There are two ways to install WordPress, and the difference between them is simple: one way is secure and the other is not. Adding all of the plugins in the world won’t make up the security gap between them. Discover the elements that make for a secure site installation and why you want to think twice before using the 1-click installation.
5 Levels of Security
There are five levels to a fully secured WordPress installation, starting with the database and going all the way up to your site login. They are listed below, along with what differs between a manual and a 1-click installation at each level.
Database Setup
All of the content on a WordPress site is held in a database. When a visitor views a page, almost everything they see is the result of a query to that database. So it is very important that the database is set up, connected to WordPress, and secured properly. If a hacker gets into your database, they can read or change every other part of your site: posts, settings, user accounts and password hashes.
Manual Installation
- Create a dedicated database for the site.
- Create a dedicated database user with an extremely strong (long, random) password, give it rights on that one database only, and connect WordPress to it.
- Customize the table prefix (the default is wp_).
1-Click Installation
- Creates the database for you.
- Creates and connects a database user with a strong, but installer-chosen, password.
- Uses the default wp_ table prefix.
Note that a custom prefix only defeats scripts that hard-code wp_ in their queries; it does nothing against an attacker who can already run SQL through a vulnerable plugin. The password and the scope of the database user are what matter.
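The manual database steps above, as an added example that is not code from the original page: a POSIX shell script that generates the random password and a non-default table prefix, then prints the SQL for a database user that can reach only the site's own database and only from the local host. The names wp_site and wp_site_user, the MySQL/MariaDB syntax and the localhost-only grant are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original page): strong random credentials and
# a non-default table prefix, plus SQL for a database user scoped to one
# database.  wp_site / wp_site_user are placeholder names.

# Random string of letters and digits of the requested length.  Reads many
# more bytes than needed from /dev/urandom because tr discards most of them.
# Alphanumeric only, so the value can be pasted into SQL or PHP without quoting.
random_string() {
    head -c "$(( $1 * 16 ))" /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$1"
}

# Non-default table prefix such as wp_k3x9q_ (WordPress accepts letters,
# digits and underscores).  Lower-case keeps table names portable between
# case-sensitive and case-insensitive MySQL hosts.
random_prefix() {
    printf 'wp_%s_' "$(random_string 5 | tr 'A-Z' 'a-z')"
}

# SQL for one database and one user who can touch only that database, only
# from localhost.  Contrast with installers that grant ALL PRIVILEGES ON *.*
# or reuse a single account for every site on the server.
db_setup_sql() {
    db_name="$1"; db_user="$2"; db_pass="$3"
    cat <<EOF
CREATE DATABASE \`$db_name\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER '$db_user'@'localhost' IDENTIFIED BY '$db_pass';
GRANT ALL PRIVILEGES ON \`$db_name\`.* TO '$db_user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Demo run: keep the password and prefix for wp-config.php, feed the SQL to
# the server as an administrative user (e.g. mysql -u root -p < setup.sql).
DB_PASS=$(random_string 32)
echo "-- database password for wp-config.php: $DB_PASS"
echo "-- table prefix for wp-config.php: $(random_prefix)"
db_setup_sql wp_site wp_site_user "$DB_PASS"
```

The GRANT is on `wp_site`.* rather than *.*, so a compromise of this site cannot read any other database on the same server; that is the least-privilege point the 1-click installers usually skip.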
Core WordPress File Installation
Once the database is set up, the core WordPress files can be installed and connected to it. Two files in the web root control what crawlers and visitors can reach: .htaccess rules are enforced by the web server, while robots.txt is only a request that well-behaved search engines honor and that hackers simply ignore. The configuration file, wp-config.php, holds the database credentials, the table prefix, and the security keys and salts WordPress uses to sign login cookies. Plus, there are several folders for things like your theme and plugins.
Manual Installation
- Write .htaccess rules that deny direct requests for wp-config.php and other sensitive files and folders, and a robots.txt that keeps search engines out of areas such as wp-admin (remembering that only the .htaccess rules stop a hacker).
- Generate fresh security keys and salts in the configuration file (wp-config.php).
- Place a blank index.php in every folder so the server cannot show a directory listing to search engines or hackers.
- Connect to the database using the custom table prefix.
1-Click Installation
- Standard .htaccess and robots.txt files that leave sensitive files and folders reachable by search engines and hackers.
- Security keys and salts are set in the configuration file (wp-config.php).
- A blank index.php is placed in every folder to prevent directory listings.
- Connects to the database using the default table prefix.
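The manual steps at this level, carried out in an added shell example (mine, not code from the original page or from WordPress): it renders the security-keys block and table prefix for wp-config.php, writes the .htaccess and robots.txt rules, and drops a blank index.php into every folder. The Apache 2.4 "Require all denied" syntax, the DISALLOW_FILE_EDIT line, the CHANGE_ME password placeholder and the scratch directory are assumptions; on a real host point SITE at the document root and merge the fragment into the real wp-config.php, which also needs the usual ABSPATH and wp-settings.php lines.

```shell
#!/bin/sh
# Added example (not from the original page): the core-file hardening steps.
# Placeholder values: wp_site, wp_site_user, CHANGE_ME, prefix wp_k3x9q_.

# Eight random 64-character values for the AUTH_KEY ... NONCE_SALT block.
# The character set excludes quotes and backslashes so the PHP string literal
# cannot be broken by the key itself.
wp_keys() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        key=$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=' | head -c 64)
        printf "define('%s', '%s');\n" "$name" "$key"
    done
}

# Security-relevant fragment of wp-config.php: credentials, custom table
# prefix, fresh keys, and DISALLOW_FILE_EDIT so a stolen admin login cannot
# edit theme/plugin PHP from the dashboard.
wp_config_fragment() {
    printf "<?php\n"
    printf "define('DB_NAME', '%s');\n" "$1"
    printf "define('DB_USER', '%s');\n" "$2"
    printf "define('DB_PASSWORD', '%s');\n" "$3"
    printf "define('DB_HOST', 'localhost');\n"
    printf "\$table_prefix = '%s';\n" "$4"
    wp_keys
    printf "define('DISALLOW_FILE_EDIT', true);\n"
}

# .htaccess for the web root: no directory listings, and no direct requests
# for wp-config.php, its backups, or other sensitive files (Apache 2.4 syntax).
htaccess_rules() {
    cat <<'EOF'
Options -Indexes
<FilesMatch "^(wp-config\.php.*|\.htaccess|\.htpasswd|.*\.(bak|old|orig|sql))$">
    Require all denied
</FilesMatch>
EOF
}

# robots.txt is advisory only: it keeps polite crawlers out of wp-admin but
# is not an access control, which is why the .htaccess rules above exist.
robots_txt() {
    cat <<'EOF'
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
EOF
}

# A blank index.php in every folder under the given root, so a host that
# ignores Options -Indexes still cannot list plugin and theme directories.
add_index_guards() {
    find "$1" -type d | while read -r dir; do
        [ -e "$dir/index.php" ] || printf '<?php\n// Silence is golden.\n' > "$dir/index.php"
    done
}

# Demo against a scratch directory; on a real host SITE is the document root.
SITE=$(mktemp -d)
mkdir -p "$SITE/wp-content/plugins" "$SITE/wp-content/themes" "$SITE/wp-content/uploads"
wp_config_fragment wp_site wp_site_user CHANGE_ME wp_k3x9q_ > "$SITE/wp-config.php"
chmod 640 "$SITE/wp-config.php"   # readable by owner and web-server group only
htaccess_rules > "$SITE/.htaccess"
robots_txt > "$SITE/robots.txt"
add_index_guards "$SITE/wp-content"
find "$SITE" -type f | sort
rm -rf "$SITE"
```

After running it against a real root, request /wp-config.php and /wp-content/plugins/ in a browser: the first should return 403 and the second a blank page rather than a listing. If either still answers, the host is not honoring .htaccess and the rules belong in the server configuration instead.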
WordPress Login
Your WordPress login is like a split door on an old country house: the top half is your username and the bottom half is your password. Locking one half while leaving the other open is hardly a lock at all, but that is exactly what a lot of people do.
Manual Installation
- Choose a username other than admin. WordPress reveals usernames through author archives and its REST API, so this only defeats scripts that try admin alone; the password is the real lock.
- Choose an extremely strong (long, random) password and keep it in a password manager rather than something memorable.
1-Click Installation
- Uses the default username admin, the first thing every brute-force script tries.
- Creates a strong password that the owner usually changes to something easy to remember, and therefore easy to guess.
Security Plugins
There aren’t enough security plugins in the world to make up for an insecure installation. But even a manual installation needs at least one plugin to put a deadbolt on the front door, and it’s called Login Lockdown. After three failed attempts from the same IP address within a few minutes, it locks that address out for about an hour. That makes attackers running high-speed password-guessing tools move along to another site. It counts attempts per source address, so a botnet that spreads guesses across many addresses is not slowed by it, and a slow attacker who stays under the threshold never trips it; the strong password is still what protects you.
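The lockout rule described above, as an added illustration rather than the plugin's own code: it reads login attempts and reports an address once it has failed three times inside the window, together with the time the lock expires. The log format (epoch time, IP address, FAIL or OK) and the sample lines are constructed for this example; the real plugin keeps its counters in the WordPress database rather than reading a log.

```shell
#!/bin/sh
# Added example (not the plugin's code): per-IP lockout after N failures
# within a window.  Input lines are "<epoch> <ip> FAIL|OK", a format made up
# for this illustration.

# Print "<ip> <lock_until>" for each address that reaches the threshold.
# Arguments: threshold (default 3), window seconds (300), lockout seconds (3600).
# Once an address is locked it is reported only once; the plugin additionally
# resets its counters when the lockout expires, which this sketch omits.
failed_login_lockouts() {
    awk -v threshold="${1:-3}" -v window="${2:-300}" -v lockout="${3:-3600}" '
        $3 == "FAIL" {
            ip = $2
            n[ip]++
            t[ip, n[ip]] = $1
            # count this address'"'"'s failures inside the window ending now
            recent = 0
            for (i = n[ip]; i >= 1 && $1 - t[ip, i] <= window; i--) recent++
            if (recent >= threshold && !(ip in locked)) {
                locked[ip] = $1 + lockout
                print ip, locked[ip]
            }
        }'
}

# Constructed sample: 203.0.113.7 fails three times within a minute (locked);
# 198.51.100.4 fails twice and then logs in (not locked); 192.0.2.9 fails
# three times spread over an hour, which a five-minute window never catches.
sample_log() {
    cat <<'EOF'
1700000000 203.0.113.7 FAIL
1700000010 198.51.100.4 FAIL
1700000020 203.0.113.7 FAIL
1700000030 198.51.100.4 FAIL
1700000040 198.51.100.4 OK
1700000050 203.0.113.7 FAIL
1700000060 192.0.2.9 FAIL
1700002000 192.0.2.9 FAIL
1700004000 192.0.2.9 FAIL
EOF
}

# Demo with the plugin-style defaults: three failures, five-minute window,
# one-hour lock.
sample_log | failed_login_lockouts 3 300 3600
```

With the default window only 203.0.113.7 is reported; 192.0.2.9 gets the same three guesses in unchallenged by pacing them, which is the limit of any per-address lockout and why the password itself still has to be strong.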
Extra Security
No matter how secure an installation is, there is no such thing as a bullet-proof site. Every core file, theme, and plugin is a potential security hole, and several thousand sites may get hacked before a flaw is discovered. Once there is a fix, an update is issued.
The great thing about WordPress is that it notifies you in the dashboard when updates are available, and since version 3.7 it installs minor core security releases on its own. Theme and plugin updates still have to be applied by the owner, and the sad thing is that many site owners fail to install them, leaving holes on their site that hackers can and do exploit.
Set Up Your Site the Right Way the First Time
Look back through the bullet points above. Every item under a 1-Click Installation heading that differs from its Manual Installation counterpart is a security hole created by the 1-click installation.
You’ll find a few decent tutorials and videos around the web that tell you how to install WordPress yourself. The problem is that each host is slightly different, and a generic set of instructions won’t work on all of them. It is also a one-time task, not something site owners do often enough to learn and feel comfortable with, and most site owners simply don’t feel good about dealing with the kind of crazy-looking code they have to create for some of the files.
This is also why you will not find any tutorials on BlogAid for installing WordPress.
Get a Geek
Hire a professional to set up your site, and vet them properly before you hand over your hosting credentials. Ask whether they do each of the things in this list. Better yet, have them name the things they do and see if they match this list.
Beware of Free Installation Offers
Be careful of free WordPress setup offers, even from a professional. Most of them, including the ones hosting companies bundle with a plan, use the 1-click installation.
Get the Real Deal
BlogAid offers fully secure, turn-key, manual WordPress site installation for free if the site owner uses one of my two preferred vendors, which are HostGator and BlueHost. These are affiliate links. So, it’s free to the site owner because the hosting company pays me a commission. It’s win-win-win for everyone. The hosting company gets a client, I get paid for my service, and the site owner gets more value than just hosting. They get peace of mind knowing their site is on a secure foundation.
If you used the 1-click installation, there’s still hope. Get the 20-point Site Evaluation and Review. Let’s have a look together and see what needs to be done.