Last updated: 6 June 2021

There are lots of things to do after you install WordPress: adding content and installing plugins and themes alone is likely to be a big job. This article talks about some other things you might want to do. It is not a “10 things to do after installing WordPress” guide; there are already plenty of good guides like that (we quite like WordPress Beginner’s guide). Instead, this article covers some of the things you might overlook.

Enable URL rewriting (pretty URLs)

When you first install WordPress it doesn’t use pretty URLs. For instance, the URL of the standard “Hello world!” post is example.com/?p=1. The part after the question mark is a so-called query string, made up of key-value pairs. In this case it tells WordPress to show post number 1 (p=1).

You probably want to use pretty URLs so that the URL is something like example.com/hello-world. You can enable this via Settings » Permalinks. There are various predefined options, and you can also use a custom setting. For instance, you can easily add the year and month to your URLs. In that case the URL to the dummy post would be example.com/2021/01/hello-world.

Image: enabling pretty URLs via Settings » Permalinks in the WordPress dashboard.

When you enable pretty URLs WordPress adds a block of rules to your website’s .htaccess file (this assumes Apache, which is what cPanel uses). The default block looks as follows:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Requests for index.php itself are passed through unchanged
RewriteRule ^index\.php$ - [L]
# Anything that is not an existing file or directory is handed to index.php,
# which then resolves the pretty URL to a post or page
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

WordPress regenerates everything between the BEGIN and END markers whenever you save the permalink settings, so any rules of your own must go outside those markers or they will be overwritten.

Get an SSL certificate

Now is also a good time to get an SSL certificate for your website so that it can be served over HTTPS. This is good for security: traffic between visitors and your website, including the password you type into the login page, is encrypted and cannot be read or altered along the way. It is also good for search engine optimisation (SEO), as search engines such as Google prefer websites that use HTTPS. We offer a full range of SSL certificates, including free Let’s Encrypt SSL certificates.

Once the certificate has been installed you can change the WordPress URLs via Settings » General. Both the WordPress Address (URL) and the Site Address (URL) need the protocol changed, that is, http replaced by https. Double-check the spelling before you save: a wrong value here makes the dashboard unreachable until it is corrected in wp-config.php or the database.

Image: the WordPress Address and Site Address fields under Settings » General.

Add a force redirect

WordPress uses these URLs for the links it generates itself. For instance, the link to our dummy “Hello World!” post will now use HTTPS. However, a visitor who follows an old link to http://example.com rather than https://example.com is not automatically redirected to HTTPS. To make sure that all traffic is served over HTTPS you can add a redirect rule to the top of your .htaccess file, above the # BEGIN WordPress block. One caveat: if TLS is terminated in front of your server (a CDN or proxy that talks plain HTTP to the origin), %{HTTPS} is “off” for every request that reaches Apache and the rules below redirect forever; in that set-up the condition has to test the X-Forwarded-Proto header instead.

The following rules strip the ‘www’ subdomain (if present) and send the visitor to the HTTPS address with a permanent (301) redirect, so browsers and search engines remember the new location:

RewriteEngine On
# Redirect if the request came in over plain HTTP ...
RewriteCond %{HTTPS} off [OR]
# ... or if the host name starts with www.
RewriteCond %{HTTP_HOST} ^www\. [NC]
# Capture the host name without any www. prefix as %1
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
# Permanent redirect, keeping path and query string (NE: do not re-escape)
RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]

And if you want your website address to always include the ‘www’ subdomain then you can use the below rule instead:

RewriteEngine On
# Redirect if the request came in over plain HTTP ...
RewriteCond %{HTTPS} off [OR]
# ... or if the host name does not start with www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
# Capture the host name without any www. prefix as %1
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
# Permanent redirect to the www host, keeping path and query string
RewriteRule ^ https://www.%1%{REQUEST_URI} [L,NE,R=301]
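Once the rule is in place, check it from outside rather than trusting your browser, which caches redirects. The following is an added example, not code from the original article: a POSIX shell function that inspects the headers curl returns for a request and confirms it is a single 301 to the HTTPS address with the path and query string intact, and that catches the redirect-to-itself loop you get when TLS is terminated in front of the server. It assumes the first (non-www) variant above and the article’s placeholder host example.com; the sample responses are constructed, not captured from a live server.

```shell
#!/bin/sh
# Added example, not part of the original article: check that a request is
# answered with a single permanent redirect to the HTTPS (and, for the first
# rule above, non-www) version of the same URL. example.com is the article's
# placeholder host; the responses below are constructed.

# Verify one raw response header block (the output of `curl -sI <url>`).
# Arguments: headers, the URL that was requested, the Location expected.
# Returns 0 when the redirect is a 301/308 to exactly the expected URL.
check_redirect() {
    headers=$1 requested=$2 expected=$3
    # Strip CRs; the status code is the second word of the status line.
    status=$(printf '%s\n' "$headers" | tr -d '\r' | head -n 1 | awk '{ print $2 }')
    location=$(printf '%s\n' "$headers" | tr -d '\r' |
        awk 'tolower($1) == "location:" { print $2; exit }')
    case "$status" in
        301|308) ;;   # permanent redirects only; 302/307 would not be remembered
        *) echo "FAIL $requested: expected 301, got ${status:-no status}"; return 1 ;;
    esac
    case "$location" in
        https://*) ;;
        "") echo "FAIL $requested: no Location header"; return 1 ;;
        *) echo "FAIL $requested: Location is not https: $location"; return 1 ;;
    esac
    # Location equal to the requested URL means a loop: this is what you get
    # when TLS terminates at a proxy and %{HTTPS} is still "off" at the origin.
    if [ "$location" = "$requested" ]; then
        echo "FAIL $requested: redirects to itself"; return 1
    fi
    if [ "$location" != "$expected" ]; then
        echo "FAIL $requested: expected $expected, got $location"; return 1
    fi
    echo "OK $requested -> $location"
}

# Live probe (needs network access; not used by the sample run below):
# probe_redirect http://www.example.com/hello-world/ https://example.com/hello-world/
probe_redirect() {
    check_redirect "$(curl -sI "$1")" "$1" "$2"
}

# Constructed responses standing in for real server output.
GOOD_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://example.com/hello-world/?p=1
Content-Length: 0'
LOOP_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://example.com/hello-world/'
NO_REDIRECT_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8'

check_redirect "$GOOD_HEADERS" "http://www.example.com/hello-world/?p=1" \
    "https://example.com/hello-world/?p=1"
check_redirect "$LOOP_HEADERS" "https://example.com/hello-world/" \
    "https://example.com/hello-world/" || true
```

Run probe_redirect against several URLs: the bare domain, a www URL and a deep post URL with a query string. Then request an already-HTTPS URL directly; it must answer 200, not another 301, because a 301 back to the same address is the proxy loop described above.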

Check update settings

Both the core WordPress installation and any plugins and themes that are installed receive regular updates. Any available updates are prominently displayed in the WordPress dashboard, and you can apply updates in a few clicks.

By default, WordPress automatically installs minor releases (for instance from 5.7 to 5.7.2). These are the most common type of core update: they are maintenance and security releases that fix bugs and close security holes, and they do not add features. Major releases (from 5.6 to 5.7, say) are different and usually come with lots of changes. For instance, WordPress 5.0 introduced the new “block editor”. By default these have to be applied manually via the WordPress dashboard, although since WordPress 5.6 the Dashboard » Updates page offers a switch to install them automatically as well.

Changing update settings via Softaculous

If you installed WordPress via Softaculous then you can manage the update settings via Softaculous. Simply access Softaculous via the cPanel control panel; locate your WordPress install and click the Edit button to make changes to the set-up.

Image: You can change the update settings for your WordPress site via Softaculous.

As a bonus tip, on this page you can also disable update notification emails. Softaculous sends emails when updates are available or applied, which can result in a fairly steady stream of emails. If you have no need for these emails then you can disable the notification by ticking the box.

Changing update settings via the wp-config.php file

Alternatively, you can define if and how WordPress should apply automatic core updates by setting the WP_AUTO_UPDATE_CORE constant in the wp-config.php file, above the line that reads /* That's all, stop editing! Happy publishing. */ (constants set below that line have no effect). If you only want to get minor updates automatically, which is the default, then add this line (note that the value is a quoted string):

define( 'WP_AUTO_UPDATE_CORE', 'minor' );

To get both minor and major updates you can instead set the value to true:

define( 'WP_AUTO_UPDATE_CORE', true );

And if you prefer to always apply updates manually then you can set the value to false:

define( 'WP_AUTO_UPDATE_CORE', false );

Whichever value you choose, automatic updates only work if PHP can write to the WordPress files, and the separate AUTOMATIC_UPDATER_DISABLED constant switches the updater off entirely, plugins and themes included, so check that it is not set.

Plugin and theme updates

By default, plugins and themes are not automatically updated. Since WordPress 5.5 you can switch automatic updates on per plugin via the Enable auto-updates link on the Plugins page, and per theme under Appearance » Themes. There are also plugins that manage updates for you. As at June 2021 Easy Updates Manager is the most popular choice. Whichever route you take, keep an eye on the site after updates: a bad plugin update can break a site just as a missed one can leave it exposed.

Check comment settings

Comments are enabled by default in WordPress. Anyone can leave a comment under posts, but by default a comment is held for moderation until its author has had at least one comment approved; after that, their comments are published immediately.

You can tweak comment settings via Settings » Discussion. For instance, if you don’t want people to be able to leave comments then you can untick Allow people to submit comments on new posts. It is worth noting that disabling this option doesn’t close comments on existing posts; for those, use Bulk Edit on the Posts page or the option on the same settings page to automatically close comments on posts older than a set number of days.

Image: changing comment settings via Settings » Discussion in the WordPress dashboard.

Unless you like pingbacks you probably also want to disable the first two options on the page:

  • Attempt to notify any blogs linked to from the post will send a ping to any external website you link to. If the site in question accepts such pings then the page you linked to will show that you linked to it in the comment section.
  • Allow link notifications from other blogs on new posts defines whether or not you want your website to accept pings from other sites.

Add spam protection

Out of the box, comment forms on WordPress don’t have any spam protection. If comments are allowed then it is likely that you will very quickly receive dozens or even hundreds of spam comments. These comments are typically submitted by scripts that have just one job: keep posting one comment after another.

In short, if you leave comments enabled then you need to add some spam protection. There are various WordPress plugins that can add a captcha, and a few that don’t require you to register with Google. Some other useful plugins, such as All In One WP Security & Firewall, also include the option to add spam protection to forms. I explain how to install the plugin and enable a captcha in the article about managing WordPress plugins.

Protect your account

It is worth double-checking your WordPress user settings on the Users page. If you chose the name admin, change it. WordPress does not let you rename a user from the dashboard, so create a new administrator with a different name, log in as that user and delete admin (attributing its posts to the new account when asked). Bear in mind that a username is not a secret: author archives (example.com/?author=1) and the REST API’s user listing reveal it, so this only removes the most-guessed name from attackers’ lists. A long, random password that is unique to this site matters far more, and if you can, add a two-factor authentication plugin. Attacks on the WordPress login page are relentless, and weak login credentials make your website an easy target.

Disable the WordPress cron

WordPress uses a scheduler named WP-CRON to check for updates and to perform other timed tasks, such as publishing scheduled posts. It is a very useful feature but it can cause performance issues. WP-CRON is not a real cron job: on every page load WordPress checks whether a task is due and, if so, fires an HTTP POST request back to its own wp-cron.php to run it. On a busy site that means a steady stream of extra requests, and on a quiet site scheduled tasks simply run late because nobody has loaded a page.

A real cron job runs at set times regardless of traffic. It usually makes sense to disable WP-CRON, by defining the DISABLE_WP_CRON constant as true in wp-config.php, and to set up a real cron job via cPanel that calls wp-cron.php on a schedule. There is an example of how to do that in the article about cron jobs in cPanel.
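As an added example (not code from the original article or from the cron article it refers to), the following shell functions make the two changes from a terminal: they add DISABLE_WP_CRON to wp-config.php without creating duplicates, check that it lands before wp-settings.php is loaded, and produce the crontab entry. The path /home/user/public_html, the 15-minute interval and the sample wp-config.php are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: turn WP-CRON off in
# wp-config.php and print the cron entry that replaces it. The path
# /home/user/public_html and the 15-minute interval are assumptions.

# Insert a define() into wp-config.php, above the "stop editing" marker
# (or, failing that, above the wp-settings.php include: constants set after
# that line have no effect). Re-running it does not add duplicates.
# Usage: add_wp_config_define /path/to/wp-config.php DISABLE_WP_CRON true
add_wp_config_define() {
    file=$1 name=$2 value=$3
    if grep -Eq "define\( *'$name'" "$file"; then
        echo "$name is already defined in $file"
        return 0
    fi
    tmp=$(mktemp) || return 1
    if awk -v line="define( '$name', $value );" '
            !done && (/That.s all, stop editing/ || /wp-settings\.php/) { print line; done = 1 }
            { print }
            END { exit (done ? 0 : 1) }
        ' "$file" > "$tmp"; then
        mv "$tmp" "$file" && echo "added $name to $file"
    else
        rm -f "$tmp"
        echo "no insertion point found in $file" >&2
        return 1
    fi
}

# Confirm that a constant is defined before wp-settings.php is loaded.
define_is_effective() {
    def=$(grep -nE "define\( *'$2'" "$1" | head -n 1 | cut -d: -f1)
    req=$(grep -n 'wp-settings\.php' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$def" ] && { [ -z "$req" ] || [ "$def" -lt "$req" ]; }
}

# The real cron job: run wp-cron.php every 15 minutes from the site
# directory. Paste the printed line into `crontab -e` or cPanel's Cron Jobs.
cron_entry() {
    printf '*/15 * * * * cd %s && php wp-cron.php >/dev/null 2>&1\n' "$1"
}

# Install that entry in the current user's crontab without duplicating an
# existing wp-cron.php line. Touches the live crontab, so not run below.
install_cron_entry() {
    { crontab -l 2>/dev/null | grep -vF 'wp-cron.php'; cron_entry "$1"; } | crontab -
}

# Constructed minimal wp-config.php for trying the functions out offline.
make_sample_wp_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

demo=$(mktemp -d)
make_sample_wp_config "$demo/wp-config.php"
add_wp_config_define "$demo/wp-config.php" DISABLE_WP_CRON true
add_wp_config_define "$demo/wp-config.php" DISABLE_WP_CRON true   # second run is a no-op
define_is_effective "$demo/wp-config.php" DISABLE_WP_CRON && echo "DISABLE_WP_CRON takes effect"
cron_entry /home/user/public_html
rm -r "$demo"
```

Calling wp-cron.php from the command line with php works because DISABLE_WP_CRON only stops WordPress from spawning the request on page loads; the script itself still runs when invoked directly. If php is not on cron’s PATH, use the full path to the PHP binary in the entry.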

Deny access to xmlrpc.php

Attackers typically try to compromise a WordPress website by guessing passwords through the wp-login.php and xmlrpc.php files. The former is the login page for the WordPress dashboard. The latter is the XML-RPC interface that lets other systems talk to your WordPress install: it is used by the pingbacks feature I mentioned earlier, by the WordPress apps for mobile phones and by the Jetpack plugin. It is attractive to attackers because every XML-RPC call carries a username and password, and its system.multicall method lets a single request carry hundreds of login attempts, so guessing through xmlrpc.php is much cheaper than through the login page. Its pingback.ping method has also been abused to make WordPress sites send requests to third parties as part of denial-of-service attacks.

If you don’t use pingbacks, a WordPress app or the Jetpack plugin then you can deny access to the xmlrpc.php file altogether. To do so, add the following to your .htaccess file, outside the # BEGIN/END WordPress markers. Note that Apache 2.4 and 2.2 use different access-control syntax: Require all denied is the native 2.4 form, while the older Order/Deny form only works on 2.4 if mod_access_compat is loaded. Afterwards, requesting example.com/xmlrpc.php should return 403 Forbidden:

# Deny access to xmlrpc.php
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>

You can also deny all IP addresses apart from your own, which keeps the interface usable from your own machine. This only helps if your IP address is static, and remember that Jetpack and the mobile apps connect from other addresses and would still be blocked. To do so, allow only your IP address:

# Deny access to xmlrpc.php except from one IP address
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require ip 12.34.56.78
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 12.34.56.78
  </IfModule>
</Files>

Of course, replace 12.34.56.78 with your IP address.
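To see whether this is happening to you, and to confirm that the rule works, look at the Apache access log (cPanel offers it under Metrics » Raw Access). The following is an added example, not code from the original article: two shell functions built on awk that count POST requests to wp-login.php and xmlrpc.php per client IP and break them down by response status. The log lines are constructed for the example, using RFC 5737 documentation addresses; the status codes follow WordPress’s normal behaviour, where a failed login POST returns 200 (the form is shown again) and a successful one returns 302.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise POST traffic
# to wp-login.php and xmlrpc.php per client IP from an Apache access log in
# the default "combined" format. Run it before the rule to see who is
# hammering the login endpoints and after it to confirm xmlrpc.php now
# answers 403. The log lines below are constructed, not a real capture.

# Usage: login_attack_summary [access_log ...]   (reads stdin if no file given)
# Output per IP and endpoint: "<ip> <endpoint> <requests> <status>:<count> ..."
login_attack_summary() {
    awk '
        # combined format: $1 ip, $6 "METHOD, $7 path, $9 status
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            split($7, p, "?")                  # drop any query string
            key = $1 " " p[1]
            total[key]++
            st[key, $9]++
            codes[$9] = 1
        }
        END {
            for (k in total) {
                line = k " " total[k]
                for (c in codes) if ((k, c) in st) line = line " " c ":" st[k, c]
                print line
            }
        }
    ' "$@" | sort
}

# IPs with at least N such POSTs. A wp-login.php POST that returns 200 is a
# failed login; a 302 after a run of 200s from the same address is a
# successful login that deserves a closer look.
# Usage: suspicious_ips N [access_log ...]
suspicious_ips() {
    n=$1; shift
    login_attack_summary "$@" | awk -v n="$n" '$3 >= n { print $1 }' | sort -u
}

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG='203.0.113.7 - - [06/Jun/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 423 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2021:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Jun/2021:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2961 "-" "python-requests/2.25.1"
198.51.100.9 - - [06/Jun/2021:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2961 "-" "python-requests/2.25.1"
198.51.100.9 - - [06/Jun/2021:10:01:02 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
192.0.2.5 - - [06/Jun/2021:10:02:00 +0000] "GET /hello-world/ HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
192.0.2.5 - - [06/Jun/2021:10:02:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2961 "-" "Mozilla/5.0"'

printf '%s\n' "$SAMPLE_LOG" | login_attack_summary
echo "IPs with 3 or more login POSTs:"
printf '%s\n' "$SAMPLE_LOG" | suspicious_ips 3
```

After the <Files> rule is in place, every xmlrpc.php line should show only 403 counts; if 200s keep appearing, the rule is not being applied, for instance because it was placed inside the WordPress markers and got overwritten. For wp-login.php, a 302 after a run of 200s from the same address is the pattern of a successful guess and should be investigated.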

This article is part of a mini-series about getting started with WordPress. You can also read the following articles: