WordPress is fun yet powerful. And there are so many things you can do with it. But don’t just leap in with both feet and start WordPressing with reckless abandon. There are best practices one needs to partake in to ensure your WordPress site is dialed in and safe, to boot.
WordPress best practices for a successful website
Like anything worth having, WordPress needs a little TLC to get the end result looking groovy.
First floor... hosting
Building a home with a lousy foundation is a recipe for disaster. The same goes for your website. Hosting is critical in the success of your WordPress site.
Build a site that gets lots of traffic on a hosting platform that can’t handle the traffic load and you just sank your ship. Get the type of hosting needed to handle the traffic and also be easy to use, going forward.
There are a wide range of hosting platforms to get you started in the right direction. From shared hosting on cPanel, Managed WordPress hosting, to a VPS (virtual private server) or dedicated server if you have bigger plans.
Themes and plugins, oh my...
Now that you have your hosting picked out and your WordPress site installed, it's time to start down the path of theme and plugin choices.
For your site’s safety and your reputability, never just download free themes and plugins from an untrusted site. That is a timebomb just waiting to go off.
Always download from trusted sources. For instance, if you are looking for just a basic theme, all the themes in the WordPress repository have been checked for malicious content and are generally safe to download.
A good third-party vendor of WordPress themes is Envato Market (formerly ThemeForest). I have used them for years — good support and great theme selections.
These are all premium themes though that cost cash money to get a hold of. But they generally aren’t very expensive, and you’ll be getting, often times, a really nice out of the box theme that will last you till you later change your mind and want to rebrand to a new theme — which is perfectly acceptable to do.
I change my theme up about every three to four years or so. Just don’t change the look too much, or you’ll confuse your visitors and possibly lose a few, too.
With regards to plugins, it is almost always necessary to download and install plugins from the WordPress repository. They have been checked and are generally safe to use.
Never just download a plugin from an untrusted site, as you will be flirting with danger.
There are some premium plugins out there that aren’t available through the WordPress dashboard, like Revolution Slider and others. These are premium plugins and only available for download from the plugin developer’s site.
Do your research though and investigate things like WordPress version compatibility, the overall number of downloads, the last updated date, and how many stars the plugin has.
The children are your future
When doing any theme customization, one of the most important WordPress best practices is to enable a child theme. This way, you can edit your site’s theme to your heart’s content, without losing all those customizations when your theme gets an update.
Hard code your main theme, and those edits may very well be lost when the theme is updated. And that can really harsh your mellow.
What is a child theme, you might ask?
Good question. Simply put, a child theme is a sub-theme that inherits the look, feel, and functionality of the parent theme. When you make modifications to the child theme, they are kept separately from the parent theme's files.
This comes in handy, since your theme will, most likely, get an update, or several, during the time you use it. If you’ve customized the parent, all your arduous work is typically overwritten.
But if you custom code a child theme, those changes are kept, yet the site’s theme is updated successfully.
Never (I repeat, never) take security of your site lightly. A compromise can be disastrous to get rid of and can cause downtime or even complete site destruction.
It stinks that there are people out there who are so smart yet use their intelligence to wreak havoc on your hard work. But that isn’t going to change any time soon.
So, you’re best off securing your site as best as you can.
One nuisance is comment form spam. It’s a huge pain for some. However, there is an effortless way to avoid that, almost entirely. Just download and install the plugin called Discuz. Then, turn off WordPress’ inherent comment capability entirely and allow Discuz to handle all commenting on your site.
I did and have gotten only one comment form spam in over three years!
Another cool plugin that I have used is Akismet. This is a comment form and spam blocking plugin that works with your native WordPress commenting system. This aids in defeating comment form spam too.
But I feel Discuz just takes care of things a little better. Both plugins are free with an option to go pro.
Another way to feel warm and fuzzy about your new site is to enable a CDN/WAF (content delivery network/web application firewall). A firewall does a fantastic job of blocking out the knuckleheads out there who want to visit your site just to cause trouble.
It aids in DDoS (Distributes denial of service) protection and allows the good traffic to access your site.
Another key WordPress best practices is a very strong and rotating password for your admin user. Also, a totally unrelated username is preferred.
For example, don’t have a site called Bob’s Biscuits and have an admin username of bob or biscuit. You’re just giving away the first half of your admin user’s security. Then, all the bad actor needs to do is to solve for the password and they’re in.
I rotate my passwords out every month or two. I also use long and strong passwords and a totally unrelated username. I have yet to be compromised as a result.
From a hosting standpoint, you should also have strong passwords and usernames for your cPanel hosting or server. These too need to be regularly rotated out. Password change day is a pain, but not nearly as big of a pain as being compromised for not doing it.
Updated your site yet?
WordPress frequently has core file updates, as do good plugins and good themes. Never let your site get out of date. This is a surefire way to get compromised.
WordPress is an open-source application — that being said, bad actors are constantly downloading the latest versions of WordPress in order to scan for vulnerabilities. These are later used to gain access to your site.
You can thwart these bad efforts by simply and regularly updating your core files, plugins, and theme. It’s an easy couple clicks and a couple minutes of waiting for the update to complete.
That is a small price to pay for security.
To update your site, just log into your dashboard, mouse over the left main menu that reads Dashboard, and then select Updates. This loads your Updates screen. Here you can update your WordPress core files, theme(s), and plugins, all in one place.
Before you update anything, though, be sure to back up your site and database first. That way, in the event that something goes haywire, you can revert back to the last viable version of your site.
Also, be sure to update your plugins one at a time. This way, if one of the plugins goes sideways, you’ll know which one it was and can deactivate that plugin, in phpMyAdmin or File Manager and deal with it later.
Remember, when your site is updating, it will be offline, as WordPress generates a temporary .maintenance file while the updates are being completed. Once the updates are complete, that file is terminated.
That being said, you may want to perform updates during slower or non-peak times so as not to interfere with too many visitors to your site.
On a side note, sometimes that .maintenence file can get stuck and left behind. If this happens, you’ll need to go into File Manager or your favorite FTP program and manually delete said file to get your site back up again.
Search engine optimization is key
Don’t just throw a bunch of content together and call it a day. Websites are so much more than just content. The content needs to be great and designed in a way that looks tasty to search engines.
There are a host of plugins out there, both free and premium, that can assist you with building great content that search engines like Google will prefer.
One plugin for this is Rank Math. It's an SEO plugin for WordPress that makes it easy for you to optimize your content with built-in suggestions based on widely accepted best practices.
You can easily customize important SEO settings, control which pages are indexable, and how you want your website to appear in search with structured data. This plugin, like all SEO plugins I’ve tried, has both a free and a premium option.
Another plugin is Yoast. It makes sure your site meets the highest technical SEO standards. It also gives you the tools to optimize your content for SEO and overall readability. This too comes in both free and paid versions.
There are many more out there to choose from, I merely mentioned two, as listing more could result in an article all its own.
Do you even back up, bruh?
I can’t express this strongly enough. You must have some sort of redundancies in place to ensure you have something to fall back on.
Backups are critical for peace of mind.
The worst feeling of all is possibly managing a WordPress site that gets irreparably compromised and having nothing to restore from. That’s just what you wanted to do, right? Rebuild your entire site again... from scratch.
Images & load times
You can’t have a site without images. That’s just boring. But images can be a hindrance if not set up correctly. Closing out our WordPress best practices: always optimize your images before you upload them to your site.
Size them appropriately, in that you don’t want to have a massive image that is several megabytes in size and then rely on your site to shrink the large image down.
That’s still a large image, it just appears smaller, thus increasing load times.
There are tons of image editing programs out there to choose from. Some paid, some free, but all necessary. Compress the image and resize the image before you upload.
Also include alt tags and descriptions for each image uploaded. This aids in SEO, because some people might find your site via Google or other image searching.
Once you’ve uploaded your optimized image, it doesn’t hurt at all to run the image(s) through a cool plugin called Smush. Smush will optimize images, turn on lazy load, resize, compress, and improve your Google Page Speed.
I personally use this plugin and have for years. I dig it. If you have already uploaded a bunch of images, Smush has the ability to bulk smush images already uploaded.
Closing thoughts on WordPress best practices
All in all, this is but a small starter list in general WordPress best practices that, if utilized, can help get you started on your path to greatness.
Start here and you’ll be a happier designer or developer in the long run. This list is subject to interpretation and substitutions can be made for some of the suggested plugins, but you do you.
Till next time...