© Nead, LLC


Why Quick Install Software Puts Your WordPress Website at Risk

Most non-developers have to rely on automated software to install WordPress. If you’re not a website developer and you don’t know how to manually install WordPress, you’re probably going to use your web host’s quick install software solution.

Different web hosts use different versions of this software, but the result is the same: a fast and easy WordPress website set up in minutes.

This sounds great – who wouldn’t love having a WordPress website in minutes? The faster you install WordPress, the faster you can build and officially launch your website.

While fast installations certainly save time, they can be a security risk. Here’s why it’s better to hire a professional to install WordPress manually and skip the quick installation software.

Problem #1: Quick install software might not add salts and keys

Several years ago, quick install software inside of cPanel failed to add salts and keys to WordPress installations. WordPress does not refuse to run without them: if the eight constants are missing (or still read “put your unique phrase here”), its wp_salt() function generates random values on first use and stores them in the options table of your database. The site keeps working, but the secrets that sign every login cookie now sit in the same database an attacker reads through a SQL injection or a leaked backup, and you can no longer rotate them simply by editing wp-config.php.

While it appears that this problem has been fixed in updated versions of quick install software, you’re still exposed if your web host hasn’t upgraded their software.

What are WordPress salts and keys?

WordPress salts and keys are secrets that WordPress uses to sign the cookies that prove you are logged in, and to generate the nonces that protect forms and admin actions against cross-site request forgery.

They are not involved in hashing your password. Passwords are hashed separately (see the next section) and are never “decoded” at login; WordPress hashes the password you type and compares the result with the stored hash. What the keys and salts do is feed an HMAC: a login cookie is username|expiry|session token|HMAC, and the HMAC is computed from a secret built out of the key and salt for that scheme plus a fragment of your stored password hash. A cookie with the wrong HMAC is rejected, so without the secrets nobody can mint a cookie that WordPress accepts. The keys themselves are never sent to the browser; only the resulting HMAC is.

Hashed passwords prevent attackers from reading and reusing your login credentials if they gain unauthorized access to your database. Someone with a copy of the database sees your username but only a hash of your password; you can’t even see your own password when viewing your database. The hash can still be attacked offline by guessing, so a short or reused password stays weak no matter how it is hashed.

WordPress password hashing: phpass (MD5-based) and, since 6.8, bcrypt

For most of its history WordPress has hashed passwords with the bundled phpass library (wp-includes/class-phpass.php) in “portable” mode: a random 8-character salt per user and 8,192 rounds of MD5, producing the 34-character strings beginning with $P$B that you see in the user_pass column. MD5 stands for “message-digest algorithm.” Techtarget defines MD5 as a “one-way cryptographic function that accepts a message of any length as input and returns as output a fixed-length digest to be used for authenticating the original message.” WordPress 6.8 switched new password hashes to bcrypt and still verifies the older $P$ hashes.

Hashed passwords appear as a string of random letters and numbers inside your database. An attacker who can only read the database cannot turn the hash back into the password, but can guess passwords offline at high speed: 8,192 rounds of MD5 are cheap on a GPU, so a short or dictionary password falls quickly. An attacker who can also write to the database does not need to guess at all and can simply overwrite the hash, which is why read access and write access are different levels of risk.
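To make the phpass scheme concrete, here is an added Python re-implementation of the portable “$P$” hash. This is illustrative code written for this article, not WordPress’s own class-phpass.php, and the password, salt and the tiny wordlist at the bottom are made up; the wordlist is there to show why read access to the database is enough to attack a weak password.

```python
"""phpass "portable" hashing as used for WordPress user_pass values.

Added example (Python re-implementation of the algorithm in
wp-includes/class-phpass.php); not WordPress's own code."""
import hashlib
import secrets

# phpass's own base64 alphabet (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64(): pack `count` bytes into 6-bit ITOA64 characters."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def _crypt_private(password: str, setting: str) -> str:
    """phpass crypt_private(): salted MD5 iterated 2**count_log2 times.

    `setting` is "$P$", one ITOA64 char giving log2 of the round count, and an
    8-character salt. Bad settings return "*" so that no password can match."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$") or not setting[4:12].isascii():
        return "*"
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        return "*"
    salt = setting[4:12].encode("ascii")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):  # "B" -> 2**13 = 8192 rounds in WordPress
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def hash_password(password: str, salt: str = "") -> str:
    """Produce a WordPress-style $P$B hash. Omit `salt` to get a fresh random one."""
    if not salt:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return _crypt_private(password, "$P$B" + salt)


def check_password(password: str, stored_hash: str) -> bool:
    """Recompute with the salt and round count embedded in the stored hash."""
    computed = _crypt_private(password, stored_hash)
    return secrets.compare_digest(computed.encode("utf-8"), stored_hash.encode("utf-8"))


def offline_guess(stored_hash: str, candidates) -> str:
    """What an attacker with a database dump does: guess offline, no logins needed.
    Returns the matching candidate, or "" when none matches."""
    for candidate in candidates:
        if check_password(candidate, stored_hash):
            return candidate
    return ""


if __name__ == "__main__":
    h = hash_password("correct horse battery")  # made-up password
    print(h, check_password("correct horse battery", h))
    # Constructed toy wordlist; a real attacker brings billions of candidates.
    print(offline_guess(h, ["123456", "password", "correct horse battery"]))
```

The salt protects against precomputed tables, and the 8,192 rounds slow each guess down, but neither helps a password that is on a wordlist.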

Where are WordPress salts and keys stored?

Inside of your website’s wp-config.php file, you’ll find eight lines of code that look like this:

define('AUTH_KEY', '.w`Cg-n|pP7(0*So&*IqFJ[:G-C&lT,{(nm+4d0,a]TAkNrFW^%gxQV1)ZADRZFB');

define('SECURE_AUTH_KEY', '^Ve9qCg5!R|~Q;x)5zd,Ti)LFr6+GhJ+.4DJ:j0m{rn$9n9I If1mrh&wjeM%(vL');

define('LOGGED_IN_KEY', 'a-Mx0rfDeO>60,[{-z)|.p9DpA3GmF(LF[5?guS6a+J!zx2Cc|(+lb wW@dKOth5');

define('NONCE_KEY', 'BrD2s: N_.9o!O5{YrUrrE>ArLf*Q0+n!kDF/G >3Nbc*Nlb 20>4?DN<Dl^Yi|o');

define('AUTH_SALT', '{~)[|-1@{/{$`,3:lct%B*x.4(Y-KMswlgC<giN-=e5p4SG~HW9K&/wm<z~<mT^g');

define('SECURE_AUTH_SALT', ']/]=-w*]Ul}Gid}]`|EHZ0NxyXkUS2- B]]*qBa+oKuFcI%vV+$~*mh&>FDU{oZ#');

define('LOGGED_IN_SALT', 'WYAC^/oHt|rEM|F#Dqe<$w>J}e:]n,@=s3@9`O2/hT+~=l:P&u4Nj6L` 8k1G5$G');

define('NONCE_SALT', 'u*o%C*;-aUbUZ>2P(m1LH=V.^ul9eme+IcQ;2n3E55P<{CWO,EHTnYR!W0[ *2h2');

These are your WordPress salts and keys. The first four lines contain your security keys, while the last four lines contain your salts. They come in pairs, one key and one salt per scheme: AUTH (the admin cookie over plain HTTP), SECURE_AUTH (the same cookie over HTTPS), LOGGED_IN (the front-end logged-in cookie) and NONCE (form and action nonces). WordPress joins each key with its salt to form the secret for that scheme.

If attackers get hold of your keys and salts, they can potentially forge the cookies that WordPress accepts as a login. A leaked wp-config.php also hands them the database credentials on the same page, and with that combination (the secrets, the four-character fragment of a user’s password hash from the users table, and the ability to plant a session token) they can mint a cookie for any account, including the administrator, without knowing a single password. That’s why it’s also important to secure your wp-config.php file. If you suspect the file has leaked, replace all eight values: every existing cookie stops validating, everyone is logged out, and any forged cookies die with them.

Securing your configuration file requires a multi-faceted approach to security, which we discuss in a separate article. Normally, nobody can download this file from your WordPress installation, because the web server executes PHP files instead of serving their source. However, past vulnerabilities in popular plugins such as ‘Duplicator’ and ‘Slider Revolution’ allowed arbitrary files, this one included, to be downloaded.
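The following added example (Python, written for this article; not WordPress’s own code) models wp_salt(), wp_hash(), wp_generate_auth_cookie() and wp_validate_auth_cookie() closely enough to show what the keys and salts actually do, and what someone holding a leaked wp-config.php plus database access can do with them. The configuration values, the user row and its password hash are constructed; session tokens are modelled as the set of SHA-256 token hashes WordPress keeps in usermeta.

```python
"""How WordPress turns the wp-config keys and salts into a login cookie.

Added example modelling wp_salt(), wp_hash(), wp_generate_auth_cookie() and
wp_validate_auth_cookie() in Python; not WordPress's own code."""
import hashlib
import hmac
import secrets

SCHEMES = ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")


def make_config() -> dict:
    """Random stand-ins for the eight wp-config.php constants (constructed here)."""
    return {f"{s}_{kind}": secrets.token_urlsafe(48) for s in SCHEMES for kind in ("KEY", "SALT")}


def wp_salt(config: dict, scheme: str) -> str:
    """wp_salt(): the per-scheme secret is simply KEY followed by SALT."""
    return config[f"{scheme.upper()}_KEY"] + config[f"{scheme.upper()}_SALT"]


def wp_hash(config: dict, data: str, scheme: str) -> str:
    """wp_hash(): HMAC-MD5 of `data` keyed with wp_salt(scheme)."""
    return hmac.new(wp_salt(config, scheme).encode(), data.encode(), hashlib.md5).hexdigest()


def hash_token(token: str) -> str:
    """WP_Session_Tokens::hash_token(): usermeta stores SHA-256 of the raw token."""
    return hashlib.sha256(token.encode()).hexdigest()


def generate_auth_cookie(config: dict, user: dict, expiration: str, token: str,
                         scheme: str = "auth") -> str:
    """wp_generate_auth_cookie(): login|expiration|token|hmac.

    `user` is a wp_users row with 'user_login' and 'user_pass' (the stored hash)."""
    login = user["user_login"]
    pass_frag = user["user_pass"][8:12]  # four characters of the password *hash*
    key = wp_hash(config, f"{login}|{pass_frag}|{expiration}|{token}", scheme)
    mac = hmac.new(key.encode(), f"{login}|{expiration}|{token}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{login}|{expiration}|{token}|{mac}"


def validate_auth_cookie(config: dict, cookie: str, users: dict, sessions: dict,
                         now: int, scheme: str = "auth"):
    """wp_validate_auth_cookie(): the login if the cookie is genuine, else None.

    `users` maps login -> wp_users row; `sessions` maps login -> set of hashed tokens."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    login, expiration, token, mac = parts
    if not expiration.isdigit() or int(expiration) < now:
        return None
    user = users.get(login)
    if user is None:
        return None
    expected = generate_auth_cookie(config, user, expiration, token, scheme).rsplit("|", 1)[1]
    if not hmac.compare_digest(expected, mac):
        return None
    if hash_token(token) not in sessions.get(login, set()):  # WordPress 4.0+ session check
        return None
    return login


def forge_cookie(leaked_config: dict, leaked_user: dict, sessions: dict, now: int) -> str:
    """The attacker's side: with wp-config.php (keys, salts, DB credentials) and the
    database, mint a cookie for any user without knowing a password. A session row
    has to be planted because tokens are stored hashed, so DB read alone is not enough."""
    token = secrets.token_hex(22)
    sessions.setdefault(leaked_user["user_login"], set()).add(hash_token(token))
    return generate_auth_cookie(leaked_config, leaked_user, str(now + 2 * 86400), token)


if __name__ == "__main__":
    config = make_config()
    users = {"admin": {"user_login": "admin",
                       "user_pass": "$P$BhA6qR9P4NbdT2c5Wy0MsVx1fgKJo7."}}  # constructed hash
    sessions: dict = {}
    now = 1_700_000_000
    forged = forge_cookie(config, users["admin"], sessions, now)
    print("forged cookie accepted as:", validate_auth_cookie(config, forged, users, sessions, now))
    rotated = make_config()  # new keys and salts pasted into wp-config.php
    print("after key rotation:", validate_auth_cookie(rotated, forged, users, sessions, now))
```

Run it and the forged cookie validates as admin until the keys are rotated, at which point the same cookie is rejected; that is the whole reason the eight values must stay secret and must be replaced after a leak.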

How to get WordPress salts and keys

Is your configuration file missing salts and keys, or still showing the placeholder text? You can generate a fresh set from WordPress.org’s secret-key service at https://api.wordpress.org/secret-key/1.1/salt/ ; each time you reload the page you’ll get a new set. If you’d rather not fetch secrets over the network, any 64-character random string per line will do, as long as it contains no single quotes or backslashes, which would break the PHP string.

Once you have a set, paste the eight lines into your configuration file in place of the existing ones and you’re done. Be aware that changing the values invalidates every login cookie, so all users (you included) are logged out. That is a feature: it is exactly what you want after a suspected compromise.

Problem #2: You can’t change your table prefix with Quick install software

Changing your table prefix is a minor hardening step, not a strong control. When you install WordPress manually, you get to set your table prefix. When you install WordPress with quick install software, your table prefix will usually be left at the default.

Unless specified otherwise, all WordPress installations use the default table prefix: ‘wp_’. Changing it means that canned attack scripts which hard-code names such as wp_users or wp_options fail until the attacker adapts. That is all it buys you. The prefix is not a secret: any SQL injection that goes through WordPress’s own code already uses the configured prefix, and an attacker with a working injection can read the real table names from information_schema in one query. Treat a custom prefix as a speed bump, and patch the plugin that allowed the injection.

Many quick install tools don’t let you define your table prefix, or hide the option under an ‘advanced’ section that most people never open, whether you’re installing WordPress from cPanel, Plesk, or a popular hosting company’s proprietary control panel. Check what your installer offers before you rely on it.

Changing your table prefix in an existing installation

If you’ve already installed WordPress, it’s not too late. Changing the prefix on an existing site means three things, done together while the site is offline: set $table_prefix in wp-config.php, rename every table that starts with the old prefix, and update the rows whose names embed the prefix, in particular the option named wp_user_roles in the options table and the wp_capabilities and wp_user_level keys in usermeta. Miss that last step and every account loses its role, so take a database backup first.

If you’ve never done this before, WPBeginner.com published a thorough guide on how to change your WordPress table prefix.
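As an added example (written for this article; not WPBeginner’s or WordPress’s code), here is the rename carried out in Python against an in-memory SQLite miniature of four WordPress tables, so you can see the two gotchas: the rows whose names embed the prefix, and the LIKE wildcard trap. The table contents are constructed and the ‘k7q_’ prefix is an arbitrary choice. On MySQL the statements are RENAME TABLE old TO new plus the same two UPDATEs, and $table_prefix in wp-config.php must be changed to match.

```python
"""Changing the WordPress table prefix on an existing database.

Added example against an in-memory SQLite copy of four WordPress tables
(constructed here); not WordPress's or WPBeginner's code."""
import re
import sqlite3


def seed_demo_db(conn: sqlite3.Connection, prefix: str = "wp_") -> None:
    """Constructed miniature of a fresh install. The rows that embed the prefix
    (user_roles option, capabilities and user_level meta) are the ones people forget."""
    conn.executescript(f"""
        CREATE TABLE {prefix}users    (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE {prefix}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                       meta_key TEXT, meta_value TEXT);
        CREATE TABLE {prefix}options  (option_id INTEGER PRIMARY KEY,
                                       option_name TEXT, option_value TEXT);
        CREATE TABLE {prefix}posts    (ID INTEGER PRIMARY KEY, post_title TEXT);
        INSERT INTO {prefix}users (user_login) VALUES ('alice');
        INSERT INTO {prefix}usermeta (user_id, meta_key, meta_value) VALUES
            (1, '{prefix}capabilities', 'a:1:{{s:13:"administrator";b:1;}}'),
            (1, '{prefix}user_level', '10'),
            (1, 'nickname', 'alice');
        INSERT INTO {prefix}options (option_name, option_value) VALUES
            ('{prefix}user_roles', 'a:5:{{...}}'),
            ('siteurl', 'https://example.test'),
            ('wpzzz_unrelated', 'must not be touched');
    """)


def tables_with_prefix(conn: sqlite3.Connection, prefix: str) -> list:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' "
                        "AND substr(name, 1, ?) = ? ORDER BY name", (len(prefix), prefix))
    return [r[0] for r in rows]


def names_with_prefix(conn: sqlite3.Connection, table_prefix: str, name_prefix: str) -> list:
    """Audit helper: option_name / meta_key values that start with name_prefix."""
    found = []
    for table, col in ((f"{table_prefix}options", "option_name"),
                       (f"{table_prefix}usermeta", "meta_key")):
        found += [r[0] for r in conn.execute(
            f'SELECT {col} FROM "{table}" WHERE substr({col}, 1, ?) = ? ORDER BY {col}',
            (len(name_prefix), name_prefix))]
    return found


def change_prefix(conn: sqlite3.Connection, old: str, new: str) -> list:
    """Rename the tables, then fix the rows whose names carry the prefix.
    Returns the list of tables that were renamed."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", new):
        raise ValueError("WordPress only allows letters, digits and underscores in a prefix")
    tables = tables_with_prefix(conn, old)
    for table in tables:
        conn.execute(f'ALTER TABLE "{table}" RENAME TO "{new}{table[len(old):]}"')
    # substr(), not LIKE 'wp_%': in LIKE the underscore is a single-character
    # wildcard, so 'wp_%' would also catch names such as 'wpzzz_unrelated'.
    for table, col in ((f"{new}options", "option_name"), (f"{new}usermeta", "meta_key")):
        conn.execute(f'UPDATE "{table}" SET {col} = ? || substr({col}, ?) '
                     f'WHERE substr({col}, 1, ?) = ?', (new, len(old) + 1, len(old), old))
    conn.commit()
    return tables


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    seed_demo_db(db)
    print("before:", names_with_prefix(db, "wp_", "wp_"))
    print("renamed:", change_prefix(db, "wp_", "k7q_"))
    print("after:", names_with_prefix(db, "k7q_", "k7q_"), "leftovers:", names_with_prefix(db, "k7q_", "wp_"))
```

After the change the audit helper should report no option or meta names that still begin with the old prefix; if it does, the accounts tied to those rows have lost their roles.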

How to install WordPress manually (it’s easy!)

Instead of using quick install software, try installing WordPress manually. It’s not as hard as you might think.

1. Download the WordPress core files

Download the latest version of WordPress and unzip the file to your computer.

2. Upload the WordPress core files to your website

Connect to your website with SFTP or FTPS (plain FTP sends your password across the network in clear text) and upload the WordPress files to the directory where you’d like your installation to exist. For example, if you want WordPress to show up as your main website, you’ll upload the files to your main directory. The main directory on a web server is usually titled public_html.

Otherwise, create a new directory or subdomain where you’d like your installation and then upload your files there.

A file-transfer client is much easier than a web-based file manager when you have more than a few files to upload.

3. Create a MySQL database and user

If you’re using cPanel, you’ll want to head over to the ‘MySQL database wizard.’

Create a database by choosing a name for your database. Make it simple and recognizable. Something like, ‘wpsite.’

Next, create a user and password. Keep the username simple and the password complex. When asked to assign privileges, grant the user all privileges on this one database only; never give it global privileges or reuse it for another site, so that a compromised WordPress install can reach no other data.

Copy your database name (including the prefix), user, and password to a text document temporarily for easy access. You’ll need the information for the next step; delete the note once wp-config.php is in place.

4. Edit the wp-config-sample.php file

To edit your configuration file, you can use your file manager or keep using FTP.

Navigate to your main WordPress installation directory and locate the file named ‘wp-config-sample.php.’ Open the file to edit the contents and look for this section:

define('DB_NAME', 'database_name_here');

/** MySQL database username */

define('DB_USER', 'username_here');

/** MySQL database password */

define('DB_PASSWORD', 'password_here');

Replace ‘database_name_here’ with the database name you just created, including the prefix provided by your web host.

Replace ‘username_here’ with the username you just created.

Replace ‘password_here’ with the password for the user you just created.

While you’re in the file, also change the line $table_prefix = 'wp_'; to a prefix of your own (letters, digits and underscores only) and replace the eight ‘put your unique phrase here’ placeholders with real keys and salts. Save your file, then rename it to ‘wp-config.php.’

5. Visit your website to run the installation

Visit the URL for the main directory where you uploaded your installation. You should see a prompt to begin the WordPress installation. From there, just follow the prompts.

On the second screen, you’ll be asked to enter some information.

For “Site Title” enter the title of your website. You can change this later.

For “Username” enter the username you want for your admin account. For security purposes, avoid using the word “admin,” since that will only give hackers an advantage in hacking your site.

Choose a password, enter your email, and click “Install WordPress.”

6. Troubleshoot errors

It’s possible you might run into some errors while installing WordPress manually. One of the most common errors is a PHP version error. If you get this error, you’ll need to update your version of PHP in your hosting account.

The process for updating your PHP version will vary depending on your web host’s control panel, but here are instructions for cPanel and WHM. If you can’t figure it out, you’ll need to contact your web host. You can probably get someone to do it for you through a live support chat session.

If the installation can’t access your database, you might be asked to enter your database and username information. You only need to enter your database name, username, password, and table prefix. The “Database Host” section should remain ‘localhost’ unless your web host told you to use a separate database server.
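Pulling steps 3 and 4 together, here is an added Python example (written for this article; not a WordPress tool) that fills in a copy of wp-config-sample.php offline: database name, user and password, a non-default table prefix, and eight locally generated keys and salts drawn from the same character set as the WordPress generator. SAMPLE_CONFIG is a constructed, abridged stand-in for the real sample file, and the database credentials in the demo are made up.

```python
"""Filling in wp-config-sample.php offline: database settings, a random table
prefix and eight freshly generated keys and salts.

Added example, not WordPress's own tooling. SAMPLE_CONFIG is a constructed,
abridged stand-in for the real wp-config-sample.php."""
import re
import secrets
import string

# Alphabet wp_generate_password(64, true, true) draws from: letters, digits and
# these specials. No single quote and no backslash, so a value drops straight
# into a PHP single-quoted string without escaping.
SECRET_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()" + "-_ []{}<>~`+=,.;:/?|"
SECRET_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

DEFINE_RE = r"define\(\s*'%s',\s*'(?:[^'\\]|\\.)*'\s*\);"


def php_single_quoted(value: str) -> str:
    """Escape for a PHP single-quoted literal, where only \\ and ' are special."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def random_secret(length: int = 64) -> str:
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def random_table_prefix() -> str:
    """Letters, digits and underscores only, which is all WordPress accepts."""
    return "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(5)) + "_"


def set_define(text: str, name: str, value: str) -> str:
    """Replace the value of define('NAME', '...'); raises if the line is missing."""
    line = "define( '%s', '%s' );" % (name, php_single_quoted(value))
    text, n = re.subn(DEFINE_RE % re.escape(name), lambda _m: line, text, count=1)
    if n != 1:
        raise ValueError(f"no define() for {name} in the sample file")
    return text


def render_config(sample: str, db_name: str, db_user: str, db_password: str,
                  db_host: str = "localhost", table_prefix: str = "") -> str:
    prefix = table_prefix or random_table_prefix()
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("table prefix may only contain letters, digits and underscores")
    text = sample
    for name, value in (("DB_NAME", db_name), ("DB_USER", db_user),
                        ("DB_PASSWORD", db_password), ("DB_HOST", db_host)):
        text = set_define(text, name, value)
    for name in SECRET_NAMES:  # a distinct random value for each of the eight
        text = set_define(text, name, random_secret())
    text, n = re.subn(r"\$table_prefix\s*=\s*'[^']*';",
                      lambda _m: f"$table_prefix = '{prefix}';", text, count=1)
    if n != 1:
        raise ValueError("no $table_prefix line in the sample file")
    return text


def defined_values(text: str) -> dict:
    """Read define('NAME', 'value') lines back, undoing PHP escaping (audit helper)."""
    pattern = r"define\(\s*'([A-Z_]+)',\s*'((?:[^'\\]|\\.)*)'\s*\);"
    return {m.group(1): re.sub(r"\\(['\\])", r"\1", m.group(2)) for m in re.finditer(pattern, text)}


if __name__ == "__main__":
    # Made-up credentials; note the quote in the password survives escaping.
    print(render_config(SAMPLE_CONFIG, "wpsite", "wpsite_user", "Tr0ub4dor&'3"))
```

Write the output to wp-config.php (leave the sample file alone), and never commit the result to a repository or leave a copy such as wp-config.php.bak in the web root, where the server will happily serve it as plain text.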

Need to install WordPress? We’ll do that for you!

Do you need a secure WordPress website, but you don’t want to figure out all the technical details? Contact us and we’ll install and design WordPress for you. At website.design, our team of professional developers are WordPress experts who can get your site up and running quickly.

We can help with anything you need: an installation, a simple theme, or a fully custom website.

Contact us today for a free quote. We’re looking forward to working with you.

Ryan Nead
