5 Common WordPress Setup Mistakes (And How to Fix Them)

Lopsided Building

Getting a WordPress site up and running is a piece of cake.

Many web hosts provide the convenience of one-click installation, which is awesome and arguably under-appreciated. It makes setting up a decent looking site possible for a wide range of people who wouldn’t otherwise go through with it.

Of course, the problem with quick installation solutions is that the setup isn’t all that thorough. After all, the installation process is designed to only meet minimum requirements. While you’ll end up with a functional WordPress site, it might not be of the best quality.

Often, the process will leave your site with setup related issues. Today, we’ll address five of the most common WordPress setup mistakes and offer simple solutions. After all, while WordPress is designed to be used out of the box, it’s important that you have an understanding of what’s included in that box, so to speak, if you want to have a clean install that prioritizes security and user experience.

1. Selecting the Wrong Subfolder

Have you ever gone to a website and noticed that the blog is installed in a subfolder (like http://www.yoursitename.com/blog/)?

This is perfectly normal and acceptable. However, you can always tell when someone is a WordPress newbie when you see this instead: http://www.yoursitename.com/blog/wordpress/.

What’s the big deal, you might be wondering? So what if there’s an extra subfolder. That’s not a major issue, right? Well, no. It’s not a major issue, but it is redundant and unnecessary. It shows that the webmaster failed to remove the contents of the WordPress installation folder and place the files into a pre-named “blog” folder. But an even simpler method is to just upload the WordPress folder as it is and rename it to “blog” or whatever else you want to call it. This might seem nit-picky, but it’s a common setup mistake that you should avoid if you want to create a clean install.

2. Failing to Modify .htaccess

Protecting your site is important for its continued success. You don’t want to build up a good following only to have the site taken down by hackers!

First thing’s first: set up folder permissions. This is straightforward and can easily be done within your web host’s control panel. Here’s a to-the-point rundown of the process. It makes it so only the folders that contain content you want the world to see will be viewable. The rest is password protected. Note: you will need an FTP client to complete this and the following steps. WordPress.org offers more information on this.

Once you’ve got that out of the way, you need to protect your WordPress configuration and login files. Let’s start with wp-config first.

You’ll need to download your .htaccess file. The .htaccess file is a configuration file that many different web servers use to override global directory configuration settings. You should find it in the root directory of your site. If you’ve installed WordPress in a subdirectory, however, the file can be found in the topmost folder where the installation resides. Open the file.

Next, paste the following text directly into the file. Don’t try to type it out yourself because you may make a typo. Copy and paste is your friend!

# protect wpconfig.php

order allow,deny
deny from all

You can save and upload the file back to your site now or make a few additional modifications to beef up site security even more. A really easy one is to disable the server signature. This hides the server version number and operating system info from prying eyes. And trust us on this: if someone is looking at this info, he or she may very well be someone trying to sneak their way into your site’s files through the backdoor. Then who knows what could happen?

To make this mod, paste this text into your .htaccess file:

# disable the server signature
ServerSignature Off

Another quick change is to disable directory browsing. This way, people trying to poke around on your site won’t be able to dig into the directories on your web host you don’t want them to see.

Here’s your quick fix for that:

# disable directory browsing
Options All -Indexes

The last step for securing your site is to protect the .htaccess file itself from prying eyes and malicious users.

Add this text before you save it and upload the file back onto your site:

# protect the htaccess file

order allow,deny
deny from all
satisfy all

3. Failing to Establish a Backup Plan

VaultPressIf you don’t have a backup plan for your WordPress site, you’re playing with fire. You need to back up all of your files, including the WordPress theme (and any modifications you’ve made to it) your images, your posts, your categories and tags, your robots file, the aforementioned .htaccess file, and the entire database itself. Failing to do this means nothing is standing in the way of you losing literally everything on your site.

You basically have two options when it comes to backing up WordPress sites: server-side backups and plugins. Server-side backups are provided by your web host. You can schedule them to happen every day. Just make sure the host uses a different server for backups than those they use to host their sites. You should also regularly download a copy of your site to your own hard drive for extra safe keeping.

A plugin is convenient but it uses PHP to connect with your server. This is exactly how most hackers would attempt to get into your site, so it’s not necessarily a safe option. All it would take is for someone to hack a plugin author’s WordPress account, add a few lines of code to the plugins, and sit back and wait for people (like you!) to download them. You could have a plugin installed on your site right now that is providing someone out there backdoor access to your info.

Even if you wanted to take your chances with a plugin-based backup system, some backup plugins store backups in the wp-content folder. So if your site goes down, the backups go down, too! Not always a reliable option.

Having said that, my backup service of choice for individual sites is VaultPress. Although it uses a plugin, the service is brought to us by the fine folks at Automattic (the guys who keep WordPress ticking) and I have no concerns about security.

If you have multiple sites then I have just one word for you: ManageWP. Yep — as part of our service we offer automatic scheduled backups for all of your sites!

4. Choosing the Wrong Theme

There are thousands of different themes to choose from but selecting a theme just because it has the most bells and whistles isn’t the best idea.

Think about the end user’s experience first and foremost. What features would make the site appealing to your target audience? What layout is the most intuitive for the type of content you’re offering? For instance, selecting a theme designed for a photography blog when all you post is text just won’t work.

Also, make sure basic elements like text color and link color are intuitive — you can’t go wrong with black and blue — and that they’re compatible with most browsers. If you throw a lot of time at theme customization, you need to make sure the site will appear as you intend.

If you’re going to buy a theme, make sure it comes with excellent documentation and support. You shouldn’t expect anything less if you’re shelling out cash. Also, finding a theme that relates to your industry in some way is often a good choice.

WooThemes are an awesome premium theme developer — this is their flagship theme, Canvas.

There are themes available that fit just about every niche so do your research before making a purchase. Check out our themes of the month post series for an awesome selection of free themes.

5. Choosing a Poor Permalink Structure

Permalinks are the, well, permanent links associated with each blog post and page on your WordPress site. They typically come after the “/” in your blog folder. The default structure is usually an ID number that does nothing to tell readers what the page they’re visiting is about and it gives search engines zilch to work with (this means say goodbye to SEO).

Instead of sticking to the default permalink structure, change it to something like “/%postname%/” or “/%category%%postname%/” Both of these give readers and search engines the information they need. Many SEO plugins offer tools to set this feature but you don’t need them for that: you can easily set the permalinks to whatever you want by going to your Dashboard and clicking Settings > Permalinks.


While you may face other issues when setting up a WordPress site, I consider these to be the most common. So the next time you opt for a quick install solution, remember that you may need to go in and manually set up a few things and make a few changes if you want your site to look, feel, and function like you’re a real pro.

Photo Credit: Håkan Dahlström

Tom Ewer

Tom Ewer is the founder of WordCandy.co. He has been a huge fan of WordPress since he first laid eyes on it, and has been writing educational and informative content for WordPress users since 2011. When he's not working, you're likely to find him outdoors somewhere – as far away from a screen as possible!


  1. ro

    If an error was made by saving certain theme color settings etc. – is it possible to roll back in time by 6 hours to get everything the way it was. And how to do that? The error is not related to a specific post but to the entire look of the front page.

    1. Tom Ewer


      Unless you have a backed up version of the site saved, I’m afraid not. If you haven’t done any backups, your hosting provider may have, so it could be worth asking them.

  2. Dare

    Hi Tom,

    You really spelt out important points and issues here. My first blog was hosted with bluehost…however, in the course of reading junks, I totally destroy the blog by tampering with the .htaccess.

    My second blog was hosted with synthesis using genesis theme and the guys did an absolute fantastic job setting it up.

    It’s always a good point to always back up your blog at regular intervals.

    Thanks for sharing.

    1. Tom Ewer


      Don’t like Bluehost, love Synthesis, so I think you’ve done the right thing Dare 🙂

  3. Kris

    If the .htaccess modification are so crucial why WordPress doesn’t include them out of the box?

    By the way, if you don’t want your WP site being iFramed by some script kiddies use the following in .htaccess:

    Header append X-Frame-Options SAMEORIGIN

    1. Tom Ewer


      Hey Kris,

      WordPress doesn’t include a lot of arguably crucial elements of functionality out of the box, because crucial is a subjective word.



  4. Netz

    Hi Tom,

    Again a great read from you. I enjoy your “tone” and the way you write. I would also get a security plugin – But backup is always good.

    1. Tom Ewer


      Thanks Netz!

  5. Anigel

    Your .htaccess edits to protect wp-config.php and htaccess files look wrong. There should normally be a file element around the order allow,deny etc so that apache knows what file you are denying access to.

    1. Tom Ewer


      You’re absolutely right Anigel, my apologies. I think the code got mangled within WordPress when I switched to WYSIWYG view. Irritating! It should be fixed now 🙂

      1. michael

        the “options all indexes” code kills my site 🙁

  6. Mark Sheldon

    Nice post 🙂
    The 6th mistake might be choosing the wrong website host that slooows everything on your site down.

    1. Tom Ewer


      A perennial problem for many of us…

  7. Bart

    Editing of your .htaccess can in many cases be done via your hosting panel (Like DirectAdmin) This is much easier than via FTP

    1. Tom Ewer


      Hey Bart,

      I think that’s a matter of opinion actually. I’d much prefer to do it via FTP — it’s quicker for me.



      1. McBart

        Hi Tom,

        Really? I tried both with ftp and in DirectAdmin. The second is way faster for me and also it’s instantaneously.

        I think it’s a good idea to give readers both option and let them decide themselves. What do you think?

        1. Tom Ewer


          I agree. I guess you thought this through in a little more detail than I did 😉

          1. McBart

            That was the reason I commented. Thanks!

        2. Shane

          Hi there,

          I use Transmit from Panic (http://panic.com/transmit/) – an awesome FTP client. You can open your .htaccess (or any file) into your specified application to edit it, then save it from that app, and Transmit uploads it right back to the site. It cuts out a few extra steps most of the time. I found this to be a solid solution for making fast changes through FTP.

          Always good to see other opinions! Cheers!

      2. Debra

        I prefer using FTP because I then have the file where I made changes on my desktop in case something goes wrong. I can then undo whatever changes I made in Editpad. I do this when I am editing the code in themes too.

        1. Bart

          True it’s essential to have a backup of the your files, before you start editing. There are many ways to do that, also when you directly edit your files on the server.

Leave a Reply

Your email address will not be published. Required fields are marked *

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!

Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!