WordPress maintenance done right

Content

1. Why regular maintenance of WordPress websites is important
2. Maintenance of large websites
3. Maintenance of small websites
4. Best Practices for Updates
5. Tools & Automation
6. Legal & GDPR
7. Conclusion

WordPress is a very widespread and popular CMS (content management system) that is also open source. Open source means that the code can be viewed by everyone. Open source also means that security vulnerabilities are disclosed and can therefore be viewed by everyone. This makes it all the easier for hackers to exploit known security vulnerabilities and try to hack into WordPress installations. Such hacks are usually automated: Bots systematically search the web for known security gaps and as soon as they find a vulnerability, they automatically exploit it.

This can have very different consequences for a website.

Depending on the hack, the website can be used to

• send spam emails
• create links to dubious websites
• redirect to dubious websites
• ...

In the worst case, the website is deleted completely.

To avoid all of these things, you can only try to keep your website and the underlying system - in this case WordPress - as up-to-date as possible and follow a few rules to prevent the above-mentioned things from happening.

In this article, we look at the regular maintenance of WordPress websites and what you need to bear in mind.

Regular maintenance is a must for large and highly frequented websites, blogs or online stores. Not only because the importance for your own business (or that of your customers) is probably greater than for small websites, but also because a failure or loss of data can cause considerable damage.

With regular maintenance and monitoring, you can work preventively and largely prevent outages, hacked sites and data theft.

What does the maintenance of large WordPress instances look like?

• Update all plugins once a week or if necessary when devastating security vulnerabilities occur
• WordPress core update once a week if necessary
• Close monitoring to detect errors quickly
• Server monitoring to detect and track errors in code or SQL queries in order to optimize the system
  • Fixing errors in the code
  • Replace plugins that cause problems
  • Set caching for certain things
• Check the Google Search Console weekly to identify problems
  • Access pages that trigger 404
  • Accessing pages that trigger 503
  • Incorrect redirects
  • Page views from pages that should not be in the index
• Weekly check of website access via a tracking tool such as Google Analytics or Matomo
  • Is the tracking working?
  • Which pages are being accessed?
  • Are the campaigns working?
• Regularly check the WordPress users and their authorization
  • Have any employees left the company?
  • Do users need to be deactivated?
  • Are there too many rights for users?
  • Are there users that no one can assign?
• Regularly check the plugins
  • Are all plugins that are installed actually being used?
  • Are there outdated plugins that are no longer maintained?
• Perform a performance check with Google Lighthouse once a week
  • Check the start page
  • Check at least one subpage
• Daily backup of the database and the file system, which is stored outside the web space
  • Data export to another server
  • Data export to a Dropbox in a cloud service
• Precise documentation of updates and adjustments so that you can always see what happened and when.
  • This helps immensely with troubleshooting
  • It provides an overview of the activities carried out at all times

For smaller websites that are less frequented and where the content does not change very much, updates can be carried out at shorter intervals.

Caution: Just because a website is small and has few visitors does not mean that it is less susceptible to being hacked. Hackers don't choose websites based on their popularity, they simply scan the web for WordPress websites and exploit security gaps automatically. It is often the inconspicuous websites that have not been maintained for ages that fall victim to hacker attacks.

What should I bear in mind when maintaining smaller websites?

• Update all plugins once a month or as needed when security vulnerabilities arise
• WordPress core update, if necessary
• Regular backups, preferably before every update
• Regular monitoring to detect problems, such as
  • Error pages
  • SSL problems (errors when renewing certificates)
• Server monitoring to recognize when, for example, PHP and MySQL updates need to be made (or the version in the admin panel needs to be changed by the hoster)
• Monthly check of the Google Search Console to identify problems
  • Access to pages that trigger 404
  • Access to pages that trigger 503
  • Incorrect redirects
  • Page views from pages that should not be in the index
• Monthly check of website access via a tracking tool such as Google Analytics or Matomo
  • Does the tracking work?
  • Which pages are accessed?
  • Are the campaigns working?
• Documentation of updates and adjustments so that you can always see what happened and when.
  • This helps immensely with troubleshooting
  • It provides an overview of the activities carried out at all times
  • You can provide customers with proof of the work involved and provide evidence of the activities

1. Never update directly on the live site

• Always check in a test environment first.
• Check whether plugins, themes and customizations still work.

2. Backup before every update

• Make a complete backup (files + database) before every plugin, theme or core update.
• Ideally automated and tested.

3. Plan the timing well

• Do not carry out updates shortly before closing time or at the weekend.
• The best time is in the morning, when there is still time for bug fixing.
• For some projects, updates in the evening can also be advantageous when there is less access.

4. Do not install every update immediately

• Wait 1-2 days to see if bugs become known (especially for major releases).
• Exception: Critical security updates - these should be installed as quickly as possible.

5. Check compatibility

• Read the changelog: What has changed? Is my setup affected?
• Check compatibility with PHP version, WordPress version, other plugins/themes.

6. Observe the sequence

• Update themes first, then plugins, then the WordPress core.
• This makes it easier to control dependencies.

7. Activate automatic updates only selectively

• Auto-updates can be useful for non-critical, well-maintained plugins, but should still be used with caution.
• Never for complex or security-relevant plugins, e.g. WooCommerce, membership or form plugins.

8. Test after the update

• Click through all important functions (contact forms, orders, logins, etc.) 
• Check frontend + backend, also mobile.

9. Keep an update log

• Briefly document what was updated, when and by whom. 
• Helps with troubleshooting if something no longer works later.

10. Use deployment strategy (if available)

• Install updates via GIT/CI/CD: test locally → staging → production 
• Clear processes help to minimize errors and downtimes.

To maintain a website well, you can use a number of tools that make it much easier to monitor several websites at the same time.

We have listed a few tools for the different categories here:

Tracking of website accesses

• Google Analytics
• Matomo

Website monitoring

• SYSSY
• Uptime Robot
• Pingdom
• Uptrends

Server monitoring

• SYSSY
• Wordfence
• Dynatrace
• New Relic

SEO

• SYSSY (Rudimentäre Checks)
• Google Search Console (kostenlos)
• Screaming Frog (kostenlos für kleine Websites)
• XOVI (kostenpflichtig)
• Sistrix (kostenpflichtig)

Performance

• Google Lighthouse

With SYSSY you can cover many things to perform and document good maintenance. SYSSY was created precisely out of this need to monitor and maintain many websites of different sizes.

If important user data is stored in a CMS, updates should be carried out regularly and the website should be monitored for security vulnerabilities.

The GDPR also requires you to protect user data and carry out security updates so that user data is not compromised. Particular caution is required, especially in online stores where payment data may also be stored.

Attention: GDPR & security - As soon as personal data is processed, you are obliged to technically secure your website - this also includes regular security updates and access controls.

A WordPress website is not a sure-fire success - regular maintenance is mandatory. If you delay updates or recognize problems too late, you risk not only security vulnerabilities, but also SEO losses or data loss.

The most important things in a nutshell:

• Regular updates: Update plugins, themes and core weekly or monthly - depending on the size of the website.
• Backups before every update: Ideally automated - and test restores regularly.
• Test first, then live: Ideally, updates should be tested in a test environment before they go live.
• Set up monitoring: Detect errors, downtimes or security gaps at an early stage - with server and site monitoring.
• Check Analytics & Search Console regularly: Keep an eye on indexing problems, 404 errors and campaigns.
• Use automation, but with caution: Only use auto-updates if you are sure that they will not cause any problems.
• Document maintenance: Especially important if several people are working on the site.

With a clear maintenance process, your WordPress website remains stable, secure and performant - and you have your head free for content and growth.

Summarized for the quick readers

• Always test first
• Backups before every update
• Maintain the update rhythm
• Automate monitoring + tracking
• Take security vulnerabilities seriously

Let us help you with website management

Do you want help with website management and monitoring?
SYSSY works for you in the background!

Register now for free