Milan Latinović
Software Engineer and Enterprise Architect
WordPress Security and Optimization
This article covers the major concerns in WordPress security and optimization.
Table of Contents
- WordPress Security and Optimization – Maintaining web sites
- Firstly, let’s separate concerns
- Maintenance Management and Typical Maintenance Tasks for WordPress web sites
- Cleanup your WordPress header
- Promoting WordPress web sites – Backups
- Cleanup your junk
- Scanning of your WordPress system
- Broken links checker
WordPress Security and Optimization – Maintaining web sites
WordPress security and optimization is very important.
Luckily, maintaining WordPress web sites has become a fairly simple and straightforward task.
There is a great number of themes available, both free and premium.
Furthermore, there are plug-ins, code snippets, tutorials and experts who can program for the WordPress platform, which makes the job easier for site owners.
However, the life cycle of a WordPress site only begins once the site has been created. The site has to work fast and reliably to provide quality service to its end customers, and finally it has to accomplish the desired goals (gathering customers, growing the list of users, promotion or product sales).
Firstly, let’s separate concerns
It is necessary to separate two things:
- Creating a WordPress site
- Maintaining a WordPress site
Equally, neglecting the correct way to maintain a WordPress site has a series of unwanted consequences:
- Increased page loading time
- Decline in the quality of the customer's experience
- Decline in position on (or complete removal from) internet search engines
- Reduced security
- Increased expenses, or a complete inability to create the next versions of the site (new functionality).
Creating a WordPress site includes all the steps that create new value on the site.
WordPress Security and Optimization – In the beginning
In the beginning, creating a new site means building it from scratch: designing, coding, etc. After this "first version" of the site, subsequent versions with new functionality are created.
This functionality includes changes to the navigation, adding a subscription mechanism, adding an e-shop, refactoring code to improve loading, new plug-ins for SEO (Search Engine Optimization), etc.
All of these activities should take place on a staging server, which is a realistic replica of the real web site but has no real customers or visits.
This way the site owner and the programmer/consultant who works on the site can experiment with different functionality without interference.
Creating a WordPress site covers all the steps that happen on the staging server.
Maintaining a WordPress site covers all the activities performed on the production server in order to keep the site working fast and reliably.
Maintenance Management and Typical Maintenance Tasks for WordPress web sites
WordPress Security and Optimization: The most common approach to maintaining WordPress web sites is to classify activities as daily, weekly, monthly and quarterly.
WordPress Security and Optimization – Daily maintenance of WordPress web sites
- Managing the comments (replying, deleting, marking spam)
- Backup
- Uptime monitoring
Daily maintenance tasks for WordPress sites can be automated. In fact, it is desirable for the majority of daily tasks to be automated so that there is more time for improving the web site. Managing the comments means reviewing all the comments that users leave on our posts, pages, etc.
A big problem that most WordPress site owners face is spam comments. This problem is easily solved by installing a plug-in like Akismet. This free plug-in performs really good monitoring and removal of spam comments, and activation is very simple.
Anti-spam plug-ins
- Akismet – is really an anti-spam service that runs outside of our site. Akismet provides a small plug-in which connects to the WordPress web site and creates a tunnel through which it sends comments for checking.
- WP-SpamShield Anti-Spam – All-in-One Spam Protection – this plug-in fights spam comments by trying to block automated spam (spam-bots) as well as human spam. This is performed on two levels: a JavaScript/Cookies Anti-Spam Layer and an Algorithmic Anti-Spam Layer. The plug-in also performs Pingback/Trackback validation.
Cleanup your WordPress header
Consider following a tutorial on cleaning up your WordPress header, to remove junk links from it and make it faster.
Promoting WordPress web sites – Backups
WordPress Security and Optimization: Backup means: a) backup of system files and b) backup of databases!
Further, the backup of system files can be divided into backup of the WordPress core, theme, uploads, etc., but this is usually unnecessary.
The majority of better hosting providers provide daily backups of system files and databases, so this problem is most commonly solved automatically.
However, these daily backups are not permanent; hosting providers keep only a limited number of days (history) of backups. A coding mistake or malware may be noticed only after a couple of weeks, when these backups are no longer useful, i.e. when the mistake has propagated through all the backups.
For this reason, besides daily backups, weekly or monthly (offline) backups are recommended. Anyway, the backup policy depends on many factors and it is best to consult an expert before defining it.
- BackupBuddy – Premium backup service
- UpdraftPlus – Premium backup service
- Backup WordPress – a free plug-in which performs web site backups and can save backup files externally (Dropbox, Google Drive, etc.)
Uptime monitoring
WordPress Security and Optimization: Uptime monitoring means continuous tracking to make sure that the web site is available to customers.
This can be done in several ways; the most popular are using an external service like Monitor (Monitis) or creating your own scripts which are executed from different servers.
Monitor is a fantastic example of a service which performs different testing and monitoring (uptime monitoring among others), and there are free and premium accounts.
The essential thing is the possibility of connecting the uptime monitor to the administrator's e-mail, so that the administrator gets a notification when the uptime monitor notices that the web site is not available. This way you can react on time and reduce downtime for all users.
Advice: Set up daily backups of databases and system files. Set up Akismet (or another) anti-spam mechanism. Configure an uptime monitor and connect it to the e-mail of the administrator, or of another person assigned to keep the web site running.
Weekly maintenance of WordPress web sites
- review of web site`s speed
- emptying spam comments
- sorting drafts and deleting trash
- analytics check
- checking error and firewall logs
WordPress Security and Optimization: The speed of WordPress sites is becoming a very important factor in satisfying customers and in search engine optimization.
Because of the great number of plug-ins, multimedia content, inadequate optimization or simply slow servers, a great number of site owners have a problem with the speed of their web sites. Equally, once a web site's speed has been repaired, that doesn't mean the site will stay fast.
Every new plug-in, WordPress core or theme update represents a change of code on the web site. This new code can perform faster or slower, and it can collide with other parts of the code. Adding new texts and pictures to the site represents new content which usually isn't optimized.
All of this causes web site speed to degrade over time, so this is a very important item for weekly maintenance.
WordPress Security and Optimization: Web site speed
A web site's speed is not important just for SEO but for the conversion rate (%) too. Practice has shown that a web site's loading speed directly impacts user activity on the site, i.e. an improvement in web site speed increases the percentage of mailing list registrations, sales, comments on posts, etc.
- GT Metrix – a great service for checking the speed of web sites. Besides that, the service also provides short information on how the speed can be improved. This service is often used by developers and web site owners when checking the quality of work (the condition of the web site before and after an update).
- Pingdom – this is also an excellent service for checking the speed of web sites. One interesting option that this service provides is changing the location of the server from which testing is performed (very useful if you are testing how the site will behave for users from different geo-locations).
Cleanup your junk
Emptying spam comments means the permanent removal of spam comments from the junk. Here it is necessary to do a fast check of the spam filters (to verify that no valid comment has been deleted), and then to delete all the spam comments.
While emptying spam comments you can pay attention to the number of those comments, i.e. to the spam trends. If the site is under some kind of "spam attack" you will notice a considerably larger amount of spam comments (e.g. a site which has 1000 spam comments per week can have 20 times more spam comments during a spam attack).
WordPress Security and Optimization: Sorting drafts and deleting junk
Sorting drafts and deleting junk is a standard technical task for WordPress site editors. This is done in order to preserve the backend structure and to relieve the WordPress database of excessive information.
The analytics check depends on the type of analytics on the web site, as well as on the web site's functions, i.e. on the things that must be checked.
The most common scenario is a site that already has Google Analytics set up, along with some mechanism for tracking e-commerce activities. However, besides these services, on the site you can also find Yandex Metrica, Webvisor (tracking users' behavior, saving users' sessions), heatmap analytics (e.g. CrazyEgg), etc.
Analytics check should have at least:
- the number of visits (this week vs. previous week, this month vs. previous month)
- comparative analysis of the users’ sessions length
- Bounce-rate analysis
- Traffic Sources analysis (direct traffic VS social networks VS search engines)
- Geographic analysis (in the case of sites which are targeting different Geo-location).
Checking Error and Firewall logs
Checking error and firewall logs is an extremely important weekly task. WordPress has an error log in which all the errors that happen while performing functions on the web site are kept. By reviewing this log file you can see all the problems that users have on the web site. If some error repeats, that means it represents a serious problem for the users and needs to be removed.
E.g. if some plug-in has a problem with writing to the database (or reading from it), the error log will show the problematic SQL queries and direct you to the plug-in that is causing the problem. Equally, if a larger number of problems appear, the error log can become much bigger (which affects backups, the loading speed of error logs, etc.), so it is necessary to check this error log from time to time.
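For the error log to exist at all, and to exist without leaking to visitors, the logging constants in wp-config.php have to be set deliberately. The following fragment is an added example, not part of the article; the constants are WordPress's own, the log path is an assumed one.

```php
<?php
// Added example (not from the article): logging settings in wp-config.php.
// The constants are WordPress's real debug constants; the log path is an assumption.

// WEAK (often found on neglected sites): errors are rendered into pages served to
// visitors, which exposes file paths, plug-in names and SQL fragments to anyone who
// manages to trigger a bug.
// define( 'WP_DEBUG', true );
// define( 'WP_DEBUG_DISPLAY', true );

// CORRECTED: keep collecting errors (the weekly log review depends on them)
// but never show them in the page.
define( 'WP_DEBUG', true );            // collect notices, warnings and errors...
define( 'WP_DEBUG_DISPLAY', false );   // ...without rendering them to visitors
@ini_set( 'display_errors', 0 );       // also covers errors raised before WordPress loads

// Write the log outside the web root (assumed directory; adjust to your server).
// A path value is honoured from WordPress 5.1 on; the value `true` writes
// wp-content/debug.log, which is reachable over HTTP unless the web server blocks it.
define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );
```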
Advice: Error and firewall log analysis, by a competent WordPress developer on a weekly basis, is at the top of the list of priorities when it comes to managing WordPress sites.
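A repeating entry is the signal the weekly review looks for, so it helps to start from a frequency table rather than reading the log top to bottom. The script below is an added example (not from the article); it tallies debug.log entries grouped by message and file, and the sample lines it runs on by default are constructed.

```php
<?php
// Added example (not from the article): tally the entries of a WordPress debug.log so
// the weekly review starts with the errors that recur most often. Run it on a real file
// with: php tally-debug-log.php /path/to/debug.log  (path is an assumption).

function summarize_debug_log( iterable $lines, int $top = 10 ): array {
    $counts = [];
    foreach ( $lines as $raw ) {
        $line = rtrim( (string) $raw, "\r\n" );
        // every entry starts with a bracketed timestamp; stack-trace continuation lines do not
        if ( ! preg_match( '/^\[[^\]]+\]\s+(.*)$/', $line, $m ) ) {
            continue;
        }
        $key = preg_replace( '/^PHP\s+/', '', $m[1] );
        // collapse variable numbers (ids, offsets) to N, but keep the trailing "on line N"
        $key = preg_replace( '/(?<!on line )\b\d+\b/', 'N', $key );
        $counts[ $key ] = ( $counts[ $key ] ?? 0 ) + 1;
    }
    arsort( $counts );                              // most frequent first
    return array_slice( $counts, 0, $top, true );
}

// constructed sample: two recurring defects and one fatal error with a stack trace
const SAMPLE_LOG = [
    "[14-May-2023 10:02:11 UTC] PHP Warning:  Undefined index: price in /srv/wp/wp-content/plugins/shop/cart.php on line 42",
    "[14-May-2023 10:02:13 UTC] PHP Warning:  Undefined index: price in /srv/wp/wp-content/plugins/shop/cart.php on line 42",
    "[14-May-2023 10:05:40 UTC] WordPress database error Table 'wp.wp_old_plugin_data' doesn't exist for query SELECT * FROM wp_old_plugin_data WHERE id = 7",
    "[14-May-2023 10:06:02 UTC] WordPress database error Table 'wp.wp_old_plugin_data' doesn't exist for query SELECT * FROM wp_old_plugin_data WHERE id = 9",
    "[14-May-2023 10:07:00 UTC] PHP Fatal error:  Uncaught TypeError: foo(): Argument #1 must be of type int in /srv/wp/wp-content/themes/x/functions.php:88",
    "Stack trace:",
    "#0 {main}",
];

$source = ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) ? new SplFileObject( $argv[1] ) : SAMPLE_LOG;
foreach ( summarize_debug_log( $source ) as $entry => $n ) {
    printf( "%5d  %s\n", $n, $entry );
}
```

On the sample the two "Undefined index" lines and the two database errors (different ids, same missing table) each group into one entry with a count of 2, which is exactly the "repeats, therefore serious" case the paragraph describes.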
Monthly maintenance of WordPress web sites
- WordPress Core update
- Plug-in update
- Theme update
- Consolidation of themes and plug-ins (optimization)
- Databases optimization
- Scanning the system (to be safe from malware)
Updating the WordPress core, plug-ins and themes has been described in a lot of places and is a pretty familiar subject.
WordPress Security and Optimization – Most WordPress site owners understand that using a CMS (Content Management System) which is open source and susceptible to security lapses means constant updating.
Advice: During the update, the WordPress core is updated first, and then the plug-ins and themes. Before the WordPress core update it is necessary to check which PHP version is needed for the new (updated) code to work properly, and which PHP version is on the main server. It would be good to check the update on the test server first, before releasing the update to production.
Consolidation of themes and plug-ins
Consolidation of themes and plug-ins means removing unnecessary plug-ins and replacing plug-ins if better ones appear.
While creating new functionality, a larger number of plug-ins is tested so you can find the best ones. Usually these plug-ins stay in the system, active or inactive but present. Consolidation of plug-ins solves this problem and optimizes the site.
Database optimization means cleaning the WordPress database of excessive metadata, orphan pages, excessive backup pages and posts, drafts, tables left behind after deleting plug-ins, etc. There are several ways to approach database optimization; the most common ones are:
- Optimization by using plug-ins like WP Optimize or
- Direct database optimization
In practice, a combination of these two usually gives the best results.
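Before touching the database directly it pays to measure what is actually there. The following is an added example, not code from the article or from any plug-in named in it: a read-only report built on WordPress's own $wpdb object that counts the leftovers the paragraph lists (orphaned metadata, revisions, trashed posts, expired transients, non-core tables), plus the one cleanup that is safe to script. The mu-plugin location and the wp-cli invocation are assumptions.

```php
<?php
// Added example (not from the article): a read-only database hygiene report on $wpdb.
// Assumed to live in wp-content/mu-plugins/db-hygiene.php and to be run with
//   wp eval 'print_r( wp_db_hygiene_report() );'

function wp_db_hygiene_report(): array {
    global $wpdb;

    // postmeta rows whose post no longer exists (typical leftovers of deleted content or plug-ins)
    $orphan_meta = (int) $wpdb->get_var(
        "SELECT COUNT(*) FROM {$wpdb->postmeta} pm
         LEFT JOIN {$wpdb->posts} p ON p.ID = pm.post_id
         WHERE p.ID IS NULL"
    );
    // revisions grow with every edit; cap them with WP_POST_REVISIONS in wp-config.php
    $revisions = (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_type = %s", 'revision' )
    );
    $trashed = (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = %s", 'trash' )
    );
    // expired transients are only purged lazily, so they can linger in wp_options
    $expired_transients = (int) $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->options} WHERE option_name LIKE %s AND option_value < %d",
            $wpdb->esc_like( '_transient_timeout_' ) . '%',
            time()
        )
    );
    // tables with our prefix that are not core tables: plug-in leftovers to review by hand,
    // never to drop automatically (some inactive plug-ins keep their data on purpose)
    $all_tables   = $wpdb->get_col(
        $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $wpdb->prefix ) . '%' )
    );
    $extra_tables = array_values( array_diff( $all_tables, $wpdb->tables( 'all' ) ) );

    return compact( 'orphan_meta', 'revisions', 'trashed', 'expired_transients', 'extra_tables' );
}

// The one cleanup that is safe to script: meta without a parent post is unreachable by any
// code path. Take the backup described earlier in the article before running it.
function wp_db_delete_orphan_postmeta(): int {
    global $wpdb;
    return (int) $wpdb->query(
        "DELETE pm FROM {$wpdb->postmeta} pm
         LEFT JOIN {$wpdb->posts} p ON p.ID = pm.post_id
         WHERE p.ID IS NULL"
    );
}
```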
Scanning of your WordPress system
Scanning the system means checking whether there are any infected files (malware). The question is, why isn't system scanning performed automatically? There are two reasons for that. The first is that just scanning the system won't help by itself: you need a developer or site owner, someone who knows how to read the results of that scan and who can figure out whether there is any problem in the system.
The second reason is that scanning takes a lot of resources, so during scanning the web site can become slower, some performance can decline and even uptime alarms can be triggered. On the other hand, scanning the system and reading the results can take a lot of time, so it is recommended that these tasks be done rarely, but thoroughly.
When it comes to tools, there is a great number of external services and WordPress plug-ins which can perform scanning.
Advices
Advice: A complete scan should be done rarely but thoroughly. There is no use in frequent but sloppy scanning. This is all about checking the system's security; that kind of check takes time, and the person who does it should be completely focused.
- Wordfence Security is a very good plug-in for security scanning. Besides scanning, it has a mechanism for blocking IPs and a firewall.
- Vulnerability Alerts is an example of a great plug-in which scans the WordPress core, themes and plug-ins for standard vulnerabilities. This plug-in is especially interesting if you have developed your own theme or plug-in and want to perform a security check.
- WPScan is a great service for scanning WordPress sites. It is open source software which can be installed on several Linux distributions and runs simply (it comes preinstalled on Kali Linux).
WordPress Security and Optimization – Quarterly maintenance of WordPress web sites
- Checking bad links (elimination of dead links)
- Checking 404 logs
- Promoting inner link connectivity
- Updating static pages and contact data (optional)
- Validation of the WordPress site
Broken link check for WordPress Security and Optimization
The broken link check should make sure that all the references on the web site work properly. When creating texts for a web site we often point to external sources, but as time passes we cannot be sure that these sources still exist. Because of that it is important to check the complete site periodically (quarterly) and find broken links. This check is done using one of the scanning tools:
- DeadLinkChecker service is an excellent choice for a free scan of a web site, providing reports about broken links. In this report you can find the list of all the links which are not working and also their locations, i.e. in which documents those links are found.
- Broken Link Checker is a plug-in which you can install on your WordPress site to perform the internal check of broken links. However, it may be better not to spend system resources on this plug-in, because external services exist which do that task.
- W3C Link Checker is the official W3C tool for link checking, with very interesting settings and reports. It is certainly a service worth paying attention to.
Broken links checker
404 errors and their effect on WordPress Security and Optimization
Checking 404 logs means checking broken links, but from the opposite direction. With this check we can find out what unavailable things users are trying to find on our web sites. To perform this check correctly, a mechanism (plug-ins, scripts, external service) should be set up beforehand which records all 404 events that happen on the site.
In case we want to build our own internal mechanism which treats 404 pages specially (records them, navigates customers, etc.), WordPress has an is_404() function which tells us whether the user actually got a 404 page. On the basis of this function and the template_redirect hook, an interesting mechanism for 404 logic can be built. A "skeleton function" would look like this:
```php
function skeleton_function_for_404() {
    if ( is_404() ) {
        // do stuff: record the request, redirect the visitor, etc.
    }
}
add_action( 'template_redirect', 'skeleton_function_for_404' );
```
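Filling in that skeleton, the following is an added example (not from the article) of a 404 recorder that writes one structured line per miss to the PHP error log, where the weekly log review will find it, and keeps a per-path counter so that a burst of misses on one path (typically a scanner probing for files that are not there) is mailed to the administrator. The mu-plugin location, the threshold of 100 and the function name are assumptions.

```php
<?php
// Added example (not from the article): 404 recording built on is_404() and
// template_redirect. Assumed location: wp-content/mu-plugins/record-404.php.

function wpsec_record_404(): void {
    if ( ! is_404() ) {
        return;
    }
    $path = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '';
    $path = substr( sanitize_text_field( $path ), 0, 200 );
    $ref  = wp_get_referer() ? esc_url_raw( wp_get_referer() ) : '-';
    $ua   = isset( $_SERVER['HTTP_USER_AGENT'] )
        ? substr( sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) ), 0, 120 )
        : '-';
    // behind a reverse proxy or CDN this is the proxy's address; read the proxy's
    // forwarding header instead, but only if the proxy is the sole way to reach the site
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';

    // one JSON line per event, prefixed so it can be grepped out of the error log
    error_log( 'wp404 ' . wp_json_encode( array(
        'time'    => current_time( 'mysql', true ),
        'path'    => $path,
        'referer' => $ref,
        'ip'      => $ip,
        'ua'      => $ua,
    ) ) );

    // per-path counter; the transient is refreshed on every hit, so the window is
    // "no gap longer than an hour between misses", which is what a burst looks like
    $key   = 'wp404_' . md5( $path );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HOUR_IN_SECONDS );
    if ( 100 === $count ) {   // mail exactly once per burst, not on every further hit
        wp_mail(
            get_option( 'admin_email' ),
            '404 burst on ' . home_url(),
            "$path was requested $count times with no hour-long gap (last from $ip)."
        );
    }
}
add_action( 'template_redirect', 'wpsec_record_404' );
```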
Promotion of inner link connectivity is the structural part of the link strategy. It is in the web site owner's best interest that texts on their site are connected to each other as much as possible. There is a great number of technical and organizational ways to implement a successful inner link strategy. This task is placed in the quarterly part in terms of checking (validation and adaptation of the inner link strategy).
Updating static pages
Updating static pages and contact data means checking the static materials on the site. These materials rarely change, but when a change does happen, updating the web site with the right data is usually forgotten. E.g. if you change a contact phone number or an e-mail, all the locations which have that data should be updated (sites, contact pages, e-mail forms, lists, everything…)
WordPress Security and Optimization – Validation of WordPress page
Validation of the WordPress site, i.e. a technical audit, is a complete verification of the system's operation. Of course, the technical audit includes some of the already mentioned weekly or monthly activities. However, during the technical audit the accent is on connecting the indicators. So, if there are indicators in the error logs, of poor speed, or of reduced uptime, the technical audit tries to connect them and then figure out what the problems are and what the causes are.
Advice: Anomalies in the operation of web sites should be divided into problems and causes. Usually, one technical anomaly will cause a few more anomalies. If we remove those anomalies (without removing the original problem) they will simply reappear after a while. A technical audit recognizes the causes whose solution will automatically solve, or at least accelerate solving, the other problems.