Why Install WordPress Manually?

Originally designed as a blogging platform, WordPress has become widely used as a content management system (CMS) for the web.

You may have automated installation of popular web applications, including WordPress, available through your webhost – Fantastico and Scriptaculous are common examples of these services. I recommend not using these, for two main reasons.

  • Security – the default settings of the automated installer will be known and exploitable
  • You won’t learn as much as you will be choosing to manually install.

So installing manually brings the benefit of empowerment, and with WordPress, the manual procedure’s well documented: just refer to the first port of call for WordPress, the documentation, known as the ‘codex’.

If you need more, read on for my companion tutorial.

Installing WordPress: a companion to the codex instructions


You’ll need:

  • Basic tools like a good text editor, ftp program and a web browser.
  • Access to a webserver
  • The codex instructions
    The following must be pre-installed on the webserver:

  • PHP version 5.2.4 or later (note)
  • MySQL version 5.0 or later

Your web host’s control panel should include the information on php and MySQL. Alternatively, you can ask them. To find out what version of php is running it may however be more satisfying to use the following line of php code.

<?php phpinfo(); ?>

This line of code may often be encountered in early php lessons: beginners should note the php opening and closing tags surrounding the function. Type the command exactly as above, inside those opening and closing tags. Save it as foo.php, save to your web server (possibly password protected) and load it up in the browser. Its function: to output all the info about your php installation you are ever likely to need. This comes with some security risk – see note

Set up

After verifying your requirements are up to scratch, download the latest version of WordPress from wordpress.org.

Make a database and user

But before doing anything else, we create a MySQL database and database user on the server. We’re just creating an empty database: after install, WordPress will use this db to store content and settings.

Your webhost control panel may provide various ways to create MySQL databases. The first time I did this, I used an interface which looked like this:

Note this web host uses a special url as the databases’ host name, as opposed to the more normal ‘localhost’ prefix. That’s useful to know as we will need to enter the host name later when configuring WordPress, so props to this particular shared host for making this clear.

After creating the database and user, link the user to the database – you’ll need to enable all permissions.

Tell WordPress about the database

Uncompress the WordPress download locally. Find the file wp-config-sample.php in the root folder and rename it wp-config.php instead. Open it in a text editor and you’ll find the code has helpful comments.

We need to edit this file to configure WordPress to use the MySQL database we just created on our web host server. The wp-config file, amongst other things, acts as our interface between the database and WordPress’s php core, allowing the two to interact. It’s like joining up two separate systems – WordPress core and our MySQL database – to act as one beast.  Referring to the codex and our MySQL details as required, enter in the database name, username, password, and hostname where indicated in the file.

That alone, technically constitutes all the needed actions on this file before saving and uploading it, but to do so would be a gross security risk. For the bare minimum security, we need to add some secret keys to the file – as always, see the codex.

Then save the file.

We can also, if we choose, change the prefix for the tables WordPress will add to the database, from the default ‘wp_’, if we want a bit of security through obscurity. One downside of this is that some plugin or theme developers might assume the default prefix, causing compatibility issues.

Whatever you decide, upload the contents of the entire wordpress folder to the web server in the desired location for your WordPress site, either in the root or in a sub-folder.

As a further security tip here, you should check the file permissions on your server are appropriate.


If all the files have uploaded, navigate in your web browser of choice to http://example.com/[wordpressroot]/wp-admin/install.php and the installation will run.  If the installation goes well you should get a cute message telling you so, and what to do next.

A very simple process, quick and friendly. This is a good beginning. But are we secure? At this point you will be assigned a default username and password. Of course you should enter a new password, and it has long been known you should change the default username.

Karthik Viswanathan argues threats often attempt to compromise your site using known default settings like the username. Karthik also recommends removing wp-admin/install.php after installation, amongst other tips comprising 20 steps to a flexible and secure WordPress installation . Well worth checking out, as is Jeff Starr, on digging into wordpress: suggestions for a WordPress Security Lockdown, developed through experience.

This tutorial is available as a live demo or training session.

View Slides, or contact me for more information.