How to Install WordPress Securely
WordPress powers a huge share of the web, which also makes it a constant target. This guide installs it on Ubuntu 24.04 with a database user limited to the WordPress database, correct file ownership and permissions, unique secret keys, and HTTPS. Locked-down permissions and HTTPS are what separate a safe install from a hacked one.
Install the LAMP Stack
Install Apache, MySQL/MariaDB, PHP, and the PHP extensions WordPress needs.
sudo apt update
sudo apt install -y apache2 mariadb-server php libapache2-mod-php \
    php-mysql php-curl php-gd php-mbstring php-xml php-intl php-zip
Create a Dedicated Database User
Create the WordPress database and a user with privileges on that database only. Use a strong unique password and never reuse the root account.
sudo mysql
CREATE DATABASE wordpress;
CREATE USER 'wordpressuser'@'localhost' IDENTIFIED BY 'CHANGE_ME_long_random_password';
-- Privileges scoped strictly to the wordpress database
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpressuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;
Download WordPress
Fetch the latest release and place it in the web root.
cd /tmp
wget https://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz
sudo cp -r wordpress/* /var/www/html/
Configure Credentials and Unique Salts
Copy the sample config, enter your database credentials, and replace the placeholder secret keys with unique salts generated by the official WordPress API. Unique salts ensure authentication cookies cannot be forged from the known placeholder values, and regenerating them invalidates every existing session.
cd /var/www/html
sudo cp wp-config-sample.php wp-config.php
# Fetch fresh, unique authentication keys and salts from the official API:
curl -s https://api.wordpress.org/secret-key/1.1/salt/
# Paste that output into wp-config.php, replacing the existing 'put your unique phrase here' lines
sudo nano wp-config.php   # also set DB_NAME=wordpress, DB_USER=wordpressuser, DB_PASSWORD=...
Set Correct Ownership and Permissions
Give the files to the web server user, set directories to 755 and files to 644, and lock wp-config.php down to 640 so its database password is not world-readable.
sudo chown -R www-data:www-data /var/www/html
# Directories 755 (rwxr-xr-x)
sudo find /var/www/html -type d -exec chmod 755 {} \;
# Files 644 (rw-r--r--)
sudo find /var/www/html -type f -exec chmod 644 {} \;
# wp-config.php holds the DB password: tighten to 640 (no access for 'other')
sudo chmod 640 /var/www/html/wp-config.php
Secure with HTTPS
Issue a free Let's Encrypt certificate so logins and admin sessions are encrypted, with an automatic HTTP to HTTPS redirect.
sudo apt install -y certbot python3-certbot-apache
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com --redirect
sudo certbot renew --dry-run   # confirm auto-renewal works
Finish Setup and Harden
Complete the browser installer, then keep core and plugins updated and disable xmlrpc.php if you do not use it, since it is a common vector for brute-force login attempts and pingback-based DDoS.
# Visit https://yourdomain.com in a browser and complete the install wizard.
# If you do not use the XML-RPC API (most sites do not), disable it in Apache:
sudo tee /etc/apache2/conf-available/block-xmlrpc.conf > /dev/null <<EOF
<Files xmlrpc.php>
    Require all denied
</Files>
EOF
sudo a2enconf block-xmlrpc && sudo systemctl reload apache2
WordPress is installed with a least-privilege database user, correct 755/644 permissions, a 640 wp-config.php, unique salts, HTTPS, and xmlrpc disabled. Keep core, themes, and plugins updated, since outdated code is the number one cause of WordPress compromises.
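To confirm the permission and salt steps above actually took effect, here is an added audit script (not part of this guide or of WordPress itself) that walks the install and reports anything that drifted from 755/644, a 640 wp-config.php, or replaced and distinct salts; the function name `wp_audit` and the optional owner argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the guide: audit a finished WordPress tree for
# the settings this guide applies (755 dirs, 644 files, 640 wp-config.php,
# placeholder salts replaced and all eight secrets distinct).
# Usage: wp_audit /var/www/html [www-data]  -> prints findings, returns 1 if any
wp_audit() {
    root=$1
    owner=${2:-}   # optional expected owner of every path, e.g. www-data
    status=0

    if [ -n "$owner" ]; then
        bad_owner=$(find "$root" ! -user "$owner")
        if [ -n "$bad_owner" ]; then
            printf 'not owned by %s:\n%s\n' "$owner" "$bad_owner"; status=1
        fi
    fi

    # Directories must be exactly 755 (rwxr-xr-x)
    bad_dirs=$(find "$root" -type d ! -perm 755)
    if [ -n "$bad_dirs" ]; then
        printf 'directory not 755:\n%s\n' "$bad_dirs"; status=1
    fi

    # Regular files must be 644; wp-config.php is checked separately below
    bad_files=$(find "$root" -type f ! -name wp-config.php ! -perm 644)
    if [ -n "$bad_files" ]; then
        printf 'file not 644:\n%s\n' "$bad_files"; status=1
    fi

    cfg="$root/wp-config.php"
    if [ ! -f "$cfg" ]; then
        echo "missing $cfg"; return 1
    fi
    # The DB password lives here, so 'other' must have no access at all
    if [ -n "$(find "$cfg" ! -perm 640)" ]; then
        echo "wp-config.php is not 640"; status=1
    fi
    # wp-config-sample.php ships every secret as this placeholder string
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "wp-config.php still contains placeholder salts"; status=1
    fi
    # The four keys and four salts must all be defined and all differ
    distinct=$(grep -E "define\( *'(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)'" "$cfg" \
        | sed -E "s/.*, *'([^']*)'.*/\1/" | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -ne 8 ]; then
        echo "wp-config.php: expected 8 distinct keys/salts, found $distinct"; status=1
    fi
    return $status
}
```

Run it as root after the permissions step (`sudo sh -c '. ./wp_audit.sh; wp_audit /var/www/html www-data'`) and again after any plugin or theme install, since those often drop files with looser modes.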