I see the back end of a lot of WordPress installations. It’s always with shock that I see the pending updates, and with a bit of concern that I hear their answer to the question, “Have you backed your site up lately?” I’ve come to the conclusion that a lot of people are using the self-hosted version of WordPress (WordPress.org) who don’t have a clue about some of the very basics when it comes to setting up and maintaining a WordPress.org installation. So here’s what I tell my friends who use WordPress, the first things I check and change on a client’s WordPress site. It’s kinda like the “WordPress.org for Dummies”—except, if you’re using WordPress, you’re not a dummy.
1. Never use the “admin” username.
If you hired a web designer who set up your WordPress install and gave you the login username “admin”, fire them at once. “Admin” is the default username and the one most commonly used in automated hack attempts.
If you installed WordPress and gave yourself the default username “admin”, immediately create a new user with a more unique username. Then delete the user “admin”, assigning all your posts to the new user you made.
Plugin Tip: Install Limit Login Attempts to increase your security.
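For those comfortable with a terminal, the same swap can be scripted. This is an added example, not part of the original post; it assumes WP-CLI is installed as `wp` and is run from the site's directory, and the function name `retire_admin` is made up for illustration.

```shell
# Added example: replace the default "admin" account using WP-CLI.
# Assumes WP-CLI is installed as `wp`; the function name is illustrative.

# retire_admin NEW_LOGIN NEW_EMAIL -> 0 when no user named "admin" remains
retire_admin() {
  local new_login="$1" new_email="$2" new_id
  case "$new_login" in
    admin|"") echo "pick a different, less guessable username" >&2; return 2 ;;
  esac
  # Nothing to do if the default account does not exist.
  wp user get admin --field=ID >/dev/null 2>&1 || return 0
  # Create the replacement administrator first, so the site is never left
  # without an admin account. --porcelain prints only the new user's ID.
  new_id=$(wp user create "$new_login" "$new_email" \
             --role=administrator --porcelain) || return 1
  # Delete "admin" and hand its posts to the new account instead of
  # deleting them along with the user.
  wp user delete admin --reassign="$new_id" --yes || return 1
  # Confirm the old account is really gone.
  ! wp user get admin --field=ID >/dev/null 2>&1
}
```

Set the new account's password afterwards through the login page's "Lost your password?" link rather than typing one on the command line.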
2. Your WordPress.org site does not automatically back itself up.
If your WordPress website is hacked or your host’s servers crash, you could lose all your posts and comments. WordPress.org installations do not automatically back themselves up. Your host may do a backup once a day or once a week, but you’ll want to check to be sure. And it’s still a good idea to make a backup on your own computer, external hard drive, or cloud server, rather than just relying on your host’s backups.
At the very least, choose Tools, Export, All Content once in a while so you have a copy of all your posts/comments on your computer. But that doesn’t back up the database (which stores all the information about how your site is configured) or the images you’ve uploaded to your site. For more detailed information, check out Amy Lynn Andrews’ post: How to Backup WordPress. But remember that no matter what automated backup solution you choose, no backup is as good as a manual one you’ve made and double-checked yourself.
Plugin Tip: BackWPup gives you lots of options to automatically back up your posts, database, files, or all three, hourly, daily, or weekly, and to email them to you or store them on your server or another one.
3. WordPress installation, theme, and plugin updates are crucial for security.
You know the little icon that looks like a recyclable logo, that shows up in your admin bar with a number by it? That means it’s time to do an upgrade—and the number indicates how many items are ready to be upgraded. But the update icon should really be a bright red security alert, because having an out-of-date WordPress installation is like hanging out a welcome sign for hackers, advertising that you have all the latest security vulnerabilities. And good plugin authors are always updating their plugins to fix bugs and keep them working with the constantly changing world wide web, not to mention making the plugins more secure, as well. So when your WordPress dashboard tells you that updates are available, make that your first blogging priority of the day.
Do a backup, then upgrade everything that needs upgrading. But be careful doing theme updates—if your theme wasn’t customized correctly (with a child theme or custom CSS file), you could lose your theme customizations.
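The manual, double-checked backup from point 2 and the "back up, then upgrade" rule above fit in one script. This is an added example, not from the original post; it assumes WP-CLI is installed as `wp`, and the function names and the `db-backup.sql` file name are made up for illustration.

```shell
# Added example: back up, double-check the backup, then update.
# Assumes WP-CLI is installed as `wp`; function names and paths are illustrative.
# BACKUP_DIR must live outside SITE_DIR (ideally on another disk or machine).

# backup_site SITE_DIR BACKUP_DIR -> prints the path of the archive it wrote
backup_site() {
  local site="$1" dest="$2" archive rc
  archive="$dest/wp-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
  mkdir -p "$dest" || return 1
  # Dump the database (posts, comments, settings) next to the site files.
  wp --path="$site" db export "$site/db-backup.sql" >/dev/null || return 1
  # Archive the whole install: core, themes, plugins, uploads and the dump.
  tar -czf "$archive" -C "$site" .; rc=$?
  rm -f "$site/db-backup.sql"   # never leave a database dump in the web root
  [ "$rc" -eq 0 ] || return 1
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 only if the archive is readable and complete
verify_backup() {
  local archive="$1" listing
  gzip -t "$archive" 2>/dev/null || return 1       # not truncated or corrupt
  listing=$(tar -tzf "$archive") || return 1
  printf '%s\n' "$listing" | grep -qx './wp-config.php' || return 1
  printf '%s\n' "$listing" | grep -q '^\./wp-content/' || return 1
  # The dump must hold real table definitions, not an empty file.
  tar -xzOf "$archive" ./db-backup.sql 2>/dev/null | grep -q 'CREATE TABLE'
}

# safe_update SITE_DIR BACKUP_DIR -> updates only after a verified backup
safe_update() {
  local site="$1" dest="$2" archive
  archive=$(backup_site "$site" "$dest") || return 1
  verify_backup "$archive" || { echo "backup failed verification" >&2; return 1; }
  wp --path="$site" core update &&
    wp --path="$site" plugin update --all &&
    wp --path="$site" theme update --all
}
```

If your theme was edited directly rather than through a child theme, drop the last `theme update` line until those customizations are moved somewhere an update will not overwrite.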
4. When it comes to plugins, less is more.
Each plugin you install can actually slow down your site if it is poorly coded. It’s easy to go crazy installing cool plugins, but less is really more. Don’t install a plugin if you don’t really need it. Choose a plugin that does three things at once (like giving you Facebook, Pinterest, and Twitter share buttons) rather than installing three separate plugins. Regularly check your installed plugins for those you really don’t need or use any more: deactivate them, and if you don’t miss them, delete them! (Click here for the list of plugins I always install.)
Plugin Tip: P3 (Plugin Performance Profiler) analyzes your WordPress install and lets you know which plugins are slowing down your site’s performance.
5. Use only popular, recently-updated plugins and themes.
There’s nothing worse than finding a cute theme only to realize that its author never updates it when WordPress changes. WordPress plugins can also contain security holes, so don’t install a WordPress plugin unless it has high ratings and has been updated not only recently, but frequently (take a peek at the changelog and stats for these details). You want to know that the author will actively work on improving and updating their plugin or theme to keep up with the latest WordPress features, not to mention keep it secure from hackers!
6. WordPress.org is for techies or for those who can hire techies.
WordPress.org is for novices who are willing to spend hours perusing the likes of wpbeginner.com and bloggingwithamy.com. Or for people who can afford to pay those who already know the necessary facts and codes. And don’t assume that you can just hire a designer for a one-time setup and design fee—you’ll most likely want to have someone on a retainer fee for future updates, upgrades, and changes if you don’t know your way around HTML and CSS or if things like plugin updates and database backups scare you.
Want the features of WordPress without the technical headache? Check out wordpress.com.