If you’ve decided to work with your own WordPress installation, rather than WordPress.com, there are some simple plugins and steps it would be wise to take care of.
I’m going to focus on the few plugins you’ll actually need (and that will probably end up in a version of WordPress some day, but at the moment they aren’t). These suggestions tend to be (a) simple and (b) extremely stable. They’re least likely of most comparable plugin selections to break on WordPress upgrades due to their very direct (yet adequate) approaches to the jobs they do.
Note: This article isn’t for WordPress.com users, since WordPress.com has fixed plugins.
This is the simplest and least problematic of the various WordPress backup plugins out there. It’s never gone wrong for me and has never eaten up all the space at my hosting provider, and it always reliably emails me an archive of the backup to GMail, thus giving me a reliably backed up list of archives. ((And with GMail filters, I can just reroute them into a folder and have them skip the inbox, although I like simply seeing them in my inbox and manually archiving them myself, just to make sure that a backup was made at all.))
While WP-DBManager is limited to a backup of the database, and doesn’t include all your WordPress files (such as plugin files or theme files), nevertheless this is the most important part of backing up, since plugins can be reinstalled but plugin settings, which are part of your database, will already be saved.
You’ll find its settings in its own Database menu item (not part of the normal Settings group).
You’re most interested in the DB Options sub-menu item.
On the DB Options page, the default settings for Paths is likely good, because most hosting providers provide sane default paths for the various executables, and the plugin will create directories it needs.
At the bottom of the DB Options page is the Automatic Scheduling section. You’re most interested in the frequency of automated backups (I suggest: Every 1 days, GZip yes) and the email address to send them to.
Simple Feed Copyright
This results in a copyright notice being added to each entry in your RSS feed. It’s hardcoded to say “Copyright © [current year] [Blog name]”, which is usually enough. It has no options to configure, and pretty much just works.
This will harden your WordPress installation somewhat, provide you with a few suggestions, and also can add a token for a WordPress scanner to scan your installation and add even more suggestions, although the latter currently requires you to edit your theme file’s header.php.
Its settings are available under the Settings menu, with menu item name “Secure WP”.
Its directions are very clear, which is nice. My suggestions for ticked items are below.
This helps fight brute-force password crackers that rely on error messages to tell whether they’ve gotten in or not, and whether it’s the user name or the password that’s wrong.
- WordPress Version
Many WordPress attacks look for specific WordPress versions in order to efficiently apply their cracking/hacking. This hides your WordPress version, providing it as simply a random number—by default, the version of your installation appears both in your blog’s HTML code AND in your RSS feed. “Not in admin” simply means that there isn’t a way to turn it off in the normal admin section of a WordPress blog.
Hides what plugins you’re specifically using from attackers. Again, helps prevent targeted attacks.
- Really Simple Discovery
WordPress inserts extra information, by default, into the HTML of your blog, so that external blogging tools (MarsEdit, Ecto, Windows Live Writer, ScribeFire, etc) can determine your blog type.
If you’re not using these tools, check the box to turn to turn this off. (I use these tools right now, so it’s not off for me.)
- Windows Live Writer
Windows Live Writer likes a special link that WordPress automatically generates, which allows it to know how to access your blog so that it can, for instance, add new posts, edit categories, delete posts, etc.
If you’re not using Windows Live Writer, check the box to turn this off.
- Core Update, Plugin Update, Theme Update
For non-admin users, turns off access to these pretty much admin-level features. Really only useful if you have non-admin accounts for some reason.
- WP Scanner
Allows you to temporarily add information to your blog, if you edit your theme, so that the wpscan tool has permission to scan your blog and find exploits.
General Headers and Footers
Once installed, settings are available under Settings &rarrow; General Header, even though it does both headers and footers.
With this plugin installed, your iPhone visitors (and, I think Android) will have a very nice, iPhone-orientated interface to your website. Given that the iPhone can save bookmarks to the Home Screen as app-like items, this more or less eliminates the need for an iPhone app specific to your web serial. ((A nasty detail of the iPhone App Store is that it randomly censors applications that can display naughty words. An iPhone-friendly website view, on the other hand, avoids the App Store. This is the main reason why there are so many ebook reading apps in the App Store that are hard-coded for specific books, with words censored as appropriate.))
The options are long, but very simple and illustrated and explained (!) which is something of a rarity in the WordPress plugin world.
I suggest adding an icon of your own, and selecting particular pages for the iPhone readers to see (they all default to off), and then the rest generally takes care of itself automatically.
While WPTouch is generally very stable, and the plugin authors handle upgrades relatively well for a complex plugin, it’s less stable than the rest. But I think it’s nice enough for a mention as a very-nice-to-have plugin for a web serial.