The WordPress Developer Setup Checklist for 2026 (With Free Tools for Each Step)
If you've been building WordPress sites professionally for more than 12 years, you already know the frustration.
Every new project starts with the same setup ritual: writing wp-config.php from scratch, figuring out the right .htaccess rules for this particular hosting environment, setting security headers, configuring your server block, building out Custom Post Types. You've done it all before — dozens of times — yet somehow it still eats the first half of your project day.
The tasks aren't hard. They're just repetitive, error-prone, and scattered across documentation pages, Stack Overflow answers, and browser bookmarks you last updated in 2022.
After years in the web hosting industry — running FyreHost and AwakeHost, where I've watched thousands of WordPress deployments — I got tired of the fragmentation. So I built FyrePress: a free, browser-based toolkit of 130+ tools purpose-built for the WordPress developer workflow.
This post is the setup checklist I wish existed when I started. Each step pairs with a free tool that eliminates the manual work.
1. Build your wp-config.php properly from the start
Most developers hand-write wp-config.php or copy it from a previous project. Both approaches lead to the same problem: missing constants, stale security keys, and debug settings left enabled in production.
A production-ready wp-config.php should cover:
Database credentials and table prefix
Authentication keys and salts (regenerated fresh for each project)
Debug configuration (WP_DEBUG, WP_DEBUG_LOG, SCRIPT_DEBUG)
Memory limits (WP_MEMORY_LIMIT, WP_MAX_MEMORY_LIMIT)
File editor and file modification locks (DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS)
SSL enforcement (FORCE_SSL_ADMIN)
Auto-update policy (WP_AUTO_UPDATE_CORE)
Cron configuration (DISABLE_WP_CRON when using server-side cron)
Post revisions (WP_POST_REVISIONS)
Trash interval (EMPTY_TRASH_DAYS)
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', false );
define( 'WP_MEMORY_LIMIT', '256M' );
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
define( 'DISABLE_WP_CRON', true );
define( 'WP_POST_REVISIONS', 5 );
Tool: wp-config.php Builder on FyrePress — 60+ configurable options, outputs a complete, environment-specific file. Your credentials never leave your browser.
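The three failure modes named above (missing constants, stale security keys, debug left on) can be checked mechanically before a deploy. This is an added example, not code from FyrePress or WordPress; the function names and the sample config are constructed for illustration, and the placeholder string is the one shipped in wp-config-sample.php.

```python
import re

# define( 'NAME', 'quoted' | "quoted" | bare ); quoted values may contain ")" or ";".
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*"""
    r"""(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|([^)]*?))\s*\)\s*;""")

MUST_BE_OFF = ["WP_DEBUG", "WP_DEBUG_LOG", "SCRIPT_DEBUG"]  # unset counts as off
MUST_BE_ON = ["DISALLOW_FILE_EDIT", "FORCE_SSL_ADMIN"]      # unset is a finding
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php

# Constructed sample: debug left on, file-editor lock commented out, one stale key.
SAMPLE = "\n".join(
    ["define( 'WP_DEBUG', true );",
     "// define( 'DISALLOW_FILE_EDIT', true );",
     "define( 'FORCE_SSL_ADMIN', true );",
     f"define( 'AUTH_KEY', '{PLACEHOLDER}' );"]
    + [f"define( '{k}', 'constructed-{k}-x9;)q' );" for k in KEY_NAMES[1:]])


def parse_defines(text):
    """Return {CONSTANT: value} for define() calls on uncommented lines."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("//", "#", "/*", "*")):
            continue
        m = DEFINE_RE.search(line)
        if m:
            found[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return found


def audit_wp_config(text):
    """List production findings: debug on, locks off, stale or missing keys."""
    defs, findings = parse_defines(text), []
    for name in MUST_BE_OFF:
        if defs.get(name, "false").strip().lower() not in ("false", "0", ""):
            findings.append(f"{name} is enabled ({defs[name]})")
    for name in MUST_BE_ON:
        if defs.get(name, "").strip().lower() not in ("true", "1"):
            findings.append(f"{name} is not enabled")
    for name in KEY_NAMES:
        if defs.get(name, PLACEHOLDER) == PLACEHOLDER:
            findings.append(f"{name} is missing or still the sample placeholder")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_wp_config(SAMPLE)))
```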
2. Write your .htaccess rules for the full environment
The WordPress default .htaccess only covers rewrite rules. A properly configured file for a production site does a lot more.
At minimum you should be handling:
HTTPS redirects — force all traffic to SSL
www canonicalisation — pick one and redirect the other
Hotlink protection — prevent bandwidth theft on media files
File access restrictions — block direct access to wp-config.php, readme.html, xmlrpc.php, and .htaccess itself
Directory listing — disabled by default
PHP version pinning — if your host supports it via .htaccess
# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Block access to sensitive files
<FilesMatch "^(wp-config\.php|readme\.html|license\.txt|\.htaccess)">
    # Apache 2.4+ syntax; the older "Order Allow,Deny" / "Deny from all" pair needs mod_access_compat
    Require all denied
</FilesMatch>
# Disable directory browsing
Options -Indexes
Tool: .htaccess Generator on FyrePress — toggle what you need, outputs clean Apache directives specific to your setup.
3. Set your HTTP security headers
Security headers are one of the most commonly skipped steps in WordPress setup, and one of the most valuable. They protect your users against XSS, clickjacking, MIME-type sniffing, and data leakage — without any plugin needed.
The headers every WordPress site should have:
| Header | What it does |
|---|---|
| Content-Security-Policy | Controls which resources the browser is allowed to load |
| X-Frame-Options | Prevents your site being embedded in iframes (clickjacking) |
| X-Content-Type-Options | Stops MIME-type sniffing |
| Referrer-Policy | Controls what referrer info is sent to third parties |
| Permissions-Policy | Restricts browser features like geolocation and camera |
| Strict-Transport-Security | Enforces HTTPS at the browser level |
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Tool: Security Headers Generator on FyrePress — configure each header through a UI, outputs Apache .htaccess blocks or Nginx add_header directives.
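To confirm what a site actually sends, the response headers can be checked against the six headers in the table. This is an added example, not FyrePress code; the sample is a constructed `curl -sI`-style response for a site using only the five Apache directives above, and the function names and the 180-day HSTS threshold are assumptions.

```python
import re

REQUIRED = ["content-security-policy", "x-frame-options", "x-content-type-options",
            "referrer-policy", "permissions-policy", "strict-transport-security"]

# Constructed sample: headers produced by the five directives shown above.
SAMPLE = """HTTP/2 200
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=(), camera=()
strict-transport-security: max-age=31536000; includeSubDomains
"""


def parse_headers(raw):
    """Map lower-cased header name -> list of values (duplicates preserved)."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(raw, min_hsts=15552000):     # 180 days, an assumed threshold
    """Return findings: missing, duplicated, or weak security headers."""
    h, findings = parse_headers(raw), []
    for name in REQUIRED:
        if name not in h:
            findings.append(f"missing {name}")
        elif len(h[name]) > 1:                 # e.g. set by both a plugin and .htaccess
            findings.append(f"duplicate {name}")
    if h.get("x-content-type-options", ["nosniff"])[0].lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")
    if h.get("x-frame-options", ["DENY"])[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options is not DENY or SAMEORIGIN")
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < min_hsts:
            findings.append("strict-transport-security max-age too short")
    return findings


if __name__ == "__main__":
    print(audit_headers(SAMPLE))
```

Run against the sample, the only finding is the missing Content-Security-Policy: the table lists it, but the five directives do not set it.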
4. Configure your Nginx server block correctly
If you're on Nginx (increasingly common on modern VPS hosting), your server block config matters for performance, security, and correct WordPress routing.
A well-configured WordPress Nginx block handles:
PHP-FPM socket configuration
try_files for WordPress routing
Static file caching headers
Gzip compression
Hiding server version information
Blocking access to sensitive paths
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    root /var/www/example.com;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}
Tool: Nginx Server Block Generator on FyrePress — generates environment-aware blocks for WordPress, WooCommerce, and multisite configurations.
5. Register your Custom Post Types from a template
Hand-writing CPT registrations is one of those tasks where it's very easy to forget show_in_rest => true (breaking the block editor), miss the has_archive argument, or write verbose labels arrays from memory.
function register_portfolio_cpt() {
    register_post_type( 'portfolio', [
        'labels' => [
            'name'          => __( 'Portfolio Items' ),
            'singular_name' => __( 'Portfolio Item' ),
            'add_new_item'  => __( 'Add New Portfolio Item' ),
            'edit_item'     => __( 'Edit Portfolio Item' ),
        ],
        'public'       => true,
        'show_in_rest' => true, // Required for block editor support
        'has_archive'  => true,
        'supports'     => [ 'title', 'editor', 'thumbnail', 'custom-fields' ],
        'rewrite'      => [ 'slug' => 'portfolio' ],
        'menu_icon'    => 'dashicons-portfolio',
    ]);
}
add_action( 'init', 'register_portfolio_cpt' );
Tool: Custom Post Type Generator on FyrePress — fill in your post type details, get a complete, copy-paste-ready registration block including all labels.
6. Use WP-CLI for setup and maintenance tasks
WP-CLI is the fastest way to handle bulk operations, but the documentation is dense and the flag syntax isn't always obvious. For tasks like exporting posts, bulk updating options, running search-replace on a migration, or scaffolding a new plugin, it saves significant time.
# Search and replace domain on migration
wp search-replace 'https://staging.example.com' 'https://example.com' \
--skip-columns=guid --report-changed-only
# Export all published posts as JSON
wp post list --post_status=publish --fields=ID,post_title \
--format=json > posts.json
# Flush and regenerate all image thumbnails
wp media regenerate --yes
Tool: WP-CLI Command Architect on FyrePress — build complex WP-CLI commands through a UI, without memorising the full flag reference.
7. Add schema markup to key page types
WordPress SEO plugins generate decent schema for standard post types, but they often fall short on custom content types, FAQ pages, Local Business listings, or non-standard article structures.
Handcrafted JSON-LD ensures your schema is exactly right:
<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "FAQPage",
  "mainEntity": [
    {
      "@type": "Question",
      "name": "How do I reset my WordPress password?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "You can reset your password from the login page using the 'Lost your password?' link, or directly via WP-CLI with: wp user update 1 --user_pass=newpassword"
      }
    }
  ]
}
</script>
Tool: Schema Markup Builder on FyrePress — generates valid JSON-LD for Articles, FAQs, Local Business, Products, Breadcrumbs, and more.
8. Configure your robots.txt for WordPress specifically
The default WordPress robots.txt is minimal. A properly configured file for a production WordPress site should:
Disallow crawling of admin, login, and feed paths
Keep crawlers out of theme and plugin directories where appropriate (robots.txt is advisory for crawlers, not an access control; restrict access at the server)
Point to your XML sitemap
Handle WooCommerce checkout and account paths if relevant
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-login.php
Disallow: /feed/
Disallow: /trackback/
Allow: /wp-admin/admin-ajax.php
Sitemap: https://example.com/sitemap.xml
Tool: robots.txt Builder on FyrePress — includes WordPress-specific directives pre-configured, with toggles for WooCommerce, membership plugins, and multisite.
9. Have a database cleaning query set ready
Over time, WordPress databases bloat with post revisions, spam comments, expired transients, and orphaned metadata. A regular cleaning routine keeps queries fast and backups small.
-- Remove post revisions
DELETE FROM wp_posts WHERE post_type = 'revision';
-- Remove orphaned post meta
DELETE pm FROM wp_postmeta pm
LEFT JOIN wp_posts p ON p.ID = pm.post_id
WHERE p.ID IS NULL;
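-- Remove expired transients together with their timeout rows
-- ('_transient_' is 11 characters, so the transient name starts at position 12)
DELETE a, b FROM wp_options a
JOIN wp_options b
ON b.option_name = CONCAT('_transient_timeout_', SUBSTRING(a.option_name, 12))
WHERE a.option_name LIKE '\_transient\_%'
AND a.option_name NOT LIKE '\_transient\_timeout\_%'
AND b.option_value < UNIX_TIMESTAMP();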
-- Remove spam and trashed comments
DELETE FROM wp_comments WHERE comment_approved = 'spam';
DELETE FROM wp_comments WHERE comment_approved = 'trash';
Tool: Database Optimization SQL on FyrePress — generates safe, targeted SQL for common WordPress database cleanup tasks.
10. Keep an error log decoder bookmarked
When something breaks on a production site, the error log is your first stop. But raw PHP/WordPress error log entries are not easy to read quickly under pressure.
PHP Fatal error: Uncaught Error: Call to a member function get_permalink()
on null in /var/www/html/wp-content/themes/mytheme/functions.php:247
Stack trace:
#0 /var/www/html/wp-content/themes/mytheme/functions.php(180): theme_build_menu()
#1 /var/www/html/wp-includes/class-wp-hook.php(324): theme_setup_nav()
Tool: WP Error Log Decoder on FyrePress — paste the log entry, get a structured breakdown: error type, file path, line number, stack trace, and a plain-English explanation of the likely cause.
The full toolkit
The ten tools above cover the most common setup tasks, but FyrePress has 130+ tools in total across five categories:
Server & Core — wp-config builder, .htaccess generator, Nginx config, PHP.ini reference, cron builder
Security — security headers, SSL configuration, two-factor auth setup, XML-RPC disabler, login hardening
Frontend — theme.json builder, Gutenberg block templates, meta tags generator, Open Graph builder
Backend & DB — CPT generator, WP-CLI architect, database SQL tools, error log decoder, plugin boilerplate
SEO & Content — schema markup builder, robots.txt builder, sitemap generator, redirect rules, canonical tag builder
Everything runs locally in your browser. No login, no account, no server-side processing. Your configuration data and credentials never leave your device.
Browse all tools at fyrepress.com →
What's coming next
The next tools in development based on early user feedback:
WordPress REST API Endpoint Tester — test WP REST API routes with authentication, directly in the browser
PHP Compatibility Checker — paste a snippet, check it against PHP 7.4 through 8.3
Core Web Vitals Audit Scorecard — structured checklist mapped to real WordPress performance levers
WordPress Docker Compose Generator — spin up a local WP dev environment without memorising the syntax
WooCommerce Product Schema Builder — handcrafted JSON-LD for product pages beyond what SEO plugins generate
A note on why I built this
I run two web hosting companies — FyreHost and AwakeHost — so I've had a front-row seat to how WordPress developers actually work. The setup friction I've described in this post isn't a skill gap. It's a tooling gap. Developers are fast and competent; they just shouldn't need to Google the same config patterns on every project.
FyrePress is my attempt to fix that, one tool at a time. It's free, it's not going anywhere, and I'm actively adding to it.
If you find a tool that's generating incorrect output, or if there's something missing from your workflow that should be here — leave a comment. That's exactly the kind of feedback I'm building on.
Written by Fasih ud din — Founder of FyreHost, AwakeHost, and FyrePress. Based in Lahore, Pakistan.
