You heard about WordPress and how great it is for building just about any type of website. You picked a great theme to make your site look the way you want and installed a few plugins to make it do the things you need. Finally, you added your content and launched the site. All done, right?
Not so fast.
Give attention to the following essentials before you consider your WordPress site complete. They don’t take much time but are often overlooked.
Did You Do These Things?
- Secure Your Login
- Configure Backups
- Prepare for Updates
- Enable HTTPS/SSL
- Check Your Settings
- Prevent Comment Spam
- Welcome Search Engines
- Moved Your Site? Update Your URLs
- Switched Themes? Resize Your Images
1. Secure Your Login
Automation is being used all day and all night to guess passwords for millions of login forms on the Internet. This is called cracking. Accounts using simple passwords such as dictionary words are cracked first.
Use a different strong password for every online account you have. Google provides some handy tips. Solutions like 1Password and LastPass can help by generating and remembering a complex password for each of your accounts. All you have to do is memorize one master password.
Also install the Loginizer WordPress plugin (or if you’re using Jetpack, enable the Protect module). It is very effective at blocking automated password cracking attempts on your login form. Wordfence does the same thing (and more).
Be sure you have an SSL certificate installed as well to ensure your password cannot be snooped on when logging in.
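As an added example (not code from this post or from Loginizer, Jetpack or Wordfence), this must-use plugin shows the mechanism those plugins rely on: count failed logins per client address and refuse further attempts for a while. It assumes it is loaded by WordPress (for instance as wp-content/mu-plugins/login-throttle.php); the limit of 5 failures per 15 minutes is a constructed choice.

```php
<?php
/*
Plugin Name: Login Throttle (added example)
Description: Locks out a client address after repeated failed logins. Assumes WordPress is loaded.
*/

// Constructed limits: 5 failures, then a 15-minute lockout.
define('LT_MAX_FAILURES', 5);
define('LT_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

// Transient key for the current client. REMOTE_ADDR is the TCP peer; behind a
// proxy or CDN the real client address must be recovered from a trusted header first.
function lt_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lt_failures_' . md5($ip);
}

// Count each failed login (WordPress fires this for every wrong username/password,
// and also for the lockout error below, so attempts during a lockout extend it).
add_action('wp_login_failed', function ($username) {
    $key = lt_client_key();
    set_transient($key, (int) get_transient($key) + 1, LT_LOCKOUT_SECONDS);
});

// Runs after WordPress's own username/password check (priority 20) and discards
// the result while the client is locked out, so guessing yields no information.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lt_client_key()) >= LT_MAX_FAILURES) {
        return new WP_Error(
            'lt_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(lt_client_key());
});
```

Blocking by address is a coarse control, since a distributed campaign spreads its guesses across many addresses; a strong, unique password remains the primary defence and the throttle just removes the cheap wins.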
2. Configure Backups
The importance of making regular backups cannot be overstated. You want to be able to restore a backup if ever the need arises. Here are some plugins that help.
- UpdraftPlus – Our favorite backup plugin with optional paid add-ons.
- VaultPress – We have used this service and found it to be solid.
- BackupBuddy – A very popular paid backup plugin from iThemes.
It never hurts to have two backups. Your web host may have a backup feature in their control panel. If it does not run automatically, mark your calendar to log in and periodically generate and download a backup of your entire website.
Recommended: Best Backup WordPress Plugins According to 21 Pros
3. Prepare for Updates
WordPress, theme and plugin updates include new features and bug fixes. Bug fixes are important and if they are related to security, they are essential. Always run the latest versions. It only takes a few clicks.
WordPress shows available updates on your dashboard and updates itself behind the scenes when security updates are available. Major releases and updates for themes and plugins require action on your part. You can install the WP Updates Notifier plugin to receive emails. Also mark your calendar to log in periodically to check for available updates.
4. Enable HTTPS/SSL
Every website should use an SSL certificate to enable https://. This causes all passwords, user data, payment details, form submissions and so on to be encrypted. It also keeps Google from penalizing your website in their search results and from warning users about your website in the Chrome browser. WordPress now recommends HTTPS for all sites.
More and more hosts are offering free, automatically installed SSL certificates. After installing a certificate, you will also need to set up some URL redirections and replacements. Read HTTPS for WordPress: Auto-enable SSL for Free for more on this topic.
See our Security Guide for more on the topic of securing your website.
5. Check Your Settings
General Settings
Go to Settings > General and make sure the settings are as you want them. Most default settings are fine but you will want to be sure the Tagline and Timezone are appropriate.
Enable Pretty Permalinks
Your WordPress URLs will look like one of the two below. The first is greatly preferred because it is more human (and search engine) friendly.
http://yourname.com/about-us/
http://yourname.com/?p=237
Go to Settings > Permalinks and choose anything but “Plain” (formerly called “Default”). A common choice is “Post name”. Nearly all web hosts support mod_rewrite which is required for “Pretty Permalinks”. Read Using Permalinks for more information.
6. Prevent Comment Spam
If you have comments enabled for any of your posts or pages, you can expect to receive spam submissions. I recommend this one-two punch for knocking spam out of your site.
- Go to Settings > Discussion and configure the comment moderation options (as shown in the screenshot)
- Install the Antispam Bee plugin (use default configuration)
New comments will be checked for signs of being spam and either marked as spam or placed into a moderation queue. You will receive an email when a new comment requires moderation in order for you to confirm that it is not spam. After a user has had one comment approved, they’re considered trusted and will no longer require moderation.
Read How To Prevent Spam in WordPress for more information.
7. Welcome Search Engines
Go to Settings > Reading and look for Search Engine Visibility. Make sure “Discourage search engines from indexing this site” is not checked. It shouldn’t be, but better safe than sorry.
The search engine optimization plugin WordPress SEO by Yoast is worth installing even if you only use the default settings. WP Kube recently asked 40 experts what their favorite plugins are and this one came out on top. That’s saying a lot because there are about 30,000 WordPress plugins available.
Users of our themes can see our Search Engine Optimization guide for more.
8. Moved Your Site? Update Your URLs
Did you move your website from one location to another in order to set it live? Many people build a website on their computer or in a subdirectory like yourname.com/new then move it to yourname.com to go live.
WordPress stores full URLs for things like links and images in content, menus, custom fields and so on. Check to see that they are not still pointing to your temporary site. If so, run the Velvet Blues Update URLs plugin (make a backup first). Currently this plugin does not update widgets so check those manually.
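The reason a plain search-and-replace on the database is not enough, and what a tool like Velvet Blues Update URLs (or the http to https replacement from section 4) has to get right: WordPress keeps some values, widgets among them, as PHP-serialized data whose strings carry a byte-length prefix. This added example is not the plugin's code; the widget data and the two addresses are constructed.

```php
<?php
// Added example. A serialized string carries its byte length, e.g. s:23:"http://yourname.com/new";
// a plain str_replace changes the text but not the length, and WordPress then fails to
// unserialize the option, which is how widgets "disappear" after a careless migration.

// Replace $old with $new inside strings, arrays and serialized strings, at any depth.
function replace_url_deep($value, string $old, string $new)
{
    if (is_string($value)) {
        // Serialized data nested in a string: unserialize, recurse, serialize again.
        // allowed_classes => false prevents object instantiation from stored data.
        $inner = @unserialize($value, ['allowed_classes' => false]);
        if ($inner !== false || $value === 'b:0;') {
            return serialize(replace_url_deep($inner, $old, $new));
        }
        return str_replace($old, $new, $value);
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = replace_url_deep($v, $old, $new);
        }
    }
    // Objects (rare in WordPress options) are returned untouched here.
    return $value;
}

// Constructed sample: a text widget as stored in wp_options, plus the move from
// the staging subdirectory to the live domain over HTTPS.
$old = 'http://yourname.com/new';
$new = 'https://yourname.com';
$stored = serialize([
    2 => [
        'title' => 'Welcome',
        'text'  => 'See <a href="http://yourname.com/new/about-us/">about us</a>',
        'image' => 'http://yourname.com/new/wp-content/uploads/logo.png',
    ],
]);

$naive = str_replace($old, $new, $stored);
$safe  = replace_url_deep($stored, $old, $new);

var_dump(@unserialize($naive) === false); // true: the length prefixes no longer match
print_r(unserialize($safe));              // both URLs now start with https://yourname.com/
```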
9. Switched Themes? Resize Your Images
Many themes use images sized specifically for their design. When an image is uploaded, WordPress generates a copy of it that is specially cropped and resized for the active theme. Images uploaded before switching to your current theme may not have the best sizes generated.
You can re-upload specific images or install the Regenerate Thumbnails plugin. After doing so, go to Tools > Regen. Thumbnails to resize all images in one shot.
That’s All Folks
Or is it?
Please post a comment with your thoughts on what every WordPress site owner should do before considering their work done.
37 Comments
Great list! Another free back up option is the Duplicator plugin. It is primarily designed to migrate or clone sites but is a great back up option too!
Thank you for sharing about Duplicator. I can see it certainly must be one of the best-rated WordPress plugins: http://wordpress.org/plugins/duplicator/
It’s great that there are so many backup solutions available for WordPress.
Duplicator is the only plugin I use now for backups and migrations, so easy to use.
Another vote for Duplicator. I might have to check this one out. I’m tempted to recommend it based on the huge number of positive reviews but their page recommends beginner users not use it.
Duplicator is fairly easy to use for backing up your website. You can create your backup in a matter of minutes by simply installing it and clicking a button. However, yes, it does require above average technical knowledge to migrate your website. It’s the most amazing free tool I’ve ever used. :)
Thanks for sharing your experience with Duplicator.
I seem to want to keep stuff ‘in house’ these days by using jetpack for more and more. Mostly because [a] It should all work smoothly since it’s from the same folks and [b] I don’t have to worry about a whole bunch of different plugins for all those little details.
Plus the stats package is good enough for what I want to know.
KISS as they say!
Thank you for sharing your essential plugin.
It is nice to deal with only one plugin but I don’t think Jetpack includes spam protection, login security, update notifications or SEO. If you want these things then you’ll probably need to install a few other plugins.
My thought is that Limit Login Attempts should be built into WordPress itself. Some of the other things would make fine additions to Jetpack.
Agree that LLA is invaluable, if a little scary; I turned off the notification emails after a while but not before making sure I had a bulletproof password!
I stuck with the all in one SEO even after folks seem to drift over to Yoasts plugin, I couldn’t face the changeover.
Re the spam, didn’t you find that akismet handled it all? It never misses a trick for my little blog!
Akismet and Antispam Bee seem to work as well as one another. I prefer Antispam Bee because it doesn’t require a connection to WordPress.com and it is always free (Akismet is free for personal use only).
They’re definitely both very effective though so it’s a matter of preference. It’s actually amazing how well they work.
Antispam Bee is the clear winner if you’re in a country with stricter privacy laws. You can’t just send comments to a 3rd party site for a spam check in those cases, you’ll have to handle them locally.
LLA or something like it as a part of WP? Sure, sign me up. One guy (his bot, rather) has been trying to crack our login for 5 days straight now – good luck I say :-)
Note that JetPack isn’t “in house” in terms of WordPress itself. JetPack is maintained by Automattic, which is a separate, commercial entity, that runs the wordpress.com hosted blogging service.
Thank you, Chip. There is definitely some confusion out there in regard to Automattic and WordPress.
I’ll not go on about trademark usage or Akismet being packaged with WordPress right now. ;)
True about Jetpack, but it’d be really embarrassing for a few folks if it didn’t play nicely with WordPress now wouldn’t it?
Stellar tips, Steven!
Thank you, Eric!
It is mind-boggling how many bots are trying to get in, it’s like those scenes in the Matrix movies where they’re trying to tunnel into the ship!
Fortunately the hundreds of attempts a day on my blog that LLA logs are trying ‘admin’ so are never going to get anywhere.
I was so shocked, I started out posting their IP addresses on https://www.projecthoneypot.org/, but it just got to the point where life is too short and all that. It did prompt me to add a ‘pot’ to my own site though.
That’s another good tip: change the admin username.
http://www.digitalkonline.com/blog/change-your-wordpress-admin-username/
My thinking is that with Limit Login Attempts and a strong password, this shouldn’t be necessary, but it’s still definitely something worth doing. I believe I read somewhere that future versions of WordPress will not let the admin username be used.
I’d say that it’s a good idea to:
* Disable all plugins only used during development (such as regenerate thumbnails, post type switcher or whatever it may be).
* Disable all debug settings if they’ve been set to true. Personally I always set up a debug and a custom debug function which writes to debug.log in wp-content.
Excellent tips, especially the second one for developers. That’s easy to forget. I prefer to write to debug.log too.
Hi. Appreciate the post. In section #5, why would you not select all four of the Discussion options?
Ryan
Funny that after submitting my comment, “Your comment is awaiting moderation.” pops up. :)
Yep, on this blog “Comment must be manually approved” is unchecked like in the screenshot. That option makes no difference when “Comment author must have a previously approved comment” is checked. It could probably be checked with the same result.
Excellent tips. Thank you Steven.
My question is why would you disable plugins and disable debug settings (if set to true)?
And where can I read more about setting up a debug and a custom debug function that rewrites to the debug log in wp?
You guys went over my head with that one ;)
I’m currently assisting a local church with their new website and I found this theme on google, along with this post. Great timing as I was hoping to see it in action rather than in a demo.
Hi Shane,
Jonathan’s tips were coming from the perspective of somebody who develops WordPress themes/plugins. Some plugins are typically only used by theme or plugin developers and so they don’t need to be active on a live site.
On a related note, it’s considered a security best practice to delete plugins that are not used. That’s useful advice for any user.
WordPress can display errors useful to theme and plugin developers on screen and/or in a log file. If you’re working with code, this is useful. There are details here: https://codex.wordpress.org/Debugging_in_WordPress
The vast majority of users simply install WordPress and a theme and never touch code though, since they’re using something that’s ready to go out of the box, such as our themes.
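A wp-config.php fragment, added here as an example of the debug settings discussed in this thread (not code from the post or from the Codex page): the same constants that make a development site chatty must be off on the live site, where the default wp-content/debug.log sits inside the web root and can expose file paths and queries to anyone who requests it. The WP_ENV variable, the log path and the helper name are assumptions.

```php
<?php
// wp-config.php fragment (added example). Assumption: the WP_ENV environment
// variable is set to "development" only on the developer's machine.
$is_dev = (getenv('WP_ENV') === 'development');

if ($is_dev) {
    define('WP_DEBUG', true);
    // WP_DEBUG_LOG accepts a file path since WordPress 5.1; keep the log outside
    // the web root rather than at the default wp-content/debug.log.
    define('WP_DEBUG_LOG', '/var/log/wordpress/debug.log'); // assumed writable by PHP
    define('WP_DEBUG_DISPLAY', false); // log it, never print it into the page
} else {
    // Live site: what "disable all debug settings" means in practice.
    define('WP_DEBUG', false);
    define('WP_DEBUG_LOG', false);
    define('WP_DEBUG_DISPLAY', false);
}
// WordPress only forces display_errors off in some contexts when WP_DEBUG is
// false, so switch it off here as well in case php.ini has it on.
@ini_set('display_errors', 0);

// A custom debug helper in the spirit of the comment above: silent unless WP_DEBUG is on.
function my_debug($label, $data) {
    if (!defined('WP_DEBUG') || !WP_DEBUG) {
        return;
    }
    // error_log() writes to the WP_DEBUG_LOG file once WordPress has applied the settings.
    error_log($label . ': ' . print_r($data, true));
}
```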
Steven,
Thanks for clarifying that. I’m one of the latter you mentioned who prefer your ready out of the box style themes… I have a coder that works with me but I don’t code myself. That’s why I was lost. And I definitely agree about deleting unused plugins. We learned that lesson long ago. Well back to work for this guy. Thanks again Steven.
Yep, this is an out of the box solution. No coding required, but the great thing is for people who do want to code up something custom, they can. That’s the beauty of open source software and more specifically with WordPress, child theming.
Let us know if you have any other questions!
Great post, Steven. We do create our site on a test site, then move it to the client’s domain. It’s very important to check all of the links to make sure they work. Time consuming, yes a little, but so essential.
Thanks for sharing:-)
That’s the moment of joy, completing the final checks. Launched! :)
Awesome Steven! Thanks for putting this ‘checklist’ with the appropriate solutions/plugins to take care of the concern together for us. It’s really very handy. Also, thanks for the AMAZING theme Resurrect and this new one Exodus. (I love Risen too). I am soon to set up a few websites for some churches and I am definitely looking to use a few of your themes to build the sites. Keep up the great work! :)
Hi Shane,
I’m glad you found it useful. Thank you for considering us for your church site projects.
I’m a Vaultpress person for backups. Also think everyone should add their site to Google Webmaster Tools as well as Google Analytics. Delete all plugins and themes not being used. Using Total Cache for speed is always a good idea and a search plugin like Relevanssi so you know what people are looking for on your site.
Thank you for the extra tips, Paul.
We use Relevanssi for our guides search. It’s a fantastic plugin, and free.
W3 Total Cache is a great plugin for an intermediate or advanced user who is willing to spend a few hours learning and experimenting. Otherwise I say skip caching if the site already loads at a comfortable pace. It requires complex configuration based on many factors (server environment, theme, plugins). When done wrong, things break and/or there is no significant performance gain.
I wonder if there is a more simplistic performance plugin suited to beginners, though.
I always prefer Akismet WordPress Plugin for preventing Spam comments. I love to suggest my clients to install Akismet and most of the time I install this plugin to my client’s site. And so far it works like a charm!
Another thing I would like to add on this post is – Never allow search engines to crawl your site if your site is not fully developed. Publish at least 5 posts, fix all the permalink issues, fix your design alignments, use nofollow attributes to tag and category pages if needed and then open your site for Search Engines.
Thanks for sharing, Shamim.