WordPress Security — How to Install WordPress Securely

WordPress SecurityWordPress without a doubt is the most popular blog software exists on the market right now and recently people have been using it not only to setup a blog but also manage web site content. WordPress comes with the popular 5-minute installation process and that partly contributes to the success, I believe.

However, out of the box, WordPress installation can do much better when it comes to WordPress security. I suppose they have to limit the number of options available during installation to avoid confusing their users. The famous 5-minute install would not exist if otherwise.

At the very least, the random password generation for admin user makes your password hard to guess.

If you think about it, to be fair, much of the problem with security is due to lack of understanding on the user part.

Many people leave wp-config.php file world writable after installation. That means if they are on a shared hosting environment, with the wrong permission, their blog may be at risk.

Most bloggers only care about the ease of installation and only seek for help after an incident because there is lack of organized information on how to securely install WordPress or harden existing WordPress installation.

This article strives to fill the gap on the first part, i.e. installing WordPress in a secure manner. I’ll update this document regularly as I find new things. If your blog security is of importance to you, make sure you go through this carefully because security is like a chain. It is only as good as its weakest link.

Note that this setup doesn’t involve auditing or modifying WordPress core. You should think of these tips as workarounds or additional layer of security on top of your blog. Some of them use the principle of security through obscurity, which I recommend against for host-based security, but hopefully that discourages intruders and make them think your blog is not worth their efforts.

Disclaimer: There is no guarantee that by implementing these tips your blog will be immune. If your system is still vulnerable, and if crackers find new exploits through your blog or any other web apps, your blog may still be at risk. This article is written for educational purpose only.

1. Review Your MySQL Server Installation

Morning Mist

First and foremost, if at all possible, you should bind your MySQL database only to localhost. Of course, you can’t do that if you have to serve your data outside of local machine.

By binding to loopback interface, only services on localhost will be able to connect to it. Alternatively, you may choose to communicate via UNIX domain socket.

This doesn’t prevent modification of your data through vulnerable web applications. You only prevent direct access to the database.

Shared hosting users won’t be able to modify server configuration used by their hosting company, but if you are on a VPS or dedicated server, this is something you should consider.

To apply this, you need to add or change the following line in my.cnf, specifically in the [mysqld] section. Location varies based on Linux distribution, but in Ubuntu it resides in /etc/mysql/my.cnf.


2. Create Your Database and Database User Properly

Let’s start from the beginning. Obviously many bloggers name their WordPress database wordpress or simply ‘wp’.

Although it doesn’t improve security that much, changing this name may obfuscate it a bit, so while you are at this just pick a name that is obvious to you but not to a complete stranger.

After all, you only need to know what it does, not what it is.

$ mysql -u root -p
Password: Enter your password
mysql> CREATE DATABASE example333;

The SQL command above creates a database with the name example333. You may name it to your domain or something else and add random numbers to it.

As part of the database creation process is to create a unique user for WordPress. Only that user (and of course root) is able to access that database with limited privilege to let WordPress operate properly.

The following SQL commands should allow WordPress to function and interact properly with MySQL.

mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER ON example333.* TO 'exuser129'@'localhost' IDENTIFIED BY 'yourpassword';

Note that I add random numbers to the database user and choose a strong password. You don’t have to remember either of these data once you hand them over to wp-config.php.

3. Configure wp-config.php Correctly

Morning Mist

WordPress is now able to create and prompt for your database configuration during installation, if it possesses enough permission to do so.

While it is certainly an option, a few variables are leaved untouched, so in my opinion an easier way is to avoid it at all. Out of the box, WordPress includes a sample configuration file named wp-config-sample.php. You may copy or move the file over to wp-config.php and edit that.

This command presumes that your WordPress core files reside in your blog directory.

$ cd /your/path/to/wordpress
$ cp wp-config-sample.php wp-config.php
$ vi wp-config.php

Of course, change vi to your favorite text editor. You may also edit it on your desktop computer and upload it to your web server, or use the editor that comes with your hosting control panel.

The wp-config.php file looks like the following:

// ** MySQL settings ** //
define('DB_NAME', 'example333');    // The name of the database
define('DB_USER', 'exuser129');     // Your MySQL username
define('DB_PASSWORD', 'yourpassword'); // ...and password
define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
// Change each KEY to a different unique phrase.  You won't have to remember the phrases later,
// so make them long and complicated.  You can visit http://api.wordpress.org/secret-key/1.1/
// to get keys generated for you, or just make something up.  Each key should have a different phrase.
define('AUTH_KEY', 't0L3ORtzCQ(JR!hj6H1SWT-2W[>B?bf,)Cxz ]`x`)<j^}qH%Pks]nVbJyPl!miA');
define('SECURE_AUTH_KEY', 'q=\'|)\'GtsM[dE[I5~M3T`Y;xjm?Rhv4Qslkk|zq$r*kk@Z( ^(pha{]pqR(3g=yX');
define('LOGGED_IN_KEY', ')x=cc*FnmUkC;#idXzBFWq.SVSeCua-P||xhCF[fUb&/US6jW$*\"[|Snj31Cw[wI');
// You can have multiple installations in one database if you give each a unique prefix
$table_prefix  = 'ex3321j_';   // Only numbers, letters, and underscores please!

I’ve changed a few things there. In the first block, I modified the definition of various constants to match database and user that I created in the second step above. The second configuration block requires that you have three unique phrases. These will be used as salt for your blog cookies. Since WordPress 2.6, there are 3 unique phrases, used in different situations.

You may enter a few simple words here, but randomness may help. You can generate random phrases, including proper syntax for constant definitions by using WordPress secret key generation tool.

Finally, the third block allows you to define table prefix used by this WordPress installation within the database. With this option, you will be able to change the prefix so it is unique to this blog.

Some people have access to only one database and this option lets them have more than one WordPress blog inside a database.

In this demonstration, that is not our purpose though. Public exploits on the Internet often assume that the prefix of your WordPress table is wp_ so changing it may help.

Adding random characters and numbers as suffix is enough. I have purposefully leave ex intact because that is what I use for the database name. You may also use keep wp so you know they are WordPress tables.

4. Change Permission and Ownership for wp-config.php

Morning Mist

If you copy wp-config.php, by default the permission of wp-config.php may be different from wp-config-sample.php.

Just to make sure, you should change it to 644 — read and write for owner, read for group, read for the world. Ownership of the file should be your username. In VPS or dedicated server, change it to root.

5. Check Permissions for Files and Directories

Especially if you copy your WordPress files from your other blog installation. Some bloggers may do this to copy the themes and plugins over to the new blog.

Make sure that your directory permission is not group or world writable. Use 755 as the permission for directories and 644 for files. If your web server, like Apache, supports suEXEC or similar, 644 is enough privilege for WordPress to change your files, so .htaccess and theme files may be modifiable already.

Otherwise, change the permission for certain set of files you want to grant write ability to 666. Don’t make this default permission though.

Once you’ve done this, go to your browser and start the installation process.

WordPress installation starts in


Of course, change example.com and blog appropriately.

Return to How to Blog for Fun and Profit.

Return to Blog Tips for a Better Blog — Blog Building University.

Blog Building University features tips, techniques and strategies on starting and growing your moneymaking / business blog. Subscribe to get fresh content delivered to you daily!

Blog Building University Full Content Feed


One Response to “WordPress Security — How to Install WordPress Securely”

Blogging is Web Publishing 2.0.
BlogBuildingU.com solves your web publishing puzzles, one piece at a time.