Author’s Note: This page is a collection of all the posts for my free ebook “Create Your Business Website With WordPress.”
About The Author
Hello, I’m Brittany Gates! I’m a data center aficionado and creative writer. For the past fifteen years I worked in the IT Industry in various roles. Eventually, I grew to love working in data centers and focused my IT career on that path. Currently, I work for Google as a Data Center Technician. After my shift ends I work on my first love: Writing! I self-publish books on Amazon and upload short stories onto Wattpad. And I find the time to maintain two websites I built with WordPress: bcgates.com (my personal site) and letsallmeat.com (my Ecommerce store).
That’s a great segue into my history with WordPress. I started using WordPress around 2007 because it was an easier way to create blogs. And at that time blogs were popular and I wanted my own. As the years passed WordPress improved in features, and moved beyond blogging. Those improvements allowed me to enhance my website’s appearance, what media I could display, and how I could protect my site from hackers. And those experiences built a level of knowledge within me that I shared with others. I recommended WordPress to anyone seeking to build a website. And in some cases I helped those individuals build their website.
Now I want to help others on a grand scale. That’s the reason I wrote this guide: To help individuals – such as entrepreneurs, freelancers, and small business owners – build their own website with WordPress. While building a website is a long and arduous process, you can do this with my guide. I’ll explain how to find the right type of web hosting so your business website will perform properly, how to secure your website against hackers, how to install and use WordPress, test your website, and publish it for the world to see.
Why do I choose WordPress to build my websites? There are many other choices one can choose from to build their website. There are cloud-based website development companies like Wix and Squarespace. Those companies make website creation easy with their drag-and-drop systems. While I have nothing against companies like Wix and Squarespace, I’d rather not use their closed-source systems.
WordPress is open source software. That means the source code of the software is available for anyone to download and modify for their own use. So a Web Developer could modify WordPress’ code to fit the needs of their client. Or that developer could use the code as-is. As the tagline states on WordPress’ website: “Create a place for your business, your interests, or anything else—with the open source platform that powers the web.”
WordPress was created in 2003 by Mike Little and Matt Mullenweg, and is operated by Automattic. While WordPress was originally created for blogging, the creators improved the software to allow the creation of various types of websites. And this versatility makes it a great choice for businesses.
At its core, WordPress is a Content Management System (CMS). This system allows individuals to not only create digital content (like blog posts, music files, or videos) but modify them. WordPress can also be considered a Web Content Management (WCM) system because it provides the ability for individuals to create and/or add images, photos, music, videos, and much more.
A Content Management System is broken up into two parts:
- Content Management Application (CMA)
- Content Delivery Application (CDA)
The CMA allows inexperienced users to create, update, or delete content from a website without the aid of an experienced professional. Years ago you would have to hire a Webmaster or a Web Developer for this type of work.
The CDA does all the heavy lifting in the background because it takes all the pictures, text, and other media and puts it all together. Thus, it creates everything the visitor sees on the website. Finally, the CDA has the job of updating the website.
Its Popularity Created A Vast Ecosystem
WordPress is the market leader among all the website-building software currently available. At the time of this guide’s publication, 43% of all the websites on the Internet use WordPress, according to W3Techs.
Due to its popularity WordPress Developers came into existence. These individuals and/or companies created a vast ecosystem to extend the capabilities of the software. Those capabilities were in the form of themes or plugins. Some of those themes or plugins are free, while others have a monthly/yearly subscription cost or a one-time fee.
These themes or plugins transform WordPress into a retail online store or a membership website. Because these developers see success from their labors they continue to improve WordPress. And everyone benefits from their efforts.
Automated Installation Simplifies The Installation Process
When I started using WordPress back in 2007 the installation was difficult. I followed the “Basic Instructions” which could be difficult for non-tech savvy individuals to follow. Thus, many installed the software improperly onto their website, or connected their database incorrectly. Which meant deleting everything and starting over (which was the easier option), or paying a developer to fix it.
In addition, if one needed to edit the core WordPress files, and did so incorrectly, their site crashed.
Then came the Automated Installation. Depending on the web hosting company, all an individual had to do to install WordPress was access a script (like WP Toolkit or Softaculous). The script asks a few simple questions, and a few minutes later a basic WordPress installation is ready for use. All one has to do after that point is customize the site.
The WordPress User Interface Is Intuitive
WordPress’ User Interface (UI) is intuitive now. The side menu has all of the functions users need, such as “Posts” and “Media.” In addition, each name tells users exactly what it does. “Posts” allows users to create a blog post. “Pages” is for when users want to create a page on their site. “Media” contains pictures, videos, music, and other media. And “Comments” allows users to read and maintain comments.
Enhanced Blogging & Content Creation Capabilities
WordPress is still the best CMS to use for blog creation. Yes, there are sites like Medium and Tumblr (which is now owned by Automattic), but those sites don’t offer the plugins or configurations this software offers.
Even though you can create websites with WordPress, its focus was and is blogging. And that’s improved drastically over the years. Writing posts is a breeze! I can add animated GIFs with a few clicks. When I want to slip in headings and sub-headings those are also just a few clicks of my mouse. Finally, when I want to add a “Featured Image” (the image that shows up above the blog post) or an image within the body of my text, I can upload one and then insert it in under a minute.
Finally, if I want to add a file for download, like a PDF file, all I have to do is upload the file and create the link to it in the particular post or page.
Purchase A Domain Name & Web Hosting
The first step in creating the business website with WordPress is to purchase a domain name and choose the appropriate web hosting company and plan.
If the reader doesn’t know what a domain name is, how to buy one, or how to choose the proper web hosting provider for their website, don’t worry as I’m going to explain it in easy-to-understand terms. This step can take a considerable amount of time because choosing a domain name requires planning and flexibility. A good domain name is easy to remember and isn’t too long. As for the web hosting company, again this will take some time due to comparing companies, their plans, their prices, and their customer service options.
I highly recommend users do not skimp on the costs when it comes to choosing web hosting. Although the reader shouldn’t choose the most expensive hosting plan, just remember people get what they pay for. Either the hosting plan will have slower performance, or those individuals won’t have enough storage for their files, or the web hosting company will have subpar customer service.
How To Purchase A Domain Name
What Is A Domain Name?
According to Wikipedia: “A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet. Domain names are used in various networking contexts and for application-specific naming and addressing purposes. In general, a domain name identifies a network domain, or it represents an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, a server computer hosting a web site, or the web site itself or any other service communicated via the Internet.”
In simpler terms, a domain name is a phrase that allows people to access websites more easily, as the other way requires people typing the IP address into their browser. Now, that way works, but people remember words more easily than numbers.
Here are some examples of domain names:
Create An Original Domain Name
For the business website, owners should create an original domain name. A problem I see some business owners have is creating a domain name too similar to another company’s. This is a mistake to avoid because it causes confusion. And that can dilute the business’ brand.
Unoriginal domain names can lead to legal trouble. Let’s say an individual has a new business called Goog. And that person registers the domain name goog.com. This name is too similar to google.com. And this name could confuse some of Google’s customers into thinking that person’s website is related to Google’s products and services. Because of this, Google decides to send their Legal team after that individual for infringing on their trademark.
This sounds far-fetched, right? Nope. Google has done exactly that in the past, as Google sued the owner(s) behind oogle.com in 2012.
If people think that domain names can’t get a trademark, Nolo discusses how these can. To learn more about this so a business doesn’t infringe on another company’s trademark, Donut has a great FAQ section about this topic. Also, The Internet Corporation for Assigned Names and Numbers (ICANN) has a page devoted to this too. ICANN coordinates the domain names, among other things, of the Internet.
There are a couple of ways to create an original domain name. Using the name of one’s business is a good option. Others use the name of their business and the business’ industry. Both options work well if the individual sells services. Let’s say a person’s name is Robert Johnson and Robert runs an HVAC company. He could create a domain name like “johnsonhvac.com” or “rjohnsonhvac.com” or “johnsonheatingandair.com.”
However, if another person (let’s call her Sharon) operates a business selling goods, then Sharon may want to create an original name around whatever goods she’s selling. Let’s say Sharon sells health and beauty products using organic coconut oil. She could create a domain name based around her product line name.
Use Business Name Generator To Create A Domain Name
A different option to create an original domain name for the business is to use a business name generator. These websites generate a list of business names after the user enters words or phrases about their business or industry.
Using BusinessNameGenerator here are the domain names I got for the following industries:
Food & Drink
- Smack Burgers
Choose A Generic Top-Level Domain
Before the business owner searches to see if a potential domain name is available, that person first must decide which generic top-level domain (TLD) to use. Here’s a short list of generic TLDs currently available from various domain registrars:
Most people choose the .com TLD because it’s the most popular. Due to that, sometimes it’s difficult to use a specific name for a website because it’s already taken. If that happens, and if a person really wants the name, it could be for sale. One way to check is to see if there is a “Make Offer” button or something similar. This will start the process of offering to purchase the domain name, but be warned: The current owner may want an exorbitant amount.
Purchasing Multiple TLDs For A Domain Name
Once an individual buys their domain name, next comes the question of whether that person should buy the other TLDs available for that domain name.
Let’s use example.com for this scenario. The domain registrar shows various other TLDs available for example.com:
- So on …
The person thinks: “Should I buy those other names? Why would I buy them? What’s the reasoning behind that?”
One reason to purchase the other TLDs is to protect the trademark for their business, or protect the company’s brand.
Google, and other major companies, do so because if they waited to purchase the other TLDs, someone else could buy them. People do this because they’re hoping those businesses will want to purchase it later. This is called Cybersquatting (also called Domain Squatting), and there are laws about this in America and in some countries.
Finally, I highly suggest owners don’t buy some non-popular TLDs like example.golf or recently launched TLDs. Mostly because they don’t have the name recognition like a .com or a .net.
When To Purchase A Domain Name
I suggest purchasing the business’ domain name ahead of creating the website, because building the website will incorporate the domain name into its branding. So it’s best to have that settled before the website development happens.
I understand there’s the possibility a business owner changes their business name after purchasing the domain name. Thus, that individual won’t use the previously-purchased domain name and is out some money. However, domain names aren’t expensive (unless users purchase a Premium Domain Name, which I will discuss later in this chapter). Most domain names range in price from $8 to $50, depending on the registrar and the Top Level Domain (TLD) chosen.
Domain Name Ownership Length
When it’s time to purchase a domain name, the registrar will offer a length to own said domain name. The default length is one year. However, many domain registrars allow individuals to add years for an additional cost.
The benefit of this is to:
- Save money
- Avoid forgetting to renew the name
Yep, owners have to renew their domain names every year. I used to only purchase one-year terms for my domain names but I’ve recently switched to multi-year terms because the cost savings are better. Yet, it’s perfectly fine to accept the standard one-year length.
Finally, I have my domain names set to auto-renew and keep a valid credit card on file. I highly suggest others do the same. This is to avoid the possibility of missing the email from the domain registrar prompting the individual to renew their domain name. If the person forgets to renew, their website stops working. Then the domain name moves back into the pool of availability for others to purchase. And if someone else buys it, then the original owner will have to buy it from the new owner (if that’s possible).
When To Purchase A Premium Domain Name
During the search the reader is bound to come across a Premium domain name. What are those? According to Namecheap Premium domain names “are short domains, often made up of just one word or 3-5 letters. They are also known as ‘aftermarket’ or ‘pre-registered’ domains.” Good examples of these types of names:
These names are catchy and short, which is gold when it comes to marketing. That’s why I suggest users consider one if:
- They can afford the cost
- It advertises the company’s brand well
Namecheap wrote a blog post about several companies spending $10,000+ for their premium domain names. While this price tag is expensive for many individuals or small businesses, some look at the investment as part of building their company’s brand.
The Domain Registrar I Recommend
When it comes to purchasing a domain name I only use Namecheap. I’ve used them for 16 years now, and always get great support from them.
Namecheap has great prices for domain name registration. They usually sell a .com TLD for $8.88 a year! In addition, the company runs sales regularly, and I’ve seen .com TLD as low as $5 a year.
How To Purchase Web Hosting
In this section I’ll explain how to choose the proper web hosting company and package for a business website. There are so many companies and plans to choose from. And reviews alone aren’t enough to make a decision. I’ll discuss the differences between the four plans hosting companies offer for WordPress installations:
- Managed WordPress Hosting
- Shared Web Hosting
- Virtual Private Server (VPS)
- Dedicated Server
Finally, I’ll show the pros and cons of each of those plans, and explain when to choose that particular plan for a business website.
What Is Web Hosting?
According to Wikipedia: “A web hosting service is a type of Internet hosting service that allows individuals and organizations to make their website accessible via the World Wide Web. Web hosts are companies that provide space on a server owned or leased for use by clients, as well as providing Internet connectivity, typically in a data center.”
Web hosting companies have servers in a data center and rent those for customer use. What are servers? Think of them as bigger and more powerful computers. Servers have higher-end CPUs, more memory, larger capacity storage disks, and high-bandwidth network ports to allow multiple users to access them at once.
When a customer purchases web hosting, the company takes one of the servers they own and prepares a portion of it for the customer to use. (Unless that customer chooses the Dedicated Server plan, then that person gets to use the entire server.)
Managed WordPress Hosting
Managed WordPress Hosting is an inexpensive package available at web hosting companies. Some companies may advertise it as “WordPress Hosting.” Here are the pros and cons of this hosting package:
Pros:
- Inexpensive price.
- Great for personal blogs or small websites.
- Web hosting company performs server updates.
- WordPress core updates happen automatically.
- Daily backups.
Cons:
- Servers offer basic hardware technical specifications.
- Usually no access to Plesk or cPanel.
- Secure File Transfer Protocol (SFTP) may not be available.
- Database access may not be available.
Let’s go through the pros and cons in more detail. Managed Web Hosting is inexpensive because the web hosting company uses basic servers to host the customers’ websites. Now basic doesn’t mean bad. Instead, think of it like a car with the base package. These servers don’t have any frills. That’s why these are a great option for a blog or a basic website. A good reason to choose this hosting is that the hosting company handles all server updates. That way their customers don’t have to worry about applying security updates in a timely fashion. And that includes WordPress core file updates. The hosting company will handle that too. Finally, the company will automatically back up the website’s files.
As for the cons these basic servers aren’t a good choice for Ecommerce business websites, or websites selling services requiring heavy database usage. Some web hosting companies may have a more expensive Managed WordPress Hosting package which could handle those websites. If the individual wants Plesk or cPanel access this plan won’t usually offer it. (I’ll explain what Plesk and cPanel are in the Shared Hosting section.) That also goes for SFTP or database access. However, some companies may offer limited SFTP and database access if one chooses a more expensive plan.
Shared Web Hosting
This hosting is usually the cheapest plan offered by web hosting companies. Yet, this hosting also gives access to Plesk and cPanel, which are website control panels. These control panels allow users to manage various parts of the back-end of their website, like PHP version and email accounts to name a couple. Here are the pros and cons of this hosting package:
Pros:
- Cheapest price.
- Great for small & medium-sized business websites.
- Web hosting company performs server updates.
- Access to Plesk, cPanel, SFTP, and database access.
Cons:
- The cheapest packages can have sparse features.
- Free services can become non-free after a period of time.
Now to review the pros and cons in more detail. Regarding the pros the cheap price is a great option for those with limited budgets. Shared Hosting does use basic servers on the cheapest plans, however. Yet, this is still a great choice for small and medium-sized websites. And since there is access to control panels, SFTP, and the database it’s a better option for more demanding websites.
The downsides to this plan are that the cheapest packages can have limited features. Thus, if a business owner needs a server that is PCI-compliant for their Ecommerce store, that person will have to choose a more expensive plan. Finally, some free services can become non-free after a period of time. I see this most often with Secure Sockets Layer (SSL) certificates, which secure the site from hackers and other bad actors. Users should read the Terms and Conditions regarding any free services to see if those will become non-free in the future.
Virtual Private Server (VPS)
With this hosting, pricing becomes more expensive, because a VPS gives users more control over the server and offers more powerful hardware running the server. Here are the pros and cons of this hosting package:
Pros:
- Users can choose the server’s operating system and hardware specs.
- The server’s hardware is more robust, offering better performance.
- Users have total control over the server’s hardware and software.
Cons:
- VPS plans are more expensive.
- Users are responsible for server updates.
- Users may have to hire outside technical support for some issues.
Now to review the pros and cons in more detail. As for the price, VPS are more expensive than the previous two web hosting packages I discussed earlier in this chapter. The higher price is due to the features VPS offers. Customers can choose the server’s operating system and the hardware specifications. With this comes root access, meaning the customer has total control over the server. VPS offers better hardware than the other two web hosting packages, which is great for demanding websites.
With all these benefits come some big downsides. The first being the price. VPS are more expensive than other hosting plans. I found VPS plans starting at $4 a month to more than $60 a month. In addition to the price, the user is now in charge of server updates and many technical support issues. And if that user doesn’t know how to apply server updates properly, or doesn’t at all, that could lead to a hacked server. And if that happens the user is on the hook for paying for remediation as web hosting companies usually don’t offer malware cleanup.
Dedicated Server
I saved the most expensive for last. Purchasing a Dedicated Server to host the website is expensive. And most business websites won’t need a dedicated server unless that website has tens of thousands of visitors each day. Here are the pros and cons of this hosting package:
Pros:
- Users can build their own server hardware configuration.
- Provides the best performance for demanding websites.
- Users have total control over the server’s hardware and software.
- The server has only one user on it.
Cons:
- Is the most expensive hosting.
- Users are responsible for server updates.
- Users are responsible for all technical support.
Now to review the pros and cons in more detail. Dedicated Servers allow customers to build their own server hardware configuration. Meaning they can choose the type of hard drive, the hard drive size, the number of hard drives in the server, the amount of memory, and so on. Just like the VPS, this hosting gives the best performance for demanding websites, and gives customers total control over every part of their server. Finally, with a Dedicated Server there is only one user on it.
All this comes at a high price. Dedicated Servers are usually going to cost at least $100 a month. At the time of this guide’s publication I found many plans ranging in price from $120 to $200 a month. Just like the VPS, users are responsible for all server updates. And with Dedicated Servers, users are usually responsible for all technical support issues. Some web hosting companies will offer technical support but at a price. It all depends on the web hosting company.
The Web Hosting Package I Recommend
After reading all of that I know there are some confused readers right now. They’re thinking: “Which hosting package should I choose?” While I can’t tell everyone which hosting plan is going to fit their situation, I can offer some tips.
Managed WordPress Hosting is great for those individuals who do not want to deal with updating their server or WordPress installation. This is also a good choice for those who are starting with web hosting and aren’t sure how everything interacts with each other, and what they are responsible for.
If a business owner needs access to the control panel (Plesk or cPanel), SFTP, or the database and wants to keep costs low then Shared Hosting is the best option.
VPS is a great choice for websites getting thousands of visitors per day, where the business owner wants more control over the server’s hardware and software.
Finally, Dedicated Servers are the choice for business owners who have a complex website, and need total control over the server. Plus, Dedicated Servers offer better performance for websites receiving tens of thousands of visitors per day.
Consider Using WordPress.com
This guide focuses on building a business website with the self-hosted WordPress because that version gives users the most flexibility in creating their websites. However, there is an option for those individuals who would rather not have to deal with finding web hosting, installing WordPress, and managing it: wordpress.com. This option is Automattic’s version of Managed WordPress Hosting. Let’s take a look at the pros and cons of using wordpress.com:
Pros:
- Automattic handles all website maintenance.
- Simple website creation via drag-and-drop.
- Thousands of free plugins available to use.
- Marketing and website analytics tools are built-in.
- Free SSL certificate.
Cons:
- Their plans are more expensive than other companies.
- Additional features cost money.
- Priority technical support requires a more expensive plan.
Now to review the pros and cons in more detail. This hosting is great for those individuals who don’t want to worry about website maintenance because Automattic does it for them. In addition, creating a website is easy because of the WordPress Block Editor, which allows users to click or drag-and-drop elements like text or media onto a page or blog post for easy configuration. In addition, there are thousands of free plugins to use, along with various free themes to make a website stand out. Finally, wordpress.com gives users a free SSL certificate.
As for the downsides to wordpress.com, there are a few. The pricing for their plans is more expensive than purchasing Managed WordPress Hosting from another company. And if one needs more features than what their current plan provides, then that person has to upgrade to a more expensive plan. Finally, the cheaper plans come with slower technical support via email.
Built By WordPress
Automattic does offer a service called Built By WordPress. The tag of this service is: “You want the website of your dreams. Our experts can create it for you.” And their experts definitely can.
Automattic will collect information from a customer regarding their business and what that individual wants in their website. Then the company pairs that customer with a website design agency who are experts in using WordPress. From there, the agency will build the website and work with the customer.
This option is great for business owners who don’t want to go through the time to build their own website, but don’t know how to find a reputable website design agency. However, convenience costs money.
The “Express” plan, according to the site, is “perfect for content creators, small businesses, and professional bloggers on a budget.” The price starts at $499, and the customer has to purchase the wordpress.com Premium plan (additional $96 a year).
The second and final plan provides “premium website design services for custom sites, redesigns, custom development, or migrations.” The price starts at $5000, and the customer has to purchase the wordpress.com Business plan (an additional $300 a year).
So do I recommend Built By WordPress? Only if a business owner desires Automattic to do all the work and find a website design agency that fits their needs. Frankly, a business owner would be better off for that amount of money finding a WordPress freelancer on Fiverr or Upwork. There are plenty of freelancers with great reviews and completed websites a potential client can visit before paying any money. I think Built By WordPress is too expensive for what the client receives at the end.
WordPress’ Recommended Hosting Partners
What if a person doesn’t know how to start looking for a web hosting provider? What if reading reviews isn’t enough? How can that individual choose a reputable company and get a guarantee WordPress will work well? That person can choose to use one of WordPress’ recommended hosting partners. WordPress recommends the following web hosting companies:
Let’s look into each company in more detail.
Bluehost is a popular web hosting company that has thousands of great reviews and satisfied customers. Although I don’t use Bluehost I heard great things about them from others.
As for their WordPress plans there are several to choose from:
- Basic
- Choice Plus
- Online Store
- Pro
The Basic plan is just that: Basic solutions for one website or blog. Choice Plus is the Basic plan with more privacy and security features. As for the Online Store plan, that’s great for Ecommerce stores as the company will install the WooCommerce plugin. Finally, the Pro plan is for users wanting to improve their website’s performance.
Prices for a 12-month term range from $36 a year for the Basic plan to $168 a year for the Pro plan. Bluehost offers a 36-month term which reduces the prices further. However, the entire 36-month term amount is due up-front.
Depending on the chosen plan, customers receive a free SSL certificate, free domain name for the first year, and daily website backup to name a few features. In addition, Bluehost will apply all WordPress updates and get the business website verified on Google My Business.
Finally, Bluehost has 24/7 technical support via phone or chat.
DreamHost is also a popular web hosting company with great reviews and happy customers. I haven’t used this company either, but I’ve heard of them. Yet, I can’t personally say I know of anyone who actually used DreamHost.
As for their WordPress plans there are several to choose from:
- WordPress Basic
- DreamPress
- WooCommerce Hosting
- VPS for WordPress
- Dedicated for WordPress
The WordPress Basic plan is great for those getting started with WordPress. DreamPress is Managed WordPress Hosting with daily backups and caching features to name a couple of benefits. WooCommerce Hosting is for Ecommerce websites. VPS for WordPress is great for running multiple websites on a single server. Finally, Dedicated for WordPress provides a dedicated server for those wanting full control.
Prices for a 12-month term range from $36 a year for the WordPress Basic plan to $1800 a year for the Dedicated for WordPress plan. And just like with Bluehost, if a person signs up for a 36-month term there’s a bigger price discount.
Depending on the chosen plan, customers receive a free SSL certificate, free domain name, email accounts, and daily website backup to name a few features.
DreamHost’s technical support looks to have more limitations than Bluehost. It is 24/7 but only live chat is available all the time. If a customer wants to speak to a technical support agent via the phone that person will have to schedule a callback. Finally, priority support that provides more in-depth technical support is only available for the more expensive plans.
Install The SSL Certificate
The second step in creating a business website with WordPress is to install the proper Secure Sockets Layer (SSL) certificate onto the website. This step can be completed without the website being fully functional yet.
If the reader doesn’t know what an SSL certificate is, or how to find the proper one for a business website, don’t worry, because I will explain the process in this chapter. Depending on the needs of the website, individuals can use a free SSL certificate or will have to purchase one.
I’ve met some business owners who think they do not need to secure their entire website, but only the login page or the cart/checkout page. That line of thinking is wrong. The entire website needs protection.
What Is An SSL Certificate?
A Secure Sockets Layer (SSL) certificate encrypts website traffic, transforming it from HTTP (unsecured) to HTTPS (secured). Also, this certificate protects sensitive information (like credit card numbers or protected health information) from bad actors like hackers.
This certificate protects websites from bad actors through Public-key cryptography. Think of this protection as house addresses. These are public information and anyone can come to those houses. That is the public key in Public-key cryptography. However, there are locks on those houses’ doors, which keeps strangers from entering those houses. Only those individuals with the proper key can enter. That’s the private key used in Public-key cryptography.
When a person obtains an SSL certificate there is a public and private key with it. A web browser receives the public key upon connecting with the website, which allows it to create an encrypted connection. If the browser isn’t able to receive the correct public key then the encrypted connection won’t occur.
Finally, an SSL certificate proves the domain name actually belongs to the website. This is done through domain validation, which I will discuss later in this chapter.
This is a quick overview about SSL certificates. To learn more I suggest reading this knowledge article from Cloudflare. It explains the technology in more detail, and it’s easy to understand.
Install An SSL Certificate For The Entire Website
The entire business website needs an SSL certificate because not having one affects the following:
- Search Engine Optimization (SEO) ranking.
- Visitors’ trust.
Google, Bing, DuckDuckGo, and other search engines take web security seriously. They don’t want to provide their customers search results that lead them to dangerous sites that may install malware on their computer or steal their data. Thus, search engines give websites with better security higher rankings in their searches over insecure websites. Neil Patel did an extensive write-up on his website showing the data proving Google favors websites employing entire website security. If a business owner only secures parts of their website instead, that will hurt the site’s SEO rankings. In turn, that will hurt the business’ profits because it’s not going to reach as many customers.
Finally, having an SSL certificate installed for the entire website puts visitors’ minds at ease. If someone visits a website and sees the homepage isn’t secure that visitor may leave the site immediately. Or that visitor could stick around but choose not to purchase any product or service from the site.
Types Of SSL Certificates
There are three types of SSL certificates:
- Domain Validated (DV)
- Organization Validated (OV)
- Extended Validation (EV)
While each certificate provides the same type of encryption, they differ in how the Certificate Authority (CA) verifies the website’s owner before issuing the certificate. The CA is the company generating and granting SSL certificates.
Domain Validated (DV)
DV certificates have the fewest checks, as the CA only checks if the owner has the right to use a specific domain name. This is usually done by having the owner add a specific record to the Domain Name System (DNS) settings at their web hosting company. The CA doesn’t check to make sure the owner is the actual owner, or check the owner’s identity.
Websites use DV certificates because they are inexpensive, good for simple websites (like personal blogs), and have quick delivery.
Organization Validated (OV)
The CA does more checks on OV certificates, verifying the owner has the right to use the domain name. In addition, the CA verifies some of the information about the organization or business. Visitors can view that information by viewing the security icon in their browser.
Unlike DV certificates, OV certificates have a longer delivery time due to the checks the CA has to perform. These certificates are great for Ecommerce sites, or any website accepting sensitive customer data like credit cards.
Extended Validation (EV)
As for EV certificates, the CA performs an extensive verification process for the website’s owner. They check the legal, physical, and operational existence of the business. Then the CA verifies the identity the owner provides against what is on official records. Finally, the CA checks that the owner or organization initiated the certificate issuance. Like OV certificates, EV certificates are great for Ecommerce sites, or a website accepting sensitive customer data.
SSL Certificates Do Expire
Just like domain names, SSL certificates do expire after a set period of time. Usually that period of time is one year after electing or purchasing the certificate. Also like domain names, users will get several notifications from their web hosting company regarding the upcoming expiration date. If the user doesn’t renew the SSL certificate in time the website will show as insecure. Also, the site will show a message in the browser before loading that the SSL certificate is either expired or doesn’t match what’s on file with the CA.
Customers can purchase multi-year SSL certificates. However, the certificates still usually expire each year, but a new certificate may install automatically until the multi-year duration ends. It depends on the web hosting company, and if the reader has any questions about that procedure I suggest reaching out to technical support for assistance.
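To catch an upcoming expiration without relying on the hosting company’s reminder emails, a site owner can check the certificate’s expiry date directly. The following Python script is an added example, not part of the original guide; the 30-day warning threshold and the sample certificate (hostname shop.example, 90-day lifetime) are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WARNING_DAYS = 30  # assumed threshold; choose one that fits your renewal process

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns,
# so the logic below can be exercised without a network connection.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",  # 90 days after notBefore
}


def days_until_expiry(cert: dict, now: datetime) -> float:
    """Days left before the certificate's notAfter date (negative once expired)."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now.timestamp()) / 86400


def classify(cert: dict, now: datetime) -> str:
    """Return 'expired', 'renew-soon' or 'ok' for a parsed certificate."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days <= RENEW_WARNING_DAYS:
        return "renew-soon"
    return "ok"


def fetch_certificate(hostname: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Fetch the certificate a browser would be shown (needs network access)."""
    context = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_site(hostname: str) -> str:
    """Live check: an expired or mismatched certificate fails the handshake itself."""
    try:
        cert = fetch_certificate(hostname)
    except ssl.SSLCertVerificationError as err:
        # This is the case where visitors see the browser warning page.
        return f"invalid: {err.verify_message}"
    return classify(cert, datetime.now(timezone.utc))


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate at three dates.
    for day in (datetime(2024, 1, 31, tzinfo=timezone.utc),
                datetime(2024, 3, 11, tzinfo=timezone.utc),
                datetime(2024, 4, 1, tzinfo=timezone.utc)):
        print(day.date(), classify(CONSTRUCTED_CERT, day))
```

Calling check_site() with the site’s own domain name from a scheduled job gives an early warning that does not depend on anyone reading their inbox.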
Free SSL Certificates
Many web hosting companies offer free SSL certificates when customers sign up for a web hosting plan. Depending on the company, the free SSL could be for the life of the plan, or only for the first year. Yet, there is a CA offering forever free SSL certificates: Let’s Encrypt.
According to its homepage Let’s Encrypt is a nonprofit CA providing SSL certificates to 300 million websites. The organization receives its funds from major technology companies, which is why it is able to provide forever free SSL certificates. The group’s mission is to secure the Web and provide more privacy to the Web’s users.
Here’s how this service works:
- If the user’s web hosting company already has Let’s Encrypt enabled on the hosting plan then the user has to opt into the service.
- One can check the web hosting companies using Let’s Encrypt here.
- The software installs an SSL certificate onto the website and it’s valid for 90 days.
- Every 90 days the software renews the certificate automatically.
Now, if the user’s web hosting company doesn’t have Let’s Encrypt enabled on the hosting plan the user may be able to install it if the user has root access on the server. If that’s not the case then that person can’t use Let’s Encrypt.
This service is good for personal blogs or simple websites as this CA can only issue DV certificates. And the service has no plans to offer OV or EV certificates.
Non-Free SSL Certificates
The reader can purchase SSL certificates from their web hosting company, but they can also purchase them directly from the CA. Which option is best? I suggest purchasing the certificate from the web hosting company if possible for the following reasons:
- Easier installation procedure.
- Certificate Authority certificates are more expensive.
ComodoCA is the largest Certificate Authority in the world, as 36% of Fortune 1000 companies purchase their SSL certificates from it. The CA sells all three types of certificates and provides the following:
- 24/7 customer service.
- 30-day money back guarantee.
- $1,000,000 warranty.
- Trusted seal to put on the website.
With all these benefits comes a hefty price tag. An OV SSL certificate for a single domain costs $179 per year. Yet, on Namecheap (the web hosting company I personally use) I can purchase a similar certificate for $79 per year. The only difference is the warranty, which is $250,000 instead of $1,000,000.
How To Install The SSL Certificate
Once the individual has the proper SSL certificate for their site, the next move is to install it. The procedure for this action depends on whether the user bought the certificate from their web hosting company or from an outside CA.
If it’s the former then the person should follow the instructions from their web hosting company. Those instructions are usually available on the hosting company’s Help Page or their Knowledge Base. Sometimes those instructions also come via email. Finally, some web hosting companies will automatically install the SSL certificate so the user doesn’t have to do anything.
If the person bought the certificate from an outside CA usually the CA will provide some basic instructions on how to install it. However, it’s best to check with the web hosting company for the proper installation procedure.
Secure The WordPress Installation
With the domain name, web hosting, and SSL certificate in hand, now it’s time to secure WordPress from bad actors like hackers. Unfortunately, it’s too easy for beginners to install WordPress using its default settings, which can leave it vulnerable to a security breach. In this section I will explain how to avoid using the default settings, and the available options to secure the WordPress installation.
Security Starts At The Web Hosting Company
The first place everyone should start when it comes to protecting their website is securing their web hosting account. If hackers are able to get control over it, they can do all types of damage:
- Delete the website.
- Hold the website for ransom.
- Use the account to make additional purchases.
- Send spam mail.
- Use the server to attack other websites.
So how can users protect their web hosting account? Here are a few options:
- Use an original password.
- Enable Two-Factor Authentication (2FA)
- Enable Security Alerts
- Keep the number of admins to a minimum.
How To Develop An Original Password
An original password is one a person hasn’t used on any website. Reusing a password lowers security because hackers have access to password lists from previous security breaches. They try these credentials at other websites hoping to get access to the account there. Unfortunately, they are able to because too many people reuse the same username and password.
A great way to develop an original password is to use a password manager. I use 1Password, which not only saves and manages my passwords, but also generates an original password at the click of a button. While I highly recommend 1Password I understand that some people may not have the money to purchase it. In that case I suggest using Bitwarden as it’s free.
Enable Two-Factor Authentication (2FA)
The web hosting company should have the ability to enable two-factor authentication (2FA) on the account. This adds another layer of protection because if a hacker happens to steal the user’s credentials, that hacker wouldn’t be able to log into the account because 2FA requires a code. And that code changes constantly. There are several types of 2FA methods like the following:
Let’s review the pros and cons of each 2FA method.
SMS Text Message
SMS text message is commonly used by many companies because it works on both dumb and smart phones. Plus, SMS doesn’t require a data plan, which helps individuals with limited income who may only have a text-and-talk cell phone plan. Unfortunately, SMS text message is a basic form of 2FA protection and SIM swapping can defeat it.
SIM swapping is when a fraudster contacts a mobile phone company pretending to be the customer. The criminal hopes to trick the phone representative into activating a SIM card the fraudster has. If that happens then the bad actor has access to the customer’s phone number, and all phone calls and texts come to the fraudster’s phone, including any 2FA SMS text messages.
With that information the bad actor can successfully log into the customer’s account on a particular website. A good way to protect against SIM swapping is to place a pin code on file with the mobile phone provider. If any major changes must happen to the account, the representative will need the pin code to proceed.
I recommend only using SMS text message as a 2FA method if there is no other option available.
A better option than using text messages is an authentication program like Authy or Google Authenticator. Both are free apps for iOS or Android. Once a person enables and configures the app on their account, that person will have to provide the code displayed in the app to successfully log in. That code constantly changes, however. That way bad actors can’t look over someone’s shoulder and grab the code that way.
While I do use authentication programs myself, they are vulnerable to SIM swapping just like SMS text messages. Yet, I recommend people use them because Authy and Google Authenticator work well.
The best 2FA protection is a security key. Two popular brands are YubiKey and Titan Security Key. Usually large corporations invest in security keys because they offer the best protection. However, they aren’t so expensive that regular people or small business owners can’t afford them. The YubiKey starts at $25 and the Titan Security Key starts at $30. While some people say you can’t put a price on security, it’s also true that money is finite. So it’s always best to choose the best return on investment. And a security key does just that.
The only downside to these, however, is that some web hosting companies may not offer the ability for their customers to register a security key to their account. It’s best to check before purchasing one.
Enable Security Alerts
Some web hosting providers offer the ability for their customers to create security alerts when a certain action happens. When one of those actions occurs the customer will get an email detailing what happened. I have this enabled on my web hosting account to receive an email whenever one of the following happens:
- I log into my account, change my password, or request a password reset.
- My primary email or physical address changes.
- I make changes to my Whois contacts or DNS host records.
Creating security alerts helps secure web hosting accounts because hackers are going to change the password and the email address. They may also change the physical address to cement their control. Thus, if the user has alerts enabled they will get an email no matter if they made those changes or not. If the case is the latter, then those users know something bad happened and can jump into action to resolve the issue.
Keep The Number Of Admins To A Minimum
The final security move to protect the web hosting account is to keep the number of admins to a minimum. Administrators have full access to the hosting account, which allows them to do everything from making additional purchases to deleting websites. That’s why bad actors seek to hack those accounts. Yet, when I provided web hosting technical support I would see business owners create admin accounts for their Web Developer all the time.
Instead of creating additional admin accounts business owners should create the least privileged account needed for a person to accomplish their task. To determine what role to give to that account I suggest also checking with technical support. Those representatives will help determine the proper role given the requirements, while helping to keep the web hosting account secure.
Lastly, never allow multiple people to use one account. This doesn’t allow for accountability, which can become an issue if there is a security breach in the future.
Security Ends At The WordPress Installation
Security on the website’s WordPress installation requires additional steps outside of securing the web hosting account. Users should complete some of these steps while installing WordPress onto their website, while others can be done after installation. However, I suggest not delaying the additional security features. Here are the actions to take:
- Avoid use of the default admin credentials.
- Install a Web Application Firewall (WAF) and enable 2FA.
- Change the default WordPress login website address.
- Enable admin account login email notifications.
Avoid Use Of The Default Admin Credentials
This step to secure WordPress must be done while installing WordPress onto the website because that is the only opportunity to avoid using the default admin username.
Like many software applications, WordPress provides users with a default user name for easy login access. That default username is “admin.” While this improves the ease of use, it also creates a security issue because hackers already know many users choose the “admin” username.
Instead of using “admin” the user should delete it from the text box and type in a new username. Do not use one of the following:
These are well known to hackers too. So what username can an individual use instead? Here are some options I recommend:
- A combination of the person’s first and last name.
- The person’s nickname.
- A person’s name and title.
Install a Web Application Firewall (WAF) & Enable 2FA
This step to secure WordPress can be done after installing WordPress, or during the installation process. The latter can be done with some Automated Installation scripts that allow plugin installation.
A Web Application Firewall (WAF) is software that protects a website from malicious traffic by filtering those requests. One I use and recommend is Wordfence. The plugin has a Free and a Premium version. The major difference between the two is the Premium version provides priority technical support and the latest malware protection updates. The Free version receives those updates after 30 days. Yet, that delay shouldn’t keep users from installing the plugin. However, if the website handles sensitive data I recommend purchasing Wordfence Premium.
Now Wordfence isn’t just a WAF. It provides a malware scanner and login brute force protection to name a couple of features. Finally, the plugin provides 2FA. And users should enable that feature immediately.
Change The Default WordPress Login Website Address
This step to secure WordPress should be done after installing WordPress. Just like the default “admin” username, the software has a default login website address: wp-login.php. One can also use the “/wp-admin/” address to log in.
I suggest not using these addresses because hackers know about them and will try to hack into the site via brute force. I use a plugin (Change wp-admin login) to change the login address to one only I know. The plugin also has a setting to choose what happens when a person accesses the default login website address. I configured the setting to send the visitor to my website’s homepage.
Enable Admin Account Login Email Notifications
This step to secure WordPress can be done after installing WordPress and Wordfence. There is a setting in the Wordfence plugin that allows for email notifications when certain users log into WordPress. By default it does so for the Admin role. The email notifications will contain the following information:
- The website’s name.
- Date and time of the login.
- The account’s username.
- IP address of the user.
- The user’s ISP hostname.
- The user’s location.
If any of the information in the email appears suspicious the owner can take action immediately. For added security one can enable a setting in Wordfence to receive email notifications whenever someone unsuccessfully logs in. If the site’s owner receives many notifications about unsuccessful logins in a short period of time that means a bad actor is currently attacking the site. From there the owner can take decisive action.
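The same "many unsuccessful logins in a short period" signal can be read from the web server’s access log. The script below is an added example, not part of the original guide or of Wordfence. It assumes the Apache/Nginx combined log format, assumes a failed WordPress login shows up as a POST to /wp-login.php answered with status 200 (a successful one is redirected with 302), and uses constructed log lines with documentation-range IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (combined log format); not from a real site.
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2024:09:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4512 "-" "-"
198.51.100.20 - - [12/Mar/2024:09:14:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4698 "-" "-"
198.51.100.20 - - [12/Mar/2024:09:14:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
203.0.113.7 - - [12/Mar/2024:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4698 "-" "-"
203.0.113.7 - - [12/Mar/2024:09:20:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4698 "-" "-"
203.0.113.7 - - [12/Mar/2024:09:20:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4698 "-" "-"
203.0.113.7 - - [12/Mar/2024:09:20:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4698 "-" "-"
203.0.113.7 - - [12/Mar/2024:09:20:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4698 "-" "-"
203.0.113.7 - - [12/Mar/2024:09:20:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4698 "-" "-"
this line is not in the expected format
203.0.113.7 - - [12/Mar/2024:09:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4698 "-" "-"
""".splitlines()

LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(line: str):
    """Return (ip, time, method, path, status) or None for an unparseable line."""
    match = LOG_LINE.match(line)
    if match is None:
        return None
    when = datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = match["path"].split("?", 1)[0]        # ignore any query string
    return match["ip"], when, match["method"], path, int(match["status"])


def find_bursts(lines, threshold: int = 5,
                window: timedelta = timedelta(seconds=60)) -> dict:
    """Map each IP to its largest count of failed logins inside one window.

    Only IPs that reach `threshold` failures within `window` are returned.
    Lines are assumed to be in chronological order, as in a normal log file.
    """
    recent = defaultdict(deque)                  # ip -> times of recent failures
    flagged = {}
    for line in lines:
        record = parse(line)
        if record is None:
            continue                             # skip malformed lines
        ip, when, method, path, status = record
        if method != "POST" or path != "/wp-login.php" or status != 200:
            continue                             # not a failed login attempt
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:          # drop attempts outside the window
            times.popleft()
        if len(times) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(times))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60 seconds")
```

The single mistyped password from 198.51.100.20 is not reported, while the six rapid failures from 203.0.113.7 are.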
Manage User Roles Properly
WordPress has “Roles” built into the software that allows owners to control what some users can and cannot do. If a site has multiple users logging into the WordPress website to work Roles are incredibly important because depending on the user’s role that individual could write blog posts, moderate comments, or install updates. In short, if you give a specific user too much control that user could use it to create havoc.
WordPress has six pre-defined Roles:
- Super Admin
By default, the new user role is set to Subscriber. This allows the user to access the WordPress dashboard to view their user profile. To learn about the differences in each role review the official WordPress documentation here.
Unsure owners should give a user the least powerful role, as it can be changed (upgraded) later.
Create A Staging Site
With WordPress installed and secured it’s almost time to build the website. I know, I know, many people are ready to start at this point in the guide. Yet, there’s one more step to do before actually developing the website: Create a staging site first.
What Is A Staging Site?
A staging site, sometimes called a staging environment, is a separate website that allows for the following:
- Build the draft version of the website.
- Test out WordPress plugin updates.
- Redesign the website.
This all happens outside of the public’s view because the staging site is not public. It is a private site that only the owner and specific individuals have access to, like a Web Developer or the Web Designer. And this is the perfect option for those individuals to build and design the website.
I use a staging site for my Ecommerce store to test out plugin updates that could possibly break the live (or production) version of my site. This way if I discover a particular plugin does cause problems on the store, I know not to apply them to the live version of my website. Instead, I can roll back those changes (if possible) and wait for the plugin to receive a new update. Users must be careful not to break the live version of their sites because that will cost them time and money to fix.
Finally, a staging site is the best option when it comes time to redesign the website. When I changed the layout and the look of my Ecommerce store I did so outside the public’s view on a staging site. That allowed me to try different themes and ideas without affecting my live site. Thus, I continued to sell product to my customers.
How To Create A Staging Site
This part of the step is probably the most difficult because there are many ways to create a staging site:
- Using the web hosting company’s procedure.
- Using a WordPress Automated Installation script.
- Installing a WordPress plugin.
- Creating the staging site manually.
Let’s review those options in more detail.
Using The Web Hosting Company’s Procedure
Some web hosting companies have a procedure in place to create a staging site. Users can either search the Help Section at their hosting company for the instructions, or contact the hosting company’s technical support for assistance.
Doing a quick search through Google I came across the procedure from popular web hosting companies:
If the hosting company doesn’t have a procedure in place try the next option.
Using A WordPress Automated Installation Script
This option is available to use if the person used one of the Automated Installation scripts to install WordPress through the control panel (either Plesk or cPanel). There are various types of scripts available depending on the web hosting company. Here’s a collection of the most popular ones:
Unfortunately, if one chooses to use WP Toolkit it requires a possibly paid upgrade to create a staging site. I say “possibly paid” because it depends on the control panel and the web hosting company. From my experience web hosting companies install the free version of the script. It’s up to the user to pay for the upgraded version for the additional features.
Yet, for Softaculous it doesn’t require a paid upgrade. I use Softaculous to create staging sites because I chose cPanel when I purchased my hosting packages.
If this method isn’t going to work then let’s try the next option.
Installing A WordPress Plugin
Unfortunately, I don’t know much about this option because I never had to use a WordPress plugin to create a staging site. Upon researching this topic, however, I found this article from BlogVault providing the six best plugins.
Creating The Staging Site Manually
Creating a staging site manually isn’t a topic for beginners so I won’t cover it in this guide.
Build The Website
With the staging site ready to go the time to build the website is now! In this chapter I will explain how to build the site using a website-builder plugin, where to find a template fitting the business website’s industry, and what WordPress plugins to install to make the site successful!
Start With A Website Builder Plugin
Just a few years ago I was against website builder plugins. I thought using those to build a WordPress site was lazy because the software gave one all the tools to develop a site. I was wrong.
Using a website builder plugin improves upon the power within the WordPress code. It allows me and other individuals to create beautiful and sleek pages that rival sites built by major companies. And we didn’t have to spend thousands of dollars on our websites unlike those major companies. Finally, we don’t need to modify the core WordPress code, which means we don’t need to know how to write PHP (the programming language powering WordPress).
With that said: What website builders do I recommend? These two:
Let’s review these two in more detail below.
Elementor states on its homepage it is the number one website builder for WordPress. The plugin allows for full website editing through drag-and-drop functionality. The company even provides website hosting now but I’m not going to discuss that service. My focus is only on their website building plugin.
Elementor comes in a Free and Pro version. I suggest trying out the Free version before paying for the Pro version to get the feel of the platform. I do use Elementor Pro because the Free version is quite limited. It’s great for a simple blog, simple small business, or a resume website. Yet, if a person needs an Ecommerce store or a site selling memberships/subscriptions then the Pro version is the way to go.
The plugin makes website creation easy because it offers layouts and designs for various types of business industries and/or services. After applying one of those designs, all the user has to do is add their content, images, and media.
The biggest downside to Elementor is its learning curve. Actually, that’s the biggest downside to any website builder plugin. The best way to learn Elementor is to go through Elementor Academy. It’s a series of videos divided up by topic teaching users how to build a website or add a popup step-by-step. I used these videos myself to learn how to use the plugin’s features, and I highly recommend them to beginners.
Divi states on its homepage it takes WordPress to another level. Like Elementor, Divi allows for full website editing through a visual editor, and it provides website hosting services. Again, I will only focus on the plugin.
Divi comes in a Free and Non-Free version. I suggest starting with the Free version to learn how the platform works, and then paying to upgrade. Just like with Elementor, Divi’s Free version limits what features the user can access. Once a person decides to upgrade, Divi does offer a one-time fee for lifetime access. This will save a business owner money because there’s no need to pay a yearly fee to continue to receive updates or technical support.
Divi offers various layouts and designs for different business types and/or services. Installing one of those layouts is easy. Afterwards, all the user has to do is add their content, images, and media.
Like Elementor, a big downside to Divi is its learning curve. I suggest watching the videos for the different topics on the company’s Documentation page to build the website. Especially since Divi includes their own theme and modules one can elect to use.
Choose A Template For The Site
Each of the website builder plugins comes with its own theme. Elementor has the Hello Theme, and Divi has the Divi Theme. These themes work best with their specific plugin because they integrate perfectly with the visual design editor.
Now, what business owners can choose from is a collection of templates, or the layout and design. Both building platforms have templates for all types of services, from Photography to Law Firm. There are also templates for Ecommerce sites. I suggest going this route because a template includes the following:
- The pages one includes normally with a website.
  - About The Company page
  - Contact The Company page
  - Help page
- A complete layout with images and text placeholders.
All the user has to do is modify the image and text placeholders with their content. Finally, if the template the user chooses doesn’t work out it’s not difficult to delete the pages and choose another to install. I went through a few templates before I found one that fit my needs.
Build The Website & Install The WordPress Plugins
WordPress’ functionality is good right after installation but it improves dramatically after installing particular plugins. There are thousands of plugins available. Basically, whatever you want to do with a WordPress site there is probably a plugin ready to accomplish that. Yet, that plugin may or may not be the best one for that task. Which is why I will provide the must-have plugins for every business website. I will provide a suggestion for the following categories:
- Contact Form
- Website Analytics
The comment system built into WordPress is basic, doesn’t offer any spam protection, and doesn’t integrate with any social media account. Thus, it’s pointless. Since comments and/or discussions are crucial for some business websites I suggest installing the wpDiscuz plugin.
I use this plugin on all of my sites. It has spam protection, users from various social media accounts can log in with those accounts to leave a comment, and commenters can upvote or downvote responses.
The developers state on the plugin’s homepage that wpDiscuz is the #1 WordPress comment plugin. It has a large install base (over 90,000) and is highly rated. In addition, the plugin provides simple commenter engagement features and looks pretty snazzy.
This plugin provides 100 core features for free. However there are additional extensions at a cost to extend the software’s functionality. Although I continue to use the free version, the bundle price is a great way to get all the additional features for a good price.
The contact form plugin I use and recommend is WPForms. Over six million sites use this plugin with its templates to create a contact form or a survey. The plugin uses a visual editor with a drag-and-drop feature.
Although the Free version of the plugin will work for some, others may want the additional features and will have to spend the money to get them. Especially if those individuals would like to accept payments in their forms using WPForms.
The main plugin to build a full-fledged Ecommerce store is WooCommerce. This is the plugin I use to run my online store, Let’s All Meat. And WooCommerce can create just about any online store.
WooCommerce is free to download and it comes with the Storefront theme. However, like other plugins I discussed in this section, users will find themselves wanting the additional features of the non-free version of the plugin. For those using the Storefront theme I suggest purchasing the Storefront Extensions Bundle. That bundle allows users to customize the theme without any coding knowledge.
When it comes to marketing there are many plugins to choose from. Most, if not all, business websites are going to do some type of email marketing so downloading the Mailchimp plugin is one option. I know other owners who use HubSpot and there is a plugin for that service.
There are social media plugins to either connect the business’ social media accounts to the website, or show updates from those accounts on the website. There are plugins for the various popular social media platforms available to install.
I’ll keep this short and simple: Install Yoast SEO. It’s the most popular SEO plugin and it’s easy to configure and use. I use the Free version and it works for me. However, if one really wants to make sure their site’s SEO is top-notch then purchase the Pro version.
And I’ll keep this short and simple: Install Site Kit by Google. It connects to Search Console, Analytics, PageSpeed Insights, and AdSense.
Test & Publish The Website
After building the website it’s time to test it. There are a few tests to run to make sure of the following:
- Functionality: Do the links work? Does the contact form work?
- Responsiveness: Does the website display properly on desktop and mobile devices?
- Performance: Does the website load fast or slow?
I’ll explain how individuals can accomplish each test successfully.
Testing the functionality of a website requires going through every part of the site to make sure it works properly. To make sure a person doesn’t miss anything, I suggest using a “Website Launch Checklist.” WebsiteSetup has a thirty-step checklist here, while HubSpot has an eighty-step checklist here. Don’t rush through the checklists, and note anything that doesn’t work properly or any typos.
This test is to verify the website displays properly on multiple types of devices. Back before smartphones were a thing, individuals built websites to fit a computer monitor’s screen. Yet, as smartphones became more and more popular, website layout had to adapt. It needed to shift its layout automatically depending on the device screen size. That’s where responsiveness came in.
While WordPress and its website builder plugins include responsiveness in their themes and templates by default, it’s always best to check to make sure responsiveness works properly. One can do this manually by using various mobile devices, tablets, laptops, and desktops to check the site. Or use a responsiveness test website to perform those checks:
This final test verifies if the site loads fast or slow. Everyone wants their site to load fast because slow sites cause visitors to bail. And that will cost the owner money. There are several websites one can use to test website performance:
These sites will note what’s causing the site to be slow, and possible resolutions. Fix whatever is slowing down the website and then test the performance again.
Publish The Website
With the testing finished, and the website working correctly and loading fast, it’s time to push the staging site to the live site. To do this follow the instructions from the web hosting company, the automated installation script, or the WordPress plugin.