We love WordPress. But everything needs some regular TLC.
We hope you enjoyed our April Fool’s post on security myths. Now let’s talk brass tacks. Website maintenance, and specifically WordPress maintenance, is done for several reasons: to fix bugs, to add or improve functionality, and to close security holes. Security is arguably the most important reason, so here are ten tasks for maintaining or improving your WordPress security. These should be done at least quarterly.
1. Back up your files and database
Also, make sure you know how to restore them! Doing any maintenance without backing up first is like playing Russian roulette with your website. Now is the time to test your hosting provider’s backup procedures, not when you need to recover corrupted data. Most hosting packages’ “included” backups are file-based only; they are not thorough, locked-table database “dumps.”
2. Upgrade WordPress core and plug-ins
Keep in mind that, in combination with the rest of your site’s code, some plug-ins may “break” when you upgrade them. Review all plug-ins for compatibility with the latest version of the CMS core. Be prepared to roll back (remember the backups?) or to postpone the upgrade.
3. Review custom plugins and themes
Even though your theme, like some plug-ins, may be custom-coded for your site, it still relies on some open-source code. A great example is TimThumb, a thumbnail library used by many themes, including those from WooThemes. A vulnerability in it was discovered last year, and WooThemes did a fantastic job updating the themes and notifying everyone. Also update any JavaScript libraries.
4. Remove unused plug-ins
A clean website is a happy website. Unused, unmaintained plug-ins leave your site open to unexpected complications.
5. Curate your plugins
Review all your plug-ins, especially those that haven’t been updated in a while: are they still actively maintained? Make a plan to remove or replace any stale plug-ins. Better yet, join the Open Source movement and take ownership of stale but useful plug-ins.
6. Review all file and directory permissions
Make sure access is granted only where it is needed, and that files and directories are owned by the appropriate system users. In most cases the web server will need access to only some directories. By limiting the web server’s rights over the rest of your installation, you can mitigate a possible attack.
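One way to turn item 6 into a repeatable check, as an added example that is not from the original post: a POSIX shell function that walks the install and reports a world-readable wp-config.php, world-writable paths, group-writable paths outside wp-content/uploads, and files not owned by the deploy account. It assumes (hypothetical, not stated in the post) that the web server gets its write access through the group bit and that wp-content/uploads is the only directory it should be able to write to.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress tree for
# the permission problems item 6 warns about.
# Assumptions (hypothetical, not from the post): files are deployed under a
# non-web-server account (OWNER), the web server gets write access through the
# group bit, and wp-content/uploads is the only place it should be able to write.
#
# usage: audit_wp_perms /var/www/example wpdeploy
# Prints one "label: path" line per finding; returns 0 when clean, 1 otherwise.
audit_wp_perms() {
    dir=$1
    owner=$2
    bad=0

    # wp-config.php holds the database credentials: it must exist and must
    # not be readable by "other" (octal 004).
    if [ ! -f "$dir/wp-config.php" ]; then
        echo "missing: $dir/wp-config.php"
        bad=1
    elif [ -n "$(find "$dir/wp-config.php" -perm -004)" ]; then
        echo "world-readable: $dir/wp-config.php"
        bad=1
    fi

    # Nothing in the install may be world-writable (octal 002).
    hits=$(find "$dir" -perm -002 -print)
    [ -z "$hits" ] || { printf '%s\n' "$hits" | sed 's|^|world-writable: |'; bad=1; }

    # Outside wp-content/uploads the web server (group) must not have write
    # access (octal 020), so a bug in a plug-in cannot be used to rewrite PHP.
    hits=$(find "$dir" -path "$dir/wp-content/uploads" -prune -o -perm -020 -print)
    [ -z "$hits" ] || { printf '%s\n' "$hits" | sed 's|^|group-writable: |'; bad=1; }

    # Everything should belong to the deploy account, not to the web server.
    hits=$(find "$dir" ! -user "$owner" -print)
    [ -z "$hits" ] || { printf '%s\n' "$hits" | sed "s|^|not owned by $owner: |"; bad=1; }

    return "$bad"
}
```

Run it from a cron job or before every upgrade; a non-zero exit status is your cue to fix ownership and modes before touching anything else.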
7. Review all users and passwords
Update passwords, including the admin password. If possible, use SSL for admin tasks and logins. Disable or remove stale users (such as ex-employees).
8. Review FTP, shell, and database access
How many people have access to your FTP or SSH account? How many database users are there? Are those users restricted to specific hosts?
9. Review logs
Luckily, these days just looking at web analytics and using Google Webmaster Tools will usually suffice to alert you to potential problems or compromised files.
10. Make sure everything else on your server is updated
If you’re sharing a server with other websites, make sure the other websites are also up to date. If another website on the same server is compromised, your site is also compromised. Choose your hosting provider wisely and make sure they keep their servers up to date. (Hint: most cheap hosting providers won’t keep their servers up to date, since upgrading may break old websites.)
Bonus: Use Cloudflare
We’re big fans of Cloudflare’s combined CDN, optimizer, and web security service. They do not make your site safe or secure, but they do help mitigate attacks.
Did I miss anything? Leave a comment.
Hey, while we’re talking about keeping your site running smoothly:
I want to give some props to a couple of relatively new monitoring services: Monitis provides a great high-end monitoring service. If you don’t need that much, check out Jumpple website monitoring.
Great advice. Particularly the one on backing up files. I had a harrowing experience recently when my website went haywire after uploading some software. Fortunately, I had a backup which restored my website, although I had to rework some parts of it. But at least I got my website back. Otherwise, all the hard work would have been gone. Thank you for the article.
Super list… not many mention Cloudflare for security, but I think it’s a must have!
I’ve written a WordPress Security Checklist which explains HOW to complete these security checkpoints (and a few other checkpoints).
It might be of interest to your readers too.
It’s a free download from http://www.wpsecuritychecklist.com
Thanks!