Backup and Maintenance for Your WordPress Website
We love WordPress for its flexibility, plugins and integrations. But it is a complex system that, in spite of its popularity, is not for the faint of heart. Backup, maintenance, and security are top priorities for WordPress websites. WordPress has fewer security flaws than it used to, but you should still follow this guide to ensure your site stays up and provides a good user experience to keep visitors coming back.
This article is about WordPress.ORG websites – the kind where you get a hosting account and then install WordPress. If you’re using WordPress.COM, the steps are similar but you’ll stick to the Personal sections below. For WordPress.ORG websites, you can follow the Personal or Professional steps, depending on your needs.
Backup
How to Back Up Your Website
Personal
Backup is easy using WordPress’ multi-featured plugin called Jetpack. Get an account for Jetpack, or enter your WordPress.COM credentials if you already have an account. Note that Jetpack is part of WordPress.COM, the commercial arm of WordPress that’s separate from WordPress.ORG and your WordPress.ORG website credentials.
Jetpack offers a daily backup service starting at the very good price of $3 per month, which keeps nightly backups for 30 days, or more for longer storage periods. During setup, it will need the FTP credentials for your website hosting account. After that it creates nightly backups and stores them off-site, that is to say on Jetpack’s servers, not on your hosting plan’s server.
Restoring is easy with Jetpack – find the date you want and click to restore.
Professional
We currently use UpdraftPlus Pro for all our clients’ sites, but there are other backup plugins to choose from. Backup software has zillions of settings – here are some important ones.
Offsite storage: most services offer different off-site options for storing backups, including Dropbox, Google Drive, sending backups to email, and others. Some services, including UpdraftPlus, offer their own storage options, but we generally don’t find them satisfactory.
Frequency: nightly is a good choice for most websites.
Retention schedule: consider retaining daily backups for 6 weeks, weekly backups for 6 months, and quarterly backups for anything older than that.
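To see what the retention schedule above keeps and deletes, here is an added example (not code from any backup plugin) that sorts a list of backup dates into keep and delete. The 183-day reading of "6 months", the choice to keep the oldest backup in each week or quarter, and the function names are assumptions.

```python
from datetime import date, timedelta

DAILY_DAYS = 42    # "daily backups for 6 weeks"
WEEKLY_DAYS = 183  # "weekly backups for 6 months", approximated as 183 days

def retention_slot(backup_day, today):
    """Name the slot a backup competes for; one backup survives per slot."""
    age = (today - backup_day).days
    if age <= DAILY_DAYS:
        return ("daily", backup_day)
    if age <= WEEKLY_DAYS:
        iso_year, iso_week = backup_day.isocalendar()[:2]
        return ("weekly", iso_year, iso_week)
    return ("quarterly", backup_day.year, (backup_day.month - 1) // 3 + 1)

def plan_retention(backup_days, today):
    """Return (keep, delete) as sorted lists of dates.

    The oldest backup in each slot is kept, so the survivor of a week or
    quarter never changes as newer backups age into the same slot.
    """
    survivors = {}
    for day in sorted(set(backup_days)):
        survivors.setdefault(retention_slot(day, today), day)
    keep = sorted(survivors.values())
    delete = sorted(set(backup_days) - set(keep))
    return keep, delete

if __name__ == "__main__":
    today = date(2024, 6, 30)  # constructed sample: 400 nightly backups
    nightly = [today - timedelta(days=n) for n in range(400)]
    keep, delete = plan_retention(nightly, today)
    print(f"keep {len(keep)}, delete {len(delete)}")
    print("oldest kept:", keep[:3])
```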
Once you’ve got your automatic backups running, make sure to check your off-site storage periodically to ensure everything is getting stored as expected. Don’t depend on the plugin to say they’re there! Visit your off-site storage and check. A further security step is to periodically, say monthly, move one night’s backups to a separate folder in your storage. The plugin is able to delete off-site backups in order to enforce the retention schedule, which means a hacker who gets control of the plugin can delete your backups too. Best to place a copy of one night’s backups out of that folder from time to time – we call the safe folder “Cant Touch This”.
Restoring in place is generally straightforward, though with more options and integrity checks than plugins like Jetpack. Restoring to a different account, referred to as a migration, can be a real chore. It’s a great idea to pay for a backup plan that includes a migration feature. If the hosting company goes down for good, or you decide it’s time to move to a new host, the migration option makes it much smoother.
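The periodic check and the safe-folder copy described above can be scripted. This added example is not part of any plugin; it assumes the off-site storage is synced to a local folder on your own computer, and the function name, the 36-hour freshness limit and the 6-hour "one night" span are assumptions.

```python
import shutil
import time
from pathlib import Path

NIGHT_SPAN_HOURS = 6  # assumption: one night's files are written within 6 hours

def check_and_preserve(offsite_dir, safe_dir, max_age_hours=36, now=None):
    """Verify the newest backup set in offsite_dir, then copy it to safe_dir.

    Returns (ok, message). Nothing is copied unless every check passes.
    """
    now = time.time() if now is None else now
    files = [p for p in Path(offsite_dir).iterdir() if p.is_file()]
    if not files:
        return False, "no backup files found"
    newest_mtime = max(p.stat().st_mtime for p in files)
    age_hours = (now - newest_mtime) / 3600
    if age_hours > max_age_hours:
        return False, f"newest backup is {age_hours:.0f} hours old"
    # A nightly backup is usually several archives written close together.
    night = [p for p in files
             if newest_mtime - p.stat().st_mtime <= NIGHT_SPAN_HOURS * 3600]
    empty = sorted(p.name for p in night if p.stat().st_size == 0)
    if empty:
        return False, "empty backup files: " + ", ".join(empty)
    dest = Path(safe_dir)
    dest.mkdir(parents=True, exist_ok=True)
    copied = 0
    for src in night:
        target = dest / src.name
        if not target.exists():  # never overwrite an already preserved copy
            shutil.copy2(src, target)
            copied += 1
    return True, f"{len(night)} files verified, {copied} copied to {dest}"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample folders
        offsite = Path(tmp, "offsite")
        offsite.mkdir()
        (offsite / "site-db.zip").write_bytes(b"constructed sample")
        print(check_and_preserve(offsite, Path(tmp, "Cant Touch This")))
```

Point the safe folder at a location the backup plugin’s storage credentials cannot reach; otherwise the copy can be deleted the same way as the originals.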
Why
Backups are absolutely critical for WordPress websites. Because of the nature of WordPress (its plethora of plugins, the ability to modify the core PHP files, its overall customizability, etc.), it runs into issues more frequently than many other website platforms. Backups are important on other platforms too, but for WordPress they’re especially so. Weird glitches will happen, hackers will target the site, someone will accidentally delete something, a theme will have an update that breaks your site. All of these things and more happen with WordPress, and having a backup will save you an enormous amount of time when things go awry. Imagine if a hacker or a disgruntled former employee deletes a chunk of your website. Without backups, you’d have to figure out what got deleted and what its content was, and then remake everything from scratch. With a backup plugin, pretty much all you have to do is click a few buttons and your site is restored. As part of this, make sure your backup plugin stores backup files off-site so that if a catastrophic failure were to occur on the website, the backups will remain safe elsewhere.
Security
Security Plugins
Personal
The most common way to attempt to break into WordPress websites is brute-forcing: someone tries a bunch of different passwords in rapid succession, hoping that one will work. It’s not actually a person typing at a keyboard; they’ve programmed computers to do this quickly and without fatigue! To combat this, turn on security in the free version of Jetpack, which offers brute-force attack protection by blocking login attempts from computers with IP addresses they’ve flagged as potentially dangerous.
There’s much more to WordPress security than this, but if you’ve got a personal blog or a small site, brute-force protection and good passwords are a fine start.
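To see what brute-forcing looks like from the server side, this added example (not Jetpack’s method, and not code from the original article) counts failed logins per IP address in a web server access log. The combined log format, the threshold of 5 failures per minute, and the sample lines are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path HTTP/x" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak failed logins inside one window} for noisy IPs.

    WordPress answers a failed login with status 200 (the form is shown
    again) and a successful one with a 302 redirect, so only POSTs to
    wp-login.php that end in 200 are counted.
    """
    recent = defaultdict(deque)  # ip -> times of recent failures
    peak = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, method, path, status = m.groups()
        is_login = path.split("?")[0].endswith("/wp-login.php")
        if method != "POST" or not is_login or status != "200":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(times))
    return peak

def sample_line(ip, second, method, status):
    """Build one constructed log line (documentation-range IP addresses)."""
    return (f'{ip} - - [12/Mar/2024:03:14:{second:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4321 "-" "sample"')

SAMPLE_LOG = (
    [sample_line("203.0.113.7", s, "POST", 200) for s in range(0, 60, 10)]
    + [sample_line("198.51.100.20", 5, "POST", 200),   # one typo...
       sample_line("198.51.100.20", 20, "POST", 200),  # ...then another
       sample_line("198.51.100.20", 30, "POST", 302),  # then a real login
       sample_line("192.0.2.9", 40, "GET", 200)]       # just viewing the form
)

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```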
Professional
Wordfence and iThemes Security are the two big security plugins for WordPress. We use and love them both. Well, maybe we don’t love them, but we appreciate them. Going beyond brute-force protection, they offer IP blacklisting, firewall rules, malware signatures and scanning, vulnerability checks, incident logs and more. Yet these two plugins are very different. Wordfence takes a more hands-off, “let our software figure it out” approach. iThemes Security wants more direct input about your preferences and the particular website. We debate which is better! It’s possible Wordfence, in spite of its more advanced malware scanning, might not do as good a job of keeping malware out in the first place. It’s possible iThemes Security presents a harder barrier to penetrate, yet its malware scanning is less robust. Our real-world experience is that either one is light-years ahead of having no security or basic brute-force security like Jetpack. Both offer free versions; we highly recommend that after testing a free version you upgrade to a paid version. (Also, don’t install two at once or they’ll step on each other’s toes.)
At Sund + Co, we check the logs and review security software settings monthly. We also adjust notification settings from time to time – too many notifications and we ignore them too readily, too tight a lid on notifications and we might not realize something’s wrong.
Updating WordPress and Plugins
Out-of-date plugins, themes, and WordPress versions run the risk of becoming a way for hackers to get into your site due to unresolved security issues. Up-to-date WordPress and plugins also offer new features and bug fixes.
Before running updates it’s good to check a few things. Run a backup or double-check that last night’s backup ran. And check to make sure that whichever plugins you’re updating are compatible with your version of WordPress.
Make sure no one else is currently working on the website when you make updates, as you may inadvertently undo their work. We use WP Activity Log Pro to see if anyone else is editing the site (as well as a history of edits).
You can have many updates run automatically, but sometimes an update will break something, so we like to do them manually once a month, occasionally more often, and surf the site afterward to check that everything still looks right and works correctly.
CHECK SPEED & UPTIME MONITORING
Personal
Jetpack provides a free tool that will send you an email if it thinks your site is down. All you do is toggle the downtime monitoring feature to on and you’re set. If you need features more advanced than that, consider the following professional suggestions.
Professional
Out of the myriad of monitoring tools that are available on the web, e.g. Freshping or Dynatrace, we use Site24x7 to monitor site behavior. It uses a variety of servers to check if a site is up and running, how long a site is taking to load, and breaks down each element on a page to see if there are any specific parts of the page that would be slowing down overall load times. This is done to ensure that website visitors can access the site and to make sure that the site isn’t taking so long to load that people are dissuaded from surfing the site. Also, the Site24x7 statistics are helpful for identifying trends in site behavior and for troubleshooting website issues.
REVIEW YOUR VISITOR STATS & SEARCH CONSOLES
VISITORS STATISTICS
Visitor statistics give you insight about who is using your site and how people navigate it. When looking over visitor statistics, go through and check that nothing abnormal is going on. For instance, if you offer a service that is only relevant to the Cincinnati area, you would not expect to find a bunch of page views from Las Vegas. Visitor stats contain invaluable information about how your site gets used. Below is a screenshot of a report that we set up for Google Analytics to generate and send out each month. (Google Analytics is operated by Google the company, but it reports statistics for visitors from all sources.)
At Sund + Co, we create a custom dashboard for each client similar to the one shown. If you like it, you can recreate it block-by-block but… it’s quicker to click this link! Modify it as needed and then set up a recurring email:
https://analytics.google.com/analytics/web/template?uid=mh2ta8qeQESPAwtpO5WcQQ
SEARCH CONSOLES
Google Search Console and Bing Webmaster Tools show a smorgasbord of information about how visitors and each search engine experience your website. Here are useful ones in Google Search Console…
Core Web Vitals – tells you if pages are taking too long to load and other user experience issues. This is a lightweight substitute for speed and uptime monitoring (above), though it has much less info and won’t notify you when your site is down or slow.
Mobile Usability – shows anything making it difficult to use your site on phones.
Coverage – whether they’ve indexed all your pages.
Search Results – what terms people search for and what terms have high click-through rates on search engines. This is a lightweight substitute for keyword research.
And more!
The search consoles are useful for seeing how people look for your website and what kind of things people search for that end up leading them to your site.
Conclusion
WordPress sites inherently run a higher risk of being compromised than sites made with competing website-making platforms. Because of this, security and backups are key to keeping your WordPress site running. On top of that, it is good to keep an eye on load times, visitor stats, and SEO to make sure your site gets continuous traffic.
Contact us if you have questions or would like to know more about Sund + Co’s advertising and design services.