Ask your host/web hosting provider about account security (strong control-panel and FTP/SFTP credentials, up-to-date PHP, isolation between accounts) so that your website cannot be compromised easily. Once you are satisfied that the account fulfils the requirements for WordPress hosting, let's begin with the WordPress installation.
Where to Install WordPress
Let's assume that a live website already exists at the domain xyz.com and you do not want to take it down while preparing your new WordPress website. Even if there is no current live website, follow this step anyway for better security. To prevent long downtime it is highly recommended to install WordPress in a folder under the domain, e.g. xyz.com/newsite or xyz.com/manage or xyz.com/wpxyzadmn.
Name the folder carefully, because this installation will remain the administration login even after the new WordPress website goes live. The name should not be guessable; keep it unique. Avoid admin, administration or the domain name in the folder name.
Secure the User ID
Let's assume that you are now installing WordPress in the folder xyz.com/wpxyzadmn. During installation you will be asked to choose the first user ID, which has administrator-level access. Do not use admin, administrator, webmaster or the domain name as the user name: most automated login attempts try exactly those names. Once installed, your current website is still live at the root xyz.com and your new WordPress website is at xyz.com/wpxyzadmn. Read about installing WordPress at WordPress.org (you can do the standard install known as the Famous 5-Minute Installation, or a one-click installation if your web hosting provider offers installation tools).
Secure your website
Now log in to your WordPress admin panel at xyz.com/wpxyzadmn/wp-admin. Immediately after the first login we recommend the following.

Disable comments if you are not running a blog or do not want comments on posts. Spammers post large numbers of unwanted comments on open posts, which bloats the database, and on an outdated installation (old core, theme or plugin with a known injection bug) every open input such as the comment form is one more place an attacker can try an SQL injection. Also confirm that registration is disabled ("Anyone can register" in Settings -> General is off by default); most websites do not need new user registrations.

Install a security plugin right away, before you begin designing. Many security plugins support renaming and relocating the default wp-content folder (WordPress reads its location from the WP_CONTENT_DIR and WP_CONTENT_URL constants in wp-config.php). If you do this later you will end up with broken images or a broken theme, because paths you already saved point at the old folder, so change the name before you begin design work. A few poorly written plugins hardcode the wp-content path and will break after the rename; test them once the change is made.

Change the administrator user ID from the default "1". Many security plugins support this, and they can also ban any IP that tries to log in as user ID 1 or as "admin". You can change the ID directly in the database, to 2 or any other unused value above 1, but then you must also update every table that references it (wp_usermeta.user_id, wp_posts.post_author and any plugin tables), which is why a plugin is the safer route. Since your real administrator is not called admin, banning the IP of anyone who tries to log in as admin costs you nothing.

Change the login page. Most security plugins can rename wp-login.php or wp-admin, so unauthorized users who open the default URLs get a 404 Not Found. Plugins such as iThemes Security or Theme My Login support this. That keeps the site clear of most automated attacks.

Enable two-factor authentication (SMS OTP, email code or, preferably, an authenticator app). After the correct user ID and password are entered, a one-time code is generated for that login, and without it nobody can log in.

Keep in mind that renaming folders, user IDs and login URLs hides you from automated scans but does not fix a vulnerable plugin; keeping core, themes and plugins updated and using strong passwords remain the real defence. These are the settings to have in place before you begin designing. Configure further lockdowns only once the site is complete and live, or you may end up banning yourself time and again.
At this point you can start with your other settings: remove the default page and default blog post, rename the default category, set up the theme, then create your home page and other pages. Let's assume you have completed your website and want to make it live.
Backup first. It is always recommended and best practice for any development or design task. Back up the old website's files and its SQL database, if any, and back up your current WordPress installation (the wpxyzadmn folder and its database) as well. For a quick backup and to clear the root folder, go to your FTP root, i.e. public_html or www (the domain's document root), and create a new backup folder; name it so you can recognise it later, for example backup-oldsite or backup-oldsite-2018. Move your old website's files into that folder, or delete them if you no longer need them.

Make sure the root does not contain an index.php or a .htaccess, because those are the two files the go-live step places there. Check what the old site's entry file is: on a Windows/IIS server an old .NET site uses default.aspx and web.config, and on a Linux server the old default document may be index.html rather than index.php, so neither conflicts and you can avoid any downtime. (Which file the server serves first when several exist is set by its DirectoryIndex order, so check it before relying on this.) But if an index.php and .htaccess are already present in the domain root, there will be a short downtime that depends on how quickly you can copy and paste. Once you have analysed this, move the old website's files from the root into the backup folder you created, or, if there are no conflicting files, you can skip moving them for now.
3 Steps to Make your New WordPress Website Live
Remember that your WordPress installation is in a folder.

Step 1. Log in to your WordPress admin, go to Settings -> General and change the Site Address (URL) ONLY, from xyz.com/wpxyzadmn to xyz.com. DO NOT change the WordPress Address (URL); it stays at xyz.com/wpxyzadmn and remains your administrator login. Save the settings.

Step 2. Head over to FTP or the File Manager in your web hosting control panel. COPY, do NOT move, the two files index.php and .htaccess from the xyz.com/wpxyzadmn folder into the root (make sure the root has no old files with the same names). Afterwards the same two files exist both in the folder and in the root of xyz.com.

Step 3. Edit the index.php in the root only. Its last line is
require( dirname( __FILE__ ) . '/wp-blog-header.php' );
(newer WordPress versions write it as require __DIR__ . '/wp-blog-header.php';). Change it to
require( dirname( __FILE__ ) . '/wpxyzadmn/wp-blog-header.php' );
that is, insert the folder name with a leading "/", so the root index.php points at the wp-blog-header.php inside the folder. Then go to Settings -> Permalinks, set the permalinks to Plain (Default) and save, then set them back to the structure of your choice (for example Post name) and save again. This makes WordPress rewrite the root .htaccess with rewrite rules for the root address.

At this point your WordPress website should be live and secured. Test the home page and other pages; they must open correctly. Then log out and log in to the admin panel again to confirm everything is working.
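The file-level part of the backup and go-live steps above (move the old site aside, copy rather than move index.php and .htaccess, edit the require line), as an added shell example. This is not code from the article or from WordPress; the document root path, the folder name wpxyzadmn and the backup-oldsite-YYYYMMDD naming are assumptions, and the Site Address (URL) change and the permalink reset still have to be done in wp-admin.

```sh
#!/bin/sh
# Go-live helper for a WordPress install that lives in a subfolder.
# Added example, not code from the article or from WordPress. Assumptions:
#   docroot - the domain's document root (public_html or www)
#   wpdir   - the folder holding WordPress (wpxyzadmn in the article)
set -eu

# Move everything in the document root except the WordPress folder into a
# dated backup folder (backup-oldsite-YYYYMMDD). Prints the backup path.
backup_old_site() {
  docroot=$1; wpdir=$2
  backup="$docroot/backup-oldsite-$(date +%Y%m%d)"
  mkdir -p "$backup"
  for f in "$docroot"/* "$docroot"/.[!.]*; do
    [ -e "$f" ] || continue                          # unmatched glob, skip
    case "$(basename "$f")" in
      "$wpdir"|"$(basename "$backup")") continue ;;  # never move WP or the backup itself
    esac
    mv "$f" "$backup/"
  done
  printf '%s\n' "$backup"
}

# Write a root index.php that bootstraps from the subfolder. The only change is
# the folder name inserted before /wp-blog-header.php; both spellings WordPress
# has shipped, dirname( __FILE__ ) and __DIR__, are handled.
rewrite_index() {
  src=$1; dst=$2; wpdir=$3
  sed -e "s#dirname( __FILE__ ) \. '/wp-blog-header\.php'#dirname( __FILE__ ) . '/$wpdir/wp-blog-header.php'#" \
      -e "s#__DIR__ \. '/wp-blog-header\.php'#__DIR__ . '/$wpdir/wp-blog-header.php'#" \
      "$src" > "$dst"
  grep -q "/$wpdir/wp-blog-header.php" "$dst"        # fail loudly if nothing was rewritten
}

# Copy (never move) .htaccess and index.php into the root, refusing to overwrite
# an old index.php or .htaccess that has not been backed up first.
go_live() {
  docroot=$1; wpdir=$2
  for f in index.php .htaccess; do
    if [ -e "$docroot/$f" ]; then
      echo "root already has $f: run backup_old_site first" >&2
      return 1
    fi
  done
  if [ -e "$docroot/$wpdir/.htaccess" ]; then
    cp "$docroot/$wpdir/.htaccess" "$docroot/.htaccess"
  else
    echo "no .htaccess in $wpdir yet; the permalink save will create one in the root" >&2
  fi
  rewrite_index "$docroot/$wpdir/index.php" "$docroot/index.php" "$wpdir"
}

# Usage (on the hosting shell):
#   backup_old_site /home/user/public_html wpxyzadmn
#   go_live /home/user/public_html wpxyzadmn
```

The refusal to overwrite an existing root index.php or .htaccess is deliberate: the article's short-downtime scenario is exactly the case where those files exist, so the script makes you move them into the backup folder first rather than silently clobbering the old site.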
Installing WordPress Best Practices Points to remember
- Check with your hosting provider about the security of your account.
- Install WordPress in a folder.
- Do not use admin, administrator or webmaster as the login ID or the folder name.
- Disable comments if not needed.
- Install a security plugin of your choice.
- Change the WordPress wp-content folder name before you begin design work.
- Change the default administrator-level user ID from 1 (supported by security plugins).
- Change the login page name.
- Back up the OLD and NEW website files and their databases.
- To make the new website live, go to Settings -> General and change the Site Address (URL) to the root. Do not change the WordPress Address (URL); it must keep pointing at domain.com/folder.
- Copy index.php and .htaccess from the folder to the root. Copy only; do not move, do not cut.
- Edit the root index.php and change the blog header path from require( dirname( __FILE__ ) . '/wp-blog-header.php' ); to require( dirname( __FILE__ ) . '/wpxyzadmn/wp-blog-header.php' );
- Update / reset your permalinks.