Step one – Read

WordPress is a great product. It’s easy-to-use, powerful, and flexible. Creating a website, and maintaining a website, is a science and art that has quickly evolved. In order to fully appreciate this it is important to be well read on the subject. One major thing to keep in mind is your investment of time. Being knowledgeable will without a doubt save you much time in the long run. With that in mind, before you invest your valuable time and energy into installing WordPress, there are some documents you need to read to help you get started.

Suggested reading includes,

• Introduction to Blogging
• WordPress Features
• Before You Install WordPress

Step two – Make a plan

Based upon the information you’ve just read, including instructions on installing WordPress, you should have a list of the things you need and things to do. If not, make that list now. You’ll want to make sure it includes the following information:

• Environment requirements
• Your Website Username and Password
• Text Editor Software
• An FTP Client Software
• Your Web Browser of Choice

The following documents will help you understand more about how WordPress works and how to make a plan for your WordPress site:

• WordPress terminology
• First Steps With WordPress
• WordPress Lessons

It is important to make a plan about how you want to use WordPress on your site. Here are some questions to ask yourself.

• Will you install WordPress in the root directory, subdirectory, or you just want to make a test site to make sure you want to use it?
• Have you made a list of your site categories to organize your content by groups?
• Have you made a list of Pages you may want to add to your site, such as About, Contact, or Events?
• Have you thought about what you want in the header part of the site?
• Have you developed a content strategy and list of topics to help start blogging?
• Have you thought about how to integrate social media into your WordPress site and workflow?

Step three – Install WordPress

With this information and your plan, it’s time to install WordPress. 

• Before You Install WordPress
• Installing WordPress
• Editing the wp-config.php file
• Frequently Asked Questions About Installing WordPress
• Using FTP Clients and Software
• Changing File Permissions
• Updating WordPress
• Common Installation Problems
• Trouble: I Can’t Login

Step four – Set up WordPress

With your installation complete, it’s time to set up WordPress so it will work the way you want it to work.

To help you understand how all the various features and screens on the WordPress Administration Screens work, check out the Administration Screens guide for a detailed walk-through.

For help on creating your user profile information, of which some or all may appear on your WordPress Theme, see the Users > Your Profile pages for guidance.

To set the site name and other information, go to Administration > Settings > General in the dashboard.

After you’ve published a few posts, you can experiment with the full edit or quick edit features in the Administration > Posts > Posts screen.

Add your “About,” “Contact,” and other information Pages by going to Administration > Pages > Add New.

Want to change the look and feel of your WordPress site? Go to Administration > Appearance > Themes.

You’ll find helpful information by reading WordPress Lessons, and these helpful documents:

• Learn WordPress for WordPress.com and beginning self-hosted WordPress tutorials and guides.
• Moderating Comments
• Introduction to Dealing with Comment Spam

Appearance and themes

Changing the look of your WordPress website is easy with just a few clicks.

• Using WordPress Themes Introduction
• The WordPress Theme Directory features thousands of WordPress Themes
• WordPress Widgets can quickly add more information and content to your Theme.

If you want to create a new WordPress Theme from scratch, or do major renovations, or even design WordPress Themes for public release, you should visit WordPress Theme Developer Handbook.

If you want a custom-made WordPress Theme created especially for you by expert web-designers, it is recommended you search for qualified web designers on the Internet, or look in your local community.

Adding WordPress plugins

There are many “add-on” scripts and programs for WordPress called Plugins that add more capabilities, choices, and options to your WordPress site. WordPress Plugins do many things, including customizing the results of your site information, adding weather reports, adding spell check capability, and presenting custom lists of posts and acronyms. For more on how to work with Plugins and where to find WordPress Plugins for your site:

• Managing your WordPress Plugins
• WordPress Plugins
• The WordPress Plugin Directory

As like as Theme, you can create a new WordPress Plugin from scratch, or do major renovations. Please visit WordPress Plugin Developer Handbook for detail. 

Advanced use of WordPress

Now that you are familiar with the basic features and functions of how WordPress works, it might be time for you to plunge deeper into the power of WordPress.:

• WordPress Developer Resources
• Tutorials
• Using Permalinks

Need more help?

As simple and easy as it is to use WordPress, if troubles arise, if something is confusing, if things aren’t working, don’t despair because help is available! Even though WordPress is free and open source, there are literally hundreds of volunteers eager to help you. Here are some helpful official resources for WordPress:

Support Forums

Giving back to WordPress

Now that you’re a full-fledged WordPress user, consider contributing to the WordPress Documentation, Support Forum, Development, and other volunteer efforts that keep WordPress going. WordPress is free and totally supported by volunteers, and your help is needed.

• Using the Support Forums
• WordPress Forum
• Lesson plans
• FAQ

WordPress uses his functionality to trigger scheduled posts, and other scheduled events that plugins or themes may introduce.

They are also used when making changes in the Plugin- or Theme-editor, by connecting back to the website and making sure that the changes made does not break your website.

Troubleshooting loopback issues

If you are having problems with scheduled posts or other timed events not running, or seeing Site Health warnings about loopbacks failing, you may want to troubleshoot these.

The most common cause of loopback failures is a plugin or theme conflict, you should start by following the normal troubleshooting steps:

Common troubleshooting steps

• Deactivating all plugins (yes, all) to see if this resolves the problem. If this works, re-activate the plugins one by one until you find the problematic plugin(s). If you can’t get into your admin dashboard, try resetting the plugins folder by SFTP/FTP or PhpMyAdmin (read “How to deactivate all plugins when you can’t log in to wp-admin” if you need help). Sometimes, an apparently inactive plugin can still cause problems. Also remember to deactivate any plugins in the mu-plugins folder. The easiest way is to rename that folder to mu-plugins-old
• Switching to the Twenty Nineteen theme to rule out any theme-specific problems. If you can’t log in to change themes, you can remove the theme folders via SFTP/FTP so the only one is twentytwenty. That will force your site to use it.
• If you can install plugins, install “Health Check”: wordpress.org/plugins/health-check. On the troubleshooting tab, you can click the button to disable all plugins and change the theme for you, while you’re still logged in, without affecting normal visitors to your site.

WordPress Plugins are PHP scripts that extend the functionality of WordPress. They enhance the features of WordPress or add entirely new features to your site. Plugins are often developed by volunteers and are usually free to the public.

Plugins are available via the WordPress Plugin Directory. Although plugins you find here are thoroughly tested and considered safe to use, they are of varying quality and are often works in progress.

How do they relate to WordPress core?

The WordPress content management system software, or WordPress core, provides the primary functionality for publishing content and managing users. Each WordPress plugin is an additional piece of software that can be easily installed to extend the functionality of WordPress core.

This allows you to customize your WordPress site with your desired functionality. Since so much functionality is provided through plugins, WordPress core is full-featured and customizable, without having to include everything for everyone.

What are some examples?

Some of the more popular plugins in the WordPress Plugin Directory fall into these categories:

• Spam control
• SEO
• Data import and export
• E-commerce
• Security
• Caching

This is just a small sample. There are thousands of plugins available in the directory, so there’s a good chance you’ll find some that are useful to you.

Finding and Installing Plugins

Finding Plugins

You can browse and search for plugins in the WordPress Plugin Directory. Each plugin listed there is available for download as a zip file you can upload to your WordPress site.

An alternative way to find and install plugins is from within the WordPress admin screens. Navigate to Plugins > Add New, and you can browse and search for plugins from within your dashboard. 

Each plugin listed there has an “Install Now” button so you can easily add it to your site.

Plugin Compatibility

If a plugin hasn’t been updated since the most recent update to WordPress core, it may be incompatible, or its compatibility may be unknown. You can view compatibility information about plugins from the Add Plugins page, or from the Installed Plugins list.

Compatibility of New Plugins

To learn about the compatibility of a plugin before you install it, navigate to Plugins > Add New. Each plugin description on this page includes a note that reads “Compatible with your version of WordPress” or “Untested with your version of WordPress.” You can click the “More Details” link to see information about this plugin’s compatibility.

Compatibility of Installed Plugins

To learn about the compatibility of plugins you’ve already installed, click the “Plugins” link in the left nav of your site’s dashboard. Each item on this list should contain a “View details” link. Click this to see information about this plugin’s compatibility with different versions of WordPress.

Installing Plugins

There are 3 ways to install WordPress plugins.

Automatic Plugin Installation. Any plugin available in the WordPress Plugins Directory can be installed via the built-in plugin installer.

Upload via WordPress Admin. You can easily add a new plugin by uploading a zip archive of the plugin from your local computer.

Manual Plugin Installation. In some cases, you may need to manually upload a plugin directly using an SFTP client.

Automatic Plugin Installation

This is the simplest method of installing a plugin. To add a plugin using the built-in plugin installer:

1. Navigate to Plugins > Add New.

2. Use the search form in the top-right to search by keyword, author, or tag.

3. On the search results that appear, click a plugin’s title or the link ‘More Details’ to read more about it, including installation notes, plugin documentation, or other useful information.
4. Click the Install Now button to install the plugin.
5. Once the plugin installation is complete, click Activate to activate the plugin.

Upload via WordPress Admin

If you have a copy of the plugin as a zip file, you can manually upload it and install it through the Plugins admin screen.

1. Navigate to Plugins > Add New.
2. Click the Upload Plugin button at the top of the screen.

3. Select the zip file from your local filesystem.

4. Click the Install Now button.

5. When the installation is complete, you’ll see “Plugin installed successfully.” Click the Activate Plugin button.

Manual Plugin Installation

In rare cases, you may need to install a plugin by manually transferring the files onto the server. This is recommended only when absolutely necessary, for example when your server is not configured to allow automatic installations.

This procedure requires you to be familiar with the process of transferring files using an SFTP client. It is recommended for advanced users and developers.

Here are the detailed instructions to manually install a WordPress plugin by transferring the files onto the webserver. 

Plugin Favorites

You can add a plugin to your list of favorites, and you can view and easily install another WordPress.org user’s favorite plugins.

Favorite a Plugin

1. Log in to the WordPress Plugins Directory using your WordPress.org ID.
2. Find the plugin you want to like and go to the plugin’s page.
3. Click the heart icon next to the Download button.

4. Once you have favorited a plugin, it will show up in your WordPress.org public profile. If you have published a review of the plugin, your rating of the plugin will also appear here.

View a User’s Favorite Plugins

To see a WordPress.org user’s favorite plugins (including your own):

1. Browse to the Add Plugins admin screen (Plugins > Add New).
2. Click the Favorites tab.

3. Type the user’s name in the “Your WordPress.org username” field.

4. Click Get Favorites.
5. Each of the plugins listed here has an ‘Install Now’ button that you can use to add the plugin to your site.

Updating Plugins

Plugin developers update their plugins occasionally by adding new features, improving code quality, and keeping them secure. To ensure that these changes are applied on your site immediately, you should keep your WordPress plugins up to date. This helps to improve your site’s WordPress security and performance.

Manual Plugin Update From The Dashboard

Your WordPress Dashboard automatically notifies you when a plugin needs to be updated — you can view this notification under the Dashboard->Updates tab. 

1. Scroll down to the Plugins section.

2. Select the checkbox for the plugins you want to update and then click  ‘Update Plugins’ button.

NOTE: Always make sure you have a current backup of your site before updating your plugins. Sometimes problems can happen during the update process.

Manual Plugin Update From The Plugins Page

You can find the plugins that need to be updated on your site’s Plugins page. 

To find any plugins installed on your site that need to be updated:

1. Click the “Plugins” link in the left nav of your site’s dashboard.
2. Look down the list of installed plugins for any that include a line reading “There is a new version…”
3. Click the “View version…” link in that note to view details about the plugin’s update.
4. Click the “update now” link to update the plugin.

NOTE: Always make sure you have a current backup of your site before updating your plugins. Sometimes problems can happen during the update process.

Enable Automatic Plugin Update

WordPress introduced automatic updates for WordPress plugins in WordPress 5.5. This allows you to enable automatic updates for individual WordPress plugins directly from the Plugins Page in the WordPress dashboard.

1. Go to Plugins -> Installed Plugins page inside WordPres Admin area. Here you’ll see the list of all your installed plugins.  Each plugin in the list has a link ‘Enable auto-updates’ in the right-most column (under Automatic Updates).
2. Select the checkbox for the plugins you want to enable auto-update and click the link  ‘Enable auto-updates’ for the selected plugin. This will enable automatic updates for the selected plugin.

 Disable Automatic Plugin Update

  To stop your plugins from updating automatically, do the following:

1. Go to Plugins -> Installed Plugins page inside WordPres Admin area. Here you’ll see the list of all your installed plugins.  
2. Each plugin in the list that has auto-update enabled will have a link ‘Disable auto-updates’ in the right-most column (under Automatic Updates).
3. Select the checkbox for the plugin you want to disable auto-update and click the link  Disable auto-updates’ for the selected plugin. This will disable automatic updates for the selected plugin.

Bulk Update WordPress Plugins

If you have several plugins on your website that need an update, then you can bulk update those plugins.  It is always recommended to do a quick review of all the plugins before updating.

1. Go to the Plugins page and click on the ‘Update Available’ link. This will show you the list of all plugins that have updates available.

2. Click the checkbox to select all the plugins you want to update.

3. From the ‘Bulk Actions’ drop down, select ‘Update’ and click ‘Apply’.

If all goes well with the updates, you will see a message saying that the updates were completed successfully.

Uninstalling Plugins

Plugins have a safe and easy-to-use uninstaller. If that is not available, you can also manually uninstall the plugins.

Automatic Uninstallation

The safe and easy way to uninstall a plugin is via the WordPress admin screen.

1. Navigate to your Plugins admin screen and locate the plugin to be uninstalled.
2. Select the checkbox next to the plugin name and click the “Deactivate” link.

3. Once the plugin is successfully deactivated, click the plugin’s “Delete” link.

Troubleshooting

Occasionally, a WordPress Plugin may not work as expected. This section provides helpful resources and steps you can take for troubleshooting plugin issues.

Resources To Help Diagnose The Issue

• Review the plugin’s documentation to confirm that you’ve followed the instructions. You can find this information in the Plugins page under the name of each Plugin > View details.

NOTE: If you have access to the plugin files, you can also find this information in the Plugin’s folder inside readme.txt.

• Search the WordPress Support Forums for the name of the Plugin and keywords associated with the problem you are experiencing or the specific error message that is displayed.
• Search the WordPress Plugins Directory for the name of the Plugin. On the Plugins page, select the Support tab to read about issues reported in the Support Forums for that plugin.

• Go to the website of the plugin author and check their blog and Plugin page for known issues or advice.

• Search the web with the name of the Plugin and keywords associated with the problem you are experiencing or the specific error message that is displayed.
• Post a question in the WordPress Support Forums with the name of the Plugin and keywords associated with the problem you are experiencing or the specific error message that is displayed. Make sure to include the problem in the title of the question. For advice on how to improve your chances of getting help, see Finding WordPress Help.

Possible Resolutions

Make sure that the plugin is activated after it is installed. 

1. Go to the Plugins > Installed Plugins from the WordPress admin screen.
2. Find the Plugin and click ‘Activate’.

If you know which plugin is causing the issue: 

1. Deactivate that plugin and activate it again to see if this helps.

2. In some cases, the plugin may be buggy or incompatible. Deactivate the plugin. Search for other similar plugins, install and activate it and see it this revolves the issue.

If you don’t know which plugin is causing the issue: 

Sometimes problems may be caused by a conflict with different WordPress plugins. There are a few different ways you can tell which plugin is causing the issue.

• You installed a single plugin and experienced issues with your site soon after that.
• You updated a single plugin and experienced issues with your site soon after that.
• There’s an error message telling you exactly which plugin file is causing the issue. 
• Try deactivating plugins one at a time until you find the one that’s causing the issue. 
• Once you find the plugin that is causing the issue, you can either deactivate and activate it again to see if this helps. Or you can find other similar plugins from the WordPress Plugins Directory, install and activate it and see if this resolves the issue. 

Plugin Management

Plugins are managed from the Plugins admin screen of your WordPress site. 

Here you will find a list of all installed plugins, whether they are active or inactive. From this screen, you can activate, deactivate and delete plugins. 

Plugins listed in bold are currently active.

Each plugin on the list also contains links to further information about the plugin. 

Must-Use Plugins

Must-use plugins (a.k.a. mu-plugins) are plugins installed in a special directory inside the content folder and which are automatically enabled. 

Must-use plugins do not show in the default list of plugins on the Plugins page and cannot be disabled except by removing the plugin file from the must-use directory, which is found in wp-content/mu-plugins by default.

For more details, please refer Must Use Plugins.

Developing Plugins

The WordPress community relies on plugin developers to maintain a healthy and growing collection of plugins. A large part of what makes WordPress valuable is the extensive and freely available plugins. 

You can help WordPress users by creating your own plugins for distribution through the WordPress plugin directory.

You can get started with the WordPress plugin development using the resources in the WordPress Plugin Developer Handbook.

phpMyAdmin is a program used to manipulate databases remotely through a web interface. A good hosting package will have this included. For information on backing up your WordPress database, see Backing Up Your Database.

Information here has been tested using phpMyAdmin 4.0.5 running on Unix.

The following instructions will replace your current database with the backup, reverting your database to the state it was in when you backed up.

Restore Process

Using phpMyAdmin, follow the steps below to restore a MySQL/MariaDB database.

1. Login to phpMyAdmin.
2. Click “Databases” and select the database that you will be importing your data into.
3. You will then see either a list of tables already inside that database or a screen that says no tables exist. This depends on your setup.
4. Across the top of the screen will be a row of tabs. Click the Import tab.
5. On the next screen will be a location of text file box, and next to that a button named Browse.
6. Click Browse. Locate the backup file stored on your computer.
7. Make sure SQL is selected in the Format drop-down menu.
8. Click the Go button.

Now grab a coffee. This bit takes a while. Eventually you will see a success screen.

If you get an error message, your best bet is to post to the WordPress support forums to get help.

Using MySQL/MariaDB Commands

The restore process consists of unarchiving your archived database dump, and importing it into your MySQL/MariaDB database.

Assuming your backup is a .bz2 file, created using instructions similar to those given for Backing up your database using MySQL/MariaDB commands, the following steps will guide you through restoring your database:

1. Unzip your .bz2 file:

user@linux:~/files/blog> bzip2 -d blog.bak.sql.bz2

Note: If your database backup was a .tar.gz file called blog.bak.sql.tar.gz, then

tar -zxvf blog.bak.sql.tar.gz

is the command that should be used instead of the above.

1. Put the backed-up SQL back into MySQL/MariaDB:

user@linux:~/files/blog> mysql -h mysqlhostserver -u mysqlusername -p databasename < blog.bak.sql

Enter password: (enter your mysql password) 
user@linux:~/files/blog>

Moving to a New Server

If you are moving WordPress from one server to another, begin by backing up your WordPress directory, images, plugins, and other files on your site as well as the database. See WordPress Backups and Backing Up Your Database.

Keeping Your Domain Name and URLs

Moving your domain without changing the Home and Site URLs of your WordPress site is very simple, and in most cases can be done by moving the files.

• If database and URL remain the same, you can move by just copying your files and database.
• If database name or user changes, edit wp-config.php to have the correct values.
• If you want to test before you switch, you must temporarily change “siteurl” and “home” in the database table “wp_options” (through phpMyAdmin or similar).
• If you had any kind of rewrites (permalinks) setup you must disable .htaccess and reconfigure permalinks when it goes live.

Changing Your Domain Name and URLs

Moving a website and changing your domain name or URLs (i.e. from http://example.com/site to http://example.com, or http://example.com to http://example.net) requires the following steps – in sequence.

1. Download your existing site files.
2. Export your database – go in to MySQL and export the database.
3. Move the backed up files and database into a new folder – somewhere safe – this is your site backup.
4. Log in to the site you want to move and go to Settings > General, then change the URLs. (ie from http://example.com/ to http://example.net ) – save the settings and expect to see a 404 page.
5. Download your site files again.
6. Export the database again.
7. Edit wp-config.php with the new server’s MySQL database name, user and password.
8. Upload the files.
9. Import the database on the new server.

When your domain name or URLs change there are additional concerns. The files and database can be moved, however references to the old domain name or location will remain in the database, and that can cause issues with links or theme display.

If you do a search and replace on your entire database to change the URLs, you can cause issues with data serialization, due to the fact that some themes and widgets store values with the length of your URL marked. When this changes, things break. To avoid that serialization issue, you have three options:

1. Use the Velvet Blues Update URLs or Better Search Replace plugins if you can access your Dashboard.
2. Use WP-CLI’s search-replace if your hosting provider (or you) have installed WP-CLI.
3. Use the Search and Replace for WordPress Databases Script to safely change all instances on your old domain or path to your new one. (** only use this option if you are comfortable with database administration ** )

Note: Only perform a search and replace on the wp_posts table.
Note: Search and Replace from Interconnectit is a 3rd party script

Moving Directories On Your Existing Server

Moving the WordPress files from one location on your server to another – i.e. changing its URL – requires some special care. If you want to move WordPress to its own folder, but have it run from the root of your domain, please read Giving WordPress Its Own Directory for detailed instructions.

Here are the step-by-step instructions to move your WordPress site to a new location on the same server:

1. Create the new location using one of these two options:
   1. If you will be moving your WordPress core files to a new directory, create the new directory.If you want to move WordPress to your root directory, make sure all index.php, .htaccess, and other files that might be copied over are backed up and/or moved, and that the root directory is ready for the new WordPress files.
2. Log in to your site.
3. Go to the Administration > Settings > General screen.
4. In the box for WordPress Address (URL): change the address to the new location of your main WordPress core files.
5. In the box for Site Address (URL): change the address to the new location, which should match the WordPress (your public site) address.
6. Click Save Changes.
7. (Do not try to open/view your site now!)
8. Move your WordPress core files to the new location. This includes the files found within the original directory, such as http://example.com/wordpress, and all the sub-directories, to the new location.
9. Now, try to open your site by going to yourdomain.com/wp-admin. Note, you may need to go to yourdomain.com/wp-login.php
10. If you are using Permalinks, go to the Administration > Settings > Permalinks panel and update your Permalink structure to your .htaccess, file, which should be in the same directory as the main index.php file.
11. Existing image/media links uploaded media will refer to the old folder and must be updated with the new location. You can do this with the Better Search Replace or Velvet Blues Update URLs plugins, WP-CLI’s search-replace if your hosting provider (or you) have installed WP-CLI, manually in your SQL database, or by using the 3rd party database updating tool Search and Replace Databases Script * Note: this script is best used by experienced developers.
12. In some cases your permissions may have changed, depending on your ISP. Watch for any files with “0000” permissions and change them back to “0644”.
13. If your theme supports menus, links to your home page may still have the old subdirectory embedded in them. Go to Appearance > Menus and update them.
14. Sometimes you would need to restart your server, otherwise your server may give out an error. (happens in MAMP software (Mac)).

It is important that you set the URI locations BEFORE you move the files.

If You Forget to Change the Locations

If you accidentally moved the files before you changed the URIs: you have two options.

1. Suppose the files were originally in /path/to/old/ and you moved them to /path/to/new before changing the URIs. The way to fix this would be to make /path/to/old/ a symlink (for Windows users, “symlink” is equivalent to “shortcut”) to /path/to/new/, i.e.
   ln -s /path/to/new /path/to/old
   and then follow the steps above as normal. Afterwards, delete the symlink if you want.
2. If you forget to change the WordPress Address and Blog Address, you will be unable to change it using the wordpress interface. However, you can fix it if you have access to the database. Go to the database of your site and find the wp_options table. This table stores all the options that you can set in the interface. The WordPress Address and Blog Address are stored as siteurl and home (the option_name field). All you have to do is change the option_value field to the correct URL for the records with option_name=’siteurl‘ or option_name=’home‘.

Note: Sometimes, the WordPress Address and Blog Address are stored in WordPress Transients. Search and replace scripts can have trouble modifying those to the new address and some plugins might therefore refer to the old address because of them. Transients are temporary (cached) values stored in the wp_options database table that can be recreated on-demand when removed. It’s therefore safe to delete them from the migrated database copy and let them be recreated. This database query (again, have a backup!) clears all transients:

DELETE FROM `wp_options` WHERE option_name LIKE '%\_transient\_%' 

If You Have Accidentally Changed your WordPress Site URL

Suppose you accidentally changed the URIs where you cannot move the files (but can still access the login page, through a redirection or something).

wp-login.php can be used to (re-)set the URIs. Find this line:

require( dirname(__FILE__) . '/wp-load.php' );

and insert the following lines below:

//FIXME: do comment/remove these hack lines. (once the database is updated)
update_option('siteurl', 'http://your.domain.name/the/path' );
update_option('home', 'http://your.domain.name/the/path' );

You’re done. Test your site to make sure that it works right. If the change involves a new address for your site, make sure you let people know the new address, and consider adding some redirection instructions in your .htaccess file to guide visitors to the new location.

Changing The Site URL also provides the details of this process.

Managing Your Old Site

Shutting It Down

1. Download a copy of the main wordpress files from your OLD site to your hard drive and edit wp-config.php to suit the new server.
2. Go back to your OLD site and go to Administration > Settings > General screen and change the URL (both of them) to that of your new site.
3. Login on your server, go to phpMyAdmin, export as file, and save your database (but keep the old one just in case). Now, upload this new database and the copy of the wordpress core files with the edited wp-config.php to your new server. That’s it!

Keeping it Running

Caution: Make sure you have a backup of your old site’s WordPress database before proceeding!

Part A – Activating Your New Site

1. Download your entire WordPress installation to your hard drive. Name the folder appropriately to indicate that this is your OLD site’s installation.
2. Download your database.
3. Go back to your OLD site and go to options and change the url (both of them) to that of your new site.
4. Again, download your entire WordPress installation to your hard drive. Name the folder appropriately to indicate that this is your NEW site’s installation.
5. Download your database once again (but keep the old one). Upload this database to your new server. It will be easiest if you use the same database name and you create a user with the same login credentials on your new server as on your old server.
6. If you used a different database name and/or user (see previous step), edit wp-config.php in your NEW site’s installation folder appropriately.
7. Upload the NEW site’s installation folder to your new site. Presto, your NEW site should be working!

Part B – Restoring Your Old Site

1. On the original server, delete your OLD site’s database (remember, you should have a copy on your local computer that you made at the very beginning).
2. Upload your OLD site’s installation folder to your original server, overwriting the files that are currently there (you may also delete the installation folder on the server and simply re-upload the OLD site’s files).
3. Upload your OLD site’s database from your local computer to the server. That should do it!

Another procedure for making copies of posts, comments, pages, categories and custom field (post status, data, permalinks, ping status, etc.) easy to follow:

1. Install a new WordPress site
2. Go on old site Admin panel. Here, in Manage > Export select “all” in menu Restrict Author.
3. Click on Download Export File
4. In new site go on Manage > Import, choose WordPress item.
5. In the page that will be shown, select the file just exported. Click on Upload file and Import
6. It will appear a page. In Assign Authors, assign the author to users that already exist or create new ones.
7. Click on Submit
8. At the end, click on Have fun

Note: using this method, if there are some articles in the new site (like Hello World, Info Page, etc.), these will not be erased. Articles are only added. Using the former procedure, the articles in new site will be deleted.

Moving WordPress Multisite

Multisite is somewhat more complicated to move, as the database itself has multiple references to the server name as well as the folder locations. If you’re simply moving to a new server with the same domain name, you can copy the files and database over, exactly as you would a traditional install.

If, instead, you are changing domains, then the best way to move Multisite is to move the files, edit the .htaccess and wp-config.php (if the folder name containing Multisite changed), and then manually edit the database. Search for all instances of your domain name, and change them as needed. This step cannot yet be easily automated. It’s safe to search/replace any of the wp_x_posts tables, however do not attempt blanket search/replace without the Search and Replace for WordPress Databases script (aka the interconnectit script).

If you’re moving Multisite from one folder to another, you will need to make sure you edit the wp_blogs entries to change the folder name correctly. You should manually review both wp_site and wp_blogs regardless, to ensure all sites were changed correctly.

Also, manually review all the wp_x_options tables and look for three fields and edit them as needed:

• home
• siteurl
• fileupload_url

If you are moving from subdomains to subfolders, or vice-versa, remember to adjust the .htaccess file and the value for SUBDOMAIN_INSTALL in your wp-config.php file accordingly.

Related Links

• How to move WordPress site to another server with zero downtime
• Moving a blog from wordpress.com to self-hosted blog
• Moving WordPress to a new domain or server
• Italian version of this article – Versione italiana dell’articolo
• How to move a WordPress Blog or Website
• Search and Replace for WordPress Databases
• Online WordPress Serialized PHP Search and Replace
• Cloning a live WordPress site to a local Mac test environment
• PHP script to replace site url in WordPress database dump, even with WPML
• The Duplicator plugin helps administrators move a site from one location to another
• Technical tutorial on moving your WordPress blog to Bitnami’s AWS configuration

They are, in short, an attack on the weakest link in any website’s security… you.

Due to the nature of these attacks, you may find your server’s memory goes through the roof, causing performance problems. This is because the number of http requests (that is the number of times someone visits your site) is so high that servers run out of memory.

This sort of attack is not endemic to WordPress, it happens with every webapp out there, but WordPress is popular and thus a frequent target.

Protect Yourself

A common attack point on WordPress is to hammer the wp-login.php file over and over until they get in or the server dies. You can do some things to protect yourself.

Don’t use the ‘admin’ username

The majority of attacks assume people are using the username ‘admin’ due to the fact that early versions of WordPress defaulted to this. If you are still using this username, make a new account, transfer all the posts to that account, and change ‘admin’ to a subscriber (or delete it entirely).

You can also use the plugin Change Username to change your username.

Good Passwords

The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords.

WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.

You can use the Force Strong Password plugin to force users to set strong passwords.

Things to avoid when choosing a password:

• Any permutation of your own real name, username, company name, or name of your website.
• A word from a dictionary, in any language.
• A short password.
• Any numeric-only or alphabetic-only password (a mixture of both is best).

A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.

To further increase the strength of your password, you can enable Two Step Authentication to further protect your blog.

Plugins

There are many plugins available to limit the number of login attempts made on your site. Alternatively, there are also many plugins you can use to block people from accessing wp-admin altogether.

Protect Your Server

If you decide to lock down wp-login.php or wp-admin, you may find you get a 404 or 401 error when accessing those pages. To avoid that, you will need to add the following to your .htaccess file.

ErrorDocument 401 default

You can have the 401 point to 401.html, but the point is to aim it at not WordPress.

For Nginx you can use the error_page directive but must supply an absolute url.

error_page  401  http://example.com/forbidden.html;

On IIS web servers you can use the httpErrors element in your web.config, set errorMode="custom":

<httpErrors errorMode="Custom">
 <error statusCode="401"
 subStatusCode="2"
 prefixLanguageFilePath=""
 path="401.htm"
 responseMode="File" />
</httpErrors>

Password Protect wp-login.php

Password protecting your wp-login.php file (and wp-admin folder) can add an extra layer to your server. Because password protecting wp-admin can break any plugin that uses ajax on the front end, it’s usually sufficient to just protect wp-login.php.

To do this, you will need to create a .htpasswd file. Many hosts have tools to do this for you, but if you have to do it manually, you can use this htpasswd generator. Much like your .htaccess file (which is a file that is only an extension), .htpasswd will also have no prefix.

You can either put this file outside of your public web folder (i.e. not in /public_html/ or /domain.com/, depending on your host), or you can put it in the same folder, but you’ll want to do some extra security work in your .htaccess file if you do.

Speaking of which, once you’ve uploaded the .htpasswd file, you need to tell .htaccess where it’s at. Assuming you’ve put .htpasswd in your user’s home directory and your htpasswd username is mysecretuser, then you put this in your .htaccess:

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
</Files>
# Protect wp-login.php
<Files wp-login.php>
  AuthUserFile ~/.htpasswd
  AuthName "Private access"
  AuthType Basic
require user mysecretuser
</Files>

The actual location of AuthUserFile depends on your server, and the ‘require user’ will change based on what username you pick.

If you are using Nginx you can password protect your wp-login.php file using the HttpAuthBasicModule. This block should be inside your server block.

location /wp-login.php {
    auth_basic "Administrator Login";
    auth_basic_user_file .htpasswd;
}

The filename path is relative to directory of nginx configuration file nginx.conf

The file should be in the following format:

  user:pass
  user2:pass2
  user3:pass3

Unfortunately there is no easy way of configuring a password protected wp-login.php on Windows Server IIS. If you use a .htaccess processor like Helicon Ape, you can use the .htaccess example mentioned above. Otherwise you’d have to ask your hosting provider to set up Basic Authentication.

All passwords must be encoded by function crypt(3). You can use an online htpasswd generator to encrypt your password.

Limit Access to wp-login.php by IP

If you are the only person who needs to login to your Admin area and you have a fixed IP address, you can deny wp-login.php (and thus the wp-admin/ folder) access to everyone but yourself via an .htaccess or web.config file. This is often referred to as an IP whitelist.

Note: Beware your ISP or computer may be changing your IP address frequently, this is called dynamic IP addressing, rather than fixed IP addressing. This could be used for a variety of reasons, such as saving money. If you suspect this to be the case, find out out how change your computer’s settings, or contact your ISP to obtain a fixed address, in order to use this procedure.

In all examples you have to replace 203.0.113.15 with your IP address. Your Internet Provider can help you to establish your IP address. Or you can use an online service such as What Is My IP.

Examples for multiple IP addresses are also provided. They’re ideal if you use more than one internet provider, if you have a small pool of IP addresses or when you have a couple of people that are allowed access to your site’s Dashboard.

Create a file in a plain text editor called .htaccess and add:

# Block access to wp-login.php.
<Files wp-login.php>
  order deny,allow
  allow from 203.0.113.15
  deny from all
</Files>

You can add more than one allowed IP address using:

# Block access to wp-login.php.
<Files wp-login.php>
  order deny,allow
  allow from 203.0.113.15
  allow from 203.0.113.16
  allow from 203.0.113.17
  deny from all
</Files>

Are you using Apache 2.4 and Apache module mod_authz_host? Then you have to use a slightly different syntax:

# Block access to wp-login.php.
<Files wp-login.php>
  Require ip 203.0.113.15
</Files>

If you want to add more than one IP address, you can use:

# Block access to wp-login.php.
<Files wp-login.php>
  Require ip 203.0.113.15 203.0.113.16 203.0.113.17
  # or for the entire network:
  # Require ip 203.0.113.0/255.255.255.0
</Files>

For Nginx you can add a location block inside your server block that works the same as the Apache example above.

error_page  403  http://example.com/forbidden.html;
location /wp-login.php {
  allow   203.0.113.15
  # or for the entire network:
  # allow   203.0.113.0/24;
  deny    all;
}

Note that the order of the deny/allow is of the utmost importance. You might be tempted to think that you can switch the access directives order and everything will work. In fact it doesn’t. Switching the order in the above example has the result of denying access to all addresses.

Again, on IIS web servers you can use a web.config file to limit IP addresses that have access. It’s best to add this in an additional <location directive.

<location path="wp-admin">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false"> <!-- this rule denies all IP addresses, except the ones mentioned below -->
        <!-- 203.0.113.x is a special test range for IP addresses -->
        <!-- replace them with your own -->
        <add ipAddress="203.0.113.15" allowed="true" />
        <add ipAddress="203.0.113.16" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>

Deny Access to No Referrer Requests

Extended from Combatting Comment Spam, you can use this to prevent anyone who isn’t submitting the login form from accessing it:

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
	RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</ifModule>

Nginx – Deny Access to No Referrer Requests

location ~* (wp-comments-posts|wp-login)\.php$ {
      if ($http_referer !~ ^(http://example.com) ) {
           return 405;
      }
}

Windows Server IIS – Deny access to no referrer requests:

<rule name="block_comments_without_referer" patternSyntax="ECMAScript" stopProcessing="true">
<match url="(.*)" ignoreCase="true" />
  <conditions logicalGrouping="MatchAll">
    <add input="{URL}" pattern="^/(wp-comments-post|wp-login)\.php" negate="false"/>
    <add input="{HTTP_REFERER}" pattern=".*example\.com.*" negate="true" />
    <add input="{HTTP_METHOD}" pattern="POST" />  </conditions>
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="No comments without referrer!" />
</rule>

Change example.com to your domain. If you’re using Multisite with mapped domains, you’ll want to change example.com to (example.com|example.net|example4.com) and so on. If you are using Jetpack comments, don’t forget to add jetpack.wordpress.com as referrer: (example.com|jetpack\.wordpress\com)

ModSecurity

If you use ModSecurity, you can follow the advice from Frameloss – Stopping brute force logins against WordPress. This requires root level access to your server, and may need the assistance of your webhost.

If you’re using ModSecurity 2.7.3, you can add the rules into your .htaccess file instead.

Fail2Ban

Fail2ban is a Python daemon that runs in the background. It checks the logfiles that are generated by Apache (or SSH for example), and on certain events can add a firewall rule. It uses a so called filter with a regular expression. If that regular expression happens for example 5 times in 5 minutes, it can block that IP address for 60 minutes (or any other set of numbers).

Installing and setting up Fail2ban requires root access.

Blocklists

It appears that most brute force attacks are from hosts from Russia, Kazachstan and Ukraine. You can choose to block ip-addresses that originate from these countries. There are blocklists available on the internet that you can download. With some shell-scripting, you can then load blockrules with iptables.

You have to be aware that you are blocking legitimate users as well as attackers. Make sure you can support and explain that decision to your customers.

Besides blocklists per country, there are lists with ip-addresses of well-known spammers. You can also use these to block them with iptables. It’s good to update these lists regularly.

Setting up of blocklists and iptables requires root access.

Cloud/Proxy Services

Services like CloudFlare and Sucuri CloudProxy can also help mitigate these attacks by blocking the IPs before they reach your server.

See Also

• Sucuri: Protecting Against WordPress Brute Force Attacks
• How to: Protect WordPress from brute-force XML-RPC attacks
• Liquid Web: ModSecurity Rules To Alleviate Brute Force Attacks
• HostGator: Password Protecting wp-login
• Stopping Brute-force Logins
• Swiss Army Knife for WordPress (SAK4WP) – Free Open Source Tool that can help you protect your wp-login.php and /wp-admin/ but not /wp-admin/admin-ajax.php with one click and much more

Suffering a hack can be one of the more frustrating experiences you’ll have on your online journey. Like most things however, taking a pragmatic approach can help you maintain your sanity. While also moving beyond the issues with as little impact as possible.

A hack is a very ambiguous term, which in it of itself will provide little insights into what exactly happened. To ensure you get the help you need via the forums, be sure to understand the specific symptoms that lead you to believe you’ve been hacked. These are otherwise known as Indicators of Compromise (IoC).

A couple of IoC’s that are clear indicators of a hack include:

• Website is blacklisted by Google, Bing, etc..
• Host has disabled your website
• Website has been flagged for distributing malware
• Readers complaining that their desktop AV’s are flagging your site
• Contacted that your website is being used to attack other sites
• Notice behavior that was not authorized (i.e., creation of new users, etc…)
• You can visibly see that your site has been hacked when you open it in the browser

Not all hacks are created equal, so when engaging in the forums please keep this in mind. If you can better understand the symptoms the teams will be better equipped to provide help.

Below you will find a series of steps that are designed to help you start working through the post-hack process. They are not all encompassing as it would be impractical to account for every scenario, but they are designed to help you think through the process.

Some steps to take

Stay calm.

When addressing a security issue, as a website owner, you’re likely experiencing an undue amount of stress. It’s often the most vulnerable you have found yourself since being on line and it’s contrary to what every one told you, “Hey, WordPress is Easy!!”

The good news is that all is not lost! Yes, you might lose some money. Yes, you might take a hit against your brand. Yes, you will recover from this.

So, yes, take a step back and compose yourself. Doing so will allow you to more effectively take control of the situation and allow you to recover your online presence.

Document.

The first actionable step you should take post-compromise is documentation. Take a moment to document what you’re experiencing, and if possible times. A couple of things you want to keep in mind:

• What are you seeing that leads you to believe you are hacked?
• What time did you notice this issue? What timezone?
• What actions have you taken recently? Was a new plugin installed? Did you make a change to a theme? Modify a widget?

You are creating the baseline for what is recognized as an incident report. Whether you are planning to perform the incident response yourself, or engage a professional organization, this document will prove invaluable over time.

Recommend taking a moment to annotate details of your host environment as well. It will be required at some point during the incident response process.

Scan your website.

When scanning your website you have a few different ways to do this, you can use external remote scanners or application level scanners. Each are designed to look and report on different things. No one solution is the best approach, but together you improve your odds greatly.

Application Based Scanners (Plugins):

• Quttera
• GOTMLS
• WordFence
• Sucuri

Remote Based Scanners (Crawlers):

• VirusTotal
• Sitecheck

There are also a number of other related security plugins available in the WP repo. The ones annotated above have been around a long time and have strong communities behind each of them.

Scan your local environment.

In addition to scanning your website, you should start scanning your local environment. In many instances, the source of the attack / infection begins on your local box (i.e., notebook, desktop, etc…). Attackers are running trojans locally that allow them to sniff login access information to things like FTP and /wp-admin that allow them to log in as the site owner.

Make sure you run a full anti-virus/malware scan on your local machine. Some viruses are good at detecting AV software and hiding from them. So maybe try a different one. This advice extends to both Windows, OS X and Linux machines.

Check with your hosting provider.

The hack may have affected more than just your site, especially if you are using shared hosting. It is worth checking with your hosting provider in case they are taking steps or need to. Your hosting provider might also be able to confirm if a hack is an actual hack or a loss of service, for example.

One very serious implication of a hack these days is around Email blacklisting. This seems to be happening more and more. As websites are abused to send out SPAM emails, Email Blacklist authorities are flagging the website IP’s and those IP’s are often associated with the same server being used for email. The best thing you can do is look at Email providers like Google Apps when it comes to your business needs.

Be Mindful of Website Blacklists.

Google Blacklist issues can be detrimental to your brand. They currently blacklist somewhere in the neighborhood of 9,500 to 10,000 websites a day. This number grows daily. There are various forms of warnings, from large splash pages warning users to stay away, to more subtle warnings that pop up in your Search Engine Result Pages (SERPs).

Although Google is one of the more prominent ones, there are a number of other blacklist entities like Bing, Yahoo and a wide range of Desktop AntiVirus applications. Understand that your clients / website visitors may leverage any number of tools and any one of them could be causing the issue.

It’s recommended that you register your site with the various online webmaster consoles like:

• Google Search Console
• Bing Webmaster
• Yandex Webmaster
• Norton Webmaster

Improve your Access Controls.

You will often hear folks talking about updating things like Passwords. Yes, this is a very important piece, but it’s one small piece in a much larger problem. We need improve our overall posture when it comes to access control. This means using Complex, Long and Unique passwords for starters. The best recommendation is to use a Password Generator like those found in apps like 1Password and LastPass.

Remember that this includes changing all access points. When we say access points we mean things like FTP / SFTP, WP-ADMIN, CPANEL (or any other administrator panel you use with your host) and MYSQL.

This also extends beyond your user, and must include all users that have access to the environment.

It is also recommended to consider using some form of Two Factor / Multi-Factor authentication system. In it’s most basic form, it introduces, and requires, a second form of authentication when logging into your WordPress instance.

Some of the plugins available to assist you with this include:

• Rublon
• Duo

Reset all Access.

Once you identify a hack, one of the first steps you will want to do is lock things down so that you can minimize any additional changes. The first place to start is with your users. You can do this by forcing a global password reset for all users, especially administrators.

Here is a plugin that can assist with this step:

• iThemes Security

You also want to clear any users that might be actively logged into WordPress. You do this by updating the secret keys in wp-config. You will need to create a new set here: the WordPress key generator. Take those values then overwrite the values in your wp-config.php file with the new ones. This will force anyone that might still be logged in off.

Create a Backup.

You hopefully have a backup of your website, but if you don’t, this will be a good time to create one. Backups are a critical piece of your continuation of operations, and should be something you actively plan for moving forward. You should also ask your host what their policy is as it pertains to backups. If you do have a backup, you should be able to perform a restore and skill right into the forensics work.

Side note: It’s important you keep regular backups of your database and files. If this ever happens again.

Regardless, before you move into the next phase of cleaning, it is recommended you take one more snapshot of the environment. Even if it’s infected, depending on the type of hack, the impacts can cause a lot of issues and in the event of catastrophic failure you’ll at least have that bad copy to reference.

Find and remove the hack.

This will be the most daunting part of the entire process. Finding and removing the hack. The exact steps you take will be dictated by a number of factors, including, but not limited to, the symptoms provided above. How you approach the problem will be determined by your own technical aptitude working with websites and web servers.

To help in the process though, we’ve included a number of different resources that should help you in the process:

• Did Your WordPress Site Get Hacked?
• How to Clean Your Hacked Install
• How To Clean a Hacked WordPress Site
• How to Cope With a Hacked Site
• Four Malware Infections
• How to Clean a WordPress Hack

It might be tempting to purge everything and start over. In some cases that’s possible, but in many instances it’s just not possible. What you can do however is reinstall certain elements of the site with little regard to impacting the core of your website. You always want to make sure you reinstall the same version of software your website is using, if you choose an older or newer one you’re likely to kill your website. When reinstalling, be sure not to use the reinstall options in your WP-ADMIN. Use your FTP / SFTP application to drag and drop the versions. This will prove much more effective in the long run as those installers often only overwrite existing files, and hacks often introduce new files… You can replace the following directories safely:

• /wp-admin
• /wp-includes

From there, it’s recommended that you be more diligent in updating and replacing files as you move through wp-content as it contains your theme and plugin files.

The one file you will definitely want to look at is your .htaccess file. It’s one of the more common files, regardless of the type of infection, that is most often updated and used for nefarious activities. This file is often located at the root of your installation folder, but can also be embedded within several other directories on the same installation.

Regardless of the type of infection, there are will be some common files you will want to keep an eye on during your remediation process. They include:

• index.php
• header.php
• footer.php
• function.php

If modified, these files can usually adversely affect all page requests, making them high targets for bad actors.

Leverage the Community

We often forget but we’re a community based platform, this means that if you’re in trouble someone in the community is likely to give a lending hand. A very good place to start if you’re strapped for cash or just looking for a helping hand is the WordPress.org Hacked or Malware forum.

Update!

Once you are clean, you should update your WordPress installation to the latest software. Older versions are more prone to hacks than newer versions.

Change the passwords again!

Remember, you need to change the passwords for your site after making sure your site is clean. So if you only changed them when you discovered the hack, change them again now. Again remembering to use Complex, Long and Unique passwords.

You may consider to change the database user account and password. When you changed them, do not forget enhancing them to wp-config.php file.

Forensics.

Forensics is the process of understanding what happened. How did the attackers get in? The goal is to understand the attack vector a bad actor used to ensure they’re unable to abuse it again. In many instances, it’s very difficult for website owners to perform this type of analysis due to lack of technical knowledge and / or available data. If you do have the metadata required, then there are tools like like OSSEC and splunk that can help you synthesize the data.

Secure your site.

Now that you have successfully recovered your site, secure it by implementing some (if not all) of the recommended security measures.

Can’t Log Into WordPress Admin Panel

There are times that a bad actor will hijack your administrator account[s]. This is not a reason to panic, there are a few different things you can do to regain control of your account. You can follow these steps to reset your password

Tools like phpMyAdmin and Adminer are often made available via your hosting provider. They allow you to log into your database directly, bypassing your Administration Screen and resetting your user in the users table wp_users.

If you don’t want to mess with password hashes or can’t figure it out, simply update your email and go back to Login Screen, click forgot password, and wait for the email.

Using version control?

If you are using version control, it can be very handy to quickly identify what has changed and to rollback to a previous version of the website. From the terminal or command line you can compare your files with the versions stored in the official WordPress repository.

$ svn diff .

Or compare a specific file:

$ svn diff /path/to/filename

Other Resources

• Hacked WordPress Backdoors (OttoPress)
• WordPress Security – Cutting Through the BS (Sucuri)
• Security Posts (Perishable Press)

Login to your site

Login to your hosting control panel (cPanel) with information provided by your host company.

MySQL Database Wizard

Under the Database section, click on the MySQL Database Wizard icon.

Step 1. Create a Database

Step 1 in the wizard is creating the database. Simply give your database a name. The actual database name will be prepended by your hosting account name. In this example, after clicking Next Step, the database michaelh_demowp will be created.

Step 2. Create Database Users

The next step in the wizard requires creating a database user and assigning that user a password. When entering the password, make sure the password strength meter registers Very Strong for your selected password. Also remember the password you enter as you will need that information later. In this example, dbuser is entered in the Username field, but when the Create User button is clicked, the database user ultimately will be named michaelh_dbuser.

Step 3. Add User to Database

In Step 3, you assign the user to the database and you assign the necessary database privileges. In this case, click the All Privileges checkbox and click the Next Step button to assign all privileges to the database user.

Step 4. Complete the task

In this step, you are notified that the user was addeed to the database. You have successfully created the database, created the user, and assigned privileges to that user.

Editing the WordPress Config File

Open the file wp-config-sample.php using a text editor.
There are the four pieces of information you need to complete in the file. The following is an example; yours may look slightly different:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'michaelh_demowp');

/** MySQL database username */
define('DB_USER', 'michaelh_dbuser');

/** MySQL database password */
define('DB_PASSWORD', 'abc.123.!@#');

/** MySQL hostname */
define('DB_HOST', 'localhost');

Note that the prefix michaelh_ assigned by that cPanel is part of the database and database user. Also note, the DB_HOST value for almost all cPanel hosts is localhost.

Important!!!! Save the completed file as wp-config.php.

Continuing the Installation

The database is created, and user is created and assigned to the database with the proper privileges. And the wp-config.php is updated with the database information. At this point it is okay to move to Step 4 of the Installation process.

An administrator’s tool of sorts, phpMyAdmin is a PHP script meant for giving users the ability to interact with their MySQL databases. WordPress stores all of its information in the MySQL database and interacts with the database to generate information within your WordPress site. A “raw” view of the data, tables and fields stored in the MySQL database is accessible through phpMyAdmin.

What is it good for?

The phpMyAdmin program is handy for performing maintenance operations on tables, backing up information, and editing things directly in the event that WordPress is not working. Occasionally, in the Support Forums, someone will post a SQL query of some benefit or other that can be run using phpMyAdmin. Although many of the same tasks can be performed on the MySQL command line, doing so is not an option for many people.

Where can I get it?

Often host control panels, such as cPanel and Plesk, have phpMyAdmin pre-installed, so there is nothing special you have to do to use it. It is usually linked from the database page. Ask your host if this is available.

You can download phpMyAdmin yourself and install it from the main phpMyAdmin project page.

Warning

With great power comes great responsibility. phpMyAdmin allows you to interact with the database directly: it also lets you mess up the database directly. There is no “undo” or “undelete” in your database. Always exercise caution when working with the database.

This guide will show you how to diagnose JavaScript issues in different browsers.

Step 1: Try Another Browser

To make sure that this is a JavaScript error, and not a browser error, first of all try opening your site in another browser.

• if the site is not having the same issue in the new browser you know that the error is browser specific
• if the site is having the same error it is not an error that is specific to one browser

Make note of any browsers you are experiencing the error in. You can use this information when you are making a support request.

Step 2: Enable SCRIPT_DEBUG

You need to turn on script debugging. Open wp-config.php and add the following line before “That’s all, stop editing! Happy blogging”.

define('SCRIPT_DEBUG', true);

Check to see if you are still having an issue.

• Issue is fixed – turn off script debugging and report the issue on the support forum, telling the volunteers that you turned on script debugging and it solved the problem.
• Issue persists – proceed to Step 3.

Step 3: Diagnosis

Now that you know which browsers you are experiencing issues in you can start to diagnose the issue.

Chrome

1. Open the DevTools

Press Command+Option+J (Mac) or Control+Shift+J (Windows, Linux, Chrome OS) to jump straight into the Console panel of Chrome DevTools.

Or, navigate to More Tools > Developer Tools from Chrome menu, and click Console tab.

2. Identify the Error

The error console will open. If you don’t see any errors try reloading the page. The error may be generated when the page loads.

The console will provide you with the error type, the location of the error and the line number

Firefox

1. Open the Web Console

Press Command+Option+K (Mac) or Control+Shift+K (Windows) to jump straight into the Console panel of Firefox Web Console.

Or, navigate to Web Development > Web Console from Firefox menu, and click Console tab.

2. Identify the Error

The error console will open. If you don’t see any errors try reloading the page. The error may be generated when the page loads.

The console will provide you with the error type, the location of the error and the line number

Edge

Refer above Chrome section.

Internet Explorer

Bear in mind, IE behaves vastly differently from other browsers when it comes to JS errors, and reports on them in disparate ways. The first thing to check when facing a problem in IE is if the problem only exists in IE. Also note that the debugging tools built into some IE versions are limited, and may not be available.

NOTE: WordPress officially dropped support for Internet Explorer 11 in WordPress 5.8. If you are currently using IE11, it is strongly recommended that you switch to a more modern browser, such as Google Chrome, Mozilla Firefox, Safari, or Microsoft Edge. More information can be found on the Making WordPress Blog.

1. Open the Console

Go to the screen where you are experiencing the error. In Internet Explorer, navigate to Settings > F12 Developer Tools. Or click F12

Click on the Console tab.

2. Identify the Error

The error console will open. If you don’t see any errors try reloading the page. The error may be generated when the page loads.

The console will provide you with the error type, the location of the error and the line number

The image above shows the error to be in jquery.js on line 2.

Safari

1. Enable Developer Tools

Navigate to Safari > Preferences > Advanced and check the box that says Show Develop menu in menu bar

2. Open the Console

Go to the screen where you are experiencing the error. In Safari, navigate to Develop > Show Error Console

3. Identify the Error

The error console will open. If you don’t see any errors try reloading the page.

The console show you the error, the error location and the line number:

The image above shows the error to be in jquery.js on line 2.

Note: If you cannot see the error click the back button within the console.

Opera

1. Open the Console

Go to the screen where you are experiencing the error. In Chrome, navigate to Tools > Advanced > Error Console.

2. Identify the Error

The error console will open. Select JavaScript and Errors from the two drop downs. To find the error location, expand one of the errors. You’ll see the error and the location.

The image above shows the error to be in jquery.js on line 2, however remember to copy the whole stack information! Just saying what line is less helpful that showing context.

Step 4: Reporting

Now that you have diagnosed your error, you should make your support forum request. Go to the troubleshooting forum.

If your problem is with a specific theme or plugin, you can access their dedicated support forum by visiting https://wordpress.org/support/plugin/PLUGINNAME or https://wordpress.org/support/theme/THEMENAME

Please include the below information:

• the browsers that you are experiencing the problem in
• whether SCRIPT_DEBUG fixed the error or not
• the JavaScript error
• the location of the error – both the file name and the line number
• the context of the error – including the whole error stack will help developers