Security options for new WordPress install

Protection Requirement:

BASIC

Skills/Resources:

> Edit files
> File Manager or FTP

THE THREAT
The default settings for a new installation are not secure

THE OBJECTIVE
Change the default settings during installation

PROPOSED SOLUTION
Perform a new installation of WordPress, changing a number of the defaults to make it more secure.

Install WordPress either manually or using the application installer that is bundled with the Control Panel.

MANUAL INSTRUCTIONS

Create a sub-directory to install WordPress into and then follow the instructions here:

https://codex.wordpress.org/Installing_WordPress

When selecting the installation options refer to the video.

INSTALLATION USING APPLICATION INSTALLER

Follow instructions in this Guide.

In directory ( Installation directory )

We will be changing the default installation directory ‘wp’.

Many people just remove the default ‘wp’ directory and leave this option blank to install in the root of the domain.

We will create our own custom sub-directory and install WordPress there. Later we will make changes so that WordPress appears to be installed in the domain root.

In this guide I changed it to ‘secret’ – not recommended – just what I used for this demonstration.

Table prefix ( Database Table prefix )

Most people leave the default prefix of ‘wp-’

We will be changing this to something else. I have again used ‘secret’, changing the prefix to ‘secret-’

Admin Username ( administration login account name )

Most people leave this set to the default ‘admin’

You need to change it to something that is not related to you or the website. Again for this demonstration I have used ‘secret’

Admin Password

I have generated a 16 character random password using a combination of letters, numbers and special characters.

WordPress reports on the strength of your password when you enter it. You should aim for a score of 100/100

Go ahead and complete the WordPress installation.

We now have a new installation of WordPress in the sub-directory.

Now we want to make WordPress appear to be installed in the root of the domain.

Log in to WordPress and go to SETTINGS | GENERAL

Site Address ( URL )

Edit this field removing the sub-directory

Save Changes

Go to SETTINGS | PERMALINKS

Change to your preferred settings.

Next use File Manager or an FTP client and connect to the site.

Navigate to the new sub-directory and copy index.php into the domain root.

Edit the copied index.php in the domain root. Its last line points to where WordPress is loaded from. Add the sub-directory to the path on that line.
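The copy-and-edit step above as a script, for cases where you work on a local copy of the site rather than through File Manager or FTP. This is an added example, not part of the original guide: the function name relocate_index, the index.php.bak backup and the sample file are assumptions, and ‘secret’ is the demonstration directory name used in this guide.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Quoted loader path as it appears in index.php (single or double quotes).
LOADER = re.compile(r"""(['"])/wp-blog-header\.php\1""")

# Constructed sample index.php; the comment mention must not be rewritten.
SAMPLE_INDEX = """<?php
// Loads wp-blog-header.php, which starts WordPress.
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""

def relocate_index(docroot, subdir):
    """Copy <docroot>/<subdir>/index.php to <docroot>/index.php and point
    its loader line at the sub-directory. Returns the rewritten line."""
    # Refuse anything that is not one plain directory name (no '/', no '..').
    if not re.fullmatch(r"[A-Za-z0-9_-]+", subdir):
        raise ValueError("sub-directory must be a single plain directory name")
    docroot = Path(docroot)
    dst = docroot / "index.php"
    text = (docroot / subdir / "index.php").read_text(encoding="utf-8")
    # Stop if the file is not what we expect instead of guessing.
    if len(LOADER.findall(text)) != 1:
        raise ValueError("expected exactly one quoted /wp-blog-header.php path")
    new_path = f"/{subdir}/wp-blog-header.php"
    patched = LOADER.sub(lambda m: m.group(1) + new_path + m.group(1), text)
    if dst.exists():
        shutil.copy2(dst, dst.with_name("index.php.bak"))  # keep the old file
    dst.write_text(patched, encoding="utf-8")
    return next(l.strip() for l in patched.splitlines() if new_path in l)

def demo():
    """Run against a constructed site layout in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        wp = Path(tmp) / "secret"
        wp.mkdir()
        (wp / "index.php").write_text(SAMPLE_INDEX, encoding="utf-8")
        line = relocate_index(tmp, "secret")
        # The original inside the sub-directory must stay unchanged.
        untouched = (wp / "index.php").read_text(encoding="utf-8") == SAMPLE_INDEX
        return line, untouched

if __name__ == "__main__":
    print(demo())
```

The index.php inside the sub-directory is left as installed; only the copy in the domain root is changed.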

SUMMARY OF SECURITY MEASURES IMPLEMENTED

  • Installed WordPress into a custom hidden sub-directory
  • Changed prefix on WordPress tables
  • Changed default admin account name
  • Implemented a strong password for admin account

We have also moved the WordPress file system to a location where it would not normally be located. This improves security by changing the location of sensitive system files from the default.

It is also a much cleaner way of organising the file system.

MORE ADVANCED
none

NEED HELP?
If you need help implementing this and other security measures then Virtual Webmaster Services can help.

RESOURCES
none