How to Backup, Secure and Optimize WordPress

As soon as your site is up and running, the importance of backing it up and generally battening down the hatches (i.e. ensuring everything is secure) can't be overestimated! Losing data or being hacked is an absolute disaster and, worse still, may cause such lasting damage to your business that things continue to go south well after you've managed to 'fix' them. The goal of this guide is to help ensure you've not only prepared for the worst, but also optimized everything for the best possible performance: a subject we'll be returning to in a later guide.

So, you have a shiny new website, and it's likely you're working around the clock to get more visitors and clicks. Apart from regularly adding fresh content, the most important part of your job is going to be backing up, securing and optimizing your website.

The good news is that backing up and securing can be automated easily, and some parts of optimization can also be set-and-forget. In this article, we'll show you how to do this, giving you the freedom to spend more time on the parts that need the human touch, and therefore add the most value to your site.

Backing Up

Backing up your website is crucial — it's one of the best security practices, and will also give you that all-important peace of mind. During the course of a website's life, things will go wrong. Hacks are only part of the problem — hardware failures, human error and all sorts of other issues could require the use of a backup.

A WordPress website consists of four main parts:

  • The WordPress software
  • Plugins and themes
  • Content — your posts, pages, comments, etc
  • Media — your uploads

The last two items on this list are the most important ones. The WordPress software is readily available, and so are the plugins and themes (unless you're using custom-built ones), so losing these isn't a huge problem: you can just re-download them. Your content and media, however, are a different story altogether. Lose those and you've basically lost your whole website.

In the WordPress world, there's one backup tool to rule them all: VaultPress. The reason it's so powerful is that it's built by Automattic — the company behind WordPress — meaning it's always up-to-date, always compatible, and works out of the box like a charm.

Backing Up With VaultPress

VaultPress is an online service that connects to your website via a plugin. The basic service costs $9 a month (or $99 a year), while the premium service is available for $29 a month (but for almost all websites, the basic plan is just fine). I'd recommend buying a subscription, even if money's tight; if you plan on making money with your website, this is $9 you should certainly invest.

Once you have a subscription, download the VaultPress Plugin — if you're not sure how, take a look at our guide to choosing and installing plugins. Once the plugin's installed, it'll ask for your registration key, which you should have received when subscribing to the service.

The next step is to tell VaultPress how to connect to your site, which can be done by adding a new site in the VaultPress dashboard and setting up a connection.

Connecting VaultPress to your site

As you can see, you have quite a few options. FTP or SFTP will be the easiest to set up (your host can give you all the details you need to make this work), although SSH may be the best, as VaultPress will have easy access to your database and files. Don't worry if you can't set that up, though: VaultPress will figure things out over SFTP and FTP just fine. Where your host offers both, pick SFTP over plain FTP, since FTP sends the login credentials unencrypted.

Now you're done, and you can forget about backing up forever! If anything does go wrong, VaultPress can restore your website with a single click. I've only needed to do this a couple of times, but, when I did, it was a life saver.

VaultPress also gives you some stats and — more importantly — security updates. If it finds something nasty on your site during a scan, it'll let you know so you can take steps to remedy the issue.

Other Backup Systems

I actually haven't used anything else since VaultPress came out. It's one of those services that works all the time, every time. There are a number of other solutions, such as Backup Buddy (minimum $80 a year) or BackUpWordPress (free), but I've found these to be lacking when compared with VaultPress.

Securing WordPress

WordPress is an extremely secure system that's constantly updated — however, badly coded themes and plugins can put your site at risk. While you may not be able to filter these, you can do a lot to make sure your data and your website are protected if anything does go wrong.

Security Habits

The most important factors are you and your other users — for example, you could have the best security systems in place and then choose the password '1234', putting your site's security at risk. Here are some easy-to-learn habits you should get into to increase your security:

  • Keep WordPress updated
    This one's pretty important. Nowadays, security updates are rare because the system is very mature, but they do still happen from time to time. WordPress will automatically apply these in most cases, but the bottom line is this: If you see a new version notice at the top, apply the update right then and there. No ifs, no buts. It's very important to note here that some developers will ask you not to update WordPress because their plugin/theme could break — the solution to this issue is to fire the developer. A well-coded plugin won't break on a WordPress update (in fact, it's unlikely that even a badly coded one will).
  • Use strong passwords
    WordPress now has a password strength meter, and it'll force you to tick a box to acknowledge the use of a weak password. Don't use short passwords; don't use single or joined words in any language. If you must, use a tool such as 1Password or LastPass to remember passwords. It's true that this can be a pain, but ask yourself whether laziness is a good enough reason to leave a big hole in your security.
  • Don't use the admin username
    In general, don't do anything that is the 'norm'. Many people use 'admin' as their main admin account — hackers know this and will target those usernames.
  • Don't use administrator accounts for everything
    Unless you're doing something that needs admin rights, don't use an admin account. Most of your time will be spent adding content, managing users or editing content, and these can all be done with an editor-level account. Also, don't give anyone more privileges than they need: An author doesn't need to be an editor, and an editor doesn't need to be an admin.
  • Don't send or save passwords
    I know of a site that was transferred away from the owner, even though the website wasn't hacked. Someone gained access to the owner's email account where they found all the information needed to transfer the whole website, as-is, to their own hosting account. Don't keep sensitive information in your emails, and, if you receive something sensitive, use LastPass or 1Password to store it, then delete the email.
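
The username and least-privilege habits above can be checked mechanically. The following is an added example, not part of the original guide: it assumes a user export shaped like the CSV that WP-CLI's `wp user list --fields=user_login,roles --format=csv` produces, and the sample data, the `NEEDED_ROLE` map and the list of guessable names are all constructed for illustration.

```python
import csv
import io

# Built-in WordPress roles, lowest to highest privilege.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4}
GUESSABLE_LOGINS = {"admin", "administrator"}  # assumption: names treated as "the norm"

# Constructed sample, shaped like `wp user list --fields=user_login,roles --format=csv`.
SAMPLE_EXPORT = '''user_login,roles
admin,administrator
daniel,administrator
maria,editor
guest_writer,editor
'''

# Hypothetical input from the site owner: the highest role each person's job needs.
NEEDED_ROLE = {"admin": "administrator", "daniel": "editor",
               "maria": "editor", "guest_writer": "author"}


def parse_users(export_text):
    """Return {login: highest built-in role held} from the CSV export."""
    users = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        # A user can hold several roles; custom (non-built-in) roles are ignored here.
        roles = [r.strip() for r in row["roles"].split(",") if r.strip() in ROLE_RANK]
        users[row["user_login"]] = max(roles, key=ROLE_RANK.get, default="subscriber")
    return users


def audit(users, needed_role):
    """Return (login, finding) pairs for the username and privilege habits."""
    findings = []
    for login, role in sorted(users.items()):
        if login.lower() in GUESSABLE_LOGINS:
            findings.append((login, "guessable username"))
        # Accounts the owner did not list default to subscriber, so
        # unexplained privilege is always flagged.
        needed = needed_role.get(login, "subscriber")
        if ROLE_RANK[role] > ROLE_RANK[needed]:
            findings.append((login, f"has {role}, needs {needed}"))
    return findings


if __name__ == "__main__":
    for login, finding in audit(parse_users(SAMPLE_EXPORT), NEEDED_ROLE):
        print(f"{login}: {finding}")
```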

Security Plugins

Once you have some good habits going, you should secure your site against specific attacks. There are a bunch of plugins available, so choose wisely. I find that it's best to use a single feature-rich plugin instead of a bunch of small ones.

The two most popular plugins are All In One WP Security & Firewall and iThemes Security. Both offer a comprehensive list of security functionality, including:

  • detection of weak points in your security, such as the use of 'admin' as a username
  • login lockdown — the prevention of multiple failed login attempts
  • IP blocking
  • database and file security
  • firewall features.

You don't really need to know about all the intricacies involved in these plugins — just set and forget.
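
For readers who do want to see what the login lockdown feature in the list above does, here is a minimal sliding-window version. It is an added example, not code from either plugin or from the original guide; the thresholds, the event format and the sample events (using documentation IP ranges) are constructed assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3       # assumption: failures tolerated inside the window
WINDOW_SECONDS = 300   # assumption: five-minute counting window
LOCKOUT_SECONDS = 900  # assumption: fifteen-minute lockout

# Constructed login events: (unix_time, client_ip, username, password_was_correct)
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "admin", False),
    (1010, "203.0.113.7", "admin", False),
    (1020, "198.51.100.4", "maria", False),
    (1030, "203.0.113.7", "admin", False),  # third failure in the window: lock the IP
    (1040, "203.0.113.7", "admin", True),   # right password, but the IP is locked
    (1100, "198.51.100.4", "maria", True),  # one typo, then success: allowed
    (2000, "203.0.113.7", "daniel", True),  # lockout ended at 1930: allowed
]


class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.locked_until = {}              # ip -> time the lockout ends

    def attempt(self, now, ip, password_ok):
        """Return 'locked', 'allowed' or 'failed' for one login attempt."""
        if self.locked_until.get(ip, 0) > now:
            return "locked"  # rejected without looking at the password
        if password_ok:
            self.failures.pop(ip, None)  # a success resets the counter
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        # Forget failures that have aged out of the counting window.
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            recent.clear()
        return "failed"


def replay(events):
    """Feed events through a fresh LoginLockdown and return each decision."""
    guard = LoginLockdown()
    return [guard.attempt(t, ip, ok) for t, ip, _user, ok in events]
```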

Security Services

Some companies specialize in helping you secure your website. They not only offer services such as active security scanning, but also security audits and consultation. If you have a large website that's your primary source of income, this could be a great investment. Having someone on-hand to tell you what needs to be done and what you need to look out for can be invaluable in the long run.

Companies such as Sucuri and WordFence are well known and respected, and they're both safe bets.


Website optimization is an industry in itself, so I'll just mention the automatic optimization techniques that are available. We'll focus on two areas here: SEO and speed.

Search Engine Optimization

For SEO, it's best to use one of the well-known and extremely popular solutions: Yoast SEO or All In One SEO Pack.

According to most users, Yoast is the superior product. Yoast also leads SEO research, and is at the forefront of new developments, but both options are detailed and provide everything you need to increase your SEO ranking.

SEO is as much of an art as it is a science, and Yoast has a great SEO guide and an equally good SEO blog that you can use to learn all about optimization and stay ahead of the game.

Speed Optimization

Speed optimization is a large part of every website's task list; increasing website performance can directly lead to more income. There are quite a few pieces to this puzzle, and, from hosting to plugin and theme choice, they all make a difference.

Measuring Speed

In most cases, you'll want a loading time that's less than three seconds, although for certain types of website (image or video-heavy ones) it may be acceptable to go a bit over that. One of the best ways to measure your site's speed is with tools such as GTmetrix.

GTmetrix scans a specified webpage, and not only gives you the final loading time but also the components of it and what you need to do to get better results. This will help you increase the speed of your website easily — just follow the on-screen instructions.

Another well-known tool is Pingdom, but I prefer GTmetrix because its interface and package options allow you to schedule speed tests as frequently as hourly.

The Right Host

You could have the best site in the world, but things could still go south if you get hit with heavy traffic. A good host will make all the difference because it'll ensure your website stays snappy — even under high loads — and will mitigate speed issues caused by bad themes and plugins by providing a buffer.

We have a bunch of articles here at WinningWP that can help you choose the right host — take a look for more information.

Choose Plugins and Themes Wisely

Just as badly coded software makes your computer sluggish, badly coded plugins can slow your site down considerably. In general, it's a good idea to use plugins from trusted sources — look at reviews, ratings, the author of the plugin and other similar metrics to determine whether or not a plugin is worth your time.

We have a great guide on how to choose a plugin, which takes you through this process — give it a read!

Use A Caching Plugin

The idea of a website cache is simple: Each time someone views your site, the server does a bunch of processing to produce the resulting page. The result of that processing is usually the same each time. Think of a single post, for example: it doesn't really change with time.

A cache simply saves the result of all that processing, and, if the same page is requested, it serves the saved result. The processing doesn't need to be done again. On pages that change, the cache is cleared so the page gets re-generated.

Some great caching plugins are W3 Total Cache, WP Super Cache and WP Rocket. WP Rocket is the newest of the bunch, but seems to be pretty great and is growing rapidly.


A CDN — or content delivery network — is a way to serve content to a user from a location geographically closest to him or her. You could have a server somewhere in the US, for example, where all your content is served from — regardless of where the site visitor is located. Data travels pretty quickly on the web, but a few thousand kilometers is a considerable distance and can affect speed — especially pings and connection times.

A CDN distributes your content — usually your media — over multiple data centers around the world. If you use a CDN, an image would be served to a user from the server that's nearest to them. In some cases, this would mean as close as 500km. Not bad!

Popular CDNs are Amazon CloudFront, MaxCDN and CDN77. All three either have dedicated WordPress plugins or can be set up from one of the caching plugins from before.

Final thoughts

With a couple of simple steps, you can create a website that's faster, more secure and better optimized.

There is, of course, a lot more you can do than we've covered here, especially in the optimization arena. Security and backups tick away in the background, but optimization is essentially a never-ending task. You can look into keyword-targeted content and A/B testing, not to mention design, user experience, user interface design and all sorts of other industries.

My suggestion is to chip away at these bits and pieces as time allows, and always strive to make your site a little bit better. Don't forget, though: The goal of your website is most likely conversion; you could have the fastest, most secure site in the world and make no money from it. This is why automating these things and getting them out of the way is so important — you should be focusing on making the best use of your existing visitors, grabbing their attention, retaining them, and getting them to buy something!


Good luck!

Without a proper backup, losing data can be a devastating setback. Being hacked is almost always a huge blow to your site's reputation and your brand's credibility, and may even have near-fatal repercussions for your business as a whole; and failing to optimize your site, whilst almost always nowhere near as bad as losing data or being hacked, can slowly erode your company's bottom line without you ever even realizing it. Be sure to do everything you can to avoid falling into any one of these traps!

***Last updated 1st January 2017***
