This is a checklist for WordPress websites owners. We consider it essential reading for every website manager. The list is not in any particular order and it's definitely not an exhaustive list. For all WordPress websites we recommend you have an experienced web developer or IT person to manage your website and perform regular updates & maintenance.

1) Update, update, update
WordPress is a very popular piece of software, powering 40% of all websites. Updates for the core software are released throughout the year, sometimes several updates per month. Popular plugins will also have regular updates. Your WordPress admin dashboard will display the number of updates available. We can't stress enough the importance of performing regular updates. You should discuss this with your web developer to make sure there is a proper routine for updates and maintenance. 

2) Use the latest PHP version
In your cPanel control panel you can manage the PHP settings for your website, including the PHP version, PHP extensions, and custom PHP variables like memory_limit and max_input_vars. Almost all PHP settings can be managed via the cPanel control panel, without the need to manually create a php.ini configuration file. 
If you / your web developer want to update the PHP version, enable a PHP extension, or set a custom PHP variable, you have lots of options available to you in the cPanel control panel.
Please follow our guide here:
https://my.maxer.com/knowledgebase/158/Manage-PHP-settings-for-your-cPanel-hosting-account.html

Please note your website software and plugins must all be compatible with the PHP version. That's why it's important to keep everything up to date. New PHP versions are released approximately once a year. The default/native PHP version on our servers is currently PHP 7.3 (at time of writing August 2021). Our technicians are responsible for maintaining the PHP versions on our servers, including installing new PHP versions when they are launched and also decommissioning older PHP versions when they reach end-of-life. The following article contains a table listing the various PHP versions and their lifespan, which you might find useful.
https://my.maxer.com/knowledgebase/186/PHP-Version-Lifespan-including-Launch-Date-and-End-of-Life.html

If updating the PHP version in your cPanel control panel causes your website to break, you should follow the steps in this guide:
https://my.maxer.com/knowledgebase/187/Troubleshooting-a-broken-website-after-switching-PHP-version.html

3) Enabling HTTPS on a WordPress website

When you visit any website your web browser connects using HTTP or HTTPS. The S stands for secure. In <insert year>, all web pages should be using HTTPS, meaning they are protected by SSL encryption. In 2018 Google and other companies started to penalize non-SSL websites. Maxer Host sell a range of branded 1-year SSL certificates (Secitgo, GlobalSign, GeoTrust) which are perfect for businesses of all sizes, plus we offer a free 90-day recurring AutoSSL service on all our hosting plans, so there's really no excuse for having a non-SSL website.
Please follow our guide to enable HTTPS across all pages on your WordPress website:
https://my.maxer.com/knowledgebase/165

4) Take over wp-cron.php and reduce resource usage
WordPress software includes a WP-Cron.php file that carries out regular maintenance tasks on your website to keep things running smoothly. As its name suggests, WP-Cron should be setup to run as a cron job on your hosting account. When a cron job is not setup, WordPress will run the file every single time someone visits your website. This can result in hundreds or thousands of unnecessary requests each hour. These requests often use a lot of CPU (computing power) and EP (entry processes) on your web hosting plan.
Thankfully, it's easy enough to fix this by disabling WP-Cron and then configuring a cron job for it to run a little less frequently!
We recommend running it once or twice an hour, or on busier/larger websites run it once every 10-20 minutes.
If you manage your website using the WordPress Toolkit in the cPanel control panel, enable the option "Take over wp-cron.php" and it'll create the cron job for you. If you don't use the WordPress Toolkit, please follow our guide: https://my.maxer.com/knowledgebase/175

5) Install a caching plugin
This would be the most important step of all when it comes to performance and resource usage. 

Caching for WordPress is important for several reasons:

  1. Faster Page Loading: Caching stores a static version of your website’s pages, which means that the server doesn’t have to generate the page from scratch every time someone visits it. This results in faster page loading times, which can significantly improve the user experience.

  2. Improved Site Performance: By caching frequently accessed data, WordPress can reduce the load on the server, which can improve site performance and reduce the chances of the site crashing during high traffic periods.

  3. Better SEO Rankings: Site speed is an important factor in Google’s ranking algorithm, so a faster website can result in better search engine rankings. This means that by caching your website, you can improve your SEO and drive more traffic to your site.

  4. Reduced Server Load: Caching can reduce the load on the server, which means that you can handle more traffic without having to upgrade to a more expensive hosting plan. This can save you money and improve the scalability of your website.

  5. Better User Experience: A faster website with improved performance can result in a better user experience, which can lead to increased engagement, lower bounce rates, and higher conversion rates.

Overall, caching for WordPress is important because it can significantly improve the performance and speed of your website, which can result in better SEO rankings, increased traffic, and a better user experience.

We have separate guides on this topic:
How to improve WordPress site performance with W3TC
How to improve WordPress site performance with LSCache
Memory-Based Caching vs. Disk-Based Caching
How to enable the MemCached PHP extensions using the CloudLinux PHP Selector

6) Install a security plugin
WordPress has many security plugins like: Wordfence, iThemes Security, Sucuri, WP Cerber or BulletProof Security. Some have free versions, some a one-off fee, some a yearly fee. We recommend choosing one with your web developer or IT person, they are likely to have a preference. Some plugins will conflict with each other, you only need to install one!
Here is an article comparing WordPress security plugins: https://wpmailsmtp.com/wordpress-security-plugins/

7) Install an anti-bot plugin
WordPress has many human validation (anti-bot) plugins like: Google Recaptcha, Really Simple CAPTCHA, hCaptcha or Visual Captcha
Captcha is a helpful tool to protect the contact forms and order/checkout pages on your WordPress websites. It prevents spam and unwanted posts from bots by testing if the website visitor is human or a bot. 
The Google Recaptcha is the most well known and highly effective. If you use Contact Form 7 plugin, it offers integration with Google Recaptcha: https://wordpress.org/plugins/contact-form-7-simple-recaptcha/ 
We recommend choosing one with your web developer or IT person, they are likely to have a preference.

8) Install an anti-spam plugin
Every WordPress website will be targeted by spam bots. If it's online, they'll find it. Therefore, anti-spam plugins should be standard practice for all websites. At Maxer Host, we have very strict policies on spam/abuse to protect our hosting network and all our clients. If a contact form on your website starts sending spam, as the website owner you are ultimately responsible. Our abuse department will contact you if we find any spam/abuse from your hosting account. We really appreciate when website owners (or their IT person / web developer) proactively protect their website.

There are many anti-spam plugins like: Cleantalk, Akismet, Antispam Bee.
Cleantalk Anti-Spam plugin is (in our experience) very effective. It uses the cloud to share data on the IP addresses of spammers and prevent them accessing any part of your website. Plus it can be installed in under 60 seconds. If your website is being targeted by spammers, we think you'll be surprised at how quickly Cleantalk can stop them. Cleantalk offer a 7-day free trial and if you like it, Maxer Host can give you a free license key (providing your website is hosted with us!*).

Here's how you can install and configure CleanTalk: How to protect your WordPress site from SPAM using the CleanTalk plugin

9) Enable text compression
In cPanel control panel, on the "Optimize Website" page, there are three options:
- Disable compression: The default option, none of your website content is compressed.
- Compress All Content: Might work well on some sites, but make sure images are already optimised, otherwise hosting resources will be wasted on unoptimised images.
- "Compress the specified MIME types" (recommended): We recommend this option because it will compress text/html content only. It won't waste a moment on trying to optimise content like images that should already be scaled/optimised and don't need compressed further.

10) Optimize images
All websites should have their images scaled & optimised. Images that are over-size or unnecessarily high-resolution will slow down your website, increasing the loading time, and potentially increasing the resource usage on your hosting plan.
For WordPress website, there are lots of image optimisation plugins available, for example EWWW Image Optimizer and Smush. Ask your web developer what they recommend using.

11) Limit number of plugins
Plugins are an essential part of WordPress, but how many is too many? A good rule of thumb is to never exceed 20 plugins.
Too many plugins can lead to security breaches on your site, site crashes, bad performance, slow loading speeds, and more. We recommend a regular review of your WordPress website to make sure the plugins are actually necessary. You should balance the number of plugins and the speed/performance of your website. Excessive plugins will cause a slowdown, even on the best hosting plan! 
There is an interesting article here: https://torquemag.io/2018/02/wordpress-plugins-many-many/

12) Check for error_log files
If your website is displaying a blank white page on the landing or homepage, this normally means PHP error messages are being suppressed. Instead of displaying error messages on your website for everyone to see, PHP will create a file called "error_log" and save all the errors there.
We have a guide on this below. Our advice is that you / your web developer should routinely check the main website directory (normally public_html) and also the wp-admin directory to see if there is an error_log file. If there is one, you / your web developer should review the PHP errors/warnings and fix all the issues.
https://my.maxer.com/knowledgebase/145/Wordpress---Wordpress-White-Page-Screen-of-Death.html

13) Use Cloudflare (or similar)
Cloudflare is a reverse proxy service. What this means is that once your website is part of the CloudFlare community, your web traffic is routed through CloudFlare’s global network. CloudFlare’s network automatically optimizes the delivery of your web pages by caching static content like CSS, Javascript and images as well as through compression. As it's a global network, it will make your website faster for someone visiting at the other side of the world. By caching content on their own systems, less resources/bandwidth are used on your hosting service. This could save you money. These days, a reverse proxy service is just common sense. Cloudflare has the largest market share, 80% of all websites using a reverse proxy and 18.5% of all websites (correct October 2021).
You can signup at Cloudflare.com

Our support team will be happy to advise you on the setup of a reverse proxy service. If you contact us about Cloudflare, please first grant us access to your Cloudflare dashboard by following this guide: https://my.maxer.com/knowledgebase/202/Grant-our-technical-support-access-to-your-Cloudflare-dashboard.html

CloudFlare also has paid plans ($20 or $200/month) and these include advanced features like a WAF (web application firewall), which might benefit some business websites.

14) WooCommerce, wc-ajax can slow down page loading speed.
WooCommerce is a very popular plugin to turn WordPress into an e-commerce store. Many themes include WooCommerce integration.  one of the popular plugins to make your WordPress site into an online store. The AJAX component “wc-ajax=get_refreshed_fragments” can drastically increase the page load time. On most sites you'll find it increases the page load time by 1-2 seconds, but in some cases as much as 10-20 seconds. If you use GTmetrix, you may find that wc-ajax is listed as one of the longest requests on the Waterfall tab of a GTmetrix report. If you are having page speed issue with WooCommerce we recommend you review the Ajax calls. There are solutions available for different scenarios and improving the page loading time.
https://www.webnots.com/fix-slow-page-loading-with-woocommerce-wc-ajaxget_refreshed_fragments/

15) Prevent comment/pingback spam
WordPress comment spam is often worse than contact form spam! Comment spam will generate email notifications causing issues with your email service and also spam could appear on your website or in search engines. If you are regularly publishing posts to your website, bots will be visiting your website, and many of them will try to cause a nuisance. To fight this, we recommend a 3 pronged approach.

(a) Disable comments on new pages/posts

Does your website get any value from comments? How many comments are legitimate? Would you consider disabling comments altogether?

There is a setting in WordPress admin > Settings > Discussion to "Allow people to submit comments on new posts". We recommend you uncheck this box and therefore comments will be disabled on new posts by default. You'll still have an option to enable comments on an individual post, either when you are creating it or later when you are editing it.

If you think it's necessary to allow people to submit comments, then consider only allowing comments on posts for X days. There is a setting in WordPress admin > Settings > Discussion to "Automatically close comments on posts older than X days". We recommend setting this to somewhere between 7 and 30 days. This depends how often you will login to WordPress Admin to moderate new comments (accepting or rejecting them).

(b) Disable comments on old pages/posts
We find a big problem is not new posts, but those old posts from 5 or 10 years ago. You'd probably completely forgotten you ever wrote them, but spam bots will still find them!

If you are familiar with phpMyAdmin, the database manager in your cPanel hosting control panel, here is an SQL command you can run to close stop comments/pingback on posts older than 30 days:

UPDATE wp_posts SET comment_status = REPLACE (comment_status, 'open', 'closed') WHERE post_status = 'publish' AND (post_type = 'post' OR post_type = 'page') AND post_date <= CURDATE() - INTERVAL 30 DAY;
UPDATE wp_posts SET ping_status = REPLACE (comment_status, 'open', 'closed') WHERE post_status = 'publish' AND comment_status = 'closed' AND (post_type = 'post' OR post_type = 'page') AND post_date <= CURDATE() - INTERVAL 30 DAY;

You can change the 30 day value to something lower/higher as you wish. If your WordPress database has a custom prefix, you might need to change wp_posts to the custom prefix like wp4d_posts, otherwise phpMyAdmin will report that the database table doesn't exist.

You can delete any unapproved/pending comments with this SQL command:

DELETE FROM wp_comments WHERE (comment_approved = '0') OR (comment_approved = 'spam');
DELETE FROM wp_commentmeta where meta_key like "%akismet_%";

If you're not familiar with phpMyAdmin and don't want to run SQL commands,  you could use a plugin like Disable Comments to... you guessed it, disable comments. You can find it here: https://wordpress.org/plugins/disable-comments/

16) Limit number of post revisions
An excessive number of post revisions can really increase the size of the MySQL database on your website. You can define the number of post revisions kept by WordPress, you can clear out old revisions, and there's some plugins to simplify the process. Please read the guide here: https://betterstudio.com/blog/how-to-delete-wordpress-revisions/

You can delete any revisions stored in the MySQL database without impacting the posts that are published. You can use this SQL command:

DELETE FROM wp_posts WHERE `post_type` = "revision" AND `post_name` LIKE "%revision%"


17) Disable public registrations
The registration form is frequently targeted by bots. We recommend disabling public registration on almost all websites. It's not normally necessary unless your website has a membership/registration function. Public registration can be disabled in the WordPress admin dashboard on the General Settings page. In the settings page, you'll find the Membership option where you can uncheck the "Anyone can register" box to disable registration. Uncheck the box and save the settings.

18) Review resource usage
Every web hosting plan has generous resources so that your website can have the best speed/performance. We use a system called LVE (lightweight virtual environment), developed by CloudLinux, to prevent any one account impacting the hosting server. The LVE system helps to maintain server stability by enforcing fair usage limits. It constantly records usage data for every hosting account, which customers can review in their hosting control panel.
Website owners, web developers and IT people should be aware of the resource limits on their hosting plan, know how to view the current resource usage by checking your cPanel control panel, investigate any spikes in usage, and plan for growth / special events.
Please follow our guide: https://my.maxer.com/knowledgebase/149/cPanel---Resource-Usage-Limit-Reached.html

19) Convert MySQL database from MyISAM to InnoDB

MySQL database servers have two main storage engines, MyISAM and InnoDB. The storage engine is the management software used to create, read and update data in the database. A website owner can choose what storage engine is used for each of the MySQL database tables on a website.
For small websites, the storage engine doesn't make much difference. However, for larger/busier websites and e-commerce stores, you should considering converting the storage engine from MyISAM to InnoDB, especially if your website has large database tables. You should discuss the best storage engine with your web developer or IT person.
Please follow our guide: https://my.maxer.com/knowledgebase/196/Convert-your-MySQL-database-from-MyISAM-to-InnoDB.html

DISCLAIMER: The scripts provided in our knowledgebase are for informational purposes only. We do not provide any warranty or support. It is essential to review and modify the scripts to fit your site's specific needs. There may be unforeseen outcomes when adding new script code to an existing website. You should discuss it with your website manager and seek advice from an experienced website developer if you are unsure.

Updated by SP on 04/05/2023

Was this answer helpful? 5 Users Found This Useful (5 Votes)