Getting a WordPress site up and running is a piece of cake.
Many web hosts provide the convenience of one-click installation, which is awesome and arguably under-appreciated. It makes setting up a decent-looking site possible for a wide range of people who wouldn’t otherwise go through with it.
Of course, the problem with quick installation solutions is that the setup isn’t all that thorough. After all, the installation process is designed to only meet minimum requirements. While you’ll end up with a functional WordPress site, it might not be of the best quality.
Often, the process will leave your site with setup-related issues. Today, we’ll address five of the most common WordPress setup mistakes and offer simple solutions. After all, while WordPress is designed to be used out of the box, it’s important that you have an understanding of what’s included in that box, so to speak, if you want to have a clean install that prioritizes security and user experience.
1. Selecting the Wrong Subfolder
Have you ever gone to a website and noticed that the blog is installed in a subfolder (like http://www.yoursitename.com/blog/)?
This is perfectly normal and acceptable. However, you can always tell when someone is a WordPress newbie when you see this instead: http://www.yoursitename.com/blog/wordpress/.
What’s the big deal, you might be wondering? So what if there’s an extra subfolder? That’s not a major issue, right? Well, no. It’s not a major issue, but it is redundant and unnecessary. It shows that the webmaster failed to remove the contents of the WordPress installation folder and place the files into a pre-named “blog” folder. But an even simpler method is to just upload the WordPress folder as it is and rename it to “blog” or whatever else you want to call it. This might seem nit-picky, but it’s a common setup mistake that you should avoid if you want to create a clean install.
2. Failing to Modify .htaccess
Protecting your site is important for its continued success. You don’t want to build up a good following only to have the site taken down by hackers!
First things first: set up folder permissions. This is straightforward and can easily be done within your web host’s control panel. Here’s a to-the-point rundown of the process. It makes it so only the folders that contain content you want the world to see will be viewable. The rest is password protected. Note: you will need an FTP client to complete this and the following steps. WordPress.org offers more information on this.
Once you’ve got that out of the way, you need to protect your WordPress configuration and login files. Let’s start with wp-config first.
You’ll need to download your .htaccess file. The .htaccess file is a configuration file that many different web servers use to override global directory configuration settings. You should find it in the root directory of your site. If you’ve installed WordPress in a subdirectory, however, the file can be found in the topmost folder where the installation resides. Open the file.
Next, paste the following text directly into the file. Don’t try to type it out yourself because you may make a typo. Copy and paste is your friend!
    # protect wpconfig.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
You can save and upload the file back to your site now or make a few additional modifications to beef up site security even more. A really easy one is to disable the server signature. This hides the server version number and operating system info that the server otherwise prints at the bottom of the pages it generates itself, such as error pages. And trust us on this: if someone is looking at this info, he or she may very well be someone trying to sneak their way into your site’s files through the backdoor. Then who knows what could happen?
To make this mod, paste this text into your .htaccess file:
    # disable the server signature
    ServerSignature Off
Another quick change is to disable directory browsing. This way, people trying to poke around on your site won’t be able to dig into the directories on your web host you don’t want them to see.
Here’s your quick fix for that:
The last step for securing your site is to protect the .htaccess file itself from prying eyes and malicious users.
Add this text before you save it and upload the file back onto your site:
    # protect the htaccess file
    <files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </files>
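Before uploading an edited .htaccess, it is worth checking offline that the protections from this section are really in it and that no closing tag was lost while pasting. The script below is an added example, not code from the original article: the `audit` and `covers` functions, the check names and the sample file are constructed here, and the sample uses `Options -Indexes`, Apache's directive for turning off directory listings. Pattern matching is approximated with Python's `re` and `fnmatch` rather than Apache's own matcher.

```python
import fnmatch
import re

# Constructed sample: the protections this section describes, in one .htaccess.
# "Options -Indexes" is Apache's directive for switching off directory listings.
HARDENED = r"""# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>
ServerSignature Off
Options -Indexes
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
"""

BLOCK = re.compile(
    r'<files(match)?\s+(~\s*)?"?(.+?)"?\s*>(.*?)</files(?:match)?>', re.I | re.S)
# Accept the 2.2-style rule used on this page and the Apache 2.4 equivalent.
DENY = re.compile(r'^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$', re.I | re.M)
SIGNATURE = re.compile(r'^\s*ServerSignature\s+Off\s*$', re.I | re.M)
NO_INDEX = re.compile(r'^\s*Options\b[^\n]*-Indexes\b', re.I | re.M)

def covers(is_regex, pattern, filename):
    """True if a <Files> pattern applies to filename (regex or shell wildcard)."""
    if is_regex:
        return re.search(pattern, filename) is not None
    return fnmatch.fnmatchcase(filename, pattern)

def audit(htaccess_text):
    """Report which of the four protections a .htaccess file actually contains."""
    text = re.sub(r'^[ \t]*#.*$', '', htaccess_text, flags=re.M)  # drop comments
    denied = [(bool(m.group(1) or m.group(2)), m.group(3))
              for m in BLOCK.finditer(text) if DENY.search(m.group(4))]
    def blocked(name):
        return any(covers(is_re, pat, name) for is_re, pat in denied)
    return {
        "wp-config.php denied": blocked("wp-config.php"),
        ".htaccess denied": blocked(".htaccess"),
        "server signature off": bool(SIGNATURE.search(text)),
        "directory listing off": bool(NO_INDEX.search(text)),
    }

if __name__ == "__main__":
    for check, ok in audit(HARDENED).items():
        print("PASS" if ok else "MISSING", check)
```

A block pasted without its closing `</files>` line is reported as missing, since the section is malformed in that state.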
3. Failing to Establish a Backup Plan
If you don’t have a backup plan for your WordPress site, you’re playing with fire. You need to back up all of your files, including the WordPress theme (and any modifications you’ve made to it), your images, your posts, your categories and tags, your robots file, the aforementioned .htaccess file, and the entire database itself. Failing to do this means nothing is standing in the way of you losing literally everything on your site.
You basically have two options when it comes to backing up WordPress sites: server-side backups and plugins. Server-side backups are provided by your web host. You can schedule them to happen every day. Just make sure the host uses a different server for backups than those they use to host their sites. You should also regularly download a copy of your site to your own hard drive for extra safe keeping.
A plugin is convenient but it uses PHP to connect with your server. This is exactly how most hackers would attempt to get into your site, so it’s not necessarily a safe option. All it would take is for someone to hack a plugin author’s WordPress account, add a few lines of code to the plugins, and sit back and wait for people (like you!) to download them. You could have a plugin installed on your site right now that is providing someone out there backdoor access to your info.
Even if you wanted to take your chances with a plugin-based backup system, some backup plugins store backups in the wp-content folder. So if your site goes down, the backups go down, too! Not always a reliable option.
Having said that, my backup service of choice for individual sites is VaultPress. Although it uses a plugin, the service is brought to us by the fine folks at Automattic (the guys who keep WordPress ticking) and I have no concerns about security.
If you have multiple sites then I have just one word for you: ManageWP. Yep — as part of our service we offer automatic scheduled backups for all of your sites!
4. Choosing the Wrong Theme
There are thousands of different themes to choose from but selecting a theme just because it has the most bells and whistles isn’t the best idea.
Think about the end user’s experience first and foremost. What features would make the site appealing to your target audience? What layout is the most intuitive for the type of content you’re offering? For instance, selecting a theme designed for a photography blog when all you post is text just won’t work.
Also, make sure basic elements like text color and link color are intuitive — you can’t go wrong with black and blue — and that they’re compatible with most browsers. If you throw a lot of time at theme customization, you need to make sure the site will appear as you intend.
If you’re going to buy a theme, make sure it comes with excellent documentation and support. You shouldn’t expect anything less if you’re shelling out cash. Also, finding a theme that relates to your industry in some way is often a good choice.
There are themes available that fit just about every niche so do your research before making a purchase. Check out our themes of the month post series for an awesome selection of free themes.
5. Choosing a Poor Permalink Structure
Permalinks are the, well, permanent links associated with each blog post and page on your WordPress site. They typically come after the “/” in your blog folder. The default structure is usually an ID number that does nothing to tell readers what the page they’re visiting is about and it gives search engines zilch to work with (this means say goodbye to SEO).
Instead of sticking to the default permalink structure, change it to something like “/%postname%/” or “/%category%/%postname%/”. Both of these give readers and search engines the information they need. Many SEO plugins offer tools to set this feature but you don’t need them for that: you can easily set the permalinks to whatever you want by going to your Dashboard and clicking Settings > Permalinks.
While you may face other issues when setting up a WordPress site, I consider these to be the most common. So the next time you opt for a quick install solution, remember that you may need to go in and manually set up a few things and make a few changes if you want your site to look, feel, and function like you’re a real pro.
Photo Credit: Håkan Dahlström