Essential WordPress Maintenance Tasks
Below we will outline what we believe to be the most important maintenance tasks for a WordPress website. We’ve been building, optimizing, and providing a top-rated WordPress maintenance services for over a decade now and bring that experience and knowledge to this article. By then end, we hope you will not only know the steps to accomplish most of these tasks, but also the reasoning behind them.
We are big advocates of understanding the WHY and not just the HOW.
Before you begin, you may want to learn more about the history of WordPress or what we think are the main reasons to use WordPress in the first place.
How WordPress Works
In very (very) basic terms, here is how WordPress works.
Your website is made up of two basic sections. These sections are run by different web technologies which, most of the time, are running side by side on the same server.
The first section is the files that exist on the server. These files are, for the most part, written in a language called PHP. The purpose of this language is to fetch data and build web pages so people can see your website. Again, this is very basic, and of course, PHP is one of the most in-depth and popular languages used on the web today, but for our purposes that is the most, you need to know. PHP files get loaded when a user visits your website, they tell your server exactly what to send back, and then they build out the page. Keep in mind this is the same for your “frontend” (homepage, about us, etc.) as your “backend” (admin dashboard).
The second important section of your website is your database. This is where your data is stored and fetched from. Imagine your database like a big spreadsheet with separate tabs/sheets for different types of data. Types of data can be anything from a user (name, email, password), to a blog post (URL, title, featured image and content), or even something like what plugins are installed and which are active or inactive. Once you set a plugin to inactive and click save something has to happen. Well, what happens is the PHP file that handles showing you the plugins page of your WordPress dashboard send the request to your database to set the plugin you selected to inactive. Your database then stores this selection and when your website is loaded WordPress checks to see which plugins should be active, and which inactive.
All of this happens in a split second of course.
- User to Website: “Hi Website I’d like to see the homepage”
- Website: “Sure, one moment please”
- Website to Database: “Hi Database, please fetch me the data for the homepage”
- Database: “Nice to hear from you Website, no problem, here you go!”
- Website: “Thanks” (adds data to webpage template)
- Website to User: “Here you go, here’s the homepage with the latest data from the database”
- User: “Thanks!”
More on the history of WordPress: https://possibleweb.com/wordpress-history/
More on why use WP in the first place: https://possibleweb.com/why-wordpress/
Now that you know the two important “technologies” that make up your website you will be able to more completely understand why we need to routinely perform the WordPress maintenance tasks listed below.
Here's the Plan: Key WordPress Maintenance Tasks
- Set up Backups
- Update WordPress Core
- Update Plugins
- Update PHP & Server Software
- Delete Spam Comments & Users
- Remove Database Cruft
- Delete unused images
Before WordPress Maintenance, WordPress Backup
This highly recommended step should be the very first thing you do. Having a reliable website backup system in place relieves stress. Set it up and know you can restore your website if something goes wrong.
While this alone is not “maintenance” and does nothing for your website, it is first on our list because it adds that layer of protection that in case you mess something up, install a plugin that doesn’t play nice with your theme, or some other major issue happens where your website is now looking funky, simply restore and you are good. Go one task at a time so you know which one to avoid after you restore it.
We use a backup system that intelligently knows which files have changed and which have stayed the same. Most WordPress installs are fairly big, with uploads folders where your images reside causing most of that. You don’t need to backup every image, every time. We recommend finding or creating a system like this that only backs up that files that have changed. Restoring a site is one click.
Now that your website is protected and back-up you can start tinkering with the steps below to keep your website up to date.
Should I use a WordPress Maintenance Mode plugin?
You probably have seen a ton of these while googling. If not, you most likely have seen some of the bigger sites only with their maintenance pages up. It looks nice and seems professional, but for the most part, it is overkill for your website.
Sure a maintenance mode plugin is easy enough to set up. But at the end of the day, most plugin updates take a matter of seconds and your website is just fine by the end.
If you have NOT updated your website in a long time and have 20+ plugins to update along with WordPress Core (keep reading for information on this) then perhaps putting your website into maintenance mode for an hour is a good idea.
- If you use Elementor you can create a Maintenance mode template to show and turn this on in the settings.
- If you use Cloudflare as a CDN you can turn Maintenance mode on from your dashboard and use the standard Cloudflare page.
At any rate, using a WP maintenance mode plugin is completely up to you. We rarely use them.
Check & Update WordPress Core
What is “WordPress Core” anyways. Good question. Remember that PHP language we discussed? Here’s where that starts to come into play. WordPress is, essentially, at its core (pun intended), a collection of PHP files.
There are dozens of files, each one handling a different responsibility, but the main thing to understand is every WordPress site has files and code that is the same. This could be the code that creates the Admin Dashboard where you log in or the page code that shows and manipulates the list of plugins. What about logging in? When you set up WordPress you instantly have a login and sign up page with working form.
Where does this come from? Well, it comes from the core files of WordPress.
Updates come along multiple times every month or so. Since WordPress is an open-source project, developers across the planet contribute monthly to bugs, issues, or creating new features. Key developers on the project decide what code gets into the updates.
When WordPress gets updates the version number changes. If it was a minor update (typically fixing bugs) the version number will change to the right of the decimal mark. So if the last version was 5.0, the new minor version maybe 5.1.
It’s not a significant enough update to warrant changing the version number to the left of the decimal, a few bugs won’t justify making this version 6.0 - but there may be a lot of important fixes in the update, for example, security patches. (I'm not trying to knock those decimal point updates)
Larger, more significant updates that generally involve a long list of fixes plus a few new features are recognized by the version number changing to the left of the decimal. This happens once a month or so. Some years have more updates than others. 2019 was a big year as both PHP 7 was largely adopted, and WordPress version 5 came out which introduced one of the largest updates in the last few years including the "Gutenberg" block editor.
Check & Update WordPress Plugins
One of the great things about WordPress is the plugins.
What is a plugin?
A plugin is essentially a .zip file or folder full of code. Some of this code is "boilerplate" and required by WordPress in order for the plugin to be recognized and "turned on". The rest of the code is custom written by the developer who created the plugin and dictates exactly the features or functionality that gets added to your website.
Examples of plugins include being able to quickly add an email signup form that connects to MailChimp or quickly adding an automated backup system that takes a backup of your website daily.
How to are plugins installed?
Plugins are installed directly from the WordPress dashboard by either browsing the library of plugins available for download on WordPress.org OR you may have purchased a premium plugin and have a .zip file. In this case, you will click "Upload Plugin" and directly add your .zip file on the resulting screen.
Behind the scenes, WordPress will "unpack" this .zip file and extract the folder to the "Plugins" folder (remember WordPress is essentially just a boilerplate system of folders and files - one of those preset folders is called Plugins and its where each folder for each plugin you install lives.)
Now that you know what plugins are and how they are installed, you can understand why you would need to update them.
It's been 1 month since you installed a great plugin. It's doing its job day in, day out.
What you don't know is in that past 30 days a bunch of malicious actors have been scouring the code of this plugin trying to find vulnerabilities. And they found one.
They found a way to inject your website with malware and they are now searching for websites that are using this plugin!
Never fear, the plugin creator is on top of it. She quickly patches the bad code and releases the newly updated version of the plugin files.
Here's where the update comes in. It is YOUR responsibility as the website owner to replace the old plugin files, with the newly secured version. Because WordPress is such a mature platform, the updating functionality is built into the dashboard (this goes back to the boilerplate code I mentioned above). Nine times out of ten you will simply have to click "Update" and in about a minute WordPress will download the updated .zip, remove the old plugin folder and files, and extract the new files in their place.
This process will happen for every plugin you install multiple times per year.
Keep Your Server Up To Date
This mostly applies to those of you who are running your own server. It also highlights one of the main reasons NOT to use one of the cheap shared hosting providers like GoDaddy. You can't get access to some of the hosting settings discussed below.
Let's back up.
A server is a computer. Its job is to listen for browser requests, perform the correct operations and finally respond to the browser. In order to perform these operations, the server has lots of different software installed along with several "languages".
The main "language" your server speaks is PHP. We discuss this above when describing the basic parts of WordPress. Every so often the PHP community will release an update, similar to plugins updates, often tackling some vulnerabilities or bugs that have crept up since the last release. Some are minor, others (like 2019's release of PHP 7) are major releases.
Here's the list of official releases: https://www.php.net/releases/index.php
Many shared hosting providers are slow to update their versions of software because they have millions of websites running on their servers. Updating the software, while good for the majority of sites, may negatively affect other sites on the server. Think about a site built in 1999 and rarely updated or maintained. Yes, they exist and they run on very old versions of PHP. Updating the version of PHP on the server runs the risk of making this old site not work. So large companies like GoDaddy are slow to update, typically needing to send out months of advanced notice, if they even update at all.
On the other hand, having your website live on your own private server has its advantages and one of them is being able to keep your server up to date. Your website can be extra fast and secure with your server running PHP 7.3 and your competition will suffer on their shared box running 5.4.
If you are not running your own dedicated or private server you can reach out to your hosting provider support to inquire about the versions of software running on your machine.
Remove Spam Comments & Users
The majority of WordPress sites have a few less than secure features that can be exploited by hackers and software out on the wonderful World Wide Web.
User creation and commenting are two of those features.
Without proper "hardening" or security, and if you ignore the maintenance for a while you may find that you have a ton of spam users who have registered as "Subscribers". You may also find you have hundreds of comments on your blog posts.
Do not get excited. Your articles have not gone viral.
What is happening is software running 24/7 365 days a year is out looking for websites that have a few key characteristics indicating they are WordPress websites. Then they exploit these sites by leaving comments on the blog posts and create user profiles.
Most of the time they are trying to get a cheap link off your site. Sometimes their intentions can be worse.
Do these comments sound familiar?
"Wow, I really love your writing. I'm definitely subscribing to your blogs."
"This topic has been very interesting to me and I wish to learn more about this topic."
"I'm so glad I found this blog. Keep up the hard work."
When I saw them on my first blog post years ago I got excited.
Wow, this Internet marketing thing is easy! Overnight people around the world discovered my amazing writing and were really taken by it.
Nope. 37 bots had visited my site overnight leaving spam comments everywhere, pulling from a list of "natural-sounding comments" created during a spammers marketing meeting in some Ukrainian basement. Also, my blog had 181 new subscribers. Sweet! Not! (Borat voice)
You can manually mark these comments as spam inside your WordPress dashboard and delete them. You can also delete all users (besides yourself of course). If there are too many to do manually then there are a few plugins out there that can help you remove spam users and comments. Delete the spam and then disable commenting and user registration. Install the Disable Comments plugins and disable user registration from the Settings menu in WordPress.
Review your website to see if there are any WordPress sign up forms anywhere that should not be.
Of course, if you are running a membership site then you will need to keep User Registration enabled and in that case, there are some additional security measures you can take to block spam users like Captchas and Honeypots.
But for most business sites you do not need user registrations or comments. Avoid the headache and get rid of them both.
Bulk Delete WordPress Maintenance
Disable Comments WordPress Maintenance
Keeping Your Database Optimized By Removing "Cruft"
One of the cool things about WordPress is as you type your blog post, the system will automatically save "versions" of your post. After time your database gets a little sluggish because of all the extra "stuff" it's saving that you don't need.
520 versions of a blog post that you published 3 months ago.
3 database tables created by a plugin you tried out 6 months ago and then deleted.
All the settings for the theme you used last year.
We call this "cruft".
We don't like cruft and don't want it around. Let's get rid of it.
Below is a recommended plugin to accomplish this task. After you install the plugin and run the optimize operation be sure to disable the plugin because you do not need it running all the time. Just enable it once a month or so, run the bulk optimize operation, and disable.
WordPress Optimize Plugin
Remove Unused Images
This one is not necessary all the time but can be useful if you find your WordPress website is getting a bit sluggish. Another great feature of this popular CMS is when you upload an image to your Media Library, WordPress will automatically create a few different versions of the image. The "thumbnail" is an example of this.
So you upload one image. WordPress saves seven or eight versions.
After a while this can lead to a massive media library, hogging a lot of space on your server.
Of course, you can upgrade your hosting package to get more server space.
But you can also go through your media library and delete the images you don't use anymore.
This is often a useful practice once per year. Just be absolutely sure the image is not being used on a page or post because it will show as a broken image after you delete it.
To delete unattached images, you can follow the below steps after clicking in your Media Library:
- Choose unattached from the drop-down and click on filter http://goo.gl/mpL7CD, it will show all unattached images
- Then select all images and choose Delete Permanently from Bulk Action drop-down, click on Apply.
You did it!
If you made it this far give your eyeballs a round of applause. That was a lot of reading, but I hope we made how WordPress works a bit more clear. You are now a WordPress maintenance expert.
I cannot stress enough to start by making sure your backup system is in place and operational. If you have consistent backups then you can rest easy knowing that if something was to go wrong you can restore quickly.
We highly recommend WP Time Capsule.
Then again, if all of this sounds like a whole bunch of work you do not want to do then never fear, Possible Web is here.
Our team will complete these tasks month after month making sure your website is running as smoothly as possible. Not only that but as a CARE customer we manage and operate your private server for you making sure everything is up to date and perfect.