Quick and Reasonably Secure Wordpress install
Rather than relying on the security provided by the default Wordpress install, we have utilized some other security measures. We changed the prefix to the wordpress table names so zero-day SQL exploits which depend on default installations will not work. Defeating zero day exploits is significant because new Wordpress vulnerabilities emerge often, and exploits may be released on a large scale before being reported and patched. We have created the Wordpress database user with only the necessary permissions to do its job. We have changed the name of the admin account to something difficult to guess. We have enabled the Akismet plugin to defeat spam in the comments. We have also employed an .htaccess file in the wp-admin directory to add another layer of password protection.
1. Create mysql database.
mysql> create database wp;
2. Give appropriate grants to wordpress user.
mysql> grant select, insert, update, delete, create, drop on wp.* to 'wordp_user'@'localhost'
identified by 'PASSWORD';
3. Install wordpress files. They are available packaged as a zipped archive or tarball.
root@srv-01 [/home/blogger/public_html]# unzip wordpress-2.7.1.zip
root@srv-01 [/home/blogger/public_html]# chown -R monkeygo:monkeygo wordpress
Copy wp-config-sample.php to wp-config.php. This is your configuration file.
4. Edit the configuration file. Database information needs to be defined:
Then, follow the instructions in the file to generate authentication unique keys and paste them into the file. Wordpress has a service that will generate them for you.
Scroll down to $table_prefix and set the prefix to something more random. This will mean that automated exploits won't be able to run against the wordpress tables because the table names will be incorrect. We're going to set ours to za398_.
5. Point your browser to your wordpress installation. It will redirect to the installation page. eg. http://myblog/wordpress/wp-admin/install.php
Fill in the information, take note of the admin password which is generated for you. This will install the database and set up the basic blog. It will use the table prefix value you specified in the config when it creates the tables.
7. Change the admin login. In this example we change it to tito. Note the non-standard prefix on the table name.
mysql> update za398_users set user_login='admin',user_login='tito';
8. Put an .htaccess file in the wp_admin directory to protect it. We'll use the tito user for this, too, to minimize confusion.
AuthName "Admin Area"
require user tito
And use htpasswd to create a password for the tito user, something like this:
root@srv-01 [~]# /usr/local/apache/bin/htpasswd -cb passwd tito secretword
8. Activate Akismet plugin to catch spam comments.
After you activate it, go to the Akismet configuration link in the plugins area, and enter a Wordpress API key which is available if you sign up for a wordpress.com account.
There's lots more great information about securing blogs at blogsecurit.net, including a great whitepaper that goes into depth about securing WordPress.