Installing WordPress with Security in Mind

[This post is part of the Ultimate Guide to Launching a WordPress-Powered Blog series.]

We have to, of course, start at the beginning and as you all know the beginning is just as important as the end!

Installing WordPress has become incredibly easy – in fact, sometimes I believe it’s become too easy because it creates a “path of least resistance” and doesn’t help educate a new user with all of the other options that exist for installing it to maximize security settings and the like.

But it is what it is, right? I’m very thankful that the installation process for the average user is near-dummy proof, especially if your hosting provider has a 1-click install process! But, you’re not the “average” user, right? (Or you don’t want to stay an “average” user for very long!)

So let’s get started.

A Few More Assumptions:

Sorry! But, to make it to this point I assume that you have the following:

Of course, if you need any other help the WordPress Codex has nearly all the information that you’d ever want! Check it out here.

TentBlogger’s Secure WordPress Install Process:

For the most part I suggest that people follow the famous “5 Minute Installation” process but with a few more steps that I’ve added for security purposes. It is vital that you keep your installation safe and secure from hackers and malicious bots!

There’s no reason not to do this!

Ready? Here we go:

1. Download WordPress:

Download and unzip the WordPress package, if you haven’t already.

2. Upload WordPress to Server:

What you’ll do next is upload the WordPress folder contents to your domain. You can use any tool you’d like to do this (check out the FTP tools I use here).

There are a few things to do here to maximize security though:

  1. Put it in a sub-folder instead of the root directory. Name it something somewhat obscure and unrelated to anything “admin”. For example, you could do something like
  2. Move the index.php and the .htaccess files from the “icecream” folder and into the root.
  3. Open up the index.php file and change the line that says “require('./wp-blog-header.php');” to “require('./icecream/wp-blog-header.php');”
  4. Once you install WordPress, you’ll have to go to the Admin area and change the General Settings so that the “WordPress Address (URL)” points to and the “Blog Address” points to (in this example).
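
The first three steps above can be carried out on a local copy of the site before you upload it. This is an added example, not code from the original post; it assumes the page's sample folder name “icecream” and the require line exactly as quoted in step 3.

```sh
#!/bin/sh
# Added example, not the author's code. "icecream" is the page's sample folder.

# relocate_wp SITE_ROOT SUBDIR
# Expects WordPress unpacked in SITE_ROOT/SUBDIR. Copies index.php up to
# SITE_ROOT with the require line repointed, verifies the edit, then removes
# the original and moves .htaccess (if present). Newer WordPress releases word
# the require line differently; in that case the check fails and nothing moves.
relocate_wp() (
    root=$1 sub=$2
    # The folder name goes into a sed expression and a PHP path: keep it simple.
    case $sub in ''|*[!A-Za-z0-9_-]*) echo "bad folder name" >&2; exit 1 ;; esac
    [ -f "$root/$sub/index.php" ] || { echo "no $sub/index.php" >&2; exit 1; }
    # Never overwrite an index.php that already sits in the web root.
    [ ! -e "$root/index.php" ] || { echo "root index.php exists" >&2; exit 1; }
    sed "s#'\./wp-blog-header\.php'#'./$sub/wp-blog-header.php'#" \
        "$root/$sub/index.php" > "$root/index.php" || exit 1
    grep -qF "require('./$sub/wp-blog-header.php');" "$root/index.php" || {
        rm -f "$root/index.php"; echo "require line not found" >&2; exit 1; }
    rm -f "$root/$sub/index.php"
    [ ! -f "$root/$sub/.htaccess" ] || mv "$root/$sub/.htaccess" "$root/.htaccess"
)

# Demo on a constructed tree; the index.php content is a two-line stand-in.
site=$(mktemp -d)
mkdir "$site/icecream"
printf "<?php\nrequire('./wp-blog-header.php');\n" > "$site/icecream/index.php"
printf "# BEGIN WordPress\n# END WordPress\n" > "$site/icecream/.htaccess"
relocate_wp "$site" icecream && cat "$site/index.php"
rm -rf "$site"
```

Step 4 (the two URL settings) still has to be done in the admin area after the install.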

Check out the following screenshots to see what the above 4 bullet points look like:

Example Secure WordPress File Structure

Expand it and you’ll see that the folder icecream has the WordPress core files (except index.php and .htaccess):

Expanded view

Changing the index.php line:




Finally check the General Settings after you install:

Don't forget to do this step!

As a result of all this you’ll have the most secure folder structure available!

In the above example I’d have to login here now:

Congratulations my friend!

3. Create MySQL Database, Username:

Setting up your MySQL database is entirely dependent on your existing hosting provider. For many it’s a few clicks and you’re done.

Here’s how I do it in MediaTemple (which hosts TentBlogger) as well as Dreamhost (another great and simple hosting provider for new blogs and one that I use for clients):

Media Temple Setup:

Login to MediaTemple:

Heading toward the Control Panel:

Log into Plesk:

Head to the domain that you’re going to install a MySQL database:

Create a new database. Two things to do here to maximize security:

  1. Name it something complex.
  2. Name it something completely unrelated to the domain and URL.

For example, I might name’s MySQL database something like “iL1Xtto723”. Pretty hard to guess, right?

Then we can add a username. Make sure you follow the same convention as above and make it a bit complex and perhaps unrelated. Of course, the caveat is that you might forget your unique username and password, so you’ll have to write them down and store them securely!

If you need a good password get one here.

Now that you’ve created the MySQL database you’ll use this information to install WordPress!


Login to Dreamhost:

Create a new MySQL Hostname for the database:

Create the hostname:

And then you can create the username:

Remember the aforementioned thoughts about the naming conventions for your database and your username/password!

4. Run the WordPress Install Script:

Now just head to where you installed the WordPress files (in this case and walk through the guided instructions.

Then input your “crazy” information:

And then you’re done! Remember that if you’ve installed it in a different folder then it would look like this:


Finally you’ll want to make sure you do two things:

  • Change the Table Prefix to something other than “wp_”, since most hacks will try to attack this prefix because most people never change it from the default.
  • Do not use ‘admin’ as the default username. Change this!
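
Once the install has written wp-config.php, you can check it against the table-prefix bullet above and the database naming advice from step 3. This is an added example, not code from the original post; the site label “tentblogger”, the sample config values and the 8-character minimum are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not the author's code. Config values below are constructed.

# cfg_define FILE NAME: print the value from define('NAME', 'value');
cfg_define() {
    awk -F"['\"]" -v n="$2" '/^[ \t]*define\(/ && $2 == n { print $4; exit }' "$1"
}

# cfg_prefix FILE: print the value assigned to $table_prefix
cfg_prefix() {
    awk -F"['\"]" '/^[ \t]*\$table_prefix/ { print $2; exit }' "$1"
}

# audit_wp_config FILE SITE_LABEL
# Prints one line per finding and returns non-zero if anything was found.
# The 8-character minimum is this example's assumption, not a rule from the page.
audit_wp_config() (
    file=$1
    label=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$label" ] || { echo "usage: audit_wp_config FILE SITE_LABEL" >&2; exit 2; }
    findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }
    prefix=$(cfg_prefix "$file")
    [ -n "$prefix" ] || flag "no \$table_prefix assignment found"
    [ "$prefix" != "wp_" ] || flag "table prefix is still the default wp_"
    for key in DB_NAME DB_USER; do
        val=$(cfg_define "$file" "$key")
        [ "${#val}" -ge 8 ] || flag "$key is shorter than 8 characters"
        case $(printf '%s' "$val" | tr 'A-Z' 'a-z') in
            *"$label"*) flag "$key contains the site name" ;;
        esac
    done
    [ "$findings" -eq 0 ]
)

# Demo on a constructed config that follows none of the advice.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<?php
define('DB_NAME', 'tentblogger_wp');
define('DB_USER', 'tentblogger');
$table_prefix = 'wp_';
EOF
audit_wp_config "$demo" tentblogger || echo "config needs attention"
rm -f "$demo"
```

The WordPress login name from the second bullet is stored in the database rather than in wp-config.php, so this check does not cover it.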


5. Check It Out, Publish Something:

The next step is quite simple – check everything out! Just start clicking around the admin panel after you login and make sure nothing “breaks”. I’ve never had an installation break right out of the box, but you don’t want to be using a broken system, so it’s worth checking things out.

The next step is also quite simple; publish something! Just go to Posts >> Add New and type in a Title, some random copy in the content area, choose (or add) a category, and then hit the big blue “Publish” button! If anything breaks it’ll break here as well.

Sweet! You’ve got a secure installation of WordPress installed and you’re ready to start customizing it for awesomeness!
