
15 Common WordPress Blunders

Posted by on 21st May 2009 WordPress 18 comments

WordPress is a very easy to use and very efficient blogging platform. However, that doesn’t mean that it, or its users, are perfect.

There are some mistakes that even experienced WordPress admins seem to make when setting up and running a WordPress install. Some of them are due to WordPress’ default settings, others are just easy to forget and lose track of.

So, if you’re a WordPress user and want to make sure you didn’t forget anything, here’s a quick rundown of some of the most head-slappingly easy mistakes you can make.

(Note: All of the page references are from WordPress version 2.7.1 and are for self-installed WordPress blogs. Your setup may be different.)

General Settings

First, log into your admin section and visit the “General” page under the “Settings” drop down. There, look for the following items:

  • Change the Tagline: It can be easy to forget to change the tagline if you don’t use it in your theme. Still, it is important to change it because A) It may be used in metadata for your site and B) You may change your theme.
  • Check Your Email: Change your email address recently? Make sure it’s correct here. It is used for several administrative functions. You will also want to do this on your profile.
  • Disable Membership: If you do not require users to register to comment, you probably don’t have much use for this feature so it is best to disable it.
  • Check Your Timezone: Your timezone doesn’t change for daylight saving time, so it is important to check and make sure it is still accurate. A wrong timezone causes problems especially when forward posting new entries.

Writing

Next, under the settings drop down, visit the “Writing” page and check the following items:

  • Disable Remote Publishing: If you don’t use external blog editors, it is best to disable both Atom and XML-RPC publishing as they could feasibly be a security risk. If you do use such an application, be sure to keep them enabled.
  • Disable Post Via Email: Make sure that the post via email feature has bogus information unless it is a feature you actively use. You don’t want that option available as it too could be a security issue.
  • Check Update Services: Make sure that, at the very least, Pingomatic (http://rpc.pingomatic.com/) is in your Update Services box. You may wish to add additional links, such as FeedBurner (http://ping.feedburner.google.com).

Privacy Settings

Next, also under the “Settings” drop down, open the “Privacy Settings” page and check this one item:

  • Enable Blog Visibility: Make double sure that your blog is visible to the search engines. Many disable this feature when they work on their blogs but forget to re-enable it.

Permalink Settings

Also under the settings drop down, open up your “Permalink Settings” page and check the following item:

  • Use “Pretty” Permalinks: WordPress’ default permalinks are pretty ugly (/?p=xxx) and changing them is important for SEO and reader benefit. If you are not changing from the default permalink setup, use a permalink migration plugin to ensure you don’t create non-working URLs.

Users

Under the Users tab, make sure of the following items:

  • Remove “Admin” Account: Ensure that the default admin account has been removed and that the actual administrator is logging in under a different username. Leaving the default account in place can create security problems.
  • Delete Unused Accounts: Remove any accounts that you aren’t actively using. This reduces the number of ways an attacker can log in to your site.
  • Check Permissions: Also, make sure that none of the other accounts you do have has more permissions than it needs.

WP Super Cache

Finally, if you have WP Super Cache installed, visit the admin page under the settings drop down and make sure of the following things:

  • Enable Super Cache: This is an extremely easy mistake to make. Many disable Super Cache while they make changes and forget to re-enable it. Double check that it is enabled and that it is set to the highest setting practical.
  • Check Your Expiration Time: Read the information below the two expiration times (there may only be one if you are on half-on mode) and make sure your expiration time is within reason. Too long or too short may slow your site down.
  • Disable Lock Down: If you have “Lock Down” mode enabled, disable it. If you aren’t in the midst of a major traffic surge, having it on causes issues with your site, including comments not posting.
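
The core-settings checks above (General through Users) can also be run against the data WordPress stores, instead of clicking through each page. The script below is an added example, not part of the original post: it assumes the option names used in the wp_options table of a 2.7-era install, and the finding codes and the expected_admins parameter are made up for illustration.

```python
import re

# Assumed: option names as stored in wp_options on a WordPress 2.7-era install;
# finding codes and the expected_admins parameter are made up for this example.
DEFAULT_TAGLINES = {"Just another WordPress weblog", "Just another WordPress site"}
PLACEHOLDER_MAILSERVER = "mail.example.com"  # post-via-email value shipped by default

def roles_of(serialized_caps):
    """Role names set to true in a PHP-serialized wp_capabilities value."""
    return set(re.findall(r's:\d+:"([^"]+)";b:1;', serialized_caps))

def audit(options, users, expected_admins):
    """Return finding codes for the checklist items that the stored data can decide."""
    opt = options.get
    checks = [
        ("tagline-default", opt("blogdescription", "") in DEFAULT_TAGLINES),
        ("registration-open", opt("users_can_register", "0") == "1"),
        ("remote-publishing-on", "1" in (opt("enable_xmlrpc", ""), opt("enable_app", ""))),
        ("post-by-email-configured",
         opt("mailserver_url", PLACEHOLDER_MAILSERVER) != PLACEHOLDER_MAILSERVER),
        ("pingomatic-missing", "rpc.pingomatic.com" not in opt("ping_sites", "")),
        ("hidden-from-search", opt("blog_public", "1") == "0"),
        ("default-permalinks", opt("permalink_structure", "") == ""),
    ]
    findings = [code for code, failed in checks if failed]
    for user in users:
        login = user["login"]
        if login.lower() == "admin":
            findings.append("admin-username")
        # An administrator nobody signed off on has more permissions than needed.
        if "administrator" in roles_of(user["caps"]) and login not in expected_admins:
            findings.append("excess-admin:" + login)
    return findings

# Constructed sample data, not taken from a real site.
SAMPLE_OPTIONS = {
    "blogdescription": "Just another WordPress weblog", "users_can_register": "1",
    "enable_xmlrpc": "1", "enable_app": "0", "blog_public": "0",
    "mailserver_url": "mail.example.com", "permalink_structure": "",
    "ping_sites": "http://rpc.pingomatic.com/",
}
SAMPLE_USERS = [
    {"login": "admin", "caps": 'a:1:{s:13:"administrator";b:1;}'},
    {"login": "jon", "caps": 'a:1:{s:13:"administrator";b:1;}'},
    {"login": "guest", "caps": 'a:1:{s:6:"editor";b:1;}'},
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_OPTIONS, SAMPLE_USERS, expected_admins={"jon"})))
```

The timezone and unused-account items are left out because the stored values alone cannot say whether they are right; those still need a human look.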

Bottom Line

In the end, this isn’t intended to be a complete list of WordPress mistakes, much less a complete guide on securing WordPress (feel free to leave your suggestions/stories in the comments). These are just some of the easier mistakes to make that might not always be obvious when looking at your site.

It’s worth taking a few moments every once in a while to do a “reality check” to make sure your settings are in order and your house is fairly clean. After all, we all make mistakes (I’ve made a few of these myself, some repeatedly) but the key is to catch them before they become a problem.

If you can do that, you might not be a perfect administrator, but your readers might not know it.

18 comments
  • Posted by Roseli A. Bakar on 21st May 2009

    Hi Jonathan.

    Need your advice on the Check Update Services.

    Should bloggers use the default Check Update Services in wordpress or the Feedburner's PingShot ?

    What are your thoughts on this ?

  • Posted by Jen on 21st May 2009

    You know what really pisses me off? People that disable the BACK BUTTON on their sites to prevent me from returning to the page I came from, which WAS your twitter page, where I WAS going to follow you b/c I thought you had a good blog. Now I think you are scum.

  • Posted by Blog Angel a.k.a. Jo on 22nd May 2009

    Good article with lots of great tips, especially for beginners. I currently use b2evolution, but it's a struggle to use because it is not really well documented. I am seriously considering switching to wordpress, but that is also a daunting task.

  • Posted by Another Way To Earn on 22nd May 2009

    Nice post, now I'm better on WordPress……

  • Posted by Jonathan Bailey on 22nd May 2009

    Roseli: My thoughts are that it doesn't particularly matter. The default, I believe, hits more services but Pingshot has the advantage of being tied to your actual FeedBurner feed. However, both will do an adequate job. Whichever one you are using, I'd stick with it; just make sure that you are pinging the relevant services.

    Jen: First, I'm a writer at this site, not an administrator, I do not make decisions such as this one. However, I'm using Safari on the Mac and the back button works fine. I don't think this site has done anything to deliberately disable that button.

    Blog Angel: WordPress is better documented but it is a separation of degrees. It may be a daunting task but there is an import script to make it easier. http://wordpress.org/support/topic/202095

  • Posted by Melvin on 22nd May 2009

    Fortunately for me I think I have surpassed all of that. I think this is really a great and helpful post especially for those who are planning to start a wordpress blog. Most of them really aren't even aware of some of the things you have listed in there.

  • Posted by Seth W on 22nd May 2009

    I find that some easy administrative tasks are always forgotten. That is why when I set up a new blog I have a sort of checklist like your post to make sure I have taken care of the basics.

    This is a good list for getting started in this area. There are definitely more things to do based on security measures, but that is another post for another day.

  • Posted by Kevin Muldoon on 22nd May 2009

    Jen – I don't appreciate you coming here and shouting the word scum. Nevertheless, I will explain what happened. First of all, the back button is not disabled, I'm not sure why anyone would want to do that.

    When you click on a link on twitter then the page is loaded in a new tab or window (depending on how you have your browser set up). Because the page is loaded into a new window, there is no back button i.e. in that tab there was no previous page. Therefore, to get back to twitter all you have to do is either close the tab which was loaded or switch tabs to the twitter page.

    In the future I would appreciate it if you did not respond in such a manner. I don't think the authors deserve a reply like that. All we are doing is trying to make a living :)

  • Posted by TravisLusk on 22nd May 2009

    There's also the SEO plugins too. I happen to like Headspace, but All in One SEO is cool too.

    That way you can write better title tags, no-index tag and archive pages, etc.

  • Posted by Jonathan Bailey on 22nd May 2009

    Melvin: I have to admit that I thought I had too, but as I was doing this list, I realized my time zone wasn't set correctly for DST. While it's definitely a list for beginners, even the hardcore can slip up :)

    Seth: There will definitely be a longer security checklist, a lot of the security mistakes are things that people don't even know they can do (such as move their config file one directory up). So yes, I need to do a separate one but this wasn't the right venue, I agree completely. Another post, another day (week).

    Kevin: Ah, that's what happened. Honestly, I'm not even sure how one could disable the back button without somehow erasing the history. That would be a huge security hole if one could do that. There are ways to make it hard to go back, such as redirects, but not outright disable it that I know of.

    Correct me if I'm wrong…

    TravisLusk: Indeed, there could be a whole other list of SEO mistakes with WordPress. I'm feeling a series coming on…

  • Posted by Josh on 22nd May 2009

    Great stuff! My old website was one of my first to use WordPress and I wasn't savvy with much of the setup process and all the options available to me too. Bookmarking this for another reading later!

  • Posted by Jonathan Bailey on 22nd May 2009

    Josh: Glad you liked it!

  • Posted by Fatin Pauzi on 22nd May 2009

    Thanks for the tips as well as a reminder.

  • Posted by Thomas on 23rd May 2009

    Wow, pretty helpful checklist. I found some things I was missing. The blog by email feature is nice, but really ought to be turned off unless you are blogging multiple times per day. Thanks.

  • Posted by Steve on 24th May 2009

    You know what really pisses me off? People that go off half-cocked (Jen) making accusations that they haven't really thought through. I can be pissed off at people like that because I am guilty of the same thing every once in a while…it's called 'delayed intelligence syndrome'.

    At any rate, good post, I see (and am guilty of some, ha!) many of these every day.

  • Posted by Ravi on 24th May 2009

    Very nice tips for wordpress beginners, every new beginner should get a print out of here, and apply the tips before they actually try wordpress. Keep doing the mistake of helping ppl again n again, thumbs up.

    You can also consider discussing the tips on
    http://www.blogcatalog.com/group/blogging-tips-bl…

    It's all about blogging tips for profits, and for fun.

  • Posted by richard on 14th Jun 2009

    Very useful info, Thanks a lot….