WordPress security - tips and tricks. We break and protect WordPress with our own hands

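Installing WordPress is the first step in creating a website. What do you do after installing WordPress? This is a common question that beginners ask. In this article, I will show you the top 10 most important things you should do right after you install WordPress.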

1. Change the name, slogan, time zone, and Favicon

The first three steps can be combined into one because you can quickly make these changes in the WordPress admin panel.

To change these, go to Settings in the toolbar and select General. Change both your site name and slogan to something that relates to your site.

Now scroll down the page to update your timezone. This functionality is important to show the most accurate date on your site, and it also helps with scheduling posting times.

Towards the middle of the page you're on (in the general settings), you'll find the option to set your time zone. You can select a city that is in the same time zone you live in, or set it to UTC. To find the correct UTC setting, you can check a site like http://www.timeanddate.com/time/map/ to make sure you have the correct time zone.

Then update the favicon. It's a small icon that appears in a browser tab next to the site's name, and it is essential to the identity of your site. People often remember Internet resources by this icon.

2. Change the permalink structure

Unfortunately, the default permalink structure is a URL structure that search engines don't like. So you need to change it to something else.

Go back to Settings, and then select Permalinks from the menu. There you will find several different options for establishing a new structure. The best ones to use are either Day and name or Post name.

Choose the one you prefer and then save your changes.

3. Setting reading options

You must also adjust your reading options.

Go to the Reading option in the menu and decide if you want your home page to show your latest posts or if you want to use a static page. Make your choice and then save your changes. You can always change this later, so don't hesitate too much.

4. Remove unused themes

Most WordPress users will install and test several themes before deciding which one to keep. Instead of leaving these unused themes installed, uninstall them. Themes, even those that go unused, will need to be updated.

Leaving them installed creates an unnecessary update chore. And without updates they become a danger to your website's security, as this may give hackers a loophole.

Luckily, deleting unwanted themes isn't hard at all. Just look for the menu item called Appearance, and then go to Themes. To delete a theme, hover over it and select Theme Details. After that, a window will open and the option to delete the theme will be available there.

5. Install the cache plugin

Why a cache plugin? Because it can help speed up your site. Caching helps take the load off your server and makes your site faster. This is very SEO friendly and also prevents your site from crashing under load.

I have WP Super Cache installed which is a great cache plugin for WordPress. Just install it and enable caching and you are one step closer to a faster site. There are other plugin options as well.

6. Improve WordPress Security

When it comes to your site, it's probably better to be safe than sorry. Be sure to read the following posts and take action.

7. Install an anti-spam plugin

Nobody likes spam.

Spam comments are a big problem for many WordPress site owners. Not only are they annoying, but they are also bad for SEO. To alleviate the problem, you should install an anti-spam plugin on your site. The most common is Akismet.


Akismet - This Automattic plugin is a premium anti-spam plugin that does wonders. If you choose to use it on your website then activate Akismet and get an activation code. The free version is limited but can be upgraded if you pay for it. I have it on the site, and I'm satisfied.


Antispam Bee – This is another great free plugin that helps block annoying spammers. While the Akismet plugin does a better job, it's also a great option.

Either way, make sure you use one of them.

8. Install SEO WordPress Plugin

SEO is an important part of any website, not just a WordPress one. In order for your blog posts to get the best results, you need to optimize them with an SEO plugin. While these types of plugins don't automatically boost your SEO, they will help you.

The best choice for many is the Platinum SEO Pack. This is an easy to use and configure plugin.

9. Optimization through social sharing

First, is it really important? Yes, absolutely! You don't have to wait for your site to get traffic; optimize it for social media right away. The best and easiest way to optimize your website for social media is to use a social plugin. But I wouldn't recommend doing that, because extra plugins slow down the site. Better to use the buttons from Yandex.

10. Start making regular backups

Now that you've spent so much time customizing WordPress, you don't want to lose them, do you? Well, in that case, you should create regular backups. Find out how to do it in the article.

So, all ten steps above are vital for a WordPress site. Obviously, there are other things that some would like to do once WordPress is installed, but these should be at the top of the list.

Getting it right in time is very important so you don't have to fix it later.


2014-12-19T14:26:18+00:00 Hope WordPress


Nadezhda Trofimova [email protected] Administrator Blog site


Security in WordPress is a very important topic when creating your web project. In this article, we will look at the basics of security when using WordPress, the most common methods and causes of hacking, and measures and means to protect your site from intruders.

Let's start with the most obvious and simple.

Weak password

The most common reason for hacking is the use of a weak password. This applies not only to WordPress sites, but also to email accounts, Twitter and Facebook profiles, and more. We are talking about passwords like 123456, "qwerty", etc.

When creating or changing a password in WordPress, there is a strength indicator to help you choose a stronger password:

  • Don't use dictionary words
  • Don't use the same password twice
  • Use lower and upper case letters
  • Use letters mixed with numbers
  • Add Symbols

You should also take the privileges of your users seriously. If you need to add a user to your site who will write new articles, then it is not recommended to give this user editor rights, much less administrator rights.

Sometimes it's good to have an editor account for yourself, separate from the administrator account. Then, if an attacker gets into that account, he will be able to delete all posts and pages, but he will not be able to edit the theme code, install plugins, or change site settings.

The username also plays an important role, so avoid using "admin" or "administrator" as the administrator username; that makes it more difficult for an attacker to guess the combination.

Password brute force

Brute force is the exhaustive enumeration of all possible combinations. A password of any complexity can be found this way; it's just a matter of time, and the more complex the password, the longer the enumeration takes. To protect against brute force, it is recommended to change the password from time to time.

Admin panel security tools

There are many ways to protect your WordPress admin panel from intruders. The most effective and common methods:

  • Block wp-admin directory by IP address
  • Server
  • Plugin - limits the number of invalid login attempts
  • Google Authenticator plugin - an additional authentication factor using a mobile application
  • Captcha plugin for admin login

Vulnerable WordPress Plugin

Today, there are almost 25,000 different plugins in the WordPress.org directory. Among them are vulnerable plugins that can provide an attacker with full access to your site. It is impossible to know in advance whether a particular plugin is safe, and checking for vulnerabilities can take from several hours to several weeks.

It's basically a matter of trust and reputation of the plugin developer. The likelihood of a vulnerability in a popular plug-in from a well-known developer is much less than in a completely new dubious plug-in. When choosing a plugin, pay attention to the number of downloads, update frequency, support forums, and other plugins from the same author, and if in any doubt, it's best to look for an alternative.

If you find a vulnerability in a particular plug-in, then the first thing to do is contact the developer personally, by email, via Skype, etc. If the plugin developer did not respond, then you should report it to [email protected] to remove the plugin from the WordPress.org directory.

Vulnerable WordPress Theme

Unlike plugins, all themes are thoroughly tested before being published in the WordPress.org directory, so there is little chance of finding a vulnerable theme in the directory. If you still find an insecure theme, first contact the theme developer, and then write to [email protected] to have it removed from the directory.

We also remind you that WordPress themes should only be downloaded from . Most problems arise just with themes downloaded from third-party and dubious resources.

Outdated plugin or theme version

When a vulnerability is discovered in their theme or plugin, the developer tries to fix it as soon as possible and release an update to their product. It is not safe to continue working with an old version of a theme or plugin, and it is best to update on the day the new version is released.

This applies especially to large and popular products. A recent example is the well-known W3 Total Cache caching plugin, which, in a certain configuration, gave an attacker full access to the site database. A few days later, an update to the plugin was released.

However, updates do not always go as smoothly as we would like. If you're not sure about an update, it's best to test it on your local machine, or on a test server, before doing it on a live site. If you have problems updating, you can always contact the developer through the support forums for help.

Outdated version of WordPress

Vulnerabilities are sometimes found in the WordPress core itself, so working with an old version is not safe. As with themes and plugins, it is worth updating on the day the update is released, especially if we are talking about a “technical release”.

If you find a vulnerability in WordPress, be sure to write to [email protected] a detailed description of the problem, but do not distribute information publicly.

Wrong hosting configuration

A hosting provider plays a huge role in protecting your site, especially when it comes to components over which you have no control, such as an outdated and vulnerable version of PHP, or a vulnerable module for the Apache web server. Most often this happens with cheap hosting providers who have "all inclusive and unlimited" for 5 kopecks a year. Remember: it costs money!

What to do if the site is hacked

If attackers got into your site, you will have a hard time; the main thing in this case is not to panic. Attackers often leave a trail (or an open door) behind them in the form of third-party plugins, modified code in the core, and so on. Below are a few tips to eliminate traces of an intruder:

  • Change all passwords for access to the hosting site, including the password for the database
  • Install WordPress from scratch by downloading the latest version
  • Change all secret keys in wp-config.php
  • Export the entire old database and clean it thoroughly
  • Change all passwords for all users in export
  • Import content into newly installed WordPress
  • Review the uploads directory for extra files
  • Import the uploads directory
  • Carefully review each plugin and install the latest versions from the WordPress.org directory
  • Carefully review the theme you are using and install the latest version

Tools such as Google Webmaster Tools and Exploit Scanner will also help you find and fix signs of your site being hacked. After restoring functionality, you should try to understand exactly how the attacker made his way into your site. A good hosting provider will most often help you with this by providing an access log.

Here are some additional tips and tools to improve the security of your site, for both newbies and more experienced users and programmers:

  • Don't Forget Full Backup
  • If possible for the admin panel
  • Use secure SFTP or SSH instead of FTP for hosting
  • Delete themes and plugins you don't use
  • Use a prefix other than the default for the database
  • Disable file editing via wp-config.php
  • Disable the execution of .php files in the wp-content directory

Third-party paid services like Sucuri and VaultPress can also help protect your WordPress site from intruders.

If you have any questions regarding WordPress security, we will be happy to answer them, and if you have additional recommendations for security measures, do not hesitate to leave a comment.

Today we will talk about the security of your site on the popular WordPress platform. The security of a blog directly depends on the degree of care for it and the quality of administration. Using simple tips and tricks, you can greatly increase the level of security.


The need for more security grows as your number of visitors increases. The more popular your resource, the more hackers will want to hack it. This article was written in response to your wish to increase the security of WordPress.

WordPress Security 2015 contains the following recommendations:


WordPress security and the .htaccess file.

.htaccess is a file that lets you adjust the server configuration. With it, you can change many settings, including ones that add security to the site.

Let's look at everything in order. Since .htaccess is so valuable, it is worth first protecting the file itself from third-party interference.

How to protect the .htaccess file of a WordPress site?

Talking about raising security with a .htaccess file without protecting it would be stupid. For this reason, we will protect our file first, and then move on.

In order to protect .htaccess, you need to add a small code to it:


<Files .htaccess>
order allow,deny
deny from all
</Files>

This code will block access to the file from outside, which will significantly protect your site from hacking.

How to secure the wp-config.php file?

We also need to protect an important file that has a lot of information related to database access and more. You can disable access to a file from outside using .htaccess. The security code should be:


<Files wp-config.php>
order allow,deny
deny from all
</Files>

Create your private keys for the wp-config.php file.

WordPress uses 4 keys to access the site, which are specified in the wp-config.php file. You must create and set your own unique keys to ensure security. To facilitate this action, there is a special key generator, with which you will create everything you need.

You can change the keys by changing the wp-config.php file and overwriting it on the server.

Change prefix of WordPress database tables.

The database prefix is created during WordPress installation; by default, tables are named wp_tablename. If you did not set a different value during installation, you can change it in the wp-config.php file by setting the variable $table_prefix to another value. The more complex your prefix is, the less likely unauthorized access to your database becomes. An example would be this line: $table_prefix = 'wp65zym6'; You don't need to remember this value; you set it once and never return to it.

Limiting the number of failed login attempts.

One way to prevent your site from being hacked is to limit the number of login attempts and then block the offender. These simple settings will protect you from automatic password guessing by bot programs, as well as manual entry by people.

It will come to your aid, the configuration of which will not take you much time, but will allow you to add another barrier to hackers.

Use a strong WordPress password.

In WordPress version 4.3 and above, when you install the platform, you will be offered a secure generated password that suits this purpose well, and you can change it later.

The security of a WordPress site largely depends on the security of access to the admin panel, so it would be a big mistake to neglect these recommendations.

Do not use login "admin" to login.

If you chose a different login, great! Make sure it's hard to guess by hand. Also go into your database, open the prefix_users table, and make sure that there is no admin login registered in it. If one exists, remove it.

Update your WordPress version, plugins and themes.

Update, update and update again. New versions of your plugins and of the WordPress engine itself come out for a reason: their main task is to increase functionality and close security holes, so updating is among the top priorities.

In the blog root, delete the readme.html and license.txt files.

We do not need these files, but they show the current version of WordPress and some other site information, and there is no reason to allow an extra information leak. So remove them.

These files are available to all users at your site/readme.html, check it out on your blog.

Periodically change the passwords for the database, administrative panel and hosting.

These actions will not take you much time. Change your passwords every one or two months and you will be able to put another tick in the security of your WordPress blog.

Make regular backups.

In manual or automatic mode, using plugins or programs, make backup copies of your site so that you can quickly restore the latest version if necessary. Have you been hacked? Or did you break your site yourself? Backup copies will help you quickly get your resource working again.

I want to note that recently I have received fewer requests regarding security settings and the elimination of threats and viruses. And fewer such topics are being created on the forums.

Either the quality of the code has stabilized, or the site owners have increased their responsibility. I hope that both factors contributed.

However, the threat of infection is always present, so the protection of your site must be given due attention.

The reasons for hacking in practice come down to two things:

  • abandoned and unsupported plugins: you always need to install updates;
  • passwords and permissions: these need to be configured properly once and then adhered to.

Every site is hackable, so the only way to truly protect yourself is to create a backup.

Seriously.

Set up backups! Maybe with a plugin, or directly on your hosting.

Quite recently I broke the media files as a result of stupid experiments, but since there was a copy, the database was restored in a couple of minutes.

How to set up a schedule depends on what changes and how often on your site.

Don't include extra code

WordPress has a lot of flexibility and the ability to expand. This is a wonderful opportunity. But on the other hand, enterprising and not very technical site owners can very quickly overload their site with unnecessary code.

First, it is a blow to the performance of the site.
Second, it puts your site's security at risk of virus infection and increases the likelihood of hacking.
Third, you simply need more time for administration and support. When you install a new plugin or new functionality for a theme, assess whether you really need it.

Good questions might be:

  • How can I do without this new plugin? You may find alternative options, or no need to use it at all.
  • Why do I really need this plugin? What benefits will I get from using it?

For a fully functional site, it is enough to have about ten of the most necessary plugins (which includes a seo plugin, a site protection plugin, a caching plugin, an antispam, a contact form, and there may be several specific plugins for the structure of your site or its content).
If the site has 30-50 plugins installed, then you are clearly doing something wrong.

Also, it is not enough to simply deactivate unused plugins - it is best to remove them completely. Along with unused themes.

Adhere to a simple but effective principle:

Less code, less problems.

Do not give other participants rights that exceed their responsibilities

Let's be direct. No one is as responsible for the security of your site as you are.
If you grant your accounts or administrator roles to a person, even someone you trust, then you significantly jeopardize the secure operation of your site. I'm not saying that the person you've given elevated permissions will gladly hack your site, but they can contribute to it unintentionally. Think about the fact that his computer may not be as protected as yours (for example, a working antivirus is not installed), and all your efforts to protect the site are going to hell.

Limit the roles you give people. If you want a person to simply publish an article, you don't need an administrator account at all.
But there are times when you really need to grant full rights. For example, you asked a freelancer to change the code on the site.
In this case, immediately upon completion of the work, generate a new strong password and also create a new private key for WordPress to completely clear the working cookies.

Update your site and plugins

At the beginning of this article, I already noted this problem as the main source of threat to the site.

Millions of websites are attacked every day. This allows developers to quickly find dangerous vulnerabilities and fix them in future updates. But if you ignore this rule, any day you can become a victim of a hack.
In most cases, updates are smooth, you just need to look at the changes page, where the author can point out some important notes regarding improvements, bug fixes and vulnerabilities.

If you don't have 30-50 plugins installed, then the update process doesn't take long, and usually happens 2-3 times a month. Fair price to sleep well.

It happens that lazy novice developers edit plugin files directly, and updating them becomes difficult. But one way or another, this cannot be avoided.

The same mess occurs with premium themes, which include additional premium plugins like Visual composer, Revolution slider, Layer slider and so on.

Owners customize the site, get it to work the way they want, and are understandably afraid to update it.
In practice, after six months or a year, such sites begin to fall apart: something is updated, something is not, conflicts arise, slowdowns appear, and so on.

This is a common situation, so pay attention to two things:

  • make a child theme: a matter of minutes, but it makes future updates easy;
  • try as much as possible not to edit a lot of code in the theme: if changes are necessary, might it be better to write the additional functionality separately?

It's easier, of course, to fix the code right in the theme, but you lose in updates. Protecting yourself in this regard is a higher priority.

Set strong passwords

Strong passwords help you withstand brute-force attacks, i.e. guessing your password. If your password contains only 3-4 characters, and at the same time you use the login admin, then your site can be hacked in less than 1 minute! Think about it.

5-6 characters in the password is also not enough, a good password starts with 8 characters. Also, it is very important not to use simple words from the dictionary, but to use a combination of letters in different cases, numbers, punctuation marks and special characters.

Of course, such a password is not easy to come up with, let alone remember and use. This is where automated applications come to the rescue: 1password, keepass, lastpass. Pick one and let it take care of your passwords.

Use trusted sources

If you download add-ons from third-party sites, especially all kinds of warez and free torrents, then you are seriously compromising the operation of your site.

Even if you have landed on the page of the plugin or theme you are looking for and you think you can trust the author of the plugin, that really isn't the case. Why?

Because the code of this plugin has not been tested for functionality and vulnerabilities in any way, as is done by the development team and the community at https://wordpress.org/plugins/, and it may well contain risky code even without any intention on the part of its author.

As a WordPress security measure, install plugins and themes from the official repository, or from the repositories of very large companies whose integrity and reputation you are sure of.

Turn on antivirus on your computer

Without a good antivirus, safe work on a computer is probably unthinkable. I won't recommend one of them, but it's a good rule of thumb to use a reputable brand, and preferably a full service one.
A good antivirus updates its code and antivirus databases on its own, so you will hardly need to monitor its work.

Do not enter passwords in public Wi-Fi areas

In public places where there is Wi-Fi, anyone can intercept traffic, and if it is not encrypted, an attacker can easily get your information.

Use an encrypted transfer method. Create and configure SSL certificates for your site, and you will have peace of mind knowing that you have protected your site and your users' data.

Protected files and system directories

  • Correct permissions on files and directories

Set permissions to 644 for files and 755 for directories, so that write access is available only to the owner, that is, you. This reduces the risk of a potential threat, especially on shared hosting.
You can change the permissions manually through the hosting control panel or through an FTP client.

If you have shell access, you can assign permissions with two commands.

For directories:

find /path_to_your_wordpress_folder/ -type d -exec chmod 755 {} \;

For files:

find /path_to_your_wordpress_folder/ -type f -exec chmod 644 {} \;
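
An added example (not part of the original article): a small shell script that reports which directories and files deviate from the 755/644 scheme before anything is changed, treats wp-config.php separately (400 or 440, as recommended further down), and can then apply the fix. The function names are made up for this illustration.

```sh
#!/bin/sh
# Added example, not from the article. Expected modes follow the text:
#   directories   -> 755
#   regular files -> 644
#   wp-config.php -> 400 or 440

# wp_perm_audit DIR
# Prints "<kind> <expected> <path>" for every entry whose mode differs.
# Empty output means the tree already matches.
wp_perm_audit() (
    root=$1
    if [ ! -d "$root" ]; then
        echo "wp_perm_audit: not a directory: $root" >&2
        exit 2
    fi
    find "$root" -type d ! -perm 755 -print | sed 's/^/dir 755 /'
    find "$root" -type f ! -name wp-config.php ! -perm 644 -print |
        sed 's/^/file 644 /'
    find "$root" -type f -name wp-config.php ! -perm 400 ! -perm 440 -print |
        sed 's/^/config 440 /'
)

# wp_perm_world_writable DIR
# The subset that matters most on shared hosting: anything that any other
# local user could modify.
wp_perm_world_writable() (
    find "$1" \( -type f -o -type d \) -perm -002 -print
)

# wp_perm_fix DIR
# Applies the article's two chmod commands, but only to entries that
# actually differ, and sets wp-config.php to 440.
wp_perm_fix() (
    root=$1
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php ! -perm 644 -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php ! -perm 400 ! -perm 440 \
        -exec chmod 440 {} +
)

# Stand-alone use: sh wp-perms.sh /path_to_your_wordpress_folder [--fix]
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--fix" ]; then
        wp_perm_fix "$1"
    fi
    wp_perm_audit "$1"
fi
```

Run the audit first and read the list: a plugin that needs a writable cache directory will show up there, and you can decide about it before the fix resets its mode.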

  • Protecting important files and directories - (wp-admin/, wp-config.php, wp-login.php, wp-includes)

Securing /wp-admin/.
This address opens the management console of your site.

On some hostings, you can create a password for this folder directly in the control panel.

Or you can do it manually.
To do this, you need to use the htpasswd file generator, then copy the resulting file to your server, for example, in the directory above your wordpress installation.

The final step is to create or open an .htaccess file in the root folder of your site, and enter the following code into it:

AuthName "Wordpress Console"
AuthUserFile /path_to_your_file/htpasswd
AuthGroupFile /dev/null
AuthType basic
require user user_name

Substitute the required values.

Protecting the wp-login.php file.

If you need to restrict entry by IP addresses, enter the following directives in the .htaccess file:

<Files wp-login.php>
Order deny,allow
Deny from all
Allow from xxx.xxx.xxx.xxx
</Files>

Thus, first you deny access from all sources, then you open access only for specific ip. The order is important.

Protecting the wp-config.php File.

Move this file from your wordpress root folder to the folder one level up. Set file permissions to 400 or 440 so that only read permissions are available for you and your server.

If you are unable to transfer the file, include the following code at the very top of your .htaccess, which will completely disable access to wp-config.php:

<Files wp-config.php>
Order allow,deny
deny from all
</Files>

Protecting wp-includes/.

To further improve the security of WordPress, you can restrict the execution of scripts in the wp-includes/ folder. Add the following code to .htaccess:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

If you have multisite mode, comment out the line

"RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]"

Do not allow search robots to process service pages

Check your robots.txt file.

User-agent: *
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-

All these are wordpress service folders that the search engine should not index.

Hide wordpress version from potential hackers

The version information is in the header and in the RSS feeds:

To remove it from there, you need to include the following code in your active theme's functions.php file:

// Return an empty string instead of the generator tag that carries the version.
function wp_remove_version() {
    return "";
}
add_filter("the_generator", "wp_remove_version");

Change the admin account name

By default, WordPress creates an account named admin, which makes it easier to hack with a brute-force attack. You definitely need to change it.

To do this, go to your database using the phpmyadmin application and find the table wp_users (the prefix may differ); it contains the entries with credentials. Open the admin user account for editing.

In the user_login field, change the value admin to your new preferred login and click Go.

Change the database prefix

If you installed the CMS from the hosting control panel, there is a high probability that the prefix has already been changed on the site. There are also ready-made plugins for this, but you can also do it manually.

  1. Make a backup of your database via phpmyadmin;
  2. Open the file in a simple text editor and replace the "wp_" prefix with the value of your new prefix;
  3. Deactivate all your plugins;
  4. Delete the old database and import the one with the new prefix;
  5. Change the database settings in the wp-config.php file to use the new prefix;
  6. Activate the required plugins;
  7. Update the permalinks (human-readable URLs).

Enable SSL on the site

If you have obtained an SSL certificate, enable SSL support in wp-config.php:

define("FORCE_SSL_LOGIN", true); // deprecated since WordPress 4.0; FORCE_SSL_ADMIN alone is enough there
define("FORCE_SSL_ADMIN", true);

This site has a certificate from Cloudflare, which is issued for free, but you need to connect and configure this service.

Limit the number of login attempts

If you notice an active brute-force attack in your server logs, you can prevent it by limiting the number of login attempts using the Limit Login Attempts plugin.

The plugin has not been updated for 2 years, but has gone through a million installations, received good reviews for work, including with current versions of WordPress.
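
To notice such an attack in the first place, the log check can be scripted. The following is an added example, not code from the article or from the plugin; it assumes the combined access log format and stock WordPress behaviour (HTTP 200 for a failed login, 302 for a successful one), and the function names and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the article: spot password guessing against
# wp-login.php in a web server access log ("combined" format).
# Assumption: a failed login is answered with HTTP 200 (the form is shown
# again) and a successful one with a 302 redirect.

# wp_login_bruteforce LOGFILE [THRESHOLD]
# Prints "<ip> <failed> <succeeded>" for every client with at least
# THRESHOLD failed POSTs (default 5), busiest first. A non-zero third
# column after many failures means a guess may have worked.
wp_login_bruteforce() (
    log=$1
    threshold=${2:-5}
    awk -v t="$threshold" '
        # $1 client IP, $6 quote+METHOD, $7 request path, $9 status code
        {
            path = $7
            sub(/\?.*/, "", path)      # ignore any query string
        }
        $6 == "\"POST" && path == "/wp-login.php" {
            if ($9 == 200) fail[$1]++
            else if ($9 == 302) ok[$1]++
        }
        END {
            for (ip in fail)
                if (fail[ip] >= t)
                    printf "%s %d %d\n", ip, fail[ip], ok[ip]
        }
    ' "$log" | sort -k2,2nr -k1,1
)

# Constructed sample (documentation-range addresses), not real traffic.
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [12/Mar/2015:04:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:04:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:04:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2015:04:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:04:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2015:04:10:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:04:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2015:04:10:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:04:10:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2015:04:10:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:04:10:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:04:10:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2015:04:11:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Stand-alone use: sh wp-login-check.sh /path/to/access.log [threshold]
if [ "$#" -ge 1 ]; then
    wp_login_bruteforce "$@"
fi
```

On the constructed sample with the default threshold, only 203.0.113.7 is reported (six failures followed by one success); the user at 198.51.100.20 who mistyped a password twice stays below the threshold.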

Disable editing plugin and theme files in the management console

If you do not use editing files from the admin panel, you can disable this functionality in order to increase the security of the site. Write the following line to the wp-config.php file:

define("DISALLOW_FILE_EDIT", true);
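
The wp-config.php settings covered in this article (unique keys, a non-default table prefix, FORCE_SSL_ADMIN, DISALLOW_FILE_EDIT) can be verified with a short script. This is an added example, not part of the original article; the function names, finding labels and both sample configurations are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the article: check a wp-config.php for the
# settings discussed above. Findings are printed one per line; no output
# means every check passed. Commented-out lines are not counted.

# Succeeds if constant $1 is defined as true on an uncommented line of file $2.
defined_true() {
    grep -Eq "^[[:space:]]*[Dd]efine\([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*(true|TRUE)[[:space:]]*\)" "$2"
}

# Succeeds if constant $1 is defined at all on an uncommented line of file $2.
defined_any() {
    grep -Eq "^[[:space:]]*[Dd]efine\([[:space:]]*['\"]$1['\"]" "$2"
}

# wp_config_audit FILE
wp_config_audit() (
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "wp_config_audit: cannot read $cfg" >&2
        exit 2
    fi
    # The four keys the article mentions. Current WordPress also defines
    # four matching *_SALT constants; add them to this list if you use them.
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        defined_any "$key" "$cfg" || echo "KEY_MISSING $key"
    done
    # Placeholder text shipped in wp-config-sample.php.
    if grep -Fq 'put your unique phrase here' "$cfg"; then
        echo "KEY_PLACEHOLDER keys still hold the sample value"
    fi
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "DEFAULT_PREFIX table prefix is wp_"
    fi
    defined_true DISALLOW_FILE_EDIT "$cfg" ||
        echo "FILE_EDIT_ENABLED DISALLOW_FILE_EDIT is not true"
    defined_true FORCE_SSL_ADMIN "$cfg" ||
        echo "ADMIN_NOT_TLS FORCE_SSL_ADMIN is not true"
)

# Constructed samples, not real configuration.
sample_weak_config() {
    cat <<'EOF'
<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');
define('NONCE_KEY',       'put your unique phrase here');
$table_prefix = 'wp_';
// define('DISALLOW_FILE_EDIT', true);
EOF
}

sample_hardened_config() {
    cat <<'EOF'
<?php
define('AUTH_KEY',        'constructed-example-value-1');
define('SECURE_AUTH_KEY', 'constructed-example-value-2');
define('LOGGED_IN_KEY',   'constructed-example-value-3');
define('NONCE_KEY',       'constructed-example-value-4');
$table_prefix = 'wp65zym6_';
define('DISALLOW_FILE_EDIT', true);
define("FORCE_SSL_ADMIN", true);
EOF
}

# Stand-alone use: sh wp-config-audit.sh /path/to/wp-config.php
if [ "$#" -ge 1 ]; then
    wp_config_audit "$1"
fi
```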

If your site has been hacked

  1. Disable the site
  2. Notify your service provider if other sites may be infected
  3. Make a site backup
  4. Change all passwords in wp-config.php file
  5. Reinstall WordPress so the engine files are replaced with fresh copies
  6. Reinstall themes and plugins again to make sure they are free of malicious code
  7. You can also use the available plugins to look for potential malicious code.

Remember, if hackers stole your password and logged in to the site, then even after you change your password they can remain logged in, because their cookies are still valid. To invalidate them, you need to create new secret keys. open
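One way to rotate those keys offline, as an added example that is not part of the original article: the function below replaces every authentication key and salt it finds in the text of a wp-config.php with a fresh random value and reports which of the eight were missing. The sample config is constructed; the function names are assumptions.

```python
import re
import secrets
import string

# The eight authentication keys and salts defined in wp-config.php.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII without quote and backslash, so a value needs no escaping
# inside a PHP single-quoted string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "'\\")

# Constructed sample config with three of the eight keys present.
SAMPLE_CONFIG = """\
<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define( 'LOGGED_IN_KEY', "old-logged-in-key" );
define('NONCE_SALT',       'old nonce salt');
$table_prefix = 'wp_';
"""


def new_secret(length: int = 64) -> str:
    """Random value drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text: str):
    """Return (new_text, rotated, missing) with every key found replaced."""
    rotated, missing = [], []
    for name in KEY_NAMES:
        pattern = re.compile(
            r"(?i:define)\(\s*(['\"])" + name + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;")
        # A function replacement avoids backslash/group expansion in the value.
        config_text, n = pattern.subn(
            lambda m, name=name: f"define('{name}', '{new_secret()}');", config_text)
        (rotated if n else missing).append(name)
    return config_text, rotated, missing


if __name__ == "__main__":
    text, rotated, missing = rotate_keys(SAMPLE_CONFIG)
    print(text, "rotated:", rotated, "missing:", missing)
```

Once the rewritten file is in place, every existing login cookie stops validating, so all users, including you, have to log in again.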

Hello dear friends.

Having completely forgotten about the basic settings of a WordPress blog, I began publishing more advanced ones. But I should have started with the settings that need to be made immediately after installing the engine on the hosting.

So in this article, I will go through the basic WordPress settings that need to be made so that they do not get in the way later and are not an eyesore.

None of these settings is a rule you must follow. I'm just showing you my setup. But there are some points that you must have as well. Therefore, I recommend that you read through all the settings carefully so that it will be easier for you to manage the site in the future.

I decided to give you a video tutorial first. See it below. If you prefer to read, there is also detailed text material under the video. But to fully grasp the essence, you cannot do without the video.

Now for those who love to read.

Let's start with our profile settings. When registering on any site, it is always recommended to set up a profile so that the resource is easier to work with. The same applies here.

Profile settings

First I give a screenshot of the settings, and then I will describe the necessary functions.

  • Disable visual editor - the page and post editor includes a visual editor, which is enabled by default and shows all the content as it will appear while you fill it in. We can turn it off, and then only the text editor will be displayed, which lets us work with the source code of the added material;

This may be required when some formatting works only in the text (HTML) editor and disappears or breaks when you switch to the visual one. I use such formatting, so sometimes when I switch to the visual editor I have to redo the formatting.

If you have a similar situation, I recommend that you do such formatting at the very final stage.

  • Color scheme - this setting is a matter of personal preference. You can choose the color scheme for your WordPress admin panel according to your taste;
  • Hotkeys - you can manage comments using keyboard shortcuts. Everything is described in more detail at the "Additional Information" link provided next to the description of the setting. There you can also find keyboard shortcuts for formatting, for example, to underline a phrase (ctrl + u);
  • Top bar - whether the top admin bar will be displayed when viewing any page of the blog;
  • Name display settings (name) - in this item we configure how our name will be displayed when publishing articles;

This display is selected in the "Display as" item, the options for which are formed from the data entered in these settings (first name, last name, nickname). Once this data is entered, the drop-down list of the "Display as" item will offer variations for displaying the author of the publication.


Choose the option you like.

  • Contacts settings (contacts) - in these settings I fill in only a working real e-mail address and a link to a profile on the Google+ social network.

In the last item of the profile settings you can change the password for accessing the blog admin panel. If you have a simple password, change it immediately. We set a very complex and long password, consisting of a random set of upper and lower case characters and numbers (for example, tfh89EW4Kuyl43ferFGrs6uih).

General settings

The settings in this item are mostly about display as well.

  • Site name - enter the name that will be displayed on the site page in the place where it is provided by your template. By the way, be sure to read the material about choosing the right template for a WordPress site by;


  • Brief description - the same as the title, only a description;


  • WordPress address and site address - no settings need to be changed. They are automatically set as necessary when installing WordPress on hosting;
  • E-mail address - enter a real e-mail. It will receive various kinds of notifications if you set them up on the blog. For example, it can be plugins of various kinds of alerts;
  • Membership - you can enable the registration function on the site; then in this item you need to choose which role a new user receives. If you have a regular blog, the registration function is completely unnecessary;
  • Time zone - choose your time zone. I did not choose anything, though. It should be set automatically based on the regional settings in the operating system;
  • Date format and time format - set a convenient option for displaying the date next to the published material. As for me, the standard version is the most familiar;

For me, changing this setting does not change the display at all. Apparently the template substitutes its own version. What happens for you when you change the options?

  • The first day of the week is naturally Monday;
  • The language of the site - I, of course, choose Russian.

Post settings (writing)


  • I disabled the smiley conversion function, since this standard function does not work for me. And it is not needed anyway;
  • WordPress should fix incorrect XHTML code automatically - I left the setting enabled, but I can’t comment on how well it works, because I haven’t seen the result of its work;
  • Default category - in this item, select the category that will receive posts for which you did not choose a category when adding them. For example, if you forgot to tick the checkbox next to the desired category, the post will fall into the default category;
  • Default post format - I never experimented with this setting, since there was no need. For a regular site, we leave the standard option.

Reading settings

These settings are made more for readers, as they determine how readers will see the content of the blog.

  • Display on the main page - select the option that is more suitable for your resource;

If this is a simple blog, then of course we select the "Your latest entries" option, but if you want to create some kind of site, on the main page of which there should always be information, for example, about a company, then select the "Static page" option. Then select the page itself to display on the main page.

  • Display no more than on pages - if the option to display the latest posts on the main page is selected, a certain number of announcements will be displayed, and their list is divided into pages. Everyone chooses the number of announcements per page for themselves. The default of 10 announcements suited me;

By the way, announcements should be paginated using . Therefore, if you don’t have it on your blog, be sure to do it.

  • Show latest in RSS feeds - I also left the default value;
  • For each article in the feed, display - select "announcement" so that only the initial part of the material is displayed;
  • Visibility for search engines - we leave the checkbox unticked, although it does not really decide anything. Search engines may or may not take it into account.

Discussion (comments) settings

This is the most voluminous section of the standard parameters.

  • The default settings for the article - I turned off the first 2 settings, as they create an extra load on the blog and there is no point in them. They try to notify other blogs that we have mentioned them in our articles, and they also try to receive similar notifications;
  • Other comment settings - the threaded (nested) comments feature must be enabled. It is on by default, but check that it is active;
  • Send me an email when - I turned off these settings completely, because with active commenting on the site, the mailbox will simply be flooded with letters about new comments and comments awaiting moderation. At the initial stage, when the site is brand new, you can leave these options active. I turned them off right away;
  • Comment moderation and black list - these 2 fields are used to send comments that match the specified parameters to moderation or to the black list, respectively. For example, we can add the name of an author who constantly spams to the blacklist field, and his comments will never get through;
  • Avatars - the default settings here are fine. You can only change the avatar display option at your discretion. IMHO, the standard version is the most pleasant to read.

Media settings

When we add media files (images) to our articles, we have the option to select preset values to reduce them to certain sizes. This is very handy when you prefer to add images of a single size so that the content looks tidy.

Here is an example of choosing a size based on the parameters in this paragraph. These dimensions are available in the image editor when you add them to your articles.


If you want to change these dimensions to your own, then the "Media settings" item is what you need.

Here you set the parameters you need.


There is nothing complicated. Just change the standard sizes to your own.

The checkbox "Place my uploaded files in folders by month and year" should be active. This will sort the images on the hosting by year and month. Here's what it looks like on the hosting itself.

This sorting option is very convenient. Knowing the date of publication of the article, we can easily go to the hosting and download all the images in one fell swoop.

Setting up permalinks

I will not describe this item here, since a very detailed article was devoted to it. It explained the importance of this setting and showed how to set up the correct type of links for articles.

Also, do not forget that a really high-quality setup of a WordPress site is possible only when you install the necessary plugins and configure them correctly. Therefore, I give a list of materials that you simply must study, implementing all the tips from them.

  • "Please comment."

By the way, please write in the comments: is this format convenient for you, when I first give a video lesson and then a text version? Or is it better to give the text first and the video at the end? I will be very grateful.

That's all. Bye.

Sincerely, Konstantin Khmelev.
