12 Things I Wish I Knew About WordPress

By Faiq

After 8 years supporting WordPress sites across South Africa, here are the 12 critical lessons that would have saved me thousands of hours. From database optimization to security blindspots—insights from managing 500+ SA WordPress migrations.

Key Takeaways

  • Database bloat and unoptimized queries are the #1 performance killer—most SA sites lose 40–60% speed due to post revisions and transients alone
  • Security isn't a plugin; it's a discipline. Two-factor authentication, POPIA compliance, and regular audits prevent 95% of breaches
  • Managed WordPress hosting with daily backups and staging environments saves you from catastrophic data loss and costly emergency migrations

After 8 years as Technical Support Lead at HostWP and personally migrating over 500 WordPress sites across South Africa, I've learned more from client disasters than any course could teach. Every Friday night at 11 PM, someone's site gets hacked. Every Monday morning, someone realizes they haven't backed up in 18 months. Every Wednesday, a Cape Town agency calls in panic because a plugin update broke their entire e-commerce site.

If I could send a message back to my younger self—fresh out of high school, thinking WordPress was just a blogging tool—here's what I'd say. These 12 lessons have shaped how I approach WordPress today, and they apply directly to South African businesses relying on their sites for revenue, whether you're running on Openserve fibre in Johannesburg or ADSL in Durban.

Database Optimization Is Not Optional

Your WordPress database is like a filing cabinet—if you never clean it out, eventually you can't find anything. Most WordPress installations accumulate post revisions, spam comments, transient options, and orphaned metadata that bloat your database to 500 MB or more, even for small sites.

In my experience working with SA businesses, the average WordPress site we migrate has never run a database optimization routine. I've seen Johannesburg-based law firms running sites with 15,000 post revisions for a 200-article blog. Each time WordPress loads a page, it queries that bloated database. With South African internet speeds still lagging global averages, that wasted database overhead translates directly to slower load times—and slower sites lose customers.

Post revisions alone can account for 40–60% of unnecessary database growth. WordPress stores every single draft and auto-save by default. If you write one article with 20 revisions, you've created 20 copies of that content in your database. Multiply that across 500 posts and you're carrying dead weight that slows every query.

Faiq, Technical Support Lead at HostWP: "At HostWP, we've audited over 500 SA WordPress sites. 78% had never optimized their database. After running optimization—removing revisions, spam comments, expired transients—average page load time dropped by 2.3 seconds. That's real revenue impact."

The fix is simple: use a plugin like WP-Optimize or Perfmatters to automatically clean post revisions, keep only your latest 3, and remove spam comments daily. Set it and forget it. Your database should be lean.
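Before a cleanup plugin deletes anything, it helps to measure what is actually there. The following read-only audit is an added example, not HostWP's or any plugin's code: it counts the four kinds of bloat named above using WordPress's table and column names, with Python's `sqlite3` standing in for the site's MySQL database and all rows constructed so it runs offline.

```python
import sqlite3

KEEP_REVISIONS = 3  # the article's "keep only your latest 3"

def build_sample_db(now):
    """Constructed miniature of four WordPress tables (real column names, made-up rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT, post_parent INTEGER);
        CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY, post_id INTEGER, meta_key TEXT);
        CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, comment_approved TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
    """)
    db.execute("INSERT INTO wp_posts VALUES (1, 'post', 0), (2, 'post', 0)")
    # Post 1 carries 20 revisions (the article's example), post 2 only 2.
    db.executemany("INSERT INTO wp_posts (post_type, post_parent) VALUES ('revision', ?)",
                   [(1,)] * 20 + [(2,)] * 2)
    # post_id 999 points at a post that no longer exists: orphaned metadata.
    db.executemany("INSERT INTO wp_postmeta (post_id, meta_key) VALUES (?, '_edit_lock')",
                   [(1,), (2,), (999,)])
    db.executemany("INSERT INTO wp_comments (comment_approved) VALUES (?)",
                   [("1",), ("spam",), ("spam",), ("0",)])
    db.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("_transient_timeout_feed_a", str(now - 3600)),  # expired an hour ago
        ("_transient_timeout_feed_b", str(now + 3600)),  # still valid
        ("siteurl", "https://example.test"),
    ])
    return db

def audit_bloat(db, now, keep=KEEP_REVISIONS):
    """Count removable rows without deleting anything."""
    one = lambda sql, *args: db.execute(sql, args).fetchone()[0]
    excess = db.execute(
        "SELECT post_parent, COUNT(*) - ? FROM wp_posts WHERE post_type = 'revision' "
        "GROUP BY post_parent HAVING COUNT(*) > ? ORDER BY post_parent",
        (keep, keep)).fetchall()
    return {
        "excess_revisions": dict(excess),  # parent post ID -> revisions beyond `keep`
        "spam_comments": one(
            "SELECT COUNT(*) FROM wp_comments WHERE comment_approved = 'spam'"),
        "expired_transients": one(
            "SELECT COUNT(*) FROM wp_options "
            "WHERE option_name LIKE '!_transient!_timeout!_%' ESCAPE '!' "
            "AND CAST(option_value AS INTEGER) < ?", now),
        "orphaned_postmeta": one(
            "SELECT COUNT(*) FROM wp_postmeta m "
            "LEFT JOIN wp_posts p ON p.ID = m.post_id WHERE p.ID IS NULL"),
    }
```

Running the audit before and after a cleanup gives a record of what was removed, which is worth keeping next to the backup taken before the cleanup.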

Not All Plugins Are Created Equal

WordPress has over 58,000 free plugins. Most are garbage. Some are actively dangerous. Yet I see Durban-based e-commerce sites running 40 plugins, half of which haven't been updated in 3 years.

Every plugin is a potential security vulnerability, a performance drain, and a maintenance burden. I've found that sites running 15+ poorly-chosen plugins perform 50% slower than lean sites with 5 well-audited plugins. Each plugin adds database queries, CSS/JavaScript files, and hooks into WordPress core—compounding overhead.

The real lesson: audit ruthlessly. For every plugin you install, ask three questions: (1) Does it solve a specific business problem? (2) Is it actively maintained (updated within 60 days)? (3) Does it have legitimate reviews and a reputable author? If you can't answer yes to all three, don't install it.

I've also learned that South African businesses often use plugins that are overkill for their needs. A small Pretoria florist doesn't need a complex inventory plugin; they need a simple contact form and an image gallery. A Cape Town agency shouldn't use page builders that add 2 MB of bloat—learn WordPress theme customization instead.

At HostWP, we provide white-glove plugin audits as part of our standard support. We test every plugin against your site's traffic patterns and security requirements. If a plugin isn't pulling its weight, we remove it and recommend alternatives.
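Of the three audit questions above, only the second can be checked mechanically. The sketch below is an added example, not HostWP's audit tooling: it applies the 60-day maintenance rule, plus the 48-hour window for security updates given in the FAQ further down, to a constructed plugin inventory whose slugs and field names are hypothetical.

```python
from datetime import datetime, timedelta

MAINTAINED_WITHIN = timedelta(days=60)  # the article's "updated within 60 days"
PATCH_WINDOW = timedelta(hours=48)      # the article's deadline for security updates

# Constructed inventory; slugs and field names are hypothetical.
INVENTORY = [
    {"slug": "contact-form-x", "last_release": "2024-05-20", "pending_security_since": None},
    {"slug": "gallery-lite", "last_release": "2021-02-11", "pending_security_since": None},
    {"slug": "shop-addon", "last_release": "2024-05-28",
     "pending_security_since": "2024-05-28T09:00"},
    {"slug": "seo-helper", "last_release": "2024-04-25",
     "pending_security_since": "2024-05-31T18:00"},
]

def audit_plugins(inventory, now):
    """Return (slug, reasons) for every plugin that fails a time-based check."""
    findings = []
    for plugin in inventory:
        reasons = []
        age = now - datetime.fromisoformat(plugin["last_release"])
        if age > MAINTAINED_WITHIN:
            reasons.append(f"unmaintained: no release for {age.days} days")
        pending = plugin["pending_security_since"]
        if pending and now - datetime.fromisoformat(pending) > PATCH_WINDOW:
            reasons.append("overdue: security update pending for more than 48 hours")
        if reasons:
            findings.append((plugin["slug"], reasons))
    # Overdue security updates first, then unmaintained plugins.
    findings.sort(key=lambda f: not any(r.startswith("overdue") for r in f[1]))
    return findings
```

The other two questions (a specific business need, a reputable author with legitimate reviews) still need a human reviewer.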

Security Requires Active Discipline

WordPress powers 43% of all websites. That makes it the #1 target for automated attacks. Most SA business owners think installing a security plugin is enough. It's not.

Real WordPress security requires multiple layers: strong passwords (22+ characters, random), two-factor authentication on all accounts, regular security audits, automatic backups, Web Application Firewall (WAF) protection, and immediate patching of core updates. A security plugin alone is like putting a lock on your front door but leaving the windows open.

I've personally responded to over 150 hacked WordPress sites. 95% of breaches could have been prevented with basic discipline. The usual causes were weak admin passwords, outdated plugins, missing two-factor auth, and no POPIA-compliant data handling (critical for SA businesses under POPIA regulations). One Johannesburg accountant lost R180,000 in client trust after his site was used to send malware emails to his database.

Here's what I do now: enable two-factor authentication immediately. Use a password manager (Bitwarden, 1Password). Set WordPress to auto-update core, plugins, and themes. Install a WAF like Cloudflare (which HostWP includes standard). Run monthly security audits. Backup daily to offsite storage. It's not glamorous, but it works.

Staging Environments Save Your Life

A staging environment is a clone of your live site where you can test changes safely. It's the difference between pushing an untested plugin update to your live store during load shedding and testing it first somewhere your customer data is not at risk.

I learned this lesson the hard way. Early in my career, I updated a plugin on a Cape Town client's site without testing. The plugin conflicted with their theme. Their checkout page broke. They lost R8,500 in sales that evening. I could have prevented that with 10 minutes of testing on a staging site.

Every managed WordPress host worth its salt includes staging. At HostWP, all plans include one-click staging—a complete copy of your live site where you can experiment. Update plugins, test theme changes, try new functionality. Once you're confident, push changes to live with zero downtime.

For South African businesses on fibre connections (Openserve, Vumatel), you can even use staging to test performance during peak hours. Load shedding rotations mean your peak traffic hours might shift week to week. Test your site's performance under different conditions on staging before pushing changes live.

Caching Is Non-Negotiable for Performance

Page caching is the single most impactful performance optimization for WordPress. Without caching, every visitor forces WordPress to run PHP, query the database, build the page fresh, and send it to the browser. With caching, the page is built once, stored as static HTML, and served instantly from memory.

Website speed matters more in South Africa than in most countries. With our infrastructure challenges (load shedding, variable fibre availability outside metros, and inherently longer latency to international servers), every millisecond counts. A site that loads in 2 seconds will convert 3–4% of visitors. A site that loads in 6 seconds converts 0.7%. That's a 75% conversion loss.

HostWP includes LiteSpeed caching (faster than Varnish) plus Redis object caching standard on all plans. That means every customer gets sub-500ms page loads without thinking about it. But if you're on shared hosting elsewhere, you need a caching plugin: WP Super Cache, W3 Total Cache, or Cloudflare's free plan all work.

The rule: every site should serve cached pages to 95%+ of visitors. Only logged-in users and form submissions should hit non-cached content. If your site doesn't have caching, you're leaving 50–70% of performance on the table.


Uptime Monitoring and Alerts Matter More Than You Think

You won't notice within 30 seconds that your site is down. Your customers will. By the time you realize there's a problem, you've already lost sales, emails have bounced, and your reputation is at risk.

Uptime monitoring tools (Pingdom, UptimeRobot, New Relic) ping your site every minute and alert you instantly if it goes down. Most offer free tiers. For a Johannesburg e-commerce site, this is essential. During load shedding outages, hosting infrastructure can flake unexpectedly. You want to know within 60 seconds, not when a customer calls.

I've learned that 99.9% uptime means your site can be down 43 minutes per month and still meet SLA. For many South African businesses, that's acceptable. But it requires monitoring. Without alerts, you won't know. HostWP guarantees 99.9% uptime with automatic failover and redundant infrastructure—and we monitor from local Johannesburg data centres.

Set up monitoring today. It costs nothing and saves you thousands in lost revenue.

Frequently Asked Questions

Q: How often should I update WordPress plugins?

A: Enable automatic updates for all plugins and themes. Security updates should be applied within 48 hours. Feature updates can wait until you've tested on staging. Never update plugins on live without testing first. At HostWP, we recommend all SA sites enable auto-updates to stay protected against known vulnerabilities.

Q: What's the difference between WordPress.com and WordPress.org?

A: WordPress.org (self-hosted) gives you full control, all plugins/themes, and better monetization. WordPress.com is a managed platform—easier for beginners but limited customization. For South African businesses, self-hosted WordPress.org is standard. You own your data, comply with POPIA directly, and avoid WordPress.com's plugin restrictions.

Q: Do I really need daily backups?

A: Yes. Daily backups are non-negotiable if your site generates revenue. Ransomware, plugin conflicts, hacking, and accidental deletions happen. With daily backups, you restore in minutes. Without them, you might lose months of data. HostWP includes automated daily backups on all plans with 30-day retention.

Q: Should I use a page builder like Elementor?

A: Page builders are useful for non-technical users but add 200–500 KB of bloat per page. If you're not comfortable with theme customization, Elementor saves time. But modern WordPress themes (Neve, Astra) are so flexible that most builders are overkill. Use one if it solves a real problem; don't use one just because it exists.

Q: Is WordPress secure enough for handling sensitive client data?

A: Yes, if you follow security discipline. WordPress runs 43% of the web—it's secure when maintained properly. For POPIA compliance (South African data protection law), you need: encrypted backups, access logs, two-factor auth, regular audits, and a data deletion policy. Use a reputable host (not cheap shared hosting) with WAF protection. HostWP includes POPIA-compliant infrastructure and audit trails standard.
