Over the years, I have set up hundreds of WordPress installations. But every time I do that, I have to look around for guides and tips for making WordPress usable and secure. That takes up a lot of my time, and repeating this step is always a pain in the butt.
This article is for documenting the things that I do after the initial WordPress setup. I’m writing this to keep tabs on the things I do. In future, when I set up a WordPress website, I’ll use this guide to quickly do the initial setup, which would otherwise take hours of searching and messing with stuff.
- 1 Add a basic robots.txt
- 2 Canonical robots.txt
- 3 Canonical Sitemap.xml
- 4 Enable Automatic updates for WordPress Core and Plugins
- 5 Disable Server Signature
- 6 Stop People from Browsing your server directories
- 7 Disable external access to wp-config.php
- 8 Block access to readme.html
- 9 Disable File Editing in the wp-admin Panel
- 10 Disable Logging of PHP Errors
- 11 Enable GZIP Compression for your website components
- 12 Add Expires Header to your website’s static components
- 13 Remove Query Strings
- 14 Redirect to HTTPS
- 15 Disable HTML in the comments section
- 16 Adjust Auto-save intervals
- 17 Stop WordPress from Guessing URLs
- 18 Disable Login Hints
- 19 Update WordPress Secret Keys
- 20 Remove WordPress Version
Add a basic robots.txt
The robots.txt file should be present in the root directory of your WordPress installation. This file lets search engines know what to index and what not to index. Depending on what kind of content you have, you may want to modify this file. But not having a robots.txt at all isn’t something you should do. Here’s a basic version that I use for most sites that I set up.
You can learn some best practices from Google’s Robots.txt Specifications.
Canonical robots.txt
By convention, the robots.txt should be in the root directory of your website. Most bots follow this convention. This isn’t, however, a universal rule followed by everyone. Some badly coded bots and scripts will scan your whole website to locate the robots.txt file. You can avoid this by telling every bot where your robots.txt is: add the following code to the .htaccess file.
Canonical Sitemap.xml
In the same way, you can set up a canonical URL for your website’s Sitemap.xml. Add this code to your .htaccess file.
Enable Automatic updates for WordPress Core and Plugins
There is no point in worrying about security if you are running an outdated version of WordPress or plugins on your website. You can always try updating them manually, but that’s not always possible. You can automate this process by editing the wp-config.php and adding the following code to it.
You can add all three of these snippets to enable automatic updates for everything. Be warned, though. If some update breaks your site, you’ll have a hard time knowing which one did the deed.
Disable Server Signature
Whenever your server encounters an error, it reveals the full server signature to the user. For security reasons, you don’t want that visible to anyone. To disable it, add the following code to your .htaccess.
Stop People from Browsing your server directories
Some servers allow anyone to view the files present in them. This can cause a lot of issues with security because they can see what stuff you have there. To stop that, add the following line to your .htaccess file.
Disable external access to wp-config.php
No one except you should be able to access wp-config.php. This file stores your authentication keys. It also stores the salts for these keys, so if someone can read them, it is a massive security hole. Disable access to your wp-config.php file by adding the following directives to your .htaccess file.
Block access to readme.html
A lot of WordPress blogs don’t block access to their readme.html file. Though not a big issue, it exposes your WordPress version to the public. You don’t want that.
Disable File Editing in the wp-admin Panel
If someone gets access to your wp-admin panel, they can mess around with your stuff, most certainly with the code in your .htaccess and robots.txt files. Some plugins also allow editing files from wp-admin without logging into your cPanel. You don’t want that. Add the following code snippet to the wp-config.php file to disable file editing.
Disable Logging of PHP Errors
You shouldn’t publicly display PHP errors on your website. Disable them by adding the following directive to your .htaccess file.
Enable GZIP Compression for your website components
The Internet is becoming fatter. That’s not okay. There’s no excuse when you can use GZIP on your site to compress web pages before they reach your readers. Small page size means decreased load times and better user experience. Add this to your .htaccess to enable GZIP compression.
Add Expires Header to your website’s static components
Don’t copy and paste this exact snippet to your .htaccess though. Adjust the values according to the kind of content you are serving. Use Expires Headers carefully.
Remove Query Strings
If you use a one-click WordPress installer, you’ll see that there is a .htaccess file already present in the directory of your installation. It will have some directives already defined. To remove the query strings from your URLs, add the following code between the RewriteBase / and
Redirect to HTTPS
If you want to use HTTPS on your website (you probably should), add the following lines to your .htaccess. Put them between the RewriteBase / and
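The .htaccess items above (canonical robots.txt and sitemap.xml, server signature, directory listings, wp-config.php and readme.html, PHP error display, GZIP, Expires headers and the HTTPS redirect), together with the basic robots.txt from the first section, collected into one POSIX shell provisioning script. This is an added example, not the article's own snippets, written as a script because the whole point of the article is repeating the same setup on many installs. It assumes Apache 2.4 with AllowOverride All and the mod_rewrite, mod_deflate and mod_expires modules; the Apache directives are real, while the marker comments, the function names and the example.com host are this example's own. It does not cover the "Remove Query Strings" item.

```shell
#!/bin/sh
# Added example, not the article's snippets: writes the Apache-side hardening
# into a WordPress docroot. Assumes Apache 2.4 with AllowOverride All and the
# mod_rewrite, mod_deflate and mod_expires modules; the marker comments and
# function names are this example's own.
set -eu

# The directives themselves. Emitting them from one function keeps the
# .htaccess edit below idempotent.
htaccess_hardening_rules() {
  cat <<'EOF'
# BEGIN wp-hardening
# Hide the version/OS line Apache appends to its own error pages
# (ServerTokens cannot be set here; it is server-config only).
ServerSignature Off

# No auto-generated directory listings.
Options -Indexes

# Never serve wp-config.php (secrets) or readme.html (WordPress version).
# Apache 2.2 would need "Order allow,deny" / "Deny from all" instead.
<FilesMatch "^(wp-config\.php|readme\.html)$">
  Require all denied
</FilesMatch>

# Only honoured under mod_php; PHP-FPM reads the .user.ini written below.
<IfModule mod_php.c>
  php_flag display_errors Off
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine On
  # Force HTTPS. Behind a TLS-terminating proxy or CDN, test
  # %{HTTP:X-Forwarded-Proto} instead of %{HTTPS}.
  RewriteCond %{HTTPS} !=on
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  # Canonical robots.txt / sitemap.xml: a request for them under any other
  # path is redirected to the copy in the web root.
  RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
  RewriteCond %{REQUEST_URI} /robots\.txt$ [NC]
  RewriteRule . /robots.txt [R=301,L]
  RewriteCond %{REQUEST_URI} !^/sitemap\.xml$ [NC]
  RewriteCond %{REQUEST_URI} /sitemap\.xml$ [NC]
  RewriteRule . /sitemap.xml [R=301,L]
</IfModule>

# GZIP for text-like responses only; images are already compressed.
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml application/javascript application/json image/svg+xml
</IfModule>

# Expires headers: long for static assets, none for HTML.
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType text/html "access plus 0 seconds"
  ExpiresByType text/css "access plus 1 month"
  ExpiresByType application/javascript "access plus 1 month"
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
</IfModule>
# END wp-hardening
EOF
}

# Prepend the rules to DOCROOT/.htaccess so they run before WordPress's own
# "# BEGIN WordPress" block, whose [L] rewrite to index.php would otherwise
# win first; an earlier wp-hardening block is replaced, not duplicated.
write_htaccess_hardening() {
  docroot=$1
  target="$docroot/.htaccess"
  tmp="$target.tmp.$$"
  htaccess_hardening_rules > "$tmp"
  if [ -f "$target" ]; then
    sed '/^# BEGIN wp-hardening$/,/^# END wp-hardening$/d' "$target" >> "$tmp"
  fi
  mv "$tmp" "$target"
  # PHP-FPM / CGI ignore php_flag; .user.ini is their per-directory equivalent.
  grep -qs '^display_errors' "$docroot/.user.ini" \
    || printf 'display_errors = Off\n' >> "$docroot/.user.ini"
}

# Basic robots.txt: keep crawlers out of wp-admin but allow the admin-ajax
# endpoint that many themes call from public pages. SITE_URL is the canonical
# origin, e.g. https://example.com (no trailing slash).
write_robots_txt() {
  docroot=$1
  site_url=$2
  cat > "$docroot/robots.txt" <<EOF
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Sitemap: ${site_url}/sitemap.xml
EOF
}

# Usage: sh harden-apache.sh /var/www/html https://example.com
if [ "$#" -eq 2 ]; then
  write_robots_txt "$1" "$2"
  write_htaccess_hardening "$1"
fi
```

Three things to keep in mind when running it: the rules are prepended rather than appended because the WordPress rewrite block ends in an [L] rule that would otherwise take over before the HTTPS redirect runs; robots.txt is a public file, so it is a place to keep crawlers out of wp-admin, not a place to list directories you would rather nobody knew about; and GZIP applies to HTML as well, so if you later add content that reflects user input next to secrets in the same page, reconsider compressing text/html (the BREACH class of attacks).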
Disable HTML in the comments section
There is no need for people to put HTML in their comments unless your blog specifically caters to that kind of audience. For most people, disabling HTML will be the best option. Add the following code to the functions.php of your WordPress theme.
Adjust Auto-save intervals
By default, WordPress auto-saves your posts every minute to avoid loss of your data. If you think that’s too frequent or not frequent enough, you can adjust this value. Add the following code to your wp-config.php and adjust the number to your liking.
Stop WordPress from Guessing URLs
Add the following line of code to your theme’s functions.php.
Disable Login Hints
You don’t want your hacker buddies to get access to your blog by brute forcing their way in. When you enter a wrong username or password, or a wrong combination of the two, WordPress tells you whether it was the username or the password that was wrong. You should disable that. Add this code to the functions.php file.
Update WordPress Secret Keys
Your WordPress installation’s security keys are there to prevent unauthorized access to your blog. You can update these keys to be more secure. Go to this page and copy the keys. Now, open the wp-config.php file from your WordPress installation and replace them one by one.
After doing that, all existing session cookies will expire, so anyone logged into your website will be logged out.
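The wp-config.php items above (automatic core updates, disabling the file editor, not displaying PHP errors, the auto-save interval, and rotating the secret keys) as one POSIX shell script. This is an added example, not the article's code. Instead of pasting keys from the WordPress.org generator it draws them from the local kernel CSPRNG, which is equivalent for this purpose; the constants WP_AUTO_UPDATE_CORE, DISALLOW_FILE_EDIT, AUTOSAVE_INTERVAL and WP_DEBUG_DISPLAY are real WordPress constants, while the function names, the marker comments and the 5-minute autosave value are this example's choices. Plugin and theme auto-updates are filters rather than constants and cannot be registered from wp-config.php (add_filter() is not loaded yet at that point), so they are not part of this script.

```shell
#!/bin/sh
# Added example, not the article's code: applies the wp-config.php settings
# from the sections above and rotates the secret keys/salts with locally
# generated random values. The WordPress constants are real; the function
# names, marker comments and the 5-minute autosave value are this example's.
set -eu

WP_SALT_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

wp_config_hardening_block() {
  cat <<'EOF'
/* BEGIN wp-hardening */
define( 'WP_AUTO_UPDATE_CORE', true );  // minor and major core releases
define( 'DISALLOW_FILE_EDIT', true );   // no theme/plugin editor in wp-admin
define( 'AUTOSAVE_INTERVAL', 300 );     // seconds between autosaves (default 60)
define( 'WP_DEBUG_DISPLAY', false );    // only consulted while WP_DEBUG is on...
@ini_set( 'display_errors', 0 );        // ...so also tell PHP directly
/* END wp-hardening */
EOF
}

# 64 hex characters (256 bits) from the kernel CSPRNG. Hex contains nothing
# that is special to sed or to a single-quoted PHP string.
random_hex64() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Replace the value in every define( 'KEY', '...' ) line of CONFIG. A key
# that is missing is reported rather than silently skipped.
rotate_wp_salts() {
  config=$1
  for key in $WP_SALT_KEYS; do
    if ! grep -q "define( *'$key'," "$config"; then
      echo "warning: $key not found in $config" >&2
      continue
    fi
    new=$(random_hex64)
    sed "s|^\([[:space:]]*define( *'$key', *\)'[^']*'|\1'$new'|" "$config" \
      > "$config.tmp.$$"
    mv "$config.tmp.$$" "$config"
  done
}

# Insert the constants just before the "stop editing" line every stock
# wp-config.php carries (they must precede wp-settings.php), replacing an
# earlier wp-hardening block, then rotate the salts.
harden_wp_config() {
  config=$1
  if ! grep -q 'stop editing' "$config"; then
    echo "error: no 'stop editing' line in $config" >&2
    return 1
  fi
  wp_config_hardening_block > "$config.block.$$"
  sed '/^\/\* BEGIN wp-hardening \*\/$/,/^\/\* END wp-hardening \*\/$/d' "$config" \
    > "$config.tmp.$$"
  awk -v bf="$config.block.$$" '
    /stop editing/ && !inserted {
      while ((getline line < bf) > 0) print line
      inserted = 1
    }
    { print }' "$config.tmp.$$" > "$config"
  rm -f "$config.tmp.$$" "$config.block.$$"
  rotate_wp_salts "$config"
}

# Usage: sh harden-wp-config.sh /var/www/html/wp-config.php
if [ "$#" -eq 1 ]; then
  harden_wp_config "$1"
fi
```

Every run rotates the salts, so every run logs all users out; that is the intended effect after a suspected compromise, but on a routine re-run of the script you may want to call only the insertion half. The WP_DEBUG_DISPLAY constant is only read by WordPress while WP_DEBUG is on, which is why the explicit ini_set() line sits next to it.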
Remove WordPress Version
It’s unnecessary and potentially a security risk to show your WordPress installation version to the whole world. You can disable the display of WordPress version from everywhere by adding the following code to the functions.php of your theme.
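The functions.php items above (no HTML in comments, no URL guessing, no login hints, no version string) plus the plugin and theme auto-update filters, as an added example that is not the article's code. It installs them as a must-use plugin under wp-content/mu-plugins rather than in the theme's functions.php, so that a theme update cannot silently remove them. The hook and filter names are real WordPress ones (do_redirect_guess_404_permalink needs WordPress 5.5 or newer); the "wph_" prefix, the file name and the login message text are this example's choices.

```shell
#!/bin/sh
# Added example, not the article's snippets: the functions.php items from the
# sections above, installed as a must-use plugin so a theme update cannot wipe
# them. Hook and filter names are real WordPress ones
# (do_redirect_guess_404_permalink needs WordPress 5.5 or newer); the "wph_"
# prefix and the file name are this example's choices.
set -eu

site_hardening_plugin() {
  cat <<'EOF'
<?php
/**
 * Plugin Name: Site hardening (added example)
 */
defined( 'ABSPATH' ) || exit;

// Auto-update plugins and themes. Core is handled by WP_AUTO_UPDATE_CORE in
// wp-config.php; add_filter() does not exist yet when that file runs.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Comments: escape HTML on the way in, so tags show up as text, never markup.
add_filter( 'pre_comment_content', 'esc_html' );

// A 404 stays a 404: do not redirect to the nearest matching slug.
add_filter( 'do_redirect_guess_404_permalink', '__return_false' );

// One generic login failure message; no hint which half was wrong.
add_filter( 'login_errors', function () {
    return 'Login failed. Please check your credentials.';
} );

// Remove the generator tag from <head>, feeds and RSD output...
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// ...and the core version that rides along as ?ver= on scripts and styles.
// Only the exact core version is stripped, so plugin and theme assets keep
// their own cache-busting query string.
function wph_strip_core_ver( $src ) {
    global $wp_version;
    if ( preg_match( '/[?&]ver=' . preg_quote( $wp_version, '/' ) . '(&|$)/', $src ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'wph_strip_core_ver', 9999 );
add_filter( 'script_loader_src', 'wph_strip_core_ver', 9999 );
EOF
}

# Write the plugin into wp-content/mu-plugins, which WordPress loads
# unconditionally, and lint it when a php binary is available.
install_site_hardening() {
  docroot=$1
  dir="$docroot/wp-content/mu-plugins"
  mkdir -p "$dir"
  site_hardening_plugin > "$dir/site-hardening.php"
  if command -v php >/dev/null 2>&1; then
    php -l "$dir/site-hardening.php" >/dev/null
  fi
}

# Usage: sh install-site-hardening.sh /var/www/html
if [ "$#" -eq 1 ]; then
  install_site_hardening "$1"
fi
```

Two caveats worth knowing before relying on this: the login message is only one of the places that reveal whether a username exists (author archives and the REST users endpoint do too), so treat the generic message as polish and put rate limiting or lockout on wp-login.php for the actual brute-force defence; and the version strip only hides the core version from the HTML, readme.html and the generator tag are handled on the Apache side, so the two halves belong together.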
I guess this should be enough.