How to Keep Your WordPress Website Updated and Secure

Whether you are a small business owner, or have a personal website, you need to keep your website secure and up to date. In this blog post we will be talking specifically about how to keep your WordPress website updated and secure.

Other website builders (e.g. Squarespace and Wix) carry out some (but not all!) of these tasks on your behalf. Get in touch if you’d like to know more about your specific website builder.

Website Updates and Maintenance

It’s very important to keep your website up to date.

The WordPress installation itself, your Themes and your Plugins will all issue regular updates to:
– fix bugs
– fix security issues
– make improvements


You can update your WordPress installation, themes and plugins via UPDATES.

Your WordPress installation may be set to update automatically by the hosting company, but you can re-install if needed.

Plugin Updates

For plugin updates, you can go directly to PLUGINS | Installed Plugins.

You can set some plugins to auto-update, and this can be a good idea for your core plugins.

Theme Updates

For theme updates, you can go directly to THEMES, found under Appearance.

You should check for updates every time you log in, or at least once a week.


Inactive/unused/old Plugins

Leveraging vulnerabilities in outdated plugins is a common route into your website for hackers. It is good practice to review your plugins regularly and:
– DELETE unused plugins
– REVIEW website needs to make sure you still need all the plugins you have
– DELETE old plugins (that haven’t been updated recently) and REPLACE with newer, more up-to-date plugins

Plugin Health Checks

You can check all of your installed plugins to make sure that they are being updated regularly and that they are compatible with your version of WordPress (note that it can take a few days for plugins to catch up with a new version of WordPress!).

Click on VIEW DETAILS. Make sure it was updated recently, not two years ago! Make sure it’s compatible with your version of WordPress (or at least the version before). See how many active installs there are. Check the average rating.

You want regularly updated, compatible plugins, that are well-tested, and liked, by others!
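
The plugin review and health check described above can also be run as a script over a plugin inventory. This is an added example, not part of the original post: the plugin entries are constructed, the field names and the 0-100 rating scale are assumptions, and so are the thresholds (365 days, 1,000 installs, rating 80).

```python
from datetime import date

# Constructed sample inventory (not real plugins). Field names mirror what the
# VIEW DETAILS panel shows; names, rating scale and thresholds are assumptions.
SAMPLE_PLUGINS = [
    {"slug": "example-forms", "active": True, "last_updated": "2023-05-02",
     "tested": "6.2", "active_installs": 200000, "rating": 92},
    {"slug": "example-slider", "active": True, "last_updated": "2021-01-15",
     "tested": "5.6", "active_installs": 4000, "rating": 70},
    {"slug": "example-gallery", "active": False, "last_updated": "2023-04-20",
     "tested": "6.1", "active_installs": 30000, "rating": 88},
    {"slug": "example-seo", "active": True, "last_updated": "2023-03-30",
     "tested": "6.1.1", "active_installs": 500, "rating": 96},
]


def release_index(version):
    """Map '6.1.1' to 61; WordPress feature releases run x.0 to x.9."""
    parts = version.split(".")
    minor = int(parts[1]) if len(parts) > 1 else 0
    return int(parts[0]) * 10 + minor


def review_plugin(plugin, wp_version, today, max_age_days=365,
                  min_installs=1000, min_rating=80):
    """Return the findings for one plugin; an empty list means healthy."""
    findings = []
    if not plugin["active"]:
        findings.append("inactive: delete if no longer needed")
    age = (today - date.fromisoformat(plugin["last_updated"])).days
    if age > max_age_days:
        findings.append(f"stale: last updated {age} days ago")
    # Compatible = tested with the site's release or the one before it.
    if release_index(plugin["tested"]) < release_index(wp_version) - 1:
        findings.append(f"not tested with WordPress {wp_version}")
    if plugin["active_installs"] < min_installs:
        findings.append("few active installs")
    if plugin["rating"] < min_rating:
        findings.append("low average rating")
    return findings


def review_all(plugins, wp_version, today):
    return {p["slug"]: review_plugin(p, wp_version, today) for p in plugins}


if __name__ == "__main__":
    report = review_all(SAMPLE_PLUGINS, "6.2", date(2023, 6, 1))
    for slug, findings in report.items():
        print(slug, "->", findings or "OK")
```

Any plugin with a non-empty findings list is a candidate for the DELETE, REVIEW or REPLACE steps listed earlier.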

Inactive/unused/old Themes

Leveraging vulnerabilities in out-of-date themes is also a common route into your website for hackers.
– KEEP one additional theme – the latest default WordPress theme is a good option for this (right now, that is Twenty Twenty-Three)
– DELETE all other unused themes

Site Health Check

The health check will highlight:

Deal with critical issues immediately!

Improvements are not always relevant/actionable – a quick Google search will help you determine this – or ask us!

You should review your Site Health Check status every month or so.

Website Admin and Optimization

In addition to ensuring that your site is updated and healthy, there are some specific plugins that can help you keep your site safe and tidy:

Jetpack (e.g. image loading, spam, monitoring)
Smush/Imagify (image optimization)
Updraft/Vaultpress (backups)
Wordfence/Sucuri (malware scanning and firewall)
WP Optimize (database optimization, caching)

This list is not exhaustive and your requirements will depend on your specific site needs. Some of these plugins are free, and some are paid, or have paid versions.

Image Optimization

Image size affects page loading time and user experience. You should optimize (resize, rename) your images BEFORE uploading to WordPress, using a free tool like Fotor, but you can also optimize further using a plugin to compress your images even more.

Make sure to add alt text to each image once you upload it, for accessibility (screen readers).


Your host should take regular backups of your site – check how often they do this, and if they have a one-click restore or easy rollback option. You may need to pay for this with some hosts.

It is worthwhile taking an off-site backup too, with a plugin like Updraft, so that you have your own backup in case of a problem with your host.


Your host will provide a level of malware scanning and firewall. Check what they do.

You may choose to add your own too. Wordfence is a popular option, and you can run a scan any time, and fix problems directly from the dashboard.

TAKE A BACKUP before doing anything!


Whenever you make a revision/update, or trash a post or a comment, or receive a spam comment, data is added to your database.

It is good practice to clean up your database regularly to delete the rows of data that you don’t need.
WP-Optimize is a popular option for this.

There are plenty of options to keep your site safe, backed up and secure, in addition to those provided by your host.

We can talk you through the options for free and paid solutions to help you choose the right options for YOUR site.

Contingency Planning

We have previously written a detailed post on Digital Contingency Planning for Small Businesses, but it is worth summarizing here! This is relevant to personal website owners as well as small businesses.

We will focus here on the digital considerations, and expand a little beyond just your website! 

The questions to ask yourself are: What happens if you are not available to complete a task? What happens if you, or others, are unable to login to necessary accounts? What happens if a business critical issue occurs and your details are out of date?

In the first instance, list all the accounts that you access online:

Website information includes who your domain is purchased from, and where your website is hosted. Your Email host is another important one. The same should be included for newsletters if you send those.

Financial information might include banks, loans, accounting software, payment processing, and payroll processing.

Business information might include insurance, utilities, suppliers, and subscriptions to cloud services or software. Google, Microsoft, and Dropbox are examples in this category.

Customer information could include CRM software, or cloud storage for your customer database.

It may be useful to keep an organizational password manager to store these in. This would allow the sharing of just one password when needed.

For every one of your accounts include:
– Short description about how you do business with that organization.
– Emails and phone numbers that are used for security measures.

You need to avoid a security code going to a cell phone the organization doesn’t have access to anymore!

How detailed these instructions need to be will depend on how reliant you are on these services. It will also depend on how knowledgeable your organization is. Make sure that more than one person has access to the main account information!


While it may seem intimidating and overwhelming to keep your WordPress website updated and secure, these tasks only take minutes to complete and doing them regularly ensures that your website is safe. You may think that no one would want to hack your little website, but the clients we have helped would prove otherwise. You may not realize that an out-of-date plugin that conflicts with the latest version of WordPress can bring down your whole site with a critical error, but it happens.

Keeping on top of these tasks will make sure you are in the best position to avoid these scenarios, and will help you to fix a problem should it arise.

If you have any questions about keeping your website up to date, or our terminology wasn’t clear, please use our contact form to send us a message. Thanks!
