
Monday, July 26, 2010

20 Steps to a Flexible and Secure WordPress Installation

A comprehensive WordPress installation, albeit simple to produce, often requires multiple steps — many of which can easily be omitted accidentally. How many times have you forgotten to customize your permalink structure? How about adding in a sitemap plugin? What about changing your timezone? If you’ve installed WordPress more than once, chances are you’ve missed something. Take the following steps and you’ll never miss anything again.

Step 1: Get WordPress from SVN

The number one mistake for a flexible WordPress installation happens right from the get-go. I’ve seen numerous developers manually download, unzip, and upload WordPress to their site. This is not only a waste of time, but it also reduces flexibility.
If you download WordPress from SVN, all you need to do is run the following in command-line:
  1. svn co .  
Maybe you want the latest developer version. That’s even simpler:
  1. svn co .  
Why is this so useful? For starters, all it takes is one command. Looking at WordPress in a long-term perspective reveals that SVN also provides the simplest, hassle-free way to update to a new stable version (or even downgrade). For example, let’s say you want to update to version 3.0. All you need to do is run the SVN switch command:
  1. svn sw .  
How easy was that? Note that if you’re using the developer version, updating is even easier:
  1. svn up  
That’s all it takes. If you ever need the URL to a new stable version repository, visit the WordPress Codex. You can also find full instructions on using SVN there.
“Looking at WordPress in a long-term perspective reveals that SVN also provides the simplest, hassle-free way to update to a new stable version (or even downgrade).”

Step 2: Secure .svn Directories

Now that you’re using SVN, you must ensure that your .svn directories are protected from the public. One main reason lies in the .svn/entries file, which can give out sensitive information to attackers. For further information regarding this subject, please take a look at Smashing Magazine’s article on the SVN server admin issue.
To secure .svn directories using .htaccess, just apply the following redirect rule:
  1. RewriteRule ^(.*/)?\.svn/ - [F,L]  

Step 3: Create wp-config.php

As outlined in the famous 5-minute WordPress installation, you’ll need to rename wp-config-sample.php to wp-config.php and add in your database information.

Step 4: Add a Unique Database Prefix and Authentication Keys

Leaving your wp-config.php file only with database information and no other configuration is a security issue. Make sure to generate authentication keys, as outlined in the comments. To do so, visit and copy-paste the randomly-created keys into the file.
Note that you should also change the default WordPress database table prefix. This is to secure your installation against hacks, such as the recent outbreak of the Pharma Hack. Visit to generate a random prefix string which you’ll need to set as the $table_prefix in wp-config.php. In addition, make sure to add an underscore at the end of the prefix.

Step 5: Install Using wp-admin/install.php

As usual, visit wp-admin/install.php in your browser and follow the instructions. When filling out the form, change the default administrator username (“admin”) in order to increase security. Note that most attackers will target a WordPress installation with default settings. Thus, changing this username is a must.
“Note that most attackers will target a WordPress installation with default settings.”

Step 6: Remove wp-admin/install.php

This is a commonly-omitted step which only takes a few seconds to execute. Simply remove the wp-admin/install.php script after installing WordPress for further security.

Step 7: Login to the Dashboard and Complete User Profile

Login to your WordPress installation at, click your username in the top-right corner, and fill out your user profile.

Step 8: Edit Tagline and Timezone

Under the Settings > General tab, make sure to edit your blog’s timeline as well as timezone.

Step 9: Review Writing, Reading, and Discussion Settings

Although you might not have to change anything, looking over Settings > Writing, Settings > Reading, and Settings > Discussion is always a good idea. Ensure that the configuration meets your standards.

Step 10: Change Permalink Structure

A default WordPress installation comes with query-string permalinks that look like for each article. Not only is this not search-engine friendly, but it’s also not even human-friendly. Change this to a permalink structure that contains the title of the post (%postname% if you’re using a custom configuration).

Step 11: Add .htaccess Rules

An .htaccess file is necessary for your WordPress site to function correctly. To begin, turn on the RewriteEngine:
  1. RewriteEngine On  
Disable directory listings for security purposes:
  1. Options -Indexes  
Add/Remove www to prevent content duplication (replace with your domain):
  1. # Add www (change to to remove www)  
  2. RewriteCond %{HTTP_HOST} !^$ [NC]  
  3. RewriteRule ^(.*)$$1 [R=301,L]  
WordPress requires you to redirect all non-files and directories to index.php:
  1. RewriteCond %{REQUEST_FILENAME} !-f  
  2. RewriteCond %{REQUEST_FILENAME} !-d  
  3. RewriteRule . index.php [PT]  
Disable ETags:
  1. Header unset ETag  
  2. FileETag None  
Suppress PHP errors (note that this might not work on all hosts):
  1. php_flag display_startup_errors off  
  2. php_flag display_errors off  
  3. php_flag html_errors off  
  4. php_value docref_root 0  
  5. php_value docref_ext 0  
Control caching on files to speed up your site:
  1. ExpiresActive On  
  2. ExpiresDefault A0  
  3. "\.(gif|jpg|jpeg|png|swf)$">  
  4. # 2 weeks  
  5. ExpiresDefault A1209600  
  6. Header append Cache-Control "public"  
  8. "\.(xml|txt|html)$">  
  9. # 2 hours  
  10. ExpiresDefault A7200  
  11. Header append Cache-Control "proxy-revalidate"  
  13. "\.(js|css)$">  
  14. # 3 days  
  15. ExpiresDefault A259200  
  16. Header append Cache-Control "proxy-revalidate"  
Secure the .htaccess file:
  2.  Order Allow,Deny  
  3.  Deny from all  
Secure the wp-config.php file:
  2.  Order Deny,Allow  
  3.  Deny from all  
Secure .svn directories, as explained in step #2:
  1. RewriteRule ^(.*/)?\.svn/ - [F,L]  
If you would like to add more configuration for your website and are looking for a general tutorial, consider Nettuts’ Ultimate Guide to htaccess Files or Stupid htaccess Tricks on Perishable Press.

Step 12: Use gzip

Applying gzip can compress text files up to 80% and greatly save bandwidth. Making it active on your site only requires a PHP file and a bit of .htaccess. Note that the following code is referenced from a gzip tutorial on Lateral Code.

PHP (gzip.php):

  1.     if( isset( $_SERVER['HTTP_ACCEPT_ENCODING'] ) && substr_count( $_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip' ) && !preg_match( '/(load-styles|load-scripts)\.php/'$_SERVER'SCRIPT_NAME' ] ) )  
  2.         ob_start( 'ob_gzhandler' );  
  3.     else  
  4.         ob_start();  
  5. ?>  
This may look a bit daunting at first, but it really isn’t too bad. The large boolean expression checks whether gzip is available and, if so, it’s applied. Unfortunately, I have found that this gzip method doesn’t function well with WordPress’ load-styles.php and load-scripts.php. As a result, the preg_match is used to exclude them.


  1. "\.js$">  
  2. AddHandler application/x-httpd-php .js  
  3. php_value default_mimetype "text/javascript"  
  5. "\.css$">  
  6. AddHandler application/x-httpd-php .css  
  7. php_value default_mimetype "text/css"  
  9. "\.(htm|html|shtml)$">  
  10. AddHandler application/x-httpd-php .html  
  11. php_value default_mimetype "text/html"  
  13. php_value auto_prepend_file /absolute/path/to/gzip.php  
This snippet adds the php handler to .html, .css, and .js files so that they can be gzipped. It also prepends the previously mentioned gzip.php file. Make sure to change /absolute/path/to/gzip.php to the correct path.

Step 13: Apply the 4G Blacklist

Perishable Press’ 4G Blacklist will prevent numerous attacks on your website through .htaccess. I’ve included the code below (edited for WordPress). You can learn about how it works by reading the article on Perishable Press:
  4. RewriteEngine on  
  5. ServerSignature Off  
  6. Options All -Indexes  
  7. Options +FollowSymLinks  
  10. <IfModule mod_rewrite.c>  
  12.  RewriteRule ^(.*)$ - [F,L]  
  13. IfModule>  
  16. <Limit GET POST PUT>  
  17.  Order Allow,Deny  
  18.  Allow from all  
  19.  Deny from   "# blacklist candidate 2008-01-02 = admin-ajax.php attack "  
  20.  Deny from  "# blacklist candidate 2008-02-10 = cryptic character strings "  
  21.  Deny from   "# blacklist candidate 2008-03-09 = block administrative attacks "  
  22.  Deny from   "# blacklist candidate 2008-04-27 = block clam store loser "  
  23.  Deny from "# blacklist candidate 2008-05-31 = block _vpi.xml attacks "  
  24.  Deny from   "# blacklist candidate 2008-10-19 = block mindless spider running "  
  25.  Deny from  "# 1048 attacks in 60 minutes"  
  26.  Deny from    "# 1629 attacks in 90 minutes"  
  27. Limit>  
  30. <IfModule mod_rewrite.c>  
  31.  RewriteCond %{QUERY_STRING} \.\.\/    [NC,OR]  
  32.  RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]  
  33.  RewriteCond %{QUERY_STRING} tag\=     [NC,OR]  
  34.  RewriteCond %{QUERY_STRING} ftp\:     [NC,OR]  
  35.  RewriteCond %{QUERY_STRING} http\:    [NC,OR]  
  36.  RewriteCond %{QUERY_STRING} https\:   [NC,OR]  
  37.  RewriteCond %{QUERY_STRING} mosConfig [NC,OR]  
  38. # RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]  
  39. # RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]  
  40.  RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]  
  41.  RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]  
  42.  RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]  
  43.  RewriteRule ^(.*)$ - [F,L]  
  44. IfModule>  
  47. <IfModule mod_alias.c>  
  49.  RedirectMatch 403 \,  
  50.  RedirectMatch 403 \:  
  51.  RedirectMatch 403 \;  
  52. # RedirectMatch 403 \=  
  53.  RedirectMatch 403 \@  
  54.  RedirectMatch 403 \[  
  55.  RedirectMatch 403 \]  
  56.  RedirectMatch 403 \^  
  57.  RedirectMatch 403 \`  
  58.  RedirectMatch 403 \{  
  59.  RedirectMatch 403 \}  
  60.  RedirectMatch 403 \~  
  61.  RedirectMatch 403 \"  
  62.  RedirectMatch 403 \$  
  63.  RedirectMatch 403 \<  
  64.  RedirectMatch 403 \>  
  65.  RedirectMatch 403 \|  
  66.  RedirectMatch 403 \.\.  
  67. # RedirectMatch 403 \/\/  
  68.  RedirectMatch 403 \%0  
  69.  RedirectMatch 403 \%A  
  70.  RedirectMatch 403 \%B  
  71.  RedirectMatch 403 \%C  
  72.  RedirectMatch 403 \%D  
  73.  RedirectMatch 403 \%E  
  74.  RedirectMatch 403 \%F  
  75.  RedirectMatch 403 \%22  
  76.  RedirectMatch 403 \%27  
  77.  RedirectMatch 403 \%28  
  78.  RedirectMatch 403 \%29  
  79.  RedirectMatch 403 \%3C  
  80.  RedirectMatch 403 \%3E  
  81. # RedirectMatch 403 \%3F  
  82.  RedirectMatch 403 \%5B  
  83.  RedirectMatch 403 \%5C  
  84.  RedirectMatch 403 \%5D  
  85.  RedirectMatch 403 \%7B  
  86.  RedirectMatch 403 \%7C  
  87.  RedirectMatch 403 \%7D  
  89.  Redirectmatch 403 \_vpi  
  90.  RedirectMatch 403 \.inc  
  91.  Redirectmatch 403 xAou6  
  92.  Redirectmatch 403 db\_name  
  93.  Redirectmatch 403 select\(  
  94.  Redirectmatch 403 convert\(  
  95.  Redirectmatch 403 \/query\/  
  96.  RedirectMatch 403 ImpEvData  
  97.  Redirectmatch 403 \.XMLHTTP  
  98.  Redirectmatch 403 proxydeny  
  99.  RedirectMatch 403 function\.  
  100.  Redirectmatch 403 remoteFile  
  101.  Redirectmatch 403 servername  
  102.  Redirectmatch 403 \&rptmode\=  
  103.  Redirectmatch 403 sys\_cpanel  
  104.  RedirectMatch 403 db\_connect  
  105.  RedirectMatch 403 doeditconfig  
  106.  RedirectMatch 403 check\_proxy  
  107.  Redirectmatch 403 system\_user  
  108.  Redirectmatch 403 \/\(null\)\/  
  109.  Redirectmatch 403 clientrequest  
  110.  Redirectmatch 403 option\_value  
  111.  RedirectMatch 403 ref\.outcontrol  
  113.  RedirectMatch 403 errors\.  
  114. # RedirectMatch 403 config\.  
  115.  RedirectMatch 403 include\.  
  116.  RedirectMatch 403 display\.  
  117.  RedirectMatch 403 register\.  
  118.  Redirectmatch 403 password\.  
  119.  RedirectMatch 403 maincore\.  
  120.  RedirectMatch 403 authorize\.  
  121.  Redirectmatch 403 macromates\.  
  122.  RedirectMatch 403 head\_auth\.  
  123.  RedirectMatch 403 submit\_links\.  
  124.  RedirectMatch 403 change\_action\.  
  125.  Redirectmatch 403 com\_facileforms\/  
  126.  RedirectMatch 403 admin\_db\_utilities\.  
  127.  RedirectMatch 403 admin\.webring\.docs\.  
  128.  Redirectmatch 403 Table\/Latest\/index\.  
  129. IfModule>  
A few of these rules are commented out or edited because they interfere with WordPress. If you are having problems with certain URLs, fix them by prepending a “#” (comment) to the corresponding rule.

Step 14: Activate Akismet

“Activating Akismet is a must in order to prevent comment spam.”
Activating Akismet is a must in order to prevent comment spam. Do so by registering for an API key at Note that a account API key will also work.
Once you obtain a key, visit Plugins > Akismet Configuration in your dashboard and paste it in the corresponding box.

Step 15: Download Plugins

The following plugins are a great help to any WordPress blog:
For further security, these plugins, referenced from DigWP’s WordPress lockdown article, are also important:
To make installation easy, you can run the following in command-line under your plugins directory:
  1. wget  
  2. wget  
  3. wget  
  4. wget  
  5. wget  
  6. wget  
  7. find . -name '*.zip' -exec unzip {} \;  
  8. rm *.zip  
This will retrieve zip files for the plugins, unzip them, and delete the .zips
These download links may not be correct later on due to plugin updates. As a result, you can visit the plugin pages listed above in order to find the updated links.
After you finish installing the plugins, make sure to enable them through the WordPress dashboard.

Step 16: Configure All in One SEO Pack

Before All in One SEO Pack becomes active, you’ll need to configure it. Go to Settings > All in One SEO to do so. Make sure to mark the “enabled” radio button. In addition, add in a home title, description, and keywords. Finally, set the rest of the options to your liking.

Step 17: Generate a Sitemap

Visit Settings > XML-Sitemap to generate your first sitemap that will be sent to search engines. Before doing so, ensure that the options on the page are what you desire. For example, I often edit the change frequencies, as my posts are modified quite often.
Once you are ready, scroll to the top of the page and click the build link (“Click here”). You might have to create two blank files—sitemap.xml and sitemap.xml.gz—in your root directory depending on the directory permissions. Nevertheless, once you finish building it for the first time, it should automatically update as long as you have “Rebuild sitemap if you change the content of your blog ” checked.

Step 18: Add Security

At this point, you’ve already installed four security plugins. You should now put them into use.
Visit Settings > WordPress File Monitor and add wp-content/uploads in the exclude path. Change the other information if necessary. Note that this plugin will inform you whenever it notices a change in your file system.
Under Settings > Secure WP, check Error Messages and Windows Live Writer for extra protection.
Note that there is a new “Security” tab created by WP Security Scan. Fix items in red under Security > Security and Security > Scanner. When you visit Security > Scanner, make sure to chmod all of your individual plugins with 755 as well. Furthermore, you can use the password tool to generate a strong password.
Finally, fix the errors under Tools > Ultimate Security Check and ensure your site receives an A.

Step 19: Customize Theme and Sidebar

Now that you’ve setup a flexible, secure WordPress installation, you’ll need to make it comprehensive by customizing the theme and sidebar to fit your site’s needs. Of course, there is no set method to accomplish this; each site is unique in it’s own way. Make a theme that appeals to both you and your readers.

Step 20: Write Content

All that’s left now is to write genuine content that appeals to your user base. You now have a flexible, secure, and comprehensive WordPress installation. Use it wisely.

Congratulations! You now have a flexible, secure, and comprehensive WordPress installation. Use it wisely!


Seo | Web Design | Web Development | Link Building | Web Maintenance | CMS | Shopping Feeds | E-commerce | Corporate Identity | Web Application Solutions | Web Programming | Web Marketing | Flash Design | Brochure Design | Content Writing | Ultimate Solution | Content Identity | Support | Outsourcing | Portfolio | Testimonials | SEO Plans | SEO Packages | Internet Marketing Strategy | Site Optimization & Maintenance | PPC Management Services | Web Design Company Chennai | Privacy Policy | Term of Service | Copyright

Ultimate Creators is an innovative web design Company Chennai Specializing in Web Designing, Logo Branding,Search Engine Marketing, Search Engine Promotion and Search Engine Ranking Services

Ultimate creators is the height of creativity when it comes to web designing, logo branding with a touche of excellence added to your product you can be assured of the ultimate creation in the World Wide Web. If you wish to market yourself in the web you can opt for the seo package which provides you with the options of search engine marketing, search engine promotion and search engine ranking services. For ultimate creations look no further than ultimate creators