Installing WordPress is a breeze, but each brand new install comes with its own potential security and performance flaws that need to be addressed before you do anything else, in order to hit the ground running.By this, we mean making sure your installation is running in tip-top shape right from the start, with no clutter or performance and security errors that could cause you headaches down the road.

The web is filled with tutorials to guide you through the WordPress installation process, but there aren’t many that take the time to explain what additional steps you should take afterwards, in order to make sure you’re properly set up. Let’s fix that now.

Installing WordPress

Every hosting provider worth its salt will offer you a foolproof automated installation option for WordPress, which will get you up and running within a few short clicks.

That said, you can also go the manual route by downloading and installing WordPress yourself. There is no particular reason for you to do this (unless you want to get to know the inner workings of WordPress better), so we recommend the automated route.

The choice is yours!

Step 1: Choose a Secure Password

Once WordPress is installed and you’re looking at a shiny new Admin screen, the first question you must ask yourself is: Am I using a unique and secure password? We’re not here to judge, but if your password is something like abc123, perhaps it’s time to retire that bad boy.

There’s plenty of literature online when it comes to secure password creation, but to keep things simple, let’s stick with the WordPress password generator:

Use a secure password

As you can see in the example above, the generator produces seriously secure passwords. (If you’re concerned about being unable to store your password securely, you can always use a solid password manager, such as 1Password or LastPass.)

Step 2: Change the Database Prefix

By default, WordPress will create a database for your site with a wp_ prefix. This predictable prefix poses a problem, since it leaves you open to the possibility of SQL injections, should attackers find a vulnerability in your installation.

The easiest way to tackle this problem is to simply change the default prefix into something that isn’t so predictable. The easiest way is by using the iThemes Security plugin, a super powerful (and free!) security plugin.

WordPress Plugin: iThemes Security
iThemes Security Plugin

If you peek at the plugin’s myriad options, you may be overwhelmed, but don’t fear! Let’s go through the steps for carrying out this important tweak:

1. Allow iThemes To Write to the wp_config.php File

Navigate to the Security tab on the Dashboard. Once there, click the Settings tab:

iThemes Security settings

There are a number of options here, but the one that interests us is Write to Files in the Global Settings section at the top. Check that, scroll down a little, and click Save All Changes:

2. Change the Database Prefix

Once we’ve allowed iThemes Security to access the wp_config.php file, we need to change the database prefix. Clicking the Advanced tab underneath Security will bring you to the screen we need.

Rather than get bogged down with the other options here (though they’re worth reviewing another time!), we need the Change Database Prefix section at the bottom:

change wordpress database prefix

At the bottom of this section, check Change Table Prefix and click Change Database Prefix. You’ll notice a warning to backup your database first. Because this is a new install, we won’t need to do this, but when your site is up and running, it’s a good idea to create regular backups.

That’s it! Your database is now much more secure.

Step 3: Delete All Unused Content on Your Site

Your next step should be to delete the sample post and page included in every WordPress installation. These don’t pose a security risk, but we don’t want search engines to index them, nor readers to see them!

Navigate to the Posts tab on the left hand side of the Dashboard. There will only be the default Hello world! post here. Hover over the title and click Trash.

delete default blog posts

The advice for posts also applies to pages – navigate to the Pages tab, hover over the title, and click Trash in the same way you did for the Hello world! page.

While we’re at it, we’re also going to delete any installed themes and plugins that you won’t be using. Even inactive themes and plugins represent a potential security risk, and uninstalling them is a good habit to get into from the get-go.

Navigate to the Appearance > Themes. Each theme must be deleted individually: click its thumbnail, then click Delete in the bottom right hand corner. You’ll be given a prompt, just in case you change your mind:

delete unused wordpress themes

For plugins, clicking the Plugins tab on the left hand side brings you to a screen listing all of your currently installed plugins. You can either click Delete on each unwanted plugin, or toggle the relevant checkboxes and choose Delete from the Bulk Actions dropdown, clicking Apply when you’re ready.

delete unused wordpress plugins

Step 4: Set Your Permalinks

By default, WordPress will display your pages with a post ID structure, which is pretty unintuitive. We can easily change this by navigating to Settings > Permalinks from the WordPress Dashboard.

Here you’ll find a wide variety of alternative permalink structures, the most popular of which are Post name and Day and name:

wordpress permalink settings

Pick your favorite!

Step 5: Configure Your Comments Section

WordPress comes with commenting functionality, enabling readers to interact with you and each other on every post you publish.

Comments can be turned on and off for each individual page, but you can also change some general parameters by navigating to Settings > Discussion:

There are a few settings here that will be of interest:

  1. Allow people to post comments: The most important option – if this isn’t ticked, readers can’t post comments!
  2. Allow link notifications from other blogs: You’ll probably want to uncheck this so you don’t get pesky trackback notifications showing up in your comments section.
  3. Comment author must fill out name and email: This helps to stop spam comments by having to give a name and a real email address before the comment is accepted.
  4. Comment must be manually approved: Before a comment is posted to the page, it’s held as Pending for moderation in the Comments section. You can then choose to Approve it or mark it as Spam, depending on what you decide.


All of the work may seem unnecessary, but if you take the time to go through with it, you’ll have a cleaner and more secure site, which could well save you some major headaches down the line.

Just follow these key steps and you’ll be golden:

  1. Choose a secure username and password combination.
  2. Change your database prefix.
  3. Customize your permalinks.
  4. Delete all your unused content (including themes and plugins).
  5. Configure comments options to your liking.

Do you have any additional tips for setting up a fresh WordPress installation? Let us know in the comments section below!



eighteen + 18 =