Please see the handy WordPress installation guide here.
Also see this guide on setting up WordPress on our servers.
WordPress core files
Never edit any core files within WordPress.
Theme
See the theme guidelines here.
Plugins
Please install the below plugins by default:
- Advanced Custom Fields Pro (we have a pro account and license key which is on our internal server).
- Gravity Forms (as above we have a pro account and license key)
- WP Rocket (as above we have a pro account and license key)
- Wordfence
- Yoast SEO
Activate all of them except Wordfence, which will be activated when the site is set live.
WP Config
Ensure wp-config.php contains the code below (to stop admin users installing plugins, taking unauthorised backups of the site, etc.).
define( 'DISALLOW_FILE_MODS', true );
Htaccess
Your htaccess boilerplate file should have 3 things in it:
- A link to the htpassword
- WordPress’s permalink structure
- A statement to protect xmlrpc.php from hacking attempts.
# Password-protect the site with HTTP Basic auth (credentials live in the .htpasswd file)
AuthUserFile /var/www/vhosts/example.com/subdomains/subdomain-name/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user admin
# WordPress permalink structure
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# Deny all requests to xmlrpc.php
<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>
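As an added example (not part of the original guide), the shell script below audits a site directory against the wp-config.php and .htaccess requirements above. The function names are hypothetical, accepting Apache 2.4's "Require all denied" alongside "deny from all" is an assumption of the example, and the sample site is constructed.

```shell
#!/bin/sh
# Added example: audit a WordPress document root against the checklist above.
# Assumption: PHP block comments (/* ... */) are not handled, only # and // lines.

RE_NOMODS="define\([[:space:]]*['\"]DISALLOW_FILE_MODS['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"

# has FILE REGEX: true if a line of FILE that is not commented out matches REGEX
has() {
    [ -f "$1" ] && grep -Ev '^[[:space:]]*(#|//)' "$1" | grep -Eiq "$2"
}

# xmlrpc_blocked FILE: true if a <Files "xmlrpc.php"> block denies all access.
# Accepts the guide's "deny from all" and Apache 2.4's "Require all denied".
xmlrpc_blocked() {
    [ -f "$1" ] && awk '
        { line = tolower($0) }
        line ~ /<files[ \t]+"?xmlrpc\.php"?[ \t]*>/ { inblk = 1; next }
        line ~ /<\/files>/ { inblk = 0 }
        inblk && line ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ { ok = 1 }
        END { exit !ok }' "$1"
}

# check LABEL CMD...: run CMD, print PASS/FAIL and count failures in $fails
check() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# audit_wp_site DIR: exit status is the number of failed checks (0 = compliant)
audit_wp_site() {
    fails=0
    check "wp-config.php sets DISALLOW_FILE_MODS to true" has "$1/wp-config.php" "$RE_NOMODS"
    check ".htaccess references a password file" has "$1/.htaccess" '^[[:space:]]*AuthUserFile[[:space:]]+[^[:space:]]'
    check ".htaccess has the permalink rewrite" has "$1/.htaccess" 'RewriteRule[[:space:]]+\.[[:space:]]+/index\.php'
    check ".htaccess denies access to xmlrpc.php" xmlrpc_blocked "$1/.htaccess"
    return "$fails"
}

# Constructed sample site (not a real install), built from the snippets in this guide
demo=$(mktemp -d)
printf "<?php\ndefine( 'DISALLOW_FILE_MODS', true );\n" > "$demo/wp-config.php"
printf '%s\n' 'AuthUserFile /var/www/vhosts/example.com/subdomains/subdomain-name/.htpasswd' \
    'RewriteRule . /index.php [L]' '<Files "xmlrpc.php">' 'Order Allow,Deny' \
    'deny from all' '</Files>' > "$demo/.htaccess"
audit_wp_site "$demo"
rm -rf "$demo"
```

A define that is commented out or set to false, or a deny rule placed outside the xmlrpc.php block, is reported as FAIL.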
Htpassword
Your htpassword file should contain the line below, which incorporates our standard site login details:
admin:$apr1$VektGQLH$N2amQZZMFdiWALB2ye6fc/
WordPress settings
- Settings > Permalinks should be set to ‘Post Name’
- Never tick ‘Discourage search engines from indexing this site’ when setting up the site or during development.