PCI Compliant Web Hosting and Managed Service Provider
Hosting Solutions since 1995

Why installing WordPress manually is more secure

Published: Mar 19, 2012; Category: Managed Hosting, Security, Small Business, WordPress; 2 Comments

Have you ever watched Restaurant Impossible or Kitchen Nightmares?

Were you shocked to see some chefs merely reheating food in a microwave, using canned soup and other prepackaged or precooked items, rather than being chefs — cooking with fresh ingredients and making meals from scratch?

A lot of the excuses from the owners, managers, and chefs focused around saving time, and what amounted to being penny wise and dollar foolish.

I guess after seeing those shows, I shouldn’t be surprised by how many WordPress users want a control panel or means to auto install WordPress for them in the fewest clicks possible with one click being optimal.

What’s wrong with an automated installation of WordPress?

Strong security starts with the foundation. Would you build your home on quicksand? Hopefully, you are answering with a resounding NO!

There are several areas of the WordPress installation that most automated tools do not cover adequately. Those areas are as follows:

  • MySQL database password. Is the password at least 12 characters long, alphanumeric, and made up of uppercase and lowercase letters that do not form a dictionary word in any language?
  • WordPress MySQL database table prefix – are you using the widely known default of “wp_”, or are you going to change it to something more secure, known only to parties you authorize?
  • PHP error logging — is it set up and enabled?
  • Temporary directory for PHP sessions — WP_TEMP_DIR — do you have it specified in your wp-config.php file, and does it have the correct permissions?
  • Do you salt your cookies with keys from https://api.wordpress.org/secret-key/1.1/salt/ in the wp-config.php file?
  • Does your .htaccess file contain security measures as recommended by the Hardening WordPress Codex?
  • Are you using the default “admin” user that hackers know is the most likely user id for WordPress dashboards?
  • Is your admin password at least 12 characters long, alphanumeric, and made up of uppercase and lowercase letters that do not form a dictionary word in any language?

Automated installation systems typically do not give you control over setting a secure MySQL database password. Most do not turn on PHP error logging, most may not set up the proper temporary directory for PHP sessions, and most use a stock .htaccess file, if they create one at all. Some may use salts and others may not, and so on.
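The wp-config.php items in the checklist above can be verified mechanically after any install, automated or manual. The Python audit below is an added example, not code from the original post or from WordPress; the sample config, function names and finding names are constructed for illustration. It covers only what is visible in wp-config.php, so the dictionary-word test, PHP error logging, .htaccess and admin-account items are outside its scope.

```python
import re

# Constructed sample of what a one-click installer might leave behind.
SAMPLE_WP_CONFIG = r"""<?php
define('DB_NAME', 'blog');
define('DB_PASSWORD', 'wordpress1');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
"""

SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # text shipped in wp-config-sample.php

def parse_defines(text):
    """Return {NAME: value} for define('NAME', 'literal') statements.
    Simplification: comments are not stripped and escaped quotes are not handled."""
    pat = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)""")
    return {m.group(1): m.group(3) for m in pat.finditer(text)}

def weak_password(pw):
    """Page's rule minus the dictionary check: 12+ chars, upper, lower, digit."""
    return (len(pw) < 12 or not re.search(r"[a-z]", pw)
            or not re.search(r"[A-Z]", pw) or not re.search(r"\d", pw))

def audit(text):
    """Return sorted finding ids (names are this example's own)."""
    defines = parse_defines(text)
    findings = set()
    if weak_password(defines.get("DB_PASSWORD", "")):
        findings.add("weak-db-password")
    prefix = re.search(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""", text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.add("default-table-prefix")
    # WP_TEMP_DIR is often built from an expression, so test for presence only.
    if not re.search(r"""define\(\s*['"]WP_TEMP_DIR['"]""", text):
        findings.add("no-wp-temp-dir")
    salts = [defines.get(k, "") for k in SALT_KEYS]
    if any(s in ("", PLACEHOLDER) for s in salts) or len(set(salts)) < len(salts):
        findings.add("missing-or-placeholder-salts")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_CONFIG):
        print("FAIL", finding)
```

An empty list from `audit()` means none of these four items was flagged; it says nothing about directory permissions or the checklist items the script does not read.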

I don’t know about you, but I want to know about the material going into the foundation of a site or blog I’m going to be working on and maintaining.

If you want the best foundation for your WordPress site or blog, be sure to take the time to do it correctly and securely.

Managed hosting customers of Dynamic Net, Inc. can ask our support department to manually install WordPress for them at no charge.

Contact us if you have any questions.

Peter Abraham
Former CEO of Dynamic Net, Inc. Will be transitioning to a new career in the near future.

2 Responses to “Why installing WordPress manually is more secure”

  1. Total Bounty says:

    I actually agree with what you said about installing WordPress manually and doing all these username and password change/customization things. Quick install can save you a lot of time, especially if you’re a web developer trying to set up your clients’ account, but you’d later realize that going manual can save your client in terms of getting hacked into, especially when the site goes live and open to the public to see.

    – Jules Mariano of Total Bounty
