable: WordPress user access and direct server access.

WordPress User Access

To keep it simple, remember this: any user with administrative privileges has the access and ability to break the site. Always know who has this level of access to your site, and ensure they’re using secure passwords (and, ideally, two-factor authentication).

That means if someone leaves your organization, it’s time to change their access level (or delete the user). Remember to do the same if you’ve created a “temporary” user at the request of a support agent.
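One way to run that check on a schedule, as an added example that is not part of the original article: a short script for WP-CLI's `wp eval-file` that compares the site's administrators against the list of people you expect. The file name and the logins in `$expected_admins` are assumptions.

```php
<?php
// Run from the site root with: wp eval-file audit-admins.php  (hypothetical file name)

// Hypothetical allowlist: logins that are supposed to hold the administrator role.
$expected_admins = array( 'site-owner', 'agency-maintainer' );

// Every account that currently has the administrator role on this site.
$admins = get_users( array( 'role' => 'administrator' ) );
$seen   = array();

foreach ( $admins as $user ) {
	$seen[] = $user->user_login;
	$status = in_array( $user->user_login, $expected_admins, true ) ? 'expected' : 'REVIEW';

	// An account marked REVIEW is a former colleague, a leftover "temporary"
	// support user, or an account nobody recognizes.
	printf(
		"%-8s %-20s %-30s registered %s\n",
		$status,
		$user->user_login,
		$user->user_email,
		$user->user_registered
	);
}

// Expected administrators that no longer exist are worth knowing about too,
// so the allowlist stays in step with reality.
foreach ( array_diff( $expected_admins, $seen ) as $missing ) {
	printf( "%-8s %-20s (on the allowlist, but not an administrator)\n", 'MISSING', $missing );
}
```

On a multisite network this covers only the administrators of the site it runs against.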

Direct Server Access

Separate from your WordPress installation, your hosting company provides access to your server through FTP and SSH. Just like any user in WordPress with administrative privileges, any FTP or SSH credentials allow anyone to break the site (or hack it, or infect it).

These credentials also need to be checked routinely and kept secure, ideally by rotating passwords on a regular basis. If you’re not actively using a set of credentials, I recommend disabling them entirely until you do.

Security Plugins and Monitoring

Security-focused plugins for WordPress abound, and most of them do the same important-but-basic tasks: enable more secure settings for WordPress, and “keep an eye out” for hacks.

In many cases, the use of a trusted security plugin, combined with disciplined maintenance, can do the trick for lower-traffic sites.

A good rule of thumb is that your attention (and budget) towards security should scale with your level of traffic or commerce. Business-critical sites should be protected at the DNS layer as well, using a service like Cloudflare, or combined with a WordPress-tailored service like Sucuri or Wordfence.

(It’s a topic for another day, but DNS hosting alone is another layer to consider in all this.)

Uptime Monitoring

When your website goes offline, countless possibilities appear before your eyes: the culprit could be one of countless connections in the complex chain that serves your website up to visitors over the web.

To make matters worse, most of the time, these issues are temporary blips. Or, the server has gone offline for required maintenance.

That means anyone responsible for keeping a website online needs to consider both possible issues with the website itself and issues with every vendor. Your DNS service could be having issues, or your host’s data center could be offline. There could be a bug in the code, running the server out of resources and taking the site down over and over. It’s a lot to consider!

By monitoring your website’s “uptime”, you can get a notification when it appears to go offline. From there, you can kick off whatever triage process works for you: try to load the site yourself, contact your host, look at vendor status pages, read error logs, and so on.

I highly recommend writing this process down and keeping it somewhere you can easily access it. Knowing your site is actively down without knowing why is stressful, and having a step-by-step process to follow makes it easier to stay on task. You can refine this process every time you use it, and you can look for opportunities to automate parts of it as well.

Combining Maintenance, Security, and Monitoring

We see that taking care of a WordPress site requires both disciplined, regular action and proactive planning. The planning aspect has the added benefit of forcing you to map out emergency processes, which helps you see what you’ll be responsible for if you go the DIY route.

By now, you’ve got enough knowledge to start evaluating hosting, maintenance, security, and monitoring. You’ll be in a good place from a technical perspective when you get these right, but there’s one more critical aspect to consider.

Next, we’ll discuss finding the right match for your time and skills when it comes to updating content and getting support questions answered. It’s important to consider these when budgeting for your website overall—not knowing how to make changes or build new things means your investment is going to waste, and you may be wasting your time, too.

  1. How to Manage Your Own WordPress Website
  2. How to Host Your WordPress Website (or How to Choose a Managed WordPress Host)
  3. How to Maintain, Secure, and Monitor Your WordPress Website
  4. How to Update and Get Support for Your WordPress Website


Written by Cliff Seal. Last Updated 4 weeks ago.