Things To Do with Every New WordPress Installation

WordPress is a wonderful system, but out-of-the-box, a new installation is a confusing piece of junk with many flaws. And many of these flaws have not been addressed even in the latest 4.0 version that was released around October 2014.

As someone who has been working extensively with WordPress these past 2 years, here are some things you need to do with every new WordPress installation. These tips are primarily for others who develop WordPress websites for clients.


Turn off WordPress auto-updates

Open your functions.php and add this little snippet, making sure it sits between the <?php and ?> tags.

define( 'WP_AUTO_UPDATE_CORE', false );

Auto-updates are a nice feature, but because of the way WordPress websites are put together, it’s a very bad idea. Here’s why: almost every WordPress site contains plugins. These plugins are 3rd party pieces that are “plugged in” to your website to enhance it. Plugins can add slideshows, add Facebook buttons, add music players, etc. Plugins are made and maintained by 3rd party developers. These developers design and test their plugins for compatibility with WordPress up to a certain version. When you upgrade your version of WordPress, the plugins may not work anymore because their updates will always lag behind WordPress updates. Furthermore, an update of either a plugin or WordPress is done with one click of a button, but there is no button to undo it if it breaks your site. The lesson is this: be careful with updates, look for compatibility when updating, and be prepared to make and restore backups.


Remove that WordPress Update Nag

The second trouble with WordPress version updates is that they are constantly nagging you or your client about them. Avoid tempting your clients to click that button by simply adding some admin-side CSS to hide that nag (class is .update-nag). You can also use the code below to add custom admin styles, such as highlighting certain menu items.

Add this to your functions.php in between the <?php and ?> tags:

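function admin_stylez() {
 // Print custom CSS into the <head> of every admin page
 echo '<style type="text/css">
 #menu-posts, #menu-pages {background:#eeee33}
 .update-nag {display:none}
 </style>';
}
// Run the function whenever an admin page builds its <head>
add_action('admin_head', 'admin_stylez');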


Turn Comments Off

WordPress was originally a blogging system, so that is why you have comments available. Unfortunately, if you are not running a blog or a site where you encourage crowd participation like mine, comments are still turned on by default. Aside from looking out of place, it also increases your chances of receiving spam.

To turn comments off, go to SETTINGS > DISCUSSION and uncheck “



Make 1 Folder for All Images and Change Preset Image Sizes

By default, any images or media you upload to your WordPress site will be sorted by year and month. This results in many, many folders in your uploads folder, making it hard to find certain images and making your image URLs longer.

Which do you think is better?

To fix this go to SETTINGS > MEDIA. Uncheck “Organize my uploads into month- and year-based folders.”

WordPress also will automatically make different sizes of pictures you upload (thumbnail, medium, large, and original). You can edit these dimensions in SETTINGS > MEDIA as well. For my site here, my large size is 640 pixels width.


Prevent Bots from Guessing Your Login and Password

Here’s a scary thought: WordPress sites are heavily and easily targeted by hackers looking for insecure sites to hack. These hacks are performed by bot scripts and many hacks are done just for fun, usually resulting in a hacker banner replacing your site to mark their triumph.

Here’s how most hacks would happen: a bot goes to your login page probably at one of the following URLs:

Then the bot would type in “admin” for the user, as it is the default user for many WordPress installations. Finally, the bot would go through the process of guessing your password by going through various dictionaries and permutations. Unless your web host blocks the bot or there is something to stop it, the bot will inevitably be able to hack into your website. This is known as a “brute force” method. It is very simple, but can be very effective when there are no defenses against it and when performed by a bot, which does not sleep and can guess continuously.

There are multiple ways to combat this, but my recommendations are the WP Security and Limit Login Attempts plugins. Both lock an IP out when its login attempts are unsuccessful.
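
The lockout behaviour described above, as an added example for functions.php (not code from this article or from either plugin): it counts failed logins per IP in a transient and refuses authentication once an assumed limit of 5 failures within 15 minutes is reached. The `ex_` names and the thresholds are hypothetical; the hooks `wp_login_failed`, `authenticate` and `wp_login` and the transient functions are WordPress core APIs.

```php
<?php
// Added example. Thresholds are assumptions; tune them for your site.
define( 'EX_LOCKOUT_MAX_FAILS', 5 );                    // failures allowed per window
define( 'EX_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS );  // window and lockout length

// Build the per-IP transient key. REMOTE_ADDR is the directly connected peer:
// behind a reverse proxy or CDN it is the proxy's address, so the web server
// must be set up to restore the real client IP before this is meaningful.
function ex_lockout_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_fail_' . md5( $ip );
}

// Count every failed login against the client IP. Each failure restarts the
// expiry, so an IP that keeps guessing stays locked out.
function ex_lockout_record_failure( $username ) {
    $key   = ex_lockout_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, EX_LOCKOUT_WINDOW );
}
add_action( 'wp_login_failed', 'ex_lockout_record_failure' );

// Refuse to authenticate once the IP is over the limit. Priority 30 runs after
// WordPress's own username/password check (priority 20), so even a correct
// guess is rejected while the lockout is active. Requests without a username
// (simply viewing the login form) are left alone.
function ex_lockout_enforce( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user;
    }
    if ( (int) get_transient( ex_lockout_key() ) >= EX_LOCKOUT_MAX_FAILS ) {
        return new WP_Error( 'ex_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_lockout_enforce', 30, 3 );

// A successful login clears the counter for that IP.
function ex_lockout_reset( $user_login, $user ) {
    delete_transient( ex_lockout_key() );
}
add_action( 'wp_login', 'ex_lockout_reset', 10, 2 );
```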


Customize the Useless WordPress Dashboard

The default WordPress dashboard is absolutely useless.

WordPress news? Who cares.

Add a quick draft? I can just add a regular post with one more click.

Welcome? Why can’t I just add my own welcome message? 

To edit the items or to just remove them completely you can click on the tab SCREEN OPTIONS at the top right.


This only clears up your dashboard; it doesn’t solve the problem of a useless dashboard. So what you can do is use a plugin like Custom Dashboard and Login to create custom items on your Dashboard. I personally enjoy things like webmaster logs for important changes I make, Google Analytics summaries, a How-To video, or Disk and Database Usage. Anything’s better than what they give you.


Know of other must-do things for your fresh WordPress installs? Be sure to mention them in the comments.
