WordPress is the best content management system for most websites, and that’s why we use it on the majority of our projects that don’t require the eCommerce heavy lifting that Magento, our other favorite website framework, provides. WordPress is very popular, and unfortunately that also makes it a popular target for hackers. Thankfully, there is a very active ‘good guy’ developer community looking out for any potential vulnerabilities, and quickly working to resolve them with security updates. These include not only the WordPress core development team, but also many plugin developers and WordPress security experts like Wordfence and Sucuri. As a result of this, WordPress is a very secure platform if properly maintained.
If you have read about large-scale WordPress hacks, those are exploits that target sites which are not properly maintained and are running older versions of the software with known vulnerabilities. As such, it is imperative that you ensure your WordPress site is regularly monitored, and updated with the latest software.
For most sites, there are generally three groups of software which can lead to issues if not properly maintained: the WordPress core, plugins, and themes. The good news is that the WordPress core and all well-supported plugins and themes are regularly monitored by the WordPress security community, and updates are released often. These updates can usually be applied to the site with a simple click of the ‘update’ button for each, but this apparent simplicity is often where do-it-yourselfers can get into trouble.
Nine times out of ten the update will go through without any issue and the site will continue to be fully functional and secure. On some occasions, however, the update can cause compatibility issues, due to conflicts between the WordPress framework, installed plugins on the site, or the site’s active theme. In the worst cases, the update can completely break the site, requiring a full file and database restore, followed by close inspection of the error log and troubleshooting of the issue in a development environment. As part of our hosting package, we have regularly scheduled backups of the file system and database around the clock, and prior to any maintenance work our development team also makes a local backup to ensure your most recent content can be restored in the event of complications with the update process.
One of the greatest features of WordPress is access to a library of thousands of plugins, which allow for increased functionality in nearly limitless ways. User forums, advanced eCommerce, and event management are just a tiny sampling of the kind of expansion you can add to your site. Where novices can often get into trouble, however, is installing plugins that are not actively maintained, or that are built on poorly written or, worse yet, insecure code. Anyone can write a plugin and submit it to the WordPress plugin repository, and although there is some vetting process by the development community, there are still quite a few plugins that haven’t been updated in years and are likely to contain, at the very least, compatibility issues which would lead to broken functionality. There are also plugins available for download from third-party plugin repositories, as well as developers’ websites. Navigating this landscape can prove to be perilous to a WordPress site’s health if the person maintaining and installing plugins on the site is not experienced and lacks the necessary skills to review the plugin’s code and changelog history to suss out any potential issues.
Themes can pose the same risk as plugins if there is a theme installed on the site which is not regularly updated. This can be true even if the theme is not the actively applied theme in use on the site. As with plugins, there is a wide range of quality in the themes available, and anyone can post a theme for download on their site. Again, the WordPress theme repository as well as major premium theme vendors like themeforest.com are your safest bets, but there are plenty of themes available from those sources which are outdated or poorly coded. It takes a well-trained developer to sort through the feature lists and marketing to determine whether a theme is actually going to be well supported and work seamlessly with WordPress and other plugins, or if it’s going to be a buggy nightmare with poor support for any issues that arise.
Another reason why leaving updates to the professionals is wise is that a team of WordPress experts like Watermelon is constantly plugged into the greater development community, and by monitoring various security blogs and networks, we typically become aware of any security issues well before the developer is able to release an update. We are constantly ahead of the curve with WordPress security, and are so confident in our maintenance plan and processes that in the rare instance that a security breach occurs while a site is on our watch (on a monthly maintenance plan), we will clean up the site and rid it of any malware completely free of charge.
In addition to regular updates to your WordPress site, there are also important external monitoring tools that professionals use to monitor and improve performance, search engine health, and mobile usability, all of which are critically important to the overall usefulness of the site to your end users.
WordPress is a fantastic content management system, and in this day and age, aside from very specific niche requirements or heavy eCommerce lifting, it is far and away the best choice for any new website. Just like any other investment such as a new car, your website is an important asset that requires regular maintenance to continue to run smoothly and be safe. WordPress is built with the end user in mind, and managing content and front-end functionality can be done by anyone willing to take the time to learn the basics, but keeping the site up to date and regularly monitoring for security, performance, or SEO issues is best left to the experts.