Over the years, I’ve seen a ton of WordPress sites — and not all of them have been pretty.
We’ve helped hundreds of clients who either weren’t sure how to fix a problem on their site or whose previous developer left them high and dry, and when we’re able to look at their WordPress Dashboard, it’s often a mess.
Sometimes the site hasn’t been updated in months (or years) and sometimes it’s just clear that best practices weren’t followed.
It happens, and it’s our job to help get these sites clean and running as they should be.
If you’re worried that your site isn’t performing as well as it should be, it’s possible you have some issues that need to be fixed (reach out and we’re happy to help).
Here are common WordPress mistakes you don’t want to make.
Don’t Ignore Plugin Updates or Make Them Un-updatable
WordPress is software that’s always in development, so when security fixes and other updates are made available, you need to update. That’s true for both the core WordPress software as well as the plugins you use on your site.
The easiest thing for a hacker to do is find that you’re running an out-of-date version of WordPress or a plugin that has a known vulnerability and use that knowledge to hack your site.
Rarely are you specifically targeted for hacking; more often, it’s a bot that’s crawling the web and looking for code that’s out-of-date that can be exploited. Don’t be that person.
One of the most common reasons I’ve heard for not doing updates is that you’ve edited the core WordPress software or a plugin, and by updating, you’d lose whatever changes you made.
Don’t do this.
Editing the core WordPress software is a big no-no, as it breaks your ability to update the software easily.
Editing plugins isn’t recommended — even if you need some functionality the plugin doesn’t provide — as it makes updating difficult as well. (Want to change how a plugin works? Filters and actions are your friends.)
Don’t Make Content Changes in Your Template
The entire purpose of having a content management system (CMS) like WordPress is so that your design and your content are stored separately.
This gives you the ability to update or overhaul your design without having to re-work your content. The content is stored in a database and your theme is the design; swapping out a new theme doesn’t require you to also migrate content.
I’ve seen plenty of poorly-made themes that have content saved in the actual theme files; some with as little as the content of the 404 page to others with paragraphs of text stored in the template.
You should not need to edit your template to make content changes. It should all be accessible via the WordPress Dashboard.
Don’t Leave Unused Plugins Installed or Activated on Your Site
If you’re not using a plugin, delete it.
Don’t just deactivate it — delete it.
Any additional code (especially a third-party plugin that you or the developer haven’t updated for a while) on your site is a security risk.
Every so often, go through the plugins on your site and make sure you’re actually using them. It’s not unusual to have installed and used a plugin for a bit and then not needed it again; if you have one, deactivate and delete it.
Don’t Save Unnecessary Information to Your Database
Your WordPress database is only as good as how you use it, and there are plenty of plugins that will overwhelm the database with unnecessary information.
For example, if you’re using the popular Redirection plugin, do you really need to log every time someone gets redirected? Did you even know the plugin does that? It’s not necessary and just clogs up the database.
(PS – turn off redirection logs by clicking on “Options” and then setting “Redirect logs” and “404 logs” to “No logs”.)
Other plugins that save a ton of information to the database that you should avoid include Yet Another Related Posts Plugin, WordPress Popular Posts, and a number of statistics plugins that save every page load to the database.
There’s always a better alternative for these types of plugins; go with the option that doesn’t bog down the database.
Don’t Ignore Basic Security
If you have a website, you have a security risk. It’s just reality.
Don’t ignore WordPress security fundamentals:
- Delete the admin user.
- Don’t allow more people than required to have access to your back-end (and don’t make them all administrators, unless they absolutely have to be).
- Install an SSL certificate. It doesn’t matter if you’re not collecting credit card information; it’s a best practice and Google has begun shaming sites that aren’t secure.
Here are a few more ways to keep your site secure.
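To check a site for the plugin and user mistakes described above, the script below parses WP-CLI CSV output and reports plugins with pending updates, deactivated plugins, administrator accounts and a leftover admin login. It is an added example, not from the original article; the plugin and user names in the sample data are constructed, and the `--live` switch is this script's own convention.

```shell
#!/bin/sh
# Added example. Constructed sample of: wp plugin list --fields=name,status,update --format=csv
SAMPLE_PLUGINS='name,status,update
redirection,active,none
example-gallery,inactive,none
example-forms,active,available
example-stats,inactive,available'
# Constructed sample of: wp user list --fields=user_login,roles --format=csv
SAMPLE_USERS='user_login,roles
admin,administrator
jane,"editor,administrator"
sam,editor'

# Plugins with a pending update (third column is "available").
plugins_needing_update() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}
# Installed but deactivated plugins: candidates for deletion.
unused_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}
# Logins holding the administrator role. Everything after the first comma is
# the roles field, which is quoted when a user has several roles.
admin_logins() {
  printf '%s\n' "$1" | awk 'NR > 1 {
    i = index($0, ","); login = substr($0, 1, i - 1)
    roles = substr($0, i + 1); gsub(/"/, "", roles)
    if (("," roles ",") ~ /,administrator,/) print login
  }'
}
# Succeeds when a login literally named "admin" still exists.
has_default_admin() {
  printf '%s\n' "$1" | grep -q '^admin,'
}
# Report for one plugin CSV ($1) and one user CSV ($2).
audit() {
  echo "Update now:        $(plugins_needing_update "$1" | tr '\n' ' ')"
  echo "Delete if unused:  $(unused_plugins "$1" | tr '\n' ' ')"
  echo "Administrators:    $(admin_logins "$2" | tr '\n' ' ')"
  if has_default_admin "$2"; then echo "Login 'admin' still exists."; fi
}

if [ "${1:-}" = "--live" ]; then  # run from the WordPress directory
  audit "$(wp plugin list --fields=name,status,update --format=csv)" \
        "$(wp user list --fields=user_login,roles --format=csv)"
else
  audit "$SAMPLE_PLUGINS" "$SAMPLE_USERS"
fi
```

Without arguments the script reports on the embedded sample; with `--live` it needs WP-CLI installed and must be run from the site's WordPress directory.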
WordPress mistakes are common; if you’ve made any of these, fix them as soon as possible.