WordPress site management best practices


WordPress is a great tool and it has become an icon in the Internet world.  But with that wide distribution comes the risk of becoming a target for hackers.  Many of you have experienced what it is like to deal with hacking and malware.  Hopefully most of you haven’t experienced this yet.  This post covers some best practices so that, hopefully, you won’t ever have to deal with that.

Don’t test new code or upgrades on a production site

Probably the most prevalent no-no that I see is people who manage their sites completely on the production side.  They fail to maintain a testing system and they test plugins on the production site.  Even worse, some see a plugin upgrade available and without testing the upgrade first, they update the production site immediately.  It’s good to be on top of updates like that, but don’t let your first experience with a piece of code be on your production system.

Don’t run your test system next to your production system

A lot of hosts allow you to have multiple domains hosted on your account.  That is fine if you are able to run them under separate users where their folder structures are separated at the user level.  But don’t run your test system under the same user account as your production system.  If one of these gets infected with malware, there is a good chance the other will be vulnerable.

Keep an off-site backup

Since you should already be maintaining an off-site testing system, this should be a no-brainer.  Keep a clean copy of your production site offline.  From your production system or your test system, file transfer should be a one way street – outbound.  Do not co-mingle code here.  This is your rollback if your production site is hacked.

Use a child theme

Many modern WordPress themes take advantage of the parent-child model in WordPress and a lot of theme authors take advantage of the fact that they can easily distribute updates to their theme.  But what happens if you’ve made a lot of customizations to your theme?  An update will wipe them out and create a lot of work for you.  But updates are important as some of them could be security related.

So, keep your customizations in a child theme.  This allows you to upgrade the parent when an update is available without wiping out your changes.  You may need to check for compatibilities in the upgrade, and you should be doing this on a test system as outlined above.  But this will make your life infinitely easier when it comes to updates.

Setting up a child theme is an easy process, so there’s no reason not to do it.  The WordPress Codex is a good place to start.

Keep core, plugins, and themes up-to-date

If you have out of date plugins, or worse yet, out of date WordPress, you are just asking for trouble.  Keep things up to date with the most recent version.

That brings up a side point. If you are using some obscure plugin from an author that no longer keeps it up to date for WordPress, you might want to reconsider using that plugin.  This doesn’t apply to everything because some simple plugins don’t really (a) pose a security risk and (b) need to be updated.  This is just a generalization to say choose your plugins carefully.  It’s also good to consider if you really need a plugin or if a simple function in your functions.php would do the job.

Good password management

For a dictionary style attack, WordPress is a pretty easy target if you don’t practice good password management (and if you have an admin username like “admin” or “administrator”).  WordPress has made things better over the years by not creating the initial account as “admin” and giving you a password strength indicator.  Take advantage of those.

Dictionary attackers use a file list with common usernames and passwords.  They will hit until they find a good combination.  If you use something simple like username “admin” and password as “password123” you are wide open to this type of attack.
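
To see whether this kind of guessing is already happening against your own site, you can scan the web server access log for repeated login POSTs. The script below is an added example, not part of the original post; it assumes the Apache/nginx "combined" log format and stock WordPress behaviour (a failed login re-renders the form with status 200, a successful one redirects with 302), and the threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the start of an Apache/nginx "combined" access log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def _line(ip, sec, status, method="POST"):
    """Build one constructed log line (documentation-range IPs only)."""
    return (f'{ip} - - [10/Mar/2024:04:11:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4521 "-" "-"')


# Constructed sample: one noisy client, one user who mistyped once, one page view.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, 200) for s in range(6)]   # six failed guesses
    + [_line("203.0.113.7", 6, 302)]                   # then a login that worked
    + [_line("198.51.100.20", 10, 200), _line("198.51.100.20", 11, 302)]
    + [_line("192.0.2.5", 20, 200, method="GET")]      # just loading the form
)


def scan_login_attempts(log_text, threshold=5):
    """Return {ip: {"failed": n, "succeeded_after_failures": bool}} for each
    client with at least `threshold` failed POSTs to /wp-login.php."""
    failed = defaultdict(int)
    breached = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ip, status = m["ip"], m["status"]
        if status == "200":            # assumption: login form shown again = failure
            failed[ip] += 1
        elif status == "302" and failed[ip] >= threshold:
            breached.add(ip)           # a guess landed after many failures
    return {ip: {"failed": n, "succeeded_after_failures": ip in breached}
            for ip, n in failed.items() if n >= threshold}


if __name__ == "__main__":
    print(scan_login_attempts(SAMPLE_LOG))
```

An address reported with succeeded_after_failures set to True means a guess eventually worked, so treat that account as compromised: change its password and review what it did.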



This list of Best Practices is not exhaustive, nor is it the end story on each of the points covered.  But following some of these simple rules and considering security for your blog will save you mountains of headaches down the road.

