WordPress is amazing & many modern websites run on the WordPress platform, and there’s good reason for that: it blends the power of a robust CMS with relative ease-of-use for those managing the site once it’s been built.
But unlike the “old days” when you would create a site in HTML and it was “finished” unless you needed to update it, WordPress has also introduced a new task for site owners: keeping it up-to-date. And I’m not talking about the content of the site, I’m talking about the WordPress (and plugin) software itself.
The following only applies if you have WordPress installed on your own hosting server (sometimes known as a WordPress.org site). If you’re not sure what kind of WordPress site you have, read about the difference between a custom install and WordPress.com here.
Here are my suggestions for how to keep your WordPress install in tip top shape…
- Take regular backups of your site. In the WordPress administration pages go to Tools > Export in the menu on the left and export all content (it will be an .XML file) and save it on your computer. You don’t need to keep multiples of these, so you can delete older backups as you create new ones. You should also take a database backup. I like the Complete Central Backup plugin, which you can set so that your site automatically creates a weekly database backup (under Settings > Backup in the WP Admin menu). You’ll want to make sure you have a database backup before you do an update of WordPress and/or the plugins. Keep a download of the most recent backup on your computer using the Download icon listed for each backup. Doing both of these things is the belt & suspenders approach.
- Do regular updates of both WordPress and Plugins. Available updates are indicated in the top toolbar of your WordPress administration pages with a circular arrows icon. Often these updates plug security holes. Note that WordPress can now apply security updates automatically & that is the default, so that may not be something you need to worry about as often, but major versions will still require you to do a manual update. Make sure you get a backup of your site before you do this.
- Create & maintain a strong password for all users. Make sure your WordPress password is a strong one by including upper and lower case letters in addition to numbers and other characters like punctuation marks. Using a made-up or unique word is better than one from the dictionary, but please don’t use anything to do with your domain name.
- Be careful about what comments you approve. If comments are enabled for your site & they seem at all suspicious, you’re better off not approving them and instead, mark them as spam. The spam filter Akismet (which comes with most WordPress sites as a plugin) does a better job for you if you mark spam comments as such. Make sure to empty the spam comments regularly by going to Comments in the WP Admin menu and clicking on Spam, then the Empty Spam button.
- Check for malware. I like the Wordfence plugin as a virus/malware scanner. Once it’s installed you’ll be able to set it to alert you via email if it discovers anything suspicious during its daily automated scan. If it finds anything, just visit the Wordfence section in the WordPress administration menu (it’ll be at or near the bottom) and view the results of your most recent scan. It will display any issues for you and you can resolve them right there.
Keep in mind when updating WordPress and/or plugins that they rely on technology that is in use on your web hosting server, such as PHP. If a plugin requires a newer version of PHP than you have installed on your server, it’ll break, and might even break your whole site. So make sure to check whether an update has any such requirement and check in with your web hosting service to make sure you’re good-to-go. If you need an upgrade to PHP, they can handle that for you. If they don’t, it might be time to consider getting a better, modern web host!
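One way to run the PHP requirement check described above before updating, as an added example that is not part of the original post: the script reads the `Requires PHP` line that WordPress plugins declare in their main file header and compares it with the server's PHP version. The plugin slugs, the sample headers and the `<plugins_dir>/<slug>/<file>.php` layout are assumptions made for illustration.

```python
import re
from pathlib import Path

# "Requires PHP" line as declared in a plugin's main PHP file header.
HEADER_RE = re.compile(r"^[ \t/*#@]*Requires PHP:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(text):
    """'8.1' -> (8, 1, 0); '7.4.33-0ubuntu1' -> (7, 4, 33)."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a PHP version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def required_php(header_text):
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None

def load_headers(plugins_dir):
    """Assumed layout: <plugins_dir>/<slug>/<file>.php; keep files with a plugin header."""
    headers = {}
    for path in sorted(Path(plugins_dir).glob("*/*.php")):
        head = path.read_text(errors="replace")[:8192]
        if "Plugin Name:" in head:
            headers[path.parent.name] = head
    return headers

def check_plugins(headers, server_php):
    """Return (slug, status, required) rows; 'blocked' means the server's PHP is too old."""
    server = parse_version(server_php)
    rows = []
    for slug, text in sorted(headers.items()):
        req = required_php(text)
        if req is None:
            status = "unknown"  # nothing declared: check the plugin's page or ask the host
        else:
            status = "blocked" if parse_version(req) > server else "ok"
        rows.append((slug, status, req))
    return rows

# Constructed sample headers (hypothetical plugin slugs, not real plugins).
SAMPLE = {
    "example-gallery": "<?php\n/*\n * Plugin Name: Example Gallery\n * Requires PHP: 8.1\n */",
    "example-forms": "<?php\n/**\n * Plugin Name: Example Forms\n * Requires PHP: 7.4\n */",
    "example-legacy": "<?php\n/*\nPlugin Name: Example Legacy\nVersion: 1.0\n*/",
}

if __name__ == "__main__":
    for slug, status, req in check_plugins(SAMPLE, "7.4.33"):
        print(f"{slug:16} requires PHP {req or '?':5} -> {status}")
```

To check a real site, pass the result of `load_headers()` on a downloaded copy of the plugins folder together with the PHP version your host reports.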