WordPress is the most popular website platform in the world, powering nearly half of all websites. Its flexibility is unmatched. Whether it’s being used as a simple blog, a full business website, an online shop, or even a vibrant online community, WordPress has something for everyone. But with that flexibility comes complexity, and many site owners don’t always know how to get the most out of it.
That’s where this new five-part blog series comes in. We’ve gathered the top tips and tricks for WordPress that every site owner should know. From the moment you install WordPress to the way you secure, optimize, and grow your site, these tips will help you avoid common pitfalls and unlock your site’s full potential.
Here’s how the series will break down:
- Setup & Configuration – the essential first steps to configure WordPress correctly.
- Performance & Speed – how to make your site lightning fast and keep visitors happy.
- Security Best Practices – protecting your site and community from hackers, bots, and bad actors.
- SEO & Marketing – tips to get found on search engines and build a steady stream of visitors.
- Content & Design – creating a site that looks great, works smoothly, and keeps users engaged.
And since many of you are building communities with PeepSo, we’ll also highlight where built-in features save you from installing another plugin, giving you both simplicity and peace of mind.
Let’s get started with Setup & Configuration, the foundation of every great WordPress site.
Change the Default Admin Username
Every hacker on the internet knows that WordPress once used admin as the default username. If that account still exists on your site, it’s the very first thing they’ll try in a brute force attack.
Instead, create a new administrator account with a unique username, log in with it, and delete the old admin account. This simple step can stop thousands of automated attacks.
Use a Strong Password and Two-Factor Authentication
A weak password is like leaving your door unlocked. Make sure your administrator account uses a long, unique password with a mix of letters, numbers, and symbols. Even better, enable two-factor authentication (2FA).
That way, even if someone guesses or steals your password, they won’t be able to log in without a one-time code from your phone. Many WordPress security plugins offer this, and some hosting providers include it as well.
It’s not absolutely necessary to enable 2FA on every account, but for those with administrative roles, it’s essential.
Set the Correct Timezone
This might sound like a silly suggestion, but setting your site’s timezone correctly is crucial. Go to Settings → General → Timezone and select the city closest to you.
Why does this matter? Scheduled posts in PeepSo or WordPress, event calendars, and automated tasks (like backups) all rely on your site’s clock. If it’s wrong, you might find your posts going live in the middle of the night instead of at peak traffic hours.
Change the Default WordPress Login URL
By default, every WordPress site uses /wp-admin as its login address. Bots know this and hammer it with login attempts daily.
Changing the login URL makes it harder for attackers to even find your login page. This won’t stop a determined hacker, but it can dramatically reduce the volume of automated attacks.
There are already many articles written about changing the /wp-admin path, which can be done either directly with code or by using third-party plugins.
Keep WordPress, Themes, and Plugins Updated
Updates aren’t just about new features; they often patch critical security holes. Running outdated themes or plugins is one of the most common reasons WordPress sites get hacked.
Be diligent with your updates, and make it a habit to check your dashboard weekly. If you’re running a community site with PeepSo, always update the PeepSo core and add-ons to the same version number to ensure maximum compatibility and performance.
Disable Directory Indexing
On some servers, if there’s no index.php file in a folder, the server will happily list all files in that directory. That could expose sensitive files like images, backups, or logs.
Fixing it is simple: add this line to your .htaccess file:
Options -Indexes
That’s it. From then on, curious eyes won’t be able to browse your site’s folders. On servers that don’t support .htaccess (like Nginx), you’ll need to configure the server directly or contact your hosting provider for help. Solutions exist, but they aren’t simple one-liners like the one shown above.
Limit Login Attempts
Brute force attacks are still one of the most common threats to WordPress sites. Hackers use bots to try hundreds or thousands of password combinations until they get lucky.
The best defense? Limit login attempts. This means that after a certain number of failed logins, the user (or bot) gets temporarily locked out.
Normally, you’d need a plugin to do this. But if you’re running PeepSo, you already have this protection built in. PeepSo’s login security tools let you configure lockouts, set rules for failed attempts, and even integrate captcha, giving your community members peace of mind while reducing spam and bot activity.
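To show what a login-attempt limiter actually does under the hood, here is an added example of a small must-use plugin that counts failed logins per client and refuses further attempts for a while. It is illustrative code written for this post, not PeepSo’s or WordPress core’s implementation; the plugin name, the prefix `sll_`, and the limits (5 attempts, 15 minutes) are assumptions you can adjust.

```php
<?php
/**
 * Plugin Name: Simple Login Lockout (hypothetical example)
 * Drop this file into wp-content/mu-plugins/ and WordPress loads it on every request.
 */

define( 'SLL_MAX_ATTEMPTS', 5 );                     // failed logins allowed before lockout
define( 'SLL_WINDOW', 15 * MINUTE_IN_SECONDS );      // counting window and lockout length

// Key the counter by client IP. REMOTE_ADDR is set by the web server and cannot be
// forged by the client; only trust X-Forwarded-For if you sit behind a proxy you control.
function sll_client_key() {
    return 'sll_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// Fires for every failed login (wrong password or unknown user). Each failure
// re-arms the transient, so attempts made while locked out extend the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = sll_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLL_WINDOW );
} );

// Refuse authentication while the client is over the limit. Priority 30 runs after
// core's username/password checks (priority 20), so the counter stays accurate.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // plain GET of the login page, nothing to rate-limit
    }
    if ( (int) get_transient( sll_client_key() ) >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', SLL_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( sll_client_key() );
} );
```

Because the counter is keyed by IP, members behind a shared office or mobile-carrier address can lock each other out; that is the trade-off every limiter of this kind makes, and why a captcha fallback is useful.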
Backup Your Site Regularly
Even the most secure site can run into problems. Servers crash, human errors happen, and sometimes plugins conflict. Without a backup, you risk losing all your hard work.
The best practice is to set up automated, offsite backups. Modern backup plugins can save daily snapshots of your site to Google Drive, Dropbox, or Amazon S3. That way, if disaster strikes, you can restore your community in minutes.
Use a Staging Site for Testing
Never test major updates or plugin installations on your live community site. A broken update can take down your site and frustrate members instantly.
Instead, use a staging environment, a safe clone of your site where you can test changes first. Many hosting providers offer one-click staging. If yours doesn’t, plugins can create one for you.
Once you’ve confirmed that everything works as expected, you can push those changes live without fear.
Disable XML-RPC if You Don’t Need It
XML-RPC is an older protocol that allows apps to connect to WordPress remotely. Unfortunately, it’s also a common gateway for brute force attacks.
If you’re not using the WordPress mobile app or remote publishing, it’s best to disable it entirely. You can do this with a small snippet in your .htaccess file or by using a security plugin.
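As an added example (not code from the post or from PeepSo), this is the plugin-side way to switch XML-RPC off; it assumes a must-use plugin file and uses only WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (hypothetical example)
 * Place in wp-content/mu-plugins/ so it is active on every request.
 */

// Disables every XML-RPC method that requires authentication, which is what
// password-guessing bots use (including batched calls via system.multicall).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Pingbacks do not require authentication, so the filter above leaves
// pingback.ping reachable. Remove those methods explicitly as well.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header...
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ...and the RSD discovery link that points clients at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
```

Note that xmlrpc.php still answers requests (with an error), so the file is reachable; blocking it at the web server, as the .htaccess approach above does, is what makes requests stop before PHP runs at all.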
What’s Next?
The way you configure WordPress in the beginning sets the foundation for your site’s success. By following these setup and configuration tips, you’ll have a faster, more secure, and more reliable WordPress site.
And if you’re running PeepSo, you’ve got an even bigger advantage: some of these security and login-related tips are already built right into the platform.
Next up: In volume two of this series, we’ll dive into Performance & Speed Optimizations, because nobody likes a slow website, especially not your community members.