Ben guides us through a checklist he uses on our client sites to make sure they are fast, secure and ready for action.
Notes
A checklist to make sure your WordPress site is fast, secure and ready for action
1. Site has an active backup setup
- Weekly at least. Daily recommended
- Easy to install plugins
- External services
The Benefits of keeping your site healthy
- Takes time to rebuild site from a hack
- Reputation damage
- Data loss and privacy issues
Updraft
- Manual backup
- Paid version ( 33/yr) has scheduling
- Save to Dropbox, Google Drive or FTP
- https://wordpress.org/plugins/updraftplus/
CodeGuard
- Automated remote backup
- Set and forget
- 48/yr for 5GB
- https://www.codeguard.com
CPanel
- Comes with hosting
- Runs on the server
- Automated, little configuration
- https://docs.cpanel.net/cpanel/files/backup-forcpanel/
SiteSucker
- Not a real backup
- HTML snapshot of your site
- Handy reference
- https://ricks-apps.com/osx/sitesucker/index.html
3-2-1 Backup Strategy
- Three copies of your data
- One original. Two on other storage types
- Hosting – Rsync local – Encrypted remote backup
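A script that implements the 3-2-1 strategy just described, added here as an example; it is not code from the talk or from any of the backup products above. Copy 1 is the live document root, copy 2 is an rsync mirror on local storage, copy 3 is an encrypted archive staged for off-site storage, encrypted with openssl using a passphrase read from the BACKUP_KEY environment variable. The paths, the variable name, the openssl-instead-of-gpg choice and the mysqldump step (left as a comment because it needs database credentials) are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk or any listed product): 3-2-1 backup of a
# WordPress document root. Copy 1 = live site, copy 2 = rsync mirror on local
# disk, copy 3 = encrypted archive for off-site storage. Paths and the
# BACKUP_KEY variable are assumptions.
set -eu

# mirror_site SRC DST: keep DST an exact local copy of SRC (copy 2).
# rsync is the usual tool; falls back to cp when rsync is not installed.
mirror_site() {
  src=$1; dst=$2
  if command -v rsync >/dev/null 2>&1; then
    mkdir -p "$dst"
    rsync -a --delete "$src"/ "$dst"/
  else
    rm -rf "$dst"; mkdir -p "$dst"; cp -R "$src"/. "$dst"/
  fi
}

# encrypt_archive SRC STAGE: tar+gzip SRC and encrypt it with the passphrase
# in $BACKUP_KEY (read from the environment, never from the command line,
# which would show it in the process list). Prints the encrypted file path.
encrypt_archive() {
  src=$1; stage=$2
  mkdir -p "$stage"
  out="$stage/site-$(date +%Y%m%d-%H%M%S).tar.gz.enc"
  tar -C "$src" -czf - . |
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:BACKUP_KEY -out "$out"
  printf '%s\n' "$out"
}

# verify_archive FILE: a backup that has never been restored is not a backup.
# Decrypts and lists the archive; fails if the key or the data is wrong.
verify_archive() {
  openssl enc -d -aes-256-cbc -pbkdf2 -pass env:BACKUP_KEY -in "$1" 2>/dev/null |
    tar -tzf - >/dev/null 2>&1
}

# backup_site SITE MIRROR STAGE: run the whole job and print the archive path.
backup_site() {
  site=$1; mirror=$2; stage=$3
  # Dump the database into the site tree first so it travels with the files:
  #   mysqldump --single-transaction "$DB_NAME" > "$site/db-backup.sql"
  mirror_site "$site" "$mirror"
  enc=$(encrypt_archive "$site" "$stage")
  verify_archive "$enc"
  printf '%s\n' "$enc"
}
```

The verify step is the part most backup setups skip: it proves the archive decrypts with the key you will have on the day you need it. Copying the `.enc` file to the remote service (Dropbox, Google Drive, FTP or similar) is the one step left to the transport of your choice.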
2. Core, theme and plugins updated
- WordPress updates
- Site Health
Site Health is good
- Tools > Site Health
- Highlights any potential issues
- Running PHP version 7.4 and above
Update WordPress Plugins & themes
- Best protection against hacks
- Manage updates (Dashboard > Updates)
- Enable auto-updates for plugins (Plugins)
- https://wordpress.org/support/article/configuringautomatic-background-updates/
3. Site runs on HTTPS
- Protects data sent and received from the server
- Stops fake sites pretending to be a trusted brand
- Many browsers show non-HTTPS sites as ‘Not secure’
- Many hosts offer free SSL certificates with auto install
4. No unnecessary plugins
- Deactivate and delete unnecessary plugins
- Remove vulnerabilities
- Can speed up the site
5. No unnecessary users
- Users > Administrator tab
- Remove users who no longer need access
- Set role to none if not sure
- Delete admin user ID 1
Use strong passwords
- Use a passphrase. Four random words
- More secure than random password
- Easier to remember
- https://www.correcthorsebatterystaple.net/
- Store passwords securely https://www.lastpass.com
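A generator for the four-random-words passphrase recommended above, added as an example; it is not code from the talk or from the correcthorsebatterystaple site. It draws words from a local wordlist using /dev/urandom and also computes the bits of guessing resistance for a scheme, so the claim that a passphrase beats a random password can be checked for a given list size: four words from a 7776-word diceware list give about 51.7 bits, eight random letters and digits about 47.6. The wordlist path and word separator are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk or the site it links): generate a
# four-random-word passphrase from a wordlist using /dev/urandom, and compute
# how many bits of guessing resistance a scheme gives. The wordlist path is
# an assumption; passphrase_bits is the standard log2(choices^length) value.
set -eu

# random_index COUNT: unbiased integer in [0, COUNT) from /dev/urandom.
# Rejection sampling removes the bias a plain "% COUNT" would introduce.
random_index() {
  count=$1
  limit=$(( 4294967296 - 4294967296 % count ))
  while :; do
    r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    if [ "$r" -lt "$limit" ]; then
      echo $(( r % count ))
      return 0
    fi
  done
}

# gen_passphrase WORDLIST N: print N words chosen from WORDLIST (one word
# per line), separated by single spaces.
gen_passphrase() {
  list=$1; n=$2
  count=$(wc -l < "$list" | tr -d ' ')
  out=""
  i=0
  while [ "$i" -lt "$n" ]; do
    idx=$(random_index "$count")
    word=$(sed -n "$((idx + 1))p" "$list")
    out="$out${out:+ }$word"
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# passphrase_bits CHOICES LENGTH: entropy in bits = LENGTH * log2(CHOICES).
# Compare passphrase_bits 7776 4 (four diceware words) with
# passphrase_bits 62 8 (eight characters from letters and digits).
passphrase_bits() {
  awk -v c="$1" -v n="$2" 'BEGIN { printf "%.1f\n", n * log(c) / log(2) }'
}
```

The comparison only holds when the words really are chosen at random from a large list; four words picked by hand, or from a list of a few hundred words, give far fewer bits than the calculation suggests.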
6. No malware or hacks present
- Site check with Sucuri
Passes Sucuri SiteCheck
- External security test
- WordPress plugin. Site hardening guidance
- https://sitecheck.sucuri.net
- https://transparencyreport.google.com/safebrowsing/search
Hack Prevention
- Install a firewall to limit the attack surface
- Limit login attempts. Prevent brute force
- Random database Username / Password
- Disable Directory Indexing and Browsing
- Change WordPress Database Prefix
- Update the WordPress security keys and salts (the hash values in wp-config.php)
- Remove version number
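A read-only audit of a WordPress document root against several of the hack-prevention items above (default database prefix, placeholder security keys and salts, a short database password, the dashboard file editor, directory listing), added as an example; it is not code from the talk or from any plugin listed below. It inspects only wp-config.php and .htaccess and returns the number of failed checks. The standard file layout, the 16-character password threshold, the DISALLOW_FILE_EDIT check and the Apache-style .htaccess are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk or any listed plugin): a read-only audit
# of a WordPress document root for several hardening items. Reads only
# wp-config.php and .htaccess; layout, thresholds and the Apache .htaccess
# directive are assumptions.
set -eu

# config_value FILE NAME: print the string value of define('NAME', '...').
config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# audit_wp_hardening DOCROOT: print PASS/FAIL per check; return the number
# of failures (0 means every check passed).
audit_wp_hardening() {
  docroot=$1; cfg="$docroot/wp-config.php"; ht="$docroot/.htaccess"; fails=0
  [ -f "$cfg" ] || { echo "FAIL wp-config.php not found"; return 1; }

  # Database prefix: the default wp_ makes every table name predictable.
  if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
    echo "FAIL table prefix is the default wp_"; fails=$((fails + 1))
  else
    echo "PASS table prefix changed"
  fi

  # Security keys and salts: wp-config-sample.php ships placeholder text.
  if grep -q 'put your unique phrase here' "$cfg"; then
    echo "FAIL security keys/salts still use the placeholder text"; fails=$((fails + 1))
  else
    echo "PASS security keys/salts set"
  fi

  # Database password: a short one is not the random value the checklist asks for.
  pw=$(config_value "$cfg" DB_PASSWORD)
  if [ "${#pw}" -lt 16 ]; then
    echo "FAIL database password shorter than 16 characters"; fails=$((fails + 1))
  else
    echo "PASS database password length"
  fi

  # Dashboard file editor: lets any compromised admin account write PHP.
  if grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
    echo "PASS dashboard file editor disabled"
  else
    echo "FAIL DISALLOW_FILE_EDIT not set to true"; fails=$((fails + 1))
  fi

  # Directory listing (Apache): needs Options -Indexes in .htaccess.
  if [ -f "$ht" ] && grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht"; then
    echo "PASS directory listing disabled"
  else
    echo "FAIL directory listing not disabled in .htaccess"; fails=$((fails + 1))
  fi

  return "$fails"
}
```

Run it as `audit_wp_hardening /var/www/example` after each change to the hardening settings; a non-zero exit code means at least one item on the list is still open. On nginx the last check does not apply, since directory listing is off unless `autoindex` is enabled explicitly.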
Wordfence
- Firewall
- Brute force protection – IP blocking
- Malware scanner
- Login security / Two-factor authentication
- https://wordpress.org/plugins/wordfence/
Sucuri
- Malware scanner
- Effective Security Hardening
- Security Notifications
- Firewall (Premium plan)
- https://wordpress.org/plugins/sucuri-scanner/
iThemes Security
- Brute force protection
- Login security / Two-factor authentication
- User banning
- Malware scanner
- Lots of security tweaks
- https://wordpress.org/plugins/better-wp-security/
7. Site loads in less than 2 seconds
- Pingdom speed test
- Compress images
- Page caching
- CDN – Cloudflare
Pingdom Speed Test
- Free site speed test
- Aim for 2 seconds or less
- File size, requests and response time
- https://tools.pingdom.com
Reduce image size
- No larger than twice the pixel size on screen
- Compress to remove meta data
- Saves on server space
- Quicker to upload images
- https://imageoptim.com/mac (Mac)
- https://tinyjpg.com (web)
Smush
- Compress uploaded images
- Lazy load images
- https://wordpress.org/plugins/wpsmushit/
Hummingbird
- Minify (compress) page content
- Enable server caching
- Combine files to reduce requests
- Can break your site if not careful
- https://wordpress.org/plugins/hummingbird-performance/
Cloudflare page caching
- Free plan works for most sites
- Massive speed improvements
- Improve uptime if your server goes down
- Cloudflare must host your DNS
- https://cloudflare.com