If you follow The CogitActive Saga, you might remember from the Installing WordPress post my many “What I should have done” textboxes. After signing up with SiteGround, I wanted to set up my domain (i.e. step #1 in SiteGround Getting Started Tutorial), but I was dragged into a series of events that resulted in the automatic installation of WordPress by SiteGround’s Wizard. To make a long story short, instead of checking my newly installed WordPress first, I resumed my intended course of action, that is pointing my domain name to my website.
While I did address in the aforementioned post (and textboxes) what I should have done instead, I did not cover in detail these preliminary setups, or to be more specific, the first entrance into the WordPress Dashboard. Too busy with large-scale projects (e.g. WordPress Multisite, Child theme), I could have forgotten about the very first thing you should do after installing WordPress. Better late than never!
When you log in to WordPress, the first thing you see is the Dashboard, which “presents information in blocks called widgets”[1]. There are five widgets included by default (with a new installation; see below), but plugins – as well as themes – can add new ones. You can also decide which of these to display using the Screen Options button at the top right of the Dashboard.
“You save screen space by customizing your Dashboard to suit your needs.” – Lisa Sabin-Wilson
All the widgets appear in the expanded (open) position by default, but each of them can be contracted (i.e. collapsed) by clicking anywhere within its title bar. The customization of the Dashboard goes beyond this feature, though, since you can rearrange the widgets by dragging and dropping them so that they appear in the order you prefer.
Welcome to WordPress!
This widget “shows links for some of the most common tasks when setting up a new site”[1]; these links are organized in three groups.
The Get Started group contains a Customize Your Site button that opens the Customizer, where you can tailor the active theme. The link below the button takes you directly to the theme-changing panel within the Customizer.
The Next Steps group provides self-explanatory links to various areas that would otherwise be accessible via the menu on the left (e.g. Pages > Add New). Thus, the Edit your front page link is a shortcut to the Homepage Settings panel (within the Customizer). The last link is nothing more than the URL of your site – it “opens your site, allowing you to view what it looks like to your visitors”[2].
The More Actions group, like the others, provides shortcuts to various areas – Appearance > Widgets, Appearance > Menus and Settings > Discussion – to accomplish what is labeled on the links (i.e. manage widgets, create menus and turn comments ON or OFF, respectively). The last link is different, in that it redirects to First Steps with WordPress (Classic Editor) – an article with more information about how to start using your new WordPress site.
To recap, except for the last link, which takes you outside the Dashboard, all the others are shortcuts to functionalities that can be accessed elsewhere. This brings me to the most useful part of this widget: the Dismiss link in the top right corner. This link “allows you to remove this [widget] if you’d rather not have it there”[2]. Actually, this simply unchecks the widget in the Screen Options list described earlier, meaning you can bring it back if needed.
At a Glance
As described in the WordPress.org article, this widget “provides a summary of the number of posts, pages, and comments on your site. Each of these content types are displayed in the form of a link and, when clicked upon, direct you to the specific area to manage that content”[1].
Below this information, there is a statement that tells you “what WordPress version you’re running on, as well as the current theme that you have activated on your site”[1]. Apparently, if you are using an outdated version of WordPress, this version announcement will tell you so and “encourages you to upgrade to the latest version”[2].
Activity
In keeping with the WordPress.org description, this widget “shows the upcoming scheduled posts, recently published posts, and the most recent comments on your posts – and allows you to moderate them”[1]. Specifically, WordPress displays a maximum of five recent items per category (i.e. the five most recent posts and the five most recent comments).
The comments can indeed be managed right from this widget. When you hover your pointer over a comment, six links appear below it: Approve/Unapprove, Reply, Edit, Spam, Trash and View. The links at the very bottom of this widget (All, Pending, Approved, Spam, and Trash) bring you to the corresponding tab in the Comments screen.
While Lisa Sabin-Wilson describes this widget as “a handy form that allows you to write, save, and publish a blog post right from your WordPress Dashboard”[2], I don’t see how this differs from Posts > Add New. One more and less!
WordPress Events and News
This widget “lists upcoming local events and the latest news from the official WordPress blog”[1]. It also pulls in posts from WP Tavern, a site focused on all things WordPress. Hence, it is a good place to “keep up with the latest WordPress related news”[1].
If you ever find yourself confused by a setting or feature on a specific screen, there is “a useful Help tab . . . located in the top-right corner of your Dashboard”[2]. This contextual tab displays helpful information and, what is more, provides help “that’s relevant to the screen you’re currently viewing in your Dashboard”[2].
“The topics and text you find in the Help tab exist to assist you while you work with the WordPress platform, helping make the experience as easy to understand as possible.” – Lisa Sabin-Wilson
You might not find all the answers there, but it is the first place you should check out for help.
Going through the above widgets, you may have noticed that At a Glance and Activity indicate that you have already published a post, namely “Hello World!”. You have even received a comment on that post – from Mr. WordPress in person! Last, but not least, you are also the proud author of a page. How is that possible?
This content is automatically added with every new WordPress installation so that you can get an idea of what your site can look like (i.e. so that it is not entirely blank). The dummy post is nothing more than a welcome and actually invites you to delete it and start writing your own. The dummy comment is simply a quick tutorial on how to manage comments. Similarly, the “Sample Page” provides dummy content and the following statement:
“As a new WordPress user, you should go to your dashboard to delete this page and create new pages for your content.”
Now, if you used SiteGround Wizard to install WordPress (as I did), instead of the aforementioned dummy page, you will have a “WordPress Resources at SiteGround” page. As suggested by its name, the latter contains general tips and links to their WordPress resources. While SiteGround argues that the goal of this page is to provide a better client experience by pointing the just-starting customer to useful resources, Nate Shivar has a different opinion about this page (see this section of his SiteGround hosting review). Basically, he claims that “if you don’t delete the page, you are in violation of Google’s Webmaster Guidelines and open to a manual penalty.”
The link scheme denounced by Nate Shivar could be a concern indeed; however, a more serious matter – a matter of security – alarms me! The mere existence of this content – live on the Internet – puts your website at risk.
Let me explain. Whether it is the dummy content published by WordPress or the resources page from SiteGround, they are all from the same author – that is, the sole user available on a new WordPress installation. You! What is wrong with that, you may wonder? The problem is that you are the Administrator. As you may know, this user role comes with full privileges; “the Administrator can do anything on a WordPress site (or multisite)”[3]. For this reason, it is the account most targeted by hackers; hence the crucial necessity to secure the Administrator account with strong login credentials.
You should also ensure it remains secure. Not disclosing either of your login credentials (i.e. Username and/or Password) is a good start. Indeed, if a hacker already has your Username, it is easier for them to find your Password using brute force attacks. That is why you should not use “admin” – the WordPress default username – for this account; hence the recommended security best practice of renaming the default WordPress administrator account. As explained in Installing WordPress, I did choose a strong Password, as well as a complex Username, for my login information. So what is the problem?
Keep your Administrator account secure!
“Securing the WordPress administrator account and ensuring it remains secure is not just a one time procedure, but a continuous process.” – Robert Abela
Given the prime importance of this, it is worth mentioning (or reiterating) some best practices:
- Do not use any default (e.g. admin) or easy to guess Username.
- Choose a strong Password (i.e. at least 12 characters long and consisting of letters, numbers and symbols).
- Do not share your credentials[4].
- Log in ONLY via HTTPS. Otherwise, someone listening in can steal your Username and Password.
- Only use the Administrator account when its privileges are needed.
- Do not write and publish any content with the WordPress administrator account.
While there is no security solution that works 100%, these tips will improve the security of your Administrator account, hence of your website!
As listed in the textbox, a basic rule is never to publish anything using the WordPress Administrator account. Never! Let me explain why. Publishing the aforementioned dummy content made the name of the author, and, what is more, the Username of that author, publicly available. Again, that would not be a concern for an author with a lower role (see below), but it is a serious problem when the author happens to be the Administrator. As explained in this video by LattePress, if you publish a blog post (or a page), the Username of the author will be disclosed, “thus making it easier for a malicious attacker to launch a targeted dictionary, or password brute force attack”[3].
You may think that your site might never be the victim of a targeted attack. The truth is that every online website is a target. In fact, “WordPress sites are under constant attack by bots attempting to guess your users’ passwords”. Sure enough, it didn’t take long for hackers’ crawlers to find my Username (as divulged by the aforementioned dummy content) and use it in brute force attacks. Fortunately, I had a very strong password.
To recap, delete the aforementioned dummy content immediately; it puts you at risk! Don’t wait until it’s too late; hackers’ crawlers are faster than you can imagine.
In addition, as advised in the above video, you should create a new user with a lower role (e.g. Author or Editor) to publish your content. Moreover, it is best to mask the Username of this user by providing a Nickname (within the User Profile screen) and selecting this Nickname from the Display name publicly as drop-down menu. More tips coming soon on that matter.
“Create a separate account with a lower role (such as Author) and use that account for everyday posting. Reserve the Administrator account purely for administration of your website.” – Lisa Sabin-Wilson
When you install WordPress, it comes with three default themes, namely Twenty Fifteen, Twenty Sixteen and Twenty Seventeen (at the time of my installation). As recounted in How did I choose my theme?, I decided to go for the outstanding Twenty Seventeen theme. What about the other two?
“If you aren’t using them, why not do a little housekeeping on your themes?” – The WordPress team
Removing themes that you are not using is actually a good practice. First, it makes your site more secure: the more themes you have installed, the more opportunities for hacking. Second, it helps you save some storage space, as well as reducing the size of your backup. Third, once deleted, you don’t have to bother with keeping them updated: less workload for you, the dashboard and the server! This might actually result in a nominal performance improvement as well.
Of course, you don’t want to delete an active theme. Moreover, it is recommended to keep at least one of these default themes – ideally the most recent one – for troubleshooting. They can be an invaluable tool for ruling out theme conflicts.
For the same reasons put forward for themes, you want to delete plugins that you are not using. There are two plugins – Hello Dolly and Akismet – bundled with any installation of WordPress. Actually, as already alluded to in Setting up WordPress Multisite, SiteGround installed a slightly customized version of WordPress (beyond the aforementioned page), that is, with an additional plugin, namely Jetpack.
The question, however, is which of these three pre-installed plugins will I use? While the decision to delete the two unused default themes was a no-brainer, determining the fate of these plugins will require more thoughts…
Coming next: Goodbye Dolly
[1] See Dashboard Screen.
[2] Lisa Sabin-Wilson (2017) WordPress All-in-One For Dummies – Third Edition. Hoboken, New Jersey: John Wiley & Sons.
[3] Robert Abela (2019) Securing the WordPress Administrator User Account. WP WhiteSecurity.
[4] As explained by Robert Abela[3], “if a developer needs administrator access to your WordPress site, create a temporary administrator account for the developer and once the project is ready, delete such account”. I followed this sound advice during a recent misadventure (see A (SiteGround) ticket to hell cont’d and A (SiteGround) ticket to hell concl’d).