4 WordPress Maintenance Tasks You Should Have Performed Regularly

Article originally from https://www.a2hosting.com

Running a website is, in many ways, much like running a business. Behind every successful site you visit, there’s a lot of work that goes on in the background to keep things running smoothly. Without that regular maintenance, your website might not be able to achieve its full potential.

The good news is that WordPress makes your life easier when it comes to website maintenance. Using plugins, for example, can help you automate or simplify many important tasks, such as creating backups, checking for broken links, and more.

In this article, we’re going to talk about why website maintenance is so necessary. Then we’ll introduce you to four tasks you should carry out regularly, in order to keep everything running in top shape. Let’s pop your site’s hood open!

Why WordPress Website Maintenance Is Important

Sometimes, you’ll find that your website isn’t working at full capacity. You can think about your site as a computer – if you set up too many unnecessary programs and fill it with junk, it won’t work as smoothly as it did out of the box. To avoid this eventuality, you’ll need to carry out routine maintenance on your website to keep it running well. This will benefit both you and your visitors.

WordPress maintenance isn’t just about smooth performance either – it also improves security and user experience. Certain maintenance tasks will enable you to protect your site from attacks, while others make it more friendly to your audience. Either way, it’s important to maintain your site and ensure that it’s living up to its full potential.

How to Monitor Your Website’s Loading Times

We’re going to be talking about the importance of performance and loading times throughout this article, since a lot of WordPress maintenance tasks are designed to keep your site running quickly. However, before we do that, let’s touch on how you can measure your site’s performance to find out if it needs improvement.

Knowing this metric is important, because if your website takes over two seconds to load, your bounce rate will often increase. With that in mind, you should monitor your loading times periodically using a service such as Pingdom Tools. All you have to do is enter the URL of the page you want to test, select a test server, and click on Start Test:

The Pingdom Tools homepage.

You’ll see a results page shortly. If you’re below the two-second mark, you’re within the ‘good enough’ range. However, we’re not big fans of good enough, and there’s a lot you can do to make your site perform even better.

4 WordPress Maintenance Tasks You Should Perform Regularly

There are plenty of things you can do to improve your website’s performance, security, and user experience. However, these four general maintenance tasks are the most critical, if you want to keep your site free from clutter and in top shape.

1. Back Up Your Website

The UpdraftPlus plugin.

Backups are snapshots of your website at a specific moment in time, and they enable you to revert your site to a previous state if anything goes wrong. Creating regular backups is the most critical thing you can do to secure your site. They can help you fix bugs, solve security issues, reverse data losses, and much more.

Most people know they should back up their data, of course, but it can be easy to put off doing so. That’s where plugins such as UpdraftPlus come in handy. On top of providing you with multiple options for storing your backups, it also enables you to schedule them so they happen automatically.

A while back, we wrote a guide on how to use UpdraftPlus, and we recommend checking it out. If this tool isn’t to your liking, however, there are plenty of alternatives you can try. Regardless of which plugin you use, you should aim to create weekly backups at the very least.

2. Delete Your Discarded Post Drafts and Trashed Articles

All the information on your WordPress website goes into your database. This means that every post, page, comment, link, and so on that you add will contribute to bloating your database over time. The more cluttered your database is, the longer it will take to find the information you (or your users) actually want. For this reason, you should clean out unnecessary data as often as possible.

WordPress likes to keep discarded post drafts and trashed articles around for 30 days by default. However, it’s better to take out the trash more often than that, which means permanently deleting the content you won’t need anymore.

To do this, go to the Posts page in your dashboard, and select the Trash tab. Inside, you can check all the pieces you want to get rid of:

Deleting the posts in your trash.

Then select Delete Permanently, and click on Apply. Emptying your trash can make a real difference to performance, and it helps keep your website clutter-free.

3. Update and Clear Out Your Plugins and Themes

One of the best things about using WordPress is the sheer number of fantastic plugins and themes you get access to. However, some sites contain dozens of plugins and themes, many of which aren’t actually used or are outdated.

You should always make sure your plugins and themes are updated. Old versions of plugins often cease to work or cause problems, so you want to avoid using them. If you have plugins and themes that you no longer need, on the other hand, you should remove them altogether.

You can manage both of these tasks from the Plugins and Appearance > Themes tabs respectively. Inside, you’ll find notifications when one of your plugins or themes has an update available:

A theme with an update available.

Likewise, you can select the plugins and themes you don’t use and delete them. This will also help you avoid unnecessary security risks.

4. Check Your Posts and Pages for Broken Links

The Broken Link Checker plugin.

Finally, some of the external links you’ve added to your content may stop working over time. The website a link points to might have gone offline, changed address, or simply deleted that particular page.

Broken URLs can confuse your users, since they lead nowhere. What’s more, they can even negatively affect your search rankings. However, finding broken links manually within even the smallest of websites can be a pain. Therefore, you’ll want to use a plugin such as WP Broken Link Status Checker to speed up the process.

Once the plugin is running, it will notify you when it finds broken links (either via the dashboard or email). You can then remove or replace them with new links right away.

Conclusion

Keeping a website running smoothly isn’t as complicated as you might think. You can automate most maintenance tasks using plugins, and the rest can be carried out in a few minutes. If you take time to regularly clean out the pipes, so to speak, your website should always run at top performance.

When it comes to keeping your WordPress site in top shape, here are the four maintenance tasks you’ll want to perform regularly:

  1. Back up your website.
  2. Delete your discarded drafts and trashed articles.
  3. Update your plugins and themes, and delete the ones you’re not using.
  4. Check your posts and pages for broken links.

Do you have any questions about how to keep your WordPress website running smoothly? Let’s talk about them in the comments section below!

How the Wordfence Scanner Protects Your Site

This entry was posted in Wordfence, WordPress Security on May 21, 2018 by Dan Moen

When we think about Wordfence and how it improves your WordPress security posture, there are two core features we tend to focus on: the firewall, and the security scanner. As the first layer of defense, the Wordfence firewall gets the most attention because it blocks hackers from gaining access. But the scanner plays an equally important role, alerting you to a myriad of security findings that help you keep your site secure and respond quickly if you get hacked.

In today’s post we’re doing a deep dive on the Wordfence security scan. We walk you through everything it does and explain why each step is important.

Our malware scanner is the best in the industry

The Wordfence security scan performs a variety of functions, but perhaps the most important is malware detection. Wordfence scan checks your site to ensure you have not been infected with malware.

As the leader in WordPress security, we see more WordPress malware than anyone else. We see tens of millions of attacks every day, giving us unrivaled access to the latest threat information. We also clean hundreds of hacked websites every month, giving us visibility into the latest malware variants and exploits.

Our team has a workflow where we collect malware samples in a repository for analysis. Then we test to see if our malware scanner already detects the variant. If it does then we move on. If not, then we create a new malware signature to detect the new malware variant. We run the signature through quality assurance to make sure it does not detect things it should not (known as ‘false positives’). Once the malware signature passes QA, we release it to our Premium customers immediately and then 30 days later our free customers receive the signature. That way we constantly release detection capability for new WordPress threats to our customers.

Unlike many companies in our space, our analysts and developers are completely focused on WordPress. We don’t have to divide our time securing desktop systems, mobile devices or network hardware. Ensuring that publishers can securely run their websites using WordPress is all we do.

Our scanner runs on your server, giving it access to your website’s source code. Malware detection rates for remote scanners are significantly worse than server based scans like ours. Remote scanners cannot access site source code. Ours does scan source code – and many malware variants hide in site source code.

Our scanner was built from the ground up to protect WordPress. Our depth of knowledge, coupled with our singular focus on WordPress has allowed us to produce the best WordPress malware scanning capability in the industry.

Checking for suspect files and changes makes it hard for attackers to hide their malware

In addition to looking for known malware, the Wordfence scanner compares your site’s files against the official WordPress.org repository. Any files that have been changed or appear to be out of place are reported to you. This additional step makes it very difficult for attackers to avoid detection.

We even give you the ability to revert changed files to the pristine version that is in the official WordPress repository when you detect a change.
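The comparison described above, as an added example that is not Wordfence's own code: files are hashed and checked against a path-to-MD5 manifest, the shape in which WordPress.org publishes core checksums. The manifest, file names and contents here are constructed inline so the example runs offline, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def compare_to_manifest(root, manifest, release_only_dirs=("wp-admin", "wp-includes")):
    """Compare files under root against a {relative_path: md5} manifest.

    Returns (modified, missing, unexpected) as sorted lists of relative paths.
    Unexpected files are only reported inside release_only_dirs, because the
    site root and wp-content legitimately hold site-specific files.
    """
    modified, missing, unexpected = [], [], []
    for rel, expected in manifest.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of(path) != expected.lower():
            modified.append(rel)
    for top in release_only_dirs:
        for dirpath, _dirs, names in os.walk(os.path.join(root, top)):
            for name in names:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                if rel not in manifest:
                    unexpected.append(rel)
    return sorted(modified), sorted(missing), sorted(unexpected)

def write_file(root, rel, data, mode="wb"):
    """Create (or append to) a file given its slash-separated relative path."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(data)

def demo_integrity_scan():
    """Build a constructed site and manifest, alter the site, then scan it."""
    pristine = {  # constructed stand-ins for release files
        "index.php": b"<?php // constructed front controller\n",
        "wp-includes/version.php": b"<?php $wp_version = 'constructed';\n",
        "wp-admin/admin.php": b"<?php // constructed admin bootstrap\n",
    }
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in pristine.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in pristine.items():
            write_file(root, rel, data)
        # Site-specific file outside the release-only directories: not reported.
        write_file(root, "wp-config.php", b"<?php // constructed site config\n")
        # Changes of the kind a scan should surface: an edited core file,
        # a deleted core file, and a stray file placed beside core code.
        write_file(root, "wp-includes/version.php", b"// appended later\n", mode="ab")
        os.remove(os.path.join(root, "wp-admin", "admin.php"))
        write_file(root, "wp-includes/class-cache-helper.php", b"<?php // not in release\n")
        return compare_to_manifest(root, manifest)

if __name__ == "__main__":
    for label, paths in zip(("modified", "missing", "unexpected"), demo_integrity_scan()):
        print(f"{label}: {paths}")
```

Modified and missing files can be restored from the pristine release; an unexpected file inside a release-only directory has no pristine version and needs manual review.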

Malware scanning so good, we added it to the firewall

In fall of 2016 we added a break-through feature, integrating our malware scanning capabilities into the Wordfence firewall. As traffic passes through the firewall and before it hits your website it is inspected using our malware scanner, blocking any requests that include malicious code.

This was a leap forward in detection capability. Many competitor products don’t have a firewall at all. And many don’t have a malware scanner. We provide both and instead of just a rule based firewall that blocks exploits, we actually detect and block malware payloads too with the scanning capability we integrated in 2016.

The safety of your content matters

Linking to spammy or malicious content can adversely impact your search engine rankings and reputation. For many sites, search traffic is a critical part of their marketing strategy.

It is difficult to stay on top of the quality of your outbound links for several reasons. First, the content on pages you link to can change over time, so even if the content was fine when you published the link, it can end up hurting you down the road.

Second, most active sites have more than one contributor, making it very difficult to stay on top of changes. And even if you have your posts and pages under control, malicious and spammy links can creep in via comments.

Wordfence helps you weed out links that harm your reputation by scanning your pages, posts and comments for malicious content and known malicious URLs. We alert you in the scan results to these problems in a timely manner. That gives you the ability to go in and remove the links to malicious sites before Google notices them and penalizes your search rankings.

Blacklist checks

Domain and IP blacklists are a powerful tool used by search engines, email providers and many others to keep their users safe. As a website owner, landing on a blacklist can have a lasting impact on your site traffic, SEO rankings and email delivery. And there are a lot of ways to land on a blacklist, even if your site hasn’t been hacked.

If your site is running on shared hosting with a shared IP address, for example, your site can be blacklisted based on your neighbor’s behavior.

Wordfence Premium helps you protect your site’s reputation, alerting you quickly should your domain or IP be blacklisted. By reacting quickly you can minimize any adverse impact. The fix may be as simple as moving your site to another IP address or fixing content on your site that Google thinks is malicious.

Fixing the issue quickly is key because this will avoid your site visitors seeing a browser warning and will avoid search engine penalties. Wordfence provides early detection which leads to early fixes.

Sensitive File Checks

It’s much easier than you think to accidentally leave sensitive files lying around on your server. It only takes one misplaced configuration or backup file with the wrong permissions to arm an attacker with the information they need to compromise your site. Last year on this blog we reported that 12.8% of sites scanned had at least one sensitive file visible to anyone on the internet.

Running regular Wordfence scans protects you from this risk by alerting you quickly to any issues, locking down or removing sensitive files before they fall into the wrong hands.
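One way a site owner could audit their own web root for the kind of stray configuration and backup files described above, as an added example that is not Wordfence's code. The name patterns, function names and sample tree are assumptions constructed for illustration, not Wordfence's detection list.

```python
import os
import re
import stat
import tempfile

# Assumed name patterns for files that should not sit in a web root. The list
# is illustrative only; it is not Wordfence's detection list. First match wins.
SENSITIVE_PATTERNS = [
    ("config copy", re.compile(r"\.?wp-config\.(?!php$).+", re.I)),
    ("database dump", re.compile(r".+\.sql(\.(gz|zip|bz2))?", re.I)),
    ("source backup", re.compile(r".+\.php(~|\.(bak|old|orig|save|swp))", re.I)),
    ("log file", re.compile(r"debug\.log|error_log", re.I)),
]

def classify(name):
    """Return the reason a file name looks sensitive, or None if it does not."""
    for label, pattern in SENSITIVE_PATTERNS:
        if pattern.fullmatch(name):
            return label
    return None

def find_sensitive_files(docroot):
    """Return sorted (relative_path, reason, world_readable) tuples."""
    findings = []
    for dirpath, _dirs, names in os.walk(docroot):
        for name in names:
            reason = classify(name)
            if reason is None:
                continue
            path = os.path.join(dirpath, name)
            # lstat: report on the entry itself, do not follow symlinks
            world_readable = bool(os.lstat(path).st_mode & stat.S_IROTH)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            findings.append((rel, reason, world_readable))
    return sorted(findings)

def demo_sensitive_scan():
    """Scan a constructed web root holding both normal and stray files."""
    files = {  # relative path -> permission bits (all constructed)
        "wp-config.php": 0o640,             # live config: expected, not flagged
        "wp-config-sample.php": 0o644,      # ships with WordPress: not flagged
        "wp-config.php.bak": 0o644,         # copy a server would typically not run as PHP
        "backup/site-2018.sql.gz": 0o644,   # database dump left in the web root
        "wp-content/debug.log": 0o600,      # flagged, but not world-readable
        "wp-content/themes/x/functions.php~": 0o644,  # editor backup of source
    }
    with tempfile.TemporaryDirectory() as docroot:
        for rel, mode in files.items():
            path = os.path.join(docroot, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return find_sensitive_files(docroot)

if __name__ == "__main__":
    for rel, reason, world_readable in demo_sensitive_scan():
        flag = "world-readable" if world_readable else "restricted"
        print(f"{rel}: {reason} ({flag})")
```

Each finding should be moved out of the web root or deleted; tightening permissions alone does not help if the web server account can still read and serve the file.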

Removed and Abandoned Plugins

Last summer (2017) we added an important feature that alerts you when plugins have either been abandoned or removed from the WordPress.org plugin directory.

We define an abandoned plugin as one that hasn’t been updated in over two years. While it is possible that the plugin author is still engaged at that point and available to react to any security issues that arise, it’s not likely the case. We generally recommend that site owners replace or remove abandoned plugins if possible.

The WordPress.org team removes plugins for a variety of reasons. Unfortunately when they do so they rarely disclose why, and in many cases it is due to a security issue that hasn’t been addressed. If you’re unable to determine why a plugin was removed or you’ve confirmed that it was removed for security reasons you should remove it from your site. In cases where it was removed for non-security reasons, it may be okay to continue to run the plugin, but finding a well-maintained replacement is likely a better bet.

We tell you about weak passwords

The security of your website is only as strong as its weakest link. Every time you grant a user access to your site, especially administrators, you are relying on them to keep your site safe. Unfortunately not everyone uses strong passwords, putting your website at risk. Wordfence scan checks if any of your users are using very common passwords and performs an extended check on admin level accounts.

We let you know about core, plugin or theme vulnerabilities

A couple of years ago we published research showing that plugin vulnerabilities were the most common way attackers compromise WordPress websites. The third and fourth most common reasons were core and theme vulnerabilities. It goes without saying that staying on top of vulnerabilities in WordPress core, plugins and themes is critical.

Every time the Wordfence scanner runs it checks to see if you are running software with known security vulnerabilities. It also warns you about any other updates that are needed, just in case the author quietly slipped in a security fix, which happens more often than it should.

We keep making it better and faster

Our development team is always working on ways to make the scanner perform better. Over the last couple of years we delivered a number of innovative updates that improved performance and speed significantly. In Fall of 2016 we released a new version of the scanner that performed up to 18x faster than the previous version. In Summer of 2017 we introduced lightweight scanning and optimized scan timing across VPS instances. In a subsequent release that same summer we introduced short-circuit scan signatures, improving performance by up to 6x.

It’s even better with Premium

The malware scanner relies on threat intelligence developed by our awesome team of security analysts in the form of malware signatures. Premium customers receive updates in real-time as they are developed (free sites receive updates 30 days later). Detecting the latest malware lets you react quickly to a compromised website. In addition, Wordfence Premium delivers real-time updates to firewall rules and enables the real-time IP blacklist.

Conclusion

The Wordfence scanner is a critical component in a layered security strategy. Wordfence scan alerts you quickly to malware, blacklist issues, security vulnerabilities, important updates and other security issues. To take detection to the next level you can upgrade to Wordfence Premium and receive malware signature updates in real-time.

As always we welcome your feedback in the comments below and we’ll be around to reply.

Why it matters what PHP version you are using.

Recently in a Facebook group someone posted this image, asking for clarification:

image of text describing how old php 5.2 is, and why a WordPress user should ask their host to update.
This is what’s wrong with web hosting in 2016.

I thought I’d use that as a jumping-off point to talk about “bargain” hosting. This user is on a large (Super-Bowl-ad-budget large) hosting company’s “shared” plan. The irony is that the user would have no way of knowing what version of PHP they are running, were it not for this gently-worded (ahem) encouragement from a plugin developer. This warning didn’t come from the host. It came from a 3rd party plugin developer.

Allow me to be a little more blunt.

But first, a related personal story: some time in 2015, after about 1,000 active users had installed my plugin, I had a user get in touch with me in the support forums saying that they were getting a strange “fatal error” upon activating Better Click To Tweet.

The short and non-technical explanation of the problem my user was having is that the version of PHP they had installed did not include support for a function my plugin needed to function correctly.

The even-shorter explanation: this user used the same large web host as the original picture-sharer above.

For some web hosts, service and security clearly fall outside the scope of expected customer experience.

Here’s the thing: 5.2 has not been officially supported by the PHP development community in YEARS. (since January 06, 2011—to be exact.)

What that means is that any vulnerability discovered in the code has not been patched, since 2011. So, if you are knowingly running version 5.2.x (solve for x) you are implicitly OK with not patching vulnerabilities.

Check out this page for officially supported versions (and note that 5.2 is too old to even make the graph).

literal bug on a computer screen with code.
Who is checking for bugs in your code?

You read that right. Half of a decade ago developers stopped supporting it, yet some hosts still have it installed on their servers.

If you take your website seriously, you should take your hosting seriously. That means a bare-naked minimum of PHP 5.5, at the time of this writing. Security support for it ends in July of 2016, so you’d be best to go ahead and consider the minimum 5.6.

Some hosts put the onus of updating PHP versions on you, the end user. I think that’s a root problem (pun intended, for my developer readers). Updating PHP versions is a developer task. Any hosting company that has a “one click install” of WordPress can’t expect those users to be comfortable enough to update the scripting language undergirding that one click.

Get in touch with your host. Ask them to update you to an actively supported version of PHP. It should also go without saying, before you update something like that, take a healthy backup of your site (including the database.)

If your host balks at that, it is time for a better host.

WordPress 4.1.2 Security Release

Posted April 21, 2015 by Gary Pendergast. Filed under Releases, Security.

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.

We also fixed three other security issues:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati, Allan Collins and Marc-Alexandre Montpas.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.1.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.

Thanks to everyone who contributed to 4.1.2: Allan Collins, Alex Concha, Andrew Nacin, Andrew Ozz, Ben Bidner, Boone Gorges, Dion Hulse, Dominik Schilling, Drew Jaynes, Gary Pendergast, Helen Hou-Sandí, John Blackbourn, and Mike Adams.

A number of plugins also released security fixes yesterday. Keep everything updated to stay secure. If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue. Thank you to all of the plugin authors who worked closely with our security team to ensure a coordinated response.

Already testing WordPress 4.2? The third release candidate is now available (zip) and it contains these fixes. For more on 4.2, see the RC 1 announcement post.