You’re now at the WordPress installer UI, which means:
- Web server ✅
- PHP-FPM ✅
- DB connection ✅
- Permissions ✅
- DNS ✅
All core layers are functioning correctly.
Now proceed carefully—this step defines your application-level configuration.
1. Installation Screen Flow
Step 1: Language
You already see this.
- Select:
English (United States)(or your preference) - Click Continue
Step 2: Site Configuration
You will get a form with these fields:
1. Site Title
- Example:
Pravesh Garnu Blog - This is not permanent; can be changed later.
2. Username (IMPORTANT)
- Do NOT use:
admin root wordpress - Use something non-trivial:
pravesh_admin wp_mgr_01
Reason: Prevents brute-force attacks.
3. Password
- WordPress suggests a strong password—keep it.
- Store it securely (password manager)
4. Email
- Use a valid email (used for password recovery)
5. Search Engine Visibility
- For now:
✔️ Check it (discourage indexing)
Reason:
- Site is not production-ready
- Prevents accidental indexing by Google
Click: Install WordPress
2. After Installation (Critical Immediate Actions)
Once installed, you’ll be redirected to:
/wp-login.php
Login using the credentials you just created.
3. Post-Install Hardening (Do This Immediately)
3.1 Fix File Editing in Admin
Edit wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Why:
- Prevents attackers from editing PHP files via dashboard
3.2 Set Correct URL (Avoid Future Redirect Issues)
Go to:
Settings → General
Ensure:
WordPress Address (URL): https://yourdomain.com
Site Address (URL): https://yourdomain.com
3.3 Permalinks (VERY IMPORTANT)
Go to:
Settings → Permalinks
Select:
Post name
Save.
This enables SEO-friendly URLs.
3.4 Verify Upload Permissions
Go to:
Media → Add New
Try uploading an image.
If it fails → permissions issue (but yours likely correct).
3.5 Remove Default Content
Delete:
- Sample Post
- Sample Page
- Hello Dolly plugin
4. NGINX-Specific Adjustment (Often Missed)
Ensure this is working:
try_files $uri $uri/ /index.php?$args;
Why:
- Required for permalinks to work
Test:
- Create a post → open
/sample-post/ - If 404 → NGINX misconfiguration
5. TLS Validation
Check:
https://yourdomain.com
Ensure:
- No browser warnings
- Certbot auto-redirect working
Optional improvement:
return 301 https://$host$request_uri;
6. Basic Security Plugins (Optional but Recommended)
Install:
- Wordfence OR
- iThemes Security
Do NOT install too many plugins.
7. Backup Strategy (Often Ignored)
At minimum:
- DB dump:
mysqldump -u wpuser -p wordpress > backup.sql
Better:
- Use plugin (UpdraftPlus)
- Or automate via cron
8. What You Should Validate Now (Checklist)
| Layer | Check |
|---|---|
| Web | Site loads |
| PHP | Pages render |
| DB | Posts save |
| FS | Media uploads |
| DNS | Domain resolves |
| TLS | HTTPS works |
| NGINX | Permalinks work |
9. Common Mistakes at This Stage
- Using
adminusername ❌ - Leaving file permissions as 777 ❌
- Not setting permalinks ❌
- Not enabling HTTPS redirect ❌
- Not securing wp-config.php ❌
10. Next Step (Recommended)
Now that base is working, the most valuable next evolution is:
Option A (infra focus):
→ Convert this into Terraform-managed EC2 + SG + Route53
Option B (app reliability):
→ Add:
- RDS
- EFS (shared uploads)
- ALB + Auto Scaling
Option C (DevOps maturity):
→ Add:
- Git-based deployment
- CI/CD pipeline
If you want, I can now:
- Audit your current setup (based on configs)
- Or evolve this into production-grade architecture step-by-step
Leave a Reply