As we all know, WordPress installation can be done in less than 5 minutes … a fact the WordPress team advertises on every occasion calling it the “famous” 5 minute install. Anyway, installing a fresh copy of WordPress isn’t quite enough to get it to the point of being able to run a site to its full potential.
Of course, no one really forces you to do anything else except installing WordPress, and then publishing some content as soon as possible, but that way you’d be leaving a lot of important issues unattended.
Over the years I’ve developed an approach for installing WordPress and then setting it up. Each blog I launch gets a similar set of settings, tweaks, and hacks. I’m not saying that my way is what you should be doing too, but I only want to point your attention to a couple of things that may be important to you and your blogs.
And I’m not even touching upon plugins here. This post is entirely about settings available in WordPress right from the get-go.
Let’s start this guide with some security settings:
Creating User Accounts
During installation, you get to create your main admin account, which will then become your only user account for the whole site.
If you’re the only author on your blog then you might decide to stop there and simply use this one account for every possible task (both in terms of publishing content and managing the blog).
This isn’t the best idea for two main reasons:
- It’s easy to get caught up in all the features the WordPress dashboard has to offer and alter the blog by accident while publishing content.
- Anyone can discover your admin account’s login just by clicking your name.
The latter is much more dangerous. You see, there are two steps to breaking into any user account: (1) discover the login, (2) break the password.
Every WordPress site is set up (by default) in a way that the author’s name displayed along with every post is automatically linked to the author archives. The link usually looks something like this:
The “some-dude” in the above example is the login name of the user account. If this account is the admin account then you’re setting yourself up for trouble.
What to do to be safe
First of all, during installation, don’t create your admin account with the login “admin” or anything else of similar simplicity. Always come up with something just a little more complicated. Preferably a random string of characters and numbers – something that is neither a word that can be found in a dictionary, nor a common name.
Secondly, once your installation is complete, go to your WordPress admin, create one more user account, and assign it the Editor role. This is the account you’ll be using for publishing content.
An Editor account is basically like an admin account in terms of access rights to posts and pages. The role, however, has no access to the administrative tasks and sections of the admin panel, so it can’t be used to do any significant damage (in case someone breaks your password).
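An account audit that follows the two rules above, written as an added example (not code from the original post). It assumes it runs inside a loaded WordPress install (for instance via WP-CLI’s wp eval-file) and uses a constructed list of weak logins; the short-login heuristic is an assumption of this example, not a WordPress rule.

```php
<?php
// Added example: audit user accounts against the advice in this section.
// Assumes WordPress is loaded (e.g. run with: wp eval-file audit-accounts.php).

// Constructed list of logins that are trivially guessable.
$weak_logins = array('admin', 'administrator', 'root', 'user', 'test', 'wordpress');

function audit_wp_accounts(array $weak_logins)
{
    $findings = array();

    // Administrator logins are effectively public: the author archive URL
    // (/author/<nicename>/) is derived from the login by default.
    foreach (get_users(array('role' => 'administrator')) as $admin) {
        $login = strtolower($admin->user_login);

        // Heuristic (example assumption): dictionary-style or very short
        // all-letter logins are treated as guessable.
        if (in_array($login, $weak_logins, true) || preg_match('/^[a-z]{1,6}$/', $login)) {
            $findings[] = sprintf('Administrator "%s" has an easily guessable login.', $admin->user_login);
        }

        // Posts published from an admin account link to that account's archive.
        $post_count = (int) count_user_posts($admin->ID);
        if ($post_count > 0) {
            $findings[] = sprintf(
                'Administrator "%s" has published %d post(s); publish from an Editor account instead.',
                $admin->user_login,
                $post_count
            );
        }
    }

    // There should be a separate Editor account for day-to-day publishing.
    if (count(get_users(array('role' => 'editor'))) === 0) {
        $findings[] = 'No Editor account exists; create one for publishing content.';
    }

    return $findings;
}

$findings = audit_wp_accounts($weak_logins);
if (empty($findings)) {
    echo 'No account issues found.', PHP_EOL;
}
foreach ($findings as $finding) {
    echo $finding, PHP_EOL;
}
```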
The timezone setting can be found in Settings > General of your WordPress admin. It may sound like something obvious or maybe even redundant, but you have to remember to set it up properly if you’re publishing to an audience that’s based somewhere other than where your server is.
You simply don’t want your posts to carry a publication date set to the middle of the night.
This is a really handy feature that was mentioned on this blog not that long ago. In essence, enabling Remote Publishing lets you submit content through many third party publishing apps like Windows Live Writer, for example.
This setting can be found in Settings > Writing. To find out more on how to work with remote publishing apps feel free to visit this post: Speed Up Your Blogging With Offline Blogging Apps.
There are lots of checkboxes in the Settings > Discussion section of your WordPress admin panel. They ask a range of different questions, but essentially, you don’t have to worry about them that much. There are only a couple of things to take care of here.
- Attempt to notify any blogs linked to from the article – Enable. This will enable pingback functionality. Pingbacks are sent to other WordPress blogs you’re linking to, and they may result in those blogs automatically linking back to you. Free links are always appreciated.
- Allow link notifications from other blogs (pingbacks and trackbacks) – Enable for new blogs. In the previous point you were setting the possibility of sending notifications, this one’s about receiving them. I think that every new blog should have this feature enabled. If you do this, you’ll be notified (in the comments section) whenever someone links to your blog. However, if you start seeing more and more spam links then disabling this feature is a good idea.
Whenever you’re launching a new blog you absolutely have to go to the Settings > Privacy section, and make sure that the checkbox “Allow search engines to index this site.” is checked. If not, you’ll never show up on Google. Unless that’s something you want, of course.
I’ve been talking about permalinks a lot lately, so let me just point you towards some more in-depth information on optimal permalink structure for WordPress: Getting the Permalink Settings for WordPress Just Right.
For now, however, let me just tell you that I’m always using the custom setting of /%postname%/ for all my permalinks. This way every post has a unique URL that contains some relevant keywords and nothing else. Really good for SEO.
Wp-config.php is one of the files that get created automatically during installation. It is still worth editing it and doing some manual tweaks, though.
I personally do two things:
Disable post revisions.
In 99% of the cases, post revisions are just littering your database with multiple copies of the same post. If you disable this feature each post will get only one entry in the database.
To do this you just have to edit your wp-config.php file and include this line:
From now on, the feature is not active.
Input new authentication unique keys.
Authentication keys are used for a couple of things, mainly to work with logged-in user sessions. These keys need to be unique for security purposes.
To have a fresh start it’s good to generate your own list of keys. You can do it by going to https://api.wordpress.org/secret-key/1.1/ – you can copy the content straight from this page and then paste it into your wp-config.php file.
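Both wp-config.php tweaks from this section in one fragment, as an added example rather than the post’s own file. The key values are placeholders to be replaced with the generated output; the constant names are the ones WordPress itself reads, and the integer form of WP_POST_REVISIONS goes slightly beyond the text (it keeps a limited number of revisions instead of none).

```php
<?php
// Added example: the two wp-config.php tweaks described above.

// 1. Post revisions. false keeps a single copy of each post in the database;
//    an integer (e.g. 3) would instead keep that many revisions per post.
define('WP_POST_REVISIONS', false);

// 2. Authentication keys and salts. They sign the login cookies, so each site
//    needs its own unique values. PLACEHOLDER_* strings stand in for the
//    generated output and must be replaced before use.
define('AUTH_KEY',         'PLACEHOLDER_AUTH_KEY');
define('SECURE_AUTH_KEY',  'PLACEHOLDER_SECURE_AUTH_KEY');
define('LOGGED_IN_KEY',    'PLACEHOLDER_LOGGED_IN_KEY');
define('NONCE_KEY',        'PLACEHOLDER_NONCE_KEY');
define('AUTH_SALT',        'PLACEHOLDER_AUTH_SALT');
define('SECURE_AUTH_SALT', 'PLACEHOLDER_SECURE_AUTH_SALT');
define('LOGGED_IN_SALT',   'PLACEHOLDER_LOGGED_IN_SALT');
define('NONCE_SALT',       'PLACEHOLDER_NONCE_SALT');
```

Changing the keys on a live site invalidates every existing login cookie, so all users will have to sign in again.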
The topic of functions.php hacks is a very wide one. There are literally hundreds of different things you can do using hacks.
I like to play it safe, though, and work with just two additional hacks.
1. Don’t display login errors.
When you try to log in to a user account and something goes wrong, you get an error message explaining what the problem is. This may be nice in theory, but it’s also a security issue. By turning those messages off you’re not giving any indication of what went wrong to someone who tries (and struggles) to break into your WordPress admin panel.
Place this line anywhere in the functions.php file of the theme you’re currently using:
add_filter('login_errors', function ($error) { return null; }); // anonymous function instead of create_function(), which PHP 8 no longer provides
2. Remove the version number.
If you view the source of your site in any browser, among other pieces of data, you’ll find information about the version of WordPress you’re currently using. For example:
<meta name="generator" content="WordPress 3.1" />
This can be considered a security issue. You can easily disable this message by using this line in your functions.php:
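The version-removal hack as an added functions.php example (not the post’s own line). It goes beyond the meta tag in the text: WordPress also emits its version in the feed generator element and as a ?ver= query string on scripts and styles enqueued without their own version, and the filters used below are the standard WordPress hooks for those places.

```php
<?php
// Added example: strip the WordPress version from every place it is emitted.
// Place in the active theme's functions.php.

// The <meta name="generator" content="WordPress x.y" /> tag in the page <head>.
remove_action('wp_head', 'wp_generator');

// The <generator> element in RSS/Atom feeds (and other the_generator output).
add_filter('the_generator', function () {
    return '';
});

// Scripts and styles enqueued without a version get "?ver=<WordPress version>"
// appended; remove that query argument from the emitted URLs.
function strip_wp_version_query_arg($src)
{
    if (is_string($src) && strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'strip_wp_version_query_arg', 15);
add_filter('style_loader_src', 'strip_wp_version_query_arg', 15);
```

Removing ?ver= also removes cache-busting for those assets, so plugins and themes that rely on it should pass their own version to wp_enqueue_script and wp_enqueue_style.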
Setting the robots.txt file
Since we have not one but two separate posts on this matter alone, I’m not going to talk about it here. Instead, I’m sending you over to this post: Understanding robots.txt and What it Can Do for a WordPress Blog.
What you’ll find there is a complete guide on how to create a WordPress-friendly robots.txt file that will give you an additional edge in Google’s eyes.
Some final thoughts to conclude this post with… Do you really need to do all this with a new WordPress installation? – No. Of course not. But in the end, there aren’t really that many things that you absolutely must do. It’s always a matter of exchanging your time for making your work easier further down the road.
That being said, you are more than welcome to let us know about your own approach to taking care of the initial settings. What’s on your list of things to do with a new WordPress blog?