
Installing WordPress with WP-CLI

In this lesson you will install WordPress with WP-CLI. This is the fastest and most reliable way to set up WordPress, and it avoids the risky web-based installer. You'll download the core files, create a configuration file, run the installation, and then make the site public.

Security

WP-CLI is the fastest way to install WordPress. Arguably it's the most secure one too, especially compared to installing WordPress through the usual web-based interface. However, there are still a couple of very critical mistakes to avoid.

A WordPress site that hasn't been configured and installed yet is in its most vulnerable state. If the site in this state is exposed to the Internet, it will soon be found by bots, and bots will inevitably run through the installation process, fully compromising the site before the installation is even completed.

My latest experiment revealed this can happen in as little as 12 seconds. Newly registered domains and domains with recently issued SSL certificates from public authorities such as Cloudflare or Let's Encrypt are a huge target, since they are more likely to have an unfinished WordPress install.

For these reasons you should never expose an unfinished WordPress installation to the Internet. Luckily, with WP-CLI you can fully complete an installation inside a private directory before moving it to public_html. If, however, you rely on the web-based installation, make sure all access is restricted to your IP address and/or protected by Basic Authentication.

Downloading WordPress

Our site will live in the /sites/uncached.org/public_html directory, but to avoid immediately exposing our freshly downloaded WordPress files, let's run the installation in a separate install directory that is not publicly available:

mkdir /sites/uncached.org/install
sudo chown www-data:www-data /sites/uncached.org/install
cd /sites/uncached.org/install
wp core download

The chown step makes sure that the new install directory is owned by the www-data user; otherwise our call to wp core download will fail to write the downloaded WordPress application files to this new directory.

Creating wp-config.php

Let's create a new configuration file using WP-CLI. This will require our database credentials, for which we'll use the MariaDB user created in an earlier lesson.

wp config create \
    --dbname=uncached \
    --dbuser=uncached \
    --dbhost=localhost \
    --dbpass=secure-password

Instead of providing a --dbpass in the shell, you can also use --prompt=dbpass for an interactive prompt. This will keep your password out of your shell history and won't require escaping quotes or other symbols.

WP-CLI will verify the database credentials and return an error if the connection fails. Upon success, you will have a freshly baked wp-config.php file with the correct database credentials, as well as unique authentication salts.
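The rule from the Security section, never publish an unfinished install, can be enforced with a check run before anything is moved to public_html. The function below is an added example, not part of the original lesson: its name and return codes are hypothetical, and it assumes wp is on your PATH and that wp-config.php sits in the site directory, as wp config create leaves it.

```shell
# Added example, not from the lesson. Function name and return codes are
# hypothetical. Assumes wp is on PATH and wp-config.php is in the site directory.
# Usage: wp_ready_to_publish /sites/uncached.org/install /sites/uncached.org/public_html

wp_ready_to_publish() {
    rtp_dir=$1
    rtp_docroot=$2

    # Resolve symlinks so the comparison below uses real paths.
    rtp_real_dir=$(cd "$rtp_dir" 2>/dev/null && pwd -P) || {
        echo "not a directory: $rtp_dir" >&2
        return 2
    }

    # The staging directory must not be the document root or live inside it.
    if [ -d "$rtp_docroot" ]; then
        rtp_real_root=$(cd "$rtp_docroot" && pwd -P)
        case "$rtp_real_dir/" in
            "$rtp_real_root"/*)
                echo "$rtp_dir is already under $rtp_docroot" >&2
                return 3
                ;;
        esac
    fi

    # Without wp-config.php the web-based setup is still open to any visitor.
    if [ ! -f "$rtp_real_dir/wp-config.php" ]; then
        echo "wp-config.php missing in $rtp_dir" >&2
        return 4
    fi

    # wp core is-installed prints nothing and exits 0 only when the
    # WordPress database tables exist, i.e. the installation has been run.
    if ! wp core is-installed --path="$rtp_real_dir" >/dev/null 2>&1; then
        echo "WordPress is not installed in $rtp_dir" >&2
        return 5
    fi

    return 0
}
```

A return code of 0 means the directory is configured and installed; any other code names the step that is still missing.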
