Blue Wonders Consultancy
Help Center

WordPress

Backups, migrations, safe updates, and incident response basics.

Maintenance & security

Keep your WordPress site stable.

These are practical best practices for clients who run WordPress — whether we host it or you do.

How to back up your site safely

A reliable backup includes both your files and your database. If you only back up one, restores can fail or lose content.

  • Confirm you have both files + database backups (not just media)
  • Keep at least one offsite copy (cloud storage, separate provider)
  • Use scheduled backups for production sites (daily or weekly)
  • Test restores occasionally (a backup you can’t restore isn’t a backup)
  • Before major changes, take an on-demand snapshot

If you’re on a maintenance plan, ask us what your current backup schedule and retention window are.
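
As a quick pre-check before relying on a backup, the sketch below confirms that an archive holds both the site files and a database dump with the core tables. It is an added example, not part of our tooling. It assumes a .tar.gz archive with the WordPress root at the archive root, a .sql dump inside it, and the default wp_ table prefix; the function names check_backup and build_sample are hypothetical.

```python
import io
import re
import tarfile

# Paths a full file backup should contain, relative to the site root (assumed archive root).
REQUIRED_PATHS = ("wp-config.php", "wp-content/plugins", "wp-content/themes", "wp-content/uploads")
# Core tables a usable dump must define; "wp_" is the default prefix and may differ per site.
CORE_TABLES = ("options", "posts", "users")
CREATE_RE = re.compile(rb"CREATE TABLE\s+(?:IF NOT EXISTS\s+)?`?(\w+)`?", re.IGNORECASE)


def check_backup(archive, prefix="wp_"):
    """Return a list of problems in a .tar.gz backup; an empty list means both halves are present."""
    problems = []
    with tarfile.open(fileobj=archive, mode="r:gz") as tar:
        members = tar.getmembers()
        names = [m.name.removeprefix("./") for m in members]
        for path in REQUIRED_PATHS:
            if not any(n == path or n.startswith(path + "/") for n in names):
                problems.append(f"missing files: {path}")
        dumps = [m for m in members if m.isfile() and m.name.endswith(".sql")]
        if not dumps:
            problems.append("missing database dump (.sql)")
        for dump in dumps:
            found = {m.group(1).decode() for line in tar.extractfile(dump) if (m := CREATE_RE.search(line))}
            for table in CORE_TABLES:
                if prefix + table not in found:
                    problems.append(f"{dump.name}: no CREATE TABLE for {prefix}{table}")
    return problems


def build_sample(with_database):
    """Build a constructed sample archive in memory: a minimal fake site, optionally with a dump."""
    entries = {"wp-config.php": b"<?php\n"}
    entries.update({path + "/index.php": b"<?php\n" for path in REQUIRED_PATHS[1:]})
    if with_database:
        entries["db.sql"] = b"".join(b"CREATE TABLE `wp_%s` (id INT);\n" % t.encode() for t in CORE_TABLES)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    print("full backup:", check_backup(build_sample(True)))
    print("files only: ", check_backup(build_sample(False)))
```

A clean result only shows that the expected pieces are in the archive; it does not replace an occasional test restore.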

Migrating a WordPress site to new hosting

Most migration issues come from DNS timing, plugin conflicts, or file size limits. Plan the move and keep the old host active until the new site is verified.

  • Lower DNS TTL at least 24 hours before the move (if possible)
  • Create the new hosting environment (PHP version, SSL, caching)
  • Migrate files + database, then update URLs and permalinks
  • Verify forms, email notifications, logins and checkout flows
  • Switch DNS and monitor traffic/errors during propagation

For business-critical sites, we recommend migrating during a low-traffic window and keeping a rollback plan.

Maintenance mode and safe updates

Updates are safest when they’re staged. If you update everything on production with no backup, a small plugin conflict can cause downtime.

  • Back up first, then update on a staging environment
  • Update in this order: plugins → theme → WordPress core
  • After each step, check critical pages and forms
  • Use maintenance mode during planned updates (short window)
  • Remove unused plugins/themes to reduce attack surface

If you need to update urgently due to a security issue, we’ll prioritize a fast patch with a short verification checklist.

What to do if you suspect malware

If your site is redirecting, showing warnings, or sending spam, treat it as urgent. The goal is to contain impact first, then clean safely.

  • Change admin passwords immediately and enable 2FA where available
  • Disable or remove unknown admin users
  • Take the site offline temporarily if it’s actively harming users
  • Scan files and database; remove injected code and rogue plugins
  • Patch vulnerabilities and rotate credentials (FTP/SSH, DB, email)

If you contact us, include the domain, what you observed, and when it started. Avoid reinstalling plugins blindly until a backup is secured.