DRAFT
After my WordPress website was hacked into, I began to look into all the options and advice for setting it up securely.
http://codex.wordpress.org/Installing_WordPress
Step 1: Getting the Latest WordPress Version
I like to use the shell for this since it saves on downloading it on one of my computers and then transferring it onto a remote server. Login to your file hosting server with the shell account you assigned to your domain. Navigate to a directory where you want to work from, keeping in mind that it doesn’t have to be the directory that is set to be public on the Internet (i.e. where the files placed here can be reached via a browser). At the prompt, run: wget http://wordpress.org/latest.tar.gz
The above link will always download the latest release. Now you need to decompress this archive, run: tar -xzvf latest.tar.gz
In your current directory, you should now have a directory called wordpress that you can rename to anything. You will be pointing your URL address to this folder as your root.
Delete readme.html from the wordpress root directory as this will tip off the exact version you have installed to possible attackers.
Step 2: Changing the wp-config.php File
Fill in the information related to the database you’ll be using in the following defines: DB_NAME, DB_USER, DB_PASSWORD, DB_HOST
You should always change the default database table prefix from wp_ to something a bit harder to guess. In most installations, people will have one database devoted strictly to WordPress, so you don’t even have to prefix the tables with wp_; just create a random alphanumeric string (about 4-6 characters long) and use that as your prefix.
$table_prefix = 'wp_'; $table_prefix = 'rRe342_';
Pay attention to the Authentication Unique Keys section and be sure to get a new generated set from the WP secret-key service https://api.wordpress.org/secret-key/1.1/ as it says in the comments area.
A good discussion of other wp-config.php options is found here: http://codex.wordpress.org/Editing_wp-config.php
Step 3: Creating Directory-Level Password Checks
htpasswd -cm /home/<username>/<website>/.htpasswd <new username you want to create a password for>
use the -m for MD5
Step 4: Changing the DreamHost Server Settings to Point to Your New WordPress Installation
To run the WordPress install script, you will need to change the settings of the server to point to your WP root directory (the one created during the decompressing of the archive in Step 1). For DreamHost Web Panel users, head to Manage Domains found either through the Toolbox shortcut or under the Main Menu Domains heading. Find the domain (or sub-domain) name you want WordPress to be shown from and click on its Edit button. Now fill out the Web Directory textbox to map onto the WP root directory.
It may be handy to have phpMyAdmin open and ready for the database you’ll be using as you’re going to want to modify a few things.
Authentication Loop with .htaccess Protected Pages
DRAFT
After trying out my .htaccess scheme to protect my WordPress installation I was running into an endless pop-up of authentication pop-ups.
I searched around and found a post by DianeV on the WP forums: http://wordpress.org/support/topic/113881#post-546028
She links to a post she made back in 2007 (yikes) entitled:
WordPress admin password protection 404 http://developedtraffic.com/2007/05/27/wordpress-admin-password-protection-404/
She points to a support issue with the TextPattern CMS http://textpattern.com/faq/173/password-protected-directories-with-htaccess which happens to give a solution.
It turns out that some servers need to be told explicitly where the error pages are, especially those for 401 and 403 errors, in order for .htaccess authentication to work properly.