Installing WordPress on your web hosting server is the easy part; the hard part is tweaking your WordPress installation so that you achieve your desired objectives. There are a lot of important things that you should do right after installing WordPress to ensure that your site is secured from hackers, that it is properly optimized for search engines, and so on.

So let’s get started.

Please remember that I have organized the points in decreasing order of priority: the one at the top has the highest priority and the one at the very bottom has the lowest. You can skip some of them, but following each and every point will help your website or blog in the long run.

1. Change the admin username

Make sure that the default username is not “admin”, since anyone can guess that username and use it to gain unauthorized access to your WordPress administration area. Right after installing WordPress, log in to your WordPress administration area, go to “Users” and create a new user.

Make this new user an “Administrator” and change the “admin” user to “subscriber”. Use this new user to log in to the WordPress administration area and abandon the “admin” user which comes by default.

2. Disable User registration

If you are the only author of your WordPress website and do not need other people to sign up as users or authors of your WordPress blog, disable the user registration option once and for all. To do this, log in to the WordPress administration area, go to “Settings > General” and uncheck the checkbox “Membership – Anyone can register”.

3. Schedule an Automatic database backup

Please ensure that you have scheduled an automatic database backup for your WordPress site, so that you can restore the site if something goes wrong.

I personally prefer using WP-DB manager and WP-Proking for automating database backups. Please read this article to explore different ways of backing up your WordPress database.

4. Change the Default Permalink Structure

WordPress comes with a default permalink structure which is not at all friendly for search engine optimization. Make sure you use an optimized permalink structure.


My advice is to go with the “Post name” permalink structure, since this is the most optimized one for search engine ranking and user experience.

5. Install an Anti Spam WordPress plugin

A new blog is prone to spam comments and you should not allow spammers and imposters to post fake comments on your WordPress site. Spam comments are a serious SEO threat so go ahead and install the very useful Akismet plugin for WordPress which will save your site from unnecessary spam comments.

6. Remove the admin bar

I am not a big fan of the admin bar on top of the site, which I find very annoying. Consider removing it by going to your WordPress administration area > Users > Your profile and unchecking the checkbox “Show Toolbar when viewing site”.

7. Delete Default post and comments

When you are done installing WordPress, you will see that a default “Hello world” post is published with a comment. Consider deleting this post and the comment, since it would not look professional to keep the default content on the site. You may also consider editing the post and writing an introductory post, but I would recommend deleting it and starting afresh.

To delete the default post, go to “Posts>Edit” and delete it. You can delete the default comment from “Comments” section of your WordPress administration area.

8. Turn off Post Revisions

Post revisions are a good feature that automatically saves the content of your post while you are creating or editing it. While it comes in handy to save revisions, they can also take up lots of space in your database and greatly increase its size.

If you think you will not need the post revisions feature and want to keep the database healthy, consider disabling post revisions in WordPress once and for all. To do this, add the following code to your wp-config.php file:

define( 'WP_POST_REVISIONS', false);

Alternatively, you can limit the number of revisions WordPress saves per post by adding this line instead:

define( 'WP_POST_REVISIONS', 3);

For your information, the wp-config.php file is located at the root of your WordPress installation directory. Where that is depends on the directory in which you have installed your blog or website; please read this article to learn more about WordPress installation directories.

9. Password protect important directories of your website

By default, WordPress is installed in the root of your website unless you choose a subdirectory to install it in. When this software is installed on your web server, it has two very important directories:

  • wp-admin
  • wp-includes

The wp-admin directory should be password protected to ensure it is safe and cannot be accessed by hackers who would otherwise try to gain unauthorized access into your WordPress installation. Read this article to learn how to password protect your wp-admin directory.

Important note: Please do not password protect the wp-content and wp-includes folders. Leave them as they are, since password protecting these two directories may break your site: images and other scripts may not load properly. Only password protect the wp-admin directory and leave the other two as they are.

10. Remove unused Plugins and Themes

WordPress by default installs the most recent default theme and the “Hello Dolly” plugin, which is of no use. Keeping the default theme in WordPress is not recommended, since it makes your site look the same as any default blog. Consider removing the default plugins and themes and installing a good WordPress theme from the WordPress theme gallery.

To install a new theme on your fresh WordPress site, log in to your WordPress administration area and go to “Appearance > Themes”. You can remove the default plugins by going to “Plugins > Installed Plugins”.

11. Integrate Google Analytics

It is important for you to know what is happening on your website: which pages are being viewed the most, where your visitors come from, and other statistics which will let you make better decisions for your blog or website. None of this is possible without the very awesome Google Analytics.

Please read this article on how to integrate Google Analytics in your website or blog.

12. Integrate Google Search Console

Google Search Console is a free service by Google which lets you find out how Google sees your site. It helps to get your site added to Google Search Console and take steps to optimize your site’s SEO, so that it ranks higher in search results.

This will also help you find out what problems search engines are having while trying to crawl and index your site, which you should fix to ensure search engines continue to give you the traffic you want.

Please read my article on the same – How to verify your site in Google Search Console.

13. Install the most useful WordPress Plugins

WordPress is great but it does lack some important features which a blogger would need going forward. This includes fighting comment spam, adding a contact form, doing SEO, checking broken links and other things on the site which it requires for proper functioning.

To enhance the capabilities of your website, you should install the most useful WordPress plugins and add functionality to your website or blog. In this list, I have included the bare minimum plugins which you must install on your WordPress site to add important functionality. I agree that the list of plugins will change over the course of time, but to get a head start, start with that list.

14. Setup General Settings

Although you will need to do this only once, consider setting your General settings properly within your WordPress administration area. Log in to your WordPress administration area, go to “Settings > General” and enter the following one by one:

  • Site Title – Enter the name of your site or the Title you want to display to search engines and users when they open your site’s homepage.
  • Tagline – Enter a meaningful tagline which explains the purpose of your website in a line. You can choose to ignore this option as well but some WordPress themes do display the content of the tagline in the site header.
  • WordPress address – This is the URL of your website and in 99% of the scenarios, you don’t need to touch this at all. Edit this if you know what you are doing.
  • Site Address (URL) – Enter the address here if you want your site homepage to be different from your WordPress installation directory.
  • Email address – This is the email address which will be used for administrative notifications, so set your email address carefully and only set that email which you own and not a random one.
  • Membership – If you don’t want users to sign up as new users for your website, consider unchecking this option.
  • New user default role – Choose the new user default role as “Subscriber”.
  • Timezone – You should choose a city name which is closest to your location. Setting the time zone correctly is very important since it may affect a lot of things going forward, e.g. notifications, email responses and so on.
  • Date and Time Format – Select a date and time format which you would want to use in your website for publishing dates, comment date and so on.
  • Week starts on – I chose to start the week on Monday but you can choose another day if that’s what you want. This won’t affect anything unless you choose to display posts published in a specific week in a part of your site’s template or design. 99% chance is that you won’t need to touch this setting.
  • Language – Choose the preferred language in which you want to use the site and the WordPress admin section and WordPress will change the language accordingly. Be careful though, don’t choose a language which you can’t read.

After setting up your General settings, it helps to take a screenshot of that page and save it somewhere for future reference. If something goes wrong and you want to refer to the previous settings, you can refer to that screenshot.

15. Disable the use of HTML comments in WordPress

HTML comments can sometimes break the design of your site, depending on the content of the comment posted by the commenter. Also, disabling HTML comments in WordPress will ensure that spam comments which contain a lot of HTML tags never show up on the site as bad links.

To disable the use of HTML comments, drop the following code in the functions.php file of the theme you are using (if your current theme does not have a functions.php file, you will need to create one):

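    // This will occur when the comment is posted
    function plc_comment_post( $incoming_comment ) {

        // convert everything in a comment to display literally
        // (ENT_COMPAT leaves single quotes alone on every PHP version; they are handled below)
        $incoming_comment['comment_content'] = htmlspecialchars( $incoming_comment['comment_content'], ENT_COMPAT | ENT_SUBSTITUTE );

        // the one exception is single quotes, which cannot be #039; because WordPress marks it as spam
        $incoming_comment['comment_content'] = str_replace( "'", '&apos;', $incoming_comment['comment_content'] );

        return $incoming_comment;
    }

    // This will occur before a comment is displayed
    function plc_comment_display( $comment_to_display ) {

        // Put the single quotes back in
        $comment_to_display = str_replace( '&apos;', "'", $comment_to_display );

        return $comment_to_display;
    }

    // Hook both functions into WordPress; without these lines they are never called
    add_filter( 'preprocess_comment', 'plc_comment_post', 10, 1 );
    add_filter( 'comment_text', 'plc_comment_display', 10, 1 );
    add_filter( 'comment_text_rss', 'plc_comment_display', 10, 1 );
    add_filter( 'comment_excerpt', 'plc_comment_display', 10, 1 );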

If you do not want to edit the functions.php file, you can use this plugin which will ensure all the comments on your blog are displayed in plain text without any formatting.

I am not a big fan of WordPress comments and prefer using Disqus. Read my article on how to remove WordPress’s native comments from your site and switch to Disqus.

16. Add a Robots.txt file

A Robots.txt file is a text file which is placed at the root of your website and tells search engines which parts of your site should not be crawled and shown in search results. You should set up a Robots.txt file to ensure that unnecessary files and directories are not crawled by search engines.

Typically, this is what your default robots.txt file should look like:

User-agent: *
Disallow: /?s=*
Disallow: /wp/wp-admin/
Disallow: /wp/wp-includes/

Check the robots.txt file of this site, you will see that even though I have the WordPress blog installed in a subdirectory, I have placed the robots.txt file in the root directory (public_html) folder of the website. More information on Robots.txt file can be found here.

17. Create at least two pages – an about page and a contact page.

To add some credibility to your site, you should add at least two pages – an about page and a contact page.

Having an about page projects your personality to your readers, so they will know who you are, your background, why you write on this site and so on. This will help you connect with your readers at some point in time.

A contact page allows site visitors to contact you, in case they want to be in touch with you for some reason. Often times, an advertiser will look for contact information on your site’s contact page, so it is essential you keep these two pages on your site.

18. Add A Favicon

A Favicon is that tiny little icon on the left top corner of the browser tab. A Favicon is not mandatory but it is good to have since it helps visitors identify your site among a sea of other tabs.

If you have a logo of your website or blog, you can convert that logo into a favicon. Go to the favicon generator website, upload your logo and then generate the Favicon. Once generated, download the favicon and then upload it to your website (you can upload it from your WordPress administration area under Media). Next, go to Appearance > Customize > Site Identity and upload the favicon.

This will set the favicon for your WordPress website and you will be able to see the tiny little icon next to the browser tab.

19. Remove Unnecessary Meta tags from WordPress header

By default, WordPress will add a lot of meta tags in the head section of your website. These meta tags are good but they aren’t necessary for most occasions and you can simply get rid of them to keep the source code clean.

Go to your theme’s functions.php file and add the following code:

remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'wp_generator' );
remove_action( 'wp_head', 'wp_shortlink_wp_head' );
remove_action( 'wp_head', 'feed_links', 2 );
remove_action( 'wp_head', 'feed_links_extra', 3 );
remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head' );
remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'wp_print_styles', 'print_emoji_styles' );
remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
remove_action( 'admin_print_styles', 'print_emoji_styles' );


20. Prevent Users from Browsing your Site’s Folders

There are curious eyes out there who may try to sneak into your website directories and file structure. They will do guesswork and remove certain parts of your URL to see the folder structure of your website, which is not good for you.

To prevent this behavior, add the following line to your website’s .htaccess file:

Options -Indexes

The directive is written on its own because Apache 2.4 rejects an Options line that mixes unsigned keywords such as All with +/- prefixed ones.


There are lots of other things you can do after installing WordPress on your website or blog, but these are the basic ones. Remember, what you want to do after installing WordPress depends entirely on your objectives for the site and your level of knowledge. There are webmasters and bloggers who install caching plugins and give first priority to site speed. There are bloggers who give first priority to content creation. There are bloggers who give first priority to design, typography, look, and feel.

What you give priority is totally up to you, but these are the bare minimum things you should be doing after finishing a new WordPress installation.
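The file-level items above (8, 9, 10, 16 and 20) can be checked from the installation directory. The following Python script is an added example, not part of the original article; the function names and the `SAMPLE` data are constructed for illustration, and it assumes item 9 is implemented with Apache basic auth in `wp-admin/.htaccess`.

```python
import re
from pathlib import Path

# Files behind items 8, 9, 10, 16 and 20, relative to the WordPress root.
CHECKED = ["wp-config.php", ".htaccess", "wp-admin/.htaccess",
           "robots.txt", "wp-content/plugins/hello.php"]

def load(root):
    """Read whichever checked files exist under root into {path: text}."""
    return {p: (Path(root) / p).read_text(errors="replace")
            for p in CHECKED if (Path(root) / p).is_file()}

def audit(files):
    """Return one finding per check that fails."""
    out = []
    # Item 8: revisions should be disabled or capped in wp-config.php.
    if not re.search(r"define\(\s*['\"]WP_POST_REVISIONS['\"]\s*,",
                     files.get("wp-config.php", "")):
        out.append("wp-config.php: WP_POST_REVISIONS not set")
    # Item 20: some Options line must switch Indexes off.
    opts = re.findall(r"^[ \t]*Options[ \t]+(.+)$",
                      files.get(".htaccess", ""), re.M)
    if not any("-Indexes" in o.split() for o in opts):
        out.append(".htaccess: directory listing not disabled")
    # Apache 2.4 rejects an Options line mixing +/- and bare keywords.
    out += [".htaccess: mixed Options line: " + o.strip() for o in opts
            if len({w[0] in "+-" for w in o.split()}) == 2]
    # Item 9, assumed here to be Apache basic auth: AuthType, then Require.
    adm = files.get("wp-admin/.htaccess", "")
    if not re.search(r"(?ims)^\s*AuthType\s.*^\s*Require\s", adm):
        out.append("wp-admin: no password protection found")
    # Item 10: the bundled Hello Dolly plugin is plugins/hello.php.
    if "wp-content/plugins/hello.php" in files:
        out.append("plugins: Hello Dolly still installed")
    # Item 16: robots.txt should keep crawlers out of wp-admin.
    if not re.search(r"^Disallow:\s*\S*wp-admin",
                     files.get("robots.txt", ""), re.M):
        out.append("robots.txt: wp-admin not disallowed")
    return out

# Constructed sample: a fresh install with one .htaccess line added.
SAMPLE = {
    "wp-config.php": "<?php\ndefine( 'DB_NAME', 'wp' );\n",
    ".htaccess": "Options All -Indexes\n",
    "wp-content/plugins/hello.php": "<?php // Hello Dolly\n",
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

For a real site, pass the installation directory through `load()`, for example `audit(load("/path/to/wordpress"))`, where the path is a placeholder.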