Congratulations! You just picked a host, got WordPress installed, and can’t wait to start blogging!  Stop and pause for a quick minute to make sure your WordPress installation is configured properly and reasonably secure.  Going through this guide should only take a few minutes, but do it all in one sitting so you don’t miss any of the critical steps.

This isn’t meant to be a complete primer on how to lock down your blog.  Rather, it is a checklist of things to do (and some pitfalls to avoid) when configuring a fresh install.

General Rules:

  • Don’t install a plugin to do anything that WordPress can do natively
  • Don’t install anything you don’t need
  • Uninstall anything you no longer need
  • If you (or your team) didn’t install it, uninstall it right away.
  • Run a scanner that checks your site for malware and for core, plugin and theme files that have been modified (this guide uses Wordfence, see step 13)

Checklist for success:

  1. Check your usernames!
    Make sure you don’t have ‘admin’ as a username, or any other login an attacker would guess first (for example ‘administrator’, ‘root’, ‘test’, or the name of your site). If you do, change it right now. WordPress won’t let you rename a user from the dashboard, so create a new administrator account, log in as that account, delete the old one, and when prompted attribute its posts to the new user.
  2. Disable the “Anyone can register” feature
    Odds are you don’t need or want anyone to be able to register, and open registration only increases spam and hacking attempts. In Settings > General, uncheck “Anyone can register” and leave “New User Default Role” at Subscriber.
  3. Update WordPress
    Run the manual updater to make sure there is nothing to install.  You’d be amazed how many times I see hosts deploy an outdated version of WordPress.
  4. Set the time zone in WordPress.
    Tip 1: Setting the time zone to a UTC offset does not take daylight saving time into account, so your time will be off for half of the year. Select a city instead.
    Tip 2: Type the name of a city instead of scrolling through that never-ending list.  With the dropdown focused, hit “N” and New York will pop up instantly.
  5. Uninstall any plugins that you’re not using.
    If your WordPress installation came with a bunch of stuff you don’t recognize or don’t know how to use, disable it for the time being.  If you need it, it’s there for you, but be sure to delete it later: a deactivated plugin’s files are still on disk and can still be reached directly, so deactivating only removes it from your pages, not from your attack surface.  If you’re definitely planning on using that super-duper must-have plugin that was packaged with your WordPress installation, go check the reviews for it.  If it hasn’t been updated recently, delete it.  If it has bad reviews, delete it.  If it’s incompatible with your exact version of WordPress, delete it.  If it only has a few downloads or reviews, there is probably a reason…
  6. Uninstall any themes you’re not using.
    The one exception to this is the default theme that ships with WordPress (Twenty Fourteen at the time of writing). Keep this one so that you can switch over to a basic theme if you ever need to troubleshoot something in your installation.  Basically you don’t want any old code lying around that could be used to exploit your site; an inactive theme can still be loaded by its file path.
  7. Install a few select plugins
    Now is the time to install a few basic plugins to help you with your maintenance and security.  This is probably the most overlooked step of this guide!  See my list of plugins that every WordPress site should have installed for the list and get to installing them ASAP.
  8. Set all of the other basic settings for WordPress
    Be sure to set a title and description even if your theme displays a graphic instead of the text, because the text is often used for Section 508 compatibility, search engine optimization, responsive designs, and a whole bunch of other things.
  9. Install and configure your theme, get your site up and running, get ready to blog!
    This isn’t meant to be a how-to on getting your site configured, so you’re on your own here…
  10. Update WordPress
    Manually run the updater to check for any updates.
  11. Upload a favicon…
    … or you’re probably going to be displaying the logo for your hosting company…
  12. Delete all of those disabled plugins
  13. Run a Wordfence manual scan…
    …to confirm that your core, plugin and theme files still match the originals and that nothing you installed along the way introduced something that could cause issues later.
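Most of the checklist above can be verified from the command line. The following script is an added example (not code from the original post) that runs the username, registration, time zone, update and leftover-plugin checks against a live site using WP-CLI, which the post does not mention but is the standard command-line tool for WordPress. The `wp` commands it calls exist in current WP-CLI; the file name `wp-audit.sh` and the list of risky usernames are assumptions, and the check functions read their input from stdin so they can be exercised on captured output without a live site.

```shell
#!/bin/sh
# Post-install audit of a fresh WordPress site with WP-CLI (https://wp-cli.org/).
# Added example, not the article's own code. Assumes `wp` is on PATH and that
# the script runs from the WordPress root (or with --path=...). The check_*
# functions read stdin, so they also work on output captured earlier.

# Usernames attackers try first (constructed list; add your site name, etc.).
RISKY_USERS="admin administrator root test user webmaster wordpress"

# One username per line on stdin. Prints each risky one; returns 1 if any found.
check_usernames() {
    found=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        for bad in $RISKY_USERS; do
            if [ "$lower" = "$bad" ]; then
                echo "RISKY USERNAME: $name"
                found=1
            fi
        done
    done
    return $found
}

# Value of the timezone_string option on stdin. WordPress stores an empty
# string when a manual UTC offset was chosen (the offset lives in gmt_offset),
# and that setting ignores daylight saving time. Returns 0 only for a named zone.
check_timezone() {
    tz=""
    read -r tz || :
    if [ -z "$tz" ]; then
        echo "TIMEZONE: manual UTC offset in use; pick a city such as America/New_York"
        return 1
    fi
    echo "TIMEZONE: $tz"
    return 0
}

# Value of the users_can_register option on stdin ("0" or "1").
check_registration() {
    reg=""
    read -r reg || :
    if [ "$reg" != "0" ]; then
        echo "REGISTRATION: 'Anyone can register' is on; run: wp option update users_can_register 0"
        return 1
    fi
    return 0
}

# Runs every check against the live site. Only invoked when the script is
# called as `sh wp-audit.sh audit` (hypothetical file name).
audit_site() {
    problems=0
    wp user list --field=user_login   | check_usernames    || problems=$((problems + 1))
    wp option get timezone_string     | check_timezone     || problems=$((problems + 1))
    wp option get users_can_register  | check_registration || problems=$((problems + 1))

    echo "--- core update status ---"
    wp core check-update
    echo "--- core files that differ from the official release ---"
    wp core verify-checksums || problems=$((problems + 1))

    echo "--- inactive plugins and themes still on disk (delete, don't just deactivate) ---"
    wp plugin list --status=inactive --field=name
    wp theme list --status=inactive --field=name

    echo "$problems problem(s) found"
    [ "$problems" -eq 0 ]
}

if [ "${1:-}" = "audit" ]; then
    audit_site
fi
```

Run it from the WordPress directory with `sh wp-audit.sh audit`; a non-zero exit means at least one check failed. Note that WP-CLI no more renames users than the dashboard does, so a flagged login still has to be replaced by creating a fresh administrator and deleting the old account with its content reassigned.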

Now you can start cranking on the content authoring!  Happy blogging!