1. Code
  2. Security

20 Steps to a Flexible and Secure WordPress Installation

Read Time:12 minsLanguages:

A comprehensive WordPress installation, albeit simple to produce, often requires multiple steps -- many of which can easily be omitted accidentally. How many times have you forgotten to customize your permalink structure? How about adding in a sitemap plugin? What about changing your timezone? If you've installed WordPress more than once, chances are you've missed something. Take the following steps and you'll never miss anything again.

Tutorial now on WptutsTutorial now on WptutsTutorial now on Wptuts

Step 1: Get WordPress from SVN

The number one mistake for a flexible WordPress installation happens right from the get-go. I've seen numerous developers manually download, unzip, and upload WordPress to their site. This is not only a waste of time, but it also reduces flexibility.

If you download WordPress from SVN, all you need to do is run the following in command-line:

Maybe you want the latest developer version. That's even simpler:

Why is this so useful? For starters, all it takes is one command. Looking at WordPress in a long-term perspective reveals that SVN also provides the simplest, hassle-free way to update to a new stable version (or even downgrade). For example, let's say you want to update to version 3.0. All you need to do is run the SVN switch command:

How easy was that? Note that if you're using the developer version, updating is even easier:

That's all it takes. If you ever need the URL to a new stable version repository, visit the WordPress Codex. You can also find full instructions on using SVN there.

"Looking at WordPress in a long-term perspective reveals that SVN also provides the simplest, hassle-free way to update to a new stable version (or even downgrade)."

Step 2: Secure .svn Directories


Now that you're using SVN, you must ensure that your .svn directories are protected from the public. One main reason lies in the .svn/entries file, which can give out sensitive information to attackers. For further information regarding this subject, please take a look at Smashing Magazine's article on the SVN server admin issue.

To secure .svn directories using .htaccess, just apply the following redirect rule:

Step 3: Create wp-config.php

As outlined in the famous 5-minute WordPress installation, you'll need to rename wp-config-sample.php to wp-config.php and add in your database information.

Step 4: Add a Unique Database Prefix and Authentication Keys


Leaving your wp-config.php file only with database information and no other configuration is a security issue. Make sure to generate authentication keys, as outlined in the comments. To do so, visit and copy-paste the randomly-created keys into the file.

Note that you should also change the default WordPress database table prefix. This is to secure your installation against hacks, such as the recent outbreak of the Pharma Hack. Visit to generate a random prefix string which you'll need to set as the $table_prefix in wp-config.php. In addition, make sure to add an underscore at the end of the prefix.

Step 5: Install Using wp-admin/install.php

As usual, visit wp-admin/install.php in your browser and follow the instructions. When filling out the form, change the default administrator username ("admin") in order to increase security. Note that most attackers will target a WordPress installation with default settings. Thus, changing this username is a must.

"Note that most attackers will target a WordPress installation with default settings."

Step 6: Remove wp-admin/install.php

This is a commonly-omitted step which only takes a few seconds to execute. Simply remove the wp-admin/install.php script after installing WordPress for further security.

Step 7: Login to the Dashboard and Complete User Profile

Login to your WordPress installation at, click your username in the top-right corner, and fill out your user profile.

Step 8: Edit Tagline and Timezone


Under the Settings > General tab, make sure to edit your blog's timeline as well as timezone.

Step 9: Review Writing, Reading, and Discussion Settings

Although you might not have to change anything, looking over Settings > Writing, Settings > Reading, and Settings > Discussion is always a good idea. Ensure that the configuration meets your standards.

Step 10: Change Permalink Structure


A default WordPress installation comes with query-string permalinks that look like for each article. Not only is this not search-engine friendly, but it's also not even human-friendly. Change this to a permalink structure that contains the title of the post (%postname% if you're using a custom configuration).

Step 11: Add .htaccess Rules

An .htaccess file is necessary for your WordPress site to function correctly. To begin, turn on the RewriteEngine:

Disable directory listings for security purposes:

Add/Remove www to prevent content duplication (replace with your domain):

WordPress requires you to redirect all non-files and directories to index.php:

Disable ETags:

Suppress PHP errors (note that this might not work on all hosts):

Control caching on files to speed up your site:

Secure the .htaccess file:

Secure the wp-config.php file:

Secure .svn directories, as explained in step #2:

If you would like to add more configuration for your website and are looking for a general tutorial, consider Nettuts' Ultimate Guide to htaccess Files or Stupid htaccess Tricks on Perishable Press.

Step 12: Use gzip


Applying gzip can compress text files up to 80% and greatly save bandwidth. Making it active on your site only requires a PHP file and a bit of .htaccess. Note that the following code is referenced from a gzip tutorial on Lateral Code.

PHP (gzip.php):

This may look a bit daunting at first, but it really isn't too bad. The large boolean expression checks whether gzip is available and, if so, it's applied. Unfortunately, I have found that this gzip method doesn't function well with WordPress' load-styles.php and load-scripts.php. As a result, the preg_match is used to exclude them.


This snippet adds the php handler to .html, .css, and .js files so that they can be gzipped. It also prepends the previously mentioned gzip.php file. Make sure to change /absolute/path/to/gzip.php to the correct path.

Step 13: Apply the 4G Blacklist

Perishable Press' 4G Blacklist will prevent numerous attacks on your website through .htaccess. I've included the code below (edited for WordPress). You can learn about how it works by reading the article on Perishable Press:

A few of these rules are commented out or edited because they interfere with WordPress. If you are having problems with certain URLs, fix them by prepending a "#" (comment) to the corresponding rule.

Step 14: Activate Akismet

"Activating Akismet is a must in order to prevent comment spam."

Activating Akismet is a must in order to prevent comment spam. Do so by registering for an API key at Note that a account API key will also work.

Once you obtain a key, visit Plugins > Akismet Configuration in your dashboard and paste it in the corresponding box.

Step 15: Download Plugins


The following plugins are a great help to any WordPress blog:

For further security, these plugins, referenced from DigWP's WordPress lockdown article, are also important:

To make installation easy, you can run the following in command-line under your plugins directory:

This will retrieve zip files for the plugins, unzip them, and delete the .zips

These download links may not be correct later on due to plugin updates. As a result, you can visit the plugin pages listed above in order to find the updated links.

After you finish installing the plugins, make sure to enable them through the WordPress dashboard.

Step 16: Configure All in One SEO Pack

Before All in One SEO Pack becomes active, you'll need to configure it. Go to Settings > All in One SEO to do so. Make sure to mark the "enabled" radio button. In addition, add in a home title, description, and keywords. Finally, set the rest of the options to your liking.

Step 17: Generate a Sitemap

Visit Settings > XML-Sitemap to generate your first sitemap that will be sent to search engines. Before doing so, ensure that the options on the page are what you desire. For example, I often edit the change frequencies, as my posts are modified quite often.

Once you are ready, scroll to the top of the page and click the build link ("Click here"). You might have to create two blank files—sitemap.xml and sitemap.xml.gz—in your root directory depending on the directory permissions. Nevertheless, once you finish building it for the first time, it should automatically update as long as you have "Rebuild sitemap if you change the content of your blog " checked.

Step 18: Add Security


At this point, you've already installed four security plugins. You should now put them into use.

Visit Settings > WordPress File Monitor and add wp-content/uploads in the exclude path. Change the other information if necessary. Note that this plugin will inform you whenever it notices a change in your file system.

Under Settings > Secure WP, check Error Messages and Windows Live Writer for extra protection.

Note that there is a new "Security" tab created by WP Security Scan. Fix items in red under Security > Security and Security > Scanner. When you visit Security > Scanner, make sure to chmod all of your individual plugins with 755 as well. Furthermore, you can use the password tool to generate a strong password.

Finally, fix the errors under Tools > Ultimate Security Check and ensure your site receives an A.

Step 19: Customize Theme and Sidebar

Now that you've setup a flexible, secure WordPress installation, you'll need to make it comprehensive by customizing the theme and sidebar to fit your site's needs. Of course, there is no set method to accomplish this; each site is unique in it's own way. Make a theme that appeals to both you and your readers.

Step 20: Write Content


All that's left now is to write genuine content that appeals to your user base. You now have a flexible, secure, and comprehensive WordPress installation. Use it wisely.

Congratulations! You now have a flexible, secure, and comprehensive WordPress installation. Use it wisely!

Extra Resources

If you're new to WordPress development, then you may also be interested in our WordPress Theme Installation information in Envato Studio where we have a wide variety of WordPress resources, as well.

Looking for something to help kick start your next project?
Envato Market has a range of items for sale to help get you started.