17 Aug 2016
WordPress Installation Security
If you haven’t read my first post in this series, The Basics of WordPress Security, read it now then come back here.
The second line of defense is your installation of WordPress. I’ll get into the nitty-gritty of the installation in this post. You all know about those easy-to-use install services on your hosting platform for installing WordPress. Where you put in the directory, the name of the site, the username and password, and you’re done under five minutes. Those services, if used, are not providing you with a secure install. They are not using multiple passwords for all doors, they are leaving some settings insecure. Most WordPress installs are found in the root, the public folder, instead of in a nondescript subfolder.
I learned first about using a nondescript subfolder for WordPress installs from Digging Into WordPress’ ebook. And most recently it was reinforced after listening to a security podcast on WordPress Chick. There are three benefits to this method that come to mind now. The first, I generate the folder names like passwords. The second, the WordPress files are not mixed in with any root files. The third, when my clients followed all security recommendations that I put in place not one of them were hacked.
If you fix broken WordPress sites and always backup your work to recover from a user glitch or a hack, then the five-minute installation is for you. If you’re just getting started or you’ve been installing Content Management System (CMS, WordPress is one) for a long time, I encourage you to put this method into practice if you want an edge to knowing that all your bases are covered. In a way you are employing yourself as the security guard of the house and the first thing a guard does before acting as an external visible protection is to go throughout and make sure all the doors are locked and windows are secured. Then if and when something bad does happen, they know full well what was secured, what needs to be re-checked and where the problem exists.
Before these steps, make sure that your operating system (Windows, Linux, or macOS) is completely free of viruses, trojans and malware. Now here are the steps to a secure install. First, generate a STRONG password with a minimum of 16 characters and the first character starts with a letter; you’ll use this for the folder that contains WordPress within the public_html or root folder on your server. Secondly, create the database for WordPress manually or with the cPanel wizard and enter in the database name, user and password as randomly generated STRONG passwords all starting with a letter and minimum of 20 characters. Third, download the ZIP from WordPress.org and unzip it, then move all its contents to your server’s custom folder. Fourth, in the wp-config.php file, add the generated SALT from the provided link, change the database prefix from wp_ to a few letters and numbers (no spaces), followed by an underscore that has no association to your website’s purpose or name. Then add in your database credentials and save the file. Next you’ll visit yourdomain.com/custom-folder/wp-admin/install.php and follow the steps to set up the site and create your administrator account. Here too, you will create a new combination of alphanumeric characters and some symbols with the exception of the ampersand and question mark for your username and another STRONG password. Make sure to save all these creations in a secure location such as a password manager that is encrypted and elsewhere in at least locations separate from your computer where they are offsite and local. Keep a backup of the wp-config.php file too.
If you need help with your WordPress sites, I’m available for hire.