Whether you’re using WordPress to run a personal blog or to power your business website, the new year is the perfect time to take a few precautionary steps that will ensure your site remains happy, secure, and healthy throughout the year. Most of these tips will only take a few minutes, but they can prevent hours (days, maybe weeks) of headaches in the future.
- Back up everything. That means backing up your WordPress theme as well as your MySQL database. After you’ve backed up everything, schedule regular automated backups, so you won’t have to worry about them in the future. The easiest way to automate backups is with a plugin like BackupBuddy (affiliate link) or a service like VaultPress. BackupBuddy will back up your database and theme, as well as your settings and widget configuration. VaultPress is a little more pricey, but it provides additional security through automated vulnerability scanning and disaster recovery. When the TimThumb hack hit last year, VaultPress members’ sites were fixed automatically. That’s a valuable service for site owners who’d rather be running their business than babysitting a sick website.
- Do those upgrades (and do them now). Are you running the latest version of WordPress? If not, what are you waiting for? In the WordPress world, updates are about more than just new features; they’re also about security. Most WordPress site hacks (TimThumb being the notable exception) can be traced to outdated versions of WordPress. While you’re at it, be sure to update your plugins too.
- Deactivate plugins you aren’t using. Go to your Installed Plugins page (Plugins -> Installed Plugins) and click the Active link. Do you recognize all of the plugins that are active on your site? If you’re like most WordPress users, there’s a good chance that you’ve got more than a few plugins that you experimented with, then later abandoned. If you’re not using a plugin, be sure to deactivate it. Your site will be faster, you’ll have fewer compatibility problems down the road, and you’ll likely have a more secure website to boot. And if you aren’t using a plugin, you should delete it (after you’re sure you don’t need it, of course). In a future post, I’ll show you how to take a plugin inventory so you’ll always know which plugins are installed and why.
- Delete themes you aren’t using. When TimThumb was wreaking havoc last year, WordPress users scrambled to upgrade the script that came installed with many popular themes. If you were one of those users, you probably breathed a sigh of relief after updating your theme. But did you know that your site may be vulnerable to the TimThumb hack even if you’ve upgraded the script on your active theme? How can that be? Take a close look at installed themes that aren’t active. You’ll find those themes listed under Appearance -> Themes. If any of those themes uses the old TimThumb script, your website is still at risk. Remember, TimThumb isn’t part of WordPress. The script comes bundled with themes that use the script to resize images. If you’re one of those theme-junkies who tries out every new theme that comes along, you may have scores of inactive themes in your /wp-content/themes/ folder. And some of those themes may also include a vulnerable copy of TimThumb. As long as the vulnerable script is stored in a publicly accessible directory, your site can (and probably will) be hacked. The safest course of action is to remove those unused themes. Over the past few months, I’ve noticed this is particularly a problem with DreamHost. When you use the DreamHost control panel to auto-install WordPress, they generously install dozens (maybe hundreds) of themes. If you’re on DreamHost, you need to delete all of those unused themes.
- Speed up your site. A faster site makes for happier visitors and better search engine rankings. The easiest way to speed up your WordPress site is to install a caching plugin like W3 Total Cache. Combined with a service like CloudFlare, you can see some significant performance improvements. As a bonus, CloudFlare will enhance your site security and decrease spam. As a rule, you should never pass up an opportunity to keep those no-good dirty spammers at bay.
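
For the "Delete themes you aren’t using" step, here is an added example (not part of the original post): a Python script that inventories copies of TimThumb under /wp-content/themes/ and lists the ones in inactive themes first. The function name, the way active theme folders are passed in, and the assumption that a TimThumb copy declares its version with a `define('VERSION', ...)` line are this example's own.

```python
import os
import re
import sys

# Assumption: a TimThumb copy declares its version as define('VERSION', '...').
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]""")
MARKER_RE = re.compile(r"timthumb", re.IGNORECASE)


def find_timthumb(themes_dir, active=()):
    """Return one record per PHP file under themes_dir that looks like TimThumb."""
    active = set(active)
    hits = []
    for root, _dirs, files in os.walk(themes_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(65536)  # the version line sits near the top
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            version = VERSION_RE.search(head)
            # Match by file name, or by content for renamed copies (thumb.php).
            # Requiring the VERSION line skips files that merely link to the script.
            if not (MARKER_RE.search(name) or (version and MARKER_RE.search(head))):
                continue
            rel = os.path.relpath(path, themes_dir)
            theme = rel.split(os.sep)[0]
            hits.append({
                "theme": theme,
                "path": rel,
                "version": version.group(1) if version else "unknown",
                "active": theme in active,
            })
    # Inactive themes first: those are the copies the article says get forgotten.
    return sorted(hits, key=lambda h: (h["active"], h["path"]))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: find_timthumb.py /path/to/wp-content/themes [active-theme ...]")
    for hit in find_timthumb(sys.argv[1], sys.argv[2:]):
        state = "active" if hit["active"] else "INACTIVE"
        print(f'{state:8} {hit["theme"]:24} {hit["path"]} (version {hit["version"]})')
```

Pass the folder name of your active theme (and its parent, if it is a child theme) after the themes path; every theme reported as INACTIVE is a candidate for deletion.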