James' WordPress install checklist as of February 2012

This is intended as just a reminder: a summary checklist. The "how-to" links have more info and screenshots.
This checklist is written for WordPress 3.0.

What you need to do for WordPress to work is highlighted like this. Recommendations look like this. Entries like this are things i like to do — you may like them, or they may not fit your needs.

!!! After wget, CHANGE local php file exts to html !!! and remove this line !!! or you're gonna look really stupid on the live site !!!

Installing WordPress

install: Step 1 - General do's

  what why how-tos
  Always access your site cPanel with "https", not "http". Security: Your connection is encrypted, so your password and information can't be sniffed by a hacker.
  You will need "shell access" on your account to do these. If you don't have it, contact your hosting company and get it.
  Always upload files with sftp or scp, not just plain ftp.
  Be ready with:
  • Access info for your web server (via shell or FTP)
  • A text editor (like NotePad++)
  • An FTP Client (like FileZilla)
  • FireFox web browser
  If you have problems:
  • Deep breath.
  • Read error messages.
  • Remember that a thousand other people probably already had the same problem — and you can find their answers!
  Multiple sites (WPMU) If you are installing multiple sites together, for multi-language etc., you will have some other things to do.

install: Step 2 - Database and WordPress files

  what why how-tos
Create database
  Collation and connection collation: utf8_general_ci (Unicode) — so that any language will work in your site.
  Make my local development database with same name as live (usually has accountname_dbname format) Easier to transfer things between development and live.
  Make my local site development username and password use my local root username and password Easier to take care of things on local — otherwise i would have a lot of different username/passwords on local for different sites i'm developing.
Upload unzipped WordPress (or copy to local site folder)
  Upload files into ...
  • If developing a new WordPress site for an existing website, make a subdomain and put wordpress files in the subdomain folder.
  • Otherwise put the files in the main document root ('www', or 'public_html').
But not as a sub-folder of the main site document root, without subdomain (like mysite.org/wpsite/). This is kinda messy, and not necessary — a subdomain is much cleaner.
  Check file/folder permissions writeable by server:
  • .htaccess
  • wp-content/uploads folder
WordPress writes permalink instructions to htaccess
wp-content/uploads folder needs to be writeable so server can save uploaded files in it.
  Maybe: Make a subdomain for media files Sometimes i would rather have all images, videos, etc on a separate subdomain. (If i do this, then i can't upload through WordPress' Media Manager, and so also i can't get automatic image resizing and thumbnails.)  
  Changing wp-admin folder name? Security. Would be a good thing to be able to do — but we can't do it yet. Just to let you know.

install: Step 3 - wp-config.php

  what why how-tos
Edit wp-config.php
  Rename wp-config-sample.php to wp-config.php So it will work :)
  Move wp-config.php to folder above document root, with permissions 640. Security – WordPress will find it there, but it is not accessible through web (by hackers!).
  Edit wp-config.php for database info So WordPress can access the database :)
  In section "Authentication Unique Keys and Salts" do what it says there: Security.
  In section "WordPress Database Table prefix":
Change the normal "wp_" value of the $table_prefix to something different.
Security. Make it something hard to hack, like 'xz84lt_' – Only WordPress uses it, you never have to type it again.
  Set debug
  • define('WP_DEBUG', false);
    (Just have it there. Then if we ever have problem and want to see error messages, change false to true)
See error messages when we have a problem with our code or some plugin.
  Modify the auto-save interval:
  • define('AUTOSAVE_INTERVAL', 160 );
    (the default is 60 seconds)
Longer delays in between auto-saves saves space in database. Also i think you will be less likely to get the annoying "there is a new auto-save" message.
  Modify number of post revisions:
  • define('WP_POST_REVISIONS', 5);
    (Save only the last 5 revisions.)
Save space in database. On most sites we don't need every revision to a post, way into the past.
  Maybe do other advanced options for wp-config.php For security, debugging, etc.
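As an added example (not part of the original checklist), here is a small shell script that audits an install against the wp-config.php points in this step: the file sits one folder above the document root with mode 640, the table prefix is not "wp_", the keys and salts are no longer the sample placeholders, and WP_DEBUG is off. The two sample installs it builds in a temp directory are constructed for the demo, and the "accountname/public_html" layout is an assumption.

```shell
#!/bin/sh
# Added example, not from the checklist: audit a WordPress install against
# the wp-config.php points above (location above the document root, mode 640,
# non-default $table_prefix, real salts, WP_DEBUG off). Sample configs are
# constructed here so the script runs on its own; paths are assumptions.

# Octal mode of a file (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_wp_config DOCROOT
# Prints each problem found; returns 0 when all checks pass, 1 otherwise.
check_wp_config() {
    docroot=$1
    fails=0
    conf="$docroot/../wp-config.php"   # where the checklist says it should live
    if [ ! -f "$conf" ]; then
        conf="$docroot/wp-config.php"  # the out-of-the-box location
        if [ ! -f "$conf" ]; then
            echo "FAIL: no wp-config.php found for $docroot"
            return 1
        fi
        echo "FAIL: wp-config.php is inside the document root; move it one folder up"
        fails=$((fails + 1))
    fi
    mode=$(mode_of "$conf")
    if [ "$mode" != "640" ]; then
        echo "FAIL: wp-config.php mode is $mode, want 640"
        fails=$((fails + 1))
    fi
    # The default prefix makes every table name guessable.
    if grep -Eq '\$table_prefix *= *.wp_.' "$conf"; then
        echo "FAIL: \$table_prefix is still 'wp_'"
        fails=$((fails + 1))
    fi
    # wp-config-sample.php ships this placeholder in every key/salt line.
    if grep -q 'put your unique phrase here' "$conf"; then
        echo "FAIL: authentication keys and salts are still the sample placeholders"
        fails=$((fails + 1))
    fi
    # Debug output on a live site shows paths and query details to visitors.
    if grep -Eq "WP_DEBUG'?, *true" "$conf"; then
        echo "FAIL: WP_DEBUG is true"
        fails=$((fails + 1))
    fi
    if [ "$fails" -eq 0 ]; then
        echo "OK: $conf passes all checks"
        return 0
    fi
    echo "$fails problem(s) in $conf"
    return 1
}

# make_sample_install BASE hardened|default
# Constructed sample: BASE/public_html is the document root.
make_sample_install() {
    base=$1
    kind=$2
    mkdir -p "$base/public_html"
    if [ "$kind" = "hardened" ]; then
        cat > "$base/wp-config.php" <<'EOF'
<?php
/* constructed sample: values are not real credentials */
define('DB_NAME', 'accountname_dbname');
define('AUTH_KEY', 'Kq7!constructed-random-phrase-3#pL');
$table_prefix = 'xz84lt_';
define('WP_DEBUG', false);
define('AUTOSAVE_INTERVAL', 160);
define('WP_POST_REVISIONS', 5);
EOF
        chmod 640 "$base/wp-config.php"
    else
        cat > "$base/public_html/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'accountname_dbname');
define('AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', true);
EOF
        chmod 644 "$base/public_html/wp-config.php"
    fi
}

# Stand-alone demo: one install of each kind, checked and cleaned up.
demo() {
    tmp=$(mktemp -d)
    make_sample_install "$tmp/good" hardened
    check_wp_config "$tmp/good/public_html"
    make_sample_install "$tmp/bad" default
    check_wp_config "$tmp/bad/public_html"
    rm -rf "$tmp"
}
demo
```

To use it on a real account, call check_wp_config with your document root (for example ~/public_html) instead of running the demo; the text checks are plain grep patterns, so a config that defines the same constants in an unusual layout may need them adjusted.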

install: Step 4 - Do the install!

  what why how-tos
admin username and password
  Make the admin username not "admin". Security: One more thing a hacker can't guess.
But don't have it be a person's name. 1) The admin account is a role, not a person. 2) That person may be gone in the future. So for both reasons, it looks silly.
  Give admin a secure password. Security: One more difficult thing for a hacker. Use letters (uppercase and lowercase), numbers and punctuation.

WordPress Settings

Now you are logged into wordpress. Before we start building anything, let's make some useful settings. (You can always easily change them later.)

settings: settings menu (In the left sidebar, at the bottom)

  what why how-tos
  E-mail address:
  • Use an address that is checked often. It should either be the admin's e-mail, or the person who gets it should forward the mail right away to the admin.
  • Don't use an address that is @yourdomain – if something goes wrong with your domain, WordPress can't send you mail!
Your WordPress install will send you mail if there is some problem on the site. Plug-ins may send mail to this address as well.  
  Timezone: You may want to set it to the timezone of the country of your site. Then the time you post a story, will show as the time of your country.
India is UTC+5:30
  Date format: j F Y is nice. It shows like:
23 October 2010
Something like 4/5/2010 is NOT useful. In most of the world that is 4 May 2010 — but in US and some other places, it is 5 April 2010!
  Size of the post box – i usually like it to be bigger, like 30 or 40 lines Give more room to write.  
  Settings here depend on the site.    
Discussion (comments)
  Uncheck "Allow people to post comments on new articles." Most of the sites i work on don't have comments.

If you decide to allow comments, be aware:
  • It is a lot of work to monitor the comments, both for spam and to make sure they are high quality.
  • You will definitely need to install Akismet and other security plugins!
Media Where files will upload through WordPress, and what sizes WordPress will change them to, when you use the WordPress "Media Manager"
  You may wish to keep things just as they are for now. As you get more experienced with WordPress, you may find things you want to change.
On some sites, i upload graphics, videos, etc on a separate subdomain, and don't use the Media Manager at all.
  "Uploading files" You can change where files are saved to on the server  
  "Organize my uploads into month- and year-based folders" I usually uncheck this.
If it is mostly a news website, then i will want this checked.
  Privacy: Keep the first option (site visible to search engines) checked, so Google etc. will index your site. What this does is put an entry in the robots.txt file that all search engines read.
Permalinks Always do permalinks! So you don't have ugly urls like index.php?p=234
  "Day and name" are most useful
  • Your .htaccess file is in the top folder of the WordPress files.
  • It needs to be writeable by the server (usually "world-writable")
  • If it is not there or not writeable, WordPress will tell you, and will display some text that you can copy and put into a file and upload.
    Remember that the filename has to be exactly .htaccess – notice that "."!
  • You can change it anytime as you get the idea what you need.
  • The settings will change how the url for "Posts" are displayed. At the same time, they will enable pretty URLs for "Pages", which will always appear as /parent_page_name/sub_page_name/ — nice!
  • After you have enabled or uploaded this file, change its permissions to not world-writeable. Hackers love to mess with this file. (If you change your permalink structure, you will need to remember to make it world-writeable again then so WordPress can change it. Then change it back again!)

settings: users (In the left sidebar, above "Tools")

  what why how-tos
Create user
  Make at least one non-admin user.
This user will add content: make posts, upload graphics, etc.
Security: Use the admin user only for doing admin things.
Security: Give all users good secure passwords.

settings: the dashboard (Left sidebar, very top - what you see when you first log in.)

  what why how-tos
Screen options
  • untick "WordPress Blog" and "Other WordPress News"
  • tick "one column"
cause i like it like that :) ...

settings: files and folders (things to do in the WP files themselves)

  what why how-tos
  In your theme's functions.php (or a small plugin):
  add_filter('login_errors', function ($a) { return null; }); Don't show error messages on the login page (they tell an attacker whether a username exists). The closure does what the original create_function() call did; create_function() is deprecated since PHP 7.2 and removed in PHP 8.
  remove_action('wp_head', 'wp_generator'); Security: Remove the WordPress version from the html head.
file permissions
  Theme files: Make all permissions 644
  • Now you will be able to view the stylesheets and template files through WordPress, but you won't be able to edit them.
  • This is a Good Thing. The WordPress theme editor is just a form textarea. It is not a real editor. It's ok for quick changes, but not for real edits.
  • Make your edits locally with your good powerful real text editor, test them on your local development install, and then upload to the server when they are all working!
  Make folders non-indexable
  • in .htaccess file: Options All -Indexes
  • adding index.html to each folder, that shows nothing, or redirects.
Security: You don't want hackers, or curious monkeys, to see the contents of your directories.
visual editor
  Remove it
  • Delete the wp-includes/js/tinymce/ directory.
    This will ensure that the visual editor cannot be loaded. And will automatically remove the "Use visual editor" checkbox on users' profile pages.
    (NOTE: you will need to delete or rename this directory after every WordPress upgrade.)
  • Why? The kind of sites i build are not for casual bloggers. I have custom fields and custom post types for content, and my code and the css adds the design. Much more efficient! Visual editors just mess this up.
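As an added example (not part of the original checklist), the script below applies the file and folder hardening from this section to a WordPress tree and then verifies it: theme files set to 644, "Options All -Indexes" in .htaccess, an empty index.html in every wp-content folder that lacks one, and .htaccess taken back from world-writable once WordPress has written its permalink rules. The directory layout it builds for the demo is constructed; WPROOT is assumed to be the folder that holds wp-content.

```shell
#!/bin/sh
# Added example, not from the checklist: apply the file and folder hardening
# from this section to a WordPress tree and verify it. The sample tree is
# constructed; WPROOT is the folder holding wp-content (an assumption).
# Try it on your local development copy before the live server.

# Octal mode of a file (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# harden_files WPROOT
harden_files() {
    root=$1
    ht="$root/.htaccess"
    # Theme files 644: viewable in the theme editor, not writable by the server.
    find "$root/wp-content/themes" -type f -exec chmod 644 {} +
    # Turn directory listings off, adding the directive only once.
    [ -f "$ht" ] || : > "$ht"
    grep -qxF 'Options All -Indexes' "$ht" || echo 'Options All -Indexes' >> "$ht"
    # Second layer: an empty index.html in every wp-content folder that has none.
    # (wp-content/uploads itself stays writable; only listings are blocked.)
    find "$root/wp-content" -type d | while read -r d; do
        [ -e "$d/index.html" ] || : > "$d/index.html"
    done
    # .htaccess is only world-writable while WordPress writes permalink rules;
    # afterwards take that back.
    chmod 644 "$ht"
}

# check_files WPROOT
# Prints each problem found; returns 0 when everything is hardened, 1 otherwise.
check_files() {
    root=$1
    fails=0
    # Any theme file still writable by group or others?
    writable=$(find "$root/wp-content/themes" -type f \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' ')
    if [ "$writable" -ne 0 ]; then
        echo "FAIL: $writable theme file(s) are group- or world-writable"
        fails=$((fails + 1))
    fi
    if ! grep -qxF 'Options All -Indexes' "$root/.htaccess" 2>/dev/null; then
        echo "FAIL: directory listings not disabled in .htaccess"
        fails=$((fails + 1))
    fi
    missing=$(find "$root/wp-content" -type d | while read -r d; do
        [ -e "$d/index.html" ] || echo "$d"
    done | wc -l | tr -d ' ')
    if [ "$missing" -ne 0 ]; then
        echo "FAIL: $missing folder(s) under wp-content have no index.html"
        fails=$((fails + 1))
    fi
    if [ -f "$root/.htaccess" ] && [ "$(mode_of "$root/.htaccess")" != "644" ]; then
        echo "FAIL: .htaccess mode is $(mode_of "$root/.htaccess"), want 644"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ] && { echo "OK: $root"; return 0; }
    echo "$fails problem(s) under $root"
    return 1
}

# make_sample_tree DIR: constructed, unhardened WordPress-like layout.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/wp-content/themes/mytheme" "$dir/wp-content/uploads" "$dir/wp-content/plugins"
    echo '/* constructed theme stylesheet */' > "$dir/wp-content/themes/mytheme/style.css"
    echo '<?php /* constructed template */' > "$dir/wp-content/themes/mytheme/index.php"
    chmod 666 "$dir/wp-content/themes/mytheme/style.css"
    printf '# RewriteRule lines written by WordPress would be here\n' > "$dir/.htaccess"
    chmod 666 "$dir/.htaccess"   # left world-writable after enabling permalinks
}

# Stand-alone demo: check, harden, check again, clean up.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "--- before"; check_files "$tmp"
    harden_files "$tmp"
    echo "--- after";  check_files "$tmp"
    rm -rf "$tmp"
}
demo
```

Remember the caveat from the permalinks step: when you change the permalink structure later, WordPress needs .htaccess writable again, so run check_files afterwards to confirm it went back to 644.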


Some things you may want to do in your theme files.

theme: theme files

  what why how-tos
Child theme
  • Don't make changes to a theme: Make a "child theme"
It will inherit all the function and design goodness of the parent theme, and you can change anything you want in your child theme.
You can upgrade the parent theme, and it won't mess with your changes.
  In the <head> part:

<?php wp_head(); ?>
Make sure that you have wp_head() in your header — plugins use this action hook to put their special stuff in the <head>
  If you are using JQuery etc, in the <head> part:

<?php wp_enqueue_script("jquery"); ?>
If you are using any of the major javascript libraries such as jQuery, know that they are already included in WordPress. So call them like this.
Make sure they go before wp_head()
  At the end of your footer.php

<?php wp_footer(); ?>
Plugins use this action hook to put their special stuff in the footer of your page.

theme: general good practices

  what why how-tos
  • For font-size, use relative sizes, as %
  • Don't use absolute measurements, like px or pt
  • % works best in all browsers
  • In some browsers, people can't resize the font if it is set in px. This is not nice. (Web is not print!)
  • Use the JavaScript libraries that come with WordPress whenever possible.
Libraries such as jQuery will be updated when you update Wordpress
Libraries will be included more efficiently, and not duplicated.
  • Use anonymous function for jQuery code, like this:
        (function($) { // function to create private scope with $
            // Your code here
            // This is your private scope, can use $ without conflict.
        })(jQuery); // Invokes nameless function, pass it jQuery object.
To avoid global conflicts with other scripts using the shortcut "$" alias for the "jQuery" object.
Speed up your website
  • 35 best practices divided into 7 categories, to:
    minimize http requests, compress your html/css/javascript files, preload files, reduce size of images and cookies, and more.
When your website loads fast, your user is happy. When your user is happy, they get your website's message.

Plugins (for the site, admin, security)

plugins: for the site

  what why how-tos
Contact Form 7
download, unzip, activate.
Make many kinds of forms.
in wp-config.php
Restrict access to CF7 admin panel to site admin only.
define( 'WPCF7_ADMIN_READ_CAPABILITY', 'manage_options' );
define( 'WPCF7_ADMIN_READ_WRITE_CAPABILITY', 'manage_options' );
Subscribe 2
download, unzip, activate.
People can subscribe to your site and receive new posts in the mail
It looks pretty good and well supported. Haven't tried it yet.
  Customize: ... ...
Search Everything
download, unzip, activate.
WordPress' search isn't that good.
  Customize: Sidebar → Settings → Search Everything
Choose what you want it to search.

plugins: admin

  what why how-tos
Backup DB: WordPress Database Backup
download, unzip, activate.
Creates backups of your core WordPress tables as well as other tables of your choice in the same database.
  Customize: Include other tables in the backup.
Backup Files: Wordpress Backup (by BTE)
download, unzip, activate.
Backs up upload (images), current theme, and plugin directories. (These are the ones you need.)
Are available for download and optionally emailed to a specified email.
  Customize: Adjust the interval between backups, and the email address to which the backups are sent.
Cache plugin: WP SuperCache
download, unzip, activate.
Make site faster
Can also protect against some kinds of hacking attempts.
Get the plugin, and read the how-tos:
  Customize: See the settings at the plugin page, and Recommended settings, from HostGator.com:
JW Admin
download, unzip, activate.
Customize look and functionality of WordPress admin and login.
(See list of everything this does in Description heading of the jw-custom-admin.php file.)
  • Customizes look of login and admin screens, with colors and site logo.
  • Display some instructions on dashboard.
  • Remove some Dashboard widgets we don't need.
  • Remove wordpress info; don't show errors on login screen.
  • Makes so that theme and plugin files cannot be edited through WordPress.
  • Adds custom role "Observer" — i can give students an account where they can see everything on the back end, including administrator-level, without being able to do anything.
  • Make some changes for admin in the wp-admin files:
    • Remove "Visit Site" button; change formatting; reword tooltips; change "Howdy";
    • remove "Favorite actions" menu.
  • Get from james
  • See header comments in main plugin file jw-custom-admin.php
Customising the admin can be helpful to your back-end users, and it's fun too! Here's some ideas:
  Customize: No settings interface — To modify, edit jw-custom-admin.php file; customize css in css files.
Maintenance Mode
download, unzip, activate.
Show nice page while site is down for maintenance
  Customize: ... ...
Reveal IDs
download, unzip, activate.
See id numbers of posts, pages, categories, etc.
You need to "save the options" for it to start working. Click on that link, then scroll down to blue "Save Changes" button and click.
Sidebar → Settings → Reveal IDs ...
Can choose which items you want to see ids for. I just check all of 'em!
User role that can see the ids?
"Author" for page, post, and link. Administrator only for all the others.
Site Statistics
download, unzip, activate.
See what people are doing on your site
Tracks views, post/page views, referrers, and clicks.
Requires a WordPress.com API key.
All of the processing and collection runs on WP servers and not yours, so it doesn't cause any additional load on your hosting account.
To install:
  1. Create a stats directory in your plugins directory. Typically that's wp-content/plugins/stats/
  2. Into this new directory upload stats.php and open-flash-chart.swf from the plugin folder.
  3. Activate the plugin through the "Plugins" menu in WordPress.
  4. It will ask you to enter your WordPress.com API key: do that.
  5. Sit back and wait a few minutes for your stats to come rolling in. (View in your dashboard.)
  Customize: Nothing to do, unless you want to get radical and edit the plugin file.
download, unzip, activate.
See who's logged in.
Adds display of users online at bottom of "right now" admin widget in dashboard, and adds a widget (in appearance section) that you can put on a web page.
  Customize: nothing - it just works.

plugins: security

Your very first security defenses are good passwords, backups, and anti-virus on your Windows machine.
There is no magic plugin to protect you from yourself :)

  what why how-tos
  Anti-spam: Akismet It is already there in your plugins.
Follow the instructions: get an API key, and enable it.
  Anti-spam: Bad Behavior For link spam, if you have comments, forums, etc.
  Firewall: WordPress Firewall Looks like this is the only firewall plugin.
Investigates web requests with simple WordPress-specific heuristics to identify and stop most obvious attacks
But it was last updated August 2009, and is not getting a lot of downloads.
  Security scanner: Exploit Scanner Searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames. It does not remove anything. That is left to the user to do.

Know more

About installing WordPress :
About WordPress Security:
General info:

It would be great to have Tibetan and Chinese translations of this page. Can you help? Contact us! http://tibetangeeks.com/contact/