Initial WordPress configuration

A brief overview of the basic configuration I do for most WordPress websites. Listed primarily as a personal reminder.
Update, 2024:
I made a full list of important points (from domain registration to WordPress and plugin installation): WordPress website initial setup.

Table Of Contents (T.O.C.):

1. E-Mail, DNS and nameservers
2. Hosting account configuration
3. WordPress installing and configuring
4. Other services

1. E-Mail, DNS and nameservers

• Configuring nameservers to use Cloudflare DNS.
• Configuring Cloudflare account.
• Configuring a domain email account using a hosted email service.
• Configuring DNS records (additional explanation for Cloudflare DNS setup).
• Domain email connecting with a mail client (like Gmail), and email testing.

– T.O.C. –

2. Hosting account configuration

• Creating a hosting account
  DirectAdmin account creation and automated backups setup
  cPanel account creation
• Configuring the hosting account
  – SSL/TLS certificate installation
  – choosing a PHP version (7.4. is best for WordPress) and configuring it
  – activating basic file compression
  – hotlink protection
  – basic security:

Adding the following in the “.htaccess” file of the home directory:

# BEGIN GREMLIN EDITS

# minimizing SSL/TLS renewal problems
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^.well-known - [L]
</IfModule>

# directory listing protection
Options -Indexes

# clickjacking attack protection
Header always append X-Frame-Options SAMEORIGIN

# MIME sniffing protection
Header set X-Content-Type-Options nosniff

# XSS protection
Header set X-XSS-Protection "1; mode=block"

# redirections - see below

# END GREMLIN EDITS

For redirections – if the website uses www, then:
(test with R=302, not 301, to confirm first that it works properly, and replace bikegremlin.com with the correct domain)

RewriteEngine on
RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.bikegremlin.com%{REQUEST_URI} [L,R=301]

If the site uses a naked domain, or a subdomain:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www. [NC]
RewriteRule ^ https://io.bikegremlin.com%{REQUEST_URI} [L,NE,R=301]

• Configure automated backups.

– T.O.C. –

3. WordPress installing and configuring

Install WordPress.

Add this to the beginning of the “wp-config.php” file:

// BEGIN GREMLIN CHANGES

// clickjacking attack protection
// better have this configured in .htaccess, so this is an extra
header('X-Frame-Options: SAMEORIGIN');

// XSS protection
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);

// WP auto-uptade disabling
define( 'WP_AUTO_UPDATE_CORE', false );

// prolonging WP auto-save interval to 300 seconds
define( 'AUTOSAVE_INTERVAL', 300 );

// END GREMLIN CHANGES

• Install and configure WordFence security plugin.
• Secure the (WordPress) website.
• Configure WordPress to send emails using SMTP protocol.
• Install and configure The SEO Framework plugin.
• Install and configure LiteSpeed caching and optimization plugin.

• Configure Google reCAPTCHA for the website’s domain.
• Install and configure reCaptcha by BestWebSoft anti-spam plugin.

• Install GeneratePress theme, and AMP for GeneratePress, if the website will have an AMP version.
  For WooCommerce websites, OceanWP is a better theme choice.
• Install AMP plugin.
• Create a staging environment.

– T.O.C. –

4. Other services

• Create a Google Analytics account connect the website with Google Analytics.
• Connect the website with Google Search Console, and submit the sitemap.
• Submit the domain to Google Postmaster.
• Submit the domain with Easydmarc, and set the email reports to go there (configuring DMARC DNS record).
• Configure HetrixTools uptime monitoring (affiliate link).

– T.O.C. –