So you decided to start blogging, you already have a wordpress template ready for your new blog, so you upload the files try to install and realize that the “famous 5 min installation” doesn’t work because of your Plesk settings.

Keep in mind that you can always manually create the conf.php file that wordpress needs to access the database, if you do not want to do this.

The first thing you need to do is to upload all the wordpress files into your preferred installation directory. Then log into your plesk account and select the domain under which you want to install wordpress. Then go to File Manager. Inside file manager browse until you get to the installation folder, in this case httpdocs. Now selected it and click on the “permissions” link on the forth column. This should take you to the permissions page, in here you need to add the option “write” to group. So they should like something like this.

Add write permissions to group in Plesk v9

This tells the server that you should let other people from the owners group to write. This other “people” is the php module.

Now, this should take care of the configuration file. However there are still a few adjustments that you need to do. First, if you control the domain and trust your users,  then you need to make php NOT to run on safe mode. Running php on safe mode “secures” your files by not letting other people (php users) to write your files. So this somehow poses a security thread, so WHEN YOU ARE DONE MAKE SURE TO SET IT BACK TO SECURE MODE.

Change this back one you are done installing WordPress

In order to make php run on secure mode, go back to your domain panel and go to Web Hosting Settings under “Web Site”, you will be presented a list of options. Towards the end of the list you will php under services. Uncheck the box that says “Run in safe mode” Then save your changes.

Once you have done this you will be able to install WordPress without any problems in Plesk V9.

However if you want to be able to upload files through the Flash uploader sometimes (depending on your Plesk configuration) you will need to change something else. For this you will need to login as root via ssh to your server and change the file /var/www/vhosts/your.domain.tld/conf/http.include. In this file make sure that all your open_base dir argument is correct. Meaning that you can access your temporary upload folder, and that you can access wherever is that you are going to save those images.

Let us know if you find this useful, and remember if you are looking for a great wordpress template let us know, we can sure help you with that.

Your wordpress installation may not be secure

Once an open source system becomes so popular as wordpress very often it becomes vulnerable to attacks. I wonder why the folks at wordpress have not done anything to enhance the security of the admin site, which, by default, you can access by going to /wp-admin.

The problem is that if you rename the directory then your wordpress installation becomes broken. I’ve looked and I could not find a plug-in that would let you change the wp-admin folder to something else, or at least conceal it. The only result that I found about how to do this is by Michi Kono. However the solution proposed has a few drawbacks like some links no longer working. Of course you have the option of restricting access to selected IP addresses via .htaccess but if you are like most non-commercial internet subscribers you don’t have a static IP, which makes things more complicated.

So here is another solution to make wordpress more secure while keeping all wordpress functionality.

The first thing we need to do is to pick what “name” we want for your admin section. For purposes of this “tutorial” we will call it “secure-login”.

Note: You are about to modify crucial files in your wordpress installation. So do this at your own risk, and please, please backup your files before you do this.

Now, open your .htaccess file and add the following line after the “RewriteBase ” line.

RewriteRule ^secure-login$     wp-login.php [L,NC,QSA]

so your .htaccess should look something like this.

# BEGIN WordPress
<IfModule mod_rewrite.c>

RewriteEngine On
RewriteBase /
RewriteRule ^secure-login$ wp-login.php [L,NC,QSA]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]

</IfModule>

# END WordPress

This tells your server that when you ask for “secure-login” you should be taken to wp-login.php

Now we need to edit wp-login.php which is located at the root of your installation. Add this before anything else.

 session_start();
 
//See what file is being requested by the web client, also store the arguments just in case.
list($file,$arguments) = explode("?", $_SERVER['REQUEST_URI']);
 
//if the user just logged out, destroy this session and redirect them to root
if("/wp-login.php?loggedout=true" == $file ."?" .$arguments || "action=logout" == substr($arguments, 0, 13))
{ session_destroy(); header("location: /"); }
 
//If our sentinel variable is set and true do nothing, allow normal script execution
if(isset($_SESSION['valid_entrance']) && $_SESSION['valid_entrance'] == true) { /* As they say, "Silence is golden" */ }
 
//Now if the user is requesting wp-login.php and our sentinel is not true, redirect the "attacker" to root.
elseif(stripos($file, 'wp-login') && !isset($_SESSION['valid_entrance']))
{  header("Location: /"); exit(); }
 
//If the user is requesting the right login entrance set the sentinel to true
elseif ($file == "/secure-login")
{  $_SESSION['valid_entrance'] = true; }

That’s all you need to do. Your wordpress installation just became more secure. Don’t forget to upload your updated files to your server.

I may do a plug-in whenever I find the time.

I would also recommend using Login Lockdown by Michael VanDeMar.

Let me know if you have any questions or recommendations for this