Essential WordPress Setup

Essential WordPress Setup

This recipe will walk you through the essential WordPress setup you should complete on every site.

Using free plugins, these steps will help make your site more secure and faster to load.

You’re going to be putting a lot of work into your site and using it to generate revenue. As an essential business asset, you need to ensure it’s protected. A few simple steps will make your site unattractive to hackers using large scale automated attacks.

They’re only interested in the weakest sites that can be most easily compromised. This recipe will help ensure your site is a tougher nut to crack.

I’m sure you’ve read that the speed of your site is essential. More than a couple of seconds loading time can lead to visitors hitting the back button. Two of the plugins in this recipe can make a huge difference to the speed of your site.

Finally the recipe includes a site backup plugin. I’ve lost track of the number of people who have lost a revenue generating website and had no backup. Sites getting lost due to server failures or catastrophic WordPress problems are relatively rare. It does happen however, so ensure your business can recover as quickly as possible.

Once a backup plugin is configured, it will automatically save your site on a regular basis. If the worst ever happens, you will be able to quickly get everything up and running again.

Go It Alone Rating What is this?

1: Install 2FAS Light – Google Authenticator

This is a free plugin that adds two factor authentication to your site. You’ve probably got this protection set up on other online accounts, such as Facebook.

If you try to sign in from a new device, the website sends you a code to enter to confirm your identity.

This plugin works much the same, but a code isn’t sent to you. Instead you install an app on your phone or tablet and this supplies you with a code.

The developers behind this plugin offer a free plugin, but I prefer to use the Google Authenticator app. You can find the app at the links below.

There are a number of two factor authentication plugins to choose from. I favor this as it’s simple and also allows you to add as many users as you like.

Additionally, users can also choose to remember devices. That means you only need to enter a code the first time you log in using a device. In future, when you log in from the same device, the plugin will remember you and not require a code.

After activating, click the 2FAS Light link in the left hand column. You can then reveal a QR code and scan it with the authenticator app on your device.

The app will then display a six digit code that you can enter into the Token input field on your site. Click the Add Device button to complete the setup. You should see a message confirming it configured correctly.

I recommend you double check everything is working correctly before logging out of your site.

Open your site in an Incognito or Private browsing window and go to the admin log in. Complete the first step of the log in as normal. On the next screen, enter the code from your app and log in.

If there’s a problem logging in, try again to ensure you entered the code correctly.

Should it still fail to login, go back to the 2FAS Light admin screen and scroll to the bottom of the page. Click the Click here to delete your configuration link and that will remove two factor authentication from your account. You can then try and set it up again.

2: Install Wordfence

Wordfence is a very popular plugin with more than a million active installs.

It serves as a Web Application Firewall, but you don’t need to understand what that means. Put simply, it makes it harder for hackers to compromise your site.

The plugin works by looking for attempts by visitors to leverage know weaknesses in WordPress, plugins and themes. As weaknesses are discovered, Wordfence updates to block them from being used until the problem is fixed.

Wordfence has a paid for version too and this is updated as quickly as possible. The free community version is updated 30 days later. In most cases the free version will offer the necessary protection, but the paid for version will give you increased security and peace of mind.

After activating, you should see a message to complete setting up your firewall. This is very easy, so just click the link. You will then be asked to download the .htaccess file in case there’s a problem. I’ve never had a problem, but this is a useful safety step.

After saving the file to your computer, complete the set up by clicking the button.

Wordfence will now run in Learning Mode for the first week. This is a more relaxed state while it learns what is normal behavior for your site. Some plugins need to execute actions that could also be used by attackers. Wordfence uses this first week to what to consider as normal actions that it should continue to permit.

If in the future you ever find a Wordfence error page being displayed, a quick fix is to turn Learning Mode back on and try again. Remember to turn it off again after or set a short date to automatically turn it off.

You can try the same fix if you ever have a plugin that doesn’t seem to work correctly when you click a button or link. It’s possible Wordfence is blocking the plugin behind the scenes.

3: Install Really Simple SSL (optional)

This is only necessary if your web hosting has an SSL certificate. All good hosting accounts should include an SSL certificate nowadays. This makes your site more secure and should prevent hackers from stealing passwords and other information your users enter on your site.

To check, open your site and look at the address bar of your browser . Look to see if there’s a green padlock displayed. If there is, you have an SSL certificate.

If there’s no padlock, try editing the address so it starts with https. For example, for this site I would enter Again, if there’s a green padlock, you have an SSL certificate installed. If not, contact your web hosts to see if one can be installed.

When your account has a certificate, the Really Simple SSL plugin will help ensure all your visitors view the secure version of your site.

After activating the plugin, a message will be displayed asking it you want to turn on SSL. Assuming you’ve already checked your site and seen the green padlock, you should have no problems activating this.

4: Install WP Fastest Cache

Caching plugins can make your site faster to load. By default, WordPress creates each page dynamically when a visitor views it. That means it gets all the necessary information from a database and combines it with various template files to create the page.

This process can be quite slow and demanding on your web server. Caching plugins work by storing a static version of each page of your site. This is much quicker recreating the page every time a visitor tries to view it.

There are a few caching plugins to choose from and WP Fastest Cache is not as popular as some of the biggest plugins. However, I use and recommend it because it’s one of the easiest to configure.

A badly configured caching plugin can make your site slower. WP Fastest Cache has fewer options than the biggest plugins making it quicker and easier to set up. It also consistently performs well in comparison tests.

After activating, click the WP Fastest Cache menu item. In most cases, you need just worry about the Settings tab.

The grayed out settings on this page are only available in the paid for version of the plugin, so ignore those.

You can check all the checkboxes and click the Submit button, subject to the following notes.

  • Mobile: Don’t show the cached version for desktop to mobile devices
    This should be fine to leave unchecked with most responsive WordPress themes. However, if your site displays incorrectly on mobile, turn this on.
  • Minify HTML and Minify Css
    These should be fine to activate, but if your site displays incorrectly, try turning them off one at a time.
  • Combine Css and Combine Js
    Like the minify options, in rare cases these may cause problems. Check your to ensure it appears and behaves correctly.
  • GZIP
    Most modern web hosts will support this. If your site won’t load correctly, try turning this off.
  • Language
    Set this appropriately for the language of your site

A few of these settings will open pop-ups with more controls. Just click the respective question mark icons to open advice on these or leave set to the defaults.

5: Install an Image Optimizing Plugin

I’m suggesting three options, each with their own pros and cons. I make some suggestions to help you select the one that best suits your needs.

With each of these, you can use their default settings unless noted below.

A: EWWW Image Optimizer

This is the plugin I currently use. This may be a good choice if your site is hosted on your own Virtual Private Server (VPS).

On a new site without existing images that have been uploaded, this will probably be fine to use on shared hosting.

On a site using shared hosting with a lot of images already uploaded, you may be better off with one of the other plugins. These will put less strain on your server.

If you choose this, ensure you set PNG Optimization Level to Lossy Compression for best file size savings. You shouldn’t notice any loss in image quality.

The Pros:

  • Installs on your own server so if your site is available it works
  • Allows you to bulk optimize existing images on your site

The Cons:

  • May not work on some shared hosting plans
  • If you bulk optimize on shared hosting, your site may use more resources than permitted. This could lead to a warning or see your site disabled.

B: Image Optimizer

I used to use this on several sites, but have switched away from it now. I switched because there were problems with the service while I was uploading a large number of images. Because the problems persisted for many days, this significantly affected my workflow.

If you’re not uploading lots of image, occasional problems with the service may never be an issue for you.

On shared web hosting, this is arguably the best choice as it has a relatively generous maximum image upload size.

The Pros:

  • Uses an external service to resize images, so less strain on your site
  • Allows you to bulk optimize existing images on your site

The Cons:

  • Occasionally the external service fails which slows down image uploads and means resizing fails
  • Maximum image size that can be resized is 5MB – that should be fine for most users

C: Smush Image Compression and Optimization

This used to be a paid service only, but there’s now a more restricted free version. The pros and cons are specific to the free version.

This is another good choice for shared hosting. As long as your theme doesn’t require particularly large images, you probably won’t exceed the 1MB limit for optimizing images.

You’ll be able to see in the media library if some images have been skipped for optimization. If you see that happening regularly, one of the other plugins or the paid upgrade may be a better option.

The Pros:

  • Uses an external service to resize images, so less strain on your site
  • Allows you to bulk optimize up to 50 existing images on your site at a time

The Cons:

  • Maximum image size that can be resized is 1MB – you may need to reduce the file size of some images before uploading

6: Install WP-Optimize

This plugin can serve a useful role in the background, helping to keep your site’s database running efficiently.

It may not produce dramatic or obvious results, but it’s a worthy addition to keep your site better optimized.

After activating, you can manually run several optimization procedures. These are designed to remove data that’s no longer required and may be slowing down database queries.

Click WP-Optimize in the left hand menu. Click the Settings tab first and click the Keep last X weeks data checkbox. This setting defaults to 2 weeks and I suggest you keep that as is.

Check the Enable scheduled clean-up and optimization checkbox. I recommend leaving the schedule set to weekly.

Click the Add logging destination link and select Log events to email from the drop down. Be sure to enter your email address in the next field and click the Save Changes button.

This clean the database once a week and email you information about what happened.

Now you can click the Wp-Optimize tab and click the Run all selected optimizations button.

7: Install XCloner – Site Backup and Restore and XCloner Google Drive

There are a few much bigger backup plugins than Xcloner. I like and recommend it however, because it lets you backup to Google Drive for free. This is often a paid for extra with other plugins.

The advantage of Google Drive is that you can set up a free Google account for your site and get 15GB of storage space. That should be plenty of space to save multiple site backups.

While this was originally created for cloning a site to new server, it’s work great for backups too.

After activating, go to Site Backups in the left hand menu and then Remote Storage.

Click Google Drive Storage to open the controls. Before clicking the link to create a new application click the question mark icon to watch a video explaining what you need to do.

You can the enter your Client ID and Secret and authorize the connection. The Folder ID or Root Path setting has some help information by clicking the question mark.

Setting the Google Drive Cleanup to five to seven days should be fine. Ensure you set Keeps Deleted Backups in Trash to Disabled. Don’t forget to click the Save Settings button.

With storage set, go to Generate Backups.The default settings should be fine, so you can click the Generate Backup tab and then the Start Backup button.

When it completes the backup, be sure to click the Schedule Backup tab and set the backup to run on a regular basis. You should set it to send the backup to your remote storage location. I usually set this to run once a day, but if your site rarely changes, you can make this less often.


This recipe gives you the basics for helping make your site faster and more secure.

It should be one of the first things you do when configuring a new WordPress site. Don’t ever put this off till later because there’s more exciting things to do.

These steps are essential, so always get them out of the way first. Don’t become one of those site owners who learns their lessons the hard way.

I’m Ian Pullen and when not working as a dog and cat butler, I’m a designer/developer and writer who works on projects for solopreneurs, SMBs and multi-nationals like Unilever and Lenovo.
Learn more


© Ian Pullen - Shoestring Hustle 2018