After you get your WordPress site up and running, install a beautiful theme (or get someone to make one for you) and add your content, it more or less takes care of itself, right?

Wrong. Keeping your WordPress website running smoothly takes time and attention. Although there are lots of ways to secure and improve the performance of your site, there’s also a handful of quick and simple things you can do that will make a huge difference, and we’ve outlined them below for you, along with links to some useful resources.

Technical knowledge required: Very little — you’ll need to be able to install WordPress plugins and tinker with settings within the WordPress panel. But no coding is needed!

In this article:

  1. Keep WordPress core, themes and plugins up to date
  2. Install a security plugin
  3. Use strong passwords
  4. Change the WordPress administrator user name and URL
  5. Take regular backups
  6. Scan for SEO weaknesses
  7. Ensure your website is mobile-friendly
  8. Speed things up

Security & backups

Exciting it’s not. Fun it ain’t. But security should be your number one priority when it comes to WordPress. Being open-source and relatively simple to set up, WordPress is now used on 40.5% of all websites, and 64.5% of websites that use a content management system (as of March 2021: source). As a result, it has a significant base of community support, which has meant the availability of a wealth of plugins, tutorials and themes you can get your hands on, often for free.

WordPress CMS market share 2021

WordPress’ dominance as a content management system (CMS) is huge.

But there’s a downside to such fame. It also means that WordPress is one of the most hacked CMSs. Because anybody can get a basic website up and running and available to the world without any awareness of programming, some buggy plugin code or an out-of-date plugin can leave you exposed to all kinds of attacks, from both human hackers and automated systems.

For the same reasons, it’s key to have a backup process in place, so that when things do go wrong, you’re not left without a recovery plan.

Tip 1: Keep WordPress core, themes and plugins up to date

It’s easy to forget to check on plugin versions regularly. Who wants to do that anyway? Nevertheless, it’s critically important to update all your website’s software regularly, as developers release ‘patches’ to fix security holes and performance issues. Fortunately, there’s an ‘automatic updates’ feature in WordPress that you can enable for many (though not all) plugins. Just browse to the ‘Installed plugins’ page in the WordPress admin panel, and look for a link on the far right side of each plugin called ‘Enable auto-updates’.

WordPress plugins list

Many WordPress plugins can be updated automatically, though doing so comes with its own risks.

Word of warning: We actually recommend updating the WordPress core, and each plugin, one by one, and checking the main pages of your website over after each update. That way, if an issue crops up, you’ll have a good idea of what could be the culprit.
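If you do have command-line access, the one-by-one routine above can be scripted. This is an added example, not part of the original article; it assumes WP-CLI (the `wp` command) is installed and run from the site directory, and the page URLs are hypothetical placeholders.

```python
import subprocess
import urllib.request

def wp(*args):
    """Run WP-CLI (assumed installed, run from the site directory); return stdout."""
    done = subprocess.run(["wp", *args], capture_output=True, text=True, check=True)
    return done.stdout

def plugins_with_updates():
    """Names of installed plugins that have an update waiting."""
    return wp("plugin", "list", "--update=available", "--field=name").split()

def page_ok(url, timeout=10):
    """True if the page answers HTTP 200; errors and timeouts count as broken."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except OSError:  # URLError and HTTPError are both OSError subclasses
        return False

def update_one_by_one(plugins, pages,
                      update=lambda p: wp("plugin", "update", p), check=page_ok):
    """Update each plugin in turn; stop at the first one after which a page fails."""
    if any(not check(url) for url in pages):
        raise RuntimeError("a page is already failing before any update")
    updated = []
    for plugin in plugins:
        update(plugin)
        broken = [url for url in pages if not check(url)]
        if broken:
            # The plugin just updated is the likely culprit: stop here.
            return {"updated": updated, "culprit": plugin, "broken_pages": broken}
        updated.append(plugin)
    return {"updated": updated, "culprit": None, "broken_pages": []}

if __name__ == "__main__":
    # Hypothetical URLs: replace with your own site's main pages.
    pages = ["https://example.com/", "https://example.com/contact/"]
    print(update_one_by_one(plugins_with_updates(), pages))
```

An HTTP 200 only proves the page loaded, so a quick look at the pages by eye is still worthwhile.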

Tip 2: Install a security plugin

Similar to how — I’m sure — you wouldn’t dream of running your PC without a firewall in place (you wouldn’t, would you?), WordPress also needs real-time protection from attacks.

To complement the above tip on keeping things up to date, you should also make use of a tool that will scan and monitor your website for vulnerabilities and misconfigurations that could leave you exposed to hackers. We like iThemes Security, which as well as highlighting things you could do to tighten security, such as improving password strength (see next tip), can also send you automatic emails whenever something’s happened that looks suspicious.

Tip 3: Use strong passwords

Your mother’s maiden name, favourite pet, first school: those are all out. For your website’s admin panel password (or for any other password for that matter), you will of course need something that is not only impossible for a human to guess, but that also stands up to brute force attacks carried out automatically by bots. The trouble is, such complex passwords can be hard to remember, especially since you’re not supposed to use the same password for more than one website.

One solution is to use a ‘pass phrase’, which is actually several full words combined rather than an alphanumeric scramble. This is easier to remember than a random jumble of letters and numbers and can be just as secure. Find out more about pass phrases.
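To put a number on ‘just as secure’, the added example below (not part of the original article) compares a random 12-character alphanumeric password with a pass phrase of randomly picked words. It assumes a 7776-word list such as the EFF large word list; the 16-word list in the code is constructed for the demo only.

```python
import math
import secrets

# Constructed sample list for the demo only. The entropy figures below assume
# a real 7776-word list, which is what you should generate from in practice.
SAMPLE_WORDS = ["anchor", "breeze", "copper", "dolphin", "ember", "falcon",
                "glacier", "harbour", "island", "juniper", "kettle", "lantern",
                "meadow", "nutmeg", "orchard", "pebble"]

def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `choices` options."""
    return length * math.log2(choices)

def words_needed(target_bits: float, list_size: int = 7776) -> int:
    """Fewest random words whose entropy meets or exceeds target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def make_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick words with a CSPRNG; words a person chooses do not get this entropy."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

if __name__ == "__main__":
    scramble = entropy_bits(62, 12)  # 12 random characters from a-z, A-Z, 0-9
    n = words_needed(scramble)
    print(f"12-char random alphanumeric: {scramble:.1f} bits")
    print(f"words needed from a 7776-word list: {n} "
          f"({entropy_bits(7776, n):.1f} bits)")
    print(f"4 random words: {entropy_bits(7776, 4):.1f} bits")
    print("shape of a generated phrase (demo list):", make_passphrase(n))
```

The comparison only holds when the words are picked at random; a phrase you make up yourself, such as a quote or song lyric, is far easier to guess.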

Tip 4: Change the WordPress administrator user name and URL

A quick and worthwhile trick to make it more difficult for attackers to locate your website’s WordPress login URL (web address) is to change it.

If you’re code-savvy, there are ways to do this manually. But you can also achieve it with a plugin, such as WPS Hide Login.

When you first set up WordPress, your administrator username will be ‘admin’. Pretty obvious, right? An additional security measure you can take is to simply change this to something more unique, such as your name. Whilst this alone won’t make much difference without any of the other safeguards mentioned above, it’s simple to achieve and certainly can’t hurt. Here’s how you do it.

Tip 5: Take regular backups

As the web, and with it the threats that are out there, constantly evolves, it’s critical to take regular backups of your website while it’s working well, so that you’ll have something to roll back to when things take a bad turn.

You can install plugins that will take snapshots of your entire WordPress website at a frequency you decide. If something goes awry due to a dodgy plugin update or you get hacked, you’ll be able to select the ‘last good’ copy of the site and be up and running again quickly, and with minimal loss. It’s less ‘undo’, and more ‘System Restore’ for Windows (or ‘Time Machine’ on Mac, if that’s your bag).

ManageWP – manage WordPress site backups and updates

ManageWP provides both scheduled and manual backups for WordPress sites.

Without such measures in place, if you find out your website has become corrupted by malicious code, you’ll have no recent backups to restore from. The result? A lot of work to get back to where you were.

ManageWP is a plugin that will set you up quickly and easily with a backup solution. It also includes a number of other useful features for managing your WordPress website (or a group of sites).


Once you have your site secured and backed up, it’s time to see how you can make it work harder for you.

Tip 6: Scan for SEO weaknesses

SEO, or Search Engine Optimisation, is the process of improving the quality and quantity of website traffic to a website or a web page from search engines. It’s a powerful but often overlooked consideration.

Much of what makes your website SEO-friendly has to do with how well it has been designed and programmed, and the quality of its content. That’s too much to cover here, so we’ll assume you’re already taking strides to address each of those (if not, you might like to give us a call). Instead, here are a few quick tips to help you boost your site’s SEO even further:

Without specialist SEO knowledge, it’s not always obvious what you could be doing to make your pages perform better on search engines. Tools such as Yoast can help here.

Yoast not only provides SEO recommendations for your website as a whole but also appears on each individual page, making suggestions to improve content quality and readability.

Yoast also installs an XML site map file, which allows Google to understand your site structure and retrieve the essential pages of your website very quickly.

Tip 7: Ensure your website is mobile-friendly

Google is paying more attention than ever before to how well websites perform on mobile devices. This affects how well your site will rank. Using a tool such as Google’s own ‘Is your website mobile-friendly?’ can give you ideas for what to improve.

Google tool to test if a site is mobile-friendly

The Mobile-Friendly Test provides quick feedback on how well a website performs on mobile devices.

Tip 8: Speed things up

If your site has lots of pages or is image-heavy, you may benefit from using a CDN. In simple terms, a Content Delivery Network is a geographically-distributed network of computers. It helps speed up website performance by making sure that website assets such as images are being served from a location that’s as physically close as possible to where the website visitor is located.

There are a number of CDN plugins for WordPress, but one we like is Hummingbird Pro.


While this is by no means an exhaustive list of WordPress maintenance techniques, we hope it will give you some ideas to improve your website’s security, performance and resilience.

What other killer WordPress performance tips have you found? Let us know on Twitter.

Note: We don’t endorse or guarantee the quality of any of the plugins mentioned on this page, and you should definitely do your own research. That said, we’ve experienced good results from them.