How to Install WordPress Securely

Installing WordPress SecurelyPhoto by Mike Baird on Flickr

Most of my clients are looking for the easiest way to install and setup WordPress. It can be as easy as clicking a button but if it leaves our site vulnerable to attack – the ease of setting it up quickly fades.

Here are a few steps we can do that aren’t too technical to tighten up the security for our WordPress websites.

Always, Always, Always Upgrade to the Latest Version

WordPress popularity makes it a big target for the bad guys. At the same time, its popularity ensures security gets better and better. Upgrade WordPress as soon as possible when new versions come out.

Install WordPress to a Subdirectory

Since WordPress installs are so common, the default naming convention for files/folders/databases, etc are well known. One way to make your install different from the guy next door is to install your WordPress into a subdirectory off your root directory. This can be done without exposing the name of your subdirectory to the general public.

After installing WordPress to this subdirectory, move the index.php file from inside this subdirectory to the root directory. This makes it appear that everything is installed at the root directory. This also keeps your root directory clean.

Use Obscure Database Name and Table Names

The other way to make things less obvious is to name your database something besides wordpress or wp. Call it sometopic_wp, or wp_somenumbers, or somethingmoreobscure. Along the same lines, give the prefix for your database tables something else besides wp_. Try wp_2a05 or wp2a05.

If you are using a self-installer, you will be prompted for this information. Plug in your obscure names.

If you are not using a self-installer, set these parameters inside the wp-config.php file.


$table_prefix = 'wp_'


$table_prefix = 'wp_2a05'

Use Obscure Database User Name

In carrying through with the idea security through obscurity idea, use an obscure database user name, too.  A unique combination of letters and numbers hides the obvious.

Disabling Directory Views

If directory views are enabled the contents of your website directories will be listed when a visitors accesses that directory if that directory does not have an index file. Not good! If someone has access to your wp-config.php file, they could quickly compromise your site. Many hosts already disable directory view, but if it hasn’t been disabled, you can take care of it rather quickly.

In the htaccess file of our root directory add this line near the top of the file

Options -Indexes

If htaccess is not an option, you can add a blank index.htm or index.php into each of your WordPress directories. Instead of seeing a directory listing, a blank page will appear (the index file).

Protect wp-config.php File

WordPress uses the wp-config.file to connect to the database and set various preferences. Valuable information is contained within this file. At a minimum, set the permissions of the wp-config.php file to 644 (read and write for the owner, read for group, read only for the world).

To further secure the file, you could update the htaccess file and limit the IPaddress that can access the file. Here is an example:

# Secure wp-config.php
 <Files wp\-config\.php
 Order Deny,Allow
 Deny from all
 Allow from 123.456.789

You can allow multiple IP address by duplicating the Allow from line multiple times with different IP addresses. Or, if it’s a range of addresses you only need to include the first two octets of the address (123.456).

Permissions for File and Directories

It’s likely that your web host has already set up optimal permission settings and access rights. Directory permissions should be set to 755, file permissions to 644.  You might run across exceptions to this when configuring files or directories with plugins, but for the most part these settings should work across the board.

Change Admin Username

Most self-installers let you specify an admin name and password upon installation. Never use ‘admin’ as the user name. Be a bit more creative! If the install automatically adds the admin user, update this immediately after installation to a different username.

This gives you a good foundation in securing down your site. What are some of the steps you’ve taken to keep your site secure from the bad guys?

3 thoughts on “How to Install WordPress Securely”

  1. Super Tips ! However, i find newbie bloggers may find it much easier to make use of a service such as to help them securely install their WP blogs as this could turn out to be a rather daunting task on their side.

Leave a Comment

Your email address will not be published. Required fields are marked *