Recently, a cross-site scripting (XSS) vulnerability was discovered that could allow a person to run malicious code on WordPress sites. It stems from a common coding practice in the theme and plugin development community, and affects many popular plugins. (See http://wptavern.com/xss-vulnerability-affects-more-than-a-dozen-popular-wordpress-plugins and https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html.)
It is not a new issue, but the fact that it is in the public consciousness highlights the importance of maintaining your systems to benefit from recent updates and improvements.
To that end, I have compiled a short list of standard maintenance items that should be performed fairly regularly anyway, but especially now.
Perform a plugin audit
I have begun to document the plugins I use when creating a website for a client. Within that document, I list which plugins I am using, whether they are free or premium, and what they do. This allows clients who are maintaining their own sites to have some concept of how their site works.
During the life cycle of a website, plugins may come and go. Perhaps a more recent redesign rendered some plugins redundant, or maybe one your company used to utilize has been discontinued. Maybe your organization added new plugins to achieve a particular purpose, and tried several of its type in order to determine which one to use.
Whatever the reason, it’s a great idea to periodically go in and make certain that all plugins are needed. If you aren’t sure, check with your developer/designer. You can also choose to simply deactivate a plugin. Doing so usually preserves its settings, and you can then see if anything on the site breaks. You might also use this time to look for newer, more compatible plugins.
Once you have compiled a list of unneeded plugins, delete them. Follow up by deleting the remaining folders and files via FTP.
Perform a theme audit
WordPress comes with several pre-installed themes. In addition, your designer may have installed additional ones in an effort to choose the best option for your site. Deleting unused themes streamlines your site by removing files that are simply not being used.
Be careful when deleting themes. It is possible that you will need to keep at least one theme besides the active one. Some designers will use what is called a “Child Theme,” which is basically an easily editable copy of an existing theme. This allows them to start from a base and customize individual elements. Child Themes require their Parent Theme in order to work properly.
While you’re at it, go ahead and optimize your code and your database. You can use a plugin like WP-Optimize to clean and optimize database tables.
Update WordPress, your theme, and any remaining plugins
Some folks like to wait before installing updates. That makes sense. Updates can sometimes break other parts of a site, causing two plugins that used to work beautifully together to behave like feuding siblings.
That said, updates also can increase security. Really good plugin authors will alter their code upon discovering that there are issues that might compromise security (see the first article referenced). Keeping plugins, themes, AND WordPress itself up to date can help improve the quality of the code running on your site and improve the level of security.
Install a Security plugin. Or two.
Now that your site is running lean, install plugins like Sucuri or Wordfence. In fact, these plugins work together fairly well, so go ahead and install both.
Wordfence is excellent at handling brute force attempts by locking out IP addresses, deflecting phony Google crawlers, and generally establishing a blockade between your site and the folks who would love to hack it. It even has caching features to help speed up your site.
Sucuri has a free online scanner. Enter a URL (e.g. sucuri.net) and the Sucuri SiteCheck scanner will check the website for known malware, blacklisting status, website errors, and out-of-date software. The plugin will help protect your site against malware, check your site settings for security, and notify you of changes to core files for WordPress, themes, and plugins.
Back it all up
Ultimately, nothing beats having a clean backup of everything you’ve got on your website. If there is ever an issue, from a client-initiated snafu to malware taking down the hosting server, you can rest easy knowing that you have backed up the site to a remote location.
The best kind of backup is one where you have multiple copies – this way if there is an infection, you can go back to a point beforehand. You also need to be certain that your backup includes the database files, as without them your WordPress site is an empty shell.
When launching a new site or a redesign, it’s probably a good idea to do all of the following:
Use a program like HTTrack Website Copier to make a static copy of all the files and text on your site. This gives you an “if all else fails” backup of the information itself, and can even be deployed in an emergency. Basically, this open source software copies every page on a website, downloading all files associated with the pages. Although WordPress generates the pages from a database, HTTrack will create static pages.
Use FTP to copy theme files and plugin files. This is especially important if you have a custom theme or a child theme, or have had a plugin customized.
Use a plugin like Duplicator, which will completely back up everything about your site, including the database entries. You can then restore your site, as it was saved at that point, if needed. I also like Updraft Plus (which was named in the list of impacted plugins, but has been updated since the vulnerability was discovered), because you can schedule full and incremental backups and have them stored in the cloud.
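If you would rather not depend on a backup plugin, the same ideas (database included, multiple dated copies, verify before you trust it) fit in a small script. The one below is an added example, not code from this post or from any of the plugins named; it assumes WP_ROOT points at the site files, DB_DUMP_CMD writes a SQL dump to standard output (mysqldump by default), and BACKUP_DIR is a location you later sync off the server.

```shell
#!/bin/sh
# Added example: rotating WordPress backup. Not the post's own code.
# Assumptions: WP_ROOT = site root, DB_DUMP_CMD = command that prints a SQL
# dump, BACKUP_DIR = where dated archives go (sync this somewhere remote).
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/backups/wp}"
KEEP="${KEEP:-7}"
DB_DUMP_CMD="${DB_DUMP_CMD:-mysqldump --single-transaction wordpress}"

# Write one dated archive holding the database dump plus wp-content
# (themes, plugins, uploads). Prints the archive path on success.
make_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d)
    mkdir -p "$BACKUP_DIR"
    # Database first: without it the restored site is an empty shell.
    sh -c "$DB_DUMP_CMD" > "$work/db.sql"
    [ -s "$work/db.sql" ] || { echo "empty database dump" >&2; return 1; }
    # Files that carry customisations: child theme, modified plugins, media.
    cp -R "$WP_ROOT/wp-content" "$work/wp-content"
    archive="$BACKUP_DIR/site-$stamp.tar.gz"
    tar -czf "$archive" -C "$work" db.sql wp-content
    rm -rf "$work"
    echo "$archive"
}

# Confirm an archive really contains both the dump and wp-content.
verify_backup() {
    tar -tzf "$1" | grep -qx 'db.sql' && tar -tzf "$1" | grep -q '^wp-content/'
}

# Keep only the newest $KEEP archives (names sort by date), so a copy from
# before an infection is always available without filling the disk.
prune_backups() {
    ls -1 "$BACKUP_DIR"/site-*.tar.gz 2>/dev/null | sort -r \
        | tail -n +"$((KEEP + 1))" | while read -r old; do rm -f "$old"; done
}

count_backups() {
    ls -1 "$BACKUP_DIR"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}
```

Run make_backup from cron, then prune_backups; restoring is the reverse (extract, import db.sql, copy wp-content back), which is worth rehearsing once on a test site so the first real restore is not also the first attempt.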