Based on 10+ years of WP experience, here are some of the top things to seriously consider doing right after installing a new WordPress website – guaranteed to save you time, money, and of course nerve cells.
So, you’ve got yourself a fresh new WordPress website. It wasn’t even that hard to set up (and even free if you used a service like Warpgate), so the entire situation is a bit anticlimactic:
You stare into the pristine WP admin panel, or on your default-themed, empty front-end, meditating on what to do next.
Two obvious ideas come to mind: customizing your new site’s appearance and adding new content.
Good call, good call –
– but before uploading that logo and diving into your first blog post, why don’t we ensure the foundation we build upon is solid?
In this guide, we’ve collected a short, no-nonsense list of more or less ubiquitously useful things to make your entire website more stable, fast, and secure:
Adjust default WP settings for prettier URLs and less spam
While WordPress comes with more or less sensible factory settings, there are several checkboxes you might want to change right away.
Most of the tweaks we’ll be looking at can be found in the Settings → Discussion section, which deals with how visitors can interact with your content, such as commenting.
Whenever people get to add their comments on the Internet, at least some of them are bound to abuse this feature (we’re not even talking about bots). This can lead to massive spamalanches for your blog, which can ultimately harm your reputation and even search rankings.
It makes sense to go over ALL items on that page, but here are the ones that we most recommend changing or reviewing:

Some explanations, in the same order:
- If the “Allow link notifications from other blogs” option is active, we definitely recommend un-ticking it right away. Such notifications, called trackbacks and pingbacks, essentially display links to other blogs that mention your content. This feature was introduced to WP many years ago with a noble goal of facilitating discussions and driving relevant traffic across websites, but, quite predictably, spammers quickly found ways to abuse the crap out of it. Little benefit, lots of spam – sounds like a no-brainer.
- Moving on to regular old comments. Ask yourself: do I want to have comments in my blog/news at all? If the answer is ‘no’, make sure to un-tick the “Allow people to post comments on new articles” checkbox (and skip the rest of the items in this bullet list).
- If you did enable comments, we recommend reviewing the order in which they will be displayed: while the default is “older first”, it often makes sense to show the freshest comments on top for a more active discussion.
- If you want to receive an email each time someone posts a comment on your blog, tick the appropriate boxes in the “Email me whenever” section. Experience shows that most webmasters tend to un-tick this with time…
- Finally, definitely activate the “Comment must be manually approved” option in the “Before a comment appears” section: regardless of the number of comments you’ll receive on your posts, believe us, you don’t want to automatically let them all through (see the part about trashbacks above).
While you’re already in the Settings part of your WP admin, you might as well drop by the Settings → Permalinks view and make sure the “Post name” option is selected.
You can check out the other options there to see for yourself that it’s the best-looking one with maximum human-readability (this is also why it’s used by the majority of WP websites on the internet).
Alright, good, the default settings have been tweaked, now for the essential precaution many, many people neglect (much to their detriment):
Perform free daily backups of your entire website
Imagine me saying this in an old, wise sensei voice: there comes a moment in every webmaster’s life when they say to themselves:
I wish I had a backup of this!!
Yes, with two exclamation marks. That’s because it’s usually a scream. On a more serious note, though –
Backups are important. Because crashes, because hackers, because malware, because glitches in themes and plugins that result in the white screen of death.
There are SO MANY things that can go wrong with a complex system that is the website, it’s probably not a question of whether you’ll need to restore yours from a backup someday – more like: which day, exactly?
Many web hosts offer auto-backups as a paid add-on, an extra service to up-sell you during the checkout for your hosting plan.
The good news?
The same thing can be done for free, with minimal setup time, and on any WordPress install!
Arguably the best free plugin for performing regular backups is UpdraftPlus. It’s easy to start using out-of-the-box, but it also contains tons of powerful features which you might gradually discover and appreciate later on.
Just in case you’re wondering how to install new plugins on WordPress, here’s a quick memo: go to Plugins → Add New admin section and enter the name of the plugin or a keyword into the search bar in the top right corner. In the results grid, locate the plugin you want and hit the grey “Install Now” button on it; after the installation is complete, the button will become a blue “Activate” – click on it as well to make the plugin active. Done!
Now go to Settings → UpdraftPlus Backups and click on the Settings tab (in principle you can do manual backups by just clicking the big blue button in the Backup/Restore tab, but we’re here for automating this chore, right?).
The easiest setup that should do well for most webmasters is daily backups to Google Drive – it’s free, easy to manage, and MUCH more secure than storing your backups on the same server as your website.
Adjust the schedule drop-downs as shown on the screenshot below and choose Google Drive from the storage options (if you don’t have a Drive yet, just get it here for free):

All you have to do now is scroll down and hit “Save Changes”, then go back to the top of the page and click on the link in the “Authenticate with Google” section (also highlighted on the screenshot above).
Follow the prompts from Drive to configure permissions – this process is quite self-explanatory, but just in case here’s a quick guide from Updraft’s official website and a couple of FAQs in case you run into issues.
That’s it! UpdraftPlus will attempt to create the first backup right away, so check your Drive in several minutes to make sure everything’s working as intended –
– you don’t want to be the person shouting to themselves, “I wish I had checked that my backups actually worked!!”
Just like that, you’ve saved money on paid extras and added several hours to your life (because of all the stress you’ve avoided, you know 😌).
Log in with your phone for much better security
Every day, thousands of WordPress websites get hacked via brute-force attacks – this is when nasty folks use dark-side tools to guess your WP admin login and password combination.
What makes it even more tragic is that most of these instances can easily be prevented – by using unique logins, stronger passwords, and two-factor authentication (2FA).
That last one is just a fancy phrase for “logging in using two independent sources of data”.
The first source is something you know (i.e. your login and password combo), and the second one is something you have – for example your personal mobile phone.
There are dozens of 2FA apps out there; one of the most popular is the Authenticator by Google (available on both Android and iOS devices):

In case you were wondering – yes, it just generates a bunch of random-looking numbers every 30 seconds.
Beautifully simple, right? For someone to access your website, they would need to guess your password AND access your phone. Which has a much lower probability of happening than any of those things separately, unless you are kidnapped and interrogated (what did you have on that website?!)
After you install the app on your phone you can add one of the 2FA plugins in your WP admin, such as this one (or that one).
Taking the first mentioned plugin as an example, here’s how you connect your smartphone with your WP login:
- First, tap on the plus sign in your Authenticator app and add a new account. Choose “scan a barcode” for convenience.
- After that, go to Users → Your Profile in your WP admin and find the Google Authenticator Settings section.
- Click on the “Show/Hide QR Code” button and scan the revealed QR with your mobile device.

Voila! You will see a new entry on your smartphone’s Authenticator app, and the WP admin login screen will now have a third field where you’ll need to input the random number sequence from the app.
***
If tapping on your phone a couple of times is too tedious and seems not worth it for better website security, at least promise you’ll do this:
– make sure your WordPress login is not “admin” – if it is, create a new user with a less obvious login, give it admin privileges, and delete the old user (you can do all this in the Users section of your WP admin).
Also, verify that your password is not anything that’s on this list.
Better yet, use a long and non-obvious password; a combination of 3 or more words will do just fine if you throw in a number and a symbol.
Will implementing all of the above give you a 100% guarantee from brute-force attacks?
Well, there’s really no such thing as 100% security (or, as Harvard Business Review puts it, the only way to ensure complete security of a system is to shut that system down).
On a more practical note, your website will become so much less attractive to hackers if you implement 2FA and a strong password, they will likely focus their attempts on other, less sensible webmasters’ online property (aand your daily portion of cynicism has been served).
Start with a free theme for instant additional savings
Yeah, like you were already rushing to shell out $60 for a premium WordPress theme! Bear with us, though 🐻 (he-he, always wanted to do that… sorry!)
This one is not intended to dissuade you from using premium WP templates – in fact, as someone who’s done their share of professional theming on both ends of the cost spectrum, I do think that much more work is put into creating paid ones, on average.
No, the goal in this tip is to bring home the concept called separation of presentation and content.
This is an important design principle for many modern systems, but in the case of WordPress it means specifically that
a website’s content – the text and images on its pages and posts – is kept separate from its structure, which in turn is kept separate from the add-ons determining its visual appearance and functions.
In other words, you can change your WP site’s content, structure, appearance, and functionality completely independently from one another.
Isn’t that awesome? It’s probably one of the big reasons why WordPress managed to conquer the Internet.
In the context of this particular tip, separation of presentation and content means that you can change a site’s theme at any time, leaving the existing content and structure intact!
In fact, such switches tend to be much smoother if you’re using a free theme – that’s because nowadays many premium WP themes, like those found on ThemeForest, come with their own fancy content builders, which are typically incompatible with WordPress’ native Gutenberg editor, released in 2018.
They’re also typically incompatible with each other, for obvious reasons.
Which kind of defeats the purpose of the entire separation of presentation and content thing…
Need still more reasons to start with a free theme for your new WP website? In addition to being, well, FREE and more interchangeable?! Alright, no problem:
- In order to be hosted on the official free repository at wordpress.org/themes, a theme must pass a much stricter screening process: there are many more rules on security and compatibility which are non-negotiable.
- The entire code of every free theme in that repository is open-source and therefore can be audited by anyone, at any time. Premium themes aren’t too inclined to share their code with the public, for obvious reasons.
- Modern premium themes constantly need to justify their prices, which leads to cases like Avada, which boasts “48 complete website designs”. In other words, you’re paying for 47 designs that you’ll likely never use.
- Most of the visual appeal of paid templates comes from the use of carefully selected images, anyway. When looking at a premium theme’s preview page, try to imagine it without all of its pictures: does it still look special and pretty?

Just to reiterate – premium WP themes offer many useful features, from design to plugin-like functionality.
BUT, you probably won’t need most of it for your particular website, especially in the beginning.
And even if you did, there’s almost nothing that can’t be replicated with beautiful images and free plugins.
Auto-update your WordPress core, themes, and plugins
Speaking of themes and plugins. Are yours up to date? And more importantly – does this even matter?
Yes, experts say, it matters a great deal – because all software, even the most popular systems like WordPress, is (still) written by people.
Who are prone to mistakes, and, however knowledgeable, cannot be perfect code generators 100% of the time.
That’s why every month, dozens of new vulnerabilities are being discovered in the most widely used WordPress plugins and themes – and even in the WP core itself.
This is a bit like the story with regular back-ups we’ve discussed above – everyone sort of gets the importance of keeping their website’s software up to date, but sadly, very few actually do it.
Just look at the official stats:

At the time of writing, the latest WP core version is used by just a third of all websites. And that’s not even touching the themes and plugins!
Given the sheer number of ways for online rascals to hack, exploit, and destroy websites using known vulnerabilities in outdated WordPress, that pie chart should be redrawn like this:

…But, but, doing all those tedious updates by hand is tedious!
Absolutely – and that’s why there are dormant auto-update options built right into the WordPress core.
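Several of those core options are constants in wp-config.php. The following added example (not part of the original guide or of WordPress itself) scans a config file for the settings that hold automatic updates back. The constant names AUTOMATIC_UPDATER_DISABLED, DISALLOW_FILE_MODS and WP_AUTO_UPDATE_CORE are WordPress core's; the function names are hypothetical and both sample files are constructed.

```python
import re

# Matches define( 'NAME', true|false|'string' ); at the start of a line, so
# lines commented out with // or # are skipped. Simplification: block comments
# and PHP expressions as values are not handled.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(true|false|'[^']*'|"[^"]*")\s*\)\s*;""",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample files, not taken from any real site.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTOMATIC_UPDATER_DISABLED', true );
define( 'WP_AUTO_UPDATE_CORE', false );
// define( 'DISALLOW_FILE_MODS', true );
"""
FIXED_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_AUTO_UPDATE_CORE', true );
"""


def read_defines(config_text):
    """Map constant name -> bool or string; the first define() wins, as in PHP."""
    found = {}
    for name, raw in DEFINE_RE.findall(config_text):
        value = raw[1:-1] if raw[0] in "'\"" else raw.lower() == "true"
        found.setdefault(name, value)
    return found


def audit_auto_updates(config_text):
    """List the settings in this file that hold automatic updates back."""
    defines = read_defines(config_text)
    findings = []
    if defines.get("AUTOMATIC_UPDATER_DISABLED") is True:
        findings.append("AUTOMATIC_UPDATER_DISABLED: every automatic update is off")
    if defines.get("DISALLOW_FILE_MODS") is True:
        findings.append("DISALLOW_FILE_MODS: file changes blocked, updates included")
    core = defines.get("WP_AUTO_UPDATE_CORE")
    if core is False:
        findings.append("WP_AUTO_UPDATE_CORE=false: core never updates itself")
    elif core == "minor":
        findings.append("WP_AUTO_UPDATE_CORE='minor': major releases stay manual")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_auto_updates(text) or "no blockers found")
```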
Some hosting providers (including Warpgate, of course) handle theme, plugin, and core updates for you, in the background – but even if yours doesn’t, at this point you might already guess where to look:
Free WP plugins!
This one, for example, does all the auto-updating for you – at regular intervals or according to your predefined schedule.
See – it’s quite easy, really. Just a couple of clicks, and your website will stay up to date without you ever having to think about it again.
Let’s stay in that green part of the pie!
Vote on Upcoming Tips
We tried to keep this guide as short as possible, yet still ended up with more than 2500 words of text 🤐
That’s why we’ve decided to be extra focused when it comes to expanding it – and that’s where you can help:
→ vote for the items that you’d like to see added to the list, by mentioning which of the shortlisted topics seems more important to you:
- Get all SEO essentials for free with this single plugin
- Set up free threat monitoring and malware scans
- Minimize the impact of images on site load speed
- Make your pages load faster in any country (for free)
Cast your vote in the comments section below, and we’ll gradually augment this guide with even more tips, rants, and suggestions that save you money, time, and nerves!