Before installing WordPress, you need the following:
- A domain name and web hosting.
- An SSL certificate for your domain.
- The WordPress-recommended versions of PHP and of the MySQL or MariaDB DBMS installed on your server.
- Access to a database on MySQL or MariaDB DBMS.
I use a simple text file to keep all the information about a WordPress installation.
What is an SSL certificate and how can I get one for my domain?
An SSL certificate is a digital certificate that establishes the identity of a website. It is issued by a trusted third party, called a certificate authority (CA). When a user visits a website that has an SSL certificate, their browser will verify the certificate with the CA. If the certificate is valid, the browser will create a secure connection between the user’s computer and the website’s server.
SSL certificates do two things:
- They verify the identity of the website. This helps to protect users from visiting fraudulent websites.
- They encrypt the data that is transmitted between the user’s computer and the website’s server. This helps to protect the data from being intercepted by unauthorized third parties.
You can purchase SSL certificates from a domain name registrar or a website hosting provider. Some website hosting providers offer free SSL certificates. You can contact your web hosting support to find out if they have such an offer. They may also be able to help you with installing the SSL certificate.
How can I be sure that my password is strong?
Your password should be easy for you to remember but difficult for others to guess, for example: This-is-Worth-12$-only.
A strong password must have the following characteristics:
- It must be at least 12 characters long.
- It must not be a single word that can be found in a dictionary or the name of a person, fictional or non-fictional character, or organization.
- It must be a combination of uppercase letters, lowercase letters, numbers, and symbols.
If you are going to install WordPress manually, you must use the WordPress secret keys to harden password protection. WordPress authentication unique keys are used to secure information stored in browser cookies. Cookies are vulnerable to attack, so it is essential to encrypt any sensitive information in them. You can generate unique keys from this link. Copy the generated unique keys and store them somewhere safe; you will use them during the installation process.
WordPress Database Names and Table Prefix
To install WordPress, you need a database on a running MySQL or MariaDB database server. WordPress uses database names to identify the database for storing data. When choosing a database name, choose a name other than “wordpress”.
WordPress database table names have a common prefix. During installation, WordPress lets you decide which prefix to use. The default WordPress prefix is “wp_”. You should change the default prefix.
Which WordPress Version to Install?
For better security, you should always install the latest stable release of WordPress. You should also use the recommended versions of PHP and MySQL/MariaDB. You can get information about the latest WordPress version and the recommended PHP and MySQL/MariaDB versions by following this link.
Which plugin should I use for enhancing WordPress security?
After installation, you should install plugins for spam protection and two-factor authentication. You can search the WordPress plugin repository for suitable plugins. When choosing a WordPress plugin, I recommend you put emphasis on the number of active installations and its rating.
Setting up WordPress
The following steps guide you through setting up WordPress securely:
Step 1: Downloading WordPress
- Go to the WordPress Download page: https://wordpress.org/download/ and download the latest version of WordPress.
- Take note of the WordPress version, and recommended PHP and MySQL versions.
Step 2: Purchasing Domain
- Go to the website of a domain registrar, such as Google Domains, Namecheap, or GoDaddy.
- Choose an available domain name of your liking.
- Make a note of the domain registrar name, domain name, and renewal date.
Step 3: Purchasing a Web Hosting Plan
- Choose a web hosting provider that supports the PHP and MySQL versions recommended by WordPress.
- Purchase a web hosting plan that meets your needs, such as the amount of storage space, bandwidth, and email accounts.
- Make a note of the web hosting provider name, web hosting plan name, and renewal date.
Step 4: Obtain SSL Certificate
- Choose an SSL certificate provider. There are many different providers available, such as Let’s Encrypt, Comodo, and DigiCert.
- Purchase an SSL certificate for your domain and subdomain.
- Install the SSL certificate on your web server.
- Make a note of the SSL certificate provider and renewal date.
Step 5: Database Creation
- Log in to your web hosting account.
- Find the database manager. This is usually located in the control panel or the dashboard.
- Create a new database.
- Enter a database name, username, and password.
- Make a note of the database information.
Step 6: Upload WordPress Files
- Upload the downloaded WordPress .zip file to the /tmp directory of your hosting server.
- Extract the files from the .zip file into a folder called wp.
- Move the wp folder to the public_html directory.
- Create a file called .htaccess in the public_html directory and add the following directives to rewrite all requests that do not start with /wp/ to /wp/:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/wp/
RewriteRule ^(.*)$ /wp/$1 [L]
Step 7: Configuration of wp-config.php File
- Open the wp directory and make a copy of the wp-config-sample.php file and rename it wp-config.php.
- Find the line with a comment like this: “// ** Database Settings **”
- Put your database connection data that you saved earlier in the following variables:
define( 'DB_NAME', 'your_database_name' );
define( 'DB_USER', 'your_database_username' );
define( 'DB_PASSWORD', 'your_database_password' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
- Find the line with the following comment: “// Authentication unique keys and salts”
- At the end of the comment section, put the WordPress secret keys. You can generate these keys using the WordPress Salt Generator: https://api.wordpress.org/secret-key/1.1/salt/.
- Find the line with the comment: “// WordPress database table prefix”
- At the end of the comment section, put the table prefix. This is a string that will be prepended to all of the tables in your WordPress database. For example, if you set the table prefix to myprefix_, then your WordPress tables will be named myprefix_posts, myprefix_comments, etc.
- Once you have made these changes, save the wp-config.php file.
Step 8: Installing WordPress
- Open your browser and enter your web address (for example https://my-domain-name) into the address bar.
- The WordPress installation process will begin.
- Select your language and click Continue.
- If you have not created the wp-config.php file and put database-related information, you will be taken to a page that will inform you what database-related information is required to install WordPress. Click the Let’s Go button.
- A form will appear asking you to enter database information. Enter the information requested and click the Submit button.
- If WordPress can successfully connect to the database using the provided information, it will inform you by showing the following page. Click the Run the Installation button.
- The Welcome page of the installation process will appear. Now put the necessary information from the WordPress Credentials and Info file you created earlier. Click the Install WordPress button.
- At this stage, the Success page will appear.
Step 9: Securing WordPress by Changing the Directory and File Permissions
- Log in to your web hosting account.
- Find the public_html directory.
- Change the permissions for the public_html directory and any sub-directories to 755. This will allow the owner account to read, write, and execute files in the directory, and it will allow others to read and execute files in the directory.
- Change the permissions for any files in the public_html directory and sub-directories to 644. This will allow the owner account to read and write files, and it will allow others to read files.
- Change the permissions for the wp-config.php file to 400. This will prevent anyone from viewing the file contents.
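The Step 9 permission changes as a script, an added example that is not part of the original post: it applies the 755/644/400 policy to a site root you pass in and audits the tree afterwards. It assumes a POSIX shell with find and chmod, and that wp-config.php sits in the wp/ subdirectory as in this layout.

```shell
#!/bin/sh
# Added example (not from the original post): apply the Step 9 permission
# policy to a WordPress tree and audit it afterwards. Assumes a POSIX shell
# with find and chmod; the site root path is whatever you pass in.
set -eu

# Directories 755, files 644, wp-config.php 400 (it lives in wp/ here).
harden_permissions() {
  site_root=$1                                     # e.g. /home/username/public_html
  find "$site_root" -type d -exec chmod 755 {} +
  find "$site_root" -type f -exec chmod 644 {} +
  if [ -f "$site_root/wp/wp-config.php" ]; then
    chmod 400 "$site_root/wp/wp-config.php"
  fi
}

# Print every path that deviates from the policy; empty output means clean.
audit_permissions() {
  site_root=$1
  find "$site_root" -type d ! -perm 755
  find "$site_root" -type f ! -name wp-config.php ! -perm 644
  find "$site_root" -type f -name wp-config.php ! -perm 400
}

# Constructed demo tree mirroring the post's layout, with two bad modes.
make_demo_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp/wp-content/uploads"
  printf 'RewriteEngine On\n' > "$root/.htaccess"
  printf '<?php\n' > "$root/wp/wp-config.php"
  printf '<?php\n' > "$root/wp/wp-login.php"
  chmod 777 "$root/wp/wp-content/uploads"          # world-writable: wrong
  chmod 666 "$root/wp/wp-config.php"               # world-readable: wrong
  printf '%s\n' "$root"
}

# Count remaining policy violations (0 once hardened).
violation_count() {
  audit_permissions "$1" | wc -l | tr -d ' '
}
```

Mode 400 on wp-config.php only works when PHP runs as the file's owner (the usual arrangement on shared hosting); if the web server runs as a different user, WordPress cannot read its configuration and the site fails to load.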
WordPress Installation Directory Structure
public_html/                  # all directory permissions 0755
|__ .htaccess
|__ wp/
    |__ .htaccess
    |__ wp-login.php
    |__ wp-config.php         # permission 0400
    |__ wp-admin/
    |__ wp-includes/
    |__ wp-content/
        |__ .htaccess
        |__ debug.log
        |__ plugins/
        |__ themes/
        |__ cache/
        |__ upgrade/
        |__ uploads/
            |__ .htaccess
Step 10: Securing WordPress by Adding Server Directives
- Open the public_html/.htaccess file in a text editor.
- Add the following directives to the file:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/wp/
RewriteRule ^(.*)$ /wp/$1 [L]
These directives will tell the webserver to rewrite all requests that do not start with /wp/ to /wp/.
- Create a .htpasswd file somewhere outside of your public_html directory. You can use a free online service to generate the formatted string for digest authentication, or you can use the htdigest command if you have Apache installed on your local development environment.
- Once you have generated the formatted string, copy it and paste it into the .htpasswd file.
- Open the public_html/wp/.htaccess file in a text editor.
- Add the following directives at the beginning of the file:
<Files "wp-login.php">
AuthType Digest
AuthName "Realm Name"
AuthDigestDomain /wp-login.php https://mydomain.com/wp-login.php
AuthUserFile /home/username/domains/my_domain.com/.htpasswd
Require valid-user
Satisfy All
</Files>
These directives will protect the wp-login.php file using Apache’s mod_auth_digest module.
- Open the public_html/wp/wp-content/.htaccess file in a text editor.
- Add the following directives to the file:
<Files debug.log>
Order allow,deny
Deny from all
</Files>
This code will deny all requests for the debug.log file.
- Open the public_html/wp/wp-content/uploads/.htaccess file in a text editor.
- Add the following directives to the file:
Order Allow,Deny
<FilesMatch "\.(jpe?g|png|gif|webp)$">
Allow From All
</FilesMatch>
This code will allow all clients to access image files only.
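The .htpasswd step earlier in this section (generating the digest string) as a script, an added example that is not part of the original post: it builds the user:realm:hash line that mod_auth_digest reads, without the htdigest tool, and adds or replaces a user in the file. It assumes md5sum is available; the user, realm and password values are constructed samples, and the realm must match the AuthName in the <Files "wp-login.php"> block exactly.

```shell
#!/bin/sh
# Added example (not from the original post): produce the .htpasswd entry
# that mod_auth_digest expects, without the htdigest tool. Assumes md5sum is
# available; the user, realm and password values are constructed samples.
set -eu

# Digest auth stores HA1 = MD5("user:realm:password"), so the realm string
# must be byte-for-byte identical to AuthName in the <Files "wp-login.php"> block.
digest_line() {
  user=$1; realm=$2; password=$3
  case "$user$realm" in
    *:*) echo "user and realm must not contain ':'" >&2; return 1 ;;
  esac
  ha1=$(printf '%s:%s:%s' "$user" "$realm" "$password" | md5sum | cut -d' ' -f1)
  printf '%s:%s:%s\n' "$user" "$realm" "$ha1"
}

# True when a candidate password reproduces the stored line (for self-checks).
verify_digest() {
  stored=$1; user=$2; realm=$3; password=$4
  [ "$(digest_line "$user" "$realm" "$password")" = "$stored" ]
}

# Add or replace a user's entry; the file should live outside public_html.
upsert_digest_user() {
  file=$1; user=$2; realm=$3; password=$4
  tmp=$(mktemp)
  if [ -f "$file" ]; then
    # drop any existing line for this user/realm pair (awk avoids regex escaping)
    awk -F: -v u="$user" -v r="$realm" '!($1 == u && $2 == r)' "$file" > "$tmp"
  fi
  digest_line "$user" "$realm" "$password" >> "$tmp"
  mv "$tmp" "$file"
  chmod 600 "$file"
}
```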