Hello clients, subscribers, friends!
Happy New Year! I hope you’re enjoying a cozy, mellow and safe holiday season.
I’m writing with an important, albeit long and dry, winter reminder (unfortunately, this isn’t just a reference to California’s current weather): now is a good time to update all of your web-related passwords and back up and upgrade your WordPress websites.
All online software is at risk to security vulnerabilities, and WordPress is no exception. However, you can do a lot to keep your site protected, as well as ensure that— if you ever do experience a vulnerability— restoring your site is as simple as possible.
If you have a technical support plan or a managed host, some of the following may not be relevant. However, anyone who owns a website should routinely update their own passwords and monitor the health of their site to ensure that everything is up to date, backed up and secure.
First a warning: WordPress upgrades can sometimes (though rarely) get stuck and/or cause conflicts with plugins, themes or server software. Please schedule your upgrades during a time when your website isn’t mission critical. You can also contact me to be available if your upgrades happen to cause problems, or you can schedule me to do the backups/upgrades for you. In addition, it’s always important to back up and download your files and database before running upgrades (see #2 below).
Now on to the to-do list…
1) CHANGE PASSWORDS & CLEAN UP ACCOUNTS
Update all of your website-related passwords, including: hosting account login, cPanel login (if your host has this tool and if the login is different than the hosting account), all FTP accounts (these are typically changed within the host’s management tool or cPanel), and all WordPress accounts (these are changed in your site’s WordPress backend under ‘Users’). If there are any old or unnecessary FTP and/or WordPress accounts, remove those. If you find any suspicious accounts, see #6 below. Be sure to use strong passwords and store them in a secure manner. While you’re at it, you might as well update your domain registrar, email and other online passwords too.
2) BACK UP FILES & DATABASE
First, make sure your WordPress install includes a file and database back up plugin. To do this, go to your WordPress backend, then ‘Plugins’ > ‘Add New’. Search for ‘backupwordpress’ and find the plugin titled BackUpWordPress by Human Made Limited. If not already marked as Active, click ‘Install Now’ then ‘Activate.’
Now go to ‘Tools’ > ‘Backups’ and click on ‘Settings.’ For the backup option, select ‘Both Database & Files.’ For the other settings, you can configure this however you want (I like to schedule backups once monthly with 3 backups stored on the server). Click ‘Done’ then ‘Run Now.’ Once the backup is complete, click ‘Download.’ Save the downloaded zip to your computer, as well as to cloud storage and/or a backup drive. Should anything malicious ever happen to your website, having a clean and current database and set of files will be important.
3) UPGRADE & CLEAN UP PLUGINS
In the WordPress backend, go to the ‘Plugins’ panel. You’ll see notices next to the plugins that have updates available— click on ‘update now’ for each of these. If you’ve installed any plugins that you don’t need anymore, you can remove these by clicking ‘Deactivate’ then ‘Delete.’
4) UPDATE THEMES & WORDPRESS
In the WordPress backend, go to the ‘Dashboard’ > ‘Updates’ panel. Under Themes, select all that have updates available, then click on ‘Update Themes.’ Next, if you see ‘An updated version of WordPress is available,’ click on the blue ‘Update Now’ button.
Empty your browser’s cache and click through the frontend of your website to make sure everything looks correct. Test contact forms, transactions and any other advanced functions. If you’re happy with everything, repeat step #2 to be sure you have the latest and greatest backup of your site.
6) ISSUES OR CONCERNS
If you run into any issues or concerns along the way, please feel free to contact me. Other helpful resources you might be interested in include:
- The free malware scanner by Sucuri, as well as Sucuri’s monitoring and cleanup offerings
- Managed WordPress hosting offered by Flywheel, which includes backups, WordPress updates, security monitoring and malware removal (other hosts offer these types of services too, so you may want to see what’s available with your current plan)
- Much more information about WordPress security is available in the WordPress codex, at WP Beginner and at Yoast.com
Whew! If you made it this far, thank you! Even if you didn’t make it this far, thank you! I’ve been so lucky to work with such wonderful, kind and creative people over the past decade. I’m continually inspired by the good work you all do.
Wishing you all the best in the year to come,