The WordPress Best Practices Checklist

A Detailed Guide to Getting Your Site Running Optimally

Setting up your WordPress website correctly is essential to minimising problems later. You may have installed plugins that cause problems or have vulnerabilities that open your site to being hacked.

We get a lot of questions like this from customers and decided to create a checklist to help site owners like you.

We wrote this checklist based on our 14+ years in business. We interviewed a separate panel of WordPress consultants to create the best possible list of recommendations from the widest variety of experiences.

We curated their responses and combined them with our insights to create a list of WordPress best practices organised into four key areas: security, performance, stability and marketing.

Read on for an epic guide with detailed recommendations for each best practice.

1. Security

The moment you launch your website, you should immediately implement security measures. Your website is under continual and automated probing by hacker scripts to find vulnerabilities and exploit them.

You may think, “My site isn’t that important and won’t be a target,” but hackers can benefit from any website. They may use your site to:

  • Deliver malware to your visitors
  • Route spam emails from unrelated websites
  • Host a hidden page that impersonates another website and scam people who have nothing to do with you

If your website is hacked, your web host will often take it offline to limit the damage it is causing. Typically, they will restore it once you have cleaned up your site files and database and removed all of the hacker’s changes.

If the hack goes unnoticed for long enough, Google will remove your website from its search results, and your visitors’ anti-virus software may start blocking access to your site.

In these cases, getting removed from security blocklists and reopening to the public can take weeks.

Protect your website by applying these WordPress security tips.

A. Change WordPress default admin name and set a strong password

How to set a strong password?

A password should have no ties to your personal information, nor should it be a common word. Combining numbers, symbols, and lower and upper case letters is a standard rule for setting a strong password.

But it is length that makes a password strong, so make your password as long as possible.

Password cracking: compare a short, complex password, “3$2Llm_2”, with a longer, simpler one, “Disney_hooray#mamas_boat39”. Longer passwords are more secure!
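As an added illustration, not code from the original checklist, the Python below estimates the brute-force search space of the two passwords quoted above and, for the passphrase, a more pessimistic dictionary-based estimate. The attacker guess rate and the 50,000-word dictionary size are assumptions made for the arithmetic.

```python
import math
import re
import string

# Character-class sizes for the brute-force search-space estimate.
# The symbol count follows string.punctuation (32 characters).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

# Assumed attacker speed: 10 billion guesses per second, roughly a GPU rig
# against a fast hash. This figure is an assumption, not from the checklist.
GUESSES_PER_SECOND = 10_000_000_000

# Assumed size of the word list a dictionary attack would draw words from.
DICTIONARY_SIZE = 50_000


def charset_size(password: str) -> int:
    """Sum the sizes of every character class the password draws from."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation or c == " ":
            classes.add("symbol")
    return sum(CLASS_SIZES[k] for k in classes)


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(charset size)."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(password: str) -> float:
    """Pessimistic estimate for word-built passwords: each run of letters is
    one guess from a DICTIONARY_SIZE word list, and every other character is
    guessed from its own class. Only meaningful when the letter runs really
    are dictionary words."""
    words = re.findall(r"[A-Za-z]+", password)
    bits = len(words) * math.log2(DICTIONARY_SIZE)
    for c in password:
        if c.isdigit():
            bits += math.log2(CLASS_SIZES["digit"])
        elif not c.isalpha():
            bits += math.log2(CLASS_SIZES["symbol"])
    return bits


def crack_time_seconds(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password: half the search space at `rate`."""
    return 2 ** (bits - 1) / rate


if __name__ == "__main__":
    short, long = "3$2Llm_2", "Disney_hooray#mamas_boat39"
    for pw in (short, long):
        print(f"{pw!r}: {len(pw)} chars, charset {charset_size(pw)}, "
              f"brute force {entropy_bits(pw):.1f} bits, "
              f"~{crack_time_seconds(entropy_bits(pw)) / 86400:.1f} days")
    # Even when the attacker treats the passphrase as words rather than
    # characters, it still beats the short password's brute-force estimate.
    print(f"{long!r} as dictionary words: {passphrase_bits(long):.1f} bits")
```

The short password sits at roughly 52 bits, a few days at the assumed rate, while the passphrase is over 84 bits even under the word-based model.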

To change your password, click “Howdy, <your name>” at the top right of your WordPress dashboard. Choose the “Edit Profile” option, then scroll down until you reach the “Set New Password” option.

Changing WordPress username from admin

“Admin” is the default username for WordPress websites. If you leave your username as “admin,” you’ll give hackers a username to run password-guessing programs against. You’re giving them half of the puzzle.

But suppose you change your username from “admin” to something else. In that case, they’ll have to figure out the username and password to attack you successfully.

It’s not possible to change your username in WordPress using the same method as changing your full name or password, but there are a few ways around that.

  • Method 1: Create a new user and delete the old one
  • Method 2: Change your username by using a plugin
  • Method 3: Change your WordPress username using your web hosting control panel’s phpMyAdmin

B. Update plugins, themes and WordPress regularly

You only have to update the WordPress Core when a new version is released, and WordPress will let you know through your dashboard when this happens.

Each WordPress version is released to improve performance, fix bugs, refine existing features and improve security.

Hackers can identify new WordPress vulnerabilities by monitoring released patches, as WordPress is open-source software.

When you don’t update your WordPress core, your site will operate on publicly published vulnerabilities hackers know of and can exploit.

There is no standing still with security updates: you always become more secure when you upgrade and less secure when you don’t (this is true for themes and plugins too).

To see your website’s version, scroll down on your dashboard page and look at the bottom right. It should be there.

To update, click “Updates” on the left side of your dashboard. The latest version will be available for updating there.

How to get to WordPress updates

If your website is outdated, avoid complications by using a staging area to test out updates before updating on a live site. See below to learn how to set up a staging area.

How to update themes and plugins on WordPress?

Out-of-date plugins are another gateway for hackers to attack your website. Using nulled themes and plugins – pirated copies of commercial themes and plugins offered for free – is another way hackers gain access to your site.

Enable auto-updates if you don’t have time to check for updates daily. If you don’t like the idea of enabling auto-updates, at least check for updates weekly. Remember: each time you update your website, you strengthen it against cyber attacks.

Setting up a staging area for updates

A staging area is a clone of your website. You use this clone to test out changes you want to make on your website before making them on a live website. This way, you don’t risk making changes that can affect your website detrimentally without an option to reverse the actions.

Tools to use to set a staging area for updates 

  1. WP Staging – WP Staging is a staging area plugin available for installation on WordPress. WP Staging is the best option for a minimal admin process.
  2. UpdraftClone – UpdraftClone is a staging area solution by the maker of a different WordPress plugin, UpdraftPlus.
  3. cPanel – Most hosting providers create a cPanel account on your behalf. All you have to do is log in to your cPanel and follow the instructions. We don’t recommend this process for beginners.
  4. Set up using your hosting provider – Processes may differ depending on your hosting provider. First, check with your hosting provider if they offer the staging area option and take it from there (SiteGround, Kinsta, WP Engine, and others have this feature.)
  5. Local – Local can help you set up a local, offline version of your site on your computer. The people behind Local designed it for tight integration with Flywheel and WP Engine.

WP Staging and Local- plugin and service solutions for staging areas

C. Always back up your WordPress site before updating.

Occasionally plugins, themes, servers and WordPress versions are incompatible, and this often becomes apparent only when your website breaks after you update one of them.

The easiest way to recover a website broken by an update is to have an available and current backup.

Many hosting providers offer backups as part of their service. However, the frequency with which they take and keep backups can make them unreliable to restore from. Because of this, it’s wise to take a backup just before updating.

WordPress backup tools

  1. UpdraftPlus – A highly regarded WordPress backup, restore and clone plugin.
  2. VaultPress – This plugin is great for e-commerce sites because it backs up every real-time transaction.
  3. Akeeba Backup – Akeeba offers backup software that makes your WordPress site easy to back up and transport.

D. Get a good hosting provider

Note: hosting impacts security, performance, and stability, but we’ve chosen to organise it here under the security heading because cheaper hosting often comes with security issues.

A good hosting provider will have the following:

  • A reliable and prompt technical support team. Support may be available by phone, chat or a ticket system. Live communication (phone, chat) matters less than getting competent help: there are lots of hosts with live support staffed by incompetent technicians who will waste your time.
  • Staying up to date with security standards.
  • Pricing that isn’t bare-bones. Cheap hosts like Host Papa tend to lack competent help, and they overstuff servers, causing your site to get slower and slower as time passes.

Recommended hosting providers

  1. Rochen – Well-run servers with a quick-responding technical team. Ticket based. Good value for pricing. cPanel hosting management.
  2. SiteGround – Good shared hosting at a bit more expensive pricing. Tricky packages where the listed pricing can triple after the first invoice. Forced 2-factor authentication can make it cumbersome to get help from developers.
  3. WordKeeper – A smaller hosting company with a whole WordPress support focus and a high-quality standard.
  4. WPEngine – Larger value-added hosting provider with higher-priced plans for larger businesses.
  5. Kinsta – Value-added mid-tier hosting with an advanced toolset and features (staging environment, DevKinsta dev environment, application profiler, Cloudflare partnership.)
  6. Flywheel – Value-added mid-tier hosting with an advanced toolset and features (Local dev environment, free malware cleanup via a Sucuri partnership, agency-focused tools).

E. Have an SSL Certificate installed on your website

An SSL certificate is a digital certificate that authenticates your website’s identity and enables an encrypted connection. When not installed, your WordPress site is not secure. When installed, it enables HTTPS, which establishes a secure connection between your web server and the browser.

This encryption protects information sent from the visitor’s browser to your website, e.g. when they enter a password to log in or enter credit card numbers to purchase. With an SSL certificate in place, this information is encrypted in transit so that third parties can’t read it.

SSL certificates also have a slightly positive effect on search engine ranking in Google.

An insecure website connection

Your users see this when they try to access your website securely, and you don’t have an SSL certificate.

Most hosting providers offer to install a free Let’s Encrypt SSL certificate. A commercial SSL certificate is the best option for e-commerce websites. If you don’t have an active Let’s Encrypt certificate on your website, ask your hosting provider to help install one.

F. Configure an application firewall

A firewall is an application between your website and visitors, ensuring that hackers’ attacks fail to reach your website. It will filter out malicious HTTP traffic to your website.

There are three types of firewalls. They all work at different levels to protect you: the DNS level firewall, the server level firewall, and the application level firewall.

How to configure an application firewall?

DNS level firewalls

  1. Cloudflare
  2. Sucuri

Application level firewalls

  1. Wordfence
  2. Titan security
  3. Admin Tools
  4. Jetpack
  5. WP Cerber Security
  6. Defender Security

Your website hosting should provide a server-level firewall as part of the hosting.

G. Conduct regular site scans for security vulnerabilities

Sometimes hackers can place malware on your website without your knowledge. While your website will still function normally, the malware could be doing anything from redirecting email to sending spam or serving harmful content.

A website with malware can be deactivated from a hosting server and delisted from Google search results.

Because of this, it is essential to catch successful hacking attempts early and address the implications. A regular website scan can help you improve your website’s health.

The firewall plugins listed above also provide site scans, if you set them up.

If you are concerned your website may be hacked, scan it now with the Google Transparency Report. This is not foolproof, but it will tell you whether Google has detected any suspicious activity linked to your site.

Google found no unsafe content

H. No old users have admin access or weak passwords

If your website has multiple users and administrators, all of them should have strong passwords that are difficult to crack. You should also remove anyone who previously had administrator access to your website, to reduce the risk of attackers getting in through old accounts with weak passwords.

You can control user access on your WordPress dashboard under the “Users” option.

2. Performance

According to Kissmetrics, 47% of visitors expect a website to load in less than 2 seconds, and 40% will leave the website if the loading process takes over 3 seconds.  

A one-second delay in page response can result in a 7% reduction in conversions.

According to research completed by Pingdom, bounce rates for pages that take more than 3 seconds to load are, on average, 38%. Compare this to a 9% bounce rate for a page that loads within 2 seconds. Your bounce can cost you customers and drag down your page rankings in Google.

Use the following WordPress best practices to improve your website performance.

A. Compress images

Though fancy images make your site look good, they can also prevent you from having a fast-loading website. Unoptimised high-resolution images consume a lot of bandwidth when they load. As a result, they take longer to arrive at visitors’ browsers and slow down your website’s loading.

The first thing to take into account is to use the lightest format for the image you want to load:

  • JPEG is the best format to use for photos because it produces much smaller files, which load faster.
  • Use PNG and GIF for graphic illustrations. GIFs tend to be smaller than PNGs but don’t handle transparency as well as PNGs.
  • Newer, more efficient formats are arriving in modern browsers, but browser support isn’t yet universal enough for general use.

Beyond choosing the best format, you should still compress your images. Compression will help reduce image size and improve your website speed.

You can compress your images in your preferred graphic editing program, using an online tool, or by installing and implementing a plugin like one of the below:

Three popular Image compression plugins

  1. Smush
  2. Optimole
  3. Imagify

B. Enable website caching

Website caching is a process that stores website data like HTML and images in an easily accessible temporary location.

When this is cached, WordPress doesn’t have to do the same work to load all that information, resulting in a quicker web page loading time.

Best WordPress Caching plugins to get you started

  1. WPRocket
  2. Hummingbird
  3. W3 Total Cache
  4. WP Super Cache

C. Use a Content Delivery Network

How far away is your server from your users? Websites load faster when there is less physical distance between a server and the user. And this is where the content delivery network (CDN) comes in.

A content delivery network is a system of multiple servers distributed across different locations. CDNs store your website’s images, CSS, JavaScript and HTML and deliver this content from the CDN server closest to each visitor.

CDNs help minimise website loading times.

There are different paid CDN services out there to choose from. However, Cloudflare and Jetpack both offer free CDN services.

D. Minify CSS

Your website uses a style sheet language (CSS) to describe how your HTML pages and posts should look. However, most CSS files are filled with white space and comments that make them easier for developers to read and modify but are unnecessary for the browser.

By minifying CSS, you programmatically delete these unnecessary characters and ultimately reduce the size of your CSS file. Minified CSS reduces loading time, improving user experience and search engine rankings.

You can minify CSS using a dedicated plugin like WP Super Minify and Autoptimize. You can also use an online tool like CSS Minifier.

Optimisation tools like W3 Total Cache and Hummingbird (mentioned above under website caching) also have CSS-minifying features.
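An added example, not code from the page or from any of the plugins named above: a small Python minifier that performs the steps described (strip comments, collapse white space, drop the redundant final semicolon) on a constructed stylesheet. It does not protect quoted strings, so a value like content: "a ; b" would be altered; real minifiers handle that case.

```python
import re

# Constructed sample stylesheet (not from the page): comments, indentation,
# blank lines and a trailing semicolon, all of which a minifier can drop.
SAMPLE_CSS = """
/* Header styles */
.site-header {
    color : #333 ;
    margin: 0 auto;   /* centre it */
}

a > span ,
a:hover {
    text-decoration: none;
}
"""


def minify_css(css: str) -> str:
    """Return the stylesheet with everything the browser does not need removed."""
    # 1. Strip block comments (CSS has no line comments).
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)
    # 2. Collapse every run of white space (including newlines) to one space.
    css = re.sub(r"\s+", " ", css)
    # 3. Remove spaces on either side of structural punctuation. Spaces inside
    #    values such as "0 auto" or "calc(100% - 10px)" are kept.
    css = re.sub(r"\s*([{}:;,>])\s*", r"\1", css)
    # 4. The semicolon before a closing brace is optional; drop it.
    css = css.replace(";}", "}")
    return css.strip()


def saving_ratio(original: str, minified: str) -> float:
    """Fraction of bytes removed, e.g. 0.49 means 49% smaller."""
    return 1 - len(minified.encode()) / len(original.encode())


if __name__ == "__main__":
    out = minify_css(SAMPLE_CSS)
    print(out)
    print(f"{saving_ratio(SAMPLE_CSS, out):.0%} smaller")
```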

E. Get your site load speed time under 2.5 seconds

If your website implements most of the best practices on this list, it will likely load in less than 2.5 seconds.

To check, conduct a website loading speed test using GTmetrix.

It will give a detailed report on your website’s performance and where to improve to reduce load time. We recommend a score between A and B.

Google PageSpeed Insights is another important speed testing tool to check your CSS, JavaScript and other contents that slow down websites. Target a minimum score of 70.

Tip – Check your website speed with both GTmetrix and Google PageSpeed Insights for a more detailed view of possible causes of slowness.

F. Remove unused plugins and themes

We often see many unnecessary, unused plugins and themes on customer sites. The problem with these plugins is that they’re still loaded and processed while serving no purpose, which can slow down the WordPress response time. Some are outdated and contain code hackers can exploit (even when disabled).

Because of this, be sure to keep your site tidy and lean!

3. Stability

For a stable website, the first step is to have a good hosting provider (see our list in “Security”). A good hosting provider will ensure the server is current and secure and that the firewall is correctly set up. They’ll resource the servers correctly to prevent performance issues and manage maintenance professionally.

Besides relying on a good hosting provider, there are several things you can do to keep your site stable:

A. Set up automated backups

Many hosting providers offer to back up your website as part of their service. The problem is that these backups are limited in frequency, so there’s no guarantee that one will contain the data you need.

Additionally, worst-case scenarios occur: we gained a new customer who had previously lost two years of work because his hosting company accidentally deleted his automatic backups. All the hosting company said was, “Whoops! We can offer you a two-month discount as a way of saying sorry?”

This event happened at a famous hosting company (though we’ll be nice and not say which one).

Because of this, we recommend automated offsite backups via a WordPress plugin to provide redundancy. Should your hosting provider backup fail, you can access your offsite backups to restore your website.

Offsite means separate from your website server: Dropbox, AWS, etc.

You should set automated backups according to your website usage. A busy website should have at least weekly database backups compared to a smaller website with less traffic.

UpdraftPlus backup configuration

Recommended WordPress backup services

  1. VaultPress (Jetpack)
  2. Akeeba
  3. BlogVault
  4. UpdraftPlus
  5. BackupBuddy
  6. BackWPup

B. Test backups on a schedule (quarterly to yearly, depending on how often your site’s data changes)

Rarely, backup software runs into software conflicts and creates an unrecoverable backup. That’s why it’s essential to test recovery periodically. Remember: a backup is only good if you can restore it.

See the Security practices above for instructions on setting up a staging area.

C. Set up site monitoring

It’s common for websites to go down for no apparent reason. Typically, this is due to environmental changes or a successful attack on the site. Website monitoring services can alert you in real time when this happens so that you can respond immediately.

Site monitoring services:

  1. Pingdom
  2. Jetpack
  3. Uptime Robot
  4. Super Monitoring

D. Link your website to Google Search Console

Google Search Console is a powerful service with valuable tools that monitor your website ranking on Google. Google Search Console is also the primary place to submit XML sitemaps (see Marketing section).

Search Console helps monitor website performance focused on the following areas:

  • Search analytics – site’s impressions, clicks and position on Google
  • Content on Google – sitemaps, individual URL crawling and index coverage
  • Website issues – affected URLs, mobile usability, breadcrumbs
  • Web pages – detailed page crawl, index and information about pages

Regarding stability, Search Console can alert you when pages on your site are not loading correctly for visitors. 

These alerts are essential for all sites, particularly those with more content and functionality.

Here is a step-by-step Search Console training by Google to get started.

Providing the same service but for the Bing search engine, Bing Webmaster Tools is another good tool to monitor website ranking factors.

E. Use the latest PHP version

WordPress is written in an open-source scripting language called PHP. PHP is therefore the code that processes user requests on your site and fetches and interacts with data from your database.

Now and then, a new PHP version is released. You should update your site to use the latest PHP version when this happens. Outdated PHP versions are a security risk, as vulnerabilities continue to be discovered in them over time.

Additionally, newer versions of PHP are faster and will make your WP site load quicker.

4. Marketing

While Marketing is highly customised and specific to your situation, some best practices form a strong foundation for all digital marketing in WordPress. Follow the tips below to implement them.

A. Change permalinks to use critical terms

Your users can access different pages and posts on your website separately because each page and post has a unique URL address. In WordPress, we call this URL address a permalink.

Search engines use permalinks to determine what your pages are about, which means they are an essential element of your SEO. Because of this, your permalinks must include any keywords you’re targeting on that page.

Optimised permalinks should let users know which content to expect and organise links in categories. It’s your responsibility to change the default WordPress permalink configuration from numbers to a post name with a keyword.

Important! Change permalinks when you first install WordPress. If your site is already live, create redirects from all existing pages to their new URLs to avoid 404 errors.

A post-name permalink structure, as described above, is a standard configuration that works well for SEO.

B. Set up a Google Analytics account and track your website

Google Analytics is a popular service by Google. Where Search Console focuses on search ranking, Analytics provides free tools to assess visitor behaviour on your website. Using this information, you can build informed marketing strategies.

Google Analytics metrics:

  • Real-time data – Location, traffic sources, content, events, conversions
  • Audience – Demographics, interests, behaviour, technology
  • Acquisition – Overall traffic, Google Ads, Marketing campaigns, social media
  • Behaviour – Site search, site content, site speed, events
  • Conversions – Goals, E-commerce, multi-channel funnel

C. Put a contact form on your website

It’s important to give visitors a line of communication with you. Adding a contact form will help with everything from them telling you about website errors to unanticipated business opportunities. The simplest way to do this is to implement a contact form.

Most WordPress contact forms are drag-and-drop and very easy to use. Once you have one up, it will work to direct any sent messages to your email inbox without you having to put your email address on the web.

A contact form is also one way to build a mailing list (provided you ask permission to send emails, of course).

Easy-to-use contact form plugins

  1. WPForms
  2. Contact Form 7
  3. Formidable Forms
  4. Ninja Forms
  5. Gravity Forms

D. Have an About page

About website pages are crucial for:

  • Reducing the perceived risk of dealing with your business or trusting your content
  • Building personal connections with visitors

It anchors your website, which exists in cyberspace, to real people and places.

The information you put on your About page should establish why you are a safe business to work with or a safe content source.

Some suggestions for content on your About page are:

  • Other businesses you’ve worked with
  • How long you’ve been in business
  • Where you’re based
  • Testimonials from other customers
  • Pictures of you and your staff

E. Link social media accounts to feed traffic to your website

“Location, location, location!” There’s an old recommendation for brick-and-mortar businesses to set up shop on the busy streets of a town. The busy streets of the Internet are on social media. According to Statista, Facebook alone has roughly 2.85 billion users each month.

When choosing a social media platform for your business, consider where your target audience spends most of their time.

When it comes to the direction of traffic, you want to direct visitors from social media to your website: they should feed your site, not the other way around.

Direct visitors to your website because most customer conversions happen on the website rather than on social media. Additionally, you own your website and have complete control of your property; on social media sites, you are a renter at best. (Facebook recently decimated a customer’s business because the business relied entirely on Facebook, and Facebook’s AI cut their advertising reach and hamstrung their revenue.)

For these reasons, in most cases we don’t recommend setting up feeds or widgets on your site from your Facebook or Twitter accounts. Not only do they actively draw visitors away from your site, but they also typically slow down the page load by loading additional JavaScript libraries and stylesheets.

F. Use a mobile responsive theme

Mobile web traffic accounts for 54.8% of all web traffic, beating desktop and tablet (Statista). Chances are that most people visiting your website are on a cellphone.

Google bases your site’s overall ranking in its search results on the mobile version of your site and its performance.

Given this, your mobile performance must be as good or better than your desktop performance.

G. Create an XML Sitemap

Search engine bots crawl your website to find out what it is about, the type of content you post, and how to assess your pages. A sitemap file gives these bots a map for crawling all of your website’s pages. The sitemap is essential if you have a big website with many pages.

You can also manually submit your website sitemap to Search Console and Bing Webmaster Tools to be indexed and ranked for content you want to rank for.
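An added example, not from the page or from any sitemap plugin: a Python function that builds a sitemap in the sitemaps.org format from a constructed list of pages, leaving out private pages and URLs on other hosts, which the sitemaps protocol does not allow in a plain sitemap. The example.com pages and dates are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import date
from urllib.parse import urlparse

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
MAX_URLS_PER_FILE = 50_000  # limit set by the sitemaps protocol

# Constructed sample of a site's pages: (absolute URL, last modified, public?).
# Hypothetical example.com data, not taken from the page.
SAMPLE_PAGES = [
    ("https://example.com/", date(2023, 5, 1), True),
    ("https://example.com/about/", date(2023, 4, 12), True),
    ("https://example.com/blog/wordpress-checklist/", date(2023, 5, 3), True),
    ("https://example.com/?p=123", date(2023, 5, 3), False),       # private draft
    ("https://cdn.example.net/logo.png", date(2023, 1, 1), True),  # other host
]


def eligible_urls(site_root: str, pages):
    """Keep only public pages on the same scheme and host as the sitemap."""
    root = urlparse(site_root)
    kept = []
    for url, modified, public in pages:
        if not public:
            continue  # never advertise drafts or private content to crawlers
        parsed = urlparse(url)
        if (parsed.scheme, parsed.netloc) != (root.scheme, root.netloc):
            continue  # cross-host URLs belong in that host's own sitemap
        kept.append((url, modified))
    return kept


def build_sitemap(site_root: str, pages) -> str:
    """Serialise the eligible pages as a sitemaps.org urlset document."""
    urls = eligible_urls(site_root, pages)
    if len(urls) > MAX_URLS_PER_FILE:
        raise ValueError("too many URLs: split into several sitemaps plus an index")
    urlset = ET.Element("urlset", xmlns=SITEMAP_NS)
    for url, modified in urls:
        entry = ET.SubElement(urlset, "url")
        ET.SubElement(entry, "loc").text = url  # ElementTree escapes & < > for us
        ET.SubElement(entry, "lastmod").text = modified.isoformat()
    body = ET.tostring(urlset, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body


def sitemap_locs(xml_text: str):
    """Parse a sitemap back into its list of <loc> values (for checking)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [el.text for el in root.iter(f"{{{SITEMAP_NS}}}loc")]


if __name__ == "__main__":
    print(build_sitemap("https://example.com", SAMPLE_PAGES))
```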

Plugins that can help you create your XML sitemap:

Free online tools to create an XML sitemap (a quick option for sites that don’t add content):

H. Remove Broken Links

Over time, website content is often changed or moved.

Given this, keeping track of link changes and ensuring all your links are current is essential. Having no broken links will provide your visitors with a better experience. It will also boost your search engine ranking results.

Use the Ahrefs broken link checker, Dead Link Checker (more comprehensive), or the Broken Link Checker WordPress plugin to check your website.

Ahrefs broken link checker

I. Posts and pages have a good readability score

People rarely make it to search engines’ second page because they find what they are looking for somewhere in the content ranking on the first page.

Different factors go into boosting content quality. But often, especially for niche content, what shows up high on Google is the content that is easiest to read and best communicates the answers the searcher seeks.

Clear writing will also help retain your readers’ attention and reduce bounce rates.

A shortcut to getting an idea of how well-written a page is to use a tool that provides a “readability score”. The popular SEO plugin Yoast is one example; Readable is an example of a service that offers this.

Writing tools to achieve a good readability score

  1. Grammarly
  2. Hemingway App
  3. ProWritingAid

J. Optimise pages and posts for SEO

Before we even get into optimising web pages and posts, your content needs to:

  1. Be relevant to searchers
  2. Be presented in your user’s language – keywords, jargon, and phrases

Get the H1 Tag right.

The H1 tag is the most critical header tag in your pages and content because it lets search bots know what your page/post is about. How the title comes out also depends on your theme.

Work on your meta tags.

Your website’s meta tags tell the search engine bots what your page is about. Two important meta tags work together to optimise your content.

Page title

The web page title is the most important real estate on your website. This is where your most important keywords related to the web page should be placed. A good format for the web page title is <product/service name> <location> – <company name>, e.g. Website Development Perth – Webby Website Optimisation. A search engine result snippet shows the web page title as the first line people see, so it must also entice readers to click through to your website.

Meta description

The meta description is like your Ad in the Google search engine results telling people why they should read your content. So it should be well written.

Google often generates its own description from the post content, but you should still write your own as a fallback, because yours will sometimes be shown.

For a solid snippet that earns clicks to your website, the title and the meta description must complement each other.

To avoid a high bounce rate, ensure the meta description matches the content on the page.

A few good SEO audit services for WordPress sites:

  1. Semrush
  2. Ahrefs
  3. Moz

Plugins that can help you optimise your site:

  1. All In One SEO Pack
  2. Yoast
  3. RankMath
  4. SEOPress

Want Help Optimizing Your Website?

If you’d rather just hire an expert to get your site tuned up, please consider trying Webby’s WordPress Help and Support services.