This checklist establishes the initial user role configuration and applies basic security‑related WordPress settings immediately after baseline core setup.
Its purpose is to ensure administrative access is intentional, identifiable, and that default WordPress behaviors do not introduce unnecessary risk.
Checklist Objective
Confirm administrator identity, limit user access, and apply baseline security‑related settings before installing plugins.
Scope Boundary
This checklist covers:
- Administrator account verification
- Removal or restriction of unintended users
- Comment and discussion security settings
- Basic admin‑level hygiene
This checklist does not cover:
- Advanced security plugins or hardening
- Firewall or server‑level security
- Custom role creation
- SEO or content permissions
Checklist Steps — User Roles & Security Basics
1. Log in as primary administrator
- Log in to WP‑Admin using the primary admin account
- Confirm this account is intended to be the long‑term administrator
2. Dismiss non‑critical admin notices
- Dismiss welcome banners and notices as desired
- Do not install suggested plugins or themes
3. Users → All Users
- Review the list of existing users
- Confirm only intended administrator accounts exist
- If unexpected users are present:
  - Remove them or reduce privileges appropriately
4. Verify administrator identity fields (EEAT)
- Navigate to Users → Profile
- Confirm the following values:
  - First Name: Site
  - Last Name: Admin
  - Nickname: Site Admin
  - Display name publicly as: Site Admin
- Confirm the admin email address is correct
- Tap Update Profile if changes are made
5. Settings → Discussion (security review)
- Allow people to submit comments: unchecked
- If comments are intentionally enabled later, confirm at minimum:
- Comment author must fill out name and email
- Comment must be manually approved
- Comment cookies allowed
- Break comments into pages: enabled
- Top level comments per page: 5
- Comments page to display by default: last page
- Tap Save Changes
6. Verify search engine visibility (sanity check)
- Navigate to Settings → Reading
- Confirm “Discourage search engines from indexing this site” remains checked
- Tap Save Changes only if modified
7. Log out and re‑log in
- Log out of WP‑Admin
- Log back in as administrator
- Confirm no access or permission issues appear
Required Output
- Administrator account verified and stable
- No unintended users with elevated access
- Public display name configured correctly
- Comment system secured or intentionally disabled
- Baseline admin security posture confirmed
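The settings from steps 3, 5 and 6 can also be checked from the command line. The script below is an added example, not part of the original checklist; it assumes WP-CLI (`wp`) is installed and run from the site root. The option names are WordPress core option keys, and their mapping to the checkboxes is an assumption of this example ("unchecked" comments are stored as `closed`, "last page" as `newest`, a checked "Discourage search engines" box as `blog_public=0`).

```bash
#!/bin/sh
# Added example, not part of the original checklist. Option names are WordPress
# core wp_options keys; mapping them to the checkboxes above is an assumption.
BASELINE='default_comment_status=closed
require_name_email=1
comment_moderation=1
show_comments_cookies_opt_in=1
page_comments=1
comments_per_page=5
default_comments_page=newest
blog_public=0'

# Reads "name=value" lines on stdin, prints one MISSING/DRIFT line per
# deviation from BASELINE, and returns non-zero if any deviation was found.
audit_options() {
  local actual line name want got rc=0
  actual=$(cat)
  while IFS= read -r line; do
    name=${line%%=*}; want=${line#*=}
    if ! got=$(printf '%s\n' "$actual" | grep -m1 "^${name}="); then
      echo "MISSING ${name} (want ${want})"; rc=1
    elif [ "${got#*=}" != "$want" ]; then
      echo "DRIFT ${name}: got ${got#*=}, want ${want}"; rc=1
    fi
  done <<EOF
$BASELINE
EOF
  return "$rc"
}

# Reads administrator logins (one per line) on stdin and prints those that
# are not in the space-separated allow-list passed as $1.
unexpected_admins() {
  local allowed=" $1 " login
  while IFS= read -r login; do
    case "$allowed" in *" $login "*) ;; *) echo "$login" ;; esac
  done
}

# Live collection through WP-CLI (assumed installed; run from the site root).
collect_options() {
  printf '%s\n' "$BASELINE" | cut -d= -f1 | while IFS= read -r name; do
    printf '%s=%s\n' "$name" "$(wp option get "$name" 2>/dev/null </dev/null)"
  done
}
collect_admins() { wp user list --role=administrator --field=user_login; }

# Usage ("siteadmin" is a placeholder login):
#   collect_options | audit_options
#   collect_admins | unexpected_admins "siteadmin"
```

An empty result from both commands means the site matches the checklist values; any administrator login printed by the second command should be reviewed under step 3.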
Pause & Lock
User roles and basic security settings are now locked. Do not install plugins until proceeding to the next checklist.
Proceed to: WordPress Setup 03 — Plugin Installation Baseline

