Support » Installing WordPress » Security questions

  • I’ve just set up WordPress on a public site hosted by Dreamhost. I did this by unzipping the relevant files on my machine, setting up the MySQL connection details, SCP-ing the WordPress directory from my machine to the remote site and then browsing to the install page. All very nice and smooth. However, I’m worried about two things:
    i) The MySQL account I put in the configuration file has fairly wide-ranging privileges (create and drop tables, users etc). Now that the site tables have been created and the installation is complete, I’d like to restrict that account so that it can only do the things WordPress needs to be able to do. What is the minimal set of privileges WordPress requires?
    ii) For future reference: is there a way to set up WordPress on a remotely-hosted site that does *not* involve exposing the install process on the live internet for the thirty seconds or so it takes to click through it after it’s finished uploading? I know it’s unlikely that an attacker would have jumped in during that window of vulnerability, but it’s still a window of vulnerability – during that time, anyone browsing to the site can potentially get an admin password for a web application that has access to a highly-privileged MySQL account. Can this be avoided?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Just to answer the second of my own questions: I think the WordPress directory can be protected by a .htaccess file on Apache until it’s ready to be seen by the outside world. That would also make it possible to spend some time customising the site before it becomes publicly visible.

    Moderator James Huff


    I highly doubt that any such problems would have occurred and I’m sure your MySQL database is fine the way it is. I’m using multiple WordPress blogs with DreamHost right now (with unlimited MySQL databases, it’s almost a dream for WP users) and haven’t had nor worried about any such problems. Don’t worry, when you’re installing your blog for the first time, no one knows it exists, so no one will be waiting for that “window of opportunity”. Not to mention the fact that I’m sure these developers have installed some sort of defensive measure during the install process.

    Thanks, I’m just aware that best practice in general is to limit privileges to the minimum required – it might seem like paranoia, but it’s really a good habit of mind to get into when thinking about security especially in relation to the web (I’m a developer, and whilst my personal blog doesn’t really *matter* from a security standpoint some of the other things I work on do; sometimes it’s good to think about security issues when you have the luxury of *not* having to worry about them too much).

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Security questions’ is closed to new replies.