Know Your Readers: How to Set Up Analytics On Your Blog and Why It’s Critical to Your Success

You’ve probably felt the overwhelm.

You read the blogs and listen to the experts on the steps to take to grow your new blog.

Analysis paralysis sets in with so much varying information on what to do first (or next).

No matter what any blogging teacher tells you, there is one step you must take with your new blog that is critical to your blog success.

(If you don’t have your WordPress blog set up yet, follow this tutorial)

It has nothing to do with your theme, plugins, or SEO.

And you should implement this one thing even if you have no traffic coming to your blog. When you take the steps I am about to show you, your blog will work for you while it grows, giving you peace of mind.

That one thing? Properly setting up tracking and analytics on your blog.

The good news for you is that it will cost you nothing, and you don’t need to be a tech genius to do it.

Why must you do this?

Imagine trying to manage your money without ever seeing or knowing your bank balance, transactions, credit card statements, or investments. You would always be guessing.

Running your blog is the same.

You want to understand precisely who your audience is and what their behavior is on your blog. Once you have this information, you can concentrate your efforts to get the maximum return on your time.

With free tools like Google Analytics, you can set it up once and forget about it.

It will be running in the background and tracking everything for you as your blog grows.

It’s one of those things that you will be kicking yourself down the road if you do not set it up from the start.

In this article, I will show you step-by-step how easy it is to set up tracking on your blog, and how to analyze this data to compound the growth of your blog.

But before we jump right in, let me give you a quick example of harnessing your blog data for explosive growth.

By setting up Google Analytics early on my blog Good Food Eating, I began to notice trends in the activity of my readers.

One blog post, in particular, was starting to get a significant amount of traffic.

Identifying Content Trends with Google Analytics

Being opportunity minded, I realized that this post was not bringing me any subscribers, nor was it generating any income.

But, could I expect anything different?

There was no “call to action” within the post.

People would find my blog, read the content, and leave because I was not instructing them to do anything once they finished consuming the content.

So, I decided to run a test…

Within the post, I introduced a simple call to action where people could trade their email address for an ebook. The topic of the ebook was directly related to the subject of the blog post they were reading.

We’ll take a deeper look at how I did this later in the article, but this strategy alone created a 500% increase in my blog subscribers and doubled the traffic to my blog.

Without this data, I would be guessing and spending my time testing things that will not bring a significant return.

When you track your numbers, you make educated decisions about your blog that bring you measurable results.

Most people shy away from tracking and analytics. Likely because it all just seems too technical, too complicated, and you just want to write on your blog.

Trust me, I know how you feel. But, in a few months from now (or less) you can dig into your Google Analytics data that has been tracking in the background and use it to grow your blog traffic or email list.

As Google points out:

“Measurement helps us make good business decisions, without it we don’t know what to change or work on”.

Highly successful bloggers such as Pat Flynn from Smart Passive Income and Darren Rowse from Problogger talk openly about their use of Google Analytics to track progress and make informed decisions around growing their blogs.

Just like highly successful bloggers we can all use our numbers to work out what to change and what to work on, so we can maximize our investment of time, energy, or money.

Today I’ll use my new site Diabetes Meal Plans as an example to guide you through the Google Analytics setup. And I’ll also share what some of the stats mean, what to look out for, and a few tips on how that can help you as a blogger to build your list and traffic.

I’d like to point out that this is not the type of post you just read.

If you do have Google Analytics, then open it up and see if you can gather some tips and intel on how to use it better. If you don’t have Google Analytics installed yet, then follow this tutorial from start to finish and you’ll be up and running tracking your stats in no time.

Setting Up Your Google Analytics Account

The first place to get started is to sign up for a Google Analytics account.

In the top right-hand corner, you can either ‘sign in’ or ‘create an account’. If you’ve set up a Gmail account before, just go ahead and sign into that. If you’ve never had a Google account, or if you want to set up a different email and account for your blog, then click on ‘create a new account’ to get started.

Once you’re inside, you’ll see a panel like this:

sign up in 3 steps

Go ahead and click on ‘Sign Up’ and you’ll be taken to the next screen.

Set Up A New Website Account

Once you’re inside, you will be asked to set up a new website. You can complete this process in just a few minutes by filling in the following details.

  • Account name – use the name of your blog or business
  • Website name – pretty obvious
  • Website URL – enter your domain name
  • Select your industry from the drop down categories
  • Select your reporting timezone – I live in Australia but still have mine set to The U.S. because I do a lot of things in U.S. time. This does not affect your overall stats.
  • You can decide who you share your data with, Google and such – leaving the default settings here is fine

You can change any of these preferences later if you make a mistake. But there’s not too much that can go wrong here.

After you’ve gone through that setup, click on the blue button at the bottom to ‘Get Tracking ID’. A pop-up box will appear, and you have to accept Google’s Terms of Service.

Add Your Unique Tracking Code

Next you’ll be given a tracking code that needs to be plugged into your website so your blog can communicate with Google. This is just a copy and paste operation. You DO NOT need to be a tech wizard to accomplish this step.

Step 1: First check your theme

Look in your WordPress theme settings first to see if you can paste the code directly into it. In your WordPress dashboard look for your theme icon. For example, I use a Genesis theme, and the theme has a unique section in the WordPress dashboard.

Not all themes have this so the other place you can look is under ‘Appearance’, sometimes there will be a ‘settings’ section for your theme in there.

The Google Analytics code goes in the <head> HTML tag of your site. So what you need to look out for is something that says: “Enter scripts or code you would like in the wp_head”. Or it might say: “Paste script here to go before the closing </head> tag”.

If you can do it directly via your theme that’s great but if you can’t, then turn to a WordPress plugin for help.

Step 2: Use A WordPress Plugin

A WordPress plugin is a simple way to get analytics installed and if you think you might ever change your theme, can save you time down the track. But I’ll just point out the differences with these plugins and share what’s best to choose.

Many people like the type of plugins where you can view stats directly in your WordPress dashboard (eg: Google Analytics by Yoast), meaning you don’t have to go inside Google Analytics at all. They are popular because they seem easier, but I want to share a word of warning here. In my experience, plugins like this can slow down your site once you start getting traffic.

Sure you can always change this, but I do think it’s better if you go directly to Google Analytics and get familiar with reading your stats there. It may seem a bit daunting at first, but by the time you work through this tutorial you’ll know what to look for, and you’ll have a bunch of ideas on how to use your stats too.

If I wasn’t using a Genesis theme, I’d use the Code Snippets plugin because it’s lightweight and gives you the flexibility to add other code in future, meaning you’ll have fewer plugins to be concerned about overall.

Setting Up Your Google Analytics Property Settings

Once you’re inside Google Analytics you’ll see a whole bunch of stuff on the left hand side, from ‘Property settings’ through to ‘Social settings’. It will state all this other stuff like data collection through to search term exclusion, but you really don’t have to worry about setting any of this up.

By default, Google adds all the general tags and metrics you need, so the only one you need to be concerned about is the ‘Social settings’. Click through to that and enter all your social sites.

Here is the example of the social settings on my new site.

GA social settings2

Essentially you’re adding all your online real estate to this list. And one very important thing to remember is to make sure you add your own URL as well –

What this does is show you where your ‘name/ brand’ is getting shared and found.

For example, someone else shares my Facebook page on theirs and traffic comes through from there. So instead of just giving me generic social stats, it gives me more detailed ones. I’ll be monitoring the difference in my future stats to see how this performs.

Later down the track once you get your basics installed, you can come back to the ‘Admin’ panel to make any additions by clicking on it from the top navigation.

Though I won’t be covering it in this article, I’d highly recommend you also add Google Webmaster Tools to your site and connect it to Google Analytics. Later down the track you might also want to explore AdWords and AdSense.

Understanding the Google Analytics Dashboard

After all that is done, which will take around five minutes, you’ll finally be ready to check out the dashboard.

To get there, just click on ‘Reporting’ in the top navigation menu. Right now you’ll have zero numbers and will see a flatline in front of you like this.

GA dash

We’ll go through all the workings in just a minute, but first, let’s test your Google Analytics install to make sure it’s working properly.

Testing To Make Sure Your Install Is Right

On the left sidebar click on ‘Real Time’ and this literally brings up a ‘Real Time’ feature. I think this is a fun and cool feature, and you can often find me sitting in my office with it running on my second laptop. I just like viewing who is coming and going on my site in ‘real time’.

And as John Jantsch suggests, the ‘Real Time’ feature is also great for tracking live campaigns or competitions, reacting to mentions of your brand, and testing ad campaigns. You’ll find in time that there are any number of ways you can get creative and use the power of your numbers.

But, for now we’re here to test our Google Analytics install.

So what I did was visit my own site from Facebook and clicked on a couple of pages, just to make sure it was working okay. While you’re doing this, you should see the ‘Real Time’ feature in action, showing you what pages have been clicked or where the traffic (all of two clicks) is referred from.

GA real time feature
You can monitor the real-time activity of your blog visitors

Once you see some stats coming in on ‘Real Time’ you know it’s set up right, then wait a few hours and some more stats should start coming in for other areas. Of course, if you have no traffic then it might take a few days, but you will slowly see the stats starting to increase.

So that’s it, you’re now all up and running.

Next, let’s get down into the nitty gritty on some of the things you’ll find inside Google Analytics.

You can find all this info via Google’s site, but this is my shortened, more easily understood version. I’ll also share some ideas in each section to get your stats juices flowing, so you can get creative and use your numbers to help grow your blog.

Getting Familiar With The General Stats Dashboard

Let’s start with the dashboard where you’ll view all your general stats, so click on ‘Reporting’ in the top navigation to get back through to your flatline and take a peek.

GA dash

  • Sessions = visits – the number of times users/ unique visitors interact with your site within the date range period. Unique visitors can have just one session or they might have several sessions during that period.
  • Users = unique visitors – the number of people visiting your site within the selected date range.
  • Pageviews = total pageviews – the total number of pages viewed on your site during the date range period.
  • Pages/ Session – the average number of pages per session that a visitor engages with.
  • Avg. Session Duration – the amount of time the average session lasts.
  • Bounce Rate – the percentage of people who come to your site and leave again straight away without clicking on anything. Having a lower bounce rate is a good sign, but it’s not the be all and end all because bounce rate can be influenced by any number of things such as opening your own site links in a new window instead of the same window, cookies, software, plugins and so forth. Of course, you can always work on improving it but to be honest, I’ve never paid too much attention to it.
  • % New sessions – gives you an idea of how many people are brand new vs returning visitors. This is also shown in the new/ return visitor circle. You don’t see the circle in the image above, but it will appear on the right side of your dashboard once you start getting some traffic.

Once you start getting some visitors, your flatline will turn into a graph of your visitors over the selected time period. The default date range period for stats shows the past month, but you can select a custom range from the drop down calendar in the top right hand corner. This means you can track stats on a certain week or even a certain day.

Just be aware that if you change that date range, it also changes stats through all the other panels as well.

Now, none of this probably makes sense to you right now. So, what I’d recommend is that you bookmark this tutorial and once you go through the setup and start getting more traffic and stats, you can refer back to all this info for the details.

Inside Google Analytics you can make special dashboards, shortcuts, or look at intelligence events, there’s tons of stuff you can explore in your own time. But, let’s cut straight to the important stuff, the audience, where they are coming from, and what they are doing on our site.

That’s what you really want to know.

Understanding Your Audience

One amazing thing about the web is that Google knows all.

Google tracks all of our information, how old we are, what we like based on sites we visit, where we’re located, and what technology we use.

While that might seem scary in some ways, for tracking and stats it’s perfect.

So here’s what you can find out about your audience by clicking on the different panels.

Demographics – age, gender, and interests.

Geography – find out which part of the world your audience comes from.

Behavior – new vs returning – this converts our basic stats into numbers, showing us how many people are new vs returning.

Frequency recency/ engagement – these stats break down those numbers even further and show us how long people stay on our site. For example, I might find out that most of the people only come to my site once and browse a few pages. This is fairly common, but what these numbers also show is our loyal reader stats. Our goal is always to try to increase engagement on our site, so these numbers help us monitor this at the numbers level.

Technology/ Mobile – yes Google tracks what browser our users are using and if our readers are coming from mobile devices.

All of these stats help to give us a deeper insight into our audience. And often it can come as a surprise that our audience is quite different to what we imagined.

For example, I could be fooling myself thinking my audience is only women from Australia, but when I look at my stats I know they are about 50/50 men and women. And my primary source of traffic is the US, followed by Canada, the UK, and then Australia. This helps inform me about things like time to send newsletters, make posts live, activity on social media, what type of content to share, and even the style of writing to be used.

Three Ways You Can Utilize Audience Intel

  1. Take a look at your audience geographically and think about if that impacts what you share and when. For example, my site is a nutrition/food blog so I have to be aware that the majority of my audience is in the opposite season to me. Depending on your niche, this can make a big difference to the type of content you share.
  2. If your bounce rate is high, take a look at your audience age, gender, and interests and think about your message to market match. Meaning: does the message you’re sharing match the market you’re sharing it with? Chances are if your bounce rate is high, you could work on improving it.
  3. Are people visiting your site from mobile devices? Do you have a mobile friendly site? What you will likely find is that a large majority of your site visitors visit via mobile, so I think it goes without saying that mobile friendly is a must.

Acquisition: Where Our Traffic Is Coming From

Now we know a bit more about who our site visitors are, we can turn to learning about where they are coming from. So go ahead and click on ‘Acquisition’, you’ll see quite a few sections listed here but all we need to delve into right now is the ‘Overview’ section.

You can find everything you need from this section, and though you can explore some other sections, you’ll find there is a lot of overlap. So for simplicity sake, let’s just stick with the overview.

Traffic Sources within Google Analytics

As you can see from the image above, this is where we will start to see where our traffic is coming from, and it will be broken down into four sections: Direct, Referral, Social, and Organic.

So let’s break these down a little more.

Direct – direct users of your site have no recorded browser history and come from typing your site link directly into a search engine. Some of these stats can also be you visiting your own site, which is likely the case with my stats above. You can use a filter to exclude internal traffic, junk and bots, which is recommended, but it’s a bit too technical for this tutorial. If you don’t do it for now, it won’t make a ton of difference anyway. Direct traffic also includes traffic that Google can’t track in any of the other categories.

Referral – referrals from other sites that are linking to or sharing your content.

Social – shows you which social sites your traffic is coming from – Pinterest, Facebook, Twitter etc.

Organic – the keywords people are using to find your site via search engines such as Google, Yahoo, Bing, and so forth.

I really like the ‘Acquisition’ section because just digging into these four sections a little more closely can really help us in lots of ways. And when you get a bit more skilled you can track a little closer by setting specific goals.

Three Ways We Can Utilize Acquisition Info

  1. Open up the ‘Social’ section and you’ll see a breakdown on where your traffic is coming from socially. You can find out which one is the most popular referrer for your niche, and spend more of your time working on that specific social platform rather than waste your energy elsewhere. For example: I discovered that Pinterest was great for sharing nutrition/ food content, so I stopped spending so much time on Facebook and concentrated on building my Pinterest profile instead. You can also rediscover posts that are popular on social media and reshare them. If you want to you can create segments to track specific social media stats, it’s not essential but can help you track a little closer.
  2. Take notice of your ‘Referral’ traffic and connect with the people who are sharing your stuff. For example: You can go thank them for sharing it, share their stuff back, build great relationships, and see if you can work together in mutually beneficial ways.
  3. Open up the ‘Organic’ section and see what kind of search terms your site is being found for and think about how you can use this in creative ways.

Using Acquisition To Grow Your Email List

Let’s drill down into point #3 a little more and I’ll share one method I’ve used on Diabetes Meal Plans to grow my email list, even though it’s only a new blog.

Once you have some posts published and you start seeing ‘Organic’ search terms appear, open them up and see what you can discover.

I wanted to create a lead magnet to help increase subscribers, so I turned to my ‘Organic’ search terms to discover what I could find.


When you open up your ‘Organic’ search terms you will see the top 10 search terms, so think about how you can use this info.

As you can see from the search terms it was ‘blood sugar level chart’. It’s been at the top from day 1 and lots of the other terms starting to pop up now are also directly related to this search term – ‘blood sugar levels chart’, ‘diabetes blood sugar chart’, ‘diabetes sugar levels chart’. Take a look for any patterns like this that might help give you some ideas and inspiration.

This inspired one of my lead magnet ideas and I decided to put together a ‘downloadable blood sugar levels chart’ for my new readers. In this instance it was pretty easy. I just took the content from a post I’d already written on the subject over here.

If you have a post like this yourself, all you have to do is copy that info, paste it into a word document, convert it into a pdf, make a good image for the cover, create an eBook cover, and set up an opt in box to put on your posts.

Then you can instantly start collecting subscribers and building your list.

Think about your own acquisition stats. Is there a popular search term or set of search terms? Can you use this to write more content around that topic? Since this content is popular and being found via search engines, can you develop your ‘opt-in’ lead magnet to give away and encourage more subscribers?

These are just a few ideas, and as you can see there are lots of creative ways you can use your stats to help guide the actions you take to develop your blog.

Behavior: What Are Our Web Visitors Doing?

The last section we’re going to learn about today is the ‘Behavior’ section. If you click on that from the Google Analytics sidebar you will again see a long list of things from ‘Overview’ through to ‘In-page Analytics’.

In time you can delve deeper into all these sections, but for simplicity we’re only going to focus on ‘Site content’, so let’s explore that now and how you can use it.


When you click on ‘All Pages’ it will open the list of pages being visited on your site, from most amount visited to least. So from this panel you will see what your top 10 most popular posts/ pages are on your website. You can use the arrows from the bottom right hand corner of the page to scroll through subsequent pages. Or if you want the stats on one particular page, use the search bar to find it.

The great thing about these numbers is that you can be as broad or as specific as you need to be.

Using Behavior Statistics To Grow Your Blog and Business

As I mentioned at the beginning of this article, I identified the number one traffic page on my Good Food Eating blog to grow my list, and I did this using ‘Behavior’ stats.

It was a post about ‘How to boost weight loss’. So, I took a fresh look at the post and noticed it had no call to action and no opt-in incentive.

I added a simple eBook download and embedded that into the post by adding a call to action.

Example of a Blog Post Free Download Call To Action

The opt-in offer is related to the content in the post.

Seven days later, 129 people joined my list from that one blog post alone.

It’s been about eight weeks now and I have added 1,329 new subscribers on that list that I wouldn’t have had before.

If you find your top ten to twenty popular posts and do this, you will soon see your email list grow quite rapidly.

Worth the effort of a little detective work? Yes.

Worth installing Google Analytics? Absolutely!

This is just another example of how you can use your numbers to inform your actions and reap the benefits.

So there you have it.

Your guide to getting started with Google Analytics, with lots of ideas that I hope will get your creative stats juices flowing.

Closing Thoughts

Tracking your stats and using them helps you work smarter, not harder.

So if you haven’t set up your Google Analytics account yet, make a commitment to follow this tutorial from start to finish. Your numbers will be tracking in the background and you will be glad that you spent the time to implement this, as this data will be essential to the growth of your blog.

If you do have it all set up but haven’t spent some time thinking about your numbers, now could be the perfect time to do that.

So now that you’ve read this post, are you looking forward to tracking your stats (maybe even excited about the possibilities)? Have you had some inspiring thoughts? Or do you have a few stats we can brainstorm together?

Leave your thoughts and comments below.

11 Steps to Secure Your WordPress Site and Deter Those Nasty Hackers

** Note from Matt **

Recently, our site was hacked. We were being told by customers and readers that our site was redirecting them to “adult” sites. We were losing sales, we were losing visitors, and we just generally looked bad to any new visitors coming to our site…

We panicked a little and hunted for a solution to this. We couldn’t find any articles or information about this issue. Then, due to the amazing power of Facebook groups, a magician named Chris Moore popped up to save the day.

Chris quickly cleaned up our sites and put some security measures in place to prevent these types of issues from happening again in the future.

Seeing as we couldn’t find a solution to this problem through our own searches, we begged Chris to write an article for our readers on how to solve and prevent this issue.

So, without further ado, here’s Chris’s (insanely in-depth) solution. Make sure you follow along and implement everything he recommends on your site!

** Enter Chris Moore **

Your super awesome, highly targeted, and hyper-clicked ads are running on Facebook and Twitter. Tons of people are visiting your site. All seems to be going well. Except that conversions are kind of low. “Hmmm… My ads don’t normally have this lackluster response, what’s going on?”

And then it gets worse, now you have angry visitors beating down your inbox door with outrageous claims that your links are redirecting them to porn sites! “What? How did this happen? What’s going on? Did I get hacked?”

You fire up your browser, click on your link, and… nothing. It just goes right to your site. So you scratch your head thinking, “Oh well, maybe it was just a coincidence.”

But it wasn’t. Another email or Facebook message comes in, and then another… Now they’re saying it only happens on mobile devices. So you crack out your iPhone and sure enough, straight to porn! “Ah man… I’ve been hacked!”
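A check for the symptom described above (the link behaves normally in a desktop browser but redirects on a phone), as an added example that is not part of the original article: it requests the same URL with a desktop and a mobile User-Agent, without following redirects automatically, and compares where each profile ends up. The User-Agent strings and the hosts `blog.example` and `unwanted.example` are constructed placeholders.

```python
"""Added example: compare where a URL sends desktop and mobile visitors."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed sample User-Agent strings; any realistic desktop/mobile pair works.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
              "Mobile/15E148 Safari/604.1",
}
REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx response


def http_fetch(url, user_agent, timeout=10):
    """Return (status, Location header or None) for one request."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def redirect_chain(url, user_agent, fetch=http_fetch, max_hops=5):
    """Follow HTTP redirects by hand and return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], user_agent)
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain


def compare_profiles(url, fetch=http_fetch):
    """Report the redirect chain per profile and whether they diverge."""
    start_host = urlsplit(url).hostname
    report = {}
    for name, agent in USER_AGENTS.items():
        chain = redirect_chain(url, agent, fetch)
        end_host = urlsplit(chain[-1]).hostname
        report[name] = {"chain": chain, "off_site": end_host != start_host}
    end_hosts = {urlsplit(r["chain"][-1]).hostname for r in report.values()}
    # Different final hosts for the same URL is the symptom to investigate.
    # A legitimate mobile subdomain also triggers this, so read the hostnames.
    report["suspicious"] = len(end_hosts) > 1
    return report


def constructed_fetch(url, user_agent):
    """Constructed stand-in for an affected site: only mobile is redirected."""
    if url == "https://blog.example/" and "Mobile" in user_agent:
        return 302, "https://unwanted.example/landing"
    return 200, None


if __name__ == "__main__":
    # Offline demonstration with the constructed responses above. To check a
    # site you own, call compare_profiles("https://your-site/") instead.
    result = compare_profiles("https://blog.example/", fetch=constructed_fetch)
    for profile in USER_AGENTS:
        print(profile, result[profile])
    print("suspicious:", result["suspicious"])
```

This only sees redirects sent as HTTP responses; a redirect performed by JavaScript injected into the page needs to be checked in a real mobile browser or by reading the page source.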

So how did you get here?

Well, there are a ton of ways: being victim to SQL injections; using weak passwords, which lead to a brute force login; having themes or plugins with vulnerabilities (it even happens to experienced developers!); not updating the WordPress core (especially when security issues are patched); and being the target of a hacker who has your site on their mind (and honestly, there isn’t much you can do there, especially if they are really good).

But more important than knowing the causes and methods, the real question is this: how can you prevent this from happening in the future? That’s what this post hopes to enlighten you on.

The 11 Steps Along the Path to Security Bliss

Here are a series of steps that you should take to protect yourself from a future hacking or malware infestation. Please note that these are not all the steps you can take, but these are very good ones, and will have you headed in the right direction.

You should also take these steps before you contact your host, or a professional, to help you to clean up your sites from a prior hacking. If possible, you should aim to complete these steps in the course of one day. If that simply isn’t possible (due to the number of sites you have), consider hiring some help, or set yourself a schedule by which you can complete these steps as soon as humanly possible.

And of course, if any of these steps feel too daunting or intimidating, or you just want things to be cleaned up and locked down for you, please feel free to get in touch with me here: I would be happy to serve you further!

And with that, on to the 11 steps!

1.) Backup, Backup, and Backup Again

If you don’t already have a backup routine, let’s make sure you have one starting now. Some hosts are kind enough to do daily backups for you (such as SiteGround and a number of other hosts, sometimes depending on which plan you have), but even if they do, you should never rely on just that.

I personally like to have 3 main locations for my backups at all times: my host’s backup (which is already on my server); an Amazon S3 backup; and a Dropbox backup. You can of course use any service you want (and there are many, both free and paid), but the bottom line is you need to have multiple backups, in multiple locations. Just trust me on this.

Additionally, you should download any cloud-based backups to your desktop computer at least once every week or two, just in case. Paranoid, you say? Possibly, but it’s always better to be safe than sorry. (Remember that paper you wrote back in high school, the night before it was due? You were right about to finish it, and then, at the worst possible moment, the power went out, and you hadn’t saved it yet! Well, that happened to me a few decades ago and from that day forward I was never the same! Let us learn from our mistakes (or mine, in this case)).

(We use BackupBuddy for backups at Learn To Blog)

2.) Clean Up Yo Mess!

You will see a theme throughout this entire post, namely, we should try to keep our sites and servers as lean and clean as possible. Start by getting rid of all unnecessary clutter and stuff just lying around. For this step, I would like you to completely delete and remove any and all WordPress sites (the entire folders!) that you do not actually use or need. Just remove them completely. If you would like to keep them for the future, just go into your cPanel (specifically your host’s Control Panel > File Manager), then ZIP the folder associated with that site, download the ZIP, and then delete the original folder and the ZIP. This will save you from a lot of the work to follow below.

3.) Purge Unneeded Users and Demote Others

Delete all unused administrator level user accounts. This includes anyone with administrator privileges that doesn’t need them anymore: previous developers, former colleagues, etc. Also consider demoting anyone that doesn’t actually need administrator level access. Just go to WordPress > Users > Edit > Role, and then change the user role to either Editor, Author, or even Contributor (you can find out more about WordPress user capabilities and roles by clicking here).

4.) Delete the User with the Username “Admin”

“Admin” is the most common username, and it is also the most commonly attempted username in brute force login attempts. And although it isn’t difficult for someone to find out your username, why give it to them on a silver platter or expose yourself to the more bot-driven, automated attacks?

So, if you have a user with the username “admin”, login with another administrator account and delete that user. When you delete this user, it will ask you to assign all content to another user. Make sure to do so or you will lose all content created by that user! This is a very important step, so please don’t miss it! Again, make sure to assign the content created by that “admin” user to another user, or you will lose everything! Okay? Okay.

5.) Get Rid of Keepsakes

Human beings seem to have a tendency to hold on to things they don’t actually need. Well, with your WordPress site, this can be deadly (especially if you don’t have a backup). In this step, you should proactively delete any and all unused or deactivated plugins or themes on all of your sites. Get rid of the clutter. (Some choose to leave the Twenty Twelve theme as a backup theme, just in case, but that is up to you).

6.) Update, Update, and Update Again

This is probably the number one cause of your site getting hacked: not keeping up to date with WordPress, theme, and plugin updates. Almost every day new vulnerabilities are being discovered in WordPress themes and plugins (mainly plugins). Responsible and engaged developers are quick to patch these issues (sometimes even before the vulnerability is publicly known), and so we should be vigilant to update as soon as a new update arrives. I appreciate that sometimes updates can mess up your site (and I have dealt with this on my own sites at times), but please don’t let that stop you from updating, especially if the update concerns a security issue.

So, in this step, you should update all WordPress installations on your entire server, as well as all themes and plugins, to the latest versions. Yes, do this for every single WordPress site on your server. This step is absolutely essential, and as I said above, it’s probably the cause of most hacking and malware related issues in the first place!

7.) Change All Your WordPress Passwords

If your site was compromised, chances are that the hacker was able to get your password (either by a brute force attack, or after-the-fact, through other means). Regardless, it is a good habit to update your passwords every 3 – 6 months (I know, I know, it’s a hassle, but we want to be safe, right?).

So, in this step, change all the passwords for all of the remaining administrator or editor level users on all of your WordPress sites. Passwords, as a rule, should be “strong”, which means they should be unique, long, and obscure. Resist the urge to use short or duplicate passwords across your sites. Use programs like “1Password” or “LastPass” to manage all your passwords. You will thank me later for that suggestion. 🙂

8.) Limit the Doors of Entry

As you can see, there’s a theme developing here: if you don’t need it, get rid of it! In this step, I’m asking you to delete all FTP user accounts that are not needed. I personally only keep the main one and any accounts that are being used by a developer (which I will delete when the job is done).

However, when you do this, please make sure to keep the FTP content folders for any FTP users that you delete. The system should prompt you to keep the content and folders, so make sure you do so. I repeat, only delete the user itself, and not the content folders, or you will lose your content!

9.) Change Your Remaining FTP, cPanel, and Hosting Passwords

Now that you’ve gotten rid of the unnecessary clutter in your FTP accounts, you should change all the passwords for all the remaining FTP accounts, as well as the passwords for your main hosting account and cPanel. As mentioned above, passwords should always be unique, long, and obscure. Again, “1Password” and “LastPass” are your friends here.

10.) Ensure that File and Folder Permissions are Correct

If your host is worth being hosted with, they will do this for you. I have seen cases (a few, unfortunately), where the host will tell you that you have to do this yourself. But since this is a really simple thing to do, I can’t imagine that a good host would push this task back on you. If that does happen though, even after you call and tell them you can’t figure it out, I would seriously consider changing hosts. But hopefully they will cooperate with you on this.

So, in this step, please call your host (or submit a support ticket) and ask them to verify the permissions for all files and folders on your server. Files should be set to 644 permissions and folders should be set to 755 permissions. This is the WordPress default and standard. You would be surprised how many insecure and crazy permissions I have seen while cleaning up hacked sites. Just double-check and be on the safe side.

11.) Install the Free WordFence Security Plugin

This step is probably one of the most critical in this entire series of steps, and that’s why I’ve saved it for last. WordFence Security is a godsend and a truly wonderful tool. Yes, there are many security plugins out there, and some may actually do more and have a fancier interface, but WordFence is not only free and effective, it is also fairly easy to use. Bottom line is, it gets the job done. Install it now.

Once you’ve installed it, please take the following steps (and this is the whole point of installing WordFence right here):

Go to WordFence > Options and set all your settings like the following screenshots (feel free to customize, but I would select all of the scan settings for sure though):

[Screenshots: WordFence Basic Options, WordFence Alerts, WordFence Scan Settings, WordFence Login Security Settings, WordFence “Other” Options]

Once you have mimicked those settings, go to WordFence > Scan > Start a WordFence Scan.

The scan will take some time, but will yield some very useful information. Once you get the report, you may want to click on “Restore the original version of this file” for any warning that WordFence gives you, or you may just want to delete the plugin/theme in question altogether and reinstall it. It is entirely up to you and depends on your site and setup. Good thing you have backups though, right?

12.) 3 Powerful .htaccess Rules (for Advanced Users)

Yeah, I know, there are only supposed to be 11 steps, but I felt it would be a disservice to not include these powerful .htaccess rules that will further lock down your site from attacks. If you don’t feel comfortable doing this, please don’t. Reach out for help from a professional instead. If you do feel comfortable though, then dive on in, because these 3 rules alone will do wonders for your WordPress site’s security.

In the root folder of every WordPress installation you have, you should find an .htaccess file. If you don’t see it, it’s probably because your FTP client or cPanel settings aren’t configured to show “hidden” files. Ask your host about this. Once you find the .htaccess file, open it, and add the following lines to it (at the very bottom or very top should be fine):

# protect wp-config.php file
# (order/deny is Apache 2.2 syntax; Apache 2.4 accepts it only through mod_access_compat)
<files wp-config.php>
order allow,deny
deny from all
</files>

Those lines of code will protect your “wp-config.php” file, which is one of the most commonly hacked files that we see in the WordPress world.

# disable directory browsing
# ("Options All -Indexes" mixes signed and unsigned options, which Apache 2.4 rejects)
Options -Indexes

That code disables the ability to browse website directories directly, which hackers may use to find exploits to help them get into your system. Can they still find other ways of getting information? Of course they can, but again, why make it easier for them to do so?

# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

This last bit of somewhat complex code helps to prevent database script injections. Every little thing we can do helps.

If any of these three code snippets mess up your site in any way, just simply go back to your .htaccess file and delete the code. Chances are that you put it in the wrong place, or that your theme or plugins don’t want to play along. That’s okay, but definitely give these snippets a try nonetheless!
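What the conditions in the third snippet actually evaluate, as an added example rather than code from the original post: a small Python re-implementation of the RewriteCond chain, with the [NC] and [OR] flags applied the way mod_rewrite applies them, run over constructed query strings. The patterns look only at the raw query string for script tags and GLOBALS/_REQUEST parameters, so POST bodies, cookies and SQL syntax are never examined, and harmless markup that happens to contain the letters "script" is rejected as well.

```python
import re
from dataclasses import dataclass

# The third snippet from the post, copied verbatim.
HTACCESS = r"""
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
"""

COND_LINE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?$")


@dataclass
class Cond:
    variable: str       # server variable named in the test string
    regex: re.Pattern   # compiled condition pattern
    negate: bool        # pattern was prefixed with "!"
    or_next: bool       # [OR] flag: joined to the following condition with OR


def parse_conditions(text):
    """Collect the RewriteCond lines that guard the first RewriteRule.

    Only regex conditions on a %{VARIABLE} test string are handled; file
    tests such as -f and -d are outside this example.
    """
    conds = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("RewriteRule"):
            break
        m = COND_LINE.match(line)
        if not m:
            continue
        variable, pattern, flag_text = m.groups()
        flags = {f.strip().upper() for f in (flag_text or "").split(",") if f.strip()}
        negate = pattern.startswith("!")
        regex = re.compile(pattern[1:] if negate else pattern,
                           re.IGNORECASE if "NC" in flags else 0)
        conds.append(Cond(variable, regex, negate, "OR" in flags))
    return conds


def rule_applies(conds, variables):
    """Conditions are ANDed, except that [OR] chains one to the next."""
    i = 0
    while i < len(conds):
        cond = conds[i]
        hit = cond.regex.search(variables.get(cond.variable, "")) is not None
        if hit != cond.negate:
            # Condition satisfied: skip whatever is left of this OR chain.
            while i < len(conds) and conds[i].or_next:
                i += 1
        elif not cond.or_next:
            return False
        i += 1
    return True


def blocked(query_string):
    """True when the [F] rule would answer 403 for this raw query string."""
    conds = parse_conditions(HTACCESS)
    return rule_applies(conds, {"QUERY_STRING": query_string})


# Constructed query strings, raw as Apache sees them (not URL-decoded).
SAMPLES = [
    "p=123",                            # ordinary post request
    "q=%3Cscript%3Ex%3C/script%3E",     # encoded script tag
    "GLOBALS[debug]=1",                 # tries to set a PHP superglobal
    "a=1&_REQUEST=2",                   # same idea via _REQUEST
    "s=javascript+tutorial",            # "script" without angle brackets
    "s=%3Cem%3Edescription%3C/em%3E",   # harmless markup containing "script"
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print("403" if blocked(qs) else "ok ", qs)
```
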

If any of this is over your head, or if your site was already hacked, please feel free to get in touch with me here: I usually get sites cleaned up within 24 hours of being contacted, and you get some free tips, tricks, and consulting along the way.

Let the Comments Begin!

If you have any questions or comments, please do leave them below. I know that this is a hot topic, and people have tons of opinions on security. Please realize that this post does not mention everything, and does not claim to be the ultimate solution to WordPress security. It is simply a step in the right direction and will help greatly. With that in mind, comment away!

Learn How To Get Your First Website Online In A Matter Of Minutes

Most people seem to think that it’s extremely complicated to get their first website online… You have to deal with hosting, domain names, coding (or hiring coders), and on and on…

The truth is that it really isn’t that difficult to get your website online and running. In fact, you can literally have a website online in about 15 minutes from right now if you wanted to… No programming needed, no hiring coders… In fact, there’s really nothing that technical about it at all.

Watch this quick video and follow along with me as I show you exactly how to get your website online right now. It’s simple.

So it’s really that simple.

1. Create an account with Hostgator (Coupon code “LearnToBlog1” gets you 30% off)

2. Install WordPress through Quickinstall

3. Pick your favorite WordPress theme

4. Start writing your blog posts

Anyone can have a blog online within minutes.

Share your stories and tips in the comments below!

Choosing the Right Options and Settings for Your WordPress Blog

Do you want your blog to be indexed by search engines or you simply want to keep it as a private affair? Wanna add www to your site or rather prefer to use a non-www version? Well, the requirements and preferences of all of us vary and a self-hosted WordPress blog gives you plenty of options to fine-tune your site as per your choices. But at times, especially for a beginner, these options can be quite overwhelming and you may find yourself scratching your head trying to figure out the right setting for your blog. So, if you are wondering if you are choosing the right settings for your WordPress blog and how they impact your site, this guide will help you…

Search Engine Visibility

Ok, first things first. By default, your blog is set to be found and indexed by search engines. After all, that’s what most of the bloggers want: to be found and read by others. But in case you don’t want search engines to index your site (e.g. if yours is an invite only, paid membership, or any other type of blog with restricted access) then you should change the search engine visibility settings of your site. To do this:

  • Go to Settings > Reading
  • Check the checkbox for Discourage search engines from indexing this site
  • Save Changes


This only puts a request to search engines to leave your site alone, so you can’t completely rely on it; it depends on the extent to which the search engines honor your request.

www. in the Blog URL

Having www. in your site URL or steering away from it is just a matter of choice. There does not seem to be any particular reason attached to it other than your personal preference. But once you choose one over the other, make sure you stick to it. Here is how you can make these changes:


  • Go to Settings > General
  • Add or remove (as you want) www. from WordPress Address (URL) and Site Address (URL) boxes
  • Save Changes

Permalinks or the Blog Post URL

Permalinks give you the flexibility to decide how the URLs of your blogposts look. This applies to all of the existing and future blogposts on your site. The default URL is based on the post ID (which is auto generated) and is probably the shortest among all. There are various other options that enable you to choose your URL structure based upon date, archive, and post name. Apart from these, you can also design your own custom structure. You can choose these by just selecting the appropriate radio button (and of course, saving your preference).

If your blog is based on events, news or other time sensitive posts, then you may want to go for date or archive based structure. And if you want to keep it short yet fancy, then the post name structure would make a good choice. If the categories are important and you want to include them too, you can do that using the custom structure. Just to give you an idea, here is how to make a structure based on category and post name:

  • Go to Settings > Permalinks > Common Settings > Custom Structure
  • Enter this in the box: /%category%/%postname%
  • Save Changes


As per this custom structure, if you have a post named WordPress Setting Tips under the category Blogging, then your post URL would look something like this:

Again, while actually writing the post, you can further edit the post name part in the URL to anything of your choice. So, you can even make it to look like this:

Category Slugs

If you want to have control over what name should appear in the URL of a particular category archive, then this is where you ought to make the changes. For example, if a category name is social media marketing and you want to display only social media in the category URL, then you can simply edit the slug for that category.

  • Go to Posts > Categories
  • Hover over the category name you want to edit and click on Quick Edit
  • Just edit the slug and click on Update Category


Now, wasn’t that simple?

Enable or Disable Comments?

WordPress comes with a built-in commenting system in order to promote interaction between the author and their readers. But there are situations when a blogger may not like to use it on their blog; for instance, when they use WordPress to create a non-blogging site, or when they prefer to use some external blogging system (like Facebook comments), etc. In addition to just enabling or disabling comments, there are a whole lot of options to manage them on your site. You can see them all under: Settings > Discussion


After you set the universal discussion settings for your blog, you can still enable/disable comments on individual posts and pages.

Display Name of the Author

This is the name that you wish your readers to see as the author of the posts on your blog. You can choose to have it same as or different from your real name, user name or nickname:

  • Go to Users > Your Profile
  • Select the appropriate option from the drop down menu in the Display name publicly as box
  • Click on Update Profile at the bottom of the page


If you are not getting the desired name in the dropdown menu, check whether you have left blank any of the fields under the Name section.

Media Settings

Media settings may not be that important most of the times but they can really make your life easy if you run an image based blog, or your blog requires images of a standard size. You can set thumbnail, medium and large sizes for your images here: Settings > Media

If you need thumbnail images of exactly the same dimensions that you specify, then you should check the box for this, in the Thumbnail size section.


Apart from the image sizes, you can also choose/change the folder to store the images. Also, your media uploads would be automatically organized into month and year based folders by default. I personally prefer to disable this feature by unchecking the relevant box, so that all my images are uploaded in a single folder. This provides for easy replacement of linked images whenever required.

Menu Structure

With the introduction of Menu in WordPress, it has become very convenient to include and exclude items from your navigation. It has also facilitated building of drop down menus. Now you can include pages, categories and individual links, and that means almost anything. You can also choose to automatically add new pages in the menu as and when you publish them; all you need to do is check the box for Auto add pages.

For creating a drop down menu:

  • place the items of the dropdown menu right under the main item you want them under
  • one by one, drag the drop down menu items towards little right, so that they are created as submenu of the main item
  • Click on Save Menu


But before you can start using the menu feature, you need to create a new menu, give it a name and assign it a theme location. Be it while creating a new menu or making any changes in an existing menu, don’t forget to save the Menu, else your changes will not take effect.

Theme Settings

Apart from the WordPress settings, you also need to set your theme settings right. What and how many options you get actually depends upon the theme you use. But almost all modern themes allow you to upload a header image, change the background color or upload a background image, edit your footer, choose which side you want to have the sidebar, etc.

Here is what the theme settings for the twenty fourteen default theme would look like:


Right File Permissions for Security

This one is not typically a WordPress setting, but given its importance it makes the list. From a security standpoint, it is imperative that you check the file permission settings of some important files, especially the wp-config.php and .htaccess files. But remember, you won’t find them in your WordPress login; they are inside your web hosting control panel.


  • Login to your web hosting control panel
  • Click on the File Manager
  • Go to the public_html directory (or further down to your blog folder if it is not installed in the root domain).
  • Look out for the wp-config.php and .htaccess files.
  • To check the file permissions you’ve currently given them, right click on the file and click on Change Permissions in the pop-up menu that appears.
  • These two files should have read only permission under all the 3 modes: user, group and world. If there are more permissions assigned (Write or Execute), reduce them to read only, so that the digits in the Permission boxes read 444
  • Click on Change Permissions to save the changes.
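A way to check these permission targets across a whole install instead of clicking through File Manager, as an added example that is not from the original articles: a Python audit that applies the 644 (files) and 755 (folders) targets from the clean-up checklist above and the stricter 444 for wp-config.php and .htaccess from this section, reporting only entries that grant more than their target. The sample tree and its file names are constructed for the demonstration.

```python
import os
import stat

# Targets stated on the page: 644 for files, 755 for folders, and 444 for
# wp-config.php and .htaccess (matched by name at any depth in the tree).
FILE_TARGET = 0o644
DIR_TARGET = 0o755
READ_ONLY_FILES = {"wp-config.php": 0o444, ".htaccess": 0o444}


def audit(root):
    """Return sorted (path, actual, target, note) tuples for every entry under
    root whose mode grants a permission bit that its target does not."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # a symlink's own mode bits are not enforced
            mode = stat.S_IMODE(info.st_mode)
            if stat.S_ISDIR(info.st_mode):
                target = DIR_TARGET
            else:
                target = READ_ONLY_FILES.get(name, FILE_TARGET)
            extra = mode & ~target
            if not extra:
                continue  # equal to or stricter than the target
            note = "world-writable" if extra & stat.S_IWOTH else "looser than target"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, format(mode, "03o"), format(target, "03o"), note))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed miniature WordPress layout with known modes."""
    layout = [
        # (relative path, is_directory, mode)
        ("wp-content", True, 0o755),
        ("wp-content/uploads", True, 0o777),
        ("wp-includes", True, 0o755),
        ("index.php", False, 0o644),
        ("wp-config.php", False, 0o644),
        (".htaccess", False, 0o444),
        ("wp-content/uploads/photo.jpg", False, 0o666),
        ("wp-includes/version.php", False, 0o600),
    ]
    for rel, is_dir, mode in layout:
        path = os.path.join(root, *rel.split("/"))
        if is_dir:
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
        os.chmod(path, mode)  # explicit chmod, so the umask does not matter


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, actual, target, note in audit(tmp):
            print(f"{rel}: {actual} (target {target}) {note}")
```

The audit only reads metadata, so it is safe to point at a live install. Once .htaccess is 444, WordPress can no longer rewrite that file itself, for example when the permalink structure is changed.
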

So, these are some of the core settings of your WordPress site and choosing them right is just a one-time process. You need not, or rather should not, keep changing them every now and then, since that’ll have a negative impact on your site. Apart from these, you should also ensure that the settings of any plugin that you install are optimized for your site.

Blog Security 101 – Part 2

The first part of this article covered some of the basics when it comes to WordPress security. This installment will focus on some of the basic steps you can take to address some of the vulnerabilities that are common to web applications and those that are unique to WordPress itself.

A Foundation in Good Security

Before we start with installing plugins or changing file and folder permissions we need to start with you and your computer.

Think about it, you are the Admin of your blog; you have control over everything and you use your computer to access that blog. If these two things are not secured then it doesn’t matter what else you do as far as security is concerned, your blog will be easy to compromise.

Is your computer malware free?

Before you install WordPress onto your server, before you create the database, before you do anything related to your blog, make sure that your computer is free of viruses, worms, Trojan Horses, spyware, etc. Malware that resides on your computer has the ability to log every action you take and report it back to another computer. If it sees you log in to your bank, it can capture your account and password information; likewise, if it sees you log in to your blog, it can capture your username and password. If the bad guys have this information then they own your site. Make sure that you update your anti-virus software and run it frequently. If you already have a blog set up, take this precaution anyway. If you find malware on your computer, clean it off and change your password immediately. Check to see if there have been any additional admin accounts created as well; if they are not ones you recognize then you should think about deleting them.

Speaking of passwords…

Are you one of those people who use a strong password? That’s good, as long as you use different strong passwords for all of your different accounts. People who use the same password over multiple accounts run the risk of that password being compromised somewhere. If an attacker has that and it works on all of your accounts then they have access to everything. Instead of just password complexity, think password diversity. If you have trouble remembering all of those passwords then use a piece of software known as a password safe to store them in.

Stay up to date

One final word on security fundamentals; stay up to date. It was mentioned that your anti-virus software should be up to date at all times. This is so it can identify all of the latest malware that is out there. Likewise, your WordPress installation should be up to date and all of your plugins should be as well. These updates usually address any known vulnerabilities in the code itself.

The Plugins

One of the easiest ways to add functionality to any blog is by using a plugin. Plugins can be a way for you to better secure your blog, but they can also be a way for someone to breach it.

Plugins contain code, and it is that very code that may be vulnerable to an attack so it is important that you keep your plugins updated but that you also remove any plugins you are not using on your blog. While you are at it, remove any themes that are not being used as well as these may contain vulnerabilities also. For this reason you should only install themes and plugins that come from reliable, trusted sources.

As previously stated, plugins can also be used to help secure your blog. At a minimum, you should install plugins to handle the following:

  • System hardening
  • System scanning
  • File monitoring
  • Firewall tasks
  • Backup and recovery

One plugin, Better WP Security, takes care of most in the aforementioned list. It will help hide essential information from potential attackers by taking steps like changing the URLs for the dashboard, renaming the admin account, changing the database table prefixes and much more. It will also protect the application itself by forcing strong passwords, limiting file editing and scanning a site to find vulnerabilities among other things. Other features included in this plugin are the ability to monitor the file system for changes, schedule backups of your database and look out for automated attacks from bots.

The drawback to this plugin? It isn’t fully functional for blogs that have WordPress installed on Windows IIS server; it will only work to its fullest on Apache, LiteSpeed or NGINX web servers (NGINX servers will require you to manually edit your virtual host configuration). If you are unsure which operating system your server runs, check with your hosting provider to make sure.

If Better WP Security isn’t the plugin you want to go with, there are others that can handle different aspects of security for your blog. One of the most highly regarded plugins is Acunetix WP Security. Created by a leader in the web application security space, this plugin will do many of the same things that Better WP Security does to obscure information from attackers, harden the system and back up your blog. What it does not do is monitor files to see if anything has been changed, and it does not have the same ability to thwart attacks from bots and other agents. There are some other features that it does not have that can be found in Better WP Security; however, Acunetix does work on Windows IIS web servers as well as Apache, LiteSpeed and NGINX. It will also scan your blog and provide a security overview report with information on any vulnerability it finds. This alone makes WP Security worth a look, as Acunetix sells professional vulnerability scanning tools to many leading security firms.

Your blog should also run a web application firewall in front of it to protect against any outside attacks. Plugins like NinjaFirewall for WordPress will protect against threats like cross-site scripting, brute-force scanners and shell scripts. It will also sanitize input to guard against attacks like SQL injections and block attackers from scanning your site for vulnerabilities. These tools are so important that the credit card companies strongly suggest they be used on any e-commerce site. This one is free and provides a solid barrier of protection for your blog.

There is one other plugin that needs to be mentioned as it takes the place of all three of the ones mentioned here and that is the Sucuri WordPress plugin. Not only is it the most comprehensive security plugin you will find, customers also have access to a great support team if they run into any configuration or management problems. Unlike the others, Sucuri does come with a yearly subscription fee but if your blog is part of your business it might just be worth the $90.

Using the .htaccess file

Many security checklists will tell you to change file and folder permissions and this is a good thing because it helps prevent access to your site. That isn’t covered here too much because the plugins that were mentioned will take care of this. If you want to do this yourself then you can do this using any FTP program and following the guidelines under the File Permissions section here

While file permissions will not be looked at, making some changes to the .htaccess file will be. This file defines access control to certain areas of your web site, and in this instance your WordPress site.

In order to edit the .htaccess file you will need to use an FTP program. Most web hosting companies offer this as part of their management console so this will do for making changes to the file.

Once opened you should see something that looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

We are going to add some things after the # END WordPress so that when you update WordPress your changes will not be overwritten.

The first file to protect is wp-config.php that stores information about the database and the site itself. To the .htaccess file add:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Once saved, this will deny outside access to wp-config.php.

You can also add a snippet of code to this file to protect the .htaccess file as well. Using:

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

will do just that.

Securing a WordPress site means being constantly vigilant. The methods attackers use to compromise sites are always evolving. They discover new vulnerabilities every day, so staying on top of things is paramount.

While no site will ever be 100% secure against attack, these tools will certainly help keep most of the bad guys out and will alert you to any that do make their way past your defenses.

Beginner’s Guide to Setting up a Self-hosted WordPress Blog

Over the last decade or so, blogging has emerged as a promising career option and many bloggers have adopted it as a full time profession making a decent living out of it. Business entities big and small alike are integrating blogs into their website for better engagement and conversion. From blogging for hobby on a free platform like Blogspot to setting up a full-fledged self-hosted blogging site on CMS like WordPress, blogging for sure has come a long way.

So, what does it take to set up a professional looking blog that you can call your own in the real sense and take with you from one webhost to another, whenever you feel like? Well, the answer is – nothing much. All you need is a domain name for your website and a hosting service to keep it live 24×7. The installation process is no rocket science either. If you are comfortable running a PC, you are good enough to set up your own blog.

In the tutorial below, we walk you step by step through the process of setting up a self-hosted WordPress blog.

Step 1: Register a domain name

Before you begin setting up a blog, you need to decide upon an address with which people can access it from their web browser. It is called domain name and it forms a major part of your blog URL. For example, in the URL, is the domain name.

You can buy a domain name from a domain name registrar for a particular period of time (usually a year and in multiples thereof) and then continue to renew it so long you intend to keep it with you. There are a lot of domain registrars you can register a domain name with; here is how you can do it with Godaddy, one of the popular domain registrars:


  • Visit their website:
  • Using the search box on the homepage, check out the availability of the domain name you want. You can check for different extensions but .com, .net and .org are among the most popular domain extensions, in that order.
  • Once the domain name you want to go with is available, add it to the shopping cart and click on Continue
  • They will try to cross-sell various other products/services along with the domain name, but you can ignore all of them and Continue to Cart
  • This will take you to the order review page. Once you are sure of the order summary, you can Proceed to Checkout
  • If you have not registered with them earlier, click on New Customer and fill in all the details. You will also have to select a payment method and enter the necessary details. Once ready click on Continue.
  • Once the payment is processed successfully, the domain will be in your account. You can login to your Godaddy account using your username and password, and manage your domain.

Step 2: Buy a web hosting account

Next you will require a web server where you can install the blogging software and upload your blog files. But you don’t have to buy yourself a physical server for this. There are a number of webhosts that offer this service. So, all you have to do is buy a web hosting service from some reliable provider like HostGator:

  • Click on View Web Hosting Plans


  • Select the plan you want to go with and click on Order Now. For beginners intending to set up only 1 blog, Hatchling Plan should be sufficient. If however, you want to set up multiple blogs, then you should go with the Baby Plan.
  • In the order form that comes next, select the radio button I already own this domain (since you will have already bought a domain name in Step 1). Now enter your domain name in the box just below that. Remember, it’s just the domain name (without http:// or www).


  • Fill up the rest of the form with your desired Username, Security Pin (password), Billing Information, Payment Information and other details.
  • See the Hosting Addons section in the form carefully. If some items are checked and you don’t need them, just uncheck them.
  • Below the Hosting Addons section, you will see a box to enter a Coupon Code. Enter the code: LearnToBlog1 to get a discount of 25%. If there is already some default code in the box, you can replace that with this code and you’ll see your total due amount come down substantially.


  • Check the terms and conditions acknowledgement check box and click on CREATE ACCOUNT.
  • Now the system will start processing your payment and on successful processing, you will receive your hosting account details at the email address that you mentioned in the order form. Don’t forget to check your junk or spam folder if you don’t see it in your inbox.

Step 3: Point the domain to your nameservers

Now that you have a domain name and a hosting account, the next step is to link these two. This too is fairly easy:

  • Check the account information mail that you received from your webhost (HostGator). Note down the nameservers. There will be 2 nameservers and you’ll need both of them. It will look something like this: and
  • Now log in to your domain account (GoDaddy)
  • Hover on: Products > Domains and click on Manage Now. You will see a list of all the domains in your account.


  • Click on the domain name you want to set up your blog on.
  • You will see the default nameservers under the settings tab which would be something like: NS67.DOMAINCONTROL.COM and NS68.DOMAINCONTROL.COM. Just below that, you will see a link to Manage your nameservers. Click on it and a small Nameserver Settings window will pop up.


  • Select the Custom radio button and click on Enter custom nameservers. Enter both the nameservers that you got from your hosting provider, one each in a box. Click on OK and Save the settings.


This will link your domain name with your hosting account. But remember, the settings will not come into effect immediately, since the change has to propagate to DNS servers all over the internet. This Domain Name System (DNS) propagation usually happens in a few hours but can take as long as 72 hours to complete.

Step 4: Install WordPress

OK, now the real action begins. We will start installing WordPress, the most popular blogging software, on our server. Here we go:

4.1 Uploading and extracting files:

  • Go to
  • Download WordPress. You will get the option of downloading it as .zip or .tar.gz compressed file; the choice is yours.
  • Now log in to your webhosting control panel (cPanel) using the username and password you got from your web hosting provider. Your cPanel login URL would be: where you need to replace domainname with your actual domain name. But if your DNS has not yet resolved (not propagated on the web), this URL will not work. In such a case, use the temporary cPanel URL that your webhost has provided.
  • Click on File Manager under the ‘Files’ section. In the ‘File Manager Directory Selection’ popup that appears, select the radio button for Web Root (public_html/www) and click on Go. This will take you to your root directory public_html.


  • Now upload the WordPress compressed file to your root directory. For this, click on the Upload button from the menu at the top, and choose the file to be uploaded. You can see the upload progress in the bottom right corner. Once the upload is complete, you can come back to your root directory by clicking on the link that appears in the center of the upload page. If however you want to install your blog in a subdirectory instead of the root directory, then you should create a new folder first and upload the WordPress file in that folder. The name of that folder will become a part of your blog URL. For example, if it is named ‘blog’, then your blog URL would be similar to:



  • Since we have uploaded a compressed file, the next step would be to extract it. For this, select the compressed file and click on Extract from the top menu. Select the path as the root directory (/public_html) or the subdirectory (/public_html/blog, etc.) depending upon where you want to install the blog, and then click on Extract File(s).
  • You will now see that a new folder called ‘wordpress’ has been created and all the extracted files are placed inside it. We need to bring the content of this folder directly under the root directory or the subdirectory where we want to install the blog. So, go to this ‘wordpress’ folder and select all of its content using the Shift key and the mouse. With the files selected, click on the Move File icon in the top menu. Select the correct destination path in the pop-up and click on the Move File(s) button. This should leave the ‘wordpress’ folder empty, and it may now be deleted.

4.2 Creating a database and user:

WordPress installation runs on a MySQL database. So, let’s get creating one:

  • Close the File Manager (to avoid any likely confusion) and come back to the cPanel homepage.
  • Under the Databases category, click on MySQL Database Wizard.


  • You will see that your cPanel username is prefixed to your database name by default. Complete your database name by adding preferably 6-7 characters in the box provided, and head on to Next Step, which is to create a database user.


  • Just like the database name, fill in the box for the username in order to create a database user. For ease of identification, you can keep it the same as your database name. But remember, you can enter only up to 7 characters.


  • Use the Password Generator to generate a strong and safe password. Make note of the password; we will need it soon. Now, check the checkbox to acknowledge that you have copied the password and then click on Use Password.
  • Everything filled in, click on Create User.
  • Next is the step for adding the user to the database. But before this, note down the complete name of the database as well as the user. Now check the checkbox for ALL PRIVILEGES and click on Next Step.


With this, we have created a database, a database user, and added the user to the database too.

4.3 Editing the wp-config.php file:

For the database to become functional, we’ll have to link it to WordPress. Here is how we do this:

  • Once again, go to the File Manager and look for a file named wp-config-sample.php. Rename it to wp-config.php (double clicking on the file name will change it to edit-mode).
  • Now start editing the renamed wp-config.php file. You can do this by selecting the file and clicking on the Edit icon in the top menu.
  • Enter your database name, database username and database password.


  • Save Changes and close the file.
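
After saving, it is worth confirming that no sample value was left behind in wp-config.php. The Python check below is an added example, not part of the original tutorial or of WordPress itself; the placeholder strings are the ones shipped in wp-config-sample.php, the check on the secret keys goes beyond the three database settings edited above, and the sample config and its database names are constructed.

```python
import re

# Values shipped in wp-config-sample.php; finding one means the file was
# renamed but never fully edited.
DB_PLACEHOLDERS = {
    "DB_NAME": "database_name_here",
    "DB_USER": "username_here",
    "DB_PASSWORD": "password_here",
}
KEY_PLACEHOLDER = "put your unique phrase here"
SECRET_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
               "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Matches define( 'NAME', 'value' ); written with single or double quotes.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;""")


def parse_defines(config_text):
    """Return {constant: value} for each string define() in the text."""
    return {m["name"]: m["value"] for m in DEFINE_RE.finditer(config_text)}


def audit_wp_config(config_text):
    """Return a sorted list of settings that still need attention."""
    defines = parse_defines(config_text)
    problems = []
    for key, placeholder in DB_PLACEHOLDERS.items():
        if key not in defines:
            problems.append(f"{key}: missing")
        elif defines[key] in ("", placeholder):
            problems.append(f"{key}: empty or still the sample value")
    for key in SECRET_KEYS:
        if defines.get(key, KEY_PLACEHOLDER) == KEY_PLACEHOLDER:
            problems.append(f"{key}: secret key not set")
    return sorted(problems)


# Constructed sample: name and user were edited, password and keys were not.
SAMPLE = """<?php
define( 'DB_NAME', 'cpuser_blogdb' );
define( 'DB_USER', 'cpuser_bloguser' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY', 'put your unique phrase here' );
"""

if __name__ == "__main__":
    print("\n".join(audit_wp_config(SAMPLE)))
```

To run it against a real file, pass the contents of wp-config.php to audit_wp_config(); an empty list means nothing was flagged.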

4.4 Running the installation script:

Almost there! Just one more step to go:

  • Open your blog URL in a web browser. It would be similar to: or depending upon where you installed WordPress.


  • Fill in the installation form with your desired details like site title, username, password, email ID, etc. Don’t forget to check the checkbox saying Allow search engines to index this site, unless you want your blog to be a secret affair hidden from Google and other search engines. As a final step, click on Install WordPress. That’s it. Your blog is ready to rock!

4.5 Installation using auto-install script, Fantastico:

If you don’t want to go through the manual installation process of uploading files, creating a database, editing the wp-config.php file and all, there is an easier alternative available. The auto-install script called Fantastico can do it for you:

  • Go to your cPanel homepage and click on Fantastico De Luxe under the Software/Services category.
  • Click on WordPress from navigation menu on the left side and then on New Installation.


  • Fill in the details and hit the Install WordPress button.

That’s all you got to do. Everything else will be taken care of by the auto-install script.

4.6 Logging in to your WordPress site:

You can log in to your WordPress site using the login URL which would be like:


It will ask for your username and password. These would be the ones that you used while running the WordPress installation script or the ones you entered in Fantastico, as the case may be. Note that your domain login credentials, cPanel login credentials and MySQL database credentials have NOTHING TO DO with this login.

4.7 Adding www. in the URL:

By default, your blog URL would be like:

What if you want to add www. to it in order to make it look like:

No worries, this part is easy too:


  • Log in to your WordPress site
  • Go to Settings > General
  • Add www. in the WordPress Address (URL) as well as in the Site Address (URL). Click on Save Changes and you are done. As you save this, you will be automatically logged out of your site. Don’t worry, it just happens because your URL is changed. You can log in again using the new URL with www.

Step 5: Install a suitable theme

The design and look of your blog depend upon the template that you use. A WordPress template is popularly known as a theme. The WordPress blog you install comes with a default theme. You can change this theme anytime you want to change the look of your site, and you can do this without affecting the content of your site.

5.1 Installing a free theme from WordPress repository:

WordPress has a huge collection of free themes to choose from. You can see them all here:

You can access and install any of these themes directly from your admin panel:


  • Log in to your site
  • Go to Appearance > Themes and click on Add New.
  • You will be taken to an interface where you can search for a theme either using a keyword or a specific set of features. You can also get the list of Featured, Newest and Recently Updated themes.
  • Click on the theme that you like. This will give you a preview of the theme as well as an option to install it. Click on the Install button if you like the preview and want to proceed with installation. Now the theme is added to your blog’s collection but remember – it is not live yet.
  • To make your theme live, click on Activate. Or before doing that if you want to see how it looks on your site, click on Live Preview.

While browsing through WordPress themes repository, if you happen to like a theme, you can download and install it by following the below method as well.

5.2 Installing a theme from outside WordPress repository:

Sometimes, you may want to go with a premium theme. Or it may be just that you found a great theme from somewhere outside the WordPress repository and want to install it. Well, even that’s possible; just see to it that the theme is a WordPress theme and follow the below process:


  • Download the theme that you want to install. This should be a compressed, .zip file.
  • Log in to your site
  • Go to Appearance > Themes and click on Add New.
  • Click on Upload
  • Choose the file (theme in .zip format) and click on Install Now.
  • Click on Activate and there you are!

All the themes that you upload or install will be available in Appearance > Themes. You can activate any of them any time you like.
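
To “see to it that the theme is a WordPress theme” before uploading a .zip from outside the repository, the archive can be inspected first. The Python sketch below is an added example, not part of the original tutorial or of WordPress; it assumes a theme is recognised by a style.css carrying a Theme Name: header plus an index.php or templates/index.html (or a Template: header for a child theme), it also flags entries whose paths point outside the extraction folder, and the sample archives are constructed in memory.

```python
import io
import posixpath
import re
import zipfile


def header(css, field):
    """Return the value of a 'Field: value' line in style.css, or None."""
    pattern = rf"^[ \t/*#@]*{re.escape(field)}:(.*)$"
    match = re.search(pattern, css, re.MULTILINE | re.IGNORECASE)
    return (match.group(1).strip() or None) if match else None


def inspect_theme_zip(data):
    """Return (theme_name, problems) for the bytes of a theme .zip file."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        names = archive.namelist()
        for name in names:
            # Entries that would be written outside the extraction folder.
            if name.startswith(("/", "\\")) or ".." in re.split(r"[/\\]", name):
                problems.append(f"unsafe path: {name}")
        sheets = sorted((n for n in names if posixpath.basename(n) == "style.css"),
                        key=lambda n: n.count("/"))
        if not sheets:
            return None, problems + ["no style.css"]
        root = posixpath.dirname(sheets[0])
        css = archive.read(sheets[0]).decode("utf-8", "replace")
        theme_name = header(css, "Theme Name")
        if theme_name is None:
            problems.append("style.css has no 'Theme Name:' header")
        # Standalone themes need an index template; child themes name a parent.
        index = {posixpath.join(root, f) for f in ("index.php", "templates/index.html")}
        if not index & set(names) and header(css, "Template") is None:
            problems.append("no index template and no 'Template:' header")
    return theme_name, problems


def build_zip(files):
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for path, text in files.items():
            archive.writestr(path, text)
    return buffer.getvalue()


# Constructed samples: a minimal theme, and an archive that is not a theme.
GOOD = build_zip({"mytheme/style.css": "/*\nTheme Name: My Theme\n*/\n",
                  "mytheme/index.php": "<?php // main template\n"})
BAD = build_zip({"bundle/readme.txt": "hello\n", "bundle/../../x.php": "<?php\n"})
```

A structural check like this does not say anything about what the theme’s PHP code does, so the source of the download still matters.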

Step 6: Start writing your blog post

Now that you have installed your blog, you are ready to begin writing your first blog post; or should I say, you’ve already done that! Yes, your default ‘Hello world’ post goes live as soon as you install a blog. You can choose to edit it, ignore it or delete it.


  • Log in to your site and click on Posts in the left panel. This will take you to the list of existing posts.
  • Hover over the default post and you will see the options to edit or trash it.
  • If you want to add a new post, click on the Add New button either at the top or in the left panel under ‘Posts’.
  • Add the post title at the top and write the post in the main body.
  • Should you need to add any image, click on Add Media, upload the image file and then click on Insert into post. When you upload an image, you also get to choose its alignment, link it to a URL and optimize it by means of Alt Text, Description, etc.
  • You will also need to select a category for your post. Since the only category by default would be uncategorized, you may want to add a new category. You can easily do this by clicking on + Add New Category.
  • You can also add some tags to the post if you like.
  • If you want to see how it would look when the post goes live, you’ve got a preview button for that.
  • Once everything is ready, hit the Publish button and your post is live. If you want to leave the post half way for now and continue with it later, you can save it as a draft.
  • For scheduling a post to a future date, click on the small Edit button just beside ‘Publish immediately’. Enter the date and time you want to schedule for and click on OK. This will change the Publish button to Schedule button. Now click on that as a final step.

Once you set up your blog and continue to write more blog posts, you will keep learning more things. Writing static pages, inserting videos, adding plugins, creating users for co-blogging… there are loads of other features and options to explore. We will be covering them separately on our blog, stay tuned!