When a new site signs up we do a number of things to make sure it’s backed up, updated, secure, and running smoothly. We think our WP management service is a great value, but we also think these are things every WordPress site should do. So for the do-it-yourselfers out there, here’s how we do today.


First thing we do is make sure there are backups so we can fix anything that might go wrong. It usually doesn’t, but a back up is nice. We use UpdraftPlus for all our backups. It’s a great plugin and stores everything to Amazon’s’ S3 storage solution for safe keeping. We configure it to automatically run every day.

Now that’s done, we see what needs updated. If the site hasn’t been updated in a while, then we need to do some research to make sure the plugins and themes will work with the latest stuff. Check the Updates screen and many plugins will state whether or not they work with the latest.

Compatibility with WordPress 4.5.3: 100% (according to its author)

For those that don’t, we find the plugin in the WordPress.org Plugin Directory. Checking the reviews and support tabs will usually surface any issues. If WordPress itself is really out of date, then the Directory is helpful to see if the current version is supported.

Next we check the theme. Although we don’t automatically update themes, it’s good to know if there are updates available and if they’ll work. This is something we just report on.

Next we remove any disabled plugins. They aren’t running on the site, but WordPress still loads them and they can be a security risk.

Are there any active plugins that aren’t used on the site? It’s pretty hard to tell without doing a more thorough audit. But sometimes there are obvious ones, like Hello Dolly, the sample plugin installed with WordPress. We disable and remove those too.

Next up is Akismet. Comment spam protection. If comments are turned off everywhere, then this can be removed. If comments are on and Akismet not set up with an API key, we set it up.

Anti-malware. We love the Anti-Malware Security and Brute-Force Firewall plugin and set it up next. Not only is it an amazing anti-malware scanner, it repairs issues it finds and also protects from some very common attacks, including Brute-force logins. Brute-force logins, arguably the most common way sites are hacked, are a program that just tries to guess the password by logging in over and over very fast.


To keep up on things we setup some automation. We already have the backups running every day. But what about updates and security scans?

WordPress core can automatically update itself and now that we’re starting from an up-to-date site, we make sure it does. In the wp-config.php file, we add the following if it’s not there.

define( 'WP_AUTO_UPDATE_CORE', ‘minor’ );

This allows WordPress to auto update any minor updates, this includes security fixes. We don’t enable everything in here, because major updates and plugin updates can break a site, we like to make sure that doesn’t happen.

For the rest of the updates we use MainWP. This keeps an eye on everything and lets us auto update plugins we’re confident won’t break a site. For everything else, we manually update and verify those once a month.

MainWP also includes some other great features, like fixing common security configuration problems and scanning the site with Sucuri.


Lastly we take a look at performance. The biggest things that affect performance are too many plugins, caching, and images.

We’ve already audited the plugins, but if there are still a lot, like 15 or more this could be an area of improvement.

Next is caching. Some hosting companies take care of this at the server level. For the rest a caching plugin is helpful. We use WP Fastest Cache. It’s easy to setup and works really well.

Lastly, images. Not everyone knows how to optimize images for the web, and big images can cause slowness. WP Smush will automatically optimize images and speed things back up.

Done. Almost!

With everything set up. We’re set until the next update cycle, except for one thing.

Watch for security alerts. These are usually bugs that allow attackers in so we want to catch them as soon as possible. Usually there’s an update that we can install, other times the plugin has to be disabled until an update is ready.

We hope you find this helpful to keep your site updated and secure. If you want us to handle it, you can sign up for WP Support HQ here.

Photo by Jamiecat *

Updates are important, but they can break your website, so many people just don’t update.

The problem is updates aren’t just about new features. Often they contain security fixes. Getting these security fixes is important because malware makers and spammers will scan the internet looking for “unpatched” websites. And since you now have backups, you don’t have to worry so much about updates breaking your site!

This one’s easy, here’s how:

Just go to Dashboard > Updates at least once a month and update everything.

Reminders From WP Support HQ:

  • It’s a good idea to make sure you have a backup before running the updates.
  • If you’ve made changes to your theme files, updating it will overwrite those changes. It’s probably a good idea to move those changes into a “Child Theme” before updating the theme. Updates to everything else should be fine, so don’t wait on those!

Bonus! Keep an eye out for important security updates and update as soon as you see them. These blogs are good sources to follow for security updates.


We know this is a lot! But really, we think it’s the minimum you should do to protect the investment you’ve made in your blog.

WP Support HQ specializes in taking care of WordPress sites. We do all the things above, plus a few more to keep your site running smoothly and securely.


Photo by GotCredit

You just redesigned your site, or maybe just added a new contact form to your current site, and now you’re getting a bunch of non-sense emails. Contact form spam! A lot of people default to using a CAPTCHA to fight spam, those annoying puzzle image things you hate filling out. But there’s another way, a honeypot field!

A what?

A honeypot field is a form field that scripts don’t know they shouldn’t fill out, so they do, and in doing so reveal that they are in fact a script. The great thing is that actual users don’t see them and don’t have to do any extra work to contact you!

Let’s cover two of the more common form plugins, Contact Form 7 and Ninja Forms.

Contact Form 7

You’ll need another plugin for the honeypot field. Install and activate the Contact Form 7 Honeypot plugin.

Next, edit your contact form and add the honeypot short code. I usually add it next to one of the other fields and give it a name that sounds important, like age or recommendation.

[honeypot recommendation]

Save your form!

Ninja Forms

Make sure you’re plugin is updated. That’s it!

Ninja Forms includes a honey pot field on all forms now. If you have an Anti-Spam field setup, you can remove it from your form, unless you want extra protection from scripts.

This should be a nice balance of usability for your users and little spam for you!

Photo by freezelight

Nothing is more frustrating than pulling up your WordPress website to find a blank page. The first thing that comes to mind is that someone is hacking your website. However, a serious issue such as that isn’t always the case. Often times, a blank website is the result of a corrupted plugin that is currently active.

Sometimes plugins become problematic when they are incompatible with the latest release of WordPress. This is especially true if they are no longer supported by their developers. Free plugins tend to have the problem of losing support while premium plugins are continually updated for each new WordPress release.

You can pinpoint which plugin is the culprit through a process of elimination. You will need FTP access to your domain which you can get from your hosting provider. Once you are inside of your FTP account using a FTP client, you will need to find the /wp-content directory. Once inside this directory, you will find the /plugins directory.

Rename the /plugins directory first to determine if it is one of the plugins you have installed that is causing the issue. When you reload your website in your web browser and it appears as it normally would, then it is for sure one of the plugins causing the blank page.

Now you can rename your /plugins directory back to its original name. Go into this directory and you will see a listing of all of your plugins. Move each plugin folder out of the main plugins directory one at a time. Test your website after each one you have moved. Soon, you will discover which plugin is having the issue. Once you have found the troublesome plugin, you can leave it off of your website. If you feel compelled, you can contact the plugin’s developers and ask if a fix is in the works.

Don’t worry if reading all of the above is over your head. You can outsource your WordPress support issues to professionals who can troubleshoot problems for you.

Contact us today. We work with numerous WordPress installations and have a deep knowledge of the platform, including common and not-so-common issues.