
50 Things To do After Installing WordPress! [A Comprehensive Guide]

WordPress is an amazing platform for building a website or a blog. It’s powerful, easy to install and loaded with features, with an active community and millions of plugins. But it is also a platform loved by hackers. You can install WordPress in just 2 minutes, but your job should not stop there. There are plenty of things to do after installing WordPress, ranging from security, SEO and accessibility to performance and customization. Let me share what I learned over the years with WordPress; the outcome is this list of 50 things you should do after installing WordPress.

Note: I’ll be using WordPress version 4.2.2 for all the tips below. However, you are advised to confirm compatibility with other WordPress versions. I also assume that WordPress is running on a Linux operating system with the Apache HTTP server.

WordPress security and tweaks

Here are those!


1. Change WordPress table prefix (during install)

All the information on your site is stored in the WordPress database, which makes it a hacker’s favorite target. It is therefore very important to change the default table prefix (wp_) to something else, because the spammers and hackers out there know what the default table prefix is (wp_), and that allows them to perform SQL injection style attacks. Unfortunately, many people install WordPress with default settings, including the default database prefix. This lets hackers plan mass attacks that target the default prefix wp_.

It’s always advisable to change the prefix while you install WordPress; it is the simplest way to protect your database.

[Screenshot: change default table prefix]
Note: If you are planning to change the table prefix after installing the WordPress, then here’s the guide.

2. WordPress database need not be called as ‘wordpress’ or ‘wp’ (during install)

The WordPress database need not be called ‘wordpress’ or ‘wp’. It’s good practice to create the database with a unique name and avoid ‘wordpress’, ‘wp’ or your website name, thus protecting your site by hiding these details from bots and lazy hackers. This is security by obscurity.

3. Don’t create username as ‘admin’

Hackers love default usernames! Don’t create a WordPress account with the default username ‘admin’ or any other common username. Hackers have huge collections of common usernames and passwords, which they later use in brute force attacks on WordPress blogs. Recently, a security firm reported that more than ninety thousand WordPress sites had been attacked using brute force. It’s highly recommended to change your default usernames. You can also change the default username on an existing WordPress installation by following the few simple steps listed below:

Note: Avoid using the author’s real name as the username.

4. Install coming soon plugin while you do development at the backend

This point might surprise many, but it’s really important. Whether you are launching a new website, carrying out development work, or simply performing routine maintenance, you may not want to leak certain information to the public. These are the times a coming soon page comes in really handy. For example, if you look at the HTML source of the default theme, you will find certain unwanted meta tags added by WordPress that leak version information, and an archive page with the default “Hello World” post displaying the username of the publishing account (usually the first account you created during installation). So until you remove all of those (keep scrolling down to see how), it’s better to install a coming soon plugin, with which you can create a landing page or coming soon page in as little as 5 minutes without any programming or design skills.

Tips: You don’t need a lot of crazy features to get a nice landing page or coming soon page. Keep your landing page or coming soon page with a narrowly focused message.

5. Display name should not be username

By default the username is set as the display name, and that is visible in the author URL as well. For example, look at the snapshot below and you will see the circled word ‘test‘, which is the WordPress account that posted the article. Using the username as the display name is something I’m not a fan of.

[Screenshot: remove username from author URL]

To change that, click Users > All Users and click Edit to access the user profile to change the display name.

[Screenshot: WordPress author display name]

But you have to do this on every user profile, and it’s not going to stop if the site allows users to register, because WP sets the username as the display name automatically.

To change the default display name for new registrations, copy and paste the code below into functions.php:

/**
 * Set a new user's display name to "First Last" right after registration,
 * instead of the WordPress default, which is the login name.
 */
function change_display_name( $user_id ) {
    $info = get_userdata( $user_id );
    // Build the name and drop stray spaces when one part is missing.
    $name = trim( $info->first_name . ' ' . $info->last_name );
    // If the registration form collected no name, leave the default alone
    // rather than saving a blank display name.
    if ( '' === $name ) {
        return;
    }
    wp_update_user( array(
        'ID'           => $user_id,
        'display_name' => $name,
    ) );
}
add_action( 'user_register', 'change_display_name' );

Above code credits

Once the above code is added to functions.php, try creating a new user and you should see ‘Display name publicly as‘ set to the user’s ‘First and Last name‘.

[Screenshot: change default display name]

OK, but there is a catch here: what if the user changes their display name?

You can simply disable the ‘Display name publicly as‘ field on the Profile page and prevent the user from changing it. To do that, copy and paste the code below into functions.php:

// Grey out the "Display name publicly as" field on the user's own profile page.
function disable_display_name() {
    global $pagenow;
    if ( 'profile.php' === $pagenow ) {
    ?>
        <script>
            jQuery( document ).ready( function() {
                jQuery( '#display_name' ).prop( 'disabled', 'disabled' );
            });
        </script>
    <?php
    }
}
add_action( 'admin_head', 'disable_display_name', 15 );
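The admin_head script only disables the field in the browser; the profile form can still be submitted with a different value. The following added example (not from the original post) enforces the same first-and-last-name rule on the server for both registration and later profile saves, so it also covers the display name set in functions.php above; the function name enforce_display_name is my own.

```php
/**
 * Server-side enforcement of the "display name = First Last" rule.
 * Runs on user_register (new accounts) and profile_update (every later save),
 * so it holds even if the disabled form field is bypassed.
 */
function enforce_display_name( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $wanted = trim( $user->first_name . ' ' . $user->last_name );
    // No first/last name on file: leave the WordPress default untouched.
    // Already correct: nothing to do (this also stops the recursion below).
    if ( '' === $wanted || $user->display_name === $wanted ) {
        return;
    }
    // wp_update_user() fires profile_update again; the equality check
    // above ends that second pass after the corrected value is saved.
    wp_update_user( array(
        'ID'           => $user_id,
        'display_name' => $wanted,
    ) );
}
add_action( 'user_register',  'enforce_display_name' );
add_action( 'profile_update', 'enforce_display_name' );
```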

6. Disable Plugin and Theme Editor in wp-admin

When you log in to WP as admin, you’ll find an “Editor” link under the Appearance and Plugins menus. The WordPress file editor can be a great tool because it lets you edit the PHP files of your theme and plugins directly from the WordPress administration area; most administrators use it to edit their theme’s style.css file and tweak their site. But it is also a potential backdoor to your server: the file editor allows users to run PHP code on your site, and any time a user is able to run their own code, that is a security risk. If a weakly protected admin account is compromised, the file editor is the gateway through which a full-fledged attack can be carried out, and legitimate WordPress users can also break things with it.

Note: If you still want to use it and it makes your life easier, take enough precautions with site security so that you are the only one who ever sees it.

To remove it, copy and paste the line below into wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

[Screenshot: disable plugin and theme editor]

7. Set the permalinks

Now set the permalinks via Settings > Permalinks. Permalinks are the permanent URLs of your posts, pages and categories. They also play a major role in WordPress SEO.

8. Disable XML-RPC

XML-RPC is enabled by default and allows you to publish posts remotely (via the WordPress app or Windows Live Writer), accept pingbacks and trackbacks, and use many other features. In the early days, hackers ran brute force attacks against the WordPress login page. Lately they have evolved and now leverage the XML-RPC wp.getUsersBlogs method to guess as many passwords as they can. This attack is possible because XML-RPC calls require a username and password. In this kind of attack, the hacker simply sends a username and a password to the wp.getUsersBlogs call, which returns whether they are correct or not.

<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>
<string>admin</string></value></param>
<param><value><string>112233</string></value></param></params>
</methodCall>

According to reports from a security firm, hackers use XML-RPC to perform DDoS attacks on WordPress sites. It might be happening to you, and you could have no idea that your site is attacking other sites. If you are not going to do remote publishing, disabling XML-RPC is a good idea and stops your WordPress website from being misused.

Although this is a well-known issue within WordPress, and even the WordPress developers are aware of it, it can’t be patched, because in many cases it turns out to be a feature.

You can disable XML-RPC via plugins such as Disable XML-RPC Pingback and Prevent XMLRPC.

(Or)

Copy and paste the line below into functions.php to disable XML-RPC completely.

add_filter('xmlrpc_enabled', '__return_false');

Note: The same can be achieved by using popular security plugins.

You can test your website with this online tool to verify that your site is not DDoS’ing other websites.
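The xmlrpc_enabled filter only rejects XML-RPC methods that log in (wp.getUsersBlogs among them); pingback.ping needs no login, so the pingback abuse described above still works until it is removed as well. The following added example (not from the original post) goes a step further in functions.php; the two harden_* function names are my own.

```php
/**
 * Added hardening for xmlrpc.php, extending the xmlrpc_enabled one-liner.
 * Drop this in functions.php or a small site-specific plugin.
 */

// 1. Refuse every authenticated XML-RPC call (same as the line above).
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Unregister the unauthenticated pingback methods from the server's
//    method table, so xmlrpc.php can no longer be pointed at third parties.
function harden_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'harden_remove_pingback_methods' );

// 3. Stop advertising the endpoint: WordPress sends an X-Pingback header on
//    single posts, which is one way scanners discover xmlrpc.php.
function harden_strip_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'harden_strip_pingback_header' );

// 4. Remove the Really Simple Discovery <link> in <head>, which also
//    points at xmlrpc.php (xmlrpc.php?rsd).
remove_action( 'wp_head', 'rsd_link' );
```

A quick check after deploying: a POST to xmlrpc.php carrying the wp.getUsersBlogs body shown above should now come back with a fault instead of a login result, and a pingback.ping request should report an unknown method.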

Updated on December 15, 2017
