A few things can be done in order to install WordPress securely. Such things include setting a username and choosing a strong password. You can also change the table prefix and delete files that may serve as a backdoor. Before you install WordPress, install an SSL certificate and redirect from HTTP to HTTPS.
Please note that this tutorial is part of a series to help secure a WordPress blog. Some of these tips might not apply depending on the hosting environment. The following topics are covered:
- Setting up an SSL certificate
- Redirecting users to HTTPS
- Installing WordPress securely
- .htaccess for WordPress security
- php.ini for WordPress security
- Security plugins
- Security maintenance
Set a username
Most hackers first try WordPress’s default configuration settings. “admin” is the default WordPress username and it cannot be changed once the installation is complete. Using the default setting solves half of the hacker’s puzzle, it is therefore important to set the username to something other than “admin”.
Choose a strong password
It is recommended that passwords:
- Contain lowercase letters, capital letters, numbers and special characters;
- Are between 10 to 50 characters in length; and
- Are unique (you haven’t used the password anywhere else).
You can find a password generator at generators.page/password-generator.php.
Change table prefix
A database and database tables are created during the installation. By default, these tables start with
wp_ (table prefix). Set a different table prefix to make it harder for attackers to filter their way in.
Once the install is complete, delete the files listed below. They may contain information about your WordPress installation, serve as a backdoor or be completely unnecessary.
In short, to install WordPress securely, set a username and choose a strong password. Also change the table prefix and delete readme.html, license.txt, wp-config-sample.php, install.php and upgrade.php.