Fantastico Security Vulnerabilities
When installing WordPress on your own domain, avoid using auto installers that come with your hosting account, such as Fantastico. Auto installation scripts come with security risks.
Avoid unnecessary security vulnerabilities and malicious hackers by doing a manual installation of WordPress.
Why install WordPress manually?
Because you control what and how things are installed.
Installing WordPress manually is a breeze. It only takes a few minutes longer than auto-installers and it's well worth your time to do it right.
Recently, a reader of our blog asked…
What security issues have you seen with installing WP with software installers like Fantastico, SimpleScripts, Softaculous, etc?
~ Roy Randolph
Roy, thanks for your question. Although auto installer scripts are quick and easy, they do put your website in harm's way by not implementing security measures from the start.
For example, I just installed WordPress using Fantastico Deluxe on HostGator shared hosting. I found several key security elements that I was unable to add/change during the installation.
Fantastico security vulnerabilities found installing WordPress…
- An outdated version of WordPress. It installed WP version 3.0.3. The current version today is 3.0.4. It's not good to start out with an outdated WordPress, since 3.0.4 was an important security update.
- Created a database named wrdp1. This is standard. If I created another one it would be wrdp2. Malicious hackers know this is how they're created and it gives them more ammo.
- Created a database username the same as my database name. Why make it so easy for evil doers? They just need to guess my password now.
- The database password is 12 characters long and contains upper and lowercase letters and numbers. Not too bad, but I prefer 14 characters minimum and some symbols too.
- The table prefix created was wp_. I was given no option to choose the table prefix. Crackers know this is standard. You should use something other than wp_.
- Created a file named fantversion.php, which is common for all auto installers. This is a security risk if crackers know how to break into it.
- After I installed, I got this note… "We only offer auto-installation and auto-configuration of WordPress but do not offer any kind of support." For the WordPress beginner this would have them confused as to where to find help if it didn't install properly.
- I've read online that there have been times during upgrades that they stall or have conflicts and at times break websites.
It's always best to customize what you can during installation to make it as secure as possible.
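A check for the installer defaults listed above, as an added example that is not part of the original post and not Fantastico or WordPress code: it reads wp-config.php and looks for fantversion.php in the same directory. The sample config is constructed, the finding names are made up for this illustration, and matching any database name that ends in wrdp plus a number is an assumption based on the wrdp1/wrdp2 naming described above.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample mirroring the defaults listed in the post (not a real site).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wrdp1');
define('DB_USER', 'wrdp1');
define('DB_PASSWORD', 'Ab3dEf6hIj9L');
$table_prefix  = 'wp_';
"""

# Simple literal matchers; values containing escaped quotes are not handled.
DEFINE_RE = re.compile(r"""define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(['"])(.*?)\1""")

def audit_install(wp_dir):
    """Return finding codes (hypothetical names) for the install in wp_dir."""
    wp_dir = Path(wp_dir)
    text = (wp_dir / "wp-config.php").read_text(encoding="utf-8", errors="replace")
    consts = {m.group(2): m.group(4) for m in DEFINE_RE.finditer(text)}
    prefix = PREFIX_RE.search(text)
    name, user, pw = (consts.get(k, "") for k in ("DB_NAME", "DB_USER", "DB_PASSWORD"))
    findings = []
    if re.search(r"wrdp\d+$", name):          # assumed pattern: wrdp1, wrdp2, ...
        findings.append("predictable-db-name")
    if name and name == user:
        findings.append("db-user-equals-db-name")
    if len(pw) < 14:                          # the post's preferred minimum
        findings.append("db-password-under-14-chars")
    if not re.search(r"[^A-Za-z0-9]", pw):
        findings.append("db-password-no-symbols")
    if prefix and prefix.group(2) == "wp_":
        findings.append("default-table-prefix")
    if (wp_dir / "fantversion.php").exists():
        findings.append("fantversion-file-present")
    return findings

def demo():
    """Build a throwaway install directory from the sample and audit it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "wp-config.php").write_text(SAMPLE_CONFIG, encoding="utf-8")
        Path(d, "fantversion.php").write_text("<?php // constructed placeholder\n")
        return audit_install(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `audit_install()` at the directory that holds your own wp-config.php; an empty list means none of the defaults from the list were found.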
How to install WP manually?
An easy-to-follow, step-by-step guide called “Installing WordPress” can be found in the WordPress.org Codex. If you get confused or need help, just let us know.
We can install WordPress securely with our Done For You services. It's inexpensive, quick and secure! And if you used Fantastico or another auto-installer, we can delete the associated files that may leave your site at risk!
Leave your feedback
Do you install your WordPress manually or do you find it too difficult? What do you think of auto installers? Have you had any problems with Fantastico, SimpleScripts, Softaculous? What about other security vulnerabilities with auto installation scripts? Share your thoughts by leaving your comment below.