Health Check Plugin

The free WP Health Check plugin is a relatively new arrival, having been introduced a few months ago by “The community”. It has a remarkably polarized set of user reviews – divided almost exclusively between 5s (“Works great!”) and 1s (“Warning! Broke my site!”).  The authors strongly urge to backup your site before installing and using this plugin – always a good idea.

wp health check plugin

For me, the plugin works perfectly and is a superb addition to my WP troubleshooting toolbox. Among it’s features …

  • On the Health Check tab, “The health check shows critical information about your WordPress configuration and items that require your attention.” In my case it seems to show a couple of false positives, but for an extremely useful free plugin I can live with that.
  • On the Debug Information tab, a ton of detailed data. Most of it I don’t understand, but if I ever need it I’m sure I will be very happy it’s there.
  • Most important – the Troubleshooting tab. A standard, basic WP troubleshooting step is to deactivate all plugins and switch to the default 20-something theme. This has gotta be confusing to anyone who happens to be visiting my site at the time. The appearance of my site completely changes, and a bunch of theme and plugin-dependent stuff stops working. The Health Check plugin solves that problem by deactivating plugins and switching themes just for me – site visitors continue to see the normal, functioning site. I can selectively turn on specific plugins and my usual theme as I troubleshoot.
  • On the PHP Information tab – lots more detailed data.
  • I especially love the Tools tab. I can verify the integrity of all WP core files – an important step in my periodic maintenance to be confident I have not been hacked. I can also verify that wp-mail is working.

Reminder – backup your site before installing and using this plugin. It works perfectly for me but has broken some sites.

Manual or auto WP install?

The best approach to installing WP is a surprisingly testy topic. Manual or auto WP install? WP purists espouse the manual method using the Famous 5-Minute Installation. Dunderheads like myself much prefer the automatic install script provided by web hosts.

Manual or auto WP install

I’ve done the 5-minute install several times, and it works great. Never have I done it in 5 minutes though, so the name is a bit misleading. First time, proceeding nervously and with excess caution, took about an hour. Once I had gone through it a couple of times, it took me about 10 minutes. I’m sure if I practiced enough I could get it down to 5 minutes, but if I’m having to install WP often enough to get that much practice something is horribly wrong.

Once I discovered the Softaculous auto-installer, provided in cPanel by every web host I’ve used in recent years, I never went back to manual. Softaculous makes WP installation quick and easy-breezy, and offers bonuses like auto-updating and auto-backups. It also makes deleting my entire WP site easy-breezy, in case I really horribly mess up my site and have to reinstall from backup (yes, it has happened several times).

The Softaculous WP install does have a few potential gotchas though, and is worth a bit of discussion. In cPanel, I click around until I find the Softaculous WP install icon.

Softaculous WP install icon

I click on the attractive blue circle W, and off I go.  On the Overview screen, I click Install Now to get the Software Setup screen. Here’s where the potential gotchas start. The first choice is Protocol. If I have already setup SSL, I choose ‘https://’, otherwise I choose ‘http://’ (I can always change it if I install SSL later). I could also choose ‘https://www.’, but I have never understood the point of the ‘www’ – just more letters to type.

Next, I choose the installation directory. The default choice is ‘wp’, but I typically want to install in the root, so I delete ‘wp’ leave this blank.

Next come the Site Settings. I type in my preferred Site Name and Site Description, but I don’t need to ponder over these as they are easy-breezy to change later. I never select ‘Enable Multisite (WPMU)’ because it scares me.

Next is setup for my Admin Account, and first up is the Biggest Gotcha Of All – Admin Username by default is inexplicably set to ‘admin’! *** CHANGE IT ***.  Hackers love that WP installs with this default admin username, and bots pound constantly on WP login pages using ‘admin’ and guessing at the password. My admin username need not be complex like my password, it just needs to be non-obvious and most especially NOT ‘admin’.

Never use 'admin' username or 'password' password.

Never, ever do this

Next is Admin Password. This I need to choose carefully. It needs to be something that I can remember (or else I need a secure way to remind myself) and impossible for someone else to guess. Google can find lots of advice on how to choose a secure password.

Next I can choose a Language (English for me) and Plugins (nope, easy to install later). Even though I choose no plugins, WP will inexplicably install Hello Dolly, which I always delete, and Akismet, which I might delete or keep depending on the nature of the planned site.

And finally, Advanced Options, rolled up by default. I always expand it as these are my favorite features of the Softaculous auto-install. First are the Database Name and Table Prefix. These can be short and simple but should be non-obvious – i.e. not ‘wp’ and ‘wp_’ (though I wouldn’t worry too much about this).

Next, I select to Auto Upgrade core, themes, and plugins. I also enable auto-upgrade in my custom plugin, so Softaculous provides welcome redundancy to the critical task of keeping my site up-to-date.

Next, backups. For me, monthly automatic backups, keeping the most recent three, seems about right. I do my own backups and keep a copy off my site, so again Softaculous provides much-appreciated, last-resort redundancy to this critical contingency measure. I can never be too rich, too charming, or have too many backups.

Next I have the choice to email myself installation details, and that’s it. I click Install, and if all goes as planned I am rewarded with: “Congratulations, the software was installed successfully”. Yea me.

Optimizing the WP Database

Optimizing the WP databaseEvery time I edit a post or page, WP keeps a copy of the old version in my database. It is a great feature, handy when I mess up and need to revert to the previous version. But once my post or page is final, I have no use for the prior revisions. By default, WP keeps all the old versions, forever, and they can add up over time. I recently checked one of my sites and was surprised to find 3,566 useless old pages cluttering up my database. A large, cluttered database slows my site, as the server takes longer to retrieve information.

I should always make sure I have an up-to-date backup of my site. This is especially true before doing any database maintenance. I never know when something could go horribly wrong.

To clean out old posts and pages, as well as other database clutter, I can use a popular free plugin called WP-Optimize. Once all the clutter is removed, WP-Optimize can defragment/compact the database tables for optimum efficiency. Since my site is on a LiteSpeed server I could also use similar functionality provided by the excellent LiteSpeed Cache plugin.

I can limit the number of future page and post revisions that are saved by adding a line to wp-config.php. In my case, I save the latest two revisions: define('WP_POST_REVISIONS', 2);

Update (2018-07-18):  Another cause of database clutter is deleted plugins. A well-behaved plugin should clean up after itself – giving me the option of removing all its data from my database when I delete it. Many plugins are not so polite. Deleting the plugin removes only the files, leaving now-useless database tables behind. A tool that can help with this is Plugins Garbage Collector. After making sure I have an up-to-date DB backup, I can run PGC to search my DB for tables left behind by deleted plugins, then remove those tables.

Uptime Monitoring

keep track of uptime in practiceWP hosting providers, even at the low end, almost universally claim ninety-nine-point-something percent uptime. I want to keep track of uptime in practice, not just claimed or ‘guaranteed’. I use both of the most widely recommended free uptime monitors – Uptime Robot and StatusCake. Both are easy – though somewhat different – to set up, and both offer a free tier. By using both, I hope to catch transient downtime that one or the other may miss. On the free tier Uptime checks my sites every five minutes and StatusCake – well, they don’t really say, just a “Slower interval rate” than the one minute interval of the lowest cost paid plan. Both monitor from multiple locations across the globe. And both will happily take my money if I opt for a more robust paid plan.

Down for Maintenance Page

temporary Down for Maintenance pageIf my site crashes, or I have to take it offline for maintenance, I want to redirect all traffic to a temporary ‘Down for Maintenance’ page. And I want to get the page up quickly, so my visitors are greeted by a relatively friendly page, not just an error. It seems a good practice to be proactive and create a simple ‘Down for Maintenance’ html page and htaccess file to redirect traffic, so that both are ready to deploy in a jiffy when needed.

There are various ways to achieve a ‘Down for Maintenance’ page. Perishable Press offers good advice on one approach. Another approach – one that I prefer – is to create a custom 403 error page. All visitors that are denied access to the site will be redirected to the 403 page. I can deny access to all IPs except my current IP, so that I can work on the site to fix it. Fortunately I can easily find my current IP address just by asking Google.

Google IP address lookup

I place the following code placed in my site’s root htaccess file:

# htaccess for Maintenance Mode
# –
# BEGIN Maintenance Mode
# *** Remember to: Pause CloudFlare; Enter allowed IP address(es) ***
# –
# Point 403 errors to Maintenance page
ErrorDocument 403 /maintenance.html
# –
# Block all IPs except for me
Order deny,allow
Deny from all
Allow from
# –
# END Maintenance Mode

My maintenance page is …

<title>Maintenance Mode | a WP Point of View</title>
<p style=”text-align: center; font-size: 2em; font-family: Verdana, Arial, Helvetica, sans-serif;”>a WordPress Point of View </p>
<p style=”text-align: center; color: #000080; font-size: 1.5em; font-family: Verdana, Arial, Helvetica, sans-serif;”> has been temporarily taken offline for maintenance</p>
<p style=”text-align: center; font-size: 1.2em; font-family: Verdana, Arial, Helvetica, sans-serif;”>Something broke. I am working to fix it.</p>
<p style=”text-align: center; font-size: 1.2em; font-family: Verdana, Arial, Helvetica, sans-serif;”>Sorry for the inconvenience. Please try again later.</p>
<p style=”text-align: center;”><img src=”wppov-logo.png”></p>

Automatic updating WP, themes, and plugins

The vast majority of hacked WordPress sites were compromised due to outdated plugins, themes, or WP core. I need to keep my site updated. But should I update manually, or automatically? If I choose automatic, updates will be more timely but there is always a small chance that an update will break something. If I update manually, I can make a full site backup first, and restore if anything breaks – but I am at more risk of a hack occurring in between my manual updates.

Automatic updating WP, themes, and plugins

I had always kept my WP, themes, and plugins up to date manually, as a item on my monthly maintenance checklist. After the WP REST API exploit debacle, I decided to switch to automatic updating. I now auto-update everything – major and minor core releases as well as plugins and themes. I am choosing better hack protection over oops-the-update-broke-my-site risk.

Configuring auto-updates is easy-breezy. I just add the following to my child theme functions.php file, or better yet to my custom plugin.

// Automate updates for WordPress core
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Automate updates for themes and plugins
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );

I have to keep in mind that ‘automatic’ does not mean instantaneous. PHP is not a continuously running process, something like a page load has to trigger it. And since my pages are globally cached for blazing site speed, I can never be sure when a trigger will happen. In practice though, even my low-traffic sites are staying updated much more timely than with my previous manual method.

Update: Explicitly setting automatic updates for minor core releases (i.e. maintenance and security releases) may seem redundant. This is default behavior since WP 3.7. However, WP 4.3 broke this feature, and most sites that were upgraded to 4.3 could not auto-update to 4.4. With the explicit setting in my custom plugin, my sites auto-updated to WP 4.4 just fine. Sometimes redundancy can be a good thing.

Maintenance Checklist

WP maintenance checklistI use a checklist to remind myself of the various tasks to perform during periodic WP site maintenance. For me monthly seems about right for these tasks. A very active site would benefit from more frequent maintenance.

  1. From my website: Send a test email from my Contact form
  2. From my Admin Dashboard:
    1. Backup the site.  I use UpdraftPlus, set to auto-backup once per month to Google Drive.
    2. Update WP, Themes, and Plugins if updates are available, and if auto-update did not already take place.
  3. In cPanel:
    1. Run the virus scanner
    2. Check resource use
    3. Check the error log
  4. Check for broken links using
  5. Check for malware using the free online services sucuri sitecheck and quttera
  6. For trend analysis:
    1. Check and record pingdom site speed test results
    2. Check and record number of pageviews in the last 30 days, using Google Analytics

Additional annual tasks (I do these around my birthday each year):

  1. Optimize the database (LiteSpeed Cache plugin includes this functionality. The very popular WP-Optimize works great too.)
  2. Update authentication keys and salts
  3. Change all my passwords associated with the site.
  4. If any plugin has not been updated for about 18 months or more, look for a replacement

Keys and Salts

change my WP keys and saltsWordPress uses a cookie to keep track of my login state. While the technical details are a bit out of my comfort zone, if an attacker gets his or her hands on or forges my admin authentication cookie, he or she could take over my admin role and cause a great deal of mischief.

I can easily make my authentication cookie much more secure using keys and salts stored in my wp-config.php file. Google can easily find details and instructions in a number of articles, including All You Need To Know On the WordPress Unique Authentication Keys and Salts.

It seems a reasonable security precaution to change my WP keys and salts periodically – annually seems about right for me. I just need to remember that doing so will cause anyone logged into my site to get booted out and have to log in again.

Update: I stumpled onto the excellent Salt Shaker plugin. It updates WP security keys and salts automatically, every month. I could also choose every week or every day, but that seems like overkill. I now use Salt Shaker on all my WP sites.

WP Backups

#1 most important WP security and maintenance practiceMy #1 most important WP security and maintenance practice: Always have an up-to-date backup, stored off my site. If I irreparably mess up my site, or it gets hacked in spite of my precautions, I can delete everything and restore from backup. If my host provider doesn’t love me anymore and locks me out, or goes bankrupt and disappears, I can restore to a new host provider.

My ideal backup method would be free, easy, and automated. It would produce backups that are lean, auto-saved on Google Drive or similar free cloud storage, and easy to restore. Unfortunately I have yet to find an ideal solution. Methods I have used are summarized in the following table.

Free Auto Easy
Lean Cloud
Manual X  Manual
Softaculous X X X  Manual X
WP Clone X X X  Manual X
BackWPup X X X Auto but limited
Update: UpdraftPlus X X X X Auto X

WP can be backed up manually. Doing so involves separate processes to backup the files and the database. The database backup can seem a bit daunting, and easier methods are readily available.

The WP backup solution provided by Softaculous offers some advantages. It is built into my host provider cPanel, so no need for a plugin. It is automated and easy to use. On the other hand the backup files are bulky, and stored by default in my site file structure. This creates a single point of failure – if my server crashes or my host provider locks me out, I lose both my site and the backups. I have to manually move the backups to local or cloud storage.

WP Clone has saved my bacon more than once. It is easy to use. It produces lean backups because it does not include the core WP files, which are very easy to reinstall. It is intended as a tool to migrate WP – not for regular backups. It works so well for me that I use it for regular backups anyway. Disadvantages: According to the plugin provider, it “fails in 10-20% of installations”; It requires manual action, it cannot be scheduled; Like Softaculous it stores backup files in my site file structure – I have to manually move them to cloud storage.

BackWPup is probably the best free backup solution for most WP users. (Or maybe not. See updates below.) It is free, automated, and easy for backups. It can save backup files automatically to a limited selection of cloud storage providers. Disadvantages: Backup files are bulky; As of the date of this post it offers no restore capability – restores are manual; Cloud storage choices in the free version do not include Google Drive.

I use WP Clone as my primary backup tool. It works for me, in spite of the need for manual actions. I love that it produces lean backups and makes it easy for me to restore to a new host, even a new domain name if necessary.

I use Softaculous as a secondary backup. If I need to restore and my WP Clone backup fails, I have a Softaculous backup as plan B.

I am keeping an eye out for a free, fully automated, cloud storage WP backup solution. Haven’t found one yet.

Update 2018-02-27: I recently migrated all of my sites to an MDDHosting reseller account. WP Clone did the job, but not perfectly. On my largest site WP Clone left most of the image gallery behind, several sites had numerous broken urls, and – curiously – anyplace a post used a percent sign (%) it was replaced by a long string of nonsense text. Fortunately the image gallery was easy to migrate manually, and the Better Search Replace plugin made short work of the other problems. Still, I was I little disappointed in WP Clone and may look again at other solutions in the future.

Update 2018-04-26: I finally made time to circle back and re-evaluate backup solutions. Yikes – there have been two major WP releases and umpteen minor releases since WP Clone was last updated. Not good. I switched to UpdraftPlus – I’m not sure why I didn’t include it in my original eval – it must have somehow slipped under my radar.  It is free (a few nice-to-have features are limited to the premium version, but the free version has all the essentials). It allows for scheduled auto-backups to Google Drive and many other storage choices.

Update 2018-06-03: UpdraftPlus is working great but I discovered a few quirks. The free version seems to be intended for a single site. Backing up multiple sites – ten in my case – to a single Google drive requires a bit of finagling.  UpdraftPlus will happily back up multiple sites to a single location, but will not keep track of which backup belongs to which site. So, on each site, I have to set the “retain this many scheduled backups” to the total number of backups – for example 3 backups x 10 sites = 30. I also have to make sure that each site backs up on a different day of the month, so that I can distinguish among the backup files when it comes time to restore. Perfectly understandable that the good people behind UndraftPlus would reserve multi-site convenience for the premium (i.e. paid) version. And the free versions still works great for me – just requires a little more logistics on my part. UpdraftPlus retains my high recommendation.