In my experience as a WordPress developer and consultant, I have run across many users of WordPress who fall victim to some very bad habits. When consulting with clients about WordPress site management, I’ve seen a lot, and I’ve fixed a lot.
Here are some of the most common bad habits that I’ve come across when it comes to WordPress site management. I’ll tell you what they are and how to fix them. Some of my comments might seem harsh, but consider it a dose of tough love. I’m trying to help you, not insult you.
If you are blogging for money or maintaining a professional brand image, don’t skimp on these. Bad habits will end up costing you more in both money and time. If you don’t know how to do some of these, it is prudent either to learn or to hire someone (even if that is just on a consulting basis). It will save you money in the long run!
Bad Habit #1: Running JUST a production site.
When you are running a WordPress site (or any site, for that matter), it is an absolute imperative that you maintain a testing and/or staging environment for your site. For most people, this means running a test web server on your local machine. However you do it, you MUST do it. You need a clean copy of the site as a backup and a separate copy for testing. If you do all of this on your live production site, you are asking for trouble. A malware infection, a system crash, an accidental wipe of your production database: something bad is going to happen. It’s just a matter of when.
Best Practice: Work in a three stage environment – Testing, Staging, and Production.
I run a testing system where I try things out before putting them into production. That gives me the chance to make sure everything checks out before moving it to staging.
Staging is my clean environment. Everything has been tested and checked out before it gets here. Running some type of version control such as Subversion or Git is a good idea here, so you can roll back if an update blows up. Keep wp-config.php, with its database credentials and salts, out of the repository.
Lastly, the production environment. This is what the world sees, and there is zero margin for error: a bug or a crash is bad for business. You need the ability to restore service immediately, and that comes from staging, the known-good copy you can redeploy.
Bad Habit #2: Upgrading WP core and plugins on the production site without testing first
As a plugin developer, a common support question I receive whenever I release an update is something along the lines of, “I updated to the most recent version and now my site is broken.” My first question is usually, “Is this your live site? Did you test the update before upgrading?” Most often, the answer is, “Yes, this is my live site. No, I just upgraded.”
Best Practice: Always test updates in a testing environment prior to moving to a production site
DON’T DO IT! Always, always, always test first. See Bad Habit #1. Testing is not an excuse for delay, either: when an update fixes a security issue, run it through your test site the same day and push it to production.
Bad Habit #3: Editing core theme files directly rather than creating a child theme
Many users get a theme they like and then jump straight in to customize it to their liking. The problem is that when the theme developer releases an upgrade, all of your changes are wiped out. Frustrating the first time you discover this; foolish if you keep doing it after that.
Best Practice: Get in the habit of creating child themes.
I hear it all the time, “But I’m not a developer or designer. I don’t understand this PHP and CSS stuff.” And you want to run a web site? If that is truly your thought, you should be hiring someone to work in this area, even if it’s just on a consulting basis. But if you are going to do it all yourself, then you had better understand this stuff.
It’s not hard to create a child theme. The Child Themes page in the WordPress Codex will get you started, and it links to some good tutorials.
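As an added example (not code from the Codex page or from this article), here is the minimum a working child theme needs: a style.css whose header names the parent theme, and a functions.php that loads the parent’s stylesheet ahead of the child’s. The directory names example-child and example-parent are made up; use the real directory name of your parent theme.

```php
<?php
// wp-content/themes/example-child/functions.php  (hypothetical directory name)
//
// A child theme is two files in its own directory. The first, style.css, only
// needs this comment header; "Template" is the parent's *directory* name, not
// its display name. Your own CSS goes below the header and is never touched
// by a parent-theme update:
//
//     /*
//     Theme Name:  Example Child
//     Template:    example-parent
//     Version:     1.0.0
//     */
//     .site-title { color: #0a4d8c; }
//
// The second file is this functions.php. WordPress loads it in addition to
// (and just before) the parent's functions.php, so use it to enqueue styles
// and register hooks, and never redefine a function the parent declares.

add_action( 'wp_enqueue_scripts', function () {
    $child  = wp_get_theme();     // the active (child) theme
    $parent = $child->parent();   // WP_Theme of the parent, or false

    // Load the parent's stylesheet explicitly. get_template_directory_uri()
    // resolves to the parent's directory; get_stylesheet_directory_uri() to
    // the child's. Some parents enqueue their own CSS via get_stylesheet_uri(),
    // which in a child context points at the child's style.css, so relying on
    // the parent to load its own file is not safe.
    wp_enqueue_style(
        'example-parent-style',
        get_template_directory_uri() . '/style.css',
        array(),
        $parent ? $parent->get( 'Version' ) : null
    );

    // Then the child's own style.css, declared as depending on the parent's so
    // it is printed after it and wins on equal selector specificity.
    wp_enqueue_style(
        'example-child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'example-parent-style' ),
        $child->get( 'Version' )
    );
} );

// Template overrides work the same way: copy a parent template (say header.php)
// into the child directory and edit the copy. WordPress looks in the child
// directory first, and the parent's copy is left untouched for its next update.
```

Activate the child in Appearance > Themes (the parent must stay installed), then view the page source: the parent’s style.css should be listed before the child’s. One caveat: a parent update can still change the templates you copied, so diff your overrides against the new parent version in your test environment before pushing it to production.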
Bad Habit #4: Editing plugin files directly
This is just as bad as, if not worse than, Bad Habit #3. First, just like themes, when the developer releases an upgrade, your changes will be overwritten.
Some people customize plugins knowing full well that an upgrade will overwrite their changes. So what do they do? They don’t upgrade. Here is why that’s especially bad: what if that upgrade fixes a security vulnerability, or is required to keep up with the latest version of WordPress itself?
The other problem with editing plugin files is that you could break something. You could unintentionally open a security hole, or simply break the plugin. If you are running a test site, that’s not as big a deal, because you can just restore the plugin from the repository. But if you are in a bunch of bad habits, such as testing on your production site, well, that’s asking for trouble.
Best practice: Don’t edit plugin files directly
I once worked with a client who was several versions behind on WordPress because he had tweaked several plugins and therefore wouldn’t upgrade them, which in turn kept him from updating WordPress. He was following Best Practice #1 and running a test site, so he knew the upgrade would break his customizations. But that didn’t save him from being vulnerable to attack: the version of WordPress he couldn’t (or wouldn’t) upgrade to contained several security fixes. If you’ve ever been hacked, you know what a pain it is to clean up.
I know everyone wants to fully customize, and that does lead to a professional look. But you have to use some common sense here. Sometimes it’s better to leave things the way they are. The best plugins are built to be extensible, through WordPress actions and filters, and can be customized without touching the plugin’s own files.
If you absolutely MUST use a particular plugin and MUST customize it, it is better to keep your changes as a separate, side-by-side customization, maintained in your testing environment and reapplied to each new plugin version, rather than editing the installed copy. That gets a little complicated for this article, but if you want to be solid, that’s the way to go.
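An added example, not from the original article, of what a side-by-side customization looks like when it goes through WordPress hooks instead of edits to the plugin’s files. The plugin (“example-plugin”), its filter and action names and its function are hypothetical stand-ins; a real plugin documents its own hooks.

```php
<?php
/**
 * wp-content/mu-plugins/site-customizations.php
 *
 * A must-use plugin is loaded on every request and is never modified by
 * WordPress, theme or plugin updates, so customizations kept here survive
 * upgrades. Everything below assumes a hypothetical plugin, "example-plugin",
 * whose code contains these two extension points (not a real plugin):
 *
 *   $subject = apply_filters( 'example_plugin_email_subject', $subject, $order_id );
 *   add_action( 'wp_footer', 'example_plugin_render_banner' );
 */

// 1. Change a value the plugin passes through a filter, instead of editing the
//    line in the plugin that builds it. Priority 20 runs after the plugin's own
//    default-priority (10) callbacks, so this sees the value they produce.
//    The last argument tells WordPress to pass both filter arguments.
add_filter( 'example_plugin_email_subject', function ( $subject, $order_id ) {
    return sprintf( '[Example Shop] %s (order #%d)', $subject, (int) $order_id );
}, 20, 2 );

// 2. Replace behaviour the plugin registers with add_action(). remove_action()
//    only succeeds once the plugin has registered its callback, and mu-plugins
//    load before regular plugins, so calling it at file load time would fail
//    silently. Defer it to plugins_loaded (or init) at a late priority instead.
add_action( 'plugins_loaded', function () {
    // remove_action() returns true only if the callback was actually registered.
    if ( remove_action( 'wp_footer', 'example_plugin_render_banner' ) ) {
        add_action( 'wp_footer', function () {
            echo '<div class="site-banner">'
               . esc_html__( 'Custom footer banner', 'site-customizations' )
               . '</div>';
        } );
    }
}, 20 );
```

When you cannot find a hook for the change you need, ask the plugin author for one rather than editing the file; a single apply_filters() call in the next release is cheaper for everyone than a fork you have to re-apply. To check whether a site already has edited plugin files, WP-CLI’s wp plugin verify-checksums compares the installed files of a wordpress.org plugin against the repository copy and lists the ones that differ.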
Bad Habit #5: Default permalinks
I know, I know. Some of you are saying, “I don’t run WP on Apache, so it’s impossible for me to use pretty permalinks.” Not true. WordPress doesn’t need .htaccess; it needs a web server that routes requests for non-existent paths to index.php, and nginx does that in one line. Most of the time the real reason is laziness, or the unwillingness to pay a developer to do it for you. I’ve seen some pretty high-traffic, well-known sites with http://thesite.com/?p=1234 in the address bar. It looks unprofessional, and in this day and age, if you are managing a WordPress site, it’s inexcusable not to fix it.
Believe me, I’ve talked to some of these people, and they almost always have an excuse. Yet elsewhere in the same conversation they will tell me how important SEO is to them. Really? You could start improving your content optimization by changing your permalinks to a keyword-friendly structure such as /%postname%/.
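As an added example, not from the original article, this is a minimal nginx server block that gives WordPress pretty permalinks without Apache or .htaccess. The hostname, document root and PHP-FPM socket path are assumptions for your own server.

```nginx
# Assumed layout: WordPress installed in /var/www/example.com, PHP-FPM listening
# on a Unix socket. Adjust all three to match your server.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com;
    index index.php;

    # Pretty permalinks. Serve the file or directory if it exists; otherwise hand
    # the request to WordPress's front controller with the original query string.
    # This is the nginx equivalent of the rewrite rules WordPress puts in .htaccess.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # nginx ignores .htaccess entirely, so protections Apache users get from it
    # (including ones plugins add) must be written here. Regex locations are
    # matched in order, so these deny rules must come before the PHP handler.
    location = /wp-config.php { deny all; }
    location ~* /wp-content/uploads/.*\.php$ { deny all; }

    location ~ \.php$ {
        # Only pass scripts that really exist; otherwise a request like
        # /uploads/image.jpg/x.php could reach PHP-FPM with a bogus path.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After reloading nginx, pick a structure under Settings > Permalinks; WordPress detects that it is not on Apache and simply stops trying to write .htaccess. Test with a direct request to a post URL and to a deliberately wrong path: the first should render, the second should produce the WordPress 404 page rather than an nginx one.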
Now it is time to do a little soul searching. None of these bad habits takes much effort to correct; most are so easy to fix that there is no reason not to. And the benefit to your business should be obvious: correcting these things will make managing your WordPress site easier in the long run. And don’t miss these 3 bad habits you must avoid regarding WordPress site security.