Best Practices in WordPress Development


If we think about how to do something in the easiest way that still gives an efficient result, that approach slowly becomes a best practice in the long run. So think about WordPress. WordPress is an online, open source website creation tool written in PHP. In non-geek speak, it’s probably the easiest and most powerful blogging and website content management system (or CMS) in existence today.

Managing Your Site Content
Managing and updating content is pretty easy with WordPress: it is a content management system after all. But WordPress won’t do the hard work for you: you have to create your content, share it with a wide audience and engage with the people who are reading it and commenting on it. By doing these things you’ll create a site which encourages people to come back regularly and which gets found by search engines.
The three main areas you need to think about are:

  • Publishing regularly
  • Sharing content
  • Managing subscribers and comments

Publishing to Your Site Regularly
In the early days of working on your site, the chances are you’ll have lots of adrenalin and write new content fairly frequently. As time passes you’ll get distracted by other things, you’ll lose your enthusiasm and start publishing less and less frequently. In time you may stop publishing altogether.

If you want people to keep visiting your site and the search engines to keep finding it, this can’t happen. So you need to define a publishing schedule that you can stick to from the outset. If you’ve got loads of ideas at the beginning, by all means, start working on them, but don’t publish them yet: save them as drafts or in note form and publish them at a later date when you haven’t got so many ideas or so much time.


WordPress lets you schedule your posts in the future.
Here are some tips for creating and sticking to a regular publishing schedule:

  • Identify how frequently your site visitors will expect you to post new content. This will depend on your site and your audience and is likely to be higher if you want to make money from the site.
  • Be honest with yourself: can you realistically write, edit and publish content at this pace? If you can’t do it yourself, you may need to rethink your plans or hire other people to help you.
  • Create a publishing schedule with details of when you’ll publish and what type of content you’ll publish when: for example, you might post different types of posts on different days of the week.
  • As you come up with ideas, allocate them to dates in the future. Give yourself a reasonable amount of time before publication to allow time for writing, editing and creating or sourcing assets.
  • Take time to edit your posts. After drafting something, don’t hit ‘Publish’. Save it as a draft and then come back to it another day to make edits, or (even better) ask someone else to.
  • If you’re not going to be around on the days when you normally publish content, use the WordPress scheduling feature. In the publishing pane, you can select a future date for publication and then hit ‘Schedule’. WordPress will automatically publish the post for you when you tell it to.

Spreading the Word
Once you’ve got content, you need to tell people about it. Even established sites with audiences in the millions adopt strategies to let people know what they’re publishing. You’ve got a few tools available to help you with this:

  • Subscription – If you can entice people to subscribe to your site (maybe with a freebie such as a free e-book or report), then you have a captive audience. You can use plugins like MailPoet or our Subscribe by Email to automatically notify your subscribers when you post new content or to send them a daily or weekly digest of new posts.
  • RSS Feeds – WordPress will automatically create an RSS feed for you, but you can make things easier for your readers by using a widget to help them subscribe to it.
  • Social media – If your content is public, then social media really is the best way to raise awareness of it. But don’t go hammering all the social media platforms: you’ll spend way too much time on it and you’ll get diminishing returns. Identify what social media platforms your target audience use and build your presence on those. Identify when your audience is on social media and make sure you post at those times. A tool like Hootsuite can help you with scheduling posts.
  • Social media plugins – Plugins like Ultimate Facebook, WP to Twitter and Add Link to Facebook will help you automatically post new content to your social media accounts when you publish it on your blog. Plugins like Ultimate Facebook and ShareThis will also encourage your readers to share your content via their own social media accounts, too.

For details of some great plugins that will help you share your content, see my post on 16 plugins to help you communicate with your users.

Managing Comments
As well as engaging with your readers on social media, you’ll need to consider whether and how you’re going to use comments to let your readers voice their opinions and ask questions – and how you’ll respond.
You don’t have to enable comments; on some sites it may not be necessary, but if you’re launching a blog or community site it will help your readers feel that you care about what they think, give you a chance to understand what they think of your content, and make it more likely that they’ll keep coming back.
Here are some questions you might ask yourself:

  • Will you allow anyone to post comments, or will you approve them first?
  • If someone has already had a comment approved, will you let them comment without you having to approve in future?
  • Will people have to sign in to comment?
  • Will you use a third party tool to manage comments, or let readers use their social media accounts?
  • How often will you read comments?
  • To what sort of comments will you reply? Will you reply to everyone or have a set of criteria?

The first thing you’ll need to do is configure your discussion settings in the admin screens. In Settings -> Discussion, choose the options that work best for your site, and remember that if you turn comments off, this will only apply to new posts, so you’ll need to either manually turn discussion off in your old posts or use a plugin like Disable Comments.
In the Discussion settings screen, you can define whether comments are allowed, whether users need to be logged in to comment, whether you’ll moderate comments before they’re published, and whether you’ll allow people who’ve posted comments before to post again without moderation:


Once you’ve done this, you need to manage comments and respond to them. It can be easy to get sucked into replying to comments the instant you’re emailed with a notification, which can impact on your productivity elsewhere.
We recommend identifying a time of day (or maybe a day of the week if you don’t get a lot of comments to start with) when you review comments and respond to them.
Here are a few tips:

  • Make sure you enable the Akismet plugin, bundled with WordPress, to clear out comment spam. It will save you a lot of work.
  • Sometimes another reader will reply to a commenter answering their question or starting a discussion. This is great! It means your site is sparking off discussion among your community of readers. If you wait a while before replying to comments yourself, this is more likely, but don’t forget to post a comment at some point or people will think you’re ignoring them.
  • Beware of comments that say your post is the best thing since sliced bread but don’t add anything specific. These are often spam – if you publish them thinking it’ll make your site look good, it might actually make you look a bit needy and gullible.
  • If people do post positive and specific comments, publish them as soon as possible and reply with a thank you and an answer to any questions.
  • You may well get comments disagreeing with your viewpoint or advice. This is very healthy as it encourages debate and will get more people commenting. Respond to these comments but don’t be tempted to get defensive: your views are just as valid as those of your readers.
  • If people (correctly) point out errors in your content, thank them and make corrections. I’m talking about factual errors here, not differences of opinion!
  • If people post defamatory, obscene or libellous comments, don’t publish them – they aren’t part of healthy debate. Mark them as spam and Akismet will spam that commenter’s comments in the future, or simply delete them if you don’t want to be so strict.

I’ve seen blogs that generate thousands of comments on posts, many of which are very repetitive (‘I love your ideas on X and Y! Awesome!’). Welcome these but don’t feel you need to reply to each one individually. Time spent on writing new content will benefit your readers much more than time spent on replying to endless comments.

Managing Your Site’s Code
Of course none of your content will be displayed in your visitors’ browsers without some code. The code powering your site comes from three sources:

  • WordPress itself
  • Your theme
  • Plugins you use

You need to make sure that the code from these three sources is up to date and free of any potential problems such as spammy links, security risks and conflicts. The most important thing you can do to avoid this is to keep everything up to date but there’s more to it than that.

Keeping your version of WordPress and your plugins and themes up to date will help keep your site running smoothly and reduce any security risks.

Keeping WordPress Up-to-Date
WordPress updates are released for very different reasons, but they’ll normally include one or more of the following:

  • Bug fixes
  • Security patches
  • Enhancements.

The major releases (such as 4.1) tend to be focused on enhancements but they’ll probably include some bug fixes as well. The interim releases (such as 4.0.1) are normally focused on fixing bugs or making security patches.
We’ve been creating and supporting client websites for five years now and in that time almost every time a site has been hacked it’s because it hasn’t been running the latest version of WordPress. On just one occasion it was because the server was hacked, and on another it was because a client was running an insecure theme, but every other time it’s because people have exploited vulnerabilities in an old version of WordPress. Security patches are released very quickly after a problem is identified, and made very public, which means that the bad guys will know about the vulnerability too. So keep your version of WordPress up-to-date!

While WordPress will automatically update to the latest minor version, major versions need to be updated manually so be sure to check your WordPress installs whenever a new major release has been shipped.

Keeping Themes and Plugins Up-to-Date
The same goes for your themes and plugins: if they’re updated, it will be for one of four reasons:

  • Feature enhancements
  • Bug fixes
  • Security patches
  • Compatibility with the latest version of WordPress.

In the Dashboard, you can easily see if you have any themes or plugins that need updating. And you can update them all by going to the Updates screen:


You might want to test the updates on a local copy of your site before updating everything on your live site. While a well-written theme or plugin shouldn’t break your site, occasionally it does happen and you don’t want that to be visible to your visitors.
To make a local copy of your site, you can use a plugin like Snapshot to back up your site and then install it on your local machine. There’s more advice on running WordPress locally in the WordPress Codex.

Creating a High-Performing Site
A high performing site will generate significant amounts of traffic and increase the number of visitors over time. It will attract new visitors and encourage people to return, and it will have a low bounce rate.
Your site will have its own specific objectives: it’s important to know what those are from the outset as it will influence your site design, UI and content.

To maximize your site performance you need to know what your objectives are and find a way to measure the site against those objectives. You’ll also need to identify and use tools which will help your site to meet its objectives. The main areas you’ll probably want to consider are:

  • SEO to attract more visitors
  • Conversion optimization to get more sales or encourage more people to contact you
  • In-site activity tracking so you can minimize bounce rates
  • Analytics to help you track visitors, conversions, bounce rates and more
  • Optimizing your site for all of the platforms your visitors use, including mobile and touch devices as well as desktop PCs.

Secure Site Management and Administration
There are some simple steps you and other users can take when managing your site to make it more secure:

  • Update WordPress each time a new version is released. This is the single most important step you can take to improve security. New releases will have security patches addressing backdoors which hackers are aware of and have been using to attack sites – so by installing the update, you close the back door.
  • Only download WordPress updates from the official WordPress site. There’s absolutely no reason to download it from anywhere else.
  • Only download plugins and themes from trusted sources. The official plugin and theme repositories are the only places I would consider downloading free themes or plugins. If you’re buying premium themes and plugins, make sure they have a GPL license and that they come recommended by other developers. It’s also wise to inspect the code before activating them.
  • Use SFTP instead of FTP when uploading and downloading or editing site files.
  • Use strong passwords, and encourage other users to do the same. Even better, force them to do it with a plugin like Force Strong Passwords. You can try using a strong password generator if you can’t think of your own!

Secure WordPress Configuration
There are a number of steps you can take when configuring your site to make things more secure, and you’ll find a lot of detail on the Codex guide to hardening WordPress.


As we say, don’t use the keys in the example above: yours need to be unique. You can use the security key generator on the WordPress site to generate your own, and then you’ll need to paste them into your wp-config.php file.
Another option you’ll want to consider, especially if your site is a Multisite installation with lots of people creating their own subsites, or if you’re running an e-commerce site, is using SSL. This will give your domain https at the beginning instead of http and will encrypt the traffic (URLs included) so it is sent securely between the browser and the server. It could also give you an SEO advantage in the future, as Google has stated that it may favor sites which use SSL. See this guide for instructions on how to set up SSL.

Locking Down Parts of Your Site
You can also try locking down parts of your site or restricting access, including the examples below:

  • Restrict access by IP address. In your .htaccess file, you can specify IP addresses from which users are permitted to edit the site. This may not be ideal for a client site or one with multiple contributors (users may want to access the site from another IP address while traveling) but will make your own site very secure. To do this, add the following to your .htaccess file, replacing with your IP address:
  • Password-protect the wp-admin directory. You can add a server-side password to the wp-admin directory using cPanel, and it adds an additional layer of security to this directory, meaning any hacker that manages to get in via a username and password will also have to get through this password (which you will, of course, make very strong).
  • Disallow file editing via the dashboard. This can also help prevent problems due to user error – editing files via the dashboard is not good practice anyway compared to using a text editor with FTP, as there are no means of undoing changes. To disallow file editing in this way, add the following to .htaccess:


Security by Obscurity
The concept of ‘security by obscurity’ means that you’re not actually making your site more secure, but you are making it vary from a standard WordPress installation which might prevent access via automated hacks or really stupid hackers! You shouldn’t rely on the measures below but they can’t do any harm:

  • Don’t use default usernames. If an account with the admin username is created when you install WordPress, remove it. Create an administrator account with a unique username instead. This will protect you from opportunistic hackers looking for a backdoor via the admin account.
  • Change the WordPress table prefix. By default this is wp_, but you can change it while installing WordPress by changing the $table_prefix value in your wp-config.php file.
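The wp-config.php and .htaccess edits described in the last three sections (unique keys and salts, SSL, restricting the login page by IP address, disallowing file editing, and changing the table prefix) are collected below in a small POSIX sh helper. This is an added example and not code from the original post: the key generator is a local stand-in for the WordPress.org secret-key generator, the .htaccess fragment uses Apache 2.4 `Require ip` syntax, and the file paths and addresses in the usage comments are assumptions. `DISALLOW_FILE_EDIT` and `FORCE_SSL_ADMIN` are constants WordPress reads from wp-config.php, so the helper writes them there, before the "stop editing" marker.

```shell
#!/bin/sh
# Added example, not code from the original post: a small POSIX sh helper for
# the wp-config.php and .htaccess edits discussed above. Paths and sample
# addresses are assumptions; the key generator is a local stand-in for the
# WordPress.org secret-key service.
set -eu

# The eight key/salt constants WordPress reads from wp-config.php.
WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one random 64-character key from /dev/urandom. The character set has
# no quotes or backslashes, so the key can sit in a PHP single-quoted string.
wp_random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9_!@#%^*+=-' </dev/urandom | head -c 64
    echo
}

# Print fresh define() lines for all eight constants; paste the output over
# the placeholder keys in wp-config.php.
wp_salt_defines() {
    for name in $WP_SALT_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(wp_random_key)"
    done
}

# Insert hardening constants before the "stop editing" marker of wp-config.php.
# Constants the file already defines are skipped, so re-running is harmless.
# If the marker is missing the lines are appended at the end of the file.
wp_config_harden() {
    cfg=$1
    block=""
    for def in "define('DISALLOW_FILE_EDIT', true);" \
               "define('FORCE_SSL_ADMIN', true);"; do
        name=${def#*\'}; name=${name%%\'*}          # e.g. DISALLOW_FILE_EDIT
        if ! grep -q "define( *'$name'" "$cfg"; then
            block="$block$def\\n"                    # awk -v turns \n into newlines
        fi
    done
    [ -n "$block" ] || return 0
    awk -v add="$block" '
        /stop editing/ && !seen { printf "%s", add; seen = 1 }
        { print }
        END { if (!seen) printf "%s", add }' "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Change the $table_prefix value in wp-config.php. Only letters, digits and
# underscores are accepted. Do this on a fresh install: on an existing site
# the database tables themselves would also have to be renamed.
wp_config_set_prefix() {
    cfg=$1; prefix=$2
    case $prefix in
        ""|*[!A-Za-z0-9_]*) echo "invalid table prefix: $prefix" >&2; return 1 ;;
    esac
    sed "s/^[\$]table_prefix *= *'[^']*';/\$table_prefix = '$prefix';/" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Print an Apache 2.4 .htaccess fragment that limits the login page to the
# given addresses or CIDR ranges; everyone else gets 403. The same "Require ip"
# line in wp-admin/.htaccess covers the dashboard, but it then also blocks
# wp-admin/admin-ajax.php, which some front-end plugins rely on.
wp_htaccess_allowlist() {
    [ $# -gt 0 ] || { echo "usage: wp_htaccess_allowlist IP [IP...]" >&2; return 1; }
    printf '<Files "wp-login.php">\n    Require ip'
    for ip in "$@"; do printf ' %s' "$ip"; done
    printf '\n</Files>\n'
}

# Usage (paths and addresses are assumptions for this example):
#   wp_salt_defines                                   # paste over the placeholder keys
#   wp_config_harden /var/www/html/wp-config.php
#   wp_config_set_prefix /var/www/html/wp-config.php kx9_
#   wp_htaccess_allowlist 203.0.113.5 198.51.100.0/24 >> /var/www/html/.htaccess
```

Run the functions against a copy of wp-config.php first and diff the result; `wp_config_harden` only ever inserts lines above the marker and leaves existing defines alone, so a second run produces no change.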

Monitoring Site Security
However secure you make your site, it’s always worth monitoring it so you know if you’ve been attacked and can take action as quickly as possible. There are tools and services you can use to help with this, which range on cost depending on the nature of your site and the level of service:

  • Your hosting company will probably offer levels of service which can monitor your site or fix it if things go wrong, such as a managed hosting account. Some providers offer managed hosting specifically geared towards WordPress sites.
  • Sucuri offer a free security checking tool on their website but if you want automatic updates and fixes you can try their WordPress security monitoring service.
  • The Sucuri security plugin is free and will help you monitor your own site security if you don’t want to pay for a higher level of service.

For more on securing your site, see our ultimate guide to WordPress security.

As you can see from the number of topics covered in this post, managing your site isn’t as simple as launching it and then sitting back and waiting for visitors to come.
For your site to be successful, you’ll need to manage it on an ongoing basis. Exactly what you need to do will depend on the nature of your site, its objectives, and its user base, but you will probably need to consider some or all of the following:

  • Creating content, making people aware of it and engaging with readers.
  • Keeping your code up to date and sourcing plugins and themes from secure and reputable sources.
  • Monitoring and managing your site’s performance to enhance reliability and speed.
  • Enhancing search engine optimization to attract more visitors and conversion optimization to make sure their visit to your site is valuable.
  • Setting up regular automated backups and knowing what to do in case you need to use them to restore your site.
  • Enhancing your site’s security and monitoring it to check for attacks.

None of this is particularly difficult, but it can be a lot of work, and the amount of time you put in will depend on what you want to get from your site. But if you do it well, you’ll have a high performing, secure site that engages effectively with its audience and achieves its objectives, whatever those may be.

For more information about best practices for WordPress development, please drop an email to
