Best Practices for Managing Your WordPress Site

Best Practices for Managing Your WordPress Site

I speak to a lot of people who think that creating a website is all you need to do to have a presence on the Internet.

They think that simply having a site out there, preferably one built on WordPress and using a great theme and some plugins to make it even better, will help them to reach a huge online audience and connect with more people or make more sales.

Unfortunately it isn’t as simple as that. Once you’ve created and launched your site, you can give yourself a quick pat on the back, but you really mustn’t rest on your laurels. This is only the start of the ongoing task of managing your site and keeping it up-to-date, relevant and secure.

In this post I’ll look at some of the things you need to do to manage your site effectively over time.

I’m going to look at five key areas:

  • Content
  • Code
  • Performance
  • Backups
  • Security

Managing your site isn’t difficult. Millions of website owners do it and there are plenty of tools out there to help you, some of which I’ll mention here. But it can be hard work, especially if you want a site with high levels of traffic, as you’ll not only need to attract the visitors you want but also ensure your security measures keep out those you don’t.

So let’s start with my favorite out of the five topics (I’m a writer, what do you expect?): Content.

Managing Your Site Content

Managing and updating content is pretty easy with WordPress: it is a content management system after all. But WordPress won’t do the hard work for you: you have to create your content, share it with a wide audience, and engage with the people who are reading it and commenting on it. By doing these things you’ll create a site that encourages people to come back regularly and which gets found by search engines.

The three main areas you need to think about are:

  • Publishing regularly
  • Sharing content
  • Managing subscribers and comments

Publishing to Your Site Regularly

In the early days of working on your site, the chances are you’ll have lots of adrenalin and write new content fairly frequently. As time passes you’ll get distracted by other things, you’ll lose your enthusiasm and start publishing less and less frequently. In time you may stop publishing altogether.

If you want people to keep visiting your site and the search engines to keep finding it, this can’t happen. So you need to define a publishing schedule that you can stick to from the outset. If you’ve got loads of ideas at the beginning, by all means start working on them but don’t publish them yet: save them as drafts or in note form and publish them at a later date when you haven’t got so many ideas or so much time.

Schedule posts
WordPress lets you schedule your posts in the future.

Here are some tips for creating and sticking to a regular publishing schedule:

  • Identify how frequently your site visitors will expect you to post new content. This will depend on your site and your audience and is likely to be higher if you want to make money from the site.
  • Be honest with yourself: can you realistically write, edit, and publish content at this pace? If you can’t do it yourself, you may need to rethink your plans or hire other people to help you.
  • Create a publishing schedule with details of when you’ll publish and what type of content you’ll publish when: for example, you might post different types of posts on different days of the week.
  • As you come up with ideas, allocate them to dates in the future. Give yourself a reasonable amount of time before publication to allow time for writing, editing, and creating or sourcing assets.
  • Take time to edit your posts. After drafting something, don’t hit ‘Publish’. Save it as a draft and then come back to it another day to make edits, or (even better) ask someone else to.
  • If you’re not going to be around on the days when you normally publish content, use the WordPress scheduling feature. In the publishing pane, you can select a future date for publication and then hit ‘Schedule’. WordPress will automatically publish the post for you when you tell it to.

Spreading the Word

Once you’ve got content, you need to tell people about it. Even established sites with audiences in the millions adopt strategies to let people know what they’re publishing. You’ve got a few tools available to help you with this:

  • Subscription – If you can entice people to subscribe to your site (maybe with a freebie such as a free e-book or report), then you have a captive audience. You can use plugins like HubSpot, MailPoet or our Subscribe by Email to automatically notify your subscribers when you post new content, or to send them a daily or weekly digest of new posts.
  • RSS Feeds – WordPress will automatically create an RSS feed for you, but you can make things easier for your readers by using a widget to help them subscribe to it.
  • Social media – If your content is public, then social media really is the best way to raise awareness of it. But don’t go hammering all the social media platforms: you’ll spend way too much time on it and you’ll get diminishing returns. Identify what social media platforms your target audience use and build your presence on those. Identify when your audience is on social media and make sure you post at those times. A tool like Hootsuite can help you with scheduling posts.
  • Social media plugins – Plugins like Ultimate Facebook and WP to Twitter will help you automatically post new content to your social media accounts when you publish it on your blog. Plugins like Ultimate Facebook will also encourage your readers to share your content via their own social media accounts, too.

For details of some great plugins that will help you share your content, see my post on 16 plugins to help you communicate with your users.

Managing Comments

As well as engaging with your readers on social media, you’ll need to consider whether and how you’re going to use comments to let your readers voice their opinions and ask questions – and how you’ll respond.

You don’t have to enable comments; on some sites, it may not be necessary, but if you’re launching a blog or community site it will help your readers feel that you care about what they think, give you a chance to understand what they think of your content and make it more likely that they’ll keep coming back.

Here are some questions you might ask yourself:

  • Will you allow anyone to post comments, or will you approve them first?
  • If someone has already had a comment approved, will you let them comment without you having to approve in the future?
  • Will people have to sign in to comment?
  • Will you use a third-party tool to manage comments, or let readers use their social media accounts?
  • How often will you read comments?
  • To what sort of comments will you reply? Will you reply to everyone or have a set of criteria?

The first thing you’ll need to do is configure your discussion settings in the admin screens. In Settings -> Discussion, choose the options that work best for your site and remember that if you turn comments off, this will only apply to new posts, so you’ll need to either manually turn discussion off in your old posts or use a plugin like Disable Comments.

In the Discussion settings screen, you can define whether comments are allowed, whether users need to be logged in to comment, whether you’ll moderate comments before they’re published, and whether you’ll allow people who’ve posted comments before to post again without moderation:


Once you’ve done this, you need to manage comments and respond to them. It can be easy to get sucked into replying to comments the instant you’re emailed with a notification, which can impact on your productivity elsewhere.

I recommend identifying a time of day (or maybe a day of the week if you don’t get a lot of comments to start with) when you review comments and respond to them.

Here are a few tips:

  • Make sure you enable the Akismet plugin, bundled with WordPress, to clear out comment spam. It will save you a lot of work.
  • Sometimes another reader will reply to a commenter answering their question or starting a discussion. This is great! It means your site is sparking off discussion among your community of readers. If you wait a while before replying to comments yourself, this is more likely, but don’t forget to post a comment at some point or people will think you’re ignoring them.
  • Beware of comments that say your post is the best thing since sliced bread but don’t add anything specific. These are often spam – if you publish them thinking it’ll make your site look good, it might actually make you look a bit needy and gullible.
  • If people do post positive and specific comments, publish them as soon as possible and reply with a thank you and an answer to any questions.
  • You may well get comments disagreeing with your viewpoint or advice. This is very healthy as it encourages debate and will get more people commenting. Respond to these comments but don’t be tempted to get defensive: your views are just as valid as those of your readers.
  • If people (correctly) point out errors in your content, thank them, and make corrections. I’m talking about factual errors here, not differences of opinion!
  • If people post defamatory, obscene or libelous comments, don’t publish them – they aren’t part of healthy debate. Mark them as spam and Akismet will spam that commenter’s comments in the future, or simply delete them if you don’t want to be so strict.

I’ve seen blogs that generate thousands of comments on posts, many of which are very repetitive (‘I love your ideas on X and Y! Awesome!’). Welcome these but don’t feel you need to reply to each one individually. Time spent on writing new content will benefit your readers much more than time spent on replying to endless comments.

Managing Your Site’s Code

Of course, none of your content will be displayed in your visitors’ browsers without some code. The code powering your site comes from three sources:

  • WordPress itself
  • Your theme
  • Plugins you use

You need to make sure that the code from these three sources is up to date and free of any potential problems such as spammy links, security risks, and conflicts. The most important thing you can do to avoid this is to keep everything up to date but there’s more to it than that.


Keeping your version of WordPress and your plugins and themes up to date will help keep your site running smoothly and reduce any security risks.

Keeping WordPress Up-to-Date

WordPress updates are released for very different reasons, but they’ll normally include one or more of the following:

  • Bug fixes
  • Security patches
  • Enhancements.

The major releases (such as 4.1) tend to be focused on enhancements but they’ll probably include some bug fixes as well. The interim releases (such as 4.0.1) are normally focused on fixing bugs or making security patches.

I’ve been creating and supporting client websites for five years now and in that time almost every time a site has been hacked it’s because it hasn’t been running the latest version of WordPress. On just one occasion it was because the server was hacked, and on another, it was because a client was running an insecure theme, but every other time it’s because people have exploited vulnerabilities in an old version of WordPress. Security patches are released very quickly after a problem is identified, and made very public, which means that the bad guys will know about the vulnerability too. So keep your version of WordPress up-to-date!

While WordPress will automatically update to the latest minor version, major versions need to be updated manually so be sure to check your WordPress installs whenever a new major release has been shipped.

Keeping Themes and Plugins Up-to-Date

The same goes for your themes and plugins: if they’re updated, it will be for one of four reasons:

  • Feature enhancements
  • Bug fixes
  • Security patches
  • Compatibility with the latest version of WordPress.

In the Dashboard, you can easily see if you have any themes or plugins that need updating. And you can update them all by going to the Updates screen:


You might want to test the updates on a local copy of your site before updating everything on your live site. While a well-written theme or plugin shouldn’t break your site, occasionally it does happen and you don’t want that to be visible to your visitors.

To make a local copy of your site, you can use a plugin like Snapshot Pro to back up your site and then install it on your local machine. There’s more advice on running WordPress locally in the WordPress Codex.

Sourcing Your Themes and Plugins

As well as keeping your site up-to-date, you also need to consider where you’re getting your themes and plugins from in the first place.

Make sure you only download code from a reputable source. If you’re not sure, ask other WordPress users for their recommendations or for their take on the plugin or theme you want to use. Or if you’re not a developer but know one, ask them if they don’t mind looking at the code for you. A friend once asked me to look at a theme that she was planning on using for a community site, and it turned out to have malicious links hidden in the footer.

Where you’re going to get your themes and plugins from will differ depending on whether you’re looking for free or premium ones. Here are my tips:

  • Only download free themes and plugins from the WordPress theme and plugin repositories. These have thousands of themes and plugins to meet all needs and what’s best is that they’ve been checked by experienced teams to ensure that they work and that they don’t include malicious code or security errors. For full details of how themes and plugins are reviewed, see the Theme Unit Test and Plugin Submission and Promotion pages on the Codex.
  • When buying premium themes and plugins, talk to other developers, or check with websites like this one for reviews and advice. This will help you to find reputable sources and avoid trouble. Purchasing themes from a high-quality theme provider or subscribing to a plugin library like the one here at WPMU DEV will help you avoid problems.

For more on sourcing themes and plugins, especially on deciding whether to go for free or premium ones, see our post on when to buy and when to download free.

Choosing Themes and Plugins that Make Managing Your Site Easier

When you’re choosing themes and plugins, reliability and security aren’t the only criteria to bear in mind. You also want to find a theme and a set of plugins that will make it easier for you to create, manage, and update your site.

This isn’t just about installing plugins to help you with site management activities: it’s also about finding plugins that are easy to work with, quick to install and administer, and just do what they say they will without too much extra work from you. For example:

  • If you’re a non-coder, avoid plugins that require you to insert code into theme template files.
  • Avoid themes with features that you don’t need. They’ll add more code and may confuse you if they come with lots of theme options.
  • Test how your plugins do the job they’re designed to do. For example, when choosing a backup plugin, find one that automates backups and makes it super easy to restore your site if things go wrong: lots of plugins do the first but not the second.
  • Choose plugins that are efficient and won’t slow down your site. If a plugin is slowing your site down, check that it’s up to date and if it is, consider looking for an alternative plugin. However it’s worth saying that plugins aren’t always bad for site performance: there is a myth that the more plugins you install the slower your site will be, but the reality is that it depends on the size and performance of the plugins.

Managing Your Site’s Performance

The third aspect of managing your site is performance. There are really two aspects to this:

  1. The performance of your site against its objectives, which may be attracting more visitors, making more conversions, etc.
  2. The performance of your site in terms of page load times and speed.

Each of these is quite different, but the second will have an impact on the first because a slow site is one that people abandon before it’s even loaded.

Creating a High-Performing Site

A high performing site will generate significant amounts of traffic and increase the number of visitors over time. It will attract new visitors and encourage people to return, and it will have a low bounce rate.

Your site will have its own specific objectives: it’s important to know what those are from the outset as it will influence your site design, UI, and content.

To maximize your site performance you need to know what your objectives are and find a way to measure the site against those objectives. You’ll also need to identify and use tools that will help your site to meet its objectives. The main areas you’ll probably want to consider are:

  • SEO to attract more visitors
  • Conversion optimization to get more sales or encourage more people to contact you
  • In-site activity tracking so you can minimize bounce rates
  • Analytics to help you track visitors, conversions, bounce rates and more
  • Optimizing your site for all of the platforms your visitors use, including mobile and touch devices as well as desktop PCs.

Search Engine Optimization

There are probably millions of articles and blog posts out there to help you with your SEO, so I’m not going to add much to the topic here. However, it’s worth noting what WordPress-specific tools you have at your disposal to help with SEO. WordPress comes with inbuilt features for this and you can also install plugins which will help you boost your search engine rankings. None of these are a quick fix however and if SEO is the means by which you’ll attract traffic, you’ll need to gain an in-depth understanding of the latest developments in it and put in a lot of work to optimize your site.

Features and tools you can use include:

  • Inbuilt WordPress functions such as those to generate title tags in the <head> section of your pages. Your theme should support these (although you might want to override them using a plugin).
  • When adding links, especially internal links, adding a title in the field provided by WordPress. This will help search engines understand what those links are about.
  • When inserting images, adding alternative text and a description. When people make image searches, Google and other search engines will use these to determine what to show them. They’re also good for accessibility.
  • Plugins to give you more advanced SEO functionality, such as SmartCrawl, All In One SEO Pack or Yoast SEO.
  • Plugins to help you access your site analytics in the WordPress admin such as Beehive.

Conversion Optimization

For many years now the focus has been on SEO – on getting more visitors to your site in the assumption that once they’re with you, they’ll do what you want them to. But it’s dangerous to assume this.

The chances are you have some activity that you want people to engage in when they reach your site: consume content, join a community, buy something, subscribe, or get in touch. People who do this after visiting your website are sad to have converted – they’re now more than just visitors.

Working on your conversation optimization can be much more effective than working on SEO, for the simple reason that fewer sites are doing it.

So if you invest a given amount of time and money in SEO, you might increase your visitor numbers by 500% (for example) from 100 per day to 500 per day.


Our best pro WP tools in one bundle

Try free for 7 days
30-day money-back

But if those people are then leaving your site within seconds of arriving, all that investment in SEO hasn’t done you much good. Let’s say 10% of the people visiting your site normally convert, but this percentage drops with more visitors to 5%. You’ll now have more than twice as many people converting (25 compared to 10), which is good.

But what if you invest that time and money in increasing your conversation rate by 500% instead? You still have 100 visitors per day but instead of 10 of them converting, 50 of them now convert. That’s twice the rate of return compared to putting the same effort into SEO. And you may well find that it’s easier to do, as you can gain a better understanding of your site and how people behave on it than you can of Google and its algorithms.

There’s less material online about Conversion Rate Optimization (CRO) than there is on SEO, but if you want to understand how to get started I’d recommend the free materials you can download from Conversion Rate Experts. But what WordPress tools can help with this?

  • Plugins like Beehive help you access your site analytics and see what visitors are doing.
  • Performing A/B testing on two themes will help you see which theme encourages more visitors to convert. Check out our list of A/B Theme Testing tools that can help you do this.
  • There are a range of plugins to help you get more from your analytics data and create more detailed data. An example is Form Abandonment Tracking, which tracks behaviors on forms.

Cross-Platform Optimization

When I started developing websites, cross-browser testing was all the rage. Developers would spend hours wrangling their code so it worked in various versions of Internet Explorer, causing much frustration.

Then the idea of progressive enhancement emerged and we learned not to worry so much about users of bad browsers not getting the optimal experience.

No-one talks about browser compatibility anymore. Now it’s all about cross-device compatibility. With increasing numbers of people accessing the Internet on mobile devices, be that a smartphone or tablet, it’s now essential for your site to work effectively on all devices. In practice, this will probably mean using a responsive theme, but you might also want to think about installing or developing an adaptive theme, which takes responsiveness a step further.

At the very least, your site’s layout should resize on smaller screens and buttons, links, etc. should be easy to tap on a touchscreen. Navigation should resize or move to suit the demands of a small screen and ideally, images should be served up at different resolutions for smaller screens to save on load times.

You can find a list of some great free responsive themes or premium themes here on our blog as well as the lowdown on plugins to optimize your site on mobile.

To take your site one step further on mobile, you can use an adaptive theme, which uses PHP to change what’s output by the server, rather than just using CSS to change how it’s displayed. An adaptive theme will include responsiveness for layout but also use server-side techniques to ensure that (for example) smaller images are sent to devices with smaller screens. While this is less of a priority than it was a couple of years ago when phones were often working on slow connections, it always makes sense to avoid making your site any slower than it needs to be.

Optimizing Your Site’s Speed

Your site isn’t going to perform if it’s too slow. Website visitors are used to pages loading quickly and if yours don’t the chances are they’ll just give up and go elsewhere. So all that work you’ve done on SEO and CRO will come to nothing.

Ensuring your site runs quickly involves anticipating the traffic you’re going to get (especially spikes) and ensuring that your server can cope with it. It’s also about using themes and plugins which are coded in a way that makes for a fast, efficient site, and it’s about using methods such as caching to serve pages up quicker. Let’s take a look at some of these techniques.

Caching Your Site’s Pages

If you cache your site’s pages, it means that your site generates static HTML for pages at given intervals; those static pages are then served up to browsers instead of WordPress running all of the actions it needs to load a page, setup themes, and plugins, and fetch content from the database.

Caching will generally speed up your page load times, but should be approached with caution:

  • If your site has pages that frequently change (such as the home page), cached pages could quickly go out of date.
  • If you’re enabling comment posting without moderation, caching could prevent people’s comments from being displayed straightaway.
  • If your pages include feeds from elsewhere (such as social media or RSS feeds), you’ll need to consider how often you want the cache to refresh so that the feed is up to date.

For high traffic sites, you can also use server caching: the way you do this will depend on your server configuration so it’s something you’ll need to speak to your hosting provider about.

The most popular plugins for caching WordPress sites are Hummingbird, W3 Total Cache, and WP Super Cache. Which one works best for you will depend on the specific options you need: it’s worth testing both of them if your site receives a lot of traffic as then you can pick the one which makes the most difference to your site speed.

Minifying Your Code

As well as caching your pages, you can also install plugins that will minify the code in your CSS and Javascript files. This makes the browser read the files slightly faster, as it doesn’t need all of the extra carriage returns and spaces you’ve added to make your code easier to work with.

Ensuring Your Code is Efficient

As well as caching your pages, you can speed up your site by ensuring that your plugins and themes are coded in a way that is as fast and efficient as possible. This will include:

  • Minimizing HTTP requests. Every time a browser has to make a request for an asset or page, it takes time, and one of the biggest culprits is calling images. Make sure your theme or plugins don’t use images where they should be using code (for example using images for solid backgrounds or rounded corners, which can be achieved with CSS). For small screens, use PHP to prevent sliders and other assets with lots of images from loading, unless they’re designed for the small screen.
  • Load stylesheets at the top of the page, in the <head> section. This doesn’t generally speed up your page load time, but it won’t decrease it and it will make the page appear to load more quickly to users, who might worry if all the content loads before the styling kicks in. Your theme’s header.php file should be loading the stylesheet early on.
  • Load scripts at the bottom of the page. Scripts loaded at the top of the page will block other downloads such as images and other assets. It’s likely that your script’s functionality won’t be needed until the rest of the page has loaded, so you should ensure that you use plugins (or code your own plugins) to load scripts in the footer. You don’t do this by coding them into your theme files: instead, use the wp_enqueue_script() function.
  • Use CSS and Javascript that are external to the page. Inline CSS, in particular, is very bad practice and external scripts will load faster than those in the page as the external files are cached by the browser. In both cases, it’s also a more efficient way of coding as your theme may need to access styling or scripts form more than one template file.
  • Avoid redirects where possible. Redirects (using the 301 and 302 status codes) slow things down as the user has to wait for the browser to be redirected before anything starts to load. If you do have to use redecorates on your site, combine them with caching of those pages.
  • Make sure you use a trailing slash after internal links. A link without a trailing slash actually points to nothing, but the browser will assume that it points to the correct link (with the trailing slash), and force a redirect to that URL, slowing down the page load time. If you’re working on an existing site and you think some old links don’t have trailing slashes, you can force trailing slashes in your .htaccess file. If you’re not comfortable doing this, the least you can do is ensure that all of the links in your navigation menus have trailing slashes.
  • Call functions correctly and attach them to the right hook. The codex will help you identify which hook to use with which function: getting this right will ensure your function loads at the right time.
  • Minimize the number of queries on a page and create custom queries as efficiently as possible. Don’t use wp_query – if you want to modify the main query, use the pre_get_posts hook instead. For completely new queries use the WP_Query class, and beware using this too many times on a page.

There are more ways in which you can make your code as efficient as possible, but these are some of the ones that will get the best results for the least effort. For more on this, see the Codex page on WordPress optimization.

Keeping Your Site Backed Up

If there is one thing that will help you avoid some major headaches, it’s installing a plugin to regularly backup your site without any input for you. Don’t rely on yourself to do this manually: chances are you’ll forget the day before your server goes down or your site gets hacked and you won’t have an up to date backup.

There are plenty of backup plugins out there: here are some pointers to help you choose the right one for you:

  • Your plugging must let you create an automated backup schedule, preferably with the frequency of backups dictated by you.
  • Consider how easy a plugin makes it to restore your site when you need to: lots of them (especially the free ones) make it easy to take backups but not so easy to do a restore.
  • Think about where you want your backups to be stored: some plugins store your backups on their own servers, others email you a backup, some store it on your server (not much use if your server fails) and others let you use third-party services like Dropbox. The best ones will give you a choice.
  • A good backup plugin is worth spending money on, in my opinion. If it takes you a long time to restore your site in the case of disaster, that’s time when you could be earning, so you may lose out financially. But this will depend on the type of site you’re running and whether you have any budget.

For more, read this post for tips on choosing a backup plugin with a review of some of them.

Once you’ve picked your plugin, configure it to take automatic backups and store them somewhere secure. This needs to happen without any involvement from you. Some things to consider:

  • Schedule different backups at different frequencies. For example, you might back up your database and uploads daily and your files weekly.
  • Think about the times and days when you do the most work on your site and schedule backups for just after these days and times.
  • Alternatively, run backups in the middle of the night so you know you won’t be in the middle of working on the site when they’re taken.
  • Consider how often you update your site: this is the frequency with which you need to take backups.
  • Read up on how to do a restore with your chosen plugin so that you’re prepared if the worst happens.
  • Make sure you can access your backups when you’re away from the office: the last time I had to restore my site was on a camping trip! It wasn’t the best way to spend the first day of my vacation and didn’t make my family too happy, but at least I could access everything (from a coffee shop with wifi) and restore my site relatively quickly.

Enhancing Site Security

Even if you keep WordPress and your themes and plugins up to date, your site may not necessarily be as secure as it could be. There are additional steps you can take to make your site as secure as possible against hackers and spammers. Let’s take a look at five aspects of this:

  • Secure site management and administration.
  • Configuring your WordPress installation for added security
  • Locking down part of your installation
  • Security by obscurity
  • Monitoring your site for attacks

Secure Site Management and Administration

There are some simple steps you and other users can take when managing your site to make it more secure:

  • Update WordPress each time a new version is released. This is the single most important step you can take to improve security. New releases will have security patches addressing backdoors which hackers are aware of and have been using to attack sites – so by installing the update, you close the backdoor.
  • Only download WordPress updates from the official WordPress site. There’s absolutely no reason to download it from anywhere else.
  • Only download plugins and themes from trusted sources. The official plugin and theme repositories are the only places I would consider downloading free themes or plugins. If you’re buying premium themes and plugins, make sure they have a GPL license and that they come recommended by other developers. It’s also wise to inspect the code before activating them.
  • Use SFTP instead of FTP when uploading and downloading or editing site files.
  • Use strong passwords, and encourage other users to do the same. You can try using a strong password generator if you can’t think of your own!

Secure WordPress Configuration

There are a number of steps you can take when configuring your site to make things more secure, and you’ll find a lot of detail on the Codex guide to hardening WordPress.

The most straightforward of these is to use keys. These are keys added to the config.php file, which you don’t need to remember but will ensure better encryption of information stored in cookies. Security keys look like the code below (taken from the Codex – don’t use these!):

As I say, don’t use the keys in the example above: yours need to be unique. You can use the security key generator on the WordPress site to generate your own, and then you’ll need to paste them into your wp-config.php file.

Another option you’ll want to consider, especially if your site is a Multisite installation with lots of people creating their own subsites, or if you’re running an e-commerce site, is using SSL. This will your domain https at the beginning  instead of http and will encrypt URLs so they’re sent securely between the browser and the server. It could also give you an SEO advantage in the future, as Google has stated that it may favor sites that use SSL. See this guide for instructions on how to set up SSL. Also, keep in mind that SSL certificates are free with any sites hosted with us.

Locking Down Parts of Your Site

You can also try locking down parts of your site or restricting access, including the examples below:

  • Restrict access by IP address. In your .htaccess file you can specify IP addresses from which users are permitted to edit the site. This may not be ideal for a client site or one with multiple contributors (users may want to access the site from another IP address while traveling) but will make your own site very secure. To do this, add the following to your .htaccess file, replacing with your IP address:
  • Password-protect the wp-admin directory. You can add a server-side password to the wp-admin directory using CPanel and it adds an additional layer of security to this directory, meaning any hacker that manages to get in via a username and password will also have to get through this password (which you will, of course, make very strong).
  • Disallow file editing via the dashboard. This can also help prevent problems due to user error – editing files via the dashboard is not good practice anyway compared to using a text editor with FTP, as there is no means of undoing changes. To disallow file editing in this way, add the following to .htaccess:

Security by Obscurity

The concept of ‘security by obscurity’ means that you’re not actually making your site more secure, but you are making it vary from a standard WordPress installation which might prevent access via automated hacks or really stupid hackers! You shouldn’t rely on the measures below but they can’t do any harm:

  • Don’t use default usernames. If an account with the admin username is created when you install WordPress, remove it. Create an administrator account with a unique username instead. This will protect you from opportunistic hackers looking for a backdoor via the admin account.
  • Change the WordPress table prefix. By default this is wp_, but you can change it while installing WordPress by changing the $table_prefix value in your wp-config.php file.

Monitoring Site Security

However secure you make your site, it’s always worth monitoring it so you know if you’ve been attacked and can take action as quickly as possible. There are tools and services you can use to help with this, which range on cost depending on the nature of your site and the level of service:

  • Your hosting company will probably offer levels of service which can monitor your site or fix it if things go wrong, such as a managed hosting account. Some providers offer managed hosting specifically geared towards WordPress sites (like us here at WPMU DEV).
  • Sucuri offers a free security checking tool on their website but if you want automatic updates and fixes you can try their WordPress security monitoring service.
  • The Sucuri security plugin is free and will help you monitor your own site security if you don’t want to pay for a higher level of service.

For more on securing your site, see our ultimate guide to WordPress security.


As you can see from the number of topics covered in this post, managing your site isn’t as simple as launching it and then sitting back and waiting for visitors to come.

For your site to be successful, you’ll need to manage it on an ongoing basis. Exactly what you need to do will depend on the nature of your site, its objectives, and its userbase, but you will probably need to consider some or all of the following:

  • Creating content, making people aware of it, and engaging with readers.
  • Keeping your code up to date and sourcing plugins and themes from secure and reputable sources.
  • Monitoring and managing your site’s performance to enhance reliability and speed.
  • Enhancing search engine optimization to attract more visitors and conversation optimization to make sure their visit to your site is valuable.
  • Setting up regular automated backups and knowing what to do in case you need to use them to restore your site.
  • Enhancing your site’s security and monitoring it to check for attacks.

None of this is particularly difficult, but it can be a lot of work, and the amount of time you put in will depend on what you want to get from your site. But if you do it well, you’ll have a high performing, secure site that engages effectively with its audience and achieves its objectives, whatever those may be.

Do you follow WordPress best practice? Do you have any other tips for managing a WordPress site that we missed? Let us know in the comments below.