My WordPress Security Patching and Maintenance Process

A couple of quick things:

  1. I’ve been thinking that how I do WordPress maintenance might be different from how you and others do it, and that we likely have something to learn from each other in this regard. So, I’m posting two videos of me performing WP maintenance on one of my personal sites, talking through my thought process along the way. It’s less than 10 minutes, total.
  2. Let me know what you found valuable/fresh and also what you do as part of your process that I missed.

My WordPress Security Patching & Maintenance Process Demo, Part 1

Transcript:

You’ll see immediately after logging in, you see the 11 updates needed as well as some messages. I’m just gonna quickly read. It looks like I don’t need to worry about.

Are you enjoying Monster Insights? Not really <laugh>. What’s to enjoy about it? I have a bunch of plug-ins that need to be updated.

So the first thing I do is I make sure that I have a backup. And so I do that in ManageWP, and it makes a backup every night automatically. I have to pay for that service. It’s about two bucks per site. And then I also have server backups being made nightly.

So I, you know, I have two backups to fall back on, and then you see there’s a bunch of 10 plug-ins that need to be updated. So I’m just gonna first do that. And then that’ll decrease this number, that 11 should go drop down to a one. And sometimes there’s additional ones that pop up after making the update based on API connections and whatnot. So it’s thinking, it’s thinking it should be done in a second here. While that actually we can’t do anything while that’s going on. So we’re waiting. There it is.

Okay, so you see it had no problem updating all those things. Great. I’m gonna go back to the updates page and you’ll see it gives me this message saying that my Advanced Custom Fields Pro is not updated. I don’t know why that’s not updated, but let’s go ahead and click that again.

So sometimes you’ll get these, and that’s kinda what I was describing a minute ago. Particularly the plugins that don’t come from wordpress.org. You’ll see these notifications pop up after the fact. Then I’m using this tove theme. I’m just gonna update that, see what happens. It should be noted that with theme updates, a lot of times it breaks stuff.

And so I’m gonna go ahead and view this. Looks fine. I’m just gonna click around and just say, yep, looks like it’s loading everything fine. I also purged the cache here.

The next thing I’m gonna do is just check out the plugin mix and see if anything, you know, WordPress, the ecosystem changes regularly. And so I’d just like to confirm it’s looking good. I’m gonna open up the settings here on the Cloudflare, and this is not necessary, but I always like to just apply the recommended WordPress Cloudflare settings because it’s possible that Cloudflare has changed their stuff and that it might need to be on.

I also make sure this Always Online is on, doesn’t really matter. Just kind of review the settings. It all looks fine. So let’s go back to the plug-ins here. Just kind of reviewing by eye and making sure that, you know, everything looks, you know, the things that are active are the things I want active. This one’s not active, so I’m just gonna delete that.

Performance plugin for WordPress performance Clean team. I’m not even sure what that’s doing. I’m actually curious. So I’m just gonna check out the settings there. You know, I installed it maybe a year ago and I’m just curious what this even does.

So I’ll just leave it active. It, it, it’s probably fine, you know it’s also, what is WordPress Performance Team? Okay, so that’s wordpress.org. So I’m just gonna leave it active. Seems fine.

Semantic Linkbacks for Web Mentions. Okay. Vipers Video Quick Tags. That’s, that’s an old plugin that I have probably had on here for 15 years. Okay. And the rest look fine. WP Offload Media Lite. I actually don’t want to run that. Is my media running from S3 right now? Looks like it’s not, so I’m guessing I can deactivate that plugin. Let’s go back there and check that out. Is it even running copy files? Yeah, I’m not even sure that, I don’t think it’s doing anything at present. Yeah, so it’s not doing anything, so I’m just gonna deactivate that.

What I’d like to do in a case like this where I’m like, Hey, maybe it’ll break something, maybe not. I deactivate it, but I don’t delete it. I’ll delete it the next time I’m in there, you know, in a month or so. But I’m just gonna check first. I’m gonna purge the cache, then I’m just gonna check and make sure everything’s still loading. Looks fine.

Yeah, it looks like everything’s loading. So I think that plugin was doing nothing for me. And the next thing I’m gonna do, I’m just gonna move this over. I’m just gonna run a security scan with Wordfence – looks like it ran a scan a few day.

[View on Youtube]

My WordPress Security Patching & Maintenance Process Demo, Part 2

Transcript:

All right, so I’m here in Wordfence. I’m just kinda looking. It looks like there was a scan on a few days ago.

There’s this thing, auto login, which is probably, this is a legitimate but unprotected file that allows everyone to log in as administrator.

Recommended immediate deletion. I’ll just delete it. It might cause problems for down the road. It could be related to ManageWP.

So this is Viper’s Video Quick Tags. Now this is a really old plugin. It says it’s been removed from wordpress.org.

It’s an interesting question. I don’t, I’m just gonna deactivate it because I know that what it does is it converts YouTube and other video stuff to, so it can be embedded.

But these days, because WordPress ships with that as part of the Gutenberg editor, and even prior to that, it shipped with that functionality.

I’m just gonna delete it here. So that one will be fixed. I’m just gonna mark it as fixed here. Then finally, we have modified theme.

I’m just gonna view differences here. See if it’s anything. Oh, that’s interesting. Remove decimals. I wonder if I added this. Looks like something I added.

Okay, I’m just gonna leave it there. Something about adding currencies that is weird. Why would I need currencies on this site?

I don’t think I do. So I, that’s really curious. Again, I wanna see that. I’m guessing I added this. Why would I have a currency thing?

I don’t do any currency related stuff. Yeah. So what I’m thinking is that I don’t need that. Let’s see what happens when I click repair here.

If you could back up of this file if you need to, you can copy it to the following path. Click here.
I’ll download it. Sure. Let’s repair file. Okay, now it says it was restored. So fix that issue. So that’s, oh, one other thing I’d like to do is just reconfigure my cache here.

I use this SG Cache plugin and as this is how I like to do it. And then let’s check out, see what the other, see if all the environment stuff is running.

Let’s just, oh wait, I don’t need that one. I was thinking more the front end option here. Now there are many cache plugins that purport to speed up your site, and it’s worth trying them all.

Sometimes one will work and the other one won’t. So I do, I, I usually start with this one. And then we, I also have a WP Rocket subscription, so I will do that from time to time.

But that one’s a bit more complex, so I generally do that later if one of these doesn’t work. So I’m just added clicking enable for all the things.

I’m gonna purge the cache. And so now this could break stuff on the site. So I’m gonna go to the front end of the site and looks like everything’s working fine.

So in theory now it should all be working fine. The one thing I like to do as well when I’m doing this stuff, I like to go to Google PageSpeed and just run a quick page speed test.

Just cause I’m curious about a how fast it is, but really if there’s any issues that exist that I am not aware of so we’ll let that run.

And then I’ll, you know, generally in this case, I’m guessing there’s gonna be none. But if there was something that popped up, so 71’s pretty good for a mobile score, you see 9408 98 you know, I could do some more optimizing on this, but I’m not concerned.

This is just my personal blog. I don’t really care if people see it. There’s this WebP thing, I might just switch that.

Cause that is an option within the SG Optimizer plugin. It’s in the media option here. Just gonna go ahead. And the other thing you can do with this plugin, it’s really cool, is you can change the compression.

So I’m gonna do that. I’ll do confirm, and then I will also. So now it’s gonna do that. And then when that’s done, I’ll click on the use WebP images thing as well.

But that’s pretty much it. That’s my process. When I, you know, update a site, I like to click around. In this case, there’s not a, a big menu item, but I like to just click test the functionality, click around, make sure it’s all working fine.

But that’s my process. If you like it, I don’t know, leave me a comment or whatever, or not <laugh> let me know what you think.

Bye-bye.

[View on Youtube]

Toby Cryns

Toby Cryns is a freelance CTO, expert WordPress consultant, and teacher.
