Congratulations on setting up your WordPress site. What next? There are a few important things to take care of right after installing WordPress.
1. Disable XML-RPC
WordPress provides an XML-RPC (Remote Procedure Call) API, which can be used to integrate with external systems for publishing bulk content remotely.
If you are using a mobile or desktop blogging application, they would talk to your WP site using XML-RPC. The API interaction is carried out using basic auth credentials (username/password). This is not a great mode of authentication in terms of security and is prone to brute-force attacks and vulnerabilities.
Disable XML-RPC is a simple plugin that can disable RPC endpoints.
2. Setup Jetpack
Jetpack is an exceptional official plugin, which has a whole bunch of useful tools under one roof. Any new WordPress site/blog can leverage tools like CDN, Image optimization, backups, related posts, email subscriptions. This is a must-have plugin for your site.
3. Setup 2 Factor Authentication
2 Factor Authentication (2FA) has become a standard practice for login security. To ensure your WP site is secure from unauthorized access, you can add an additional layer of security to WP log in using apps like Google Authenticator, Microsoft Authenticator, Authy.
WP 2FA is a simple plugin that helps in enabling up 2FA on your WordPress login page.
4. Restrict Login attempts
WordPress sites undergo a lot of brute-force attacks, especially on the Login page. The bots will keep making multiple requests and trying to break the login. This affects the performance of the site. This can be mitigated using a plugin like Limit Login Attempts Reloaded.
This plugin restricts the IP addresses from which the site has received unsuccessful login attempts more than the limit you have specified. An ideal option could be 3 attempts.
5. Hide your login page
WordPress admin panel can be accessible at /wp-admin or /wp-login.php URLs. Since WP is a popular CMS system (it’s true 🙂 WordPress powers 39.6% of the internet), the default login URL could be easily targeted by bots and malicious traffic.
The best way to mitigate this would be to hide the login URL to something which is not so easy to guess. This could be done using plugins like WPS Hide Login.
6. Secure your WordPress Installation
Sucuri and Wordfence are two excellent plugins for WordPress security. Sucuri provides 1 click option to harden all the loose ends of your WP site. Wordfence has an excellent firewall that actively blocks malicious traffic and DDOS attacks.
7. Remove unused plugins, themes
Any WordPress installation comes with a set of default themes and plugins. Always, it’s wise to remove any unused themes or plugins. This helps in reducing the chance of any vulnerabilities.
8. Change permalink structure
Permalink is a crucial part of how SEO optimization for your WP site/blog. By default, the permalink would be using a dynamic permalink with post/page ID in the URL. I’m sure this URL would not be liked by any of the search engine bots 🙂
http://example.com/?p=N
No need to worry, this can be changed to something meaningful. It is always good to have your post or page title as part of the URL.
In the Settings → Permalinks Screen, you can choose one of the more common permalink structures or enter your own in the “Custom structure” field.
Post name could be the best option for permalink structure. You could also build a custom structure with a combination of tags like postname, year, month, etc.
9. Change timezone
In the Settings → General Screen, you can update the Timezone where you are operating the site/blog from.
10. Update WordPress, Themes, and Plugins
WordPress, being the most used CMS, is prone to vulnerabilities. It is always suggested to keep your site updated regularly.
Most often hosting providers would not provide the latest version of WP for a while. Right after the installation of the new WP site, please check if there are any new updates available for default themes, plugins, or WordPress itself.
11. Update user profile
Finally, before jumping in to start writing posts on your WordPress site/blog, you should be updating your user profile. Jump into Users→ Profile section on admin dashboard and update details like “Display name publicly as“, “Profile Picture“, “Biographical Info“.
Now that you have done all these changes, you are good to fly 🚀
Happy blogging 🙂