23.10.2024

How to Install WordPress: The Complete Technical Guide

WordPress powers over 43% of all websites on the internet — a statistic that reflects both its flexibility and the maturity of its installation ecosystem. Whether you are deploying a personal blog, a high-traffic business site, or a WooCommerce storefront, the installation process follows a predictable set of steps that can be completed in under 15 minutes when done correctly.

The core requirement for any WordPress installation is a LAMP or LEMP stack: a web server (Apache or Nginx), PHP 7.4 or higher (8.1+ recommended for performance), and a MySQL 5.7+ or MariaDB 10.4+ database. Every method described in this guide — one-click, cPanel, or FTP — ultimately configures these same three components.

Prerequisites: What You Need Before You Start

Before touching an installer or an FTP client, confirm the following are in place:

  • A hosting account with SSH, cPanel, or FTP access — VPS Hosting gives you full root access for the most flexible setup
  • A registered domain name pointed to your server's IP via an A record — see Domain Registration if you need one
  • A valid SSL certificate — WordPress should never run over plain HTTP in production; install an SSL certificate before or immediately after WordPress setup via SSL Certificates
  • PHP 8.1 or higher with the extensions mysqli, curl, gd, mbstring, xml, zip, and imagick enabled
  • MySQL 5.7+ or MariaDB 10.4+ with a dedicated database and user for WordPress (never use the root database user)

A common pitfall beginners miss: installing WordPress on a domain that still has the default hosting placeholder page. Clear the public_html directory of any index.html or index.php stub files before uploading WordPress files, otherwise the installer will never trigger.

Most managed hosting environments — including VPS with cPanel and Shared Web Hosting plans — include Softaculous, the industry-standard auto-installer. This method handles database creation, file extraction, and wp-config.php generation automatically.

Step 1: Access the Softaculous Installer

Log in to cPanel and locate the Softaculous Apps Installer section. Click the WordPress icon. Alternatively, navigate directly to the WordPress Tools or Website Installers section if your host uses a custom dashboard.

Step 2: Configure the Installation Parameters

Click Install Now and fill in the following fields carefully:

  • Choose Protocol: Select https:// — never http://. If your SSL certificate is not yet active, install it first.
  • Choose Domain: Select the target domain from the dropdown.
  • In Directory: Leave this field blank to install WordPress at the root (yourdomain.com). Entering a subdirectory like blog installs it at yourdomain.com/blog.
  • Site Name and Description: These populate blogname and blogdescription in the wp_options table and can be changed later from the dashboard.
  • Admin Username: Do not use admin — this is the first username brute-force bots try. Use something unique.
  • Admin Password: Use a minimum 16-character password with mixed case, numbers, and symbols.
  • Admin Email: Use a real, monitored address. WordPress sends critical security and update notifications here.
  • Select Language: Choose your preferred language for the WordPress admin interface.
  • Select Plugins: Softaculous may offer to pre-install plugins. Decline unless you specifically need them — a clean install is easier to audit.

Step 3: Advanced Options (Do Not Skip)

Expand the Advanced Options panel:

  • Database Name and Table Prefix: Change the default wp_ table prefix to something random like xk7_. This is a meaningful hardening step against SQL injection attacks that target predictable table names.
  • Automated Backups: Enable this if your host supports it.
  • Disable WordPress Cron: If you are on a high-traffic VPS, consider disabling the built-in WP-Cron and replacing it with a real system cron job later.

Step 4: Complete and Access the Dashboard

Click Install. Softaculous will create the database, extract WordPress files into the target directory, configure wp-config.php, and run the database schema installation. The entire process takes 30–90 seconds.

Access your dashboard at https://yourdomain.com/wp-admin/ using the credentials you set.

Method 2: Manual Installation via cPanel (Intermediate)

Manual installation gives you explicit control over every configuration parameter and is the recommended approach when you need non-default settings — custom database collation, a specific PHP version, or a subdirectory install with custom rewrite rules.

Step 1: Download WordPress

Always download from the official source:

wget https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gz

If working locally, download from wordpress.org/download and extract the zip file. The result is a folder named wordpress containing all core files.

Step 2: Create a MySQL Database and User

In cPanel, navigate to MySQL Databases:

  1. Under Create New Database, enter a name such as wp_production and click Create Database.
  2. Under MySQL Users, create a new user with a strong, unique password. Do not reuse passwords from other services.
  3. Under Add User to Database, select both the user and the database, click Add, and on the next screen grant All Privileges.

Critical note: The database user only needs the following privileges for normal WordPress operation: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER. Granting ALL PRIVILEGES is convenient but grants more access than necessary. On a production server with multiple sites, use the minimal privilege set.

Step 3: Upload WordPress Files

In cPanel's File Manager, navigate to public_html (or your domain's document root). Upload the contents of the wordpress folder — not the folder itself — directly into public_html. After upload, the directory should contain wp-login.php, wp-config-sample.php, and the wp-content, wp-admin, and wp-includes directories at the root level.

Step 4: Configure wp-config.php

In File Manager, locate wp-config-sample.php, right-click it, and rename it to wp-config.php. Open it for editing and update the following values:

define( 'DB_NAME',     'your_database_name' );
define( 'DB_USER',     'your_database_user' );
define( 'DB_PASSWORD', 'your_database_password' );
define( 'DB_HOST',     'localhost' );
define( 'DB_CHARSET',  'utf8mb4' );
define( 'DB_COLLATE',  '' );

Additionally, replace the placeholder Authentication Keys and Salts by visiting https://api.wordpress.org/secret-key/1.1/salt/ and pasting the generated block into wp-config.php. These salts secure session cookies and are frequently overlooked in manual installs.

Add these hardening constants while the file is open:

define( 'DISALLOW_FILE_EDIT', true );     // Disables the theme/plugin editor in the dashboard
define( 'WP_DEBUG',           false );    // Set to true only during development
define( 'FORCE_SSL_ADMIN',    true );     // Forces HTTPS for all admin sessions

Also change the default table prefix from $table_prefix = 'wp_'; to a randomized value:

$table_prefix = 'xk7_';

Step 5: Run the Web-Based Installer

Navigate to https://yourdomain.com in a browser. WordPress will detect the configured wp-config.php and launch the installation wizard. Complete the following fields:

  • Site Title
  • Username (avoid admin)
  • Password
  • Your Email
  • Search Engine Visibility: Check "Discourage search engines" only if the site is not yet ready for public indexing. Forgetting to uncheck this later is one of the most common causes of new WordPress sites not appearing in Google.

Click Install WordPress. The installer creates all database tables and inserts default data. You will see a success screen with a Log In button.

Method 3: Manual Installation via SSH and FTP (Advanced)

This method is preferred by system administrators deploying WordPress on a Dedicated Server or a bare VPS without a control panel. SSH access allows you to perform the entire installation from the command line, which is faster and scriptable.

Full SSH-Based Installation

# Navigate to the web root
cd /var/www/html

# Download and extract WordPress
wget https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gz
mv wordpress/* .
rm -rf wordpress latest.tar.gz

# Set correct ownership and permissions
chown -R www-data:www-data /var/www/html
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

# Create the database (run as root or a MySQL admin user)
mysql -u root -p <<EOF
CREATE DATABASE wp_production CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'StrongPassword123!';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON wp_production.* TO 'wp_user'@'localhost';
FLUSH PRIVILEGES;
EOF

# Configure wp-config.php (single quotes stop an interactive shell from
# treating the "!" in the password as history expansion)
cp wp-config-sample.php wp-config.php
sed -i 's/database_name_here/wp_production/' wp-config.php
sed -i 's/username_here/wp_user/' wp-config.php
sed -i 's/password_here/StrongPassword123!/' wp-config.php

After running these commands, complete the installation through the browser as described in Method 2, Step 5.

FTP-Based Upload (When SSH Is Unavailable)

If SSH is not available, use an FTP client such as FileZilla:

  1. Connect using the FTP credentials from your hosting control panel. Use SFTP (SSH File Transfer Protocol) or FTPS (FTP over TLS) — never plain FTP, which transmits credentials in cleartext.
  2. Navigate to the remote public_html directory.
  3. Drag the contents of the local wordpress folder into public_html.
  4. Edit wp-config-sample.php locally, add your database credentials, save it as wp-config.php, and upload it.
  5. Complete the browser-based installer.

File Permission Reference

Incorrect file permissions are a leading cause of WordPress security incidents and plugin/theme installation failures. Use this reference:

| Path | Recommended Permission | Reason |
| --- | --- | --- |
| wp-config.php | 440 or 400 | Prevents web-readable access to database credentials |
| wp-content/ | 755 | Allows the web server to write uploads and cache files |
| wp-content/uploads/ | 755 | Required for media uploads |
| All .php files | 644 | Readable by web server, not world-writable |
| All directories | 755 | Standard directory traversal permission |
| .htaccess | 644 | Writable by WordPress for permalink updates |

Never set 777 permissions on any directory. This makes every file in that directory writable by any process on the server — a critical vulnerability on shared hosting environments.
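The permission table above can be turned into a check, shown here as an added example that is not part of the original guide: it lists every entry under a WordPress root that deviates from the recommended modes. It assumes GNU find; the function names and the demo tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report entries under a WordPress root that deviate from the
# permission table in this guide. Assumes GNU find (-printf, -perm -mode).

# list_perm_findings ROOT -> one "reason mode path" line per finding
list_perm_findings() {
    local root="$1"
    # Anything writable by "other" (777, 666, 757, ...); symlinks are skipped
    find "$root" ! -type l -perm -0002 -printf 'world-writable %m %p\n'
    # Directories that are not exactly 755 (world-writable ones reported above)
    find "$root" -type d ! -perm 0755 ! -perm -0002 -printf 'dir-not-755 %m %p\n'
    # Regular files other than wp-config.php that are not exactly 644
    find "$root" -type f ! -name wp-config.php ! -perm 0644 ! -perm -0002 \
        -printf 'file-not-644 %m %p\n'
    # wp-config.php in the root must be 440 or 400
    find "$root" -maxdepth 1 -type f -name wp-config.php \
        ! -perm 0440 ! -perm 0400 ! -perm -0002 \
        -printf 'wp-config-not-440 %m %p\n'
}

# audit_wp_perms ROOT -> prints findings, returns 0 only when there are none
audit_wp_perms() {
    local out
    out=$(list_perm_findings "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed demo tree: one 777 upload directory and a 644 wp-config.php
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
touch "$demo/wp-config.php" "$demo/index.php"
chmod 755 "$demo" "$demo/wp-content"
chmod 777 "$demo/wp-content/uploads"
chmod 644 "$demo/wp-config.php" "$demo/index.php"
audit_wp_perms "$demo"
rm -rf "$demo"
```

On a real server, call `audit_wp_perms /var/www/html` (or your document root) and treat a non-zero exit status as a failed check.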

Method Comparison

| Feature | One-Click (Softaculous) | cPanel Manual | SSH / FTP Manual |
| --- | --- | --- | --- |
| Technical skill required | Beginner | Intermediate | Advanced |
| Time to complete | 2–5 minutes | 15–30 minutes | 10–20 minutes |
| Database auto-created | Yes | No | No |
| wp-config.php auto-generated | Yes | No | No |
| Salts auto-generated | Yes | No | Yes (with WP-CLI) |
| Custom table prefix support | Yes (in Advanced Options) | Yes | Yes |
| Suitable for production | Yes | Yes | Yes (preferred) |
| Scriptable / automatable | No | No | Yes |
| Requires control panel | Yes | Yes | No |

Post-Installation Hardening and Configuration

A fresh WordPress install is functional but not production-ready. The following tasks should be completed before the site receives public traffic.

Security Hardening

  • Change the login URL: The default wp-admin path is targeted by automated bots constantly. Use a plugin like WPS Hide Login to move it to a custom path.
  • Install a Web Application Firewall: Wordfence or Sucuri Security provide firewall rules, malware scanning, and login protection.
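  • Disable XML-RPC if you do not use the WordPress mobile app or Jetpack: add add_filter('xmlrpc_enabled', '__return_false'); to functions.php or block it at the server level. The filter only switches off XML-RPC methods that require authentication, so blocking requests to xmlrpc.php at the server level is the more complete option.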
  • Limit login attempts: Use a plugin or configure Fail2Ban at the server level to block IPs after repeated failed login attempts.
  • Set up two-factor authentication for all administrator accounts using a plugin like WP 2FA or Google Authenticator.

Performance Configuration

  • Set up a caching layer: W3 Total Cache, WP Super Cache, or LiteSpeed Cache (if your server runs LiteSpeed) dramatically reduce Time to First Byte.
  • Configure a CDN: Cloudflare's free tier or a dedicated CDN offloads static assets and reduces server load.
  • Replace WP-Cron with a real cron job: WordPress's built-in pseudo-cron only fires on page loads, which is unreliable on low-traffic sites and inefficient on high-traffic ones.

# Add to the crontab of the web server user
*/5 * * * * php /var/www/html/wp-cron.php > /dev/null 2>&1

Then disable the built-in cron in wp-config.php:

define( 'DISABLE_WP_CRON', true );

Essential Plugins to Install

| Plugin | Purpose | Priority |
| --- | --- | --- |
| Yoast SEO or Rank Math | On-page SEO, sitemaps, schema markup | High |
| Wordfence Security | Firewall, malware scanning, login protection | High |
| UpdraftPlus | Automated backups to remote storage | High |
| WP Rocket or W3 Total Cache | Page caching and performance optimization | High |
| WooCommerce | E-commerce functionality | Conditional |
| Contact Form 7 or WPForms | Contact forms | Medium |
| Smush or ShortPixel | Automatic image compression | Medium |

Navigate to Settings > Permalinks and select Post name (/%postname%/). This structure is both human-readable and optimal for SEO. After saving, WordPress rewrites the .htaccess file on Apache; on Nginx the rewrite rules have to be added by hand.

If you are running Nginx, WordPress cannot automatically update the server configuration. You must manually add the rewrite rules to your Nginx server block:

location / {
    try_files $uri $uri/ /index.php?$args;
}

Configuring WordPress Email

By default, WordPress uses PHP's mail() function to send emails, which is frequently blocked by hosting providers or flagged as spam. Configure SMTP delivery using a plugin like WP Mail SMTP with credentials from a dedicated mail service. For professional transactional email, consider a dedicated Email Hosting solution to ensure reliable delivery of password resets, order confirmations, and admin notifications.

Practical Decision Matrix: Which Installation Method to Use

Use the following criteria to select the right approach for your situation:

  • You are a beginner or building a personal site on shared hosting — use Softaculous one-click install via cPanel.
  • You need a clean install with custom database settings on a cPanel server — use the manual cPanel method.
  • You are deploying to a VPS or dedicated server without a control panel — use the SSH method; it is faster, auditable, and scriptable.
  • You have FTP access only and no SSH — use the FTP method, but ensure you use SFTP or FTPS.
  • You are deploying multiple WordPress instances — use WP-CLI with a shell script; this is outside the scope of this guide but is the professional standard for multi-site deployments.
  • You need maximum server control, custom PHP versions, or high-traffic infrastructure — a Dedicated Server with a manual SSH install is the correct architecture.

Technical Checklist Before Going Live

Before pointing production traffic to a new WordPress install, verify each item:

  • [ ] SSL certificate installed and FORCE_SSL_ADMIN set to true in wp-config.php
  • [ ] wp-config.php permissions set to 440
  • [ ] Authentication keys and salts generated from the WordPress API and inserted into wp-config.php
  • [ ] Default wp_ table prefix changed to a random string
  • [ ] admin username not used for the administrator account
  • [ ] "Discourage search engines" unchecked in Settings > Reading (if the site is live)
  • [ ] Permalink structure set to Post name
  • [ ] SMTP email configured and tested
  • [ ] At least one backup plugin configured with remote storage
  • [ ] Security plugin installed and firewall rules active
  • [ ] DISALLOW_FILE_EDIT set to true in wp-config.php
  • [ ] XML-RPC disabled if not required
  • [ ] WP-Cron replaced with a system cron job on VPS/dedicated environments
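The wp-config.php items from this checklist can be verified from the shell. This is an added example, not code from the original guide; it assumes GNU stat, and the function names and sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit wp-config.php against the go-live checklist.
# Assumes GNU stat (Linux). Function names are this example's own.

# const_is FILE NAME VALUE -> 0 if an uncommented define('NAME', VALUE) exists
const_is() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*$3[[:space:]]*\)" "$1"
}

# audit_wp_config FILE -> prints findings, returns the number of failed checks
audit_wp_config() {
    local cfg="$1" fails=0 mode c
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 99; }

    mode=$(stat -c '%a' "$cfg")
    case "$mode" in
        440|400) ;;
        *) echo "FAIL: mode $mode, expected 440 or 400"; fails=$((fails + 1)) ;;
    esac

    # wp-config-sample.php ships every key and salt with this placeholder text
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "FAIL: placeholder authentication keys/salts"; fails=$((fails + 1))
    fi

    if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.[[:space:]]*;' "$cfg"; then
        echo "FAIL: default table prefix wp_"; fails=$((fails + 1))
    fi

    for c in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
        const_is "$cfg" "$c" true || { echo "FAIL: $c not set to true"; fails=$((fails + 1)); }
    done

    if const_is "$cfg" WP_DEBUG true; then
        echo "FAIL: WP_DEBUG is true"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: the relevant lines of an unedited sample config
demo=$(mktemp)
cat > "$demo" <<'EOF'
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
EOF
chmod 644 "$demo"
audit_wp_config "$demo"; echo "failed checks: $?"
rm -f "$demo"
```

A commented-out define counts as missing, so a line such as `// define( 'FORCE_SSL_ADMIN', true );` is reported as a failure.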

FAQ

What are the minimum PHP and MySQL versions required to install WordPress?

WordPress 6.x requires PHP 7.4 as an absolute minimum, but PHP 8.1 or 8.2 is strongly recommended for performance and security. MySQL 5.7 or MariaDB 10.4 are the minimum database versions. Running below these versions will result in installation failures or silent compatibility issues with modern plugins.

Why does the WordPress installer show a blank page or a database connection error?

A blank white screen typically indicates a PHP fatal error — check the server's PHP error log. An "Error establishing a database connection" message means the credentials in wp-config.php are incorrect, the database does not exist, or the database user has not been granted privileges. Verify all three in your MySQL management interface.

Can I install WordPress in a subdirectory while serving it from the root domain?

Yes. Install WordPress in a subdirectory such as /wordpress, then in Settings > General set the WordPress Address to https://yourdomain.com/wordpress and the Site Address to https://yourdomain.com. Copy index.php from the subdirectory to the root and edit it to update the require path. This is a legitimate and widely used configuration.

What is the correct way to move WordPress from HTTP to HTTPS after installation?

Update both WordPress Address and Site Address in Settings > General to use https://. Add define('FORCE_SSL_ADMIN', true); to wp-config.php. Run a search-and-replace on the database to update hardcoded http:// URLs — use the WP-CLI command wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables or a plugin like Better Search Replace. Finally, configure a 301 redirect in .htaccess or your Nginx server block.

Is it safe to install WordPress on shared hosting for a business site?

Shared hosting is acceptable for low-traffic business sites, but comes with inherent limitations: shared PHP processes, restricted server configuration, and exposure to neighboring accounts. For sites handling e-commerce, user data, or significant traffic, a VPS Hosting environment provides process isolation, dedicated resources, and the ability to enforce server-level security rules that shared hosting cannot offer.
