The Importance of Maintaining your WordPress site, and how to do it.

By Otavio Fonseca

As of 2021, WordPress powers 40% of all websites and holds a 61% market share among CMS platforms. On any given day, over 500 sites are built with WordPress, compared to around 70 on other platforms like Squarespace or Shopify.

Given its widespread use, WordPress is a frequent target for malicious actors, leading to numerous instances of exploitation.

While its high usage can sometimes result in a significant number of infections, giving WordPress a bad reputation among some developers, it remains largely secure. No system is entirely attack-proof, but there are many ways to minimize and mitigate potential breaches to your WordPress site.

Why Do Hackers Target WordPress?

From my experience, the majority of WordPress exploits aim to:

  • Hijack traffic: Redirect users to other sites for ad impressions and fake traffic.
  • Build backlinks: Link to their services, including dubious ones like fake pharmacies or other black-hat SEO practices.
  • Distribute malware: Spread malware or engage in crypto mining.

When a vulnerability is publicized, hackers often deploy bots to scan the web for that weakness. If found, they infect the site and move on to the next.

These attacks are rarely personal. I often joke: “Don’t take it personally; they’re not specifically targeting you. There isn’t one person manually attacking your server.”

You can significantly reduce the likelihood of such issues by following these guidelines:


Even the most diligent website maintainers face unexpected problems. Your website might crash during a theme or plugin update, or hackers might exploit a newly discovered vulnerability before it’s patched. While no strategy is foolproof, quick recovery is crucial. Regular backups can save your reputation and minimize losses.

Backup Strategies:

  • Hosting Company Backups: Many hosting companies offer automated backups and quick restore options. WordPress-dedicated managed hosting services often provide near-instant restores and good support.
  • File System Backups: Use plugins to create daily backups stored locally.
  • Offsite Backups: For added security, maintain backups outside your hosting company. Some plugins can store backups on external services like Amazon S3 or virtual drives (Google Drive, OneDrive).

My preferred WordPress backup plugin is UpdraftPlus. Ensure your backups are running correctly and can be restored when needed.

Back-up strategies (use all of them!)

Hosting company backups – Most hosting companies will offer automated backups and a quick way to restore your site to a past snapshot.  WordPress dedicated managed hosting services will allow for virtually instant restores (and good support)

Backups within the file system – you can use a plugin to make daily backups and store them locally

Offsite backups – In the spirit of multiple safety points (and a pinch of paranoia) I highly recommend having a backup outside your hosting company.  Some plugins will deposit a copy of your files and database on an external service.  If the site is small, you could have it emailed it to you.  If it’s big, I would consider an external repo, like Amazon S3 or some Virtual drive (Google Drive, Onedrive, etc)

My goto choice for WordPress backup plugin is UpdraftPlus

Check your backups  – It’s a good idea to, once in a while, check to see your backups are running properly and it’s also a good idea to see the backups are restorable.

You gotta keep’em updated

Site Health

Site Health: Check if you’re running the recommended PHP version and other site health recommendations at:

Plugin Updates: WordPress offers nearly 60,000 plugins, but some can become vulnerable. Install plugins from reputable developers, preferably from the official repository, and keep them updated.

Theme Updates: Themes control the visual elements of your site. Update themes not only for aesthetic improvements but also for security fixes. Choose themes and plugins from developers who promptly address issues. Avoid themes that include bundled plugins, which can complicate maintenance if vulnerabilities arise.

Core and Minor Updates: Apply WordPress updates, especially those with security patches. For major updates, ensure compatibility with your existing plugins and themes by testing in a staging environment before updating your live site.

Handling Updates

If an update breaks your site, a backup will allow you to restore it quickly. To avoid downtime, test updates in a staging environment first. If successful, you can update your live site with more confidence.

Staying Informed

Join mailing lists that announce WordPress vulnerabilities and new malware variants. I recommend Wordfence’s WordPress Security Mailing List for timely alerts.

Comment Management

A comment section increases interactivity but can attract spam. Regularly monitor and remove spam comments to maintain a professional appearance and prevent negative impacts.

Consider Managed Hosting

Even with robust security measures, if your server has a backdoor, your site remains vulnerable. Managed hosting services handle server patching, DDoS mitigation, and provide daily backups and staging environments, freeing you from these tasks. I recommend WP Engine for managed hosting.

Security Plugins

Security plugins add extra layers of protection. I highly recommend Sucuri Security, which offers comprehensive features in its free version and additional firewall options with a paid subscription.


WordPress requires ongoing maintenance, much like a houseplant needs water and sunlight. Neglecting it can lead to problems over time.

At Daneli Consulting, we help minimize attack risks and protect your reputation. If you experience a hack, contact us, and we’ll assist in resolving the issue.