This guide lists 7 things you should do after installing a new WordPress site. Some of the steps are optional, but many others are essential if you want to comply with GDPR and the Google AdSense policy, to have at least basic on-site SEO, and to manage updates more easily.
This guide links to other articles that will help you learn the WordPress content management system. Many of the steps refer to third-party sites where you can find more information on a particular topic.
After you have finished this guide, you will have an easy-to-maintain, SEO-optimized website that complies with GDPR and the Google AdSense policy.
1. Setup domain
To avoid a Google penalty for duplicate content, you should set up your domain properly. According to Matt Cutts' blog, it is necessary to redirect the non-www host to the www host or vice versa, so that every page is reachable under exactly one address. It is a good idea to check which of the two hosts has more links indexed: if www has more links, redirect non-www to www; otherwise I suggest the opposite (www to non-www). Check your web server's documentation for how to do it.
Do not forget to redirect the non-https version to https, too!
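The redirects described above, as an added example that is not part of the original article: a small shell script that emits the nginx configuration for a site whose canonical address is `https://www.<domain>/`. Everything except the canonical host is answered with a permanent (301) redirect, so search engines only ever see one version of each URL. nginx, the certificate paths and the document root are assumptions (placeholders); if the non-www host is the one with more indexed links, swap the roles of the two https server blocks.

```shell
#!/bin/sh
# Added example (not from the original article): emit an nginx configuration that
# sends every non-canonical host/scheme to https://www.<domain>/ with a 301 redirect.
# Assumptions: nginx, www is the canonical host, certificate and root paths are
# placeholders.

canonical_redirect_conf() {
    domain="$1"                      # e.g. example.com (constructed example)
    canonical="www.${domain}"
    cat <<EOF
# http://${domain} and http://${canonical} -> https://${canonical}
server {
    listen 80;
    listen [::]:80;
    server_name ${domain} ${canonical};
    return 301 https://${canonical}\$request_uri;
}

# https://${domain} -> https://${canonical} (the certificate must cover both names)
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;     # placeholder path
    return 301 https://${canonical}\$request_uri;
}

# The only server block that actually serves WordPress
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${canonical};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;     # placeholder path
    root /var/www/${domain};         # placeholder document root
    index index.php;
    # ... the usual WordPress location / fastcgi blocks go here ...
}
EOF
}

# Sanity check on the generated text: exactly two server blocks must redirect to the
# canonical host (port 80 and the bare https host); the serving block must not.
count_redirects() {
    canonical_redirect_conf "$1" | grep -cF "return 301 https://www.$1\$request_uri"
}

# Live check once the config is deployed: prints "<status> <Location>" for a URL.
# Every non-canonical variant should print "301 https://www.<domain>/<path>".
check_redirect() {
    curl -sS -o /dev/null -w '%{http_code} %{redirect_url}\n' "$1"
}
```

Usage: `canonical_redirect_conf example.com > /etc/nginx/sites-available/example.com`, run `nginx -t`, reload, then `check_redirect http://example.com/` and `check_redirect https://example.com/` should both report a 301 to the www host.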
2. Harden the admin panel against brute-force attacks
If you check your server access logs, you will notice an enormous number of requests to /wp-login.php. Most of them come from bots trying to brute-force the login form. There is a pretty easy and elegant way to blunt these attacks: add HTTP Basic Authentication in front of the /wp-login.php URL. A bot now has to get through two logins instead of one, and most will fail at the first, because most bots are not written to expect HTTP Basic Authentication. Optionally, you can add an IP restriction, too.
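One way to implement this on nginx, as an added example that is not part of the original article: a shell script that generates the `location` block guarding `/wp-login.php` with Basic Authentication (and an optional IP allow-list, commented out), plus a helper that produces an htpasswd line in the apr1 scheme nginx accepts. The htpasswd path and the PHP-FPM socket are assumptions (placeholders); the IP range is the documentation range 203.0.113.0/24, also a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): HTTP Basic Authentication in front of
# /wp-login.php on nginx. Assumptions: nginx with PHP-FPM on the socket below
# (placeholder) and an htpasswd file at the path below (our choice).

HTPASSWD_FILE=/etc/nginx/wp-login.htpasswd   # assumed location, outside the web root

# Produce one "user:hash" line for the htpasswd file. apr1 (MD5-crypt) is the scheme
# every nginx build understands; it is generated here with openssl(1).
htpasswd_line() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# The nginx location block: a second login in front of WordPress's own form. The
# request must still be handed to PHP after the challenge succeeds, otherwise nginx
# would serve wp-login.php as a plain file.
wp_login_auth_conf() {
    cat <<EOF
location = /wp-login.php {
    auth_basic "WordPress admin";
    auth_basic_user_file ${HTPASSWD_FILE};

    # Optional: additionally restrict by source address (uncomment and adapt)
    # allow 203.0.113.0/24;   # placeholder for your office/VPN range
    # deny  all;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
}
EOF
}

# Live check once deployed: an unauthenticated request to the login page must now be
# answered with 401 (the Basic Auth challenge) instead of 200 (the WordPress form).
check_login_guard() {
    curl -sS -o /dev/null -w '%{http_code}\n' "https://$1/wp-login.php"
}
```

Usage: `htpasswd_line admin 'a-long-passphrase' >> /etc/nginx/wp-login.htpasswd`, paste the output of `wp_login_auth_conf` into the site's server block, run `nginx -t` and reload; `check_login_guard www.example.com` should print `401`. Basic Authentication only base64-encodes the credentials, so this only makes sense on the https-only setup from step 1, and the Basic Auth password should not be the same as the WordPress admin password.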
3. Install plugins
This step is not absolutely necessary, but in my experience you will most likely need most, if not all, of the plugins I recommend below, because almost nobody uses vanilla WordPress. Nowadays SEO is essential to be properly indexed by Google, and social media are the most used channel for driving targeted traffic to your site, so you need plugins for both.
- Classic Editor – enables the WordPress classic editor and the old-style Edit Post screen with TinyMCE, meta boxes, etc. If you have trouble running Gutenberg, this plugin is a life saver.
- Code Snippets – an easy, clean and simple way to add code snippets to your site. The best thing is that you never need to edit your theme's functions.php file again, and your changes persist even if you change the theme you use.
- Conditional CAPTCHA – a plugin that serves a CAPTCHA to new commenters, or when Akismet thinks their comment is spam. All other commenters never see a CAPTCHA. You need to obtain reCAPTCHA v2 API keys in order to use it; it is really easy, you just need to log in with your Google credentials on the reCAPTCHA site.
- Google XML Sitemaps – this plugin improves SEO using sitemaps for best indexation by search engines like Google, Bing, Yahoo, and others.
- Share Buttons by AddThis – the official AddThis plugin that allows you to easily configure and place different social media buttons and widgets. It is free and provides nice usage stats.
- WP Post Signature – this plugin allows you to append a signature after every post. Some variables can be used, such as %post_title%, %post_link%, %bloginfo_name%, %bloginfo_url%, and so on. It supports multiple users.
- WP Updates Notifier – the easiest way to be notified by email when a plugin, a theme or the WordPress core gets a new version. It will help you keep the site up to date and so reduce the chance of being hacked.
4. Disable the pseudo cron jobs
Long story short: WordPress does not use the Linux crontab but its own pseudo cron implementation, which works right after installation and needs no server configuration. On page requests to your website it sends an HTTP request to wp-cron.php, which executes the scheduled events of the core and of plugins: this is how scheduled posts get published, update checks run and pingbacks are sent, for example. The huge problem is that this pseudo cron relies on visitors: somebody has to hit the site at the right moment in order for the tasks scheduled for that moment to run. There is even a website dedicated to this problem, https://wp-cron.org/. Check it out for more detailed information on how to migrate to a real, reliable cron job.
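The migration described above, as an added example that is not part of the original article or of wp-cron.org: a shell script that (1) adds `define('DISABLE_WP_CRON', true);` to `wp-config.php` exactly once, so WordPress stops firing wp-cron.php on page loads, and (2) produces the crontab entry that takes over, running the due events every five minutes. It assumes WP-CLI is installed as `wp` (the path `/usr/local/bin/wp` and the web server user `www-data` are placeholders); a curl-based variant is given for installs without WP-CLI.

```shell
#!/bin/sh
# Added example (not from the original article): replace the visitor-triggered pseudo
# cron with a system cron job. Assumptions: WP-CLI at /usr/local/bin/wp, the web server
# user is www-data, the WordPress install directory is passed as the argument.

# 1. Tell WordPress to stop spawning wp-cron.php on page loads. Idempotent: the define
#    is inserted once, before the "That's all, stop editing!" marker that every
#    wp-config.php carries (appended at the end if the marker is missing).
disable_wp_cron() {
    cfg="$1/wp-config.php"
    line="define('DISABLE_WP_CRON', true);"
    if grep -q "DISABLE_WP_CRON" "$cfg"; then
        return 0
    fi
    awk -v line="$line" '
        /That.s all, stop editing/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# 2. The crontab entry that replaces it: every 5 minutes, run whatever is due.
#    "wp cron event run --due-now" executes exactly what wp-cron.php would have.
cron_entry() {
    printf '*/5 * * * * cd %s && /usr/local/bin/wp cron event run --due-now >/dev/null 2>&1\n' "$1"
}

# Alternative when WP-CLI is not available: request wp-cron.php over HTTPS instead.
cron_entry_curl() {
    printf '*/5 * * * * curl -fsS https://%s/wp-cron.php?doing_wp_cron >/dev/null 2>&1\n' "$1"
}

# Install the entry into the web server user's crontab, keeping existing entries.
# Needs root; only run this on the real host.
install_cron() {
    { crontab -u www-data -l 2>/dev/null; cron_entry "$1"; } | crontab -u www-data -
}
```

Usage on the host: `disable_wp_cron /var/www/example.com && install_cron /var/www/example.com`. Running the cron job as the web server user keeps file ownership of anything the scheduled tasks write (updates, caches) consistent with the rest of the install.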
5. Basic on-site SEO
Search Engine Optimization (SEO) is so essential for a successful blog that you just can't skip it. There are plenty of articles on the topic, so I will not go into details here. I will only mention the most important (and easy to do) steps to ensure basic on-site optimization.
- robots.txt – make sure the Settings -> Reading -> Search Engine Visibility checkbox is unticked. Otherwise, WordPress generates a robots.txt that discourages search engines from indexing the blog.
- Register the site in Google Webmaster Tools (a.k.a. Google Search Console) in order to receive updates related to SEO, indexing and security. You can even submit your sitemap and check for errors.
- Use a plugin to generate a sitemap; it speeds up the discovery of new or changed pages by search engines.
- Sign up for Google Analytics, really. Yes, there are some cool FOSS alternatives such as Piwik (now Matomo) and Open Web Analytics, but they have one big issue: they do not provide search keyword statistics.
6. Install WP-CLI
WP-CLI is the command-line interface for WordPress. You can update plugins, configure multisite installs and much more without using a web browser, right from the terminal. You can use it to auto-update the core, plugins and themes, automate the deployment process, or perform repetitive tasks across multiple WP installations. Try it and you will love it!