20 Steps to a Flexible and Secure WordPress Installation

A comprehensive WordPress installation, albeit simple to produce, often requires multiple steps — many of which can easily be omitted accidentally. How many times have you forgotten to customize your permalink structure? How about adding in a sitemap plugin? What about changing your timezone? If you’ve installed WordPress more than once, chances are you’ve missed something. Take the following steps and you’ll never miss anything again.

Step 1: Get WordPress from SVN

The number one mistake for a flexible WordPress installation happens right from the get-go. I’ve seen numerous developers manually download, unzip, and upload WordPress to their site. This is not only a waste of time, but it also reduces flexibility.

If you download WordPress from SVN, all you need to do is run the following in command-line:

svn co http://core.svn.wordpress.org/tags/3.0 .

Maybe you want the latest developer version. That’s even simpler:

svn co http://core.svn.wordpress.org/trunk/ .

Why is this so useful? For starters, all it takes is one command. Looking at WordPress in a long-term perspective reveals that SVN also provides the simplest, hassle-free way to update to a new stable version (or even downgrade). For example, let’s say you want to update to version 3.0. All you need to do is run the SVN switch command:

svn sw http://core.svn.wordpress.org/tags/3.0/ .

How easy was that? Note that if you’re using the developer version, updating is even easier:

svn up

That’s all it takes. If you ever need the URL to a new stable version repository, visit the WordPress Codex. You can also find full instructions on using SVN there.

“Looking at WordPress in a long-term perspective reveals that SVN also provides the simplest, hassle-free way to update to a new stable version (or even downgrade).”

Step 2: Secure .svn Directories

Now that you’re using SVN, you must ensure that your .svn directories are protected from the public. One main reason lies in the .svn/entries file, which can give out sensitive information to attackers. For further information regarding this subject, please take a look at Smashing Magazine’s article on the SVN server admin issue.

To secure .svn directories using .htaccess, just apply the following redirect rule:

RewriteRule ^(.*/)?.svn/ - [F,L]

Step 3: Create wp-config.php

As outlined in the famous 5-minute WordPress installation, you’ll need to rename wp-config-sample.php to wp-config.php and add in your database information.

Step 4: Add a Unique Database Prefix and Authentication Keys

Leaving your wp-config.php file only with database information and no other configuration is a security issue. Make sure to generate authentication keys, as outlined in the comments. To do so, visit https://api.wordpress.org/secret-key/1.1/salt/ and copy-paste the randomly-created keys into the file.

Note that you should also change the default WordPress database table prefix. This is to secure your installation against hacks, such as the recent outbreak of the Pharma Hack. Visit random.org to generate a random prefix string which you’ll need to set as the $table_prefix in wp-config.php. In addition, make sure to add an underscore at the end of the prefix.

Step 5: Install Using wp-admin/install.php

As usual, visit wp-admin/install.php in your browser and follow the instructions. When filling out the form, change the default administrator username (“admin”) in order to increase security. Note that most attackers will target a WordPress installation with default settings. Thus, changing this username is a must.

“Note that most attackers will target a WordPress installation with default settings.”

Step 6: Remove wp-admin/install.php

This is a commonly-omitted step which only takes a few seconds to execute. Simply remove the wp-admin/install.php script after installing WordPress for further security.

Step 7: Login to the Dashboard and Complete User Profile

Login to your WordPress installation at http://example.com/wp-admin, click your username in the top-right corner, and fill out your user profile.

Step 8: Edit Tagline and Timezone

Under the Settings > General tab, make sure to edit your blog’s timeline as well as timezone.

Step 9: Review Writing, Reading, and Discussion Settings

Although you might not have to change anything, looking over Settings > Writing, Settings > Reading, and Settings > Discussion is always a good idea. Ensure that the configuration meets your standards.

Step 10: Change Permalink Structure

A default WordPress installation comes with query-string permalinks that look like http://example.com/?p=1 for each article. Not only is this not search-engine friendly, but it’s also not even human-friendly. Change this to a permalink structure that contains the title of the post (%postname% if you’re using a custom configuration).

Step 11: Add .htaccess Rules

An .htaccess file is necessary for your WordPress site to function correctly. To begin, turn on the RewriteEngine:

RewriteEngine On

Disable directory listings for security purposes:

Options -Indexes

Add/Remove www to prevent content duplication (replace example.com with your domain):

# Add www (change www.example.com to example.com to remove www)
RewriteCond %{HTTP_HOST} !^www.example.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

WordPress requires you to redirect all non-files and directories to index.php:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [PT]

Disable ETags:

Header unset ETag
FileETag None

Suppress PHP errors (note that this might not work on all hosts):

php_flag display_startup_errors off
php_flag display_errors off
php_flag html_errors off
php_value docref_root 0
php_value docref_ext 0

Control caching on files to speed up your site:

ExpiresActive On
ExpiresDefault A0
<FilesMatch ".(gif|jpg|jpeg|png|swf)$">
# 2 weeks
ExpiresDefault A1209600
Header append Cache-Control "public"
</FilesMatch>
<FilesMatch ".(xml|txt|html)$">
# 2 hours
ExpiresDefault A7200
Header append Cache-Control "proxy-revalidate"
</FilesMatch>
<FilesMatch ".(js|css)$">
# 3 days
ExpiresDefault A259200
Header append Cache-Control "proxy-revalidate"
</FilesMatch>

Secure the .htaccess file:

<Files .htaccess>
 Order Allow,Deny
 Deny from all
</Files>

Secure the wp-config.php file:

<Files wp-config.php>
 Order Deny,Allow
 Deny from all
</Files>

Secure .svn directories, as explained in step #2:

RewriteRule ^(.*/)?.svn/ - [F,L]

If you would like to add more configuration for your website and are looking for a general tutorial, consider Nettuts’ Ultimate Guide to htaccess Files or Stupid htaccess Tricks on Perishable Press.

Step 12: Use gzip

Applying gzip can compress text files up to 80% and greatly save bandwidth. Making it active on your site only requires a PHP file and a bit of .htaccess. Note that the following code is referenced from a gzip tutorial on Lateral Code.

PHP (gzip.php):

<?php
	if( isset( $_SERVER['HTTP_ACCEPT_ENCODING'] ) && substr_count( $_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip' ) && !preg_match( '/(load-styles|load-scripts).php/', $_SERVER[ 'SCRIPT_NAME' ] ) )
		ob_start( 'ob_gzhandler' );
	else
		ob_start();
?>

This may look a bit daunting at first, but it really isn’t too bad. The large boolean expression checks whether gzip is available and, if so, it’s applied. Unfortunately, I have found that this gzip method doesn’t function well with WordPress’ load-styles.php and load-scripts.php. As a result, the preg_match is used to exclude them.

.htaccess:

<FilesMatch ".js$">
AddHandler application/x-httpd-php .js
php_value default_mimetype "text/javascript"
</FilesMatch>
<FilesMatch ".css$">
AddHandler application/x-httpd-php .css
php_value default_mimetype "text/css"
</FilesMatch>
<FilesMatch ".(htm|html|shtml)$">
AddHandler application/x-httpd-php .html
php_value default_mimetype "text/html"
</FilesMatch>
php_value auto_prepend_file /absolute/path/to/gzip.php

This snippet adds the php handler to .html, .css, and .js files so that they can be gzipped. It also prepends the previously mentioned gzip.php file. Make sure to change /absolute/path/to/gzip.php to the correct path.

Step 13: Apply the 4G Blacklist

Perishable Press’ 4G Blacklist will prevent numerous attacks on your website through .htaccess. I’ve included the code below (edited for WordPress). You can learn about how it works by reading the article on Perishable Press:

### PERISHABLE PRESS 4G BLACKLIST ###

# ESSENTIALS
RewriteEngine on
ServerSignature Off
Options All -Indexes
Options +FollowSymLinks

# FILTER REQUEST METHODS
<IfModule mod_rewrite.c>
 RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
 RewriteRule ^(.*)$ - [F,L]
</IfModule>

# BLACKLIST CANDIDATES
<Limit GET POST PUT>
 Order Allow,Deny
 Allow from all
 Deny from 75.126.85.215   "# blacklist candidate 2008-01-02 = admin-ajax.php attack "
 Deny from 128.111.48.138  "# blacklist candidate 2008-02-10 = cryptic character strings "
 Deny from 87.248.163.54   "# blacklist candidate 2008-03-09 = block administrative attacks "
 Deny from 84.122.143.99   "# blacklist candidate 2008-04-27 = block clam store loser "
 Deny from 210.210.119.145 "# blacklist candidate 2008-05-31 = block _vpi.xml attacks "
 Deny from 66.74.199.125   "# blacklist candidate 2008-10-19 = block mindless spider running "
 Deny from 203.55.231.100  "# 1048 attacks in 60 minutes"
 Deny from 24.19.202.10    "# 1629 attacks in 90 minutes"
</Limit>

# QUERY STRING EXPLOITS
<IfModule mod_rewrite.c>
 RewriteCond %{QUERY_STRING} ../    [NC,OR]
 RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
 RewriteCond %{QUERY_STRING} tag=     [NC,OR]
 RewriteCond %{QUERY_STRING} ftp:     [NC,OR]
 RewriteCond %{QUERY_STRING} http:    [NC,OR]
 RewriteCond %{QUERY_STRING} https:   [NC,OR]
 RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
# RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|'|"|;|?|*).* [NC,OR]
# RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
 RewriteRule ^(.*)$ - [F,L]
</IfModule>

# CHARACTER STRINGS
<IfModule mod_alias.c>
 # BASIC CHARACTERS
 RedirectMatch 403 ,
 RedirectMatch 403 :
 RedirectMatch 403 ;
# RedirectMatch 403 =
 RedirectMatch 403 @
 RedirectMatch 403 [
 RedirectMatch 403 ]
 RedirectMatch 403 ^
 RedirectMatch 403 `
 RedirectMatch 403 {
 RedirectMatch 403 }
 RedirectMatch 403 ~
 RedirectMatch 403 "
 RedirectMatch 403 $
 RedirectMatch 403 <
 RedirectMatch 403 >
 RedirectMatch 403 |
 RedirectMatch 403 ..
# RedirectMatch 403 //
 RedirectMatch 403 %0
 RedirectMatch 403 %A
 RedirectMatch 403 %B
 RedirectMatch 403 %C
 RedirectMatch 403 %D
 RedirectMatch 403 %E
 RedirectMatch 403 %F
 RedirectMatch 403 %22
 RedirectMatch 403 %27
 RedirectMatch 403 %28
 RedirectMatch 403 %29
 RedirectMatch 403 %3C
 RedirectMatch 403 %3E
# RedirectMatch 403 %3F
 RedirectMatch 403 %5B
 RedirectMatch 403 %5C
 RedirectMatch 403 %5D
 RedirectMatch 403 %7B
 RedirectMatch 403 %7C
 RedirectMatch 403 %7D
 # COMMON PATTERNS
 Redirectmatch 403 _vpi
 RedirectMatch 403 .inc
 Redirectmatch 403 xAou6
 Redirectmatch 403 db_name
 Redirectmatch 403 select(
 Redirectmatch 403 convert(
 Redirectmatch 403 /query/
 RedirectMatch 403 ImpEvData
 Redirectmatch 403 .XMLHTTP
 Redirectmatch 403 proxydeny
 RedirectMatch 403 function.
 Redirectmatch 403 remoteFile
 Redirectmatch 403 servername
 Redirectmatch 403 &rptmode=
 Redirectmatch 403 sys_cpanel
 RedirectMatch 403 db_connect
 RedirectMatch 403 doeditconfig
 RedirectMatch 403 check_proxy
 Redirectmatch 403 system_user
 Redirectmatch 403 /(null)/
 Redirectmatch 403 clientrequest
 Redirectmatch 403 option_value
 RedirectMatch 403 ref.outcontrol
 # SPECIFIC EXPLOITS
 RedirectMatch 403 errors.
# RedirectMatch 403 config.
 RedirectMatch 403 include.
 RedirectMatch 403 display.
 RedirectMatch 403 register.
 Redirectmatch 403 password.
 RedirectMatch 403 maincore.
 RedirectMatch 403 authorize.
 Redirectmatch 403 macromates.
 RedirectMatch 403 head_auth.
 RedirectMatch 403 submit_links.
 RedirectMatch 403 change_action.
 Redirectmatch 403 com_facileforms/
 RedirectMatch 403 admin_db_utilities.
 RedirectMatch 403 admin.webring.docs.
 Redirectmatch 403 Table/Latest/index.
</IfModule>

A few of these rules are commented out or edited because they interfere with WordPress. If you are having problems with certain URLs, fix them by prepending a “#” (comment) to the corresponding rule.

Step 14: Activate Akismet

“Activating Akismet is a must in order to prevent comment spam.”

Activating Akismet is a must in order to prevent comment spam. Do so by registering for an API key at akismet.com. Note that a WordPress.com account API key will also work.

Once you obtain a key, visit Plugins > Akismet Configuration in your dashboard and paste it in the corresponding box.

Step 15: Download Plugins

The following plugins are a great help to any WordPress blog:

• All in One SEO Pack
• Google XML Sitemaps

For further security, these plugins, referenced from DigWP’s WordPress lockdown article, are also important:

• WordPress File Monitor
• WP Security Scan
• Ultimate Security Check
• Secure WordPress

To make installation easy, you can run the following in command-line under your plugins directory:

wget http://downloads.wordpress.org/plugin/all-in-one-seo-pack.zip 
wget http://downloads.wordpress.org/plugin/google-sitemap-generator.3.2.4.zip
wget http://downloads.wordpress.org/plugin/wordpress-file-monitor.2.3.3.zip
wget http://downloads.wordpress.org/plugin/wp-security-scan.zip
wget http://downloads.wordpress.org/plugin/ultimate-security-check.1.2.zip	
wget http://downloads.wordpress.org/plugin/secure-wordpress.zip
find . -name '*.zip' -exec unzip {} ;
rm *.zip

This will retrieve zip files for the plugins, unzip them, and delete the .zips

These download links may not be correct later on due to plugin updates. As a result, you can visit the wordpress.org plugin pages listed above in order to find the updated links.

After you finish installing the plugins, make sure to enable them through the WordPress dashboard.

Step 16: Configure All in One SEO Pack

Before All in One SEO Pack becomes active, you’ll need to configure it. Go to Settings > All in One SEO to do so. Make sure to mark the “enabled” radio button. In addition, add in a home title, description, and keywords. Finally, set the rest of the options to your liking.

Step 17: Generate a Sitemap

Visit Settings > XML-Sitemap to generate your first sitemap that will be sent to search engines. Before doing so, ensure that the options on the page are what you desire. For example, I often edit the change frequencies, as my posts are modified quite often.

Once you are ready, scroll to the top of the page and click the build link (“Click here”). You might have to create two blank files—sitemap.xml and sitemap.xml.gz—in your root directory depending on the directory permissions. Nevertheless, once you finish building it for the first time, it should automatically update as long as you have “Rebuild sitemap if you change the content of your blog ” checked.

Step 18: Add Security

At this point, you’ve already installed four security plugins. You should now put them into use.

Visit Settings > WordPress File Monitor and add wp-content/uploads in the exclude path. Change the other information if necessary. Note that this plugin will inform you whenever it notices a change in your file system.

Under Settings > Secure WP, check Error Messages and Windows Live Writer for extra protection.

Note that there is a new “Security” tab created by WP Security Scan. Fix items in red under Security > Security and Security > Scanner. When you visit Security > Scanner, make sure to chmod all of your individual plugins with 755 as well. Furthermore, you can use the password tool to generate a strong password.

Finally, fix the errors under Tools > Ultimate Security Check and ensure your site receives an A.

Step 19: Customize Theme and Sidebar

Now that you’ve setup a flexible, secure WordPress installation, you’ll need to make it comprehensive by customizing the theme and sidebar to fit your site’s needs. Of course, there is no set method to accomplish this; each site is unique in it’s own way. Make a theme that appeals to both you and your readers.

Step 20: Write Content

All that’s left now is to write genuine content that appeals to your user base. You now have a flexible, secure, and comprehensive WordPress installation. Use it wisely.

Congratulations! You now have a flexible, secure, and comprehensive WordPress installation. Use it wisely!