How to set up a WordPress site from scratch (the 2026 stack)
The exact hosting, theme, plugin and configuration stack we use for new WordPress builds — chosen for speed, security and minimum maintenance.
WordPress still powers ~43% of the web, but the stack around it has changed dramatically in the last three years. Page builders are out (for serious sites); block themes and the Site Editor are in. PHP 8.3 is the new minimum. Managed hosting has replaced shared hosting for any site that wants to rank.
This guide is opinionated. There are 50,000 themes and 60,000 plugins; we'll pick the ones that work and skip the rest.
- A registered domain
- A budget of ~$25–40/month for managed hosting (worth every cent)
- Basic comfort with admin dashboards (no coding needed)
Hosting: don't cheap out
$3/month shared hosting (Bluehost, Hostgator, HostMonster) is the single biggest reason WordPress sites are slow and get hacked. The 'unlimited everything' tier puts your site on a server with 2,000 other sites, all competing for CPU.
Managed WordPress hosts (Kinsta, WP Engine, Rocket.net, Cloudways) cost $25–50/month and handle: automatic backups, security, PHP version, server-level caching, CDN, and uptime monitoring. The performance and time saved pays for itself within the first month.
The 2026 plugin stack (under 10 plugins)
Every plugin is technical debt — more code, more attack surface, more conflicts. Aim for fewer than 10 plugins on a content site.
Our default: Rank Math (SEO), Wordfence or Solid Security (security if host doesn't include it), WP Rocket (caching, skip if managed host has it), UpdraftPlus (backups, skip if host includes), Contact Form 7 or WPForms Lite (forms), Yoast Duplicate Post (only if you publish a lot), and the theme's required plugins.
Step by step
- 01
Buy a domain at a registrar, not at your host
Use Cloudflare Registrar or Porkbun — at-cost pricing, no upsells, easy DNS management. Your host can technically register domains but lock-in is a hassle when you switch hosts.
- 02
Pick a managed WordPress host
Kinsta and WP Engine for premium sites. Rocket.net for best price/performance. Cloudways for flexibility (you pick the underlying cloud).
- 03
Install WordPress via the host's one-click installer
All managed hosts do this. Pick your domain, admin username (not 'admin'), and a strong password.
- 04
Update WordPress, themes and plugins immediately
A fresh install often has updates pending. Dashboard → Updates → Update All.
- 05
Set permalinks to 'Post name'
Settings → Permalinks → /%postname%/. Default 'plain' URLs (?p=123) are bad for SEO and shareability.
- 06
Pick a block theme
GeneratePress, Kadence, Blocksy, or the default Twenty Twenty-Five. Avoid heavy multipurpose themes (Avada, Divi, BeTheme) — they're slow and tightly coupled to their own page builders.
- 07
Use the Site Editor, not a page builder
Appearance → Editor. The built-in block editor and Site Editor are powerful enough in 2026 to replace Elementor for 95% of sites. Skip page builders unless you have a specific reason.
- 08
Install only the plugins you need (see list above)
Add one at a time. Test the site after each. Plugin conflicts are the #1 cause of mystery WordPress problems.
- 09
Configure Rank Math (or Yoast)
Run the setup wizard. Connect to Search Console. Enable XML sitemaps. Set the default schema type (Article for blogs, LocalBusiness for service businesses).
- 10
Set up daily backups
If your host doesn't include them: UpdraftPlus → Settings → Daily → Send to Google Drive or S3. Off-site backups only — backups on the same server are useless if the server is compromised.
- 11
Enable HTTPS and HSTS
Most managed hosts auto-provision Let's Encrypt SSL. Force HTTPS in Settings → General by setting both URLs to https://. Enable HSTS via your host's dashboard or Cloudflare.
- 12
Submit sitemap to Search Console and Bing
Rank Math generates /sitemap_index.xml. Add the property in both Search Console and Bing Webmaster Tools, verify, submit.
- 13
Set up GA4 and (optionally) Plausible
Site Kit plugin connects GA4 in two clicks. If you want cookie-free analytics, use Plausible or Fathom in parallel.
- 14
Pre-launch checklist
Test forms; check 404 page exists; confirm favicon; preview on mobile; run PageSpeed Insights (target 90+ mobile); test signup/contact funnel end-to-end.
Key takeaways
- Managed hosting is the single highest-leverage decision. Don't use $3/month shared hosting for a real site.
- Under 10 plugins. Every plugin is technical debt.
- Block themes + Site Editor have replaced page builders for most use cases.
- Daily off-site backups, HTTPS, and security are non-negotiable.
- WordPress in 2026 is excellent if configured right, miserable if configured wrong.
Troubleshooting
Frequently asked questions
+WordPress.com vs WordPress.org?
WordPress.org is the open-source software you install on your own hosting — full control. WordPress.com is a hosted SaaS by Automattic — easier but more restricted (plugins/themes only on Business plan and above). For serious sites, .org is almost always the right choice.
+Do I need Elementor or Divi in 2026?
No. The Gutenberg block editor and Site Editor have matched 95% of page-builder functionality, without the performance penalty. Use page builders only for sites that already have them and you're not rebuilding.
+Can I move from Wix/Squarespace to WordPress?
Yes. Squarespace exports to WordPress XML format directly. Wix requires a third-party importer (CMS2CMS or manual). Designs don't migrate — you rebuild the visuals.
+What about headless WordPress?
Use it only if you have a developer team and a specific reason (custom frontend in React/Next, multi-channel publishing). For a marketing site, vanilla WordPress with a good theme is faster to launch and cheaper to maintain.
+Is WordPress secure?
WordPress core is secure. WordPress sites get hacked because of: outdated plugins, weak passwords, no 2FA, cheap shared hosting. A managed host + Wordfence + 2FA + monthly updates eliminates 99% of real-world risk.
We build sites on Squarespace, Wix, WordPress, Shopify, Webflow and Framer — from blank canvas to live domain.
Book a website call