
Initial WordPress configuration

A brief overview of the basic configuration I do for most WordPress websites. Listed primarily as a personal reminder.

Table Of Contents (T.O.C.):

  1. E-Mail, DNS and nameservers
  2. Hosting account configuration
  3. WordPress installing and configuring
  4. Other services

1. E-Mail, DNS and nameservers


2. Hosting account configuration

Add the following to the “.htaccess” file in the home directory:


# minimizing SSL/TLS renewal problems
# (requests under /.well-known are left untouched by the rewrite rules that follow)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^\.well-known - [L]
</IfModule>

# directory listing protection
Options -Indexes

# clickjacking attack protection
Header always append X-Frame-Options SAMEORIGIN

# MIME sniffing protection
Header set X-Content-Type-Options nosniff

# XSS protection (legacy header - current browsers ignore it)
Header set X-XSS-Protection "1; mode=block"

# redirections - see below


For redirections – if the website uses www, then:
(test with R=302, not 301, to confirm first that it works properly, and replace with the correct domain)

RewriteEngine on
RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} !^www\.
# www.example.com is a placeholder - replace with the correct domain
RewriteRule (.*) https://www.example.com%{REQUEST_URI} [L,R=301]

If the site uses a naked domain, or a subdomain:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
# example.com is a placeholder - replace with the correct domain
RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]
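
To confirm that the redirect and the headers above are really being served (the R=302 test recommended for the redirections), the output of "curl -sI" can be checked with a small script. This is an added example, not part of the original article; example.com, the function names and the sample responses are constructed placeholders.

```shell
#!/bin/sh
# Added example: check `curl -sI` output against the .htaccess settings above.
# Real use:  check_redirect "$(curl -sI http://example.com/)" "https://www.example.com/"

# Print every value of header $1 (case-insensitive) found in response text $2.
header_values() {
  printf '%s\n' "$2" | tr -d '\r' |
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
      { i = index($0, ":"); if (i == 0) next
        if (tolower(substr($0, 1, i - 1)) == want) {
          v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v } }'
}

# Succeed if response $1 is a 301/302 whose Location starts with $2.
check_redirect() {
  _status=$(printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2 }')
  _loc=$(header_values Location "$1" | head -n 1)
  case "$_status" in
    301|302) ;;
    *) echo "status $_status is not a redirect"; return 1 ;;
  esac
  case "$_loc" in
    "$2"*) return 0 ;;
    *) echo "Location '$_loc' does not start with $2"; return 1 ;;
  esac
}

# Succeed if both hardening headers are served. The value test is a substring
# match because a header set in two places can be repeated or comma-joined.
check_security_headers() {
  _rc=0
  header_values X-Frame-Options "$1" | grep -qi 'SAMEORIGIN' ||
    { echo "X-Frame-Options: SAMEORIGIN not served"; _rc=1; }
  header_values X-Content-Type-Options "$1" | grep -qi 'nosniff' ||
    { echo "X-Content-Type-Options: nosniff not served"; _rc=1; }
  return "$_rc"
}

# Constructed sample responses (not captured from a real site).
REDIRECT_RESPONSE=$(printf 'HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\n')
FINAL_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nx-frame-options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n')

check_redirect "$REDIRECT_RESPONSE" "https://www.example.com/" && echo "redirect OK"
check_security_headers "$FINAL_RESPONSE" && echo "headers OK"
```

Run curl without -L, so that each hop's response is checked on its own.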


3. WordPress installing and configuring

Install WordPress.

Add this to the beginning of the “wp-config.php” file (right after the opening <?php tag):


// clickjacking attack protection
// better have this configured in .htaccess, so this is an extra
header('X-Frame-Options: SAMEORIGIN');

// XSS protection: session cookies are hidden from JavaScript (httponly),
// sent over HTTPS only (secure), and session IDs are never taken from the URL
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);

// WP auto-update disabling (core security releases must then be installed manually)
define( 'WP_AUTO_UPDATE_CORE', false );

// prolonging WP auto-save interval to 300 seconds
define( 'AUTOSAVE_INTERVAL', 300 );



4. Other services

