Every WordPress website requires specific configuration settings to ensure it’s built on a strong foundation. Consistency reigns supreme in my ever-so-humble opinion. That’s why whenever I’m building a new site for a client, I use my basic WordPress settings checklist before I start installing a theme or plugins.

Here’s what to consider, in order:

1. General Settings

Location: Settings → General

This is basic housekeeping, but it matters.

  • Site Title & Tagline: The site title appears in browser tabs, search results, and RSS feeds (yes, people still use RSS feeds, albeit much less often than years ago). Make it accurate. The tagline is often displayed in themes and picked up by search engines, so use something descriptive, not “Just another WordPress site.”
  • Site Icon: This is where you upload an appropriately sized favicon of your client’s logo. I always ensure I use a site icon to make the site look professional. Plus, it helps the client’s branding when visitors begin to recognize the favicon in their browser tab. Make sure the image is on a transparent background!
  • WordPress Address (URL) & Site Address (URL): Both should match and both should use https:// (not http://).
  • Administration Email Address: What you enter here depends on how you run your business. If you’re simply selling the site to a client and will not offer maintenance or hosting, then use the client’s preferred email. However, if you’re hosting the client’s site and conduct maintenance, use an email that you monitor regularly. WordPress can send critical alerts like plugin updates, new user registrations, comment notifications, etc. Choose wisely.
  • Membership & Default Role: Unless you’re intentionally running a membership site, leave “Anyone can register” unchecked. If you do require registrations, set the default role to Subscriber for now. Never use Editor or Administrator. You can change this in the future if you create custom user roles.
  • Timezone: Set this to the client’s actual timezone. This affects scheduled posts and it’s surprisingly easy to forget.
  • Date Format: Pick a consistent format. ISO (Y-m-d) is clean but it’s not commonly used to display the date in the United States. Choose a format that is familiar to the client’s locale. I prefer F j, Y, which displays the date as June 3, 2026. It’s clear and professional which is perfect for most businesses.
  • Time Format: The same goes for the time format. I prefer g:i a which displays the time as 12:50 pm. Some people prefer the a.m./p.m. capitalized, so choose g:i A for them.
  • Week Start: Finally, unless you’re outside the US, change the week start to Sunday. To the rest of the world, the week starts on Monday.

2. Permalinks

Location: Settings → Permalinks

This is one of the most important settings on this entire list, and one of the most commonly skipped.

By default, WordPress uses plain URLs like /?p=123. These are terrible for both SEO and usability.

Change your permalinks structure immediately, ideally before publishing any content. Changing it later will break existing URLs (requiring redirects to fix).

The two most popular options:

  • Post name (/sample-post/): Clean, readable, and great for most websites.
  • Custom structure with category (/%category%/%postname%/): This one is my personal favorite for blogs or sites with articles.

For most sites, Post name is the right choice. Select it, click Save Changes, and move on.

Note: Saving permalink settings also regenerates your .htaccess file (on Apache servers), which is what makes clean URLs actually work.


3. Reading Settings

Location: Settings → Reading

Two things to check here immediately:

  • Search Engine Visibility: Make sure the checkbox that says “Discourage search engines from indexing this site” is unchecked. This gets accidentally left on from development and will tank the site’s discoverability. Go check it right now!
  • Your homepage displays: Decide whether your front page shows your latest post or a static page. For most business sites, a static homepage is the right call. For blogs, latest post is fine, as long as you design the archive template properly.

4. Discussion Settings

Location: Settings → Discussion

Comment spam is a real problem on WordPress. Set the defaults now so you’re not cleaning up a mess later.

Default Post Settings

Three checkboxes control what’s enabled on every new post by default:

  • “Attempt to notify any blogs linked to from the post”: This sends a pingback to external sites you link to. It’s rarely useful and contributes to pingback spam across the web. Uncheck it.
  • “Allow link notifications from other blogs (pingbacks and trackbacks)”: This lets other sites notify you when they link to you. In theory it sounds nice, however, in practice it’s almost entirely spam. Uncheck it.
  • “Allow people to submit comments on new posts”: Keep this checked if your client wants comments or uncheck it if they don’t. Either way, individual posts can override this setting, so you can always enable or disable comments post by post.

Other Comment Settings

  • “Comment author must fill out name and email”: Check this. It adds minimal friction for real commenters and deters some bots. Plus, later on you can tie it into your client’s email marketing platform.
  • User must be registered and logged in to comment”: Only enable this if you’re building a membership or community site. For most sites it creates unnecessary friction.
  • “Automatically close comments on posts older than X days”: Enable this and set it to 30-60 days. Old posts are the biggest spam targets on WordPress sites and rarely need active comment sections. Disable it if the client’s site relies on active engagement with posts.
  • “Show comments cookies opt-in checkbox”: If your client is subject to GDPR or similar privacy regulations (most sites are), enable this. It lets returning commenters opt in to having their info saved.
  • “Enable threaded (nested) comments”: Fine to leave this enabled if your client expects active discussions. 5 levels deep is the default and is more than enough. Most sites do not require this.

Comment Pagination

If your client is expecting high comment volume, enabling pagination keeps page load times reasonable. For most sites this doesn’t matter. Leave it off until it’s needed. If you do enable it, set “last page” as the default display so new comments are visible first.

Email Me Whenever

  • “Anyone posts a comment”: Useful when the site is getting started. Turn it off once comment volume makes it too noisy for your client.
  • “A comment is held for moderation”: Keep this on. You want to know when something needs an administrator’s approval.

Before a Comment Appears

  • “Comment must be manually approved”: This is the safest default. Every comments goes through administrator approval before it’s published. Loosen this once your client has a track record of what legitimate comments look like.
  • “Comment author must have a previously approved comment”: A good middle-ground setting. Once the admin approves someone’s comment once, they get through automatically. This works well in combination with manual approval for new commenters.

Comment Moderation

WordPress holds comments in the queue if they contain a certain number of links. The default is 2. That’s a reasonable threshold. Most spam comments are link-heavy. You can also add specific words, phrases, URLs, or IP addresses to the moderation queue here (one per line). Your client can build this list up over time as they see patterns in their spam.

Disallowed Comment Keys

Any comment matching words or IPs in this list goes straight to Trash, not the moderation queue. Use this for patterns you’re confident are always spam. Be conservative here. False positives mean legitimate comments get silently deleted.

Avatars

Avatars are pulled from Gravatar based on a commenter’s email address. “Show Avatars” is on by default but I always disable it. Most website visitors don’t have a Gravatar and it doesn’t add any real benefit to have it enabled. Only use this if the client site is a membership or community site, and even then, you can set up better ways to use avatars than Gravatar.

If your client isn’t planning to use comments at all, the cleanest solution is to uncheck “Allow people to submit comments on new posts” under the Default Post Settings and be done with it. You can ignore everything else in this section if that’s the case.


5. Media Settings

Location: Settings → Media

WordPress automatically generates multiple sizes of every image you upload (thumbnail, medium, large). The defaults are fine for most sites, but it’s worth knowing they exist and can be adjusted if needed.

More importantly: make sure you have a consistent image optimization workflow. Large, uncompressed images are one of the top causes of slow WordPress sites. Either use an image optimization plugin or compress images before uploading.


6. User Settings & Security

Location: Users → All Users

  • Change the “admin” username: If WordPress created a default admin account, create a new account with a different username, make that new user an admin, then delete the old default admin account. Brute-force bots target admin as the first login attempt on every WordPress site.
  • Use a strong password: Use a password manager and generate strong, random passwords. Don’t reuse passwords on any client site…ever.

7. Updates

Location: Dashboard → Updates

Keep WordPress core, themes, and plugins up to date. The majority of WordPress hacks exploit known vulnerabilities in outdated software.

You can enable automatic background updates for minor releases in wp-config.php:

php

define( 'WP_AUTO_UPDATE_CORE', true );


For plugins and themes, consider enabling automatic updates for trusted ones, especially security-critical plugins like your firewall or login protection tool.


8. The wp-config.php Essentials

Your wp-config.php file controls some settings that aren’t accessible in the dashboard.

A few worth adding:

php

// Force SSL for admin and login pages
define( 'FORCE_SSL_ADMIN', true );

// Limit post revision storage (default is unlimited)
define( 'WP_POST_REVISIONS', 5 );

// Disable the file editor in the dashboard (security best practice)
define( 'DISALLOW_FILE_EDIT', true );

// Set debug mode (leave false on production)
define( 'WP_DEBUG', false );


The file editor setting (DISALLOW_FILE_EDIT) is particularly important — it prevents someone who gains dashboard access from injecting malicious code directly through the theme or plugin editors.


A Quick Checklist

Before you do anything else on your new WordPress site, confirm you’ve handled:

  • Site title and tagline set
  • URLs using https://
  • Permalinks set to “Post name”
  • Search engine visibility is on (checkbox unchecked)
  • Comments configured or disabled
  • Default “admin” username removed
  • Strong password
  • Auto-updates configured
  • DISALLOW_FILE_EDIT added to wp-config.php

Getting these settings right takes about 30 minutes. Not getting them right can cost you your business. Do it on every site and everything you build on top will be on solid ground.