You just installed WordPress. The installer finished, you logged in, and you’re staring at the dashboard. Everything looks fine. It isn’t.
Out of the box, WordPress ships with a set of defaults that made sense in 2005 and haven’t been revisited since. Some of them are mildly annoying. A few of them will actively hurt you — in search rankings, in security, or in the inbox of everyone who links to your posts.
Here’s the list. Go through it once, in order, and you won’t have to think about most of it again.
1. Settings → General
This is the easy one. Four things to check:
- Site Title and Tagline — WordPress fills these in with “Just another WordPress site” if you skip them during install. Change both. The tagline shows up in browser tabs and search results on some themes.
- WordPress Address and Site Address — make sure both use https://, not http://. If your SSL certificate is installed and these still say http, fix them now. Don’t change the domain here unless you know exactly what you’re doing — it can lock you out.
- Email Address — this is where WordPress sends admin notifications. Make sure it’s an address you actually read.
- Timezone — set it to your actual timezone. WordPress defaults to UTC. If you schedule posts and the timezone is wrong, they’ll publish at the wrong time. Ask us how we know.
2. Settings → Reading
The checkbox that kills your SEO
There is one checkbox on this page that can silently destroy months of SEO work: “Discourage search engines from indexing this site.” It’s meant for sites under development. It is sometimes left checked when sites go live. Google will not index a single page of your site while this box is ticked, and it won’t tell you why.
Uncheck it. Save. Done.
While you’re here: check that Blog pages show at most is set to 10 posts. The default is 10, but if someone changed it to something large, your homepage and paginated archives will load slowly.
3. Settings → Discussion
Comments and pingbacks. Most small business sites don’t need either.
What to turn off
Pingbacks and trackbacks are a relic of 2006 blog culture. Today they’re almost exclusively used for spam and DDoS amplification attacks. Turn them off.
Comments — your call. If you want community engagement, keep them. If you’re running a business site or a solo blog, the spam-to-signal ratio isn’t worth it. Turn them off and don’t look back.
4. Settings → Permalinks
URL structures compared
WordPress defaults to Plain permalinks — URLs that look like yoursite.com/?p=123. These are unreadable, unshareable, and invisible to search engines.
Change it to Post name. Your URLs will look like yoursite.com/your-post-title/ — clean, memorable, and SEO-friendly. Do this before you publish anything. Changing permalink structure after you have indexed content breaks every existing URL and requires redirects.
5. Users → Your Profile
Change “admin” to something else. If your username is still admin, automated bots are already trying to log in with it right now. WordPress doesn’t let you change your username directly — you need to create a new administrator account with a real username, log in as that account, and delete the old admin user (assigning its content to the new account when prompted).
Use a strong password. WordPress generates one for you during install. If you changed it to something you’d remember easily, change it back to something you wouldn’t. Use a password manager. This isn’t optional.
6. Tools → Delete the Default Content
Default content WordPress ships with
WordPress ships with a “Hello World!” post and a “Sample Page.” Delete both. They serve no purpose on a real site and make you look like you didn’t finish setting up.
While you’re at it, go to Posts → Categories and rename “Uncategorized” to something that matches your content — or create real categories and make one of them the default so nothing lands in Uncategorized automatically.
7. Appearance → Editor (or Theme Settings)
If your theme has a customizer or settings panel, go through it once and set:
- Site icon (favicon) — the small image that appears in browser tabs. Use a square version of your logo, at least 512×512px.
- Logo — upload your actual logo, not the theme placeholder.
- Colors — match your brand if the theme supports it.
None of these affect how WordPress functions, but they’re the difference between looking like a real business and looking like a demo site.
“The settings that hurt you most are the ones you never knew existed. The ‘discourage search engines’ checkbox has killed more small business SEO efforts than any algorithm update.”
One More Thing: Disable XML-RPC If You’re Not Using It
XML-RPC is a remote publishing protocol that WordPress has shipped with since version 3.5. It’s also one of the most commonly exploited attack vectors on WordPress sites — bots hammer it constantly trying to brute-force credentials.
If you’re not using the WordPress mobile app or a remote publishing tool that requires it, disable it. Add this to your theme’s functions.php:
// Switch off the XML-RPC methods that require a login (remote publishing, app access).
add_filter( 'xmlrpc_enabled', '__return_false' );
Or use a security plugin like Wordfence, which blocks XML-RPC attacks at the firewall level before they ever reach WordPress.
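The xmlrpc_enabled filter only switches off XML-RPC methods that require authentication; the pingback methods need no login and stay registered. The added example below (not from the original post) is a must-use plugin that covers both and, unlike an edit to functions.php, survives a theme switch or update. The file name is an assumption.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example)
 *
 * Save as wp-content/mu-plugins/harden-xmlrpc.php. The file name is an
 * assumption; any .php file in mu-plugins is loaded automatically.
 */

// 1. Disable every XML-RPC method that requires a username and password.
//    This is what stops credential guessing through xmlrpc.php.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. The filter above leaves unauthenticated methods registered, so remove
//    the pingback methods from the method table explicitly.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 3. Stop advertising the pingback endpoint in HTTP response headers.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Remove the RSD discovery link from <head>, which points clients
//    at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
```

Requests still reach xmlrpc.php and get an error response; to keep them away from PHP entirely, block the file at the web server or firewall.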
The Checklist
- Settings → General: HTTPS URLs, correct timezone, real email address.
- Settings → Reading: uncheck “discourage search engines.”
- Settings → Discussion: disable pingbacks, disable or moderate comments.
- Settings → Permalinks: switch to Post name.
- Users: change the admin username, use a strong password.
- Content: delete Hello World and Sample Page, rename Uncategorized.
- Appearance: set favicon and logo.
- Security: disable XML-RPC if unused.
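To confirm the checklist on a live install, the added script below (not part of the original post) reads the stored options behind each setting and lists what is still at a risky default. It assumes WP-CLI is available and is run as `wp eval-file audit-defaults.php`; the file name, function name and finding texts are this example's own.

```php
<?php
// Added example: run inside WordPress, e.g. `wp eval-file audit-defaults.php`.
function audit_wp_defaults() {
    $findings = array();

    // Settings → General: both URLs should start with https://.
    foreach ( array( 'siteurl', 'home' ) as $opt ) {
        if ( 0 !== strpos( (string) get_option( $opt ), 'https://' ) ) {
            $findings[] = "$opt is not an https:// URL";
        }
    }
    // Install default: empty timezone_string with a zero gmt_offset (UTC).
    if ( '' === (string) get_option( 'timezone_string' )
        && 0.0 === (float) get_option( 'gmt_offset' ) ) {
        $findings[] = 'timezone is still the UTC default';
    }
    // Settings → Reading: blog_public is 0 while the box is ticked.
    if ( '0' === (string) get_option( 'blog_public' ) ) {
        $findings[] = 'search engines are discouraged (blog_public = 0)';
    }
    // Settings → Discussion: incoming and outgoing pingbacks.
    if ( 'open' === get_option( 'default_ping_status' ) ) {
        $findings[] = 'pingbacks and trackbacks are accepted on new posts';
    }
    if ( get_option( 'default_pingback_flag' ) ) {
        $findings[] = 'outgoing pingbacks to linked blogs are enabled';
    }
    // Settings → Permalinks: an empty structure means Plain (?p=123).
    if ( '' === (string) get_option( 'permalink_structure' ) ) {
        $findings[] = 'permalinks are set to Plain';
    }
    // Users: an account literally named "admin".
    if ( username_exists( 'admin' ) ) {
        $findings[] = 'a user named "admin" exists';
    }
    // XML-RPC: stays true unless a theme or plugin filter turned it off.
    if ( apply_filters( 'xmlrpc_enabled', true ) ) {
        $findings[] = 'authenticated XML-RPC methods are enabled';
    }
    return $findings;
}

foreach ( audit_wp_defaults() as $finding ) {
    echo "[!] $finding\n";
}
```

The XML-RPC check only sees the WordPress filter; a block applied at the web server or by a firewall plugin will not show up here.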
Twenty minutes, done once. You won’t regret it.