8 WordPress Habits Every Small Business Owner Should Build

WordPress makes it easy to manage your own website without paying a developer for every little update. You can publish posts, swap out images, update your contact info or hours or add a new product or service without ever having to mess with code. But there are a handful of habits that separate people who maintain healthy, fast, secure websites from those who end up with slow pages, hacked accounts or a media library with duplicate images taking up server space.
Most of the time, these issues happen because website owners don’t know what they don’t know. No one ever told them to optimize an image before uploading. So I’m taking you under the hood as it were, and sharing the most frequent slip-ups I see on client websites.
The good news is that while small business owners may get these wrong, they can be easily fixed. We just have to build that muscle memory. Practice these good habits each time and they will become second nature and keep your site safe, optimized and secure.
Let’s dive in! Here are the most common things I see small business owners overlooking… and exactly how to fix each one.
1. Uploading unoptimized images
This is the single most common performance killer on small business WordPress sites. Someone takes a photo on their phone which ends up being huge. We’re talking anything over 400 KB and 4000 pixels wide. Then they turn around and upload it directly to their WordPress site or media library. Cue the slow page load. Images are almost always the largest files on a webpage. Oversized ones make your visitors wait, and slow pages mean visitors leave before they ever see your offer.
The fix: Before uploading, resize your image to no wider than 1200–1500px and compress it. TinyPNG is free and takes 30 seconds. A large, 4 MB photo can drop to under 200 KB with no visible quality loss. For a hands-off approach, plugins like Imagify or ShortPixel compress images automatically on upload. If you want to learn more about this specifically, I wrote a guide to image optimization that walks you through the whole process.
2. Not naming images before uploading
This one seems minor until you have 400 images in your media library all named IMG_3847.jpg. WordPress uses the filename as part of the image URL but it’s also how you (and search engines) can identify and find what the image contains.
A file named storefront-exterior-spring.jpg is searchable, descriptive and perhaps most importantly, findable six months later when you want to reuse it elsewhere on your site. DSC00042.jpg? Not so much.
The fix: Rename image files on your computer before uploading. Use lowercase letters, hyphens instead of spaces and plain descriptive language: team-photo-2024.jpg, logo-horizontal-white.png. Once an image is in your media library, you can insert it anywhere without uploading it again, which also keeps your library clean and your storage lean. This is especially important on hosting plans where you may have to pay if you exceed storage.
3. Skipping alt text on images
Alt text is the written description you attach to an image. It serves two important purposes: it tells screen readers what the image is all about (accessibility points), and it tells search engines what the image shows (SEO points). Leaving it blank is a missed opportunity at best and an accessibility failure at worst (which also opens you up to non-compliance).
The fix: Every image on your site should have a short, accurate description of what the image depicts. You add alt text in the media library or directly in the block editor when inserting an image (though I recommend the library so you only have to enter it once). The goal is to write for a human who can’t see the photo. Close your eyes and create a short description that explains the image so you can conjure it up as if you’d never seen it. You don’t need to stuff keywords in there; it’s best to write naturally. Alt text is just one piece of the accessibility puzzle, though. Here’s a broader look at making your WordPress site accessible.
4. Not testing your contact forms
This one gets overlooked more than almost anything else. A contact form that looks fine on the page can quietly stop working after a plugin update, a theme change, or a hosting configuration tweak, and you’d never know unless someone told you. And spoiler alert, most people won’t tell you. They’ll just move on.
If your contact form is broken, you’re not just missing inquiries. You’re actively losing potential customers who tried to reach you and got nothing back. But there are actually two things that can go sideways here. The form itself can break and people wouldn’t be able to submit, which is a problem unto itself, BUT even when people can submit without an issue, the email notification might not be getting delivered to you. That means you’re missing out on knowing when someone is trying to reach you. WordPress relies on its own mail function to send those notifications and many email providers will block or route these notifications to spam.
The fix: Send yourself a test message through every form on your site at least once a month (like when you’re doing your plugin updates!) and make sure it lands in your inbox. On just about every site I create that uses some type of contact form, I install FluentSMTP which is a free plugin that routes your WordPress emails through a proper mail service, dramatically improving deliverability.
5. Not backing up offsite
Most people either skip backups entirely or assume their host is handling it. Some hosts do run backups, but storing your backup on the same server as your site means that if something goes wrong with the server, you could lose both.
The fix: Use a backup plugin like UpdraftPlus (free tier available) and configure it to send backups somewhere off your hosting provider. Places like Dropbox, Google Drive or OneDrive all work. Set it to run automatically at least weekly, or daily if you publish content often. You want a copy of your site that exists completely independently of your hosting account.
6. Ignoring updates for plugins, themes and WordPress core
I know I go on and on about this but if I had a nickel for every website I inherited where there are a great many updates to run, I would be retired in Italy by now. WordPress regularly releases updates for its core software and most plugin and theme developers do too. Those updates often include security patches that close vulnerabilities hackers actively exploit. Running outdated software is one of the most common reasons WordPress sites get compromised.
The fix: Log in to your WordPress dashboard at least once a month and check Dashboard → Updates. I recommend running these one by one, to make sure nothing breaks. (Make sure to run a backup before running any update; see habit 5.) But also, take a look at the versions. They typically have a three-digit value, like 1.2.3. Going from something like 1.2.3 to 1.2.4 is usually considered minor, while 1.2.3 to 2.2.3 is much larger. If the version jump is big, you run the risk of something breaking, as it can (sometimes) mean you haven’t been keeping up with the smaller updates. The further you fall behind, the higher the risk of something breaking during an update and the tougher it will be to figure out.
Bonus: if a plugin hasn’t received an update from its developer in over a year, consider replacing it with something else. These plugins are deemed “abandoned” and are huge security risks.
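As an added example (not part of the original article), the version-jump and abandoned-plugin checks from this habit can be written as a short Python script. The plugin names, versions and dates are constructed sample data, and treating a change in the middle number as a "medium" jump is an assumption the article does not make.

```python
import re
from datetime import date

# Constructed sample inventory (hypothetical plugins, not from the article).
# Fields mirror what you can read off the Plugins screen and plugin pages.
PLUGINS = [
    {"name": "forms-plugin", "installed": "1.2.3", "available": "1.2.4",
     "active": True, "last_release": date(2025, 11, 2)},
    {"name": "gallery-plugin", "installed": "1.2.3", "available": "2.2.3",
     "active": True, "last_release": date(2025, 9, 15)},
    {"name": "thumbnail-tool", "installed": "3.0.1", "available": "3.0.1",
     "active": False, "last_release": date(2022, 4, 1)},
    {"name": "old-slider", "installed": "2.9", "available": "2.10.1",
     "active": False, "last_release": date(2025, 6, 20)},
]

def parse(version):
    """'1.2.3' -> (1, 2, 3); short versions such as '2.9' are zero-padded."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def jump(installed, available):
    """Size of an update, judged by the leftmost number that changed."""
    old, new = parse(installed), parse(available)
    if new <= old:
        return "none"
    if new[0] != old[0]:
        return "large"
    # Assumption: a middle-number change sits between the article's two cases.
    return "medium" if new[1] != old[1] else "small"

def audit(plugins, today):
    """Return (name, jump size, notes) for each plugin needing attention."""
    report = []
    for p in plugins:
        size, notes = jump(p["installed"], p["available"]), []
        if size == "large":
            notes.append("back up, update on its own, then test the site")
        if size != "none" and not p["active"]:
            notes.append("inactive but outdated: update or delete")
        if (today - p["last_release"]).days > 365:
            notes.append("no release in over a year: consider replacing")
        if size != "none" or notes:
            report.append((p["name"], size, notes))
    return report

if __name__ == "__main__":
    for name, size, notes in audit(PLUGINS, date(2026, 1, 15)):
        print(f"{name}: {size} update; " + ("; ".join(notes) or "routine"))
```

Versions are compared as numbers, not text, so 2.10.1 is correctly treated as newer than 2.9.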
7. Installing too many plugins
Speaking of plugins… they are what make WordPress so versatile, but they’re also one of the easiest ways to slow down your site, introduce security vulnerabilities, and create conflicts that are frustrating to diagnose. Every active plugin adds code that loads on every page, so activate enough of them and the cumulative drag is real.
The fix: Do a quick plugin audit. Go to Plugins → Installed Plugins and look at what’s there. You should have an understanding of what each one does and if the functionality isn’t something you need, you should deactivate and delete. Plugins that are deactivated but still on your list are still potential security vulnerabilities. If you plan to continue using a plugin and it’s just a temporary deactivation, make sure you keep it up to date as if it were active. If you installed something to solve a one-time problem years ago (this is common with a plugin that does something like regenerating thumbnails), it’s probably not still needed. Keep only what’s actively doing something useful and those from developers who are still maintaining the code.
8. Using a weak password without two-factor authentication
WordPress login pages are constantly targeted by automated bots running brute-force attacks. They just keep trying username and password combinations found in another security breach somewhere until something works (this is why you shouldn’t use the same password on every site!). Even moderately complex passwords aren’t enough on their own.
The fix: Use a strong, unique password (and perhaps a password manager) and enable two-factor authentication on your admin account. Security plugins like Wordfence or iThemes Security can add 2FA in a few clicks. This single step stops the vast majority of automated login attacks.
Bonus: Connect Google Search Console
Google Search Console is a free tool from Google that shows you how your site is performing in search. It tells you what people are searching for when they find you, which of your pages rank, and whether Google has flagged any errors that could keep your pages or site from being found. The data starts accumulating the day you connect it. While you don’t need to understand all of it right now, it’s helpful to have the data at your fingertips when you are ready to dive into it.
The fix: Connect your site at search.google.com/search-console. Verification takes about five minutes using a plugin like Site Kit by Google. (Site Kit will also encourage you to install Google Analytics, which is another “install now, analyze later” service I would recommend). Once installed, you can let one or both of these run quietly in the background. What the Search Console data actually means is worth a post of its own but for now, just get it connected and measuring.
The short version
You don’t need to be a coder or developer to run a healthy WordPress website. Compress and rename your images before uploading, fill in alt text, keep everything updated, back up offsite, keep your plugin list lean, use strong credentials, and connect Search Console. Doing those things consistently and building them into your routine will serve you well and put you ahead of the curve.
That said, small business owners frequently wear all the hats, so if you’d rather put your energy into running your business and leave the website maintenance to someone else, that’s what I’m here for!

