"I highly recommend..."
— Brad Vos What They Say

Nine Things You Should Do After Building Your WordPress Site

WordPress Site To Do List

You heard about WordPress and how great it is for building just about any type of website. You picked a great theme to make your site look the way you want and installed a few plugins to make it do the things you need. Finally, you added your content and launched the site. All done, right?

Not so fast.

Give attention to the following essentials before you consider your WordPress site complete. They don’t take much time but are often overlooked.

Did You Do These Things?

  1. Secure Your Login
  2. Configure Backups
  3. Prepare for Updates
  4. Enable HTTPS/SSL
  5. Check Your Settings
  6. Prevent Comment Spam
  7. Welcome Search Engines
  8. Moved Your Site? Update Your URLs
  9. Switched Themes? Resize Your Images

1. Secure Your Login

Automation is being used all day and all night to guess passwords for millions of login forms on the Internet. This is called cracking. Accounts using simple passwords such as dictionary words are cracked first.

Use a different strong password for every online account you have. Google provides some handy tips. Solutions like 1Password and LastPass can help by generating and remembering a complex password for each of your accounts. All you have to do is memorize one master password.

Also install the Loginizer WordPress plugin (or if you’re using Jetpack, enable the Protect module). It is very effective at blocking automated password cracking attempts on your login form. Wordfence does the same thing (and more).

Be sure you have an SSL certificate installed as well to ensure your password cannot be snooped on when logging in.

2. Configure Backups

The importance of making regular backups cannot be overstated. You want to be able to restore a backup if ever the need arises. Here are some plugins that help.

  • UpdraftPlus – Our favorite backup plugin with optional paid add-ons.
  • VaultPress – We have used this service and found it to be solid.
  • BackupBuddy – A very popular paid backup plugin from iThemes.

It never hurts to have two backups. Your web host may have a backup feature in their control panel. If it does not run automatically, mark your calendar to log in and periodically generate and download a backup of your entire website.

Recommended: Best Backup WordPress Plugins According to 21 Pros

3. Prepare for Updates

WordPress, theme and plugin updates include new features and bug fixes. Bug fixes are important and if they are related to security, they are essential. Always run the latest versions. It only takes a few clicks.

WordPress shows available updates on your dashboard and updates itself behind the scenes when security updates are available. Major releases and updates for themes and plugins require action on your part. You can install the WP Updates Notifier plugin to receive emails. Also mark your calendar to log in periodically to check for available updates.

WordPress Updates

4. Enable HTTPS/SSL

Every website should use an SSL certificate to enable https://. This causes all passwords, user data, payment details, form submissions and so on to be encrypted. It also keeps Google from penalizing your website in their search results and from warning users about your website in the Chrome browser. WordPress now recommends HTTPS for all sites.

More and more hosts are offering free, automatically installed SSL certificates. After installing a certificate, you will also need to setup some URL redirections and replacements. Read HTTPS for WordPress: Auto-enable SSL for Free for more on this topic.

See our Security Guide for more on the topic of securing your website.

5. Check Your Settings

General Settings

Go to Settings > General and make sure the settings are as you want them. Most default settings are fine but you will want to be sure the Tagline and Timezone are appropriate.

Enable Pretty Permalinks

Your WordPress URL’s will look like one of the two below. The first is greatly preferred because it is more human (and search engine) friendly.



Go to Settings > Permalinks and choose anything but “Plain” (formerly called “Default”). A common choice is “Post name”. Nearly all web hosts support mod_rewrite which is required for “Pretty Permalinks”. Read Using Permalinks for more information.

WordPress Pretty Permalinks

6. Prevent Comment Spam

If you have comments enabled for any of your posts or pages, you can expect to receive spam submissions. I recommend this one-two punch for knocking spam out of your site.

  1. Go to Settings > Discussion and configure these options:Comment Spam Settings
  2. Install the Antispam Bee plugin (use default configuration)

New comments will be checked for signs of being spam and either marked as spam or placed into a moderation queue. You will receive an email when a new comment requires moderation in order for you to confirm that it is not spam. After a user has had one comment approved, they’re considered trusted and will no longer require moderation.

Read How To Prevent Spam in WordPress for more information.

7. Welcome Search Engines

Go to Settings > Reading and look for Search Engine Visibility. Make sure “Discourage search engines from indexing this site” is not checked. It shouldn’t be, but better safe than sorry.

Search Engines Setting

The search engine optimization plugin WordPress SEO by Yoast is worth installing even if you only use the default settings. WP Kube recently asked 40 experts what their favorite plugins are and this one came out on top. That’s saying a lot because there are about 30,000 WordPress plugins available.

Users of our themes can see our Search Engine Optimization guide for more.

8. Moved Your Site? Update Your URLs

Did you move your website from one location to another in order to set it live? Many people build a website on their computer or in a subdirectory like yourname.com/new then move it to yourname.com to go live.

WordPress stores full URL’s for things like links and images in content, menus, custom fields and so on. Check to see that they are not still pointing to your temporary site. If so, run the Velvet Blues Update URLs plugin (make a backup first). Currently this plugin does not update widgets so check those manually.

9. Switched Themes? Resize Your Images

Many themes use images sized specifically for their design. When an image is uploaded, WordPress generates a copy of it that is specially cropped and resized for the active theme. Images uploaded before switching to your current theme may not have the best sizes generated.

You can re-upload specific images or install the Regenerate Thumbnails plugin. After doing so, go to Tools Regen. Thumbnails to resize all images in one shot.

That’s All Folks

Or is it?

Please post a comment with your thoughts on what every WordPress site owner should do before considering their work done.


  1. Great list! Another free back up option is the Duplicator plugin. It is primarily designed to migrate or clone sites but is a great back up option too!

      • Another vote for Duplicator. I might have to check this one out. I’m tempted to recommend it based on the huge number of positive reviews but their page recommends beginner users not use it.

        • Duplicator is fairly easy to use for backing up your website. You can create your backup in a matter of minutes by simply installing it and clicking a button. However, yes, it does require above average technical knowledge to migrate your website. It’s such an amazing free tool i’ve ever used. :)

  2. I seem to want to keep stuff ‘in house’ these days by using jetpack for more and more. Mostly because [a] It should all work smoothly since it’s from the same folks and [b] I don’t have to worry about a whole bunch of different plugins for all those little details.

    Plus the stats package is good enough for what I want to know.

    KISS as they say!

    • Thank you for sharing your essential plugin.

      It is nice to deal with only one plugin but I don’t think Jetpack includes spam protection, login security, update notifications or SEO. If you want these things then you’ll probably need to install a few other plugins.

      My thought is that Limit Login Attempts should be built into WordPress itself. Some of the other things would make fine additions to Jetpack.

      • Agree that LLA is invaluable, if a little scary; I turned off the notification emails after a while but not before making sure I had a bulletproof password!

        I stuck with the all in one SEO even after folks seem to drift over to Yoasts plugin, I couldn’t face the changeover.

        Re the spam, didn’t you find that akismet handled it all? It never misses s trick for my little blog!

        • Akismet and Antispam Bee seem to work as well as one another. I prefer Antispam Bee because it doesn’t require a connection to WordPress.com and it is always free (Akismet is free for personal use only).

          They’re definitely both very effective though so it’s a matter of preference. It’s actually amazing how well they work.

          • Antispam Bee is the clear winner if you’re in a country with stricter privacy laws. You can’t just send comments to a 3rd party site for a spam check in those cases, you’ll have to handle them locally.
            LLA or something like it as a part of WP? Sure, sign me up. One guy (his bot, rather) has been trying to crack our login for 5 days straight now – good luck I say :-)

    • Note that JetPack isn’t “in house” in terms of WordPress itself. JetPack is maintained by Automattic, which is a separate, commercial entity, that runs the wordpress.com hosted blogging service.

      • Thank you, Chip. There is definitely some confusion out there in regard to Automattic and WordPress.

        I’ll not go on about trademark usage or Akismet being packaged with WordPress right now. ;)

  3. I’d say that it’s a good idea to:
    * Disable all plugins only used during development (such as regenerate thumbnails, post type switcher or whatever it may be).
    * Disable all debug settings if they’ve been set to true. Personally I always set up a debug and a custom debug function which writes to debug.log in wp-content.

  4. Hi. Appreciate the post. In section #5, why would you not select all four of the Discussion options?


    • Funny the after submitting my comment, that “Your comment is awaiting moderation.” pops up. : )

      • Yep, on this blog “Comment must be manually approved” is unchecked like in the screenshot. That option makes no difference when “Comment author must have a previously approved comment”. I could probably be check with the same result.

  5. Excellent tips. Thank you Steven.
    My question is why would you disable plugins and disable debug settings (if set to true)?
    And where can I read more about setting up a debug and a custom debug function that rewrites to the debug log in wp?
    You guys went over my head with that one ;)
    I’m currently assisting a local church with their new website and I found this theme on google, along with this post. Great timing as I was hoping to see it in action andrather than in a demo.

    • Hi Shane,

      Jonathan’s tips were coming from the perspective of somebody who develops WordPress themes/plugins. Some plugins are typically only used by theme or plugin developers and so they don’t need to be active on a live site.

      On a related note, it’s considered a security best practice to delete plugins that are not used. That’s useful advice for any user.

      WordPress can display errors useful to theme and plugin developers on screen and/or in a log file. If you’re working with code, this is useful. There are details here: https://codex.wordpress.org/Debugging_in_WordPress

      The vast majority of users simply install WordPress and a theme and never touch code though, since they’re using something that’s ready to go out of the box, such as our themes.

  6. Steven,

    Thanks for clarifying that. I’m one of the latter you mentioned who prefer your ready out of the box style themes… I have a coder that works with me but I don’t code myself. That’s why I was lost. And I definitely agree about deleting unused plugins. We learned that lesson long ago. Well back to work for this guy.. Thanks again Steven.

    • Yep, this is an out of the box solution. No coding required, but the great thing is for people who do want to code up something custom, they can. That’s the beauty of open source software and more specifically with WordPress, child theming.

      Let us know if you have any other questions!

  7. Great post, Steven. We do create our site on a test site, then move it to the client’s domain. It’s very important to check all of the links to make sure they work. Time consuming, yes a little, but so essential.

    Thanks for sharing:-)

  8. Awesome Steven! Thanks for putting this ‘checklist’ with the appropriate solutions/plugins to take care of the concern together for us. It’s really very handy. Also, thanks for the AMAZING theme Resurrect and this new one Exodus. (I love Risen too). I am soon to set up a few websites for some churches and I am definately looking to using a few of your themes to build the sites. Keep up the great work! :)

  9. I’m a Vaultpress person for backups. Also think everyone should add their site to Google Webmaster Tools as Google Analytics. Delete all plugins and themes not being used. Using Total Cache for speed is always a good idea and a search plugin like Relevanssi so you know what people are looking for on your site.

    • Thank you for the extra tips, Paul.

      We use Relevanssi for our guides search. It’s a fantastic plugin, and free.

      W3 Total Cache a great plugin for an intermediate or advanced user who is willing to spend a few hours learning and experimenting. Otherwise I say skip caching if the site already loads at a comfortable pace. It requires complex configuration based on many factors (server environment, theme, plugins). When done wrong, things break and/or there is no significant performance gain.

      I wonder if there is a more simplistic performance plugin suited to beginners, though.

  10. I always prefer Akismet WordPress Plugin for preventing Spam comments. I love to suggest my clients to install Akismet and most of the time i install this plugin to my client’s site….and so far it works like charm!

    Another thing i would like to add on this post is – Never allow search engines to crawl your site if your site is not fully developed. Publish at least 5 posts, fix all the permalink issues, fix your design alignments, use nofollow attributes to tag and category pages if needed and then open your site for Search Engines.

Commenting has been turned off.