Best Practice for Setting Up WordPress

A guide for setting up a self-hosted WordPress site with considerations for security and optimisation.

This is best done during the initial installation and setup, but it can also be performed later.

  1. Install WordPress in its own directory

    Follow the instructions at the Codex.

    This has two main benefits:

    1. Your site’s root directory is kept tidy and organised.
    2. Security through obscurity – it makes the WordPress files of your site harder to find. The more obscure the name of the directory, the more secure it will be.

    This will change your login URL, but it can be made pretty with a trick.

  2. Choose an alternative admin username

    In older versions of WordPress (pre v3.0) the default admin username was “admin”. For anyone trying to break into your website, this is the account they would try first, as it has the most privileges. So keep them guessing by giving the account that holds administrator privileges a different username! You could always create a “Subscriber” account with the username “admin” later, so that anyone who breaks in wastes lots of time only to find they have broken into an account with no privileges.

  3. Change the table prefix

    The default table prefix in a WordPress installation is “wp_”. Protect against attacks on your site, such as SQL injection, by changing this to something obscure (that’s right, more security through obscurity!). Why not use an online password generator (just search Google) to pick your new prefix? The instructions at Digging Into WordPress guide you through changing the table prefix during installation or afterwards.

  4. Configure wp-config.php

    The wp-config.php file is where a lot of important WordPress settings are saved. Several of these settings enable you to boost security and tweak performance. Being such an important file, wp-config.php needs securing. The Codex page provides a reference for the different settings, and Digging Into WordPress has several useful guides (1, 2, 3).

    Some of the more important settings:

    1. Secure wp-config.php using .htaccess and file permissions – Digging Into WordPress
    2. Database settings
    3. Security Keys
    4. Revision Settings Control
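
    The following script is an added example and is not part of the original post or of WordPress itself. It audits a wp-config.php, read-only, for the points in items 3 and 4 above: the default “wp_” table prefix, security keys that are missing, still the sample placeholder, or short, an unset WP_POST_REVISIONS, and a file that is readable by other local users. The two sample configs it writes to a temporary directory are constructed for the demonstration; the key values in the “hardened” sample are stand-ins, and a real install should paste values from the WordPress secret-key generator at https://api.wordpress.org/secret-key/1.1/salt/.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only audit of a
# wp-config.php for table prefix, security keys, revision control and
# file permissions. Sample configs below are constructed.

# Value of `$table_prefix = '...';` in file $1 (empty if not found).
table_prefix_of() {
    sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\\([^'\"]*\\)['\"].*/\\1/p" "$1" | head -n 1
}

# Quoted value of define('NAME', '...'); in file $1 for NAME $2 (empty if absent).
define_value_of() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\\(.*\\)['\"][[:space:]]*)[[:space:]]*;.*/\\1/p" "$1" | head -n 1
}

# Print one WARN/NOTE line per weak setting found in the wp-config.php at $1.
audit_wp_config() {
    cfg="$1"
    if [ ! -f "$cfg" ]; then
        echo "ERROR: $cfg does not exist" >&2
        return 2
    fi

    # Item 3: a missing or default "wp_" prefix is what generic tooling assumes.
    prefix=$(table_prefix_of "$cfg")
    if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
        echo "WARN: table prefix is missing or the default 'wp_'"
    fi

    # Item 4, security keys: each must exist, not be the sample placeholder,
    # and be reasonably long (the official generator emits 64-character values).
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        v=$(define_value_of "$cfg" "$key")
        case "$v" in
            "") echo "WARN: $key is not defined" ;;
            *"put your unique phrase here"*) echo "WARN: $key still holds the sample placeholder" ;;
            *) [ "${#v}" -ge 32 ] || echo "WARN: $key is shorter than 32 characters" ;;
        esac
    done

    # Item 4, revision control: with no limit every edit adds a row to wp_posts.
    grep -Eq "define\([[:space:]]*['\"]WP_POST_REVISIONS['\"]" "$cfg" \
        || echo "NOTE: WP_POST_REVISIONS is not set; revisions are unlimited"

    # Item 4, file permissions: the file holds DB credentials and keys, so it
    # must not be readable by every local account (octal 004 = other-read).
    if [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "WARN: $cfg is readable by other users (chmod 600 or 640 it)"
    fi
    return 0
}

# Number of WARN/NOTE lines the audit produces for file $1.
count_findings() {
    audit_wp_config "$1" | grep -Ec '^(WARN|NOTE):' || true
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "as shipped" config: default prefix, placeholder keys, mode 644.
cat > "$WORK/wp-config-weak.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'example-only');
$table_prefix = 'wp_';
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
EOF
chmod 644 "$WORK/wp-config-weak.php"

# Constructed hardened config: custom prefix, long stand-in keys, revision
# limit, mode 600. Real keys come from the WordPress secret-key generator.
{
    echo '<?php'
    echo "define('DB_NAME', 'wordpress');"
    echo "\$table_prefix = 'k9q2x_';"
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        echo "define('$key', 'constructed-$key-0123456789abcdef0123456789abcdef0123456789');"
    done
    echo "define('WP_POST_REVISIONS', 5);"
} > "$WORK/wp-config-hardened.php"
chmod 600 "$WORK/wp-config-hardened.php"

for f in "$WORK/wp-config-weak.php" "$WORK/wp-config-hardened.php"; do
    echo "== $f"
    audit_wp_config "$f"
done
```

    Run it against a real install with `audit_wp_config /path/to/wp-config.php`; the weak sample produces eleven findings (prefix, eight keys, revisions, permissions) and the hardened sample none. The script only reads the file and never edits it, so it is safe to run on a live site.
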

  5. Install a backup service

    I recommend the XCloner plugin to back up your WordPress files and database.
