A brief overview of the basic configuration I do for most WordPress websites. Listed primarily as a personal reminder.
Update, 2024:
I made a full list of important points (from domain registration to WordPress and plugin installation): WordPress website initial setup.
Table Of Contents (T.O.C.):
- E-Mail, DNS and nameservers
- Hosting account configuration
- WordPress installing and configuring
- Other services
1. E-Mail, DNS and nameservers
- Configuring nameservers to use Cloudflare DNS.
- Configuring Cloudflare account.
- Configuring a domain email account using a hosted email service.
- Configuring DNS records (additional explanation for Cloudflare DNS setup).
- Domain email connecting with a mail client (like Gmail), and email testing.
2. Hosting account configuration
- Creating a hosting account:
– DirectAdmin account creation and automated backups setup
– cPanel account creation
- Configuring the hosting account:
– SSL/TLS certificate installation
– choosing a PHP version (7.4 is best for WordPress) and configuring it
– activating basic file compression
– hotlink protection
– basic security:
Adding the following in the “.htaccess” file of the home directory:
# BEGIN GREMLIN EDITS
# minimizing SSL/TLS renewal problems: let the certificate validation
# requests under /.well-known/ through before any redirect rule touches them
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^\.well-known - [L]
</IfModule>
# directory listing protection
Options -Indexes
# response headers (guarded so the site keeps working if mod_headers is not loaded)
<IfModule mod_headers.c>
# clickjacking attack protection
Header always append X-Frame-Options SAMEORIGIN
# MIME sniffing protection
Header set X-Content-Type-Options nosniff
# XSS protection (legacy browser filter; current browsers ignore this header)
Header set X-XSS-Protection "1; mode=block"
</IfModule>
# redirections - see below
# END GREMLIN EDITS
For redirections – if the website uses www, then:
(test with R=302 first, not 301, to confirm that it works properly; replace bikegremlin.com with the correct domain)
# send everything to https://www.<domain>, keeping the requested path
RewriteEngine On
RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule (.*) https://www.bikegremlin.com%{REQUEST_URI} [L,R=301]
If the site uses a naked domain, or a subdomain (replace io.bikegremlin.com with the correct host):
# send http:// and www. requests to https://<host>, keeping the requested path
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://io.bikegremlin.com%{REQUEST_URI} [L,NE,R=301]
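One way to verify that the headers and redirects configured above actually come back from the server, as an added example that is not the author's code: it parses a raw response head (what `curl -sI <url>` prints) and checks it against the three headers set in .htaccess and the redirect rules. The sample responses and the function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Response headers the .htaccess snippet above sets, with the values expected.
EXPECTED_HEADERS = {"x-frame-options": "SAMEORIGIN",
                    "x-content-type-options": "nosniff",
                    "x-xss-protection": "1; mode=block"}

# Constructed sample responses (what `curl -sI <url>` prints), not real captures:
# a request for http://bikegremlin.com/about with the www redirect rule in place ...
SAMPLE_REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://www.bikegremlin.com/about
"""
# ... and the final page, with one of the three headers forgotten.
SAMPLE_FINAL = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
"""

def parse_response(raw):
    """Split a raw HTTP response head into (status code, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def check_security_headers(headers):
    """List every expected header that is missing or carries another value."""
    problems = []
    for name, want in EXPECTED_HEADERS.items():
        got = headers.get(name)
        if got is None:
            problems.append(f"missing {name}")
        elif got.lower() != want.lower():
            problems.append(f"{name}: got {got!r}, want {want!r}")
    return problems

def check_redirect(requested, status, headers, canonical_host):
    """Non-canonical requests must redirect (301, or 302 while testing) to the same path on https://canonical_host; canonical ones answer 200."""
    req = urlsplit(requested)
    if req.scheme == "https" and req.hostname == canonical_host:
        return status == 200
    if status not in (301, 302):
        return False
    loc = urlsplit(headers.get("location", ""))
    return loc.scheme == "https" and loc.hostname == canonical_host and loc.path == req.path
```

Run it against the head of each URL variant (http, https, with and without www) once the rules are in place; a 302 while testing and a 301 afterwards both pass the redirect check.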
3. WordPress installing and configuring
Add this to the beginning of the “wp-config.php” file (right after the opening <?php tag):
// BEGIN GREMLIN CHANGES
// clickjacking attack protection
// better have this configured in .htaccess, so this is an extra
header('X-Frame-Options: SAMEORIGIN');
// XSS protection: HttpOnly keeps scripts from reading the session cookie, Secure sends it
// over HTTPS only (WordPress core does not use PHP sessions, but some plugins do)
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);
// WP auto-update disabling
define( 'WP_AUTO_UPDATE_CORE', false );
// prolonging WP auto-save interval to 300 seconds
define( 'AUTOSAVE_INTERVAL', 300 );
// END GREMLIN CHANGES
- Install and configure WordFence security plugin.
- Secure the (WordPress) website.
- Configure WordPress to send emails using SMTP protocol.
- Install and configure The SEO Framework plugin.
- Install and configure LiteSpeed caching and optimization plugin.
- Configure Google reCAPTCHA for the website’s domain.
- Install and configure reCaptcha by BestWebSoft anti-spam plugin.
- Install GeneratePress theme, and AMP for GeneratePress, if the website will have an AMP version. For WooCommerce websites, OceanWP is a better theme choice.
- Install AMP plugin.
- Create a staging environment.
4. Other services
- Create a Google Analytics account and connect the website with Google Analytics.
- Connect the website with Google Search Console, and submit the sitemap.
- Submit the domain to Google Postmaster.
- Submit the domain with Easydmarc, and set the email reports to go there (configuring DMARC DNS record).
- Configure HetrixTools uptime monitoring (affiliate link).