You just installed WordPress. Before you publish anything, a handful of settings and cleanup steps will save you real headaches later, and two of them decide whether Google can even find your site.
This WordPress setup checklist is the one I run through on every new site, grouped so you can work top to bottom in about an hour. Each step has the exact admin path and a quick note on why it matters, with links to deeper guides where you want them.
- Set your permalinks to Post name before you publish a single post, or you create redirects later.
- Make sure Discourage search engines is unchecked at launch. It is the most common silent reason a new site never ranks.
- Set your site title, tagline, timezone, and a dedicated admin email, then delete the default Hello World post, Sample Page, and unused themes.
- Lock down the login: no “admin” username, a strong password, two-factor authentication, and limited login attempts.
- Install one SEO plugin, one caching plugin, and automated offsite backups. Skip standalone sitemap plugins, core handles that now.
- Set up SMTP so your site’s emails actually arrive, force HTTPS, and connect Google Search Console and GA4.
Start With the Settings That Affect SEO
A few settings shape how search engines see your site, and they are worth getting right before you publish, because changing them later means cleaning up broken links and lost indexing.
Start with your permalinks. Under Settings > Permalinks, choose Post name so your URLs read as /your-post-title/ instead of ?p=123. Doing this on day one avoids the redirects you would otherwise have to manage after publishing, and our complete permalinks guide covers the edge cases.
Next, make sure Google is allowed in. Under Settings > Reading, confirm that “Discourage search engines from indexing this site” is unchecked when you go live. That box is checked on many fresh installs and staging copies, and forgetting to clear it is the single most common reason a new site quietly never appears in search.
Finally, set your site title and tagline in Settings > General. Replace the default “Just another WordPress site” with something real, since both feed your branding and can show up in search results.
Configure Your Core WordPress Settings
With the SEO basics handled, work through the rest of the general settings. In Settings > General, set your real timezone and date format so scheduled posts publish on time, and point the site email at a dedicated address like [email protected] rather than your personal inbox. While you are there, leave “Anyone can register” unchecked unless you genuinely need public accounts, since open registration is a favorite target for bots.
Then decide what your front page shows. Under Settings > Reading, pick a static page for a business or brochure site, or keep “Your latest posts” for a pure blog. And in Settings > Discussion, require approval for comments, turn off pingbacks and trackbacks (almost pure spam now), and decide whether you want comments at all. If you would rather switch them off entirely, our guide on disabling comments in WordPress covers every method.
Clean Up WordPress’s Default Content
Every fresh install ships with placeholder content and demo files. Clearing them out takes a couple of minutes and keeps your site tidy:
- Delete the demo content. Trash the “Hello World!” post, the “Sample Page,” and the sample comment. They exist only to show you what content looks like.
- Replace the “Uncategorized” category. Create a real default category under Posts > Categories, set it as the default in Settings > Writing, then delete Uncategorized.
- Remove plugins you will not use. Delete “Hello Dolly” and any other bundled plugins you do not need, keeping Akismet if you plan to use it. Here is how to install and manage plugins the right way.
- Delete inactive themes. Keep one current default theme as a fallback and remove the rest, since inactive themes still need security updates. Our steps for deleting WordPress themes walk through it.
Lock Down Security and Login
Bots hammer every WordPress login around the clock, so a little hardening up front pays off. Start with the account itself: if your install created an “admin” username, make a new Administrator with a unique name and remove the old one (our guide covers how to change your WordPress username safely). Pair a strong, unique password with two-factor authentication, either an authenticator app or a passkey, which is the single biggest thing standing between a bot and your dashboard.
From there, limit login attempts so a flood of failed passwords gets locked out, and consider moving your login off the default address to cut the bot noise (here is how to change your WordPress login URL). Round it out with a security plugin or firewall such as Wordfence or Solid Security, plus comment and form spam protection, starting with our guide on stopping WordPress spam comments. On any site you have inherited, it is also worth rotating the secret keys in your wp-config.php to invalidate old login cookies, which you can do in your browser with our free WordPress salt generator.
Install Your Essential Plugins
You only need a handful of plugins to start, one per job. Resist the urge to install twenty, since each one is code you have to maintain. Our roundup of the best WordPress plugins has specific picks, but these are the categories to cover:
- One SEO plugin. Pick a single option (Yoast, Rank Math, or AIOSEO) for titles, meta descriptions, and your XML sitemap. Never run two, and skip the old standalone sitemap plugins, since core and your SEO plugin already generate one.
- Caching and a CDN. A caching plugin plus a CDN like Cloudflare cuts your load time, which affects both conversions and Core Web Vitals. Our guide on speeding up WordPress covers the setup.
- Automated, offsite backups. Set up a backup plugin that sends copies to offsite storage, and test a restore once. Do not rely on your host alone. Here are five ways to back up a WordPress site.
- SMTP for reliable email. WordPress sends mail with PHP by default, which often lands in spam or fails silently. An SMTP plugin routed through a real provider makes sure your contact-form, password-reset, and notification emails arrive.
- SSL and forced HTTPS. Confirm your certificate is active, load the site over HTTPS, and redirect all HTTP traffic. Our .htaccess guide includes the redirect rules.
Build Out Your Site
Now you can make it yours. Install and activate your theme, then upload a square site icon (at least 512 by 512 pixels) for your favicon. If you plan to edit theme files or CSS, do that work in a child theme so updates do not wipe your changes. Build your primary navigation under Appearance > Menus (or with the Navigation block in the Site Editor on a block theme), and create your core pages: an About, a Contact, and a Privacy Policy, which WordPress can draft for you under Settings > Privacy. WordPress has no built-in contact form, so add one with a form plugin.
Connect Analytics and Search Console
Once a little content is live, connect the two tools that tell you how the site is doing. Verify your site in Google Search Console and submit your sitemap (usually /sitemap.xml) so Google knows your pages exist. Then add analytics, either GA4 through Google Site Kit or a privacy-first option like Plausible or Fathom if you would rather skip the cookie banner.
New in 2026: WordPress 7.0 Settings to Know
If you are starting on WordPress 7.0 “Armstrong” (released May 2026), a few things look different from older tutorials. The headline addition is a native AI framework, so you will notice a new Connectors screen for linking AI providers. It is entirely opt-in: set up a provider there if you plan to use AI features, or ignore it, since the actual generation tools still require installing the separate official AI plugin. Our roundup of WordPress AI plugins covers the options.
Beyond that, confirm your host is running PHP 8.1 or newer for speed and security (here is how to check your PHP version), and take a minute to get familiar with the refreshed dashboard. There is a modern admin design, a command palette you can open with Ctrl+K (or Cmd+K on Mac), and the Site Editor for customizing block themes in place of the old Customizer.
Frequently Asked Questions
What should I do first after installing WordPress?
Start with the two SEO settings: set your permalinks to Post name under Settings > Permalinks, and confirm that “Discourage search engines” is unchecked under Settings > Reading. Those two affect every page you publish afterward, so they are worth doing before anything else.
Do I really need to change WordPress settings after installing?
A fresh install will run with the defaults, but several of them work against you: ugly permalinks, an indexing block that is sometimes left on, open user registration, and demo content. Spending an hour on this checklist saves you from cleaning up bigger problems later.
Is it safe to start a new site on WordPress 7.0?
Yes. For a brand-new site there is no reason to start on an older version. The new AI features are opt-in, so a stock 7.0 install behaves like any other WordPress site until you choose to turn them on.
Wrapping Up
Run through this list once and your WordPress site is on solid footing: search-engine ready, secure, fast, backed up, and free of demo clutter. None of it takes long, and doing it up front beats fixing it after you have published.
Brand new to WordPress and not sure where the install itself fits in? Start with our beginner walkthrough on how to start a WordPress blog, and if you are still choosing a host, see our tested picks for the best WordPress hosting.
