Thord Daniel Hedengren - Smashing WordPress_ Beyond the Blog-Wiley (2014)


CHAPTER 1 • The Anatomy of a WordPress Install


You may not be able to re-create the environment exactly, however. If so, edit wp-config.php
accordingly. Most likely it is the database name, username, and password (DB_NAME, DB_USER, and
DB_PASSWORD) that you'll have to change, and possibly DB_HOST if the new host uses an external
database server rather than localhost.


Moving WordPress from one server to another may seem scary at first, but it isn't as bad as it
once was. If you have a big blog and aren't comfortable working in a database admin interface
such as phpMyAdmin, it may be a bit much; get help, or give it a go yourself. Either way, take
every backup you could possibly need, and do your experimenting on the new server, not on the
old (current) one. If something goes wrong on the new server, you can always create a fresh
database and WordPress install there and try again.


HOW TO MAKE YOUR WORDPRESS INSTALL MORE SECURE


There are a few simple things you can do to make your WordPress install more secure, and a
few that are pretty hardcore. First and foremost, keep WordPress up to date. What a given
release contains varies, but many releases fix security holes and bugs that leave an install
open to attack, and if you don't update regularly you won't get those fixes.


Also make sure the secret keys and salts are set in wp-config.php. WordPress uses them to
sign the cookies that keep you logged in, so an install running with the sample placeholder
values, or with none at all, is easier to attack. See the section "The Basic Install" earlier
in this chapter for more on this. Usually they are set, but if you used an installer they
might not be, so it doesn't hurt to check wp-config.php and add them if needed.
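A quick way to do that check is to read the eight define() lines WordPress looks for and flag anything missing, still the sample placeholder, short, or reused. The script below is an added example, not code from the book or from WordPress; the sample config excerpt, the 32-character threshold, and the list of names it treats as "well known" are constructed for the demo. fresh_defines() produces replacement lines locally; WordPress also serves a set at https://api.wordpress.org/secret-key/1.1/salt/.

```python
"""Audit the authentication keys and salts in a wp-config.php (added example)."""
import re
import secrets
import string

# The eight constants WordPress uses to sign and encrypt auth cookies and nonces.
EXPECTED_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Text shipped in wp-config-sample.php; left in place, every such install shares it.
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 32  # threshold chosen for this check; the official generator emits 64 chars
# Characters safe inside a PHP single-quoted string (no quote, no backslash).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"

DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)\s*;"""
)

# Constructed wp-config.php excerpt: one good value per slot, plus one of each mistake.
GOOD_A, GOOD_B, GOOD_C, GOOD_D = "Aq7!" * 16, "Zx3#" * 16, "Mv9%" * 16, "Tr5&" * 16
SAMPLE_CONFIG = f"""<?php
define('DB_NAME', 'wp_site');
define('AUTH_KEY',         '{GOOD_A}');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'abc123');
define('NONCE_KEY',        '{GOOD_B}');
define('AUTH_SALT',        '{GOOD_C}');
define('SECURE_AUTH_SALT', '{GOOD_C}');
define('LOGGED_IN_SALT',   '{GOOD_D}');
$table_prefix = 'wp_';
"""


def parse_defines(config_text):
    """Map constant name to value for every define('NAME', 'value'); line."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def audit_secret_keys(config_text):
    """Return findings in EXPECTED_KEYS order; an empty list means all eight look fine."""
    defines = parse_defines(config_text)
    findings, seen = [], {}
    for name in EXPECTED_KEYS:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: missing")
            continue
        if PLACEHOLDER in value:
            findings.append(f"{name}: still the sample placeholder")
            continue
        if len(value) < MIN_LENGTH:
            findings.append(f"{name}: only {len(value)} chars")
        if value in seen:
            findings.append(f"{name}: same value as {seen[value]}")
        else:
            seen[value] = name
    return findings


def fresh_defines(length=64):
    """Build eight define() lines with random values, ready to paste into wp-config.php."""
    lines = []
    for name in EXPECTED_KEYS:
        value = "".join(secrets.choice(ALPHABET) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit_secret_keys(SAMPLE_CONFIG):
        print("FIX:", finding)
    print("\nReplacement lines:\n" + fresh_defines())
```

Changing the keys invalidates every existing login cookie, so all users are logged out; that is also the point, since it is the quickest way to kick out a session an attacker may be holding.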

USERS AND PASSWORDS


The first thing I do after installing WordPress is create a new user with administrator
privileges and log in with that account instead of the previously default admin user. Why?
Because everyone knows that if there is a user named admin, that account has full
administrative capabilities. So if you wanted to hack your way into a WordPress install, you
would start by brute forcing the admin user's password; half the work, learning a valid
username, is already done for you, and once you're in that way you can do anything you want.
So after you have logged in for the first time and created a proper account, delete the admin
user (WordPress asks which user should inherit its posts); it has fulfilled its purpose.


That being said, deleting the admin user won't stop attackers from finding another user to
aim their attempts at. If you have author archives on your blog, those give your usernames
away: with pretty permalinks enabled, requesting ?author=1 redirects to the first user's
archive, whose URL contains the author slug. One solution is not to display these, or any
links to author pages (other than ones you've created outside WordPress's own
functionality), but what do you do if you feel you need them? All in all, there are tons of
places within an install where usernames can be obtained, and most themes print them in
bylines and author links, which makes it even easier. The login form helps an attacker too,
since it returns different error messages for an unknown username and for a wrong password.
Still, there is no reason to leave a user named admin, which everyone knows has
administrative rights, lying around.
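To see how little an attacker needs, here is an added example (not code from the book) that works through both leaks described above on captured data: the ?author=N redirect, whose Location header points at /author/<slug>/, and the author links a theme prints in bylines. The responses and HTML are constructed and nothing is fetched. It assumes the default "author" permalink base and the default case where the slug (user_nicename) is derived from the login name; the list of names it flags as guessable is an assumption for the demo.

```python
"""Pull WordPress usernames out of author redirects and theme markup (added example)."""
import re

# /author/<slug>/ with the default permalink base; a custom base changes this.
AUTHOR_PATH_RE = re.compile(r"""/author/([^/?#"'\s]+)/?""")
# Names an attacker will try without any enumeration at all (chosen for this example).
WELL_KNOWN_ADMIN_NAMES = {"admin", "administrator", "root", "wordpress", "test"}

# Constructed responses to /?author=1, 2, 3 as (status code, Location header).
# User ID 1 is always the account created during installation.
SAMPLE_REDIRECTS = {
    1: (301, "http://example.com/author/admin/"),
    2: (301, "http://example.com/author/thord/"),
    3: (404, None),  # no user with this ID
}
# Constructed theme output: a byline and an author widget.
SAMPLE_HTML = """
<p class="byline">By <a href="http://example.com/author/admin/" class="url fn n">Site Admin</a></p>
<ul class="authors">
  <li><a href="/author/editor-jane/">Jane</a></li>
  <li><a href="/author/admin/">Admin</a></li>
</ul>
"""


def slug_from_location(location):
    """Return the author slug from a redirect target, or None if it isn't an author URL."""
    if not location:
        return None
    m = AUTHOR_PATH_RE.search(location)
    return m.group(1) if m else None


def enumerate_from_redirects(responses):
    """Map user ID to slug for every /?author=N probe that redirected to an archive."""
    found = {}
    for user_id, (status, location) in responses.items():
        if status in (301, 302):
            slug = slug_from_location(location)
            if slug:
                found[user_id] = slug
    return found


def author_slugs_from_html(html):
    """Unique author slugs linked from theme output, sorted."""
    return sorted(set(AUTHOR_PATH_RE.findall(html)))


def flag_well_known(slugs):
    """Slugs an attacker would guess first; these should not exist on a hardened site."""
    return sorted(s for s in slugs if s.lower() in WELL_KNOWN_ADMIN_NAMES)


if __name__ == "__main__":
    by_id = enumerate_from_redirects(SAMPLE_REDIRECTS)
    from_theme = author_slugs_from_html(SAMPLE_HTML)
    print("From ?author=N redirects:", by_id)
    print("From theme markup:       ", from_theme)
    print("Guessable without probing:", flag_well_known(set(by_id.values()) | set(from_theme)))
```

Run against your own site's captured responses, an empty result from flag_well_known() and a redirect map that does not contain a privileged account are what you want to see; the slugs that do show up are exactly the usernames a brute-force attempt will be aimed at.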
