A Detailed Guide to Get Your Site Running Optimally

Do you ever worry that your WordPress site might not be set up correctly?  That you might have installed plugins that could cause problems?  Or that you might have vulnerabilities that make your site open to being hacked?

We get a lot of questions from customers like these and decided to create a checklist to help site owners like you.

This checklist is not just based on our 14+ years in business— we actually went out and interviewed a separate panel of WordPress consultants to create the best possible list of recommendations from the broadest variety of experience.

We curated their responses and combined them with our own insights to create a list of WordPress best practices organized into four key areas:

Download the PDF checklist by clicking here (no email required):

Download WordPress Best Practices Checklist 

Read on for an epic guide with detailed recommendations of each best practice listed.

1. Security

The moment you launch your website you should immediately implement security measures.  Your website is under continual and automated probing by hacker scripts to find vulnerabilities and exploit them.  

You may think, "My site isn't that important and won't be a target," but actually hackers can get all sorts of benefits from any website.  They may use your site to:

  • Deliver malware to your visitors
  • Route spam email from unrelated websites
  • Make it look like another website on a hidden page and scam people who have nothing to do with you

Once your site is hacked, it often gets taken down by your web host to limit the damage it is causing.  Typically, they won't restore it until you clean up your site files and database and remove all hacker changes.

If a hacker has been particularly sneaky, you may end up removed from Google search results.  If not caught in time, your visitors' anti-virus software on their computer may block access to your site.  In these cases, it can take weeks to get removed from security black lists and available to the public again.

Protect your website by applying these WordPress security tips.

A. Change WordPress default admin name and set a strong password

How to set a strong password?

A password should have no ties to your personal information nor should it be a common word. A combination of numbers, symbols, lower and upper case letters is a standard rule for setting a strong password.

But what makes it most strong is its length- so make your password as long as is reasonable.

Setting a strong password

Password cracking: A short and complex password "3$2Llm_2" versus a longer and simpler password "Disney_hooray#mamas_boat39".  Longer passwords are more secure!

To change your password, click the name Howdy (your name) on the top right of your WordPress dashboard. Upon clicking Howdy, there should be an "edit profile" option.  Click that. 

Scrolling down, you will come across a "set password" option.

Use How secure is my password to measure your password strength before you set it.

Changing WordPress username from admin

"Admin" is a default username for WordPress websites. If you leave your username as "admin" you'll give hackers a username that they can run password guessing programs against.  You're basically giving them half of the puzzle.

But if you change your username from "admin" to something else, they'll have to figure out both the username and password to successfully attack you.

To change your username, scroll down on your WordPress dashboard and click on users, and choose the all users option. Your user profile will appear and you can edit accordingly. The process is straightforward. We recommend using a random and meaningless name.

WordPress username

B. Update plugins, themes and WordPress on a regular basis

WordPress updates

You only have to update the WordPress Core when a new version is released. WordPress will let you know through your dashboard when this happens.

Each WordPress version is released with the aim of improving performance, fixing bugs, refining existing features and improving security.

Because WordPress is open source software, hackers know when a new WordPress vulnerability is identified and a new version is released to patch the vulnerability. When you don’t update your WordPress core, your site will operate on publicly published vulnerability hackers know of and can exploit. 

There is no staying the same with security updates- you always become more secure when you upgrade and less secure when you don't (this is true for themes and plugins too.)

To see the version your website is using, scroll down on your dashboard page and look on your bottom right. It should be there. 

To update, click "Updates" on the left side of your dashboard. The latest version will be available for updating there.

WordPress version

If your website is outdated, avoid complications by using a staging area to test out updates before updating on a live site. See below to learn how to set a staging area.

How to update themes and plugins on WordPress?

Out of date plugins are another gateway for hackers to attack your website. Using nulled themes and plugins -pirated copies of commercial themes and plugins offered for free- is another way that hackers gain access to your site.

If you don’t have time to check for updates every day, enable auto-updates. If you don’t like the idea of enabling auto-updates, at least check for updates weekly. Remember: each time you update your website, you strengthen it against cyber attacks.
Setting up a staging area for updates

A staging area is a clone of your website. You use this clone to test out changes you want to make on your website before making them on a live website. This way, you don’t risk making changes that can affect your website detrimentally without an option to reverse the actions. 

Tools to use to set a staging area for updates 
  1. WP Staging - Wp Staging is a staging area plugin available for installation on WordPress. This is the best option for a minimal admin process.
  2. UpdraftClone - UpdraftClone is a staging area solution by a notable product for different WordPress practices, UpdraftPlus.
  3. cPanel - Most hosting providers create a cPanel account on your behalf. All you have to do is login into your cPanel and follow the instructions. We don’t recommend this process for beginners.
  4. Set up using your hosting provider - Processes may differ depending on your hosting provider. First, check with your hosting provider if they offer the staging area option and take it from there (SiteGround, Kinsta, WP Engine, and others offer this.) 
  5. Local- Local can help you set up a local, offline version of your site on your computer. It is designed for tight integration with FlyWheel (hosting.)
Staging Area Tools

WP Staging and Local- plugin and service solutions for staging areas

C. Always backup your WordPress site prior to updating.

Occasionally plugins, themes, servers and WordPress versions are incompatible. And this can become apparent with your website breaking after you update any of this. 

The easiest way to recover a website broken by an update is to have an available and current backup.

Many hosting providers offer backups as part of their service.  However, the frequency with which they take and keep backups can make them unreliable to restore from.  Because of this, it's smart to take a backup just before updating.

WordPress Backup Tools
  1. UPDraftPlus - A highly regarded WordPress backup, restore and clone plugin.
  2. VaultPress - This plugin is great for e-commerce sites because it backs up every transaction in real-time. 
  3. Akeeba Backup- Akeeba offers backup software that makes your WordPress site easy to backup and transport.
Plugin Installation

D. Get a good hosting provider

Note: hosting impacts security, performance, and stability, but we've chosen to organize it here under the security heading because cheaper hosting often comes with security issues.

A good hosting provider will have the following:
  • Reliable and prompt technical support team.  This might be phone, chat, or ticket based.  It's less important that you can experience live communication (phone, chat) than getting competent help.  There are lots of hosts with live support solutions from incompetent technicians who will waste your time.
  • Stay up to date with security standards.
  • Not bare bones pricing.  Cheap hosts skimp on competent help and overstuff servers causing your site to get slower and slower as time passes.
Recommended hosting providers
  1. Rochen - Well run servers with a quick responding technical team.  Ticket based.  Good value for pricing.  cPanel hosting management.
  2. SiteGround - Good shared hosting at a bit more expensive pricing.  Tricky packages where the listed pricing can triple after the first invoice.  Forced 2 factor can make it cumbersome to get help from developers.  
  3. WordKeeper- Smaller hosting company with a strong WordPress support focus and a high standard of quality.
  4. WPEngine - Larger value added hosting provider with higher priced plans for larger businesses.
  5. Kinsta - Value added mid-tier hosting, with an advanced toolset and features (staging environment, DevKinsta dev environment, application profiler, Cloudflare partnership.)
  6. Flywheel - Value added mid-tier hosting, with an advanced toolset and features (Local dev environment, free malware cleanup via a Sucuri partnership, agency focused tools).

E. Have an SSL Certificate installed on your website

An SSL certificate is a digital certificate that authenticates your website's identity and enables an encrypted connection. When not installed, your WordPress site is not secure. When installed, it activates the https protocol that prompts a secure connection between your web server and the browser. 

This encryption protects information communicated from the visitor browser to your website.  E.g. when they enter a password to login or enter credit card numbers to purchase. An SSL certificate turns this information into an unbreakable cryptographic code third parties can't read.

SSL certificates also have a slight positive effect on search engine ranking in Google.

Insecure connection

What your users see when they try to access your website securely and you don't have an SSL certificate.

Most hosting providers offer to install a Let’s Encrypt free SSL certificate. But a commercial SSL certificate is the best option for E-commerce websites. If you don't have an active Let's Encrypt certificate on your website, ask your hosting providers to help you have one installed. 

F. Configure an application firewall

A firewall is an application that stands between your website and your visitors ensuring that hackers attacks fail to reach your website. It will filter out malicious HTTP traffic to your website. 

There are three types of firewalls. They all work at different levels to protect you: the DNS level firewall, the server level firewall, and the application level firewall.

Web Appllication Firewall

How to configure an application firewall?

DNS level firewalls 
  1. Cloudflare
  2. Sucuri
Application level firewalls
  1. Wordfence
  2. Titan security
  3. Admin Tools
  4. Jetpack
  5. WP Cerber Security
  6. Defender Security

Your website hosting should provide a server level firewall as part of the hosting.

G. Conduct regular site scans for security vulnerabilities

Sometimes hackers can place malware on your website without your knowledge. While your website will still function normally, the malware could be distributing anything from email redirection spam, and harmful content. 

A website with malware can potentially be deactivated from a hosting server and delisted from Google search results. 

Because of this, it is important to catch successful hacking attempts early and address the implications. A regular website scan can help you be up to date with your website's health. 

The above firewall plugins also provide site scans- if you set them up. 

Concerned your site might be hacked? Scan your website now with Google Transparency report.

This is not foolproof, but it will tell you whether Google has detected any suspicious activity linked to your site.

Malware scan

H. No old users have admin access or weak passwords

If your website has multiple users and administrators, all should have strong passwords that are difficult to hack. You should also remove anyone who previously had administrator access to your website to reduce the risk of hackers hacking your website via old users with weak passwords. 

You can control user access on your WordPress dashboard under the "Users" option.

2. Performance

According to Kissmetrics, 47% of visitors expect a website to load in less than 2 seconds, and 40% will leave the website if the loading process takes over 3 seconds.  A one second delay in page response can result in a 7% reduction in conversions. 

According to research completed by Pingdom, bounce rates for pages that take more than 3 seconds to load are on average 38%.  Compare this to a 9% bounce rate for a page that loads within 2 seconds. Your bounce can not only cost you customers, but it can also drag down your page rankings in Google.

Use the following WordPress best practices to improve your website performance. 

A. Compress images

Though fancy images make your site look good, they can also prevent you from having a fast-loading website.  Unoptimized high-resolution images consume a lot of bandwidth when they load, and as a result, they take longer to arrive at visitor's browsers and slow down the loading of your website.

The first thing to take into account is to use the lightest format for the image you want to load:

  • Jpeg images are the best format to use for photos because they have a slower loading time.
  • PNG and GIFs are great for graphic illustrations and should be used for that purpose.  GIFs tend to be smaller than PNG's but don't handle transparent overlays as well.
  • There are a variety of speed-friendly formats coming to modern browsers, but they're not quite ready for broad use.  

Beyond choosing the best format, you should still compress your images. Compression will help reduce image size and improve your website speed.

You can compress your images in your preferred graphic editing program, using an online tool, or by installing and implement a plugin like one of the below:

3 popular Image compression plugins
  1. Smush 
  2. Optimole
  3. Imagify
Image compressor

B. Enable website caching

Website caching is a process that stores website data like HTML and images in an easily accessible temporary location.

When this is cached, WordPress doesn't have to do the same work to load all of that information and this results in a quicker web page loading time.

Best WordPress Caching plugins to get you started
  1. WPRocket
  2. Hummingbird
  3. W3 Total Cache
  4. WP Super Cache

C. Use a Content Delivery Network

How far away is your server from your users?  Websites load faster when there is less physical distance between a server and the user. And this is where the content delivery network (CDN) comes in.

Content delivery is a system that uses multiple servers distributed around different locations. Storing your website’s images, CSS, javascript and HTML data, CDN's deliver this content from CDN servers that are in close proximity to visitors. This helps minimize website loading times.

There are different paid CDN services out there to choose from. However, Cloudflare and Jetpack both offer free CDN services. 

CDN

D. Minify CSS

Your website uses a sheet style language to describe how your HTML pages and posts should look (CSS).  However, most CSS files are filled with lots of unnecessary white space to make them easy for developers to read and modify.

By minifying CSS, you programmatically delete these unnecessary characters and ultimately reduce the size of your CSS file.  This in turn reduces loading time which improves user experience and search engine rankings.

You can minify CSS using a dedicated plugin such as WP Super Minify and Autoptimize. You can also use an online tool like CSS Minifier.

Optimization tools like W3 Total cache and Hummingbird (mentioned above under image compression) also have CSS minifying features.

E. Get your site load speed time under 2.5 seconds

If your website implements a majority of the best practices on this list, there is a good chance it loads in less than 2.5 seconds. 

To check, conduct a website loading speed test using GTmetrix. It will give you a detailed report on where your website is performing well and where to improve to reduce your load speed time. We recommend a score between A and B.

Google PageSpeed Insights is another important speed testing tool to check your CSS, JavaScript and other contents that slow down websites.  Target a minimum score of 70.

Tip - Check your website speed using both GTmetrix and Google PageSpeed insights for a more detailed view on possible slowness causes.

Gtmetrix example

F. Remove unused plugins and themes

Something we often see on customer sites lots of unnecessary, unused plugins and themes. The problem with these plugins is that, while serving no purpose, they're still loaded and processed and can slow down the WordPress response time.  Some are outdated and provide code hackers can exploit (even when they're disabled.)

Because of this, be sure to keep your site tidy and lean! 

3. Stability

For a stable website, the first step is to have a good hosting provider (see our list in "Security").

A good hosting provider will ensure the server is current, secure, and the server firewall is set up correctly.  They'll correctly resource the servers to prevent performance issues and manage maintenance professionally.

Besides relying on a good hosting provider, there are several things you can do to keep your site stable:

A. Set up automated backups

Many hosting providers offer to backup your website as part of their service. The problem is the backups are limited in frequency, so it's not guaranteed that they will always have a backup with the information you need.

Additionally, worse case scenarios do occur: we gained a new customer who had previously lost two years of work because his website and his hosting company's automatic backups were accidentally deleted.  All the hosting company said was, "Whoops!  We can offer you a two month off discount as a way of saying sorry?"  This happened at a popular hosting company (though we'll be nice and not say which one.)

Because of this, we recommend automated offsite backups via a WordPress plugin to provide redundancy.  Should your hosting provider backup fail, you can access your offsite backups to restore your website.

Offsite locations mean separate from your website server: DropBox, AWS, Box.com etc. 

You should set automated backups according to your website usage.  A busy website should probably have at least weekly database backups compared to a smaller website with less traffic.

automated backups example

UpdraftPlus backup configuration

Recommended WordPress backup services
  1. Vaultpress (Jetpack)
  2. Akeeba
  3. BlogVault
  4. UpdraftPlus
  5. BackupBuddy
  6. BackWPup

B. Test backups on a schedule (quarterly to yearly depending on how often your site's data changes)

Rarely, but still occurring, backup software can run into software conflicts and create an unrecoverable backup. That's why it's important to periodically test recovery.  Remember: a backup is only good if you can actually restore it.

See Security practices above for instructions on setting up a staging area.

C. Set up site monitoring

It's common for websites to go down for no apparent reason.  Typically, this is due to changes in the environment or a successful attack on the site.  Website monitoring services can alert you in real-time when this happens so that you can respond immediately.

Site monitoring services:
  1. Pingdom
  2. Jetpack
  3. Uptime Robot
  4. Super Monitoring

D. Link your website to Google Search Console

Google Search Console is a powerful service with different useful tools that monitor your website ranking on Google. This is also the primary place to submit XML sitemaps (see Marketing section).

Search Console helps monitor website performance focused on the following areas:

  • Search analytics - site’s impressions, clicks and position on Google
  • Content on Google - sitemaps, individual url crawling and index coverage
  • Website issues - affected URLs, mobile usability, breadcrumbs
  • Web pages - detailed page crawl, index and information about pages

As it relates to stability, Search Console can alert you when there are pages on your site not loading correctly for visitors.  This is important for all sites, but particularly for sites with more content and functionality.

Here is a step-by-step Search Console training by Google to get started.

Providing the same service but for the Bing search engine, Bing Websmaster Tools is another good tool to monitor website ranking factors.

Google Search Console

E. Use the latest PHP version

WordPress is written using an open source scripting language called PHP. Because of this, PHP is the main code used by WordPress to process user requests on your sites. PHP also fetches and interacts with data from your database.

Every now and then, a new PHP version is released. When this happens, you should update your site to use the latest PHP version.  Outdated PHP versions are a security risk that typically have vulnerabilities that are discovered as time passes. 

Additionally, newer versions of PHP are faster and will make your WP site load quicker.

4. Marketing

While Marketing is highly customized and specific to your situation, there are some best practices that form a strong foundation for all digital marketing in WordPress.  Follow the tips below to implement them.

A. Change permalinks to use key terms

Your users are able to access different pages and posts on your website separately because each page and post has a unique URL address.  In WordPress, we call this URL address a permalink.

Search engines use permalinks to determine what your pages are about, which means they are an important element of your SEO.  Because of this, it's important that your permalinks include any keywords you're targetting on that page.

Optimized permalinks should let users know which content to expect, and organize links in categories.  It’s your responsibility to change the default WordPress permalink configuration from numbers to a post name with a keyword.

Important! You should change permalinks when you first install WordPress. If your site is already live, you might need to create redirects for all existing pages into their new URLs to avoid creating 404 errors.

permalinks

The above is a common configuration that works well for SEO.

B. Set up a Google Analytics account and track your website

Google Analytics is a popular service by Google. Unlike Search Console, Analytics provides you free tools to assess visitor behavior on your website. Using this information, you can build informed marketing strategies.

Google Analytics metrics:

  • Real time data - Location, traffic sources, content, events, conversions
  • Audience - Demographics, interests, behavior, technology
  • Acquisition - Overall traffic, Google Ads, Marketing campaigns, social media
  • Behaviour - Site search, site content, site speed, events
  • Conversions - Goals, E-commerce, multi channel funnel
Google Search results example

C. Put a contact form on your website

It's important to give visitors a line of communication with you.  This will help with everything from them telling you about website errors to unanticipated business opportunities.  The simplest way to do this is to implement a contact form.

Most WordPress contact forms are drag and drop and very easy to use. Once you have one up, it will work to direct any sent messages to your email inbox without you having to put your email address on the web.

A contact form is also one way to build a mailing list (provided you ask for permission to send emails of course.)Easy to use contact forms plugins

  1. WPForms
  2. Contact Form 7
  3. Formidable Forms
  4. Ninja Forms
WordPress forms

D. Have an about page

About website pages are crucial for:

  • Lowering risk around your business or content
  • Building personal connections to visitors

It anchors your website, which exists in the nebulous medium of cyberspace, to real people and places.

The information you put on your about page should establish why you are a safe business to work with or a safe source of content.

Information to put on your about page.
  • Other businesses you've worked with
  • How long you've been in business
  • Where you're based
  • Testimonials from other customers
  • Pictures of you and your staff

E. Link social media accounts to feed traffic to your website

"Location, location, location!"  There's an old recommendation for brick and mortar businesses to set up shop on the busy streets of a town.

The busy streets of the Internet are on social media.  According to statista, Facebook alone has roughly 2.85 billion users each month.

When choosing a social media platform for your business, consider where your ideal target audience spends most of their time.

When it comes to the direction of visitors, you want to direct visitors from social media to your website- they should feed your site, not the other way around. 

This is because most conversions of customers happen on the website.  Additionally, you own your website and have full control of your property.  On social media sites, you are a renter at best (we have a recent customer whose business was decimated because it was entirely on Facebook and Facebook's AI cut their advertising reach and hamstrung their revenue.)

Because of these reasons, for most cases, we don't recommend setting up feeds or widgets from Facebook or Twitter on your site to your accounts on those networks.  Not only do they actively remove visitors from your site, but they also typically slow down the page load speed by loading additional javascript libraries and stylesheets.

F. Use a mobile responsive theme

Mobile web traffic accounts for 54.8% of all web traffic beating desktop and tablet (statisa). Chances are that most people visiting your website are on a cellphone.

In fact, Google bases your overall ranking in its search results on your mobile traffic and performance.

Given this, it is critical that your mobile performance is as good or better than your desktop performance. 

G. Create a XML Sitemap

Search engine bots crawl your website to find out what your website is about, the type of content you post and also to gauge your pages.  When you have a sitemap file in place, you provide these bots a map to crawl all your website pages. This is especially important if you have a big website with a lot of pages.

You can also manually submit your website sitemap to Search Console and Bing Webmaster Tools to be indexed and ranked for content you want to rank for.

Plugins that can help you create your XML sitemap:

Free online tools to create an XML sitemap (a quick option for sites that don't add content):

H. Remove Broken Links

Over time, website content is often changed or moved. 

Given this, it's important to keep track of any link changes and make sure all your links are up to date. This will provide your visitors with a better experience and will also give a little boost to your search engine ranking results. 

Use Ahrefs broken link checker or Dead Link Checker (more comprehensive) to check your website. 

Ahrefs Broken link checker

I. Posts and pages have a good readability score

People rarely make it to search engines' second page because they find what they are looking for somewhere in the content ranking on the first page. 

There are different factors that go into boosting content’s quality.  But often -and especially for niche content- what shows up is simply what is easiest to read and best communicates the answers the searcher is seeking.

Clear writing will also help to retain your readers' attention and reduce your bounce rate.

A shortcut to get an idea of how well written a page is is using a tool that provides a "readability score."  The popular SEO plugin Yoast is an example of this.  Readable is an example of a service that provides this.

SEO example

Yoast Example of Readability Score

Writing tools to achieve a good readability score 
  1. Grammarly 
  2. Hemmingway app
  3. ProwritingAid

J. Optimize pages and posts for SEO

Before we even get into optimizing web pages and posts, your content needs to:

  1. Be relevant to searchers
  2. Be presented in your user’s language - keywords, jargon, and phrases
Get the H1 Tag right

The H1 tag is the most important header tag in your pages and content because it lets search bots know what your page/post is about. How the title comes out also depends on your theme.

Work on your meta tags

Meta tags tell the search engine bots what your page is intended to be about. There are two important meta tags that work together to optimize your content.

Titles

A search engine result snippet shows a summarized pitch meant to entice readers to click on your website. In the snippet, the title is the first line that people see, so it has to count. Clear and properly formatted headings equal a clear and enticing search engine snippet which will earn your website visits and boost traffic.

Meta Description

The meta description is like your personal Ad in the Google search engine results telling people why they should read your content. So it should be well written. 

Often, Google will pull out its own meta description based on the post content. But having your own as backup is still important because it will still sometimes show.

For a solid snippet that earns clicks to your website, the title and the meta description have to compliment each other.

To avoid a high bounce rate, ensure the meta description matches the content on the page.

H1 tag example
A few good SEO audit services for WordPress sites:
  1. Semrush  
  2. Ahrefs 
  3. Moz
Plugins which can help you optimize your site:
  1. All In One SEO Pack
  2. Yoast 
  3. RankMath 
  4. SEOPress

Want help optimizing your website?

If you'd rather just hire an expert to get your site tuned up, please consider trying Site Steward out.  We have a special offer of 1 month of our Core support level for just $49.  During that time, we can run your site through this list.  Check it out here.

If not, no worries and we hope you found this guide useful!

Questions/comments?  Shoot us an email at This email address is being protected from spambots. You need JavaScript enabled to view it. 

John Hooley
President, Steward

John is a graduate of 10,000 Small Businesses, a certified Customer Acquisition Specialist, and a Zend Certified Engineer. He speaks and writes on connecting digital strategy to association goals. Outside of work he's an avid traveler, climber, diver, and a burgeoning sailor. He also volunteers with Rotary and Big Brothers Big Sisters.