I always set a scheduled reload of the remote device just-in-case there's a chance of breaking it (I'm still learning). 10 mins should give you enough time to implement your changes, test it and save it. Depending on the site and how many admins touch the device you could in theory leave your changes unsaved for a few days just to be sure, then get an onsite person to power cycle it if problems occur.
reload in 10
config t
# config the ssid and map it to a vlan, 1 per vlan.
dot11 ssid YOUR_SSID
vlan YOUR_VLAN
authentication open
authentication key-management wpa
wpa-psk ascii 0 YOUR_PASSWORD
# assign encryption to ssid
interface Dot11Radio0
encryption vlan YOUR_VLAN mode ciphers aes-ccm
ssid YOUR_SSID
# config the sub interfaces for dot11 radio and ethernet
interface Dot11Radio0.YOUR_VLAN
encapsulation dot1Q YOUR_VLAN
no ip route-cache
bridge-group YOUR_VLAN
bridge-group YOUR_VLAN subscriber-loop-control
bridge-group YOUR_VLAN block-unknown-source
no bridge-group YOUR_VLAN source-learning
no bridge-group YOUR_VLAN unicast-flooding
bridge-group YOUR_VLAN spanning-disabled
interface FastEthernet0.YOUR_VLAN
encapsulation dot1Q YOUR_VLAN
no ip route-cache
bridge-group YOUR_VLAN
no bridge-group YOUR_VLAN source-learning
bridge-group YOUR_VLAN spanning-disabled
# happy?
reload cancel
# not happy?
wait 10 mins
# want to undo some stuff manually? use the "no" form.
interface Dot11Radio0.YOUR_VLAN
interface FastEthernet0.YOUR_VLAN
# or
no bridge-group YOUR_VLAN subscriber-loop-control
There's great article here that talks about bridge groups and bvi.