Why installing WordPress manually is more secure

Have you ever watched Restaurant Impossible or Kitchen Nightmares?

Were you shocked to see some chefs merely reheating food in a microwave, using canned soup and other prepackaged or precooked items, rather than being chefs — cooking with fresh ingredients and making meals from scratch?

Many of the excuses from the owners, managers, and chefs centered on saving time, which amounted to being penny wise and dollar foolish.

I guess after seeing those shows, I shouldn’t be surprised by how many WordPress users want a control panel or some other means to auto-install WordPress for them in the fewest clicks possible, with one click being optimal.

What’s wrong with an automated installation of WordPress?

 

Strong security starts with the foundation.  Would you build your home on quicksand?  Hopefully, you are answering with a resounding, NO!

 

There are several areas of the WordPress installation that most automated tools do not cover adequately.  Those areas are as follows:

 

  • MySQL database password.  Is the password at least 12 characters long, alphanumeric, and made up of uppercase and lowercase letters whose combination does not form any dictionary word in any language?
  • WordPress MySQL database table prefix – are you using the widely known default of “wp_” or are you going to change it to something more secure, known only to parties you authorize?
  • PHP error logging — is it set up and enabled?
  • Temporary directory for PHP sessions — WP_TEMP_DIR — do you have it specified in your wp-config.php file and does it have the correct permissions?
  • Do you salt your cookies with https://api.wordpress.org/secret-key/1.1/salt/ in the wp-config.php file?
  • Does your .htaccess file contain security measures as recommended by the Hardening WordPress Codex?
  • Are you using the default “admin” user that hackers know is the most likely user id for WordPress dashboards?
  • Is your admin password at least 12 characters long, alphanumeric, and made up of uppercase and lowercase letters whose combination does not form any dictionary word in any language?

 

Automated installation systems typically do not give you control over setting a secure MySQL database password. Most do not turn on PHP error logging, most may not set up the proper temporary directory for PHP sessions, most use a stock .htaccess file if they create one at all, some may use salts and others may not, and so on.
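The wp-config.php items on the checklist above can be checked mechanically after any install. The following Python sketch is an added example, not part of the original post: the function names are hypothetical, the sample configuration is constructed, and the password check covers only the length and character-class parts of the rule.

```python
import re

# Constructed sample wp-config.php, as a one-click installer might leave it.
SAMPLE_CONFIG = r"""<?php
define( 'DB_PASSWORD', 'sunshine1' );
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
"""

SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # text shipped in wp-config-sample.php

def get_define(config, name):
    """Return the quoted string value of define('NAME', '...'), or None."""
    pat = r"define\(\s*['\"]%s['\"]\s*,\s*(['\"])(.*?)\1\s*\)" % re.escape(name)
    m = re.search(pat, config)
    return m.group(2) if m else None

def weak_password(pw):
    """Checklist rule: 12+ characters with uppercase, lowercase and digits.
    The dictionary-word part of the rule is not checked here."""
    return (pw is None or len(pw) < 12 or not re.search(r"[a-z]", pw)
            or not re.search(r"[A-Z]", pw) or not re.search(r"\d", pw))

def audit(config):
    """Return a list of checklist findings for the given wp-config.php text."""
    findings = []
    if weak_password(get_define(config, "DB_PASSWORD")):
        findings.append("DB_PASSWORD is missing or too weak")
    m = re.search(r"\$table_prefix\s*=\s*['\"](.*?)['\"]", config)
    if not m or m.group(1) == "wp_":
        findings.append("table prefix is missing or the default wp_")
    bad = [k for k in SALT_KEYS if get_define(config, k) in (None, PLACEHOLDER)]
    if bad:
        findings.append("salts missing or placeholder: " + ", ".join(bad))
    # WP_TEMP_DIR is often built from an expression, so only test for presence.
    if not re.search(r"define\(\s*['\"]WP_TEMP_DIR['\"]", config):
        findings.append("WP_TEMP_DIR is not defined")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("[!]", finding)
```

The directory permissions, PHP error logging, .htaccess rules and the dashboard admin account live outside wp-config.php and still need to be checked by hand.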

I don’t know about you, but I want to know about the material going into the foundation of a site or blog I’m going to be working on and maintaining.

If you want the best foundation for your WordPress site or blog, be sure to take the time to do it correctly and securely.

Managed hosting customers of Dynamic Net, Inc. can ask our support department to manually install WordPress for them at no charge.

Contact us if you have any questions.

About the author: Peter Abraham