Instructions for Building a WebSite Using WordPress.org

>>, WordPress>>Instructions for Building a WebSite Using WordPress.org

Instructions for Building a WebSite Using WordPress.org

Step by Step Instructions for Building a WordPress Website With the Avada Theme


If you’ve read my post: Building a WordPress Website: Pre-Build Considerations and have decided to build a website using WordPress, here are my step-by-step instructions.  Note: these instructions are for building a website using the WordPress.org platform.  I’m sure there are other good step-by-step instructions out there somewhere, but I didn’t ever find what I needed; most of what I found was full of fluffery and common sense stuff and all the important information was left out.  I ended up searching for information piece-meal, at each step.  These instructions describe how to set up a WordPress website using the specific products and providers that I used.  If you use different suppliers, the steps might be a little different, but this should provide sufficient background for you to figure out what to do.

In This Article

1. Purchase the Domain Name

2. Purchase Web Hosting

3. Point Your Domain Name to Your Home Server

4. Buy a premium theme from Themeforest

5. Download Your Theme

6. Set Your Domain Name With Your Web Hosting Company

7. Set up your security certificate

8. Install WordPress

9. Check if your website is up and running

10. Log into your WordPress Dashboard

11. Inspect the WordPress Dashboard

12. Configure your Loginizer

13. Set up your email

14. Configure SG CachePress

15. Install your theme

16. Set Up a Child Theme

17. Register your Avada theme

18. Decide if You Want to Install the Full Demo

19. Set up Auto Updates

20. Setting Backups for Your website

21. Additional Backups

22. My other plugins

23. Configure Your Permalinks

24. Install TinyMCE

25. Adjust the General Settings

26. Create a Site Title and a Tagline

27. A Note on Options to Add Content

28. Make your First Page

29. Add Content Using the Fusion Builder

30. Configure the Footer

31. Install and Verify Google Search Console

32. Check that Your Site is Indexed by Google

33. Important Tools for Researching your Website 

34. SEO Plugins

35. Cloudflare: Optional Security and Performance Enhancement

36. How to Use Cloudflare to Block a Brute Force Attack

37. How to Use htaccess to Block a Brute Force Attack

38. How to Block a Brute Force Attack By Disabling XML-RPC

39. How to use Password Protect in cPanel to Block Brute Force Attacks

40. List of WordPress Plugins for Blocking a Brute Force Attack

40. How to Block Individual IP addresses from Accessing Your Website

1. Purchase the Domain Name

This will cost anywhere from $2-$100 per year, a .com is $15 per year).  Note: if you go with SiteGround as you web hosting company, they will provide one free domain with each account.  You can buy your domain name from your web hosting provider, however, if you choose to switch web hosting providers, it may become a hassle to also transfer your domain.  Note: I use NameCheap to purchase my domain names because I own several and I like to keep them organized by buying them all from the same supplier.  Some hosting companies only sell the most popular top level domains (like .com and .org), but there are hundreds of others (for example: .tech and .io) that you may wish to use.  You will have to decide whether you can/want to purchase your domain from your web hosting company.


2. Purchase Web hosting

I  recommend SiteGround.  After purchasing a plan, your account will be set up immediately.  Log into your account from the main SiteGround.com page.  Choose the My Accounts tab, then click the Go to cPanel button.  This is where you get started installing WordPress and setting things up.


3. Point Your Domain Name to Your Home Server

If you bought your domain name from NameCheap, or somewhere other than your web hosting company, you will need to point your domain to the web host’s servers.  Note that you get a free domain with each hosting plan, when you go with SiteGround.  I’m not sure if they allow top level domains other than .com and a few other common ones (.org, etc.).  For my websites, I use NameCheap, so I need to provide NameCheap with SiteGround’s nameservers.  You don’t need to know what this all means.  Just do the following:

  1. Find your web hosting company’s name servers. There should be at least 2.  You should be able to find them pretty easily, by searching the company’s pages, .
  2. SiteGround has 2, they are:
    1. ns1.us10.siteground.us
    2. ns2.us10.siteground.us
  3. Now go to NameCheap (or whoever you bought your domain name from) and sign in.
  4. For NameCheap: hover over account from the menu along the top and select domain list
  5. Find the domain name you’re interested in using and click manage
  6. Where it says nameservers, select: Custom DNS and paste in the two hostnames, provided above.
  7. Save this setting by clicking the checkmark (this is the save button).
  8. Now you’ll have to wait. It may take up to 24 hours, but it has always occurred in a few minutes for me, I’m not sure if I’ve just been lucky.  You can check to see if you’re domain name has propagated at whatsmydns.

4. Buy a premium theme from Themeforest 

I recommend using a premium theme, or one of the free WordPress supported themes like twenty sixteen.  The Avada theme ($59) comes with a built in page builder, which alone, is worth the price of the theme.  If your theme doesn’t come with a page builder, I recommend using Beaver Builder, it is very highly rated and the plugin is free.  I have used Beaver Builder to modify the twenty sixteen WordPress theme and it works  well. WordPress has now released it’s own page builder called Gutenburg. It’s in beta and not very good yet, but it’ll get better and it might get you by, if you aren’t worried about modifying your website’s appearance much beyond the default look. It is best to use one of the free WordPress themes, or a very well supported theme from a well established company, because you know it will be stable and will be updated with security and other bug fixes for life.  This website was built with Avada (A premium theme) and at the time I first wrote this, I preferred premium themes to the other options. However, I now lean  toward using one of the default WordPress themes (Twenty Sixteen, Twenty Seventeen, etc). These are free, they don’t bloat your website with wasteful code, they load fast and they are stable. If you need to do a lot of customization to make your website look a certain way, you might be able to do it with one of the default WordPress themes and beaver builder, but you may have to use something like the Avada theme because it does offer more customization potential. If you are planning to do eCommerce, I recommend using WooCommerce and one of their themes, or look into Shopify, instead of WordPress.


5. Download Your Theme

Right after you buy the theme, the page will say payment complete. There should be a download button somewhere, click on that to download your theme.  Save it on your computer to whatever folder you want.


6. Set Your Domain Name With Your Web Hosting Company

  1. Log into cPanel: Log into to SiteGround >> my accounts tab, then look for the cPanel button.  It’s near the top left corner.
  2. Add your domain: At this step, I must apologize because I’m not positive if this is correct (I already have an account set up), but I think you need to find the section called Domains and click the “Addon Domains” icon.
  3. Fill out the form:
    1. New Domain Name: Enter your domain name: for example: yourwebsite.com (note: leave out the www. and http)
    2. Subdomain or FTP Username: this fills out automatically
    3. Document Root: this fills out automatically
    4. Password: choose your password
    5. You’re now finished setting up the domain name, but you may still have to wait for the domain name propagation that you set up in the previous step

7. Set up your security certificate

If you are using the free Let’s Encrpt option through SiteGround (as I recommend), do the following:

  1. Log into your cPanel
  2. Under the security section, click let’s encrypt
  3. Choose the domain you want to install SSL on and click install: it’ll do it’s thing, then it should say: success when it’s done.
  4. That’s it, you’re done!  It is much easier to set up the free SSL from Let’s Encrypt, than it is to set up the SSL certificates that you have to pay for!

If you have purchased a security certificate:

  1. Log into your webhosting account
  2. Click My Account
  3. Find the icon that says Simple CSR request for 3rd Party SSL
  4. Click request a CSR
  5. Fill out the rest of the information and click the button to submit the CSR request
  6. You now have to wait for your hosting company to email you the CSR (it is a long stretch of encrypted text) and they will tell you where to paste it. The wait time is variable, but a ballpark guess would be 24 hours.  There will be more instructions in your email

8. Install WordPress

  1. Log into SiteGround: click “my account” and go to cPanel
  2. In the Auto Installers section of cPanel, click WordPress and install now
  3. Fill out the form as follows:
  4. Choose protocol: If you are following my instructions, your security certificate was already installed in the last step, so select https://.  Note: if you’re not using a security certificate, or if you’re planning to but it’s not installed yet, select http. Note: if you select http and then you subsequently install an SSL, youll need to switch to https for the SSL to take effect.  To switch to https at a later date: log into WordPress, then from the dashboard select: settings >> General.  Now change from http to https.  Note: if you know you’re going to use https, you should set it up as soon as you can after creating your website.  A couple of days is fine, no one is likely to see your website and no one will create links to it.  However, once people start visiting your website and creating links to it, their links will be to the http address.  When you change to https, those links won’t work anymore.  You can get around this by setting up a 301 redirect (not a big deal, if your web hosting company will do it for you), but it will be easier for you to just install the security certificate before your website starts getting any traffic.
  5. Choose domain: Select your domain from the dropdown menu. If it’s not there, something is wrong
  6. In directory: leave blank
  7. Site name: For now, just use the same as your URL, but with spaces between words. I think this will appear at the top of your new website when you first create it.
  8. Site description: whatever you want, not sure what this is for (perhaps it helps Google to categorize your site).  I just used the same words as the previous step.
  9. Enable Multisite (WPMU): leave unchecked
  10. Admin Username: your choice
  11. Admin Password: your choice
  12. Admin Email: your choice (but probably just use the default, which is admin, followed by your domain name)
  13. Under select plugins: I recommend checking: limit login attempts
  14. Leave defaults: Leave the rest of the settings as they are, if they are not self-explanatory to you.
  15. Click install

9. Check if your website is up and running

Click on the link to your website that will appear after the previous step is completed, or open a new tab and type your website into the address bar (Note: you may have to type in https:// before your URL, like this: https://yourwebsite.com).  You should see the basic WordPress website, it’ll have the name you chose for your website as the title, a side bar and a few other things.


10. Log into your WordPress Dashboard

Type in your web address, then add the following to the end: /wp-admin.  For example: https://mywebsite.com/wp-admin.  This will take you to the login page.  Enter the username and password that you choose when you installed WordPress.


11. Inspect the WordPress Dashboard

Once you login, you’ll see a bunch of options along the left side of the screen (Home, Posts, Media, Pages, Comments, etc.). This is called your WordPress Dashboard.  When you install a theme, or a plugin, additional options may be added to your dashboard.  There are a lot of options and sub-options and it can be a bit overwhelming at first.  I’d suggest taking a few minutes to just browse around the various options.  Below, I have provided a brief overview of each option in the dashboard.  Note: Many of the WordPress options are found in the dashboard, however, with the Avada theme, there are a number of options at the bottom of individual pages and posts.  For example, after you have created a page (explained further below), you can access that page by going to: Dashboard >> pages >> all pages, then select a page of interest.  Now scroll to the bottom of the page.  You should see a section with the title: Fusion Page Options.  This section contains options that apply to the specific page you are working on.  These options include: adding slide shows (sliders), adding a side bar to the page, and many others.  All of those options will apply to the one specific page you are working on at that time.  Conversely, the options in the Dashboard will generally make changes to your entire website.  Below is a list of the options found in the WordPress dashboard.

  1. Dashboard: Tells you what updates are available
  2. Avada: This option appears if you install the Avada theme.  It’s used for product support, product registration among other things.
  3. Posts: Add, edit, or delete a post.
  4. Media: Add pictures, videos, etc. to your media library. From this link, you can upload media to your server (ie. your web hosting account).  You can then insert these images/videos/etc. into pages and posts on your website.  Note: you probably won’t need to access your media library from this link very often because there’s also a link to add media in the editor that you use to build pages and posts.  So you’ll usually just add images to your library on the fly, while you’re writing a page or a post.
  5. Pages: Add, edit, or delete a page.
  6. Comments: This is the link that gives you administrative control over comments that people leave on your pages or posts.
  7. Portfolio: This is added if you install the Avada theme.  Options here allow you organize your blog posts by categorizing them using tags and categories, among other things.
  8. FAQs: This is added if you have the Avada theme installed.  I’m not sure what this is for. It appears to be a way to add an FAQ page to your website.
  9. WooCommerce: This will be in your dashboard if you install Avada demo content that contains WooCommerce.
  10. Products: This option also gets installed when you install Avada demo content. It lets you tag and organize the products that you are selling on your website (if you are selling something).
  11. Appearance: The appearance tab is where most of the options to customize your site are. Note that these are site-wide settings, so anything you change here will apply to your entire website.  There are many options under appearance and if you are a beginner, it would be wise to browse through them to get an idea of what’s there.  Many of the options for you to customize your site are under: Appearance >> Theme options.  You will need to access these settings frequently when you are first getting set up.  Things like font color, the look of your menu, mobile responsive settings, and many other things are found here.  Another important thing to be aware of is; occasionally you’ll want to make some custom changes that aren’t accessible through the Avada options.  To do this, you’ll need to add a little CSS code.  To start, you’ll probably just want to ask Avada tech support for help and they’ll send you the snippet of code you need, if code is in fact needed.  All you have to do then is paste that code here: Dashboard >> Appearance >> Theme options >> Custom CSS.
  12. Plugins: Options for searching for, installing, and removing plugins.
  13. Users: This option is used if you want to set up multiple administrators of your website
  14. Tools: I’m not sure what this option is for, I’ve never used it
  15. Settings: Contains an assortment of settings for WordPress.  Also, if/when you install a plugin, options for that plugin may appear here.
  16. Fusion Slider: This is added if you have the Avada theme installed.  It contains options for the fusion slider plugin.  A slider is a box on one of your pages that shuffles though different images.  Fusion is Avada’s plugin for making sliders, there are several other plugins for this purpose.
  17. Elastic Slider: This gets added if you have the Avada theme installed: It’s another option for creating sliders.
  18. Loginizer Security: This plugin comes pre-installed if you use SiteGround for web hosting.  The plugin limits the number of login attempts that someone trying to access your WordPress dashboard can make before they get locked out.
  19. SuperCacher: This plugin will be automatically installed if you use SiteGround for web hosting.  It has settings for caching your website (this helps pages load faster).

12. Configure your Loginizer 

This plugin limits the number of attempts someone can make to try to log into your WordPress account, before they are temporarily locked out.  This prevents bruteforce attacks by hackers.  This plugin comes pre-installed if you use SiteGround for web hosting.

  1. Dashboard >> Loginizer Security >> brute force
  2. Optional: Change max retries. The default is 3 which I think is a little low.
  3. Optional: change the other settings as you wish.

Consider choosing to be notified by email after 1 lockout (the default is zero, so you will not be notified if someone tries a brute force attack and gets locked out, unless you change this).


13. Set up your email

Optional: You can set up an email address to be associated with your website, so you can receive emails from people visiting your site (through contact forms, etc.). You may also want to set up an email account so you can get notifications from plugins; for example to tell you that your files were successfully backed up.  You can access your admin email directly from cPanel, or set up a forwarder, so any admin email you get is sent to your preferred/primary email address.  To create an account, and or access access your email account:

  1. Login to SiteGround >> my accounts tab >> cPanel button >> in the mail section click the email accounts icon.
  2. Note: you will have one default email address for your SiteGround account and you can set up one or more email accounts for every website you have.  You can create or delete email accounts here.
  3. Creating a new email is self-explanatory, just fill out the top section.
  4. To check your email, scroll down and find your email address.  To the right of your email address there will be a button that says more.  Click it, then click access webmail

To set up a forwarder (so emails sent to your website’s email account are forwarded to your main/preferred email account)

  1. Go to: cPanel >> in the mail section choose forwarders >> the rest is self-explanatory. NOTE: if you are testing to see if the forwarder is working, you will need to send your test email from a different email address than the one being forwarded to.  For example, this will work: you@hotmail.com sends an email to admin@yourwebsite.com, the email is then forwarded to you2@gmail.com.  The following will not work (the email will not be forwarded): you@gmail.com sends an email to admin@yourwebsite.com, which forwards it back to you@gmail.com.  I guess there’s a filter somewhere that won’t let an email that is sent out, bounce back to the same address.

14. Configure SG CachePress

Assuming you’re using SiteGround, you will notice that all the pages in your WordPress dashboard will have a note along the top saying: SG CachePress: Your site is not cached!. You will want to set this up so that your website loads faster.  This is a proprietary feature of SiteGround.  The plugin SG CachePress should come bundled with your WordPress installation, so you shouldn’t have to install it, but you will have to turn it on in your cPanel:

  1. Go to your cPanel and under the site improvement tools section select SuperCacher.
  2. Click the tab that says: Level 1 Static Cache
  3.  You can turn static cache on (or off) by clicking the on/off button. Note: I would probably wait until your website is built before turning the static cache on.  Otherwise, you will have to flush/renew the cache every time you want to see your updates.  Or wait an hour or two for the server to automatically update.
  4. Click the Level 2: Dynamic Cache tab
  5. Below where it says manage application cache click the on/off button to turn it on.
  6. Further below on the page, in the Google Page Speed section, click the On/Off button to turn it on.

15. Install your theme

Note: the following are instructions for installing the Avada Theme using a Windows PC.  Other themes and Mac systems will be similar enough for you to figure out what to do:

  1. Login into your WordPress account, go to: Dashboard >> Appearance >> Themes >> Add New button >> Upload a Theme button.  Now find the folder containing your Avada theme.  If you are using a PC, youll have to right click on this folder and choose extract all before you choose it.  Save the extracted files in the same folder.
  2. Now, in the folder you just extracted, find: Avada_Full_Package >> Avada_Theme >> Avada.  After you select the folder that says Avada, it should say Avada.zip beside the choose file button.  If it does, you’re all set and you can click the Install Now button.  Note: you need to use the .zip file, not the unzipped file, so don’t try to unzip it.
  3. When the install is complete, Go to: Dashboard >> Appearance >> Themes.  Find the Avada theme and click activate.
  4. If you are using Avada, you will now need to install a plugin called Fusion Core. If you’ve just completed the previous step, you’ll see a button that says Go Install Plugin, click that.  Otherwise, Go to: Dashboard: Avada >> click the go install plugin button >> Install

16. Set Up a Child Theme

First, decide if you want to use a child theme.  Using a child theme provides a way to modify your theme, without making changes to the original files.  If you attempt to modify your parent theme directly, then your changes may be lost when a new update for the theme comes out because the new updated theme will overwrite the old theme.  Making changes to the parent theme also creates the a risk of making your site unstable and is more difficult to undo if you have problems.

Most users (especially beginners) won’t need to use a child theme because they won’t be making manual changes to the original theme files.  Many custom changes to your website can be made by simply adjusting the settings in your theme.  Your theme will provide an interface with drop down menus that allows you to make these changes in a user friendly way, you generally don’t have to touch any code.  In some cases you may wish to make a change to your website that your theme does not provide a setting for.  You will most likely be able to make these changes by pasting in some custom CSS in: Dashboard >> Appearance >> Theme Options >> Custom CSS.  This is not overwritten by theme updates, so again, you won’t need to install a child theme if you’re just pasting some code into the custom CSS section.  For most people, this is all you’ll ever need to do, so a child theme is often unnecessary.  However, if you end up needing to modify the core theme files, and you think you will need to install a child theme, you can always add one.

To create a child theme if you are using Avada, you just repeat the process that you followed to install the original theme (see above), except select the Avada-Child-Theme.zip file instead of the Avada.zip file.  Don’t worry, you won’t overwrite the original parent theme when you install the child theme.  If you’re not using Avada or some other premium theme that supplies a child theme, then creating a child theme will be a little more difficult, but it’s still not hard.  You will just have to go into your cPanel and create a couple of folders and paste in a bit of code, I’ll leave that to you to Google search the instructions.

Once you install and activate a child theme with Avada then you will be able to see the two folders that it adds by going to: Dashboard >> Appearance >> Editor.  To the right of this screen, you’ll see a drop down menu where you can choose to view files related to the child theme, or the parent Avada theme.  There are two folders in the child theme:

  • Functions.php
  • Style.css

If you click on one of those files, you’ll be able to add some custom code, if you wish.


17. Register your Avada theme

Registering your Avada theme is necessary for you to get automatic updates and technical support.  It’s not well explained in their instructions, so I’ll write out the steps here:

  1. In the WordPress dashboard, click: Avada >> product registration.
  2. In the section where it says: Step 1: sign up for technical support, find where it says Click here and click it.
  3. It will take you to the Theme Fusion website (this is a parent company of Avada).
  4. Click the my account tab.  You’ll probably have to create an account here, mine was already set up because I’ve gone through these steps previously.
  5. Go to your email inbox and find the purchase conformation from Envato (the number of companies is a bit confusing, note that Envato is the market place where you bought your Avada theme, theme forest is part of Envato.  In that email, there should be a purchase code.  It’ll be long (about 30 characters with some dashes).  Copy the purchase code.
  6. Go back to your Theme Fusion page (that you just signed up for) and click the My Account tab. Find the second row of tabs, click purchase codes.  Paste the code in the spot that’s provided.  It should say congratulations.
  7. Now sign into your Envato account.  After loggin in, click on the Themeforest link
  8.  Find your username in the top right corner and hover over it. A drop down menu should appear, find settings and click it.
  9. Find the link that says API keys and click it (left side of the page)
  10. In the box below where it says: Generate another API Key, paste in your purchase code and click the button.  It will give you an API key and will also list your previous API keys if you have any.  The API key has 32 digits.
  11. Go back to your WordPress dashboard: Avada >> Product Registration.  Scroll down and paste in your Envato/Themeforest User Name, the purchase code and the API key.  You should get a message: Registration Complete!

18. Decide if You Want to Install the Full Demo

You can either: install a full demo, install pages one at a time, or build all pages from scratch.  When I built my first website, I started by installing a demo.  However, if you do that, you’ll have to delete a lot of stuff (library images, pages, posts, comments, etc.) and some settings may be made, which you don’t like.  The benefit is you’ll have demo content to work with, which is nice for a beginner because you get an idea of how things look when they are set up, but overall, I don’t think it’s worth it.  I recommend installing pages individually.  This is explained in the section on custom templates, further below.  If you’d rather install a full demo, here are the instructions:

  1. Choose from the available Avada demo websites and pages here.  To see demo content, hover over home, or pages from the main menu along the top.
  2. To install a full demo website, go to: Dashboard >> Avada >> Install Demos.  Choose a demo that you like and install it.  Note: in Avada, you may get a warning that you need to install certain plugins first, in order for the related demo content to install.  To install plugins, follow the links (if given), or do it manually: Dashboard >> Plugins >> Add new >> type the name of the plugin of interest and click “search”.
  3. After you install the plugin, make sure you click activate plugin.  If you didn’t activate it, just go back to: WordPress Dashboard >> Plugins >> Installed Plugins, then find it and click activate.
  4. Now if you open a separate window in your browser and go to your website, you’ll see what your website looks like with all the Avada demo content.

19. Set up Auto Updates

There are 3 separate things that need regular updating: the Avada theme, WordPress and plugins.  You will be notified in your WordPress dashboard when updates are ready.  To get to the updates section go to: Dashboard >> hover over dashboard >> updates.  You can manually check for and install updates, but I prefer to have things update automatically.  Unfortunately, you can not set the Avada theme to auto update, but you can set it to notify you when an update is ready.  You can set WordPress and plugins to auto update:

  1. To set WordPress and plugins to update automatically: Go to your cPanel >> find the WordPress tools section click WP Auto Update (I’m assuming you’re using SiteGround) >> make sure the status says Enabled and the Update Plugins dropdown says Yes. It should be set to auto update by default.
  2. Set Avada to automatically update: It does not appear to me that you can set your Avada theme to update automatically, so you’ll have to log in to your WordPress dashboard from time to time to check for updates.  However, you can set Avada to send a notice to your WordPress dashboard when a new update is ready, using the automatic theme updater (Note: this only puts a notification on your WordPress Dashbord, it does not actually perform the update).  Note that the auto notification that an update is ready will happen automatically once you register your Avada theme (as you did in a previous step).  To see if you have a theme update ready, go to: Dashboard >> updates.  Now just select the theme update and click update.

20. Setting Backups for Your website

Note: SiteGround automatically backs up your website for you by default.  You can turn the auto backups off (if you’re crazy) but the default should be set to back up your site daily.  You can check this by going here: Login to SiteGround >> My Accounts tab >> extra services tab >> then beside where it says Basic backup service, it should say: Status Active.  Here are some more questions about backups from SiteGround’s FAQ that you may be wondering:

  • How often does SiteGround backup my site? Is it daily?
    • Yes, the backup is daily.  There are 30 backup copies on the shared servers – a copy for each day, for 30 days back.  There are 7 copies for the Cloud accounts (for 7 days back).
  • What types of things are backed up? Are plugins, themes backed up as well? What are considered to be account files?
    • All files within your account are being backed up.
  • Does everyone receive the backup service or is it only available for some plans?
    • We backup all our accounts

21. Additional Backups

If you want an additional backup copy, you can install a plugin, I recommend the UpdraftPlus backup plugin, it is the highest rated and has the most installs. It has a free version, which is all you need to start.  It also has paid upgrade options – this is good because it means the developers are likely to continue to maintain this plugin.  Here is the UpDraftPlus plugin.

  1. Go to: Dashboard >> Plugins >> Add New. Search for UpdraftPlus.  Install it.  Wait for it to say successfully installed.  Click Activate.
  2. You can access the plugin settings in 2 ways:
    1. Dashboard >> Settings >> UpdraftPlus Backups
    2. Dashboard >> Plugins >> Installed plugins. Click settings option under UpdraftPlus
  3. Once you are in the plugin settings, go to: Settings tab >> Set the files and database backup schedule (I chose weekly, but it’s up to you)
  4. Choose the place you will store your backups. Note there are several options with pros and cons.  Dropbox seems to be the simplest of the options and it’s free. There are other free options.  You’ll have to sign up for a free Dropbox account if you don’t already have one and you’ll have to install the dropbox software on your computer.  To use Dropbox:
    1. Go to the Dropbox website and install Dropbox on your computer and activate your account (by clicking the link they send to your email)
    2. Go back to the UpdraftPlus settings page in WordPress.  Continue selecting the options you want – I left all the defaults and just clicked the box to send basic reports to my admin email.
    3. Click save changes at the bottom of the page.
    4. Go back to the top of the page and click the link to authenticate your dropbox account.
    5. After authenticating your dropbox account, the first backup will initiate.  You can do a manual backup at any time by going to the plugin settings: Dashboard >> Settings >> UpdraftPlus Backups, and choose backup now.

22. My other plugins

  1. Collapse-O-matic: Lets readers expand (or collapse) a section of text by clicking on the text. There is an expand text option in the Avada builder elements that is also good.  This one just has a little bit different look.
  2. Contact Form 7: Lets you insert a contact form for visitors to fill out if they want to send you an email.  Note: this seems to be the preferred plugin for contact forms, but it is a pain to configure and get the hang of.  This This website shows how to fix configurations when you are getting error messages.
  3. Loginizer: Limits the number of login attempts that can be made per day in order to prevent brute force attacks from hackers trying to guess your password.
  4. TinyMCE Advanced: Adds functionality to the default WordPress text editor, such as allowing you to change the text size and text colour.  This is a necessary plugin in my opinion, as there is a surprising lack of funtionality in the default WordPress editor.
  5. UpdraftPlus: Let’s you set up free (or paid) automatic backups
  6. WooCommerce: Platform for eCommerce
  7. Zopim Live Chat: Put’s a little chat window on your webpage so visitors can chat with you, or send you an email.

23. Configure Your Permalinks

If you are going to write a blog and you want the URL of the blog post to look a certain way:

  1. Go to Dashboard >> settings >> permalinks:
  2. Change to your preferred setting.

24. Install TinyMCE

This plugin is necessary in my opinion, so I’ll mention the installation here.  Note that TinyMCE adds some very useful features, like changing text color.  For some reason (mysterious to me) this is not an option in the default WordPress text editor.  Go to: Dashboard >> Plugins >> Add new >> type TinyMCE into the search bar >> The rest is fairly self-explanatory.  You’ll have to configure this plugin to provide the features of interest in the WordPress editor.  To do this, go to: Dashboard >> Settings >> TinyMCE Advanced.  There will be a section at the bottom that says “Unused Icons”.  Drag the icons that you want to appear in your editor, into the window above.


25. Adjust the General Settings

Go to: Dashboard >> Settings >> General. Fill out your preferences (Time Zone, language, etc.)


26. Create a Site Title and Tagline

Go To: Dashboard >> Appearance >> Customize >> Site Identity

or Go To: Dashboard >> Settings >> General

Enter a site title for you website and a tagline, then click: “Save and Publish”.  This is what I used for this website:
Site Title: Web Design Guelph
Tagline: Learn to Build a WordPress Website

You can find more information on how to choose a site title and tagline here.


27. A Note on Options to Add Content

To start adding content to your website, you have several options:

  1. Do everything manually in WordPress: this will take some learning and I wouldn’t recommend it for beginners unless you’re just planning to add mostly text and a few pictures and you’re not very concerned about layout and or having any fancy design elements.
  2. Use SiteGround’s Page builder (I don’t recommend it): This page builder is a version of Weebly, which is supposed to be easy to use.  I tried it and hated it.  Also, in order to get some of the desirable features, you’ll have to upgrade and pay a monthly fee, and it’s quite expensive.  Note also that once you publish anything with Weebly you’re stuck with it, unless you delete your whole website and start again.  I had to do this.  Here is how you delete a website:
    1. To uninstall WordPress: Go to cPanel >> under the Autoinstallers section, find Softalicious and click it >> In the top right corner there is a wooden box icon, when you hover over it, it says all installations, click it >> Chose the domain you want to remove and click the red X. Then delete it.
  3. Buy the Avada Theme and use their Fusion builder: This is the option I recommend for beginners. It’s fairly easy to use and you can customize to almost any look you want.
  4. Pay for a 3rd party builder, such as Beaver Builder: I haven’t tried Beaver Builder, but the reviews are good.

28. Make your First Page

The first step, before adding content is to generate a new page.   This will be your landing page, we will call it HOME:

  1. Go to: Dashboard >> Pages >> Add new button.
  2. Write HOME in the empty bar along the top.  Note: decide if you want capital letters or lower case.  What you write here is what will appear in your main navigation menu, when you add this page to the main menu.  The navigation menu is also called a nav bar.  It refers to the drop down menu that’s usually found across the top of webpages (or sometimes along the side of the page).
  3. Just below where you wrote “HOME”, there are buttons for “Default Editor” or “Fusion Builder”.  Make sure Default Editor is selected (we’ll use the Fusion Builder soon).
  4.  The big empty box below is the editor, just write content coming soon for now.
  5. In the page attributes section in the side panel at the right, choose 100% width from the drop down menu.
  6. Click the publish button
  7. Go to: Dashboard >> Appearance >> Menus.  Where it says: Menu Name, write Main Menu, then click the Create Menu button
  8.  In the box at the left called Pages, you will see the HOME page you just made. Select it and click the Add to Menu button.  Now click the Save Menu button.
  9. Click Publish
  10. Now, while still in Dashboard >> Appearance >> Menus: Find that tab at the top that says Manage Locations. Beside where it says Main Navigation, select Main Menu from the drop down menu.
  11. Click save changes.
  12. Go to: Dashboard >> Settings >> Reading:
  13.  Beside where it says: Front Page Displays, choose: a static page, then select HOME as your Front Page.

29. Add Content Using the Fusion Builder

NOTE: Avada has released a new version of their Fusion Builder.  It has many improvements, including some changes to the user interface.  I have stripped out my old instructions whihc are outdated, but this leaves it up to you to figure some stuff out.  Don’t worry, the Fusion Builder is pretty intuitive.

  1. Go to: Dashboard >> Pages >> All Pages. Select a page of interest.
  2. Near the top of the page, there will be buttons for you to select between the “Fusion Builder” and the Default Editor.  If you are just planning to write a bit of text without any images, video, buttons, flip boxes, etc. and you don’t have any specific page layout needs, then you could just use the default editor.  Note that if you installed and activated TinyMCE, you will now have additional functionality in this editor.  If you want to add formatting, such as: separating the page into columns and rows, adding different backgrounds colors, adding images, parallax scrolling, etc. you’ll need the fusion builder. To activate the fusion builder, click the button that says “Fusion Builder” near the top of the page.

Add a container, then when you hover over a container, you will see 4 symbols.  The pen symbol allows you to adjust the properties of that container (things like background image and border size, etc.).  The  second symbol is a clone tool, if you click it, it will put a copy of that container immediately below.  The third symbol is a save button which allows you to save the formatting of the container, so you can easily use it again.  The fourth and last symbol is a trash can, this lets you delete the container (and it’s contents).

If you add a new text box to your container, then hover over it, you’ll see a pen icon.  Click it and the editor will pop up and you can start writing text.  The features under the pen icon will vary according to the type of builder element you have added.  For example, if you add the Maps builder element, a map will appear and you can adjust the map settings.  For example, map settings include the region the map will show and where the pin is located.  Here is a list of what all the Avada builder elements look like.


30. Configure the Footer

The footer is the section along the bottom of each of your pages and posts.  It typically has a copyright statement, contact information, a site map, a link to your privacy policy, etc.  It is totally up to you what you put in your footer.

Configure the Footer Settings

To select the desired settings for the footer, go to: Dashboard >> Appearance >> Theme Options >> Footer.  Adjust the settings as you wish.  Note: An important setting is: Number of Footer Columns.   This setting determines the number of columns that your footer will be divided into.  The default is set to 4 columns.  When you add content to the footer (explained below), you’ll be able to configure separate widget sections and each widget section you create will correspond to one of the 4 footer columns.

Add Content to the Footer

To add content to the footer, you’ll have to configure the footer widget.  Go to: Dashboard >> Appearance >> Widgets.  You should see a section that has 4 footer widgets already started, they will all be empty.  Note if you changed the default setting in the previous step to something other than 4, then that’s how many empty footer widgets youll see here.  These 4 footer widgets correspond to the default 4 footer columns.  For example, the content you add to footer widget 1 will appear in column 1 of your footer.

In order to add content to the widget, click and drag one of the Available Widgets from the left side of the screen into one of the footer widget sections.  After you drag the widget into one of the footer sections, you can click on it and adjust the various settings.

Note: let’s say you drag the horizontal menu widget into Footer Widget 2.  This will result in your menu of choice (often people select the main navigation menu) being placed into column 2 of your footer.  In this example, a list of all of your website’s pages will now appear in the footer of each page of your website.


31. Install and Verify Google Search Console

Google Search Console is a tool that allows you to optimize the visibility of your website, see what keyword searches you’re ranking for, remove spam links to your site (that may negatively impact your Google rank), create a site map and many other things.  See the Wikipedia entry on Google Search Console here.

In order to use Google Search Console, you need to create an account and verify that you own your website.  To do this, follow the instructions on how to add your website to the google search console here:

Once you have verified your account, make sure the 3 possible versions of your URL are also verified:

www.yourwebsite.com

https://yourwebsite.com (or use http:// if you’re not using https encryption)

yourwebsite.com (without https or www.)


32. Check that Your Website is Indexed by Google

Open your web browser and type site: followed by the name of your website (without https), like this: site:example.com.  It will bring up a list of all the pages of your website that Google has indexed.  If your site does not appear, it may be that Google hasn’t found it yet, or it is in violation of Google’s webmaster guidelines.  Information on how to submit your website to Google and their webmaster guidelines can be found here.


33. Important Tools for Researching your Website 

Here is a list of tools that you will want to know about:

  1. Google Trends: Learn what is currently trending and view changes in relative search volume over time for your keywords of interest
  2. Google AdWords: Set up a Google advertising campaign and view statistics.  Note: even if you aren’t planning to advertise on Google, AdWords is an important resource, especially the keyword planner tool.  You will have to sign up and provide a credit card number to get an account, but you won’t be billed unless you set up an advertising campaign.
  3. Google Analytics: If you have installed Google Analytics on your website, you can investigate search volume reports of the keywords of interest and learn about who is visiting your site and how they are interacting with it.
  4. Google Search Console: This is a must-have resource. It allows you to optimize the visibility of your website with Google and has many tools, for example, you can see the keywords that Google has ranked you for.
  5. Tools used to investigate your competitors: You can learn about your own web traffic as well as your competitors. See Google rankings, backlinks, etc.  Here are a few examples, note: most of these have some free features and paid upgrade options.
    1. SEMrush
    2. MAJESTIC
    3. MOZ
    4. SpyFu
    5. SpyOnWeb

34. SEO Plugins

You will probably want to install a plugin to help you set up your site and view statistics on your visitors.  Some of the features of these tools may be more user friendly than the products from Google (Analytics, etc.), mentioned above.  I have not used these plugins yet, but the following are the most popular, there are many others:

  1. All in One SEO Pack
  2. Yoast SEO
  3. Jetpack

35. Cloudflare: Optional Security and Performance Enhancement

Cloudflare provides a service that can enhance your website’s security and improve your page’s loading speed significantly.  There are paid upgrade features available, but the free option will be all you need in most cases.  There are two ways to set it up:

  1. If you are using SiteGround for web hosting, I recommend you sign up through your cPanel account.  Just log in and under the “Site Improvement Tools” section, find the Cloudflare logo.  Double click  on that and follow the instructions, its very easy because SiteGround and Cloudflare are partners.
  2. Go to the Cloudflare website, click sign up and follow the instructions.  This is very easy as well.

In addition to security and speed enhancements, Cloudflare allows you to create “Access Rules” under the “Firewall” section of your Cloudflare dashboard, which may be desirable in some cases (see below).

There does not appear to be any downside to using CloudFlare and I recommend it for most users!

A note on the importance of securing your website:

Paying attention to maintaining your website’s security is not an optional activity when running a website.  Even if you just have a small website, with only a few visitors, you will still likely be targeted by hackers.  Starting within about a month of operating this website, I have had ongoing brute force password hack attempts, from somewhere in the Ukraine and the Russian Federation.  If I had not set up my Loginizer plugin to limit login attempts and notify me, a computer bot would have kept on attempting to guess my password until it got it right and I would not have known.  Furthermore, if you study your website’s user logs, you may find that a surprising percentage of visitors come from the Ukraine, China and Russia.  These visitors may be trying to hack your website and in doing so, they can consume a significant amount of bandwidth.  Blog spammers also tend to come from China and Russia.  This is a lose-lose situation.

You may have content that is only relevant to users in a specific country, or region, however, unfortunately, there is no easy way allow only certain countries access to your website (edit – the paid version of the WordPress plugin Wordfence apparently lets you do this.  The downside is it will probably slow down your website to all visitors as the plugin checks through a long list of IPs to make sure that each visitor’s IP is not blacklisted.  I’m only guessing, but I presume this is the case).  You can block specific IP addresses, but the hackers will just change them.  You can block regions and countries, but it is technically difficult, will slow your computer down, and hackers can use VPNs to circumvent this.  Cloudflare will help a lot to improve your website’s security by tracking and blocking a lot of the nefarious activity.  Here is a good post on how to block entire countries from accessing your website, the difficulties with it and a discussion of Cloudflare.

https://www.sitepoint.com/how-to-block-entire-countries-from-accessing-website/


36. How to Use Cloudflare to Block a Brute Force Attack

Here’s what I did, these things didn’t do anything to slow down the brute force attack, but they are supposed to work, so I thought I’d share them.  Cloudflare has an “I’m under attack mode” that’s supposed to validate browsers that visit your site.  Apparently when this mode is turned on, visitors will have to wait a few seconds for the validation process for the first page they visit on your site.  In order to turn this option on, do the following:

  1. Log into your Cloudflare account
  2. In the main page, you should have the overview tab selected.  Beside status, simply change the drop down menu to: “I’m under attack”

This will increase page load times for all your visitors (the 1st page they load).  In order to circumvent this wait time, you can limit the “I’m under attack” mode to only be active on the log in page.  To do this, do the following:

1. Log into Cloudflare
2. Go to the page rules tab
3. Click “create page rule”
4. In the box where it says: “If URL Matches”, type in your website’s login URL, for example: https://mywebsite/wp-admin.  You will probably be best to use the asterisk option format like this: *.mywebsite/wp-admin*
5. Then click “add a setting”
6. Then from the drop down menu, click: “Security Level”
7. Then in the dropdown menu beside it, choose: “I’m under attack”
8. Click: “Save and Deploy”

Note: you can also add additional security to force certain countries that are accessing your website to have to go through a CAPTCHA step.  Here’s how you do this:

  1. Log into Cloudflare
  2. Go to the Firewall section
  3. Below where it has the dropdown menu for: “security level”, you’ll see a section for: “access rules”, type in the name of the country where the attack is coming from and in the dropdown menu, select: captcha.
  4. Note: you can find the name of the country where the attack is coming from by Google searching the IP address that is trying to hack your website.  Just paste the IP address in Google and you’ll be able to find information about it what country it is in.  There are two easy ways to find the IP address of the attacker:
    1. If you have Logonizer installed, go to WordPress Dashboard >> hover over Logonizer >> select brute force and you’ll see a list of the latest IP addresses that accessed your login page and failed to enter the correct password.
    2. Log into SiteGround (or your web hosting company) and go to cPanel >> Scroll to the visitor Stats section >> Click the error Log icon.

37. How to Use htaccess to Block a Brute Force Attack

As I mentioned above, the Cloudflare strategy did not seem to prevent the brute force attack as I continued to get hammered with login attempts from my Ukranian friends.  The next thing I tried was using two htaccess strategies.  These limit the ability for people to access the WordPress login page, except those coming from IP addresses that have been permitted.  So all IPs are blocked from your login page, except those that you have allowed.  There are ways around everything, but this is one of the most effective ways to block brute force attacks from anywhere in the world because it makes it harder for hackers to attempt to log into your WordPress website, but note, it is still not impossible for them to do so.  Also, these strategies do not consume resources like some of the other strategies because hackers are blocked before they even access your login page.  These strategies are also very easy to implement.  The only downside is anytime you want to work on your WordPress website from somewhere other than your usual IP addresses, you’ll have to log into cPanel and add that IP address to your htaccess file.  Here’s the steps to implement this strategy:

Option 1: Deny,Allow

  1. Log into cPanel
  2. On the main page, with all the options, find the files section
  3. Click the file manager icon
  4. Navigate to: public_html >> yourwebsite.com >> wp-admin
  5. Find the file that says: htaccess
  6. Right click on that file and select: edit
  7. Select ok to the default options
  8. The htaccess file will now open in new tab
  9. The file should be blank, but regardless, write the following at the very top of the page, then click save.  Note: replace 123 with the IP addresses that you want to allow, see my other notes below.

order deny,allow
deny from all
allow from 123.123.123.123
allow from 123.123.123.123

Note 1: fill in the 123 with the values for your IP address. You can find your IP address with a google search, just search for: “what’s my IP address”. You may get a result that looks like this: 1234:fea3:2303:9fe:y009:4ef2:2353:1238. This is not what you want, you’ll need it in a format that looks something like this: 123. 123. 123.123
Note 2: you will have to add a new IP address to this htaccess file anytime you try to log into your WordPress dashboard from a new location because your IP address will be different
Note 3: Your IP address can and will change, even at your home location. For example, if you restart your modem, your IP address will change. In this case you’ll have to modify your htaccess file to include the new IP address
Note 4: There are 3 htaccess files, as follows, be careful which you modify:
1. Home >> Public_html >> htaccess
2. Home >> Public_html >> mywebsite >> htaccess
3. Home >> Public_html >> mywebsite >> wp-admin >> htaccess

If you select the wrong htaccess file (for example, the one that is found one level up in the folder for your website: public_html >> yourwebsite.com then you will block all visitors to your whole website (not just your login page). Make sure you modify the htaccess folder that is in the wp-admin folder.

Option 2: Create an htaccess rule – This one worked finally worked to stop the brute force attack.  

Here’s what to do:

  1. Log into cPanel >> Select the File Manager Icon >> Navigate through files at the left of the screen to find the htaccess file of interest, here’s the path: Home >> public_html >> yourwebsite >> wp-admin  
  2. Right click on the htaccess folder and select edit
  3. Paste the following code at the bottom of the file, below everything else.  Note that you will need to fill in your IPs where you see the 1’s and two’s in red.  These are the IPs that you want to give permission to access your wp-admin login page (use your home and / or work IPs and any other IPs you want).  When you’re done, click save.
<IfModule mod_rewrite.c>

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^12.123.12.12
RewriteCond %{REMOTE_ADDR} !^22.222.22.22
RewriteRule ^(.*)$ – [R=403,L]

</IfModule>

38. How to Block a Brute Force Attack By Disabling XML-RPC

XML-RPC is a protocol necessary for something called pingbacks.  Pingbacks are comments that are automatically created when one person creates a link in their blog post to another person’s blog post.  The blog post that was linked will have a comment appear in their comments section.  Do a Google search for: “pingback” to learn more.  Most people prefer to have pingbacks enabled, but some don’t, for reasons other than security.  If you think you can live without pingbacks, then blocking them will close another door that hackers can use to try to get into your website.  Pingbacks are automatically enabled in WordPress and the option to block them through the WordPress admin panel was removed some time ago.  You will need to use a plugin to disable them.  The plugin is called Disable XML-RPC.  The plugin is simple to use; install and activate it and pingbacks will be blocked, deactivate the plugin and pingbacks will be allowed again.  I have not tried this, but it will be my next strategy if the login attempts continue.  Note that I also put this in the list of plugins that can be used to block brute force attacks (see below), but I also included it here as a separate entry because it does different things than those plugins.


39. How to use Password Protect in cPanel to Block Brute Force Attacks

This strategy also did not work, but I’m including it as it may work for you.  Do the following:

  1. Go to cPanel >> Security section >> Click Password Protect Directories >> select your website and click “go” >> select the wp-admin folder >> you can add a user, or modify existing password here.
  2. When you log into your WordPress dashboard, a small window should pop up and ask you for the additional log in information.  This apparently stops the login attempts before the user reaches your wp-admin page.

40. List of WordPress Plugins for Blocking a Brute Force Attack

I have not tested any of these and this is far from a comprehensive list, but here are a few you might want to try:

  1. Wordfence
  2. WP fail2ban
  3. iThemes Security (formerly Better WP Security)
  4. WPS Hide Login
  5. Unauthorised Login Redirect
  6.  Disable XML-RPC

41. How to Block Individual IP addresses from Accessing Your Website

When I experienced my first brute force attack, all the login attempts came from  the same IP address.  I therefore just blocked that IP address from accessing my website and I’ll explain how to do that below.  However it is only a matter of time before a more sophisticated hacker comes along and uses multiple and ever changing IP addresses to access your site.  Therefore, I recommend setting up Cloudflare and htaccess rules as described above for anyone with a WordPress website.  That notwithstanding, here’s how you can block individual IP addresses from viewing or attempting to log into your website.  There are two ways:

1. Block IP addresses through cPanel: 

  1. Log into your cPanel with SiteGround (or whatever web hosting company you use, note, some web hosting companies don’t use cPanel)
  2. Scroll down to the Security section
  3. Select: IP Deny Manager
  4. Paste the IP address that you want to block into the box and click add.  Note, you can also block a range of IP addresses, however, that’s not usually useful because similar IPs don’t necessarily have a similar geographical location.
  5. Note: in order to find the IP addresses that have tried to access your site and been blocked, go to the visitor stats section of cPanel and click the Error Log icon.  You can also see a list of the latest IP addresses to try to log into your website using the Logonizer plugin (see below)

Block IP addresses through Logonizer

  1. Assuming you have already installed the Loginizer plugin: Log into WordPress and go to Dashboard >> hover over Logonizer Security >> select Brute Force.  You will see a list of the IP addresses that have tried to access your website and the count of the number of times that the failed and were locked out.
  2. Scroll down and you will see an option to blacklist certain IPs, or a range of IP addresses.
By |2018-10-09T01:22:42+00:00July 13th, 2016|web design, WordPress|1 Comment

About the Author:

One Comment

  1. […] certificate because that is done for you.  However, if you follow the instructions in my post: Instructions for Building a WordPress Website using WordPress.org, you’ll find that it’s not hard at all to install WordPress.  Furthermore, since you […]

Leave A Comment