My website maintenance checklist
After I launch a website, my regular interactions with it usually stop there. That’s not the case for its owner, though, because WordPress sites take a certain amount of ongoing care.
I keep an eye on past clients’ sites, so I know that people often let this slide. It can absolutely be tedious, but it doesn’t make sense to budget (often quite a bit of) money for the initial website build and then allocate zero resources to keeping it maintained.
(With that said, I can empathize – the last time I went to a salon, the guy shampooing my hair pointed out, “You pay a lot of money to get your hair coloured, but then you buy drug store shampoo that strips it all out”. Touché, shampoo guy.)
I have a weekly calendar reminder to log in to my own WordPress sites and take care of these tasks:
- Run a full backup
- Update the core software
- Update plugins, themes, and translations
- Have a look around the front end
- Review security logs
- Run a malware scan
- Run a full backup & send to a remote destination
Run a full backup
If your hosting company provides automated backups, great! You should still run an on-demand backup immediately before you make any updates. Most hosts only make backups once a day. If you need to roll back to the version of the site before you updated that one plugin, you don’t want to lose (up to) 24 hours of content changes too.
My favourite WordPress host, WP Engine, has automated daily backups, lets you run on-demand backups from their panel, and has a one-click restore button in case you make a change you regret. If you’re stuck with a sub-par host, you can use VaultPress to get those automated backups and the restore button, but their cheapest plan doesn’t let you do on-demand backups. A free solution is the plugin BackUpWordPress, which does automated and on-demand backups, but has no easy restore button.
Whatever you use to get there, the goal is to have a full backup that contains everything from your theme, plugins, menus, widgets, and settings to every post, page, and image ever added to the site.
Updates for WordPress itself plus your plugins, themes, and translations will start popping up in the admin area as time goes on.
WordPress’s frequent updates are a good thing – people are actively working to improve the software that’s running your website – but they also present a security risk. WordPress is an open source project, which means that anyone who’s interested can look at the code that makes it run. After an update is released, it’s relatively easy for hackers to compare the old code to the new code and find the vulnerability in the old version.
What this means for you is that as long as you apply updates soon after they’re available, your website will be secure against these known vulnerabilities. The longer you leave outdated plugins or core on your site, however, the more likely it is that someone might exploit a long-since-patched security hole that’s still wide open on your site.
Update the core software
New versions of the WordPress core software are released periodically. Some hosts will make these updates for you, but if you’re on your own you should make these updates right away. Follow these steps to update:
- Go to Dashboard → Updates.
- Click the “Update Now” button near the top of the screen.
- Wait until the update completes before navigating away from the page.
Update plugins, themes, and translations
New versions of your plugins will appear frequently; less frequently you might also see updates for your theme(s) and translations. Update them as follows:
- Go to Dashboard → Updates.
- Under the Plugins heading, click the link that says “View version x.xx details” on each plugin that has an update available. Look for changes like “WOAH WE CHANGED EVERYTHING” or “this is a major upgrade, follow these steps before you update!”. You still want to update even if you see things like this, but be aware that it could significantly alter the plugin’s functionality and you might prefer to find a different plugin instead. Most of the time the changes are small though.
- Click the checkbox next to “Select All” to select all plugins with updates available.
- Click the “Update Plugins” button.
- Wait until you see the message “All updates have been completed.” Do not navigate away from the page until this message appears! If you do, the plugins may not reactivate successfully.
- Repeat these steps for any theme updates. If you have lots of themes installed that you’re not actively using, take this opportunity to delete them from the Appearance → Themes page instead of updating them.
- If you’re running a translation of WordPress (like Canadian English) there might also be a button to update your translations. Go ahead and click that last.
Have a look around the front end
After making all those updates, have a look at your site! You don’t have to go through every page, just click around a bit and make sure everything’s functioning normally.
Review security logs
I use the free Sucuri plugin to keep track of what’s going on with my sites. As part of my weekly maintenance, I glance through the past week’s logs for any weird-looking activity. These can be found at Sucuri Security → Dashboard.
Don’t be worried if you see lots of failed login attempts here. That’s normal with a WordPress site, and in most cases it’s not even humans trying to log in, it’s robots. As long as your login info isn’t something a robot could guess (like the username admin and the password password123), you’ll be fine.
Your password isn’t password123, right?
This page also does an integrity check on the standard parts of your WordPress installation and lets you know if anything is out of place. If everything is good, it displays the message “Your WordPress core files are clean and were not modified.”
If you don’t have a lot of people logging into your site, you might want to set up email alerts for whenever someone does log in. You can do so at Sucuri Security → Settings → “Alerts” tab. Under “Alert Events”, I usually select these three:
- Use WordPress functions to send mails (uncheck to use native PHP functions)
- Allow redirection after login to report the last-login information
- Receive email alerts for successful login attempts
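The weekly log review described above boils down to ignoring the background of failed logins and looking hard at the successful ones. This added example (not from the original post) shows that triage over constructed log lines; the log layout, the `triage` function and the usernames are assumptions for illustration, not the Sucuri plugin's format.

```python
from collections import Counter

# Constructed sample lines: timestamp, outcome, username, source IP.
# The layout is assumed for this example, not taken from any plugin.
SAMPLE_LOG = """\
2024-05-06T02:11:40Z FAILED admin 203.0.113.7
2024-05-06T02:11:41Z FAILED admin 203.0.113.7
2024-05-06T02:11:43Z FAILED administrator 203.0.113.7
2024-05-06T09:30:02Z SUCCESS sam 198.51.100.20
2024-05-07T04:50:10Z FAILED editor 192.0.2.44
2024-05-07T04:50:12Z FAILED editor 192.0.2.44
2024-05-07T04:50:15Z FAILED editor 192.0.2.44
2024-05-07T04:50:19Z SUCCESS editor 192.0.2.44
2024-05-08T13:05:55Z FAILED sam 198.51.100.20
2024-05-08T13:06:20Z SUCCESS sam 198.51.100.20
2024-05-09T23:41:00Z SUCCESS temp_dev 198.51.100.99
"""

def triage(log_text, known_users, max_failures_before_success=2):
    """Return (findings worth a closer look, failed-attempt counts per IP)."""
    failures = Counter()  # failed attempts per (ip, user) since the last success
    noise = Counter()     # failed attempts per IP: expected background
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        stamp, outcome, user, ip = parts
        if outcome == "FAILED":
            failures[(ip, user)] += 1
            noise[ip] += 1
        elif outcome == "SUCCESS":
            if user not in known_users:
                findings.append((stamp, user, ip, "login by unexpected account"))
            elif failures[(ip, user)] > max_failures_before_success:
                findings.append((stamp, user, ip, "success after repeated failures"))
            failures[(ip, user)] = 0  # a single typo before a login stays quiet
    return findings, dict(noise)

if __name__ == "__main__":
    flagged, background = triage(SAMPLE_LOG, known_users={"sam", "editor"})
    for item in flagged:
        print(*item)
    print("failed attempts per IP:", background)
```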
Finally, I check on the Sucuri Security → Hardening page. Some of the options will stay red (such as their “Website Firewall protection”, which you have to pay for) and some are fairly technical to turn green (such as the “Database table prefix”), but you want to harden as many of them as possible.
Run a malware scan
Sucuri’s SiteCheck scan is built into their plugin (at Sucuri Security → Malware Scan), or you can run the scan from their website for a bit more info. A lot of it will be technical, but if something’s not right on your website it’ll throw up a clear warning. If the scanner does find malware on your site, get Sucuri’s malware removal team on the case. Their Basic plan will get you cleaned up within 12 hours and then cover you for a year.
Run a full backup & send to a remote destination
Finally, once you’re sure your site is up to date, run a full backup and send that backup to a remote destination (i.e. somewhere other than where your website lives). No matter what backup solution you use, this is essential! If your backups are stored in the same place as your website, anything that goes wrong with the website can affect your backups too. VaultPress is off-site by default, and BackUpWordPress can be configured to send to a Dropbox account or other external storage.
P.S. Also set up regularly scheduled backups
Aside from the on-demand backups you make when updating WordPress, you should also have a regular backup schedule that sends to a remote destination.
You only need to keep a few backups at any given time (especially if they’re being sent somewhere with limited space, like a Dropbox account), but having these files will be absolutely crucial if your site ever gets hacked, or your hosting company’s servers explode, or something similarly catastrophic occurs.
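The two backup points above (send the backup somewhere else, and keep only a few) can be scripted together. This added example is not from the original post or from any backup plugin; it assumes the remote destination is reachable as a folder (a synced or mounted directory) and that archives are named `site-YYYY-MM-DD.zip`, both of which are choices made for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash in chunks: backup archives are often too large to read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def ship_backup(archive: Path, remote_dir: Path, keep: int = 3) -> dict:
    """Copy archive to remote_dir, verify the copy, then prune old backups."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    remote_dir.mkdir(parents=True, exist_ok=True)
    copy = remote_dir / archive.name
    shutil.copy2(archive, copy)
    if sha256_of(copy) != sha256_of(archive):
        copy.unlink()  # never leave a corrupt file that looks like a backup
        raise OSError(f"remote copy of {archive.name} does not match the original")
    # The date stamp in the name sorts chronologically, so name order is age order
    backups = sorted(remote_dir.glob("site-*.zip"))
    pruned = [old.name for old in backups[:-keep]]
    for name in pruned:
        (remote_dir / name).unlink()
    return {"verified": copy.name, "pruned": pruned,
            "kept": [b.name for b in backups[-keep:]]}

def demo() -> dict:
    """Constructed run: three older backups exist remotely, a fourth is shipped."""
    with tempfile.TemporaryDirectory() as tmp:
        local, remote = Path(tmp, "local"), Path(tmp, "remote")
        local.mkdir()
        remote.mkdir()
        for day in ("2024-04-15", "2024-04-22", "2024-04-29"):
            (remote / f"site-{day}.zip").write_bytes(b"older backup " + day.encode())
        new = local / "site-2024-05-06.zip"
        new.write_bytes(b"constructed backup payload")
        return ship_backup(new, remote, keep=3)

if __name__ == "__main__":
    print(demo())
```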
In total, it takes me a few minutes per site each week to keep them running smoothly, and I highly recommend doing this on any WordPress sites you have lying around. I don’t care if you do it yourself or hire someone else to do it for you – the important thing is to make sure someone’s doing it!