[This post is part of the Ultimate Guide to Launching a WordPress-Powered Blog series.]
We have to, of course, start at the beginning and as you all know the beginning is just as important as the end!
Installing WordPress has become incredibly easy – in fact, sometimes I believe it’s become too easy because it creates a “path of least resistance” and doesn’t help educate a new user with all of the other options that exist for installing it to maximize security settings and the like.
But it is what it is, right? I’m very thankful that the installation process for the average user is near dummy-proof, especially if your hosting provider has a 1-click install process! But you’re not the “average” user, right? (Or you don’t want to stay an “average” user for very long!)
So let’s get started.
A Few More Assumptions:
Sorry! But, to make it to this point I assume that you have the following:
- A Domain Name (Do you have the very “best” domain name? Some things to consider when picking the best domain name here.)
- A Hosting Provider
- Access to the Server via FTP (Check out the tools that I use here!)
Of course, if you need any other help the WordPress Codex has nearly all the information that you’d ever want! Check it out here.
TentBlogger’s Secure WordPress Install Process:
For the most part I suggest that people follow the famous “5 Minute Installation” process but with a few more steps that I’ve added for security purposes. It is vital that you keep your installation safe and secure from hackers and malicious bots!
There’s no reason not to do this!
Ready? Here we go:
1. Download WordPress:

Download and unzip the WordPress package, if you haven’t already.
2. Upload WordPress to Server:
What you’ll do next is upload the WordPress folder contents to your domain. You can use any tool you’d like to do this (check out the FTP tools I use here).
There are a few things to do here to maximize security, though:
- Put it in a sub-folder instead of the root directory. Name it something somewhat obscure and unrelated to anything “admin”. For example, you could do something like http://tentblogger.com/icecream
- Move the index.php and the .htaccess files from the “icecream” folder and into the root.
- Open up the index.php file and change the line that says require('./wp-blog-header.php'); to require('./icecream/wp-blog-header.php');
- Once you install WordPress, go to General Settings in your admin area and set the “WordPress Address (URL)” to http://tentblogger.com/icecream and the “Blog Address” to http://tentblogger.com (in this example).
Check out the following screenshots to see what the above 4 bullet points look like:
Expand it and you’ll see that the folder icecream holds the WordPress core files (except index.php and .htaccess):
Changing the index.php line:
and…
Finally check the General Settings after you install:
As a result of all this you’ll have the most secure folder structure available!
In the above example I’d have to login here now: http://tentblogger.com/icecream/wp-admin
Congratulations my friend!
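Steps 2.1 to 2.3 above, scripted, as an added example that is not part of the original post: given the document root and the obscure sub-folder name, it writes a copy of index.php into the root with its require() line pointed at the sub-folder, copies .htaccess when one exists (WordPress only generates that file once permalinks are saved), and checks the result. The function name relocate_wp_entry and the argument order are my own. It copies the two files rather than moving them, which is what the Codex page referenced in the comments recommends; the originals can be deleted afterwards if you prefer. Step 2.4, the General Settings change, is still done in the admin area after installation. Newer WordPress releases write the require line with __DIR__, so both spellings are handled.

```shell
#!/bin/sh
# Added example (not from the original post): stage a WordPress install that lives in an
# obscurely named sub-folder while the site is served from the document root (step 2).
# Paths are passed in; nothing here touches a live server unless you point it at one.
# Usage: relocate_wp_entry /path/to/docroot icecream

relocate_wp_entry() {
    docroot="$1"
    subdir="$2"
    src="$docroot/$subdir"

    # The sub-folder name is spliced into a sed expression and a PHP string, so keep it simple.
    case "$subdir" in
        ""|*[!A-Za-z0-9_-]*) echo "sub-folder name must be [A-Za-z0-9_-]" >&2; return 1 ;;
    esac

    # Refuse to run against something that is not a WordPress core folder.
    [ -f "$src/wp-blog-header.php" ] || { echo "no WordPress core in $src" >&2; return 1; }
    [ -f "$src/index.php" ] || { echo "no index.php in $src" >&2; return 1; }

    # Copy index.php into the document root and point its require() at the sub-folder.
    # Two spellings are handled: the classic require('./wp-blog-header.php'); and the
    # newer require __DIR__ . '/wp-blog-header.php';
    sed -e "s#require('\./wp-blog-header\.php');#require('./$subdir/wp-blog-header.php');#" \
        -e "s#__DIR__ \. '/wp-blog-header\.php'#__DIR__ . '/$subdir/wp-blog-header.php'#" \
        "$src/index.php" > "$docroot/index.php"

    # .htaccess only exists once permalinks have been saved; copy it if present.
    if [ -f "$src/.htaccess" ]; then
        cp "$src/.htaccess" "$docroot/.htaccess"
    fi

    # Sanity check: the root index.php must now reference the sub-folder.
    grep -q "$subdir/wp-blog-header.php" "$docroot/index.php"
}

# Run directly: relocate_wp_entry.sh /var/www/html icecream
if [ "$#" -eq 2 ]; then
    relocate_wp_entry "$1" "$2"
fi
```

Run it against a copy of the site first; the only files it writes are index.php and .htaccess in the document root.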
3. Create MySQL Database, Username:
Setting up your MySQL database is entirely dependent on your existing hosting provider. For many it’s a few clicks and you’re done.
Here’s how I do it in MediaTemple (which hosts TentBlogger) as well as Dreamhost (another great and simple hosting provider for new blogs and one that I use for clients):
Media Temple Setup:

Login to MediaTemple:

Heading toward the Control Panel:

Log into Plesk:

Head to the domain on which you’re going to install a MySQL database:
Create a new database. Two things to do here to maximize security:
- Name it something complex.
- Name it something completely unrelated to the domain and URL.
For example, I might name TentBlogger.com’s MySQL database something like “iL1Xtto723”. Pretty hard to guess, right?
Then we can add a username. Follow the same convention as above and make it a bit complex and perhaps unrelated. The caveat, of course, is forgetting your unique username and password, so write them down and store them securely!
If you need a good password get one here.
Now that you’ve created the MySQL database you’ll use this information to install WordPress!
Dreamhost:
Login to Dreamhost:
Create a new MySQL Hostname for the database:
Create the hostname:
And then you can create the username:
Remember the aforementioned thoughts about the naming conventions for your database and your username/password!
4. Run the WordPress Install Script:
Now just head to where you installed the WordPress files (in this case http://tentblogger.com/icecream) and walk through the guided instructions.
Then input your “crazy” information:
And then you’re done! Remember that if you’ve installed it in a different folder then it would look like this:
http://example.com/blog/wp-admin/install.php
Finally you’ll want to make sure you do two things:
- Change the Table Prefix to something other than “wp_” since most hacks will try to attack this prefix because most people don’t change it from the default.
- Do not use ‘admin’ as the default username. Change this!
Great!
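The database-naming advice in step 3 and the table-prefix advice in step 4 both end up in wp-config.php, which (as the comments note) is created from wp-config-sample.php. As an added example that is not code from the original post, this shell function fills in the sample’s placeholders: the obscure database name and user, a non-default table prefix (a random one if none is given), and a fresh random value for each of the eight security keys, which WordPress uses as the secrets when signing login cookies, so leaving the sample’s “put your unique phrase here” text in place means those cookies are signed with a publicly known secret. The names make_wp_config, rand_alnum and rand_prefix are my own; the placeholder strings are the ones in WordPress’s own wp-config-sample.php.

```shell
#!/bin/sh
# Added example (not from the original post): turn wp-config-sample.php into wp-config.php
# with a non-default table prefix, the obscure database name/user from step 3 and freshly
# generated security keys, instead of leaving the sample's placeholders in place.
# Usage: make_wp_config wp-config-sample.php wp-config.php DBNAME DBUSER DBPASS [PREFIX]

# Random alphanumeric string of the requested length, drawn from /dev/urandom.
rand_alnum() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Random table prefix: lowercase letters plus the trailing underscore WordPress expects.
rand_prefix() {
    printf '%s_' "$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 5)"
}

# Escape the characters that would be special in a sed replacement using '#' as delimiter.
esc() {
    printf '%s' "$1" | sed 's/[#&\\]/\\&/g'
}

make_wp_config() {
    sample="$1"; dest="$2"; dbname="$3"; dbuser="$4"; dbpass="$5"
    prefix="${6:-$(rand_prefix)}"

    [ -f "$sample" ] || { echo "missing $sample" >&2; return 1; }
    case "$prefix" in
        wp_) echo "refusing the default wp_ prefix" >&2; return 1 ;;
        *[!A-Za-z0-9_]*) echo "prefix must be [A-Za-z0-9_]" >&2; return 1 ;;
    esac

    # Build a sed script with one substitution per placeholder. Each key line is addressed
    # by its quoted name so that AUTH_KEY and SECURE_AUTH_KEY get different values.
    script=$(mktemp)
    {
        printf "s#database_name_here#%s#\n" "$(esc "$dbname")"
        printf "s#username_here#%s#\n" "$(esc "$dbuser")"
        printf "s#password_here#%s#\n" "$(esc "$dbpass")"
        printf "s#table_prefix *= *'wp_';#table_prefix = '%s';#\n" "$prefix"
        for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                   AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
            printf "/'%s'/s#put your unique phrase here#%s#\n" "$key" "$(rand_alnum 64)"
        done
    } > "$script"

    sed -f "$script" "$sample" > "$dest"
    rm -f "$script"
    chmod 600 "$dest"   # the file holds DB credentials; owner-readable only

    # Sanity check: no placeholder and no default prefix may survive.
    ! grep -q -e 'database_name_here' -e 'put your unique phrase here' -e "'wp_'" "$dest"
}

# Run directly: make_wp_config.sh wp-config-sample.php wp-config.php DBNAME DBUSER DBPASS
if [ "$#" -ge 5 ]; then
    make_wp_config "$@"
fi
```

The generated prefix is what your tables will be called from now on, so note it down with the database name and user; the keys need no recording, and regenerating them later simply logs every user out.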
5. Check It Out, Publish Something:
The next step is quite simple – check everything out! Just start clicking around the admin panel after you login and make sure nothing “breaks”. I’ve never had an installation break right out of the box, but you don’t want to be using a broken system, so it’s worth checking things out.
The next step is also quite simple; publish something! Just go to Posts >> Add New and type in a Title, some random copy in the content area, choose (or add) a category, and then hit the big blue “Publish” button! If anything breaks it’ll break here as well.
Sweet! You’ve got a secure installation of WordPress installed and you’re ready to start customizing it for awesomeness!
I need to start doing it this way!!!
One thing, I may have missed something, but don’t you create the db first in order to install wp?
um, yes? follow the steps!
I don’t understand why is the database created after you install wordpress? I mean in step 3 wordpress is already installed and then in the next step you create the database?? Isn’t it the other way around? Cheers
hmm. i create the database first…
(in Toy Story T Rex voice) Ouch!! I have set up three blogs now, and I feel so insecure!
Well, this was an eye opener about security. At least I installed the security keys in my config file.
Now I have to go back and change a lot of things, because I am definitely serious about security. I have already had one website compromised to the point the server had to nuke it. Don’t want to repeat that mistake again.
Thanks John for the warning and good instructions.
By the way, I have all three blogs on one server. Are there any disadvantages to this?
all good! it’s ok to back track a bit!
I’ve read that changing the DB prefix is also a good safety measure. I changed mine for good measure, but still wonder what, if any, security that added. Any insight?
Also, would you consider ‘localhost’ a bad location for your DB even if the MYSQL port isn’t open?
Lastly, as Mutant mentioned, the ‘security keys’ in the wp-config file. What exactly do they do?
kevin, you are absolutely right! i had made a note to mention that as well. I will add that. thanks for the reminder!
You bet!
Another important thing to change is the default username “admin”.
another great reminder since I do that too. dang! i left out a lot! thanks jimmy! adding that.
Any time = )
Tried doing this, but all of the images posted are still trying to point to the old directory so I get a fat red X. Is there a fast way to have all images in the posts point to the new directory, or do I have to go in one by one and change it?
ben,
ah. you’re going to have to redirect your images via .htaccess (one possibility).
you know how to do that?
Negative :/
what is your current file structure and what got changed?
Current file structure = wp install is in a folder in the root, and I want to move it all one level deeper so that instead of site/wp-content/uploads, it’s site/crazyname/wp-content/uploads.
Trying to be more secure.
Got the redirect going, but I can’t figure out how to keep the URL from displaying my super secret folder…yet.
ah. what you can do actually is this: you can change the upload point anywhere you’d like and have the images pull from there.
just goto Settings >> Media
and specify the folder:
http://cl.ly/3i1N0Z0a3E1s0E100I1R
I’m almost there, I have like 3 or 4 redirects in the .htaccess which include images in posts, as well as some of the sidebar images but I can’t get the sharing buttons to hide the “icecream” folder in the url for some reason. I didn’t mean to hijack these comments but I feel like I’m just missing something obvious here.
hiding the wp-content folder isn’t an issue from a human perspective.
it’s from an auto-bot perspective. if someone wants to find your login they’ll find it. but taking it outside the default saves your butt!
Yeah I figured, but this kind of thing will now bug me. Dang auto-bots. I must become free of it, because freedom is the right of all sentient beings.
Ok I’m done.
Thanks for the help John!
sure thing ben!
Could you show a screenshot with the field filled in? So that it stores in “icecream/wp-content/…” but only shows the “wp-content/…” I’m confused as to what goes where.
You must enter a folder relative to your WordPress address (URI) folder.
So, not wp-content but something else.
Seems pretty straight forward to do it with a new install. But how big of a headache is it to switch it to the more “secure structure” on a blog already installed with a few years of archives?
not too hard.
Could you do a walk through of this?
Switching to the more “secure structure” on a blog already installed with archives
Much Appreciated!
jason,
i’ll have to queue this up… can you ask it here?
http://tentblogger.com/ask-me/
With a little finagling I was able to make this work on an existing site with archives but I’m using the Thesis theme and when I completed the 4 steps my theme was gone! So I had to go in and add this bit of code to my function.php file right after the <?php
update_option('siteurl', 'http://Example.com');
update_option('home', 'http://example.com/icecream');
PS: Make sure you remove this code after you get the theme up and running
Ummm my code changed when I posted my comment. Not sure why?
eh?
eh? ?
Ok well I get why the smile faces are there but the ' was added to my code for some reason?! I dunno. BTW Do you use a plugin to manage comment email verification? This is a really cool way to automate the comment load and weed out those awful spammers. How the heck did you do that man?
Thanks
http://tentblogger.com/comment-workflow/
So, can you make these changes to existing blogs? Moving files to /icecream and have index and .ht in the root without messing anything up?
yup.
I created a sandbox on one of my EC2 servers, and I have one tiny issue. The super-duper-secret ‘icecream’ folder is visible in the source because of all the theme files…is that normal or can that be changed?
visible. the point is to keep away bots who auto-attack default installations.
There’s a very helpful article in the WordPress codex on Giving WordPress Its Own Directory for those that wish to do this to an existing WordPress installation.
(Related in codex: Moving WordPress.)
yup. love it!
Thanks so much for this series…its really informative.
Any chance you could do a walk through for adding your database recommendations to an existing blog?
can you be more specific here? not sure what you mean…
Just did it for a new install. Pretty smooth. Now to figure out the “salt” options. And if I can do all this retroactively on a WP install that’s been in place a while. It is just a matter of moving things to an “icecream” folder and changing the “general settings” and the line in config.php?
Now with a new install and another that needs an update, time to count my coins to see if Standard Theme is next for me.
sure. you can do it retroactively!
I followed the steps of the installation, but wasn’t able to find the .htaccess file… Is it a hidden file, or am I just looking in the wrong place?
I have the same WordPress version used in the screenshots, and using DreamHost for the hosting…
It’s a hidden file.
So, how do I make it visible?
There’s not really a way to “un-hide” it. Any file starting with a ‘.’ in Linux is hidden. You have to change that setting in your FTP client (something along the lines of view hidden files)…or use http://webftp.dreamhost.com/
or get sFTP.
I still can’t seem to find the .htaccess file even after showing all the invisible files in Transmit. Is it part of the WordPress download and am I just missing it?
do you have sftp access?
Yes I do. I did find it in my other domain on the server.
sweet!
Can I just copy it over to my new folder?
hmm. no. because it’ll overwrite the existing one.
I found the file buried way up in my local file & brought that in, but nothing seems to be working right – I can’t even get to the install screen. I have opened a ticket w/my hosting company to see where I might have messed up. Thanks.
the .htaccess file needs to be created by wordpress, or you can create it manually if you know what you’d like for the settings to be.
That worked – thanks to both of you!
Awesome! Glad it worked.
yataa!
Maybe that’s my issue. So it gets created when you run the wp-admin/install.php in the browser? Sorry…so many questions. Thanks.
yes. and it changes per permalinks and other settings.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
this is what you’d typically see. something like this.
My code had an extra “RewriteRule . /index.php [L]” so I deleted it. Since I haven’t been able to run the install.php yet, should I just delete .htaccess file?
try that!
Nope – no luck. I will wait to see what MT has to say. I think it’s probably on that side. Thanks for the help.
what blog is this?
http://everydaysnapshots.com
It got fixed overnight – I was able to do the configuration file. Thanks for your help.
sweet! whew!
Great installation tutorial, but not too up on security. There really is a lot of things people can easily do to “lock down” their wordpress blog or site without compromising speed or quality. From watching for too many logins to making the most out of .htaccess.
There are a number of plugins and other ways to secure wordpress very quickly that anyone hosting the software should look into on day 1.
chris,
that’s great man. i actually created a post just for that: http://tentblogger.com/installing-wordpress/
Great site John. Signed up on your social media. Will do your standard theme shortly. I started with your installing WordPress for security, renamed my file folder, but for the life of me, cannot locate any .htaccess file to move back to the root. I’ve done ’er 3 times. Where is that file hiding?
If you’re using FTP or SFTP, make sure your software is set to show hidden files (if you’re using Windows, use something like FileZilla or the like. Don’t use Windows Explorer.). If you’re connecting to your server via SSH…type in ‘ls -a’ to view everything in the directory (hidden files included).
If you still don’t see it after checking your SFTP/FTP software settings, try updating your permalink structure. That will usually generate the .htaccess file as your permalink settings are stored in the .htaccess file.
thanks for your help kevin!
i use these as well: http://tentblogger.com/code-ftp/
Great article, great series. Not sure if someone covered this in a comment, but
doesn’t work. These files should be COPIED into the root and left alone in the “icecream” folder.
Codex reference is here: http://codex.wordpress.org/Giving_WordPress_Its_Own_Directory
Somehow the key line got deleted from the above comment. Again,
“Move the index.php and the .htaccess files from the “icecream” folder and into the root”
is what doesn’t work. Copy the files.
thanks wolf!
I goofed up on step 4 of part 2 above. In the WordPress admin area I changed BOTH the “WordPress Address” and the “Blog” address. Now I cannot access the admin panel to change it back.
PLEASE HELP!
The install directory is http://coveybox.com/birdpress
I changed both to http://coveybox.com.
How can I fix this and what should I have done? The goal is for the blog to be displayed at the root url (http://coveybox.com).
Phew… I got it sorted out. I found the solution here (just in case someone else goofs): http://codex.wordpress.org/Moving_WordPress
NOW, how do I go about having the blog display at the root url even though its installed at http://coveybox.com/birdpress
PS. GoDaddy’s auto-install feature now walks the user through customizing the database names, locations, installs, and admins. I chose to go that route, yet still goofed.
wow. glad you fixed it! you can change the /birdpress to show at the root easily by following the first part of the instructions at the codex link you have!
Hey I was wondering if it would be possible for you to do this with Site5 hosting?
what do you mean?
Ok… great admission… but I’m new to all of this. Once I’ve created the mySQL database… how do I go back to check that I set it up securely? (The joys of starting and then having a break to give birth and coming back to things with a VERY fuzzy brain!)
And now I’ve broken the ENTIRE thing!!!
I was following the steps… At #2.4 it all came unstuck as it says it’s all broken! Site won’t display and can’t login to it.
So I backtracked, reversing each step as I went… but it won’t work now either! What have I done???
oh no…….! how can i help?
I’m starting again… but, WordPress already installed (dreamhost one click install – what I did originally)… I get to the step of “go to general settings”… but I don’t know how to go to general settings – where are they located?
Ok, scrap that… I’ve retraced my steps and started at the beginning… but the .htaccess file isn’t there now??? (The FTP clients I tried weren’t uploading wordpress & I can’t afford to get one of the ones you recommend at the moment, so I used Dreamhosts one click installer again – but this time the .htaccess file doesn’t show up, despite redoing it several times). What do I do now?
It seems to be working fine without the .htaccess file… is that ok? Or will it cause a problem down the line?
it’ll work. it’s still there.
you need to access via SFTP. dreamhost settings will enable your user to be an SFTP user.
this shows you those special files like .htaccess
I am on blogger and bought my domain; but I feel very limited with my template in adding my sponsor buttons, so I think wordpress would be a good switch for me. Do I really need to pay for a host? I am just starting out and not making enough to pay for a host, but I really want to make the switch. What should I do?
hmm. perhaps you should wait some more then… it’s ok to take your time moving over
Hey John,
I’ve done this a couple times now and I have a suggestion. It doesn’t look like .htaccess is included in the WordPress zip file (I’ve looked a couple times and have shown hidden files on my Mac). That really slowed me down the first time, but I’ve just skipped that step and haven’t had any problems. You might just add a line something like this: (if you don’t see an .htaccess file that’s ok, just continue with the rest of the steps below).
I doubt most first-time installers of WordPress will be dabbling with .htaccess for a long time anyway (I haven’t and I’ve been using WordPress for about 5+ years).
Just a suggestion.
And another suggestion. The install path may have changed. For me, I had to add /install to the path to get to the installation process.
You’re right! The .htaccess file isn’t included in the zip file. It’s not created until you edit the permalink settings. After that, Linux just keeps it hidden because the file name starts with a period.
.htaccess doesn’t appear until you use permalinks or access it directly.
Gotcha. The steps above seem to be a walkthrough for a fresh install, so that might be helpful to point out in the post?
sure thing. do you need any help? what specifically?
Yes, please make sure to point this out. I spent a while looking for the .htaccess file for the fresh install. Finally, I just did the one-click install through DreamHost and used Coda to move index.php to the root folder and change the setting.
good for you! that’ll work too.
That would explain why I couldn’t find the .htaccess file in SFTP right after I installed it, but then it showed up after I was further along in the process of setting it up! lol
ah. #winning!
Thanks so much for this article! I have been a long time reader/lurker on here since the beginning. I finally took the plunge and set up my own wordpress site. Thanks again for your great articles.
and… thanks for commenting and coming out of the shadows!
I’m having trouble finding the .htaccess file
what app are you using?
Coda
Click View-> Show Invisible Files
Thanks Kevin, that did it.
You bet! Coda rocks
love me some coda…….!
I am new to word press and using your guide…i am using coda and setting up the security like you outline…in my wordpress folder I downloaded and there is no .htaccess file…I found and moved the index.php but there is no .htaccess file? what am I missing?
you need to turn on the ability to see hidden files.
sorry i should have just looked at the above post…i’m a greenback
sorry still not seeing the .htaccess file…i’m using coda too
Have you updated your permalink structure yet? If not, change it and check again.
I got it all up and running…was gonna just do the easy install on dream host…but said why not set it up manually…I’m trying to learn this stuff
Manual is always better
Makes you feel like you did something awesome.
haha. makes you feel good!
yep…now i’m ready to install Standard Theme
I am not able to run the WordPress installation script because I need to create my own wp-config.php. I do not know how to do this :/
Could you possible help me?
There’s several ways to do it, but one way would be create a new text file on your Desktop, paste everything into it, save it as wp-config.php and upload it via FTP…another would be change your directory permissions to 755 and try again.
ah. you’re so quick around here!
it’s actually included in the wordpress folder… but it’s called wp-config-sample.php
Oh yea! I forgot about that one…renaming things. Clever!
Not sure I understand fully how to “hide” the icecream folder as long as the image path still shows it.
Let’s say I create another folder called myimg in the root directory (public_html) and I want WP to upload my pictures there. What should I put in the Media Settings>Uploading Files settings? There are two fields there: Store uploads in this folder & Full URL path to files…how should I fill in these fields to be able to upload images to http://mywebsite.com/myimg?
Hi John,
I’ve successfully installed WP but there’s a little cosmetic issue that i hope you can address.
Whenever I search for mydomain.com I get directed to mydomain.com/icecream
How do I get rid of the /icecream ?
I’ve look through the WP forum and tried several suggestions (plugins ,etc) but nothing works.
Pls advise.
Thanks Andrew
did you install it at the /icecream? i’ve made mention in this post how to fix that i believe.
yes i set up /icecream with the core files in there and then copied the index.php and .htaccess to the root. amended the index.php and deleted the /icecream from the site URL.
when i’m at mydomain.com/icecream i can see the blog page but it has a ‘Page Not Found’ at the browser tab.
btw I used softaculous to install.
hmm. can i see a screenshot of your settings? and your config file? send them to me in an email: me@john.do
not sure what i did again but it works now. no more /icecream. thanks.
I’ve messed things up. I went ahead and changed the WordPress URL before I uploaded the new folder. So now when I try and login from either my original “theminnesotaman.com/wp-login.php” or from the new one “theminnesotaman.com/coreyspooner/wp-login.php” it fails to work. And I can no longer get into my settings to change it back. Is there any way to save the situation or do I need to create a whole new database?
doh! you could start over if you’d like. some people opt for this instead of trying to rework it.
Any chance you can explain using site5
what do you mean specifically?
well you show how to install media temple and dreamhost, I was hoping you had something similar for Site5. I tried on my own, but get lost easily… so much to learn for us newbies.
ah. honestly, i’d start with something that you feel comfortable with…. you can always move and migrate. that might sound weird but the only thing that i measure is momentum… continue moving forward, and forget the rest.
This all started because I wanted to move my blog from blogspot to my own site without losing my SEO and current traffic. One thing led to another and now I have my domain hosted by site5 and got stuck connecting the how to’s
awesome! great work!
but I’m still stuck, can you help?
you’re on site 5, right?
you know, they can install that junk for you… all you have to do is ask…!
yes
OK! I will do that… thank you
I currently have a development directory set up as I build out my wordpress site. I have a live site at http://www.myurl.com and the dev site is in another directory at dev.myurl.com.
I was just planning on changing the WordPress Address (URL), and Site Address (URL) in the General Settings from http://dev.myurl.com to http://www.myurl.com and have the host point to the new directory.
Are there any issues with this set up before I start messing around with moving the wp-content directory, etc?
hmm. sub-domain mapping can be tricky, especially with seo. have you looked into that?
The host seems to be pretty good at directing traffic to the right directories and handling the name server stuff.
I’ve decided I’m most likely going to use a Multisite set up so this process is not applicable to and does not work if you have enabled MultiSite according to the Giving WordPress Its Own Directory Codex – http://codex.wordpress.org/Giving_WordPress_Its_Own_Directory
In either case I think I’ll wait to mess with this if I don’t use MultiSite until I’m up on the main Url.
On a side in regards to security do you plan on posting anything in regards to some of the security plugins out there?
Thanks for all the great info!
sure thing josh!
Thank you for the tutorial. Very helpful.
I was following the example but was confused about one thing. In step 2 you state
“Once you install WordPress then you’ll have to go to your Admin area in the back admin and change the General Settings so that the “WordPress Address (URL)” points to http://tentblogger.com/icecream and have the “Blog Address” point to http://tentblogger.com (in this example).”
I’m confused as WordPress has not been installed or activated but according to your instructions I have to login to the admin area.
I might be missing taking a step or something. Please let me know what I’m doing wrong.
For the benefit of others – I have tried the steps and they work.
As far as changing the URL’s is concerned you can change them after the installation. In short just run through the installation and once the installation is done log-in to the back-end and use the General Settings options to change the URL’s.
I have a fairly new blog, less than a month, and so wish I had used WordPress. I did buy my domain. For a noncomputer geek, I think all this may be way too complicated for me but I did enjoy your article. I even got to the part where I did download wordpress but my confidence in following the other steps waned and I turned back
Help! I am very new to this and am trying to be meticulous about following instructions here… I went through my webhost (Site5) and downloaded word press putting it in an “icecream” subfolder. But I can’t seem to figure out how to get to the next step. Could it be because I downloaded wordpress through the webhost instead of uploading it from my computer?
If I use bluehost and don’t want to and don’t need to download wordpress, what do I need to know about security? It makes a MySQL for you, etc. Do I need to download onto my computer and use a FTP tool to be fully secure? Isn’t the point of Bluehost supposed to minimize all this? I am new to this, so just send me to a link if it’s explained already.
Hi, tried the steps three times and it seemed I finally got it right but…
Whenever I want to visit the site the main, sample and a post page I created all display “future home of something quite cool”. When I add www. to my domain I get a 404 error.
I ended up putting the installation in a sub-subfolder. mysite/icecream/icecream 2
Could that be the problem?
I did that because I saw in the image in this post that the installation was in tentblogger.com/httpsdocs/icecream
then I moved the index and htaccess files to mysite/icecream which I guess is a subfolder on the root and not the root itself.
Any idea of what I should do?
Start allover and use just one subfolder?
Thanks
And the fourth time it worked, What I did was install wordpress in a subdirectory and not one level deeper as I did before. Now, I can see my site at example.com but not when I go to http://www.example.com. I’ll try to figure that out, maybe it’s something obvious but if anyone’s got a fast answer? Thanks again
Oh, I think it was the CNAME record www; my domain was previously directed to a google sites page. I just changed it to @. Now, let’s wait a while and see
Thank you for the detailed instructions.
I wanted to know whether the steps recommended in the blog post at http://tentblogger.com/more-wordpress-security/ can be followed even if the installation has been done as per the process outlined in this post?
Thanks in advance.