How to Maintain a Healthy WordPress Website
Maintaining a healthy WordPress is fundamentally important for every website manager. From optimization tips, to security, to maintenance, running updates and lots more, we need to implement best practices to be sure we are free from hackers, stay safe and healthy.
Fortunately, the release of WordPress 5.2, came with some great features and improvements for the WordPress CMS Being the most popular CMS today. We will in this post examine some basic tips necessary to keep your WordPress website healthy and conclude with the new features of WordPress 5.2..
Your WordPress site health will be based on tests your WordPress website passes successfully. If you pass all of them, your score would be 100%. As it focuses on ensuring that your site is up to date, healthy, and secure, the Site Health Score is, undoubtedly, something that will help make the web better.
Is Site Health Score Percentage Actually Important?
The simple and straight answer to this will be yes! You will find out that most of the tests your website will have to pass for a good site health score are performance and security related. So, passing the site health test simply means you are up-to-date with security and performance for your WordPress website. Most people would like their website to run smoothly and be as likable as possible. Seeing a 100% score will give you the reassurance that your WordPress website is performing exceptionally well.
We are aware that people are naturally highly competitive and will strive for the precious 100% score. Because of that, we decided to share some tips on how to get that perfect score on your website. In fact, this goal is not as hard to accomplish, as some may expect. So, let’s get on with the guide!
1. Update Your WordPress Version
The first test your WordPress website must pass is the update test. It is important that you maintain a healthy WordPress website by keeping up with the latest updates. That simply means you have to be running the latest version. It is extremely important that you ensure you are run the latest version of WordPress. Please note that prior to performing the actual update of your WordPress platform, it is important that you ensure a full backup of the current website is performed.
To proceed with the actual upgrade, you will have to log into the WordPress Dashboard, go to Update (Dashboard → Update), and then click on the “Update Now” button. After doing that, make sure you don’t click back or try reloading the page. Usually, you would only need to wait a few seconds. Also, keep note that your website will be in maintenance mode during the time your WordPress version is being updated.
Following the installation of WordPress 5.2, go to Tools → Site Health to check your score.
When you go there, you will see that this tool helps you a lot in your way to the perfect score. You will be able to see not only your current score but also all the recommended improvements. Additionally, you can check out every test that your website has already passed.
We’ve managed to get these awesome 100% score, and we will help you accomplish it for your website. It’s fairly easy.
2. Keep Only One Default Theme
We strongly advice that you keep only the latest of the default themes, which currently is “Twenty Nineteen.”
Follow that by cleaning up all unused themes and plugins. To remove a theme, your path to go would be Dashboard → Appearance → Themes. Continue with finding the theme for deletion and hovering over it. You will see a “Theme Details” button. Click on that button and a window with info and options about that particular theme will be opened. At the bottom right corner is the “Delete” button. You know what to do from there.
Note that when a theme is currently active, there won’t be a button for its removal.
3. Keep all Plugins and Themes Up To Date
The main reason to keep every theme and plugin up to date is to avoid hacker attacks. Ultimately, those would lead to your website going down. Also, Google would begin warning all potential visitors, saying that your website could be hacked. Since you don’t want downtimes and you want visits on your site, we recommend that you take the time and update all active plugins and themes.
4. Run on The Latest PHP Version
As at the time of writing this ost, PHP 7.3 is the highest level available. However, we strongly recommend that you always use PHP’s most current version. There are some things that also need to be mentioned on why you should upgrade to the latest PHP version:
WordPress 5.2 checks whether your current and most secure version of PHP is the latest possible. If that’s not the case, one of the Site Health suggestions will be to update PHP;
Note that if your site is still on a 5.x version of PHP, it’s highly vulnerable and could get hacked;
If we compare PHP 7.3 with its 5.6 version, we see that version 7.3 handles almost three times the requests of 5.6;
Currently, most of the plugins work only if the latest PHP version is installed, which is one more reason for an update.
Also read: How to Find and Clean Backdoors in a Hacked WordPress Site
5. Use a Stable and Supported Version of a Database Management System
This is also very important. Fortunately, at Todhost, we support MySQL 5.6+, which supports UTF 8 Unicode. The UTF 8 is to make sure that your website can store text content that is non-English, in addition to some other strings (e.g., emoticons) without the risk of unexpected issues.
6. Use HTTPS for your WordPress Site
It is recommended that your entire website should be running on the secured https mode. Keep in mind that HTTPS requires a valid SSL certificate to be issued for your site. Fortunately again, at Todhost, we offer free SSL support for all clients with no additional costs for Let’s Encrypt SSL certificates. Thanks to our integration with Let’s Encrypt, you can easily enable and issue Free SSL certificates right from within the cPanel section of your website. To do so, you should go to Client Area → cPanel → Let’s Encrypt.
All that remains is to click on +issue for your chosen site:
But why does HTTPS really matter? Last year Google had announced a project that would improve the overall web security via encouraging all site owners to make the necessary switch from HTTP to HTTPS. As part of the plan, their popular Chrome (web browser) would mark all unencrypted websites as “Not Secure” starting July 2018. This, of course, had a great impact on site traffic given that a security warning undoubtedly introduces uncertainty and hesitation among site visitors.
Even if you do not bring much attention to the security of your site, Google definitely does. HTTPS has been sometimes described as just a minor Google ranking factor when it comes to organic internet search algorithms but we have found that it can have severe impact on site raning when not taken seriously. It’s more often seen in the form of a “site quality” score, alongside many other factors, such as page speed and mobile responsiveness. There are multiple different “best security” practices and enhancements that are implemented for ensuring a website is locked down.
Nevertheless, padlocking your site still would not be enough to ensure the automated redirection of your HTTP traffic to the secured HTTPS version of your site. Eventually, people will find their way in reaching your website over HTTP://. For that reason, we strongly recommend the use of HTTP Strict Transport Security (HSTS), instead of the HTTPS option. Doing that will help you avoid cookie hijacking, SSL protocol attacks, SSL stripping, as well as other attempts to bypass your SSL protection. Here comes the best part – you exponentially improve your overall SSL rating with Todhost.
7. Have Cron Job Enabled
Site Health checks for running scheduled events. WordPress uses Cron Job wp-cron.php task scheduler to periodically check for updates to plugins, themes and WordPress itself. It is also what makes sure to publish scheduled posts on time. It does that in the background.
What happens if WP-Cron unexpectedly stops working? Not to worry! There is a plugin with the name of “WP-Cron Status Checker”, which is quite handy.
8. Turn Off WordPress Debugging
Debug mode is often enabled for gathering additional details about an error or site failure but may contain some sensitive information which should not be available on a publicly available website. Removing the debugger would prevent any leaking of personal server information.
Go in wp-config.php. The default setting there is for WP_DEBUG to be set to false.
Go ahead and double check. In case it’s not – make it so:
define( 'WP_DEBUG', false )
9. Do not Disable Rest API
The REST API is one way WordPress, and other applications, communicate with the server. One example is the block editor screen, which relies on this to display, and save, your posts and pages. Disabling Rest API would make WordPress function inadequately. There are certain Android apps which also require the Rest API to be enabled.
10. Do not Disable Background Updates
Background updates are more important than a lot of people would think. They ensure that WordPress can auto-update if a security update is released for the version you are currently using. Disabling them is one of the things that put your WordPress website at a greater risk of being hacked.
WordPress 5.2 Comes With New Features Enhancing Site Health
WordPress 5.2 “ was officially released on May 7, 2019, and is available for download on the official WordPress website.
In all fairness, this version comes with a lot of features, the biggest one being the new Site Health check tool which will help educate users and give developers the essential information they need. Other improvements include PHP error protection (fewer white screens of death), block editor improvements, new dashicons and emojis, and various developer and accessibility updates.
The WordPress team, captues the great features and performance improvements in its description:
WordPress 5.2 gives you even more robust tools for identifying and fixing configuration issues and fatal errors. Whether you are a developer helping clients or you manage your site solo, these tools can help get you the right information when you need it.
This is the second major release since the launch of the WordPress block editor (AKA Gutenberg) in WordPress 5.0. Below we’ll dive into all the new improvements and the most important changes you will find with this latest WordPress .2 release.
Site Health Check
The first site health check features came in WordPress 5.1 when they added PHP version compatibility checks for plugins and themes. In WordPress 5.2, they’ve added a completely new tool which comes with two new pages to help debug common issues due to server and software configurations, PHP versions, etc.
Under “Tools” → “Site Health” there is a new page called “Status.” The site health check shows critical information about your WordPress configuration and items that require your attention.
One thing you’ll probably notice is that they’ve added a percentage score grade at the top of the page based on how many tests your site passes. Some aren’t happy about this and there is a discussion among developers (Ticket #47046) of whether or not a grading system should exist. The main reason is that scores sometimes create additional problems as users are obsessed with scoring 100%.
However, a check for things like inactive plugins and themes is important. This is because many don’t realize that simply because something isn’t active on your WordPress site doesn’t mean someone can’t execute the code if they browse directly to it. Therefore, in order to keep your WordPress site secure, it’s recommended to completely remove inactive themes and plugins if they aren’t being used.
The tests in the new Site Health tool includes checks for the following performance and security-related items:
- Latest WordPress version
- Up to date version of PHP
- Up to date SQL server
- Required and recommended PHP modules are installed
- UTF8MB4 is supported
- Scheduled events
- Working HTTP requests
- REST API available
- Can perform loopback requests
- Only running active themes
- Up to date plugins
- HTTPs connection
- Secure communication
- Debug mode off
- Can communicate with WordPress.org
- Background updates are working
Site Health Info
Under “Tools” → “Site Health” there is another new page called “Info.” This is a place to find helpful debugging information about your WordPress site’s configuration which you can share with developers, hosting providers, etc. There is a handy “Copy site info to clipboard” button which allows you to easily grab the information and paste it into a text file to share with a third-party.
The Site Health Info page contains hundreds of different data points about your WordPress site. Without a doubt, this new page will help developers get the information they need from users faster.
Here’s just a snapshot of some of the awesome and very helpful details you can quickly see.
- WordPress: WordPress version, site language, user language, Home URL and Site URL, permalink structure, multisite check, number of users.
- Directories and Sizes: WordPress directory location, size, upload location and size, theme location and size, plugin location and size, database size, total installation size.
- Active Theme: Name of theme, version, author, author website, parent theme, theme features, theme directory location.
- Must Use Plugins: Details of any must use plugins currently running, version numbers, and author names.
- Active Plugins: Active plugins running, version numbers, and author names.
- Media Handling: Active editor, ImageMagick version number, string, resource limits, GD version, Ghostscript version.
- Server: Server architecture (such as Linux, Windows, etc.), Web server (such as Nginx or Apache), PHP version, PHP SAPI, PHP max input variables, time limit, memory limit, max input time, upload max filesize, post max size, cURL version, SUHOSIN status, Imagick library status, .htaccess rules.
- Database: Extension, server version, client version, database user, host, name, prefix.
- WordPress Constants: ABSPATH, WP_HOME, WP_SITEURL, WP_CONTENT_DIR, WP_PLUGIN_DIR, WP_MAX_MEMORY_LIMIT, WP_DEBUG, WP_DEBUG_DISPLAY, WP_DEBUG_LOG, SCRIPT_DEBUG, WP_CACHE, CONCATENATE_SCRIPTS, COMPRESS_SCRIPTS, COMPRESS_CSS, WP_LOCAL_DEV.
- Filesystem Permissions: Check against the following directories to see if they are writable. Main WordPress directory, wp-content directory, uploads directory, plugins directory, themes directory, must use plugins directory.
PHP Error Protection
WordPress 5.1 was originally scheduled to introduce a new feature called “fatal error protection” which would protect from the WordPress white screen of death while updating PHP. However, due to several critical flaws, this feature was delayed. It has now been included in WordPress 5.2.
With this protection, WordPress will recognize when a fatal error occurs and pause the offending theme or plugin in the WordPress admin dashboard so that you’ll still be able to log into the backend of your site and (hopefully) fix the problem. For less tech-savvy users, this is a great new feature.
However, we always still recommend using a staging environment when testing out a new version of PHP.
If your site experiences issues while upgrading PHP versions, you will still be able to log into the backend to fix the problem.
On the backend, you will see a message letting you know that your WordPress site is currently in recovery mode and that there may be an error with a theme or plugin.
Miscellaneous Developer Updates
Block Editor Improvements
There were dozens of improvements made to the block editor (Gutenberg) that is shipping with WordPress 5.2. Here are a few:
- In 5.0,
WP_Screen::is_block_editor()was introduced to allow developers to conditionally execute code depending on whether the block editor is being loaded. However, there were some issues with this that have now been fixed in WordPress 5.2. See #46195.
- Media and text blocks got enhanced.
- Image and block resizers are much better than before.
- There were performance improvements made in terms of loading time.
PHP Coding Standard Updates
WordPress now officially recommends running PHP 5.6 or higher with your hosting provider. If you’re curious, Todhost supports up to PHP 7.3!
With WordPress 5.2, this means developers can take advantage of new coding standards such as namespaces, anonymous functions, short array syntax, short ternary syntax, and assignments with conditionals. If you’re a developer and have already been running on PHP 7 or higher for a while now, this might not impact you, but it’s good to see WordPress making updates.
Read more about updates to the coding standards.
- New function:
- A new theme template file:
- New body class:
- New menu item class:
The second change is in regards to data exports:
User Data exports no longer use a hardcoded list, but now use the default list of allowed tags in
wp_kses(). New filtering is now available as well.
Read more about the privacy updates in WordPress 5.2.
New Body Tag Hook
WordPress 5.2 adds a new
wp_body_open() hook, which lets themes support injecting code right at the beginning of the
<body> element. The WordPress team encourages theme developers to start using this. Read more about some of the other miscellaneous developer updates.
New Emojis and Dashicons
In terms of visual updates, WordPress 5.2 has new emojis and dashicons. In WordPress 5.2 the latest version of Twemoji, 12.0.1, was added. Version 12 includes 230 new emojis, including accessibility emojis and our personal favorite, the Sloth. See #46805.
Dashicons are used to prettify your WordPress admin dashboard. It was definitely time for an update as they haven’t changed since WordPress 4.5. WordPress 5.2 has 13 new icons, including Instagram, a suite of icons for BuddyPress, and rotated Earth icons for global inclusion. WOFF 2.0 font file format has also been added.
Check out the full list of new icons.
Notable Accessibility Changes
Along with WordPress 5.2 comes a number of changes working together to improve contextual awareness and keyboard navigation flow for those using screen readers and other assistive technologies.
- Post formats are now in list tables.
- New link markup on the WordPress admin bar submenu.
- The currently viewed archive in the archive dropdown widget is now pre-selected.
- A new media view was added to the media library.
- Headings were added to the data tables on the Export Personal Data and Erase Personal Data pages.
- The alt text field is now the first field displayed in the media modal.
Ticket #39309 was opened in 2017 describing a security issue with the WordPress infrastructure. Basically, if someone was able to compromise
api.wordpress.org, they could issue fake updates and take control of user’s WordPress sites.
Therefore, as of WordPress 5.2, it now checks for the existence of a
x-content-signature header. If one isn’t found, it falls back to a signature file. Regardless of the method, the update packages are now digitally signed using Ed25519 and are base64-encoded.
We hope our si,ple guide can do the trick and lead you to the desirable 100% site health status. Remember that this score is not just the ultimate. The perfect Site Health Score is composed of elements that were always important. The thing that changed in WordPress 5.2 was making people more aware of how to take proper care of their websites.