How to install WordPress securely

A few things can be done in order to install WordPress securely. Such things include setting a username and choosing a strong password. You can also change the table prefix and delete files that may serve as a backdoor. Before you install WordPress, install an SSL certificate and redirect from HTTP to HTTPS.

Please note that this tutorial is part of a series to help secure a WordPress blog. Some of these tips might not apply depending on the hosting environment. The following topics are covered:

Set a username

Most hackers first try WordPress’s default configuration settings. “admin” is the default WordPress username and it cannot be changed once the installation is complete. Using the default setting solves half of the hacker’s puzzle, it is therefore important to set the username to something other than “admin”.

Choose a strong password

It is recommended that passwords:

  • Contain lowercase letters, capital letters, numbers and special characters;
  • Are between 10 to 50 characters in length; and
  • Are unique (you haven’t used the password anywhere else).

Change table prefix

A database and database tables are created during the installation. By default, these tables start with wp_ (table prefix). Set a different table prefix to make it harder for attackers to filter their way in.

Delete files

Once the install is complete, delete the files listed below. They may contain information about your WordPress installation, serve as a backdoor or be completely unnecessary.

  • readme.html
  • license.txt
  • wp-config-sample.php
  • wp-admin/install.php
  • wp-admin/upgrade.php


In short, to install WordPress securely, set a username and choose a strong password. Also change the table prefix and delete readme.html, license.txt, wp-config-sample.php, install.php and upgrade.php.

Sharing is caring!

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top