5 Things to Do First When Setting Up a New WordPress Website
My name is Ivan Arnaudov and I am a small business owner from Bulgaria. I manage and host 3 small e-commerce webstores, and help other small businesses like mine by building and managing their own websites.
In this series of blog posts which WPX.net generously invited me to write, I plan to share with you things I have learned during my 20+ years of experience of building websites that you can apply to any project and save yourself some time.
Every beginning is difficult, so I will start at the moment a new WordPress website is created, and take it from there. That is why I chose as the first topic of my column the list of 5 things that I do first when I set up a new website.
To me, putting up a new WordPress website is a bit like moving into a new office or an apartment: although I am familiar with how everything is supposed to work in principle, I still need to make sure stuff operates as expected (electricity; heating; plumbing; alarms, etc.). And of course, like everybody else, I want to add some finishing touches to make the place feel like my own.
Table of Contents
Item #1: Make sure the website can send email reliably
This is the very first item on my list because the ability to send email is vital for every website, yet people often seem to underestimate it grossly. There are so many aspects of the website operation that depend on reliable outgoing emails:
- Allow users to perform password recovery;
- Notify webmaster about different events (updates, technical difficulties);
- Notify subscribers about newly published content;
- Notify commenters about quotes and replies;
- Notify webmaster about spam comments;
- Send order updates to WooCommerce customers, etc.
Out of the box, every WordPress installation relies upon the email sending facilities of the hosting server. Good web hosting companies (WPX included!) have done a lot to configure properly their mailers, but there is still the risk that some nervous spam filter will see that emails from one domain name arrive via an IP address that resolves to another domain name, and flag them as forgery or spam.
This is why I make sure firsthand that everything works well from the very beginning. For this job, I will make use of a simple WordPress plugin and an email testing service.
Install and configure WordPress SMTP plugin
I install a free plugin called “WP Test Email” by Boopathi Rajan.
When activated, it nests itself under Tools > Test Email in the WordPress admin menu. The interface is simplicity itself:
Somewhat confusingly, the ‘Save Changes’ button does not actually save anything. It simply accepts an email address and a subject line, and sends a message on behalf of the WordPress system user.
The quick solution would be to email myself, but this will not give me all the feedback I need. The test will yield a definitive, but uninformative result. The message will arrive or get dropped; and if it arrives, it will either go to my inbox or be flagged as spam.
However, if it arrives, I will not know if everything went perfectly, or whether the message barely avoided being dropped by the relay server or the spam filter. If it doesn’t arrive, I will not know anything about the reason for the nondelivery.
Fortunately, there is a much better solution: a mail delivery testing service.
Testing Email Delivery
The tool I rely upon for quick assessment of deliverability is Mail Tester. It performs a series of checks and offers a very detailed explanation of each problem it discovers. It is free to use for up to 3 tests a day, which should be more than enough. Prepaid packages of tests are available for those who use it for thorough email troubleshooting.
I open Mail Tester in a new browser tab and, as usual, enjoy its nice illustration for a moment, before I copy/paste the temporary email address it gave me into my SMTP plugin.
As I mentioned before, the WPX mailer comes well configured out of the box, and that is why I am not at all surprised to receive a fine 9/10 score from Mail Tester:
For those of you who are curious: yes, it is possible to achieve a perfect 10/10 score. But such a result is not possible using the mail sending facilities of shared hosting alone; it requires some additional tools.
If your website needs to send a lot of emails (dozens of messages a day or more), it is not a good idea to rely on the web hosting service mailer because every outgoing email increases the potential risk of getting blocked by spam filters.
Also, even if you are not abusing the email service, you’re still sharing the same sending IP with dozens of other websites. The WPX sysadmins do a lot of things behind the scene to prevent abuse of outgoing email, but there is always risk of temporary or permanent degradation of email deliverability.
I have prepared a separate long-form blog post that discusses alternatives and shows you exactly how to do move away from web host mailer services to a more reliable solution. But since we are talking about a brand new website, this result is fine.
Now that I know I will not find myself locked out of this WordPress installation, or miss a message concerning an update or a problem with the website while I am working on it, I can disable and remove the WP Test Email plugin if I feel like it; it has served its purpose. However, I usually keep it around until I hand over the website to the customer, along with an instruction how to use it from time to time to test email delivery.
Item #2: Change some default WordPress settings
There are a few configuration settings that I usually have to change on a new WordPress website, especially if I have just created it from scratch, pending development. Here they are, along with my justification for each operation.
Deselect ‘Anyone can register’ in General > Membership
There are three cases where site visitors need an account with a WordPress website: (1) to post and respond to comments under blog articles; (2) to access content (as in membership sites, closed communities, etc.) and (3) to shop regularly (in WooCommerce).
Even if I am working on an e-commerce or a membership website, I prefer this feature disabled in the beginning, and only activate it at a much later stage — during testing.
As for reason #1 (commenting), I strongly prefer 3rd party commenting systems such as Disqus or Facebook comments. The commenting system built into WordPress is arcane and clunky. It has horrible UI and is easily abused by spam bots. I never use it on any of my own websites.
Disabling membership is a simple way to restrict commenting, because I can restrict the ability to post comments can to registered users only. Not giving users the ability to register makes it impossible for them to leave comments via the native commenting system.
Check the state of Settings > General > ‘New user default role’
This feature comes hand in hand with the previous one. It doesn’t have any effect if user registrations are disabled, but imagine the potential implications if somebody carelessly switched the default role to ‘Administrator’ and somebody else enabled ‘Anyone can register’ without paying attention. Correct, you will have just pwned yourself.
So, in order to spare yourself possible future embarrassment, make sure the drop-down points to either ‘Subscriber’ (for regular websites) or ‘Customer’ (for WooCommerce sites).
Site Language, Time zone, Date/Time Format
While still in Settings > General, I take time to adjust the time zone and date/time format, depending on the location of my customer. There is nothing more annoying to be in Europe and to have your website operate on USA East Coast time. Paying attention to such small details also does a good job of impressing my customers.
Check status of ‘Search engine visibility’
This setting is found under Settings > Visibility. For newly created websites, it is best set to ‘Restrict’, even if it is not reliable on its own and there should be other measures in place to block access to the website during the design/development phase.
For me, it is equally important to verify this setting is disabled when I am taking over a website previously managed by somebody else. You have no idea how often this toggle stays enabled and forgotten, while the poor site owner wonders why Google is not picking up their new website despite the tons of content in it!
Item #3: Secure access to the WP admin dashboard
If you come from another hosting company to WPX, you have certainly noticed that WPX have a clever login protection system. It intercepts calls to
wp-login.php and presents a CAPTCHA screen which the used needs to solve to reach the actual login screen.
This is an excellent way to defend against brute force attacks, but it will not allow protection if the admin credentials for the website somehow get leaked. This is why I employ a second form of authentication along the username/password.
For my own websites, it simply gives me extra confidence that they will not be breached via admin login; for websites that I develop and/or manage on behalf of my customers and especially when there are other active admin-level accounts, it gives me another level of assurance that I will not be blamed for a breach because of a password leak.
There are multiple plugins that offer 2FA (two factor authentication) but most of them require payment to unlock their full functionality. The one I prefer is called simply Two-Factor. It is written by a collective of WordPress programmers and is free. It also offers the widest range of 2FA authentications:
- Email codes
- TOTP tokens (codes generated by a mobile app like Google Authenticator or Authy)
- FIDO-compliant hardware keys like YubiKey or my favorite, Solo Key
- One-time use backup codes
As far as I can tell, even after several years of use, Two-Factor is still the only plugin that supports my preferred way of 2FA: using hardware keys.
The 2FA plugin works by attaching itself to each user profile and adding the possibility to add one or more authentication methods:
I always activate at least 3 factors (email; TOTP or FIDO U2F; a set of single-use backup verifications codes). I adjust the TOTP or FIDO U2F factor as the default, and then proceed to add a pair of Security Keys. I usually carry one of these keys with me, while the other one is kept in safe storage.
Item #4: Fill Author Bio Profile and Gravatar
The Author page is a small but important source of information about me that serves as attestation of my involvement in any project. According to different sources — including Google’s own John Mueller — author’s pages are not significant for SEO purposes.
This makes it easy for me to explain it to my customers and to calm their fears that I will be “stealing” traffic or link authority from them. It might be just old vain me, but I believe it is important to keep this small footprint the same way artists sign their work.
Note that most themes don’t have specific templates for author pages, and if opened, they will show a list of blog posts (which will be empty, if I am only involved in the creation of the website but not in its content). But I have prepared another blog post where I will show you how easy it is to create or customize the author page. Here’s how the wonderful Neve theme shows my author page:
Item #5: Change Admin Dashboard Colors
This last one might sound a bit weird but if you need to be involved in multiple WordPress projects simultaneously, like I have to sometimes, you will understand the purpose of this operation immediately.
The main problem with the WordPress dashboard is that it looks all the same on each and every web site, regardless of how different their front ends are. There are subtle differences like the specific site name shown in the top left corner of the admin bar, and possibly the different contents of the admin menu. But sometimes it is extremely easy to get confused and to think you are working on one website, while you are actually making changes to another, simply because it happens to be open in a neighboring browser tab.
That is why I have found great solace in the dashboard customization feature called ‘Admin Color Scheme’ that can be reached by editing a user profile. As standard, WordPress ships with 9 different admin color schemes, but the WordPress Core Team also maintains a plugin called Admin Color Schemes which alters and expands that range to 12 vibrant, lovely color variations of the admin theme.
Admin dashboard customization is also extremely important when one is working in parallel on the development/staging and production website (for example, when a new feature needs to be deployed following testing). Here, the stakes are even higher.
Traditionally, I used to insert a bit of custom CSS code to alter the admin bar of a production website to make it an ugly, irritating color, like this:
However, I recently came across a plugin that does the same but does it much more elegantly. It is called ‘Contextual Adminbar Colors‘ and is specifically designed to distinguish between different environments (dev, staging, production).
This plugin was authored by an awesome French WordPress agency called Whodunnit which has my eternal gratitude.
And, finally: if you are into customizing your WordPress admin dashboard, here are are a couple more customization options that I sometimes use:
Grey Admin Color Schemes is an alternative to Admin Color Schemes that makes the dashboard colors less saturated and more predominantly grey.
Aquila Admin Theme introduces material design to WordPress admin dashboard and brings sense of structure and elegance. It rearranges the components on the horizontal admin bar quite substantially and gets rid of some unnecessary parts of it (like the utterly useless ‘Howdy’ callout).
The only thing that Aquila Admin Theme lacks is compatibility with the standard admin color palettes and, by extension, with the wonderful color schemes shipped with ‘Admin Color Scheme’. It does have a rudimentary color scheme editor but the output simply isn’t the same. Still, it provides a lot of functionality which you may like, so definitely give it a go.
Custom Admin UI is another admin theme that applies material design principles to the WordPress dashboard by adding more space around the elements and effectively making the whole thing feel much less cluttered.
Two warnings about this last one: (1) it might not be compatible with all schemes provided by Admin Color Schemes and (2) because it makes the vertical admin menu wider, some other plugins that have custom admin dashboards might conflict with it. If you notice an issue, just disable the plugin.
Update: 16 May, 2022
UiPress is a very powerful admin customization tool that can be used to completely reorganize the WordPress admin dashboard. However it is also not free; and while I cannot argue about the value it offers, I generally do not recommend paid WordPress products, even if I have opinions on them. It is your money, it should be your decision.
All of the above being said, I have a very good reason to update this article: very recently, UiPress released a free version of their product called UiPress Lite (follow the link, select ‘Lite’ from the tab and click on ‘Get Started’. The website will get you through a checkout sequence but you won’t be paying anything. This process is required so that you can get an account, and have a UiPress Lite license assigned to it. You can then download and install the plugin.
The free version gets you the overall interface design and the ability to switch between daytime and dark layout. The pre-defined dashboards serve only as showcase for the features of the premium version. But even without them, UiPress Lite gives you a really beautiful, and refreshingly different yet not completely foreign UI for WordPress. Give it a go!
So… Those were the five things I always do when I create a new WordPress website, or take over the development and/or management of an existing website on behalf of a customer.
I hope that I have shown you at least a couple of things you didn’t know about WordPress, and that you will make good use of my tips to customize the environment to your liking.
Leave a comment below to let me know if any of these have been useful to you, or share your own’s “5 first things” with the other readers!