WordPress is a very easy to use and very efficient blogging platform. However, that doesn’t mean it, nor its users, are perfect.
There are some mistakes that even experienced WordPress admins seem to make when setting up and running a WordPress install. Some of them are due to WordPress’ default settings, others are just easy to forget and lose track of.
So, if you’re a WordPress user and want to make sure you didn’t forget anything, here’s a quick rundown of some of the most head-slappingly easy mistakes you can make.
(Note: All of the page references are from WordPress version 2.7.1 and are for self-installed WordPress blogs. Your setup may be different.)
First, log into your admin section and visit the “General” page under the “Settings” drop down. There, look for the following items:
- Change the Tagline: It can be easy to forget to change the tagline if you don’t use it in your theme. Still, it is important to change it because A) It may be used in metadata for your site and B) You may change your theme.
- Check Your Email: Change your email address recently? Make sure it’s correct here. It is used for several administrative functions. You will also want to do this on your profile.
- Disable Membership: If you do not require users to register to comment, you probably don’t have much use for this feature so it is best to disable it.
- Check Your Timezone: Your timezone doesn’t change for daylight saving time, so it is important to check and make sure it is still accurate. This is especially likely to cause problems when you schedule (forward post) new entries.
Next, under the settings drop down, visit the “Writing” page and check the following items:
- Disable Remote Publishing: If you don’t use external blog editors, it is best to disable both Atom and XML-RPC publishing as they could feasibly be a security risk. If you do use such an application, be sure to keep them enabled.
- Disable Post Via Email: Make sure that the post via email feature has bogus information unless it is a feature you actively use. You don’t want that option available as it too could be a security issue.
- Check Update Services: Make sure that, at the very least, Pingomatic (https://rpc.pingomatic.com/) is in your Update Services box. You may wish to add additional links, such as FeedBurner (https://ping.feedburner.google.com).
Next, also under the “Settings” drop down, open the “Privacy Settings” page and check this one item:
- Enable Blog Visibility: Make double sure that your blog is visible to the search engines. Many disable this feature when they work on their blogs but forget to re-enable it.
Also under the settings drop down, open up your “Permalink Settings” page and check the following item:
- Use “Pretty” Permalinks: WordPress’ default permalinks are pretty ugly (/?p=xxx) and changing them is important for SEO and reader benefit. If you are changing from a permalink structure other than the default, use a permalink migration plugin so that your existing URLs keep working.
Under the Users tab, make sure of the following items:
- Remove “Admin” Account: Ensure that the default “admin” account has been removed and that the actual administrator logs in under a different username. Leaving the default account in place is a security problem.
- Delete Unused Accounts: Remove any accounts that you aren’t actively using. This reduces the number of ways an attacker can log in to your site.
- Check Permissions: Also, make sure that none of the remaining accounts has more permissions than it needs.
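The settings and user checks above can also be run as a script against an export of the wp_options and wp_users tables. The following is an added example, not code from the post: it assumes you have loaded option_name/option_value pairs into a dict and user logins with their roles into a list; the option names are the WordPress 2.x ones (enable_xmlrpc and enable_app were removed in later versions), and the 2.x default tagline is an assumption.

```python
"""Audit WordPress options and users against the checklist above (added example)."""

# Defaults as shipped by the WordPress 2.x installer (assumption; verify for your version).
DEFAULT_TAGLINE = "Just another WordPress weblog"
DEFAULT_MAILSERVER = "mail.example.com"

def audit(options, users):
    """Return findings; options maps option_name -> option_value as stored, users is [(login, role)]."""
    findings = []
    if options.get("blogdescription", "") in ("", DEFAULT_TAGLINE):
        findings.append("tagline: still the default or empty")
    if "@" not in options.get("admin_email", ""):
        findings.append("admin_email: not a valid address")
    if options.get("users_can_register") == "1":
        findings.append("membership: anyone can register")
    # enable_xmlrpc / enable_app exist in WordPress 2.6 through 3.4 only.
    for opt, label in (("enable_xmlrpc", "XML-RPC"), ("enable_app", "Atom")):
        if options.get(opt) == "1":
            findings.append(f"remote publishing: {label} publishing enabled")
    if options.get("mailserver_url", DEFAULT_MAILSERVER) != DEFAULT_MAILSERVER:
        findings.append("post via email: a real mail server is configured; confirm you use it")
    if "rpc.pingomatic.com" not in options.get("ping_sites", ""):
        findings.append("update services: Ping-O-Matic missing")
    if options.get("blog_public") != "1":
        findings.append("privacy: blog hidden from search engines")
    if not options.get("permalink_structure"):
        findings.append("permalinks: default ?p= structure in use")
    if "admin" in {login.lower() for login, _ in users}:
        findings.append("users: default 'admin' account still exists")
    admins = [login for login, role in users if role == "administrator"]
    if len(admins) > 1:
        findings.append(f"users: {len(admins)} administrators ({', '.join(admins)})")
    return findings

# Constructed sample data: a blog with several of the mistakes from the post.
SAMPLE_OPTIONS = {
    "blogdescription": DEFAULT_TAGLINE, "admin_email": "owner@example.com",
    "users_can_register": "1", "enable_xmlrpc": "0", "enable_app": "1",
    "mailserver_url": DEFAULT_MAILSERVER, "ping_sites": "http://rpc.pingomatic.com/",
    "blog_public": "0", "permalink_structure": "",
}
SAMPLE_USERS = [("admin", "administrator"), ("jane", "administrator"), ("bob", "editor")]

if __name__ == "__main__":
    for finding in audit(SAMPLE_OPTIONS, SAMPLE_USERS):
        print("WARN", finding)
```

Run it after every round of theme or plugin work; an empty result means the items on this list are in order, not that the site is secure.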
WP Super Cache
Finally, if you have WP Super Cache installed visit the admin page under the settings drop down and make sure of the following things:
- Enable Super Cache: This is an extremely easy mistake to make. Many disable Super Cache while they make changes and forget to re-enable it. Double check that it is enabled and that it is set to the highest setting practical.
- Check Your Expiration Time: Read the information below the two expiration times (there may only be one if you are on half-on mode) and make sure your expiration time is within reason. Too long or too short may slow your site down.
- Disable Lock Down: If you have “Lock Down” mode enabled, disable it. Unless you are in the midst of a major traffic surge, having it on causes issues with your site, including comments not posting.
In the end, this isn’t intended to be a complete list of WordPress mistakes, much less a complete guide on securing WordPress (feel free to leave your suggestions/stories in the comments). These are just some of the easier mistakes to make that might not always be obvious when looking at your site.
It’s worth taking a few moments every once in a while to do a “reality check” to make sure your settings are in order and your house is fairly clean. After all, we all make mistakes (I’ve made a few of these myself, some repeatedly), but the key is to catch them before they become a problem.
If you can do that, you might not be a perfect administrator, but your readers might not know it.