Monitor Website Security

Protect your website from attacks by ensuring a proper security system.

WordPress, by nature, poses some security risks. Because plugins and themes are crowd-sourced, and because it’s the world’s largest CMS, it’s a big target for hackers.

You can take some simple steps to keep your website safe from most vulnerabilities.

Install Website Security

There are many security options to choose from, and some hosts (like Kinsta) even provide high levels of security for you. Most WordPress users choose a security plugin like Wordfence, iThemes Security, or WebARX.

These pieces of software (which come in paid and free options) harden your website, help protect from brute force attacks, and regularly scan your website for vulnerabilities.

Ensure that your website security software is up-to-date and make it a habit to routinely check the logs of any scans to make sure nothing has gone wrong. You’ll likely get notifications from your security software letting you know when a plugin or theme you have installed has a known vulnerability. Make sure to prioritize fixing any of those issues, as well as keep good backups of your website.

Optimize Your WordPress database

Delete unneeded items like revisions and spam comments for an optimized database.

Over time your WordPress database starts to collect a lot of unnecessary items like revisions, auto drafts, deleted posts, orphaned and duplicated data, spam comments, and more.

All of these just take up space in your database, and by regularly cleaning them out you can improve your website’s performance.

How to clean your WordPress database

There are several ways you can do this, but the easiest is with the free plugin WP-Sweep, which can be found in the WordPress repository.

After you download, install, and activate the WP-Sweep plugin, from your dashboard navigate to “Tools” > “Sweep”.

The plugin will show you all the different bits of data you can clean up with a blue button labeled “Sweep”.

WP-Sweep Dashboard

You can sweep these up one at a time, or scroll to the very bottom and hit Sweep All.

Be careful as you clean up: some of the options will delete any posts or pages you have set to “Draft”.

Update WordPress Core, Themes, and Plugins

Keeping your software up-to-date helps protect against security vulnerabilities and gives you enhanced functionality.

Chances are you already know how to update WordPress… but I promise, if you Google it you’re going to find a lot of different opinions on how it should be done. You’re also going to find people that tell you that it has to be done this way or that.

I have no desire to lecture you one way or another— here are some simple tips I’ve found useful. Find what works best for you, and how you feel comfortable. Just whatever you do, keep all your software up-to-date! You shouldn’t be going weeks (or months, or years!) without running updates. Once a week seems to be my personal sweet spot.

Tips for running WordPress Updates

These are my personal recommendations.

  1. Use a staging site for updates (or don’t). If you want to be extra careful, and you have all the time in the world, you can clone your website to a staging environment, run your updates, check for any errors and then know if it’s safe to update or not. But, I’m going to be honest— who the hell has time for that? I’ve generally found updates to reputable plugins to be fairly reliable… And in a worst-case scenario I have backups to restore.
  2. Make sure you have backups before updates (especially major ones). If you’re running regularly scheduled backups (at least once a day) you should have a backup that’s no more than 23 hours and 59 minutes old at worst. Chances are it’s fresher than that. Might be a good idea to double check first that your latest backup was completed.
  3. Update WordPress Core, then your Themes, then your plugins. This is the best consensus I could find between everyone’s different strategies. It makes sense— if you think of these things in terms of hierarchy, then you’re updating the biggest bit first and the smallest ones last.

Tools like MainWP or ManageWP can help you do WordPress updates faster by connecting all your (or your clients’) websites to one central dashboard where you can run updates all at once.

Perform Visual Inspection

Routinely browse the website to make sure crucial elements look and function properly.

When you perform regular maintenance on your website (like plugin, theme, and core updates) you might be affecting the functionality and/or the aesthetics of your website. These could be unwanted changes that negatively affect visitors’ experience on your website.

These things can be hard to detect with automated systems; however, there are some cool visual regression tools on the market.

The easiest solution is to just browse the website after major updates to ensure key components are functioning properly. A quick visual inspection of the most important pages will help give you peace of mind.

If you’ve updated a specific plugin, visit the areas of the website where that plugin is used and ensure they still look and function as intended.

It’s my experience that most updates don’t cause problems— but it’s better to be safe than sorry!

Uptime Monitoring

Identify and investigate any downtime for the month to ensure stability.

Uptime monitoring is simply checking to see if your website is online or not, and alerting you when it goes down. For your care plan or maintenance clients, you’ll want to make sure you know if their website is down before they do (so you can fix it before they find out!)

Solutions like Uptime Robot will check your website every 5 minutes for free, and send you an email alert if your website does not respond. The free account allows you to add up to 50 monitors.

There are alternatives to Uptime Robot like Uptrends, Pingdom, and Freshworks, all with free and paid checks.

In my experience each platform will have pros and cons— and one might report outages faster than others. Do yourself a favor, try out a few (on the same website) and see what works best for your needs.

Another thing you’ll want to keep an eye out for is false positives. Any uptime tool I’ve tested has always sent me “down” reports when the website (to the best of my knowledge) never went down. It can be an annoying waste of time… But checking in on these alerts can save you from a website being down for a long period without your knowledge.

Ensure Successful Backups

Ensure your scheduled backups are being completed and test their validity.

The best fail-safe you can have for your WordPress website is regular backups. No matter if your website is hacked, compromised, or if an update just goes awry— a backup can be there to save the day! Some sort of failure is inevitable. A backup is your first line of defense!

Simply deploy a backup from before you experienced your issue, and poof— the problem is gone.

How to set up automatic backups

There are a ton of ways within the WordPress ecosystem that you can set up automatic backups, but before I share some of my favorites with you I want to key in on something… These need to be automated backups!

You want your backups running on an automatic schedule (most brochure websites can get away with 1 backup a day, while some ecommerce websites require them even more frequently).

This gives you a set-it-and-(almost)-forget-it system that happens without you having to think about it.

Use a host that provides automatic backups

Most decent web hosts will provide automatic backups of your website and database. Before investing in a hosting account, make sure this is the case. At a bare minimum they should be creating daily backups of your websites on their server.

While this is the easiest backup solution (because it is done for you), it’s not always the most reliable. You don’t want this to be your only website backup plan.

Use a backup service and/or plugin

There are plenty of backup solutions to choose from that offer both free and premium plans. With most free backup solutions you’ll have to provide some kind of storage for the backups (like Dropbox or Google Drive). Premium backup plugins often will provide storage for you.

One great feature you can look for when you’re making your decision is “incremental backups”. Incremental backups start by taking a full backup of your website, then only back up items that change between your scheduled backups. This reduces the load on your server when creating a backup.

Here are a few backup solutions you can take a look at:

UpdraftPlus

BackupBuddy

WP Time Capsule

Ensure your backups are successful

It’s not enough to set your backups and forget about them. Backups do fail!

Each month you’ll want to take stock of your backups to make sure they are going through successfully. Beyond that, it is a good idea to regularly test your backups by trying to deploy one onto a development install. Even when a backup shows it’s successful, sometimes there can be corruption that keeps it from restoring properly.

It would be time consuming to test your backups each and every time, but you can set aside a few minutes each month to test a few at random to see if you have any issues. If everything works fine, you’re probably okay. If you experience issues, you might want to test more and try and determine the problem.
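A quick automated pre-check can run on every backup between those monthly restore tests. The following is an added example, not part of the original article or of any backup plugin: it assumes backups are zip archives containing a `.sql` database dump and `wp-config.php`, and the function names and sample archive are hypothetical.

```python
import io
import time
import zipfile
import zlib

MAX_AGE = 24 * 60 * 60  # seconds; matches a once-a-day backup schedule

def check_backup(archive_bytes, created_at, now=None, max_age=MAX_AGE):
    """Return a list of problems with a zip backup; an empty list means it passed."""
    problems = []
    now = time.time() if now is None else now
    if now - created_at > max_age:
        problems.append("stale backup")
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            bad = zf.testzip()  # re-reads every member and verifies its CRC-32
            if bad is not None:
                problems.append(f"corrupt member: {bad}")
            names = zf.namelist()
            dumps = [n for n in names if n.endswith(".sql")]
            if not dumps:
                problems.append("no database dump")
            elif all(zf.getinfo(n).file_size == 0 for n in dumps):
                problems.append("empty database dump")
            if not any(n.endswith("wp-config.php") for n in names):
                problems.append("site files missing")
    except (zipfile.BadZipFile, zlib.error, OSError) as exc:
        problems.append(f"unreadable archive: {exc.__class__.__name__}")
    return problems

def make_sample_backup(with_db=True):
    """Constructed sample input: a tiny archive laid out like a site backup."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("site/wp-config.php", "<?php // constructed placeholder\n")
        if with_db:
            zf.writestr("site/db.sql", "CREATE TABLE wp_posts (id INT);\n" * 20)
    return buf.getvalue()

if __name__ == "__main__":
    now = time.time()
    good = make_sample_backup()
    damaged = bytearray(good)
    damaged[damaged.find(b"CREATE TABLE")] ^= 0xFF  # simulate silent corruption
    print(check_backup(good, now - 3600, now))            # fresh and intact
    print(check_backup(bytes(damaged), now - 3600, now))  # CRC check fails
    print(check_backup(good[: len(good) // 2], now - 3600, now))  # truncated upload
    print(check_backup(make_sample_backup(False), now - 3 * 86400, now))
```

An archive that passes this check can still fail to restore, so it narrows down which backups to test by hand rather than replacing the restore onto a development install.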

Test Your Website Speed

The time it takes your website to load has a major impact on your website’s success.

As time goes on, internet users become less and less patient. Today, a website that takes 5 seconds to load will be abandoned by 90% of people! To delight your visitors and keep the Google-Gods happy, you need your website to load in less than 3 seconds (but the shorter the time, the better).

How do I test my website speed?

There are three popular free tools for testing your website’s loading time, and we’ll go over the benefits and drawbacks for all three below. In most cases, it doesn’t hurt to go ahead and test your website using all three of these tools in case one picks up on something the other didn’t.

GTMetrix

The GTMetrix Homepage

GTMetrix offers free testing using multiple server locations and across several different browsers. In order to access all the options you’ll need an account, but the free account seems to do just about everything you need in my experience.

Once you land on the GTMetrix page, sign in (or sign up for an account) and pick the testing location nearest you (by default it’s set to Vancouver, Canada).

Type your URL into the search bar, and then hit “Test Your Site”.

After a few seconds you’ll be taken to a new screen that gives the results of your test.

From a high-level overview, you can check the ‘Performance Scores’ (given in letter-grade format) and the ‘Page Details’, which cover the fully loaded time, page size, and number of requests (all of which you want to be as small as possible).

GTMetrix Report

What makes GTMetrix great is all the information and data you can collect underneath that overview section.

Their reports will give you suggestions on optimizations you can make, a waterfall chart showing the loading time of each request, and even the timings of each stage of your page load.

Because of all the data they provide, I tend to lean on GTMetrix most often. However, keep in mind the “Fully Loaded Time” is typically higher than what a user will likely experience. This accounts for loading external scripts (like Google Analytics or Facebook Pixels) which your visitors will never see.

Pingdom

Pingdom Testing Tool

Pingdom is another popular choice for website speed tests. Just like GTMetrix, simply plop your URL in the search bar, select your testing location (nearest where you expect traffic to come from) and hit ‘Start Test’.

Within seconds you’ll be given your results.

While Pingdom doesn’t offer as many testing results as GTMetrix, I do often find their Load Time to be more representative of what the user sees in the browser.

They will provide you with basic steps you can take to improve your performance and the loading time by content type.

PageSpeed Insights

PageSpeed Insights Testing Tool

The last tool we’ll discuss here is Google’s PageSpeed Insights.

This test is arguably the most important (because it most closely represents what Google will determine about your website’s performance), but also the most frustrating to use.

Using WordPress, and especially with a Page Builder, you should expect to see worse results here than in the two previous tests, and unfortunately their instructions for making improvements aren’t a lot of help either.

What’s nice is that they test both the mobile and desktop versions of your website since Google places a high importance on mobile speeds.

Neil Patel has a great article on improving your scores on PageSpeed Insights, which I’ll point you to as a reference. Personally, I just haven’t had much luck improving these scores— but I wanted to include them because of their importance.

Final Thoughts

There are tons of statistics on how the loading time and performance of your website have dramatic effects on the amount of traffic you’ll get, your bounce rate, and even your rankings. Because of this, it’s important you take the time to try and optimize your images and code so that they perform their best.

When performing the tests listed in this article, try running the same website 2 or 3 times on each platform. You’ll likely notice that the results vary each time and you can take an average of the tests.

Having great hosting, implementing caching, and optimizing images often have the biggest effect on your results.

Test Submission Forms, Receipts, and Messages

Manually test any submission forms to ensure the proper user experience.

Want to make a customer fighting mad? Leave a broken form on the website you just built for them!

Forms are generally one of the most common “conversions” website owners want visitors to make. It can be tempting to assume they are working just like you intended, but it’s important to test each and every form before you publish it live on a website.

Simple Form Testing Procedure

To test your forms, make sure they are set to submit to an email address you have access to (you’re going to need 2 email addresses for these tests, so we’ll call this email address ‘Email A’).

After you’ve set ‘Email A’ as the “to” address in your form, navigate to the front end of your website and fill in the form as if you were a customer, this time using a different email address (‘Email B’), and submit the form.

You’ll want to check the inbox for ‘Email A’ and make sure the form submission made its way to the inbox.

If you are sending any kind of receipt to the customer, check the inbox for ‘Email B’ and make sure that arrived too.

Advanced forms, automation, and e-commerce

Sometimes you’ll have forms that are more complex than a simple “contact form”. In this case, you’ll want to make sure any automations are firing correctly, or that transactions are going through.

Again, the best way to test this is to do it manually and submit the form as a user would. With access to both ‘Email A’ and ‘Email B’ you’ll be able to see exactly what the website owner and the customer will see.

Test it again!

It’s a great idea to test your forms before you go live, but you’re going to want to test them again after the website is published. This ensures everything is still working as expected after the go live.

If the website you’re building is for a client, you’ll want to get them involved in the process by submitting the form to their email address, and ensuring they get the notifications they need.

Depending on how your transactional emails are set up, your customer might not know what to look for. It’s important that they are on the lookout and recognize these emails as these are often new leads or orders from their website.

Check for Broken Links

Broken links will send visitors nowhere and can cause damage to your SEO.

In the process of developing a website, it’s common to put in temporary links (like using only the number sign or hashtag symbol (#) where the link should go) as a placeholder until you have the right page to link to. You don’t want to take your website live with these links, which can cause frustration for your user and damage your SEO.

How to check for broken links

The most thorough and effective way to check for broken links is to do it manually. You don’t have to click on every button or link on your website. You can simply hover your mouse over it and you should see a preview of where the link is pointed appear at the bottom of your browser, like this:

Link Preview

By only checking for the link preview (as shown above) you can make your way quickly through each of the links on your website.

An automated solution for finding broken links

A broken link checker, like Dead Link Checker, will scan your website and alert you to any broken links. However, this isn’t nearly as effective because a link with the value of “#” will not be seen as broken, even though it’s likely not what you want to be linking to.
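The gap described above can be closed with a small script that looks for placeholder targets instead of failed requests. This is an added example, not code from the original article or from any link-checking tool; it goes beyond the “#” case to a few other common placeholder values (an assumption), and the sample HTML is constructed.

```python
from html.parser import HTMLParser

# Values treated as "not a real destination" (assumed list; extend as needed).
PLACEHOLDERS = {"", "#", "#!", "javascript:void(0)", "javascript:;"}

class PlaceholderLinkFinder(HTMLParser):
    """Collect <a href=...> tags whose target is a development placeholder."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (line number, href, link text)
        self._open = None    # the placeholder link currently being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "a" or "href" not in a:
            return  # named anchors without href are not links
        href = (a["href"] or "").strip().lower()
        if href in PLACEHOLDERS:
            self._open = [self.getpos()[0], href, ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[2] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            line, href, text = self._open
            self.findings.append((line, href, " ".join(text.split())))
            self._open = None

def find_placeholder_links(html):
    finder = PlaceholderLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page fragment.
SAMPLE = """<nav>
<a href="/about/">About</a>
<a href="#">Pricing</a>
<a href="#contact">Contact</a>
<a href="">Blog</a>
<a href="javascript:void(0)"><span>Book a
 call</span></a>
</nav>"""

if __name__ == "__main__":
    for line, href, text in find_placeholder_links(SAMPLE):
        print(f"line {line}: href={href!r} text={text!r}")
```

Fragment links such as `#contact` are left alone, and a bare `#` is sometimes intentional (a script-driven button, for instance), so treat the output as a review list.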