New to WordPress

I didn’t have any experience with WordPress until now, and all I can say is that it is a great CMS. With my LAMP background there wasn’t any problem customizing plugins or WordPress templates. This post should be a small cookbook of tips and tricks to do before publishing a WordPress site.

  1. Add essential plugins
  2. Turn on permalinks
  3. Remove unwanted themes
  4. Hide version and generator info
  5. Create robots.txt
  6. Add a sidebar to the single post pages
  7. Secure wp-admin
  8. Turn off automatic comment publishing
  9. Create favicon.ico

1. Add essential plugins

google-syntax-highlighter If you write about programming, scripts, HTML or CSS you will certainly need the google-syntax-highlighter plugin. It has brushes to paint PHP, Python, JavaScript, Ruby, Java … I also created a new brush for Apache configuration – shBrushApache.js – and described the plugin modification in Google Syntax Highlighter to load only needed brushes. A WordPress page with Google Syntax Highlighter and the applied modification now loads faster and saves bandwidth.
all-in-one-seo-pack This plugin adds meta data like keywords and description to every WordPress post. The process is automated and you only have to describe the page with tags and an excerpt. This meta data is used by search engines to better understand the HTML page.
sitemap-generator With the sitemap-generator plugin, WordPress will be able to create a sitemap page. I thought it would have an option to create an XML sitemap too, but unfortunately you will have to install another plugin for that purpose.
google-sitemap-generator With this plugin, your site will be able to serve a sitemap.xml file. With sitemap.xml, Google and other search engines will find and index your pages faster.

Some of these plugins come in multilingual form – that is nice and welcome – but if your site isn’t multilingual, you can delete the other language files. This will make your WordPress installation smaller.

2. Turn on permalinks
Before going live, don’t forget to turn on permalinks. Search engines like a readable link format, and that leads to a better page rank.

Settings -> Permalinks -> Custom Structure [/%category%/%postname%/]

3. Remove unwanted themes
If you use only one WordPress theme, the other themes can be deleted to save space. Themes are located in the wp-content/themes/ directory. I deleted all except the default theme.

4. Hide version and generator info
As a webmaster, I advise you to hide version and generator info. Your site will not become unbreakable, but the chance of being attacked will be smaller. Worms and other monsters need suitable hosts to spread, and they find a suitable host by searching for generator and version info in the HTML source. In the /wp-content/themes/default/ directory you will find header.php and footer.php. Open them and remove the HTML lines about generator and version. In /wp-includes/general-template.php, near the end, you will find the get_the_generator function; before the return line, put $gen = '';

// function in /wp-includes/general-template.php

function get_the_generator( $type ) {
    switch ( $type ) {
        case 'html':
            // ...
            // [cut]
            // ...
    }
    $gen = ''; // quiet please
    return apply_filters( "get_the_generator_{$type}", $gen, $type );
}

In sitemap.xml I also found a comment about generator and version – grrrr. Open sitemap-core.php of the google-sitemap-generator plugin, find the lines with “generator=” and comment them out.

// $this->AddElement(new GoogleSitemapGeneratorDebugEntry("generator=\"wordpress/" . get_bloginfo('version') . "\""));
// $this->AddElement(new GoogleSitemapGeneratorDebugEntry("sitemap-generator-url=\"\" sitemap-generator-version=\"" . $this->GetVersion() . "\""));
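Both edits above touch files that the next WordPress upgrade overwrites (core and a plugin), so the version leak silently comes back. As an added example, not from the original post, the same result through WordPress hooks from the active theme's functions.php (or a file in wp-content/mu-plugins/). It goes one step further than the post and also strips the ?ver= query string that core appends to its own scripts and styles, which carries the same version number. The function name hide_version_from_assets is my own choice; note that readme.html in the document root still states the version and is not covered by this code.

```php
<?php
/*
 * Added example (not part of the original post): hide WordPress
 * version/generator information via hooks instead of editing core files.
 * Put this in the active theme's functions.php or in
 * wp-content/mu-plugins/hide-generator.php.
 */

// Stop wp_head() from printing <meta name="generator" content="WordPress x.y" />.
remove_action( 'wp_head', 'wp_generator' );

// get_the_generator() still builds the string for RSS/Atom feeds, RSD, export
// files and so on; the generic 'the_generator' filter blanks every output type.
add_filter( 'the_generator', '__return_empty_string' );

// Core enqueues its scripts and styles as .../foo.js?ver=<WordPress version>,
// which leaks the same information. Drop the ver argument when it equals the
// site version (theme/plugin assets with their own versions are left alone).
function hide_version_from_assets( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hide_version_from_assets' );
add_filter( 'style_loader_src', 'hide_version_from_assets' );
```

After activating, fetch the front page, a feed URL and the page source of a post and confirm no "WordPress x.y" string remains; the hooks survive upgrades, unlike the hand-edited general-template.php.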

5. Create robots.txt
When a search engine visits a Web site, it looks for robots.txt in the document root. In general, robots.txt describes the sections of your site where crawlers should not go. Why? To focus the search engine on the content and keep it out of the WordPress system and include folders. Search engines do not like content that repeats: once you write a post, it is accessible from the archive, the category, the trackback … To avoid duplicated content, add a few lines to the robots.txt file:

User-agent: *
Disallow: /archive/
Disallow: /category/
Disallow: /trackback

You can see my

6. Add a sidebar to the single post pages
I use the default Kubrick theme, and the single post page had no sidebar. Hmm, if someone lands directly on a post, they will see neither the categories nor the recent posts; the visitor will not be able to see the other content you have. To add the sidebar to the post template, go to the /wp-content/themes/default directory and open single.php for editing. In the case of Kubrick’s theme I made the following modification:

<!-- comment original line (change class name) -->
<!-- <div id="content" class="widecolumn"> -->
<div id="content" class="narrowcolumn">

and before the last line with the footer inclusion I added:

<?php get_sidebar(); ?>

7. Secure wp-admin
It is good to make wp-admin even more secure, to prevent direct access to the WordPress administration section. I’m not saying that the built-in PHP authorization isn’t good enough, but don’t hesitate to improve security if you can. In my webmaster experience I had to heal a defaced phpBB site. The first step in the forum’s resurrection was securing the /admin section. We used Apache Auth directives. In the case of WordPress, create two .ht* files inside the wp-admin directory:

# .htaccess file
AuthUserFile /path/to/document/root/wp-admin/.htpasswd
AuthName "Restricted Area"
AuthType Basic
require user mike

and create the .htpasswd file

# .htpasswd file

If you are familiar with Linux, .htpasswd can be created with the htpasswd utility, which comes with the httpd tools.

htpasswd -nb username password > .htpasswd

The default Apache configuration prevents access to .htaccess files, so if you can fetch .htaccess through the browser, you should add a few more lines to the .htaccess file:

# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

I had a little problem with securing the wp-admin directory. .htaccess was saved to the wp-admin directory, and I got a Page not found error. The fix was to place definitions of the 401 and 403 error messages in the .htaccess file. Here is the main .htaccess file from the document root directory:

# no directory indexing
Options -Indexes

# define error messages
ErrorDocument 401 "401 Error"
ErrorDocument 403 "403 Error"

# permalinks
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

8. Turn off automatic comment publishing
To turn off automatic comment publishing, go to the administration panel and check: An administrator must always approve the comment.

Settings -> Discussion -> An administrator must always approve the comment 

The administrator will have to manually review and publish every queued comment. Not suitable for sites with high traffic, but to start with WordPress – quite enough. I also found a nice trick against spambots written by Lee Robertson – Keep the Comment Bots at Bay. Spambots aren’t smart enough to understand JavaScript (yet). The trick is to use the form’s onSubmit event and point the form action to a hidden PHP page. The onSubmit event fires a JavaScript function placed in an external .js file. This will stop not only spambots but also visitors with JavaScript turned off – so be careful.
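The same idea can be done with WordPress hooks instead of a separate hidden PHP page, so the check runs before the comment is even written to the moderation queue. The following is an added example, not code from the original post or from Lee Robertson's article; it assumes a theme that renders the form with comment_form() (Kubrick's hand-written comments.php would need the hidden field added by hand), and the field name mysite_token and the token value are my own constructed choices. Keep the caveat from the text in mind: a fixed token only filters bots that never execute JavaScript, anyone who reads the page source can reproduce it, and visitors with JavaScript disabled are refused as well.

```php
<?php
/*
 * Added example (not part of the original post): JavaScript-only comment
 * submission via WordPress hooks. A hidden field is filled in by an onSubmit
 * handler; comments arriving without the expected value are refused in
 * preprocess_comment, before they reach the moderation queue.
 */

// Constructed token value; any string works, it is not a secret.
define( 'MYSITE_COMMENT_TOKEN', 'js-enabled' );

// Print the hidden field and the onSubmit handler inside the comment form.
// The 'comment_form' action fires inside <form> when comment_form() is used.
function mysite_comment_token_field( $post_id ) {
    ?>
    <input type="hidden" name="mysite_token" id="mysite_token" value="" />
    <script>
    (function () {
        var field = document.getElementById('mysite_token');
        field.form.addEventListener('submit', function () {
            field.value = <?php echo json_encode( MYSITE_COMMENT_TOKEN ); ?>;
        });
    })();
    </script>
    <?php
}
add_action( 'comment_form', 'mysite_comment_token_field' );

// Refuse comments that lack the token. Logged-in users and pingbacks/trackbacks
// are exempt because those do not arrive through the visible form.
function mysite_check_comment_token( $commentdata ) {
    $automatic = array( 'pingback', 'trackback' );
    if ( is_user_logged_in() || in_array( $commentdata['comment_type'], $automatic, true ) ) {
        return $commentdata;
    }
    $token = isset( $_POST['mysite_token'] ) ? (string) $_POST['mysite_token'] : '';
    if ( ! hash_equals( MYSITE_COMMENT_TOKEN, $token ) ) {
        wp_die(
            'Comments require JavaScript to be enabled.',
            'Comment blocked',
            array( 'response' => 403 )
        );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'mysite_check_comment_token' );
```

Leave the "administrator must always approve" setting on as well: this filter only drops submissions that skip the browser, and everything that passes still lands in the moderation queue.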

9. Create favicon.ico
When a browser visits a Web site, it asks for a 16×16 (or 32×32 or 48×48) icon in the document root. This icon is favicon.ico and is displayed in the address bar and in the bookmark list. The simplest method is to place favicon.ico in the document root. Or you can place favicon.ico in another location, but then you will have to tell the browser where to look:

<link rel="shortcut icon" href="/path/favicon.ico" type="image/x-icon"/>
<link rel="icon" href="/path/favicon.ico" type="image/x-icon"/>

Creating favicon.ico is not so hard; I used GIMP and an existing ico file. But testing was another story. I learned that IE6 will not display favicon.ico by default. You have to bookmark the page, or drag the icon in the address bar?! IE6 was driving me crazy because it cached the previous ico file. I couldn’t force IE to look for the new one. I cleared the cache (and offline content), cleared the history, restarted IE, deleted everything in Windows\Temp\Temporary Internet Files. Nothing! I also tried to clear all the cache and history, then log out and log in. In that case the new icon was shown in the browser – voila! But when I dragged and dropped the address bar icon to the desktop, the old icon was shown. I stopped there and moved on. A very, very dogged browser. On the other hand, Firefox works like a charm. Nothing special to perform – I saved the new favicon.ico, pointed FF at it, and the new icon was shown.

4 thoughts on “New to WordPress”

  1. wow this is the best tutorial which helped me to start publishing my site

    Thanks a lot Dbunic

  2. @Prasad – This post is a little bit old, but it can give a good point on where to pay attention during WordPress setup. It’s still useful for me as a verified cookbook …
