I really, really want it to be easy for you to install WordPress, but I’ve heard too many horror stories about hacked WordPress sites to let you go down that path.
Here’s why a manual install, following the Famous 5 Minute Install instructions, is usually better than a 1-click install. Of course, not all hosts are the same, and your host may not make these mistakes, but here are six security mistakes that many 1-click installs make:
Mistake #1) They use the same pattern of database name and database username for everyone. For example, one host I looked at used “myblog_wrdp1” as both the MySQL database name and the database username (where “myblog” was the first 5 letters of the domain name). If the bad guys can just guess your database and username, it is very easy to hack your site. Professionals use long, obscure names for the database, database user, and database password.
Mistake #2) They use the exact same salts for everyone. Your salts should be unique for each site. Do not reuse them. WordPress even provides an easy way to generate them here.
Mistake #3) They use the “wp_” table prefix for your MySQL database. Don’t do it! Much of the WordPress documentation assumes that your table prefix is wp_, but if you do your own install, you can make up a completely unique prefix, like “ad22g34h_” or “jda23s_”. If the bad guys can easily guess the names of your tables, it makes it easier for them to hack your site. I must confess, however, that I continue to use the underscore as the last character of my prefix because it aids in readability of the table names. But there is no hard and fast requirement that you do so.
Mistake #4) They use the “admin” username. My advice? Just say “NO!” to the “admin” username.
Mistake #5) The passwords they create for the database and WordPress login username are NOT long enough. I like to use 14 mixed characters that include letters, numbers, and symbols. Ask me next year, I’ll probably be using 20 mixed characters. Every year I seem to be making my passwords longer and longer. Here are two more password tips: don’t use any words that can be found in a dictionary, and never use the same password twice.
Mistake #6) And last, but not always least, these 1-click installs often bloat your install with extra plugins, themes and files you may never use and never update. Remember, a theme or plugin that is not kept up-to-date is a security risk.
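To make mistakes #1, #2, #3 and #5 concrete, here is a small script I am adding as an example (it is not part of the original post or of WordPress itself). It generates per-site secret keys, a unique table prefix and a long mixed password for wp-config.php, and audits an existing wp-config.php for the patterns described above; the `BAD_CONFIG` sample is constructed for illustration, and the 32-character minimum for secret keys is my own assumption.

```python
import re
import secrets
import string

# The eight secret-key constants WordPress reads from wp-config.php.
WP_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?/<>~|"  # safe inside a single-quoted PHP string (no ' or \)

def gen_table_prefix(length=8):
    """Unique prefix such as 'ad22g34h_': letters/digits, trailing '_' for readability."""
    body = "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(length - 1))
    return secrets.choice(string.ascii_lowercase) + body + "_"

def gen_password(length=20):
    """Mixed upper/lower/digit/symbol string; redraws until every class is present."""
    pool = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

def wp_config_fragment():
    """Per-site secret keys and table prefix, ready to paste into wp-config.php."""
    lines = [f"define('{k}', '{gen_password(64)}');" for k in WP_KEYS]
    return "\n".join(lines + [f"$table_prefix = '{gen_table_prefix()}';"])

def audit_wp_config(text):
    """List the post's mistakes found in a wp-config.php text (empty list means clean)."""
    findings = []
    defs = dict(re.findall(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)", text))
    if re.search(r"\$table_prefix\s*=\s*'wp_'", text):
        findings.append("table prefix is the default wp_")
    for k in WP_KEYS:  # sample-config placeholder, missing, or too short (assumed minimum: 32 chars)
        if "put your unique phrase here" in defs.get(k, "") or len(defs.get(k, "")) < 32:
            findings.append(f"{k} is a placeholder, missing or too short")
    if len({defs.get(k) for k in WP_KEYS}) < len(WP_KEYS):
        findings.append("secret keys are not all distinct")
    if defs.get("DB_NAME") and defs.get("DB_NAME") == defs.get("DB_USER"):
        findings.append("DB_NAME and DB_USER are identical")
    if len(defs.get("DB_PASSWORD", "")) < 14:
        findings.append("DB_PASSWORD is shorter than 14 characters")
    return findings

# Constructed sample of a 1-click-style wp-config.php that makes several of the mistakes.
BAD_CONFIG = """define('DB_NAME', 'myblog_wrdp1');
define('DB_USER', 'myblog_wrdp1');
define('DB_PASSWORD', 'Passw0rd!');
define('AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';"""
```

Run `audit_wp_config()` over your real wp-config.php text to see which of the six patterns your host left behind, and paste the output of `wp_config_fragment()` into a fresh config when doing a manual install.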
So those are the six reasons I prefer a manual install to a one-click install. If you work for a hosting company, and know that your company does NOT make these common 1-click install mistakes, I’d love to know about it. Just leave me a comment below.