Most non-developers have to rely on automated software to install WordPress. If you’re not a website developer and you don’t know how to manually install WordPress, you’re probably going to use your web host’s quick install software solution.
Different web hosts use different versions of this software, but the result is the same: a fast and easy WordPress site set up in minutes.
This sounds great – who wouldn’t love having a WordPress website in minutes? The faster you install WordPress, the faster you can build and officially launch your website.
While fast installations certainly save time, they can be a security risk. Here’s why it’s better to hire a professional to install WordPress manually and skip the quick installation software.
Several years ago, quick install software inside of cPanel failed to add salts and keys to WordPress installations. Not having salts and keys creates a massive security flaw in a WordPress installation.
While it appears that this vulnerability has been fixed in updated versions of quick install software, you’re still vulnerable if your web host hasn’t upgraded their software.
WordPress salts and keys are one of the most important security measures that keep your website secure.
In short, salts cryptographically hash your WordPress site passwords inside your database to make them unreadable. Keys are stored in cookies and allow your password to be decoded when you log in to your account.
Hashed passwords prevent hackers from seeing and using your login credentials if they gain unauthorized access to your WordPress database. When someone accesses your database, they can see your username, but not your password. Your password is completely hidden – you can’t even see your own password when viewing your database.
WordPress website passwords are hashed with an algorithm called MD5, which stands for “message-digest algorithm.” Techtarget defines MD5 as a “one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length digest to be used for authenticating the original message.”
MD5 hashed passwords appear as a string of random letters and numbers inside your database. While it is possible to change your password inside your WordPress database, as long as a hacker is only able to read your database, your account will be protected.
Inside of your website’s wp-config.php file, you’ll find eight lines of code that look like this:
define('AUTH_KEY', '.w`Cg-n|pP7(0*So&*IqFJ[:G-C&lT,{(nm+4d0,a]TAkNrFW^%gxQV1)ZADRZFB');
define('SECURE_AUTH_KEY', '^Ve9qCg5!R|~Q;x)5zd,Ti)LFr6+GhJ+.4DJ:j0m{rn$9n9I If1mrh&wjeM%(vL');
define('LOGGED_IN_KEY', 'a-Mx0rfDeO>60,[{-z)|.p9DpA3GmF(LF[5?guS6a+J!zx2Cc|(+lb wW@dKOth5');
define('NONCE_KEY', 'BrD2s: N_.9o!O5{YrUrrE>ArLf*Q0+n!kDF/G >3Nbc*Nlb 20>4?DN<Dl^Yi|o');
define('AUTH_SALT', '{~)[|-1@{/{$`,3:lct%B*x.4(Y-KMswlgC<giN-=e5p4SG~HW9K&/wm<z~<mT^g');
define('SECURE_AUTH_SALT', ']/]=-w*]Ul}Gid}]`|EHZ0NxyXkUS2- B]]*qBa+oKuFcI%vV+$~*mh&>FDU{oZ#');
define('LOGGED_IN_SALT', 'WYAC^/oHt|rEM|F#Dqe<$w>J}e:]n,@=s3@9`O2/hT+~=l:P&u4Nj6L` 8k1G5$G');
define('NONCE_SALT', 'u*o%C*;-aUbUZ>2P(m1LH=V.^ul9eme+IcQ;2n3E55P<{CWO,EHTnYR!W0[ *2h2');
These are your WordPress salts and keys. The first four lines contain your security keys, while the last four lines contain your salts.
If hackers get ahold of your salts and keys, they can potentially use the information to gain access to your website. That’s why it’s also important to secure your wp-config.php file.
Securing your configuration file requires a multi-faceted approach to security, which we discuss in this article. Normally, nobody can download this file from your WordPress installation. However, former vulnerabilities in popular plugins like ‘Duplicator’ and ‘Slider Revolution’ allowed this file to be downloaded.
Is your configuration file missing salts and keys? You can generate salts and keys directly from WordPress. Each time you reload the page you’ll get a new set.
Once you use the generator, copy and paste the salts and keys into your configuration file and you’re done.
Changing your table prefix is just one more security measure to protect your data. When you install WordPress manually, you get to set your table prefix. When you install WordPress with quick install software, your table prefix will be the default.
Unless specified otherwise, all WordPress installations use the default table prefix: ‘wp_’. Changing your table prefix makes it harder for hackers to access your database. Hackers expect and look for databases that begin with ‘wp_’, but if that prefix doesn’t exist, they won’t be able to find your database easily.
The problem with Quick Install software is that you can’t define your table prefix. It doesn’t matter if you’re installing WordPress from cPanel, Plesk, or a popular hosting company’s proprietary control panel. There might be some obscure control panels with installation software that allows you to set the table prefix, but most don’t.
If you’ve already installed WordPress, it’s not too late – you can change your table prefix in your configuration file and in your database, but you’ll also need to change all references to the old prefix in your database.
If you’ve never done this before, WPBeginner.com published a thorough guide on how to change your WordPress table prefix.
Instead of using quick install software, try installing WordPress manually. It’s not as hard as you might think.
Download the latest version of WordPress and unzip the file to your computer.
Connect to your website through FTP and upload the WordPress files to the directory where you’d like your installation to exist. For example, if you want WordPress to show up as your main website, you’ll upload the files to your main directory. The main directory on a web server is usually titled public_html.
Otherwise, create a new directory or subdomain where you’d like your installation and then upload your files there.
It’s easier to use FTP for uploading files when you have more than a few files to upload.
If you’re using cPanel, you’ll want to head over to the ‘MySQL database wizard.’
Create a database by choosing a name for your database. Make it simple and recognizable. Something like, ‘wpsite.’
Next, create a user and password. Keep the username simple and the password complex. When asked to assign privileges to your user, assign all privileges.
Copy your database name (including the prefix), username and password to a text document temporarily for easy access. You’ll need the information for the next step.
To edit your configuration file, you can use your file manager or keep using FTP.
Navigate to your main WordPress installation directory and locate the file named ‘wp-config-sample.php.’ Open the file to edit the contents and look for this section:
define('DB_NAME', 'database_name_here');
/** MySQL database username */
define('DB_USER', 'username_here');
/** MySQL database password */
define('DB_PASSWORD', 'password_here');
Replace ‘database_name_here’ with the database name you just created, including the prefix provided by your web hosting account.
Replace ‘username_here’ with the username you just created.
Replace ‘password_here’ with the password for the user you just created.
Save your file, then rename your file to ‘wp-config.php.’
Visit the URL for the main directory where you uploaded your installation in your web browser. You should see a prompt to begin the WordPress installation. From there, just follow the prompts.
On the second screen, you’ll be asked to enter some information.
For “Site Title” enter the title of your website. You can change this later.
For “admin username” enter the username you want for your admin account. For security purposes, avoid using the word “admin,” since that will only give hackers an advantage in hacking your site.
Choose a password, enter your email, and click “Install WordPress.”
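The wp-config-sample.php edits from the steps above can also be scripted. This added example (not the article's or WordPress's own code) fills in the database settings, a non-default table prefix and eight fresh salts and keys; it generates the values locally with Python's `secrets` module instead of the WordPress generator, and the sample file text, database names and password are constructed for illustration.

```python
import re
import secrets
import string

SECRET_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
# Assumed alphabet for this example: no quote or backslash characters.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"

def php_quote(value):
    """Return value as a PHP single-quoted string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def set_define(text, name, value):
    """Replace the value in define('NAME', '...'); fail if the line is absent."""
    pattern = re.compile(r"^(\s*define\(\s*'%s'\s*,\s*)'[^']*'" % re.escape(name), re.MULTILINE)
    text, count = pattern.subn(lambda m: m.group(1) + php_quote(value), text)
    if count != 1:
        raise ValueError("expected exactly one define for " + name)
    return text

def build_wp_config(sample, db_name, db_user, db_password, table_prefix):
    """Fill in database settings, fresh salts and keys, and the table prefix."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", table_prefix):
        raise ValueError("table prefix: letters, digits and underscores only")
    text = sample
    for name, value in (("DB_NAME", db_name), ("DB_USER", db_user),
                        ("DB_PASSWORD", db_password)):
        text = set_define(text, name, value)
    for name in SECRET_NAMES:
        secret = "".join(secrets.choice(ALPHABET) for _ in range(64))
        text = set_define(text, name, secret)
    text, count = re.subn(r"^\$table_prefix\s*=\s*'[^']*'",
                          "$table_prefix = '%s'" % table_prefix, text, flags=re.MULTILINE)
    if count != 1:
        raise ValueError("expected exactly one $table_prefix line")
    return text

# Constructed, shortened stand-in for wp-config-sample.php.
SAMPLE = "<?php\n" + "".join(
    "define('%s', '%s');\n" % pair
    for pair in [("DB_NAME", "database_name_here"), ("DB_USER", "username_here"),
                 ("DB_PASSWORD", "password_here")]
    + [(name, "put your unique phrase here") for name in SECRET_NAMES]
) + "$table_prefix = 'wp_';\n"

if __name__ == "__main__":
    print(build_wp_config(SAMPLE, "wpsite", "wpuser", "p'ss\\word", "x7k_"))
```

The password in the demo call contains a quote and a backslash on purpose: pasted unescaped into the file, either character would break the PHP string.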
It’s possible you might run into some errors while installing WordPress manually. One of the most common errors is a PHP version error. If you get this error, you’ll need to update your version of PHP in your hosting account.
The process for updating your PHP version will vary depending on your web host’s control panel, but here are instructions for cPanel and WHM. If you can’t figure it out, you’ll need to contact your web host. You can probably get someone to do it for you through a live support chat session.
If the installation can’t access your database, you might be asked to enter your database and username information. You only need to enter your database name, username, password, and table prefix. The “Database Host” section should remain ‘localhost.’
Do you need a secure WordPress website, but you don’t want to figure out all the technical details? Contact us and we’ll install and design WordPress for you. At Dev.co, our team of professional developers are WordPress experts who can get your site up and running quickly.
We can help you with anything you need: whether you need an installation, a simple theme, or a custom website, we can do it all.
Contact us today for a free quote. We’re looking forward to working with you.