Installing A More Secure WordPress
Step-by-Step Instructions to Install and Configure WordPress with Better Security*
When I went looking for a blogging software, I checked user ratings, server requirements, amount of documentation, available CSS templates and plugins, and did a test install of a few blogs. In the end I chose to go with WordPress because it was one of the easiest to install (it worked on the first try), it had built-in CMS (content management) capability, it had the best documentation, the most plugins, and lots of freely available CSS templates.
I installed and configured WordPress as CMS and blog for my existing website. I put WordPress in a subdirectory of my site's root directory because this is more secure and did not overwrite my existing web documents and applications. The install went smoothly and afterwards, I was delighted to find that the URLs for my other web documents** and applications continued to work seamlessly, without interference from WordPress.
Below are instructions to install your own copy of WordPress on a new or existing site, with improved security. These instructions assume that WordPress will manage your host domain/subdomain, not a subdirectory of that domain/subdomain (i.e. www.mysite.com or subdomain.mysite.com, NOT www.mysite.com/blog/). They assume that you are familiar with FTP software to upload files to your ISP, that you can create a MySQL database on your ISP account, and that you can edit a plain text file using a text editor like Notepad or VIM. These instructions can also be used to “upgrade” an existing copy of WordPress to make it more secure.
DISCLAIMER: Following these directions does not guarantee that your site won't be hacked. Weak passwords, open registration, SQL injection issues, and unscrupulous people will continue to be a source of security problems.
WARNING for Users on Windows Server: These instructions have never been tested on a Windows server, so install at your own risk.
Part I: The Pre-Installation Steps
Steps to prepare your ISP account and your home computer for a WordPress install:
New install pre-installation steps:
- Pre-install Step #1:
Add PHP and MySQL to your ISP account. Linux accounts usually come with these, but Windows accounts do not. Minimum required versions for WordPress are PHP 4.3 and MySQL 4.0.
- Pre-install Step #2:
Install an FTP client on your home computer. I recommend the free software Cyberduck on Mac OSX or the FireFTP add-on for Firefox 1.5+ on Windows/Linux. Configure your FTP client to connect to your ISP account and set the default file transfer type to “Auto” or “Ascii”. It must NOT be set to “binary”.
Important Note: If your ISP allows sFTP access (secure FTP), configure your FTP client connection to use this protocol instead of FTP. The FTP protocol is inherently insecure because it transmits passwords in plain text and any network packet analyzer can easily intercept it.
- Pre-install Step #3:
Create a MySQL database on your ISP account. ISPs usually provide an interface for you to do this through your web browser or a shell account. Take note of the hostname or IP of the database server, the database name, username, and password for install step #2 below.
If your ISP does not provide a means to create a MySQL database, they may provide an automatic install of WordPress itself. If you are creating a new site, you can run this and note where WordPress files are installed and the database server, name and password created. Then use that information in the install steps below, but you will be upgrading instead.
For more detail and examples on creating a MySQL database for WordPress, refer to the WordPress codex detailed instructions.
Upgrade pre-installation steps:
- Pre-install Step #1:
Back up WordPress! Use a backup plugin, use your phpMyAdmin interface, or export your entire blog to a file. You have multiple backup options available to you, so there is no excuse not to do it. This may seem an annoying chore right now, but believe me, the one time you need that backup, it will all be worth it.
- Pre-install Step #2:
Deactivate all plugins. Go to your WordPress admin menu ==>Plugins and click the [deactivate all plugins] button at the top of the plugin list. For WordPress 2.3 or earlier, this option is at the bottom of the plugins page.
- Pre-install Step #3:
If your current WordPress install is in your website root directory, to avoid overwriting files that you may need later (e.g. wp-config.php, uploads, themes, etc.), you should move all your WordPress files and folders into a “backup” or “temporary” folder. If your FTP software doesn't come with a “move” option, you can use the “rename” option instead: first create the directory “temp-folder” in your website root directory, then highlight each WordPress file or folder, select rename, and enter “temp-folder/filename” as the new name of “filename”.
Note: If you already have the latest version of WordPress installed but want to change your configuration to use this more secure setup, you should move all your WordPress files and folders into a new directory called “wp-folder” (or another name that is not easily guessable), then skip install steps 1-3 and 5, and follow install steps 4, 6-8, and all the post-install steps below.
Important Note for Upgraders: To avoid potential problems that could disable your blog, it is better to wait before upgrading to a new branch of WordPress (e.g. upgrading from 2.3.3 to 2.5.0). From my personal experience, non-standard WordPress configurations such as this do not get beta tested sufficiently before a new branch launch. I recommend that you wait for the “.1” or higher version of the branch (e.g. WordPress 2.5.1) before upgrading.
Part II: The Installation Steps
Steps to download WordPress, create startup files, install on your ISP account, and configure settings to get your WordPress site up and running.
- Install Step #1: Download WordPress
From your web browser, download a current copy of WordPress and save it on your home computer. The WordPress download package is available at http://wordpress.org/download. Uncompress the file after download. A double-click will usually unzip it on a Windows or Mac PC.
- Install Step #2: Create the configuration file, wp-config.php
Note: This is the most important step in your WordPress setup. “wp-config.php” contains vital MySQL connection information for WordPress. If this file has incorrect data or is corrupted, WordPress won’t run or will run with errors.
On your home computer, go to the “wordpress” folder that was created when you unzipped the WordPress download package and make a duplicate of the file “wp-config-sample.php”. Rename the copy “wp-config.php”. Next, open “wp-config.php” with a text editor and substitute the contents of the first 4 “define” lines with the information from the database you created in pre-install step #3. For example:
// ** MySQL settings ** //
define('DB_NAME', 'your_db_name');
define('DB_USER', 'your_db_user');
define('DB_PASSWORD', 'your_db_password');
define('DB_HOST', 'mysqlserver.mydomain.com');
“mysqlserver.mydomain.com” can also be an IP address or “localhost”, if your MySQL server is on the same server as your website. Be careful not to change any other part of this file except “SECRET_KEY”, which you should replace with your own phrase.
Warning for Windows PC users: Do NOT edit “wp-config.php” with “Word” or “WordPad”. These word processors insert extraneous characters and hidden “whitespaces” that can corrupt text files. You need to be extra careful of this because “WordPad” is often the default text editor on Windows. You should use “Notepad” as your text editor, instead. The first line of “wp-config.php” is exactly:
<?php
and the last line is exactly:
?>
with no blank lines or spaces immediately before or after. If you see any extra spaces or lines, then this file has been corrupted and you should create a new copy from “wp-config-sample.php” and start over. Do not attempt to fix it, as you probably won’t be able to find all the hidden whitespaces.
Note for upgraders: You should reuse “wp-config.php” from your existing WordPress website. Download it with your FTP software and put it in your PC’s “wordpress” folder. If you want to keep your existing theme and plugins, you need to download them as well. Also download the contents of your “wp-content/uploads” folder. Put these in their equivalent folder location within “wordpress” on your PC.
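A quick way to catch the corruption this step describes before you upload, as an added example that is not part of the original post: it reads your edited “wp-config.php” and the untouched “wp-config-sample.php” and reports the first-line/last-line problems, hidden word-processor characters, and any of the four database defines or SECRET_KEY left unchanged. The function names and the sample texts below are this example's own.

```python
"""Pre-upload check for wp-config.php (added example, not from the post).
Flags what the step above warns about: first line not exactly '<?php', last
line not exactly '?>' (one final line ending is allowed), hidden non-ASCII
characters such as a BOM or no-break space left by a word processor, and
DB_NAME/DB_USER/DB_PASSWORD/SECRET_KEY still equal to wp-config-sample.php."""
import re
import sys

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
MUST_CHANGE = ("DB_NAME", "DB_USER", "DB_PASSWORD", "SECRET_KEY")

def parse_defines(text):
    """Map define('NAME', 'value') pairs in PHP source to a dict."""
    return dict(DEFINE_RE.findall(text))

def check_wp_config(config, sample):
    """Return a list of problems in config (bytes); an empty list means OK."""
    problems = []
    if config.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 byte-order mark")
    if not config.startswith(b"<?php"):
        problems.append("first line is not exactly '<?php'")
    # Tolerate exactly one final line ending after the closing tag.
    tail = config[:-2] if config.endswith(b"\r\n") else (config[:-1] if config.endswith(b"\n") else config)
    if not tail.endswith(b"?>"):
        problems.append("last line is not exactly '?>' (extra lines or spaces)")
    text = config.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        hidden = [c for c in line if ord(c) > 126 or (ord(c) < 32 and c != "\t")]
        if hidden:
            problems.append(f"line {lineno}: hidden character {hidden[0]!r}")
    got = parse_defines(text)
    orig = parse_defines(sample.decode("utf-8", errors="replace"))
    for key in MUST_CHANGE + ("DB_HOST",):
        if key not in got:
            problems.append(f"{key} is not defined")
        elif not got[key]:
            problems.append(f"{key} is empty")
        elif key in MUST_CHANGE and got[key] == orig.get(key):
            problems.append(f"{key} still has the sample placeholder value")
    return problems

# Constructed stand-ins for wp-config-sample.php and two edited copies of it.
SAMPLE = (b"<?php\n// ** MySQL settings ** //\n"
          b"define('DB_NAME', 'putyourdbnamehere');\n"
          b"define('DB_USER', 'usernamehere');\n"
          b"define('DB_PASSWORD', 'yourpasswordhere');\n"
          b"define('DB_HOST', 'localhost');\n"
          b"define('SECRET_KEY', 'put your unique phrase here');\n"
          b"$table_prefix = 'wp_';\n?>\n")
GOOD = (SAMPLE.replace(b"putyourdbnamehere", b"your_db_name")
        .replace(b"usernamehere", b"your_db_user")
        .replace(b"yourpasswordhere", b"your_db_password")
        .replace(b"'localhost'", b"'mysqlserver.mydomain.com'")
        .replace(b"put your unique phrase here", b"a long random phrase"))
# Word-processor damage: byte-order mark, a no-break space, a blank last line.
BAD = b"\xef\xbb\xbf" + GOOD.replace(b"'wp_';", b"'wp_';\xc2\xa0") + b"\n"

if __name__ == "__main__":  # usage: python check.py wp-config.php wp-config-sample.php
    cfg, smp = (open(p, "rb").read() for p in sys.argv[1:3])
    for msg in check_wp_config(cfg, smp) or ["wp-config.php looks clean"]:
        print(msg)
```

An empty report means the file is safe to upload; any listed problem means start again from a fresh copy of “wp-config-sample.php”, as the step says.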
- Install Step #3: Rename “wordpress” folder
You should now rename the “wordpress” folder on your PC to something else. The new name should be something you will remember, but not something that a hacker can guess easily. Don't rename it “blog” because that is too obvious. This is an important security step because it makes it more difficult for hackers to find your WordPress admin folder. For the rest of these instructions, I will assume that you have renamed the “wordpress” folder “wp-folder”.
- Install Step #4: Create the startup file, index.php
Copy the file, “index.php”, from your wordpress folder, “wp-folder”, into wp-folder's parent directory, one level up. This duplicate keeps the name “index.php” and will be your new website startup file. Open “index.php” in a text editor and change the “require” statement to prepend your WordPress folder path to “wp-blog-header.php”. Here is an example “index.php” file with some additional code for error redirection:
<?php
$WP_folder = "wp-folder/"; //<== replace wp-folder with your WordPress folder name
if (file_exists($WP_folder."wp-blog-header.php")) {
    /* Short and sweet */
    define('WP_USE_THEMES', true);
    require($WP_folder."wp-blog-header.php");
} else {
    /* in case something goes wrong */
    header("HTTP/1.1 503 Service Unavailable");
    header("Retry-After: 1800");
    echo "<p>I'm sorry, this site is temporarily unavailable. Please try again in a few minutes.</p>";
}
?>
Do not edit the original “index.php” inside “wp-folder”, as this gives you an alternative way to start WordPress, if needed.
Note for sites with an existing “index” or “home” page: The file “index.php” replaces your existing (static) website startup page in your root directory (“home.html” or “index.html”). You must rename or move that file before this WordPress install. You can NOT keep it as your startup file in this WordPress configuration. Fortunately, if that file is an html document, you can restore it by copying and pasting its content (minus navigation menus/javascript) into the WordPress page editor and assigning it as your “front page”, after you complete the WordPress install.
- Install Step #5: Upload “wp-folder” to your website root directory
Use your FTP software to upload the whole directory, “wp-folder”, to your website root directory. Make sure that your ftp software is set for “ascii” upload, not “binary” which can cause “wp-config.php” to become corrupted.
Important Note: Your FTP upload is “wp-folder”, a single item. Do NOT select individual files/directories from within “wp-folder” for upload.
Important Notes for upgraders: If you want to keep your old WordPress plugins, css theme and file/image uploads, you must copy them into “wp-folder”. You should do this before uploading “wp-folder”. Use your ftp software to download the directories “wp-content/uploads”, “wp-content/themes”, and “wp-content/plugins” and copy them into their equivalent folder locations in “wp-folder” on your home computer.
- Install Step #6: Upload the startup file, “index.php”
Use your FTP software to upload the startup file, “index.php” that you created in step #4 to your ISP account. Upload it to your website's root directory, NOT “wp-folder”.
Note: This is a very important step. If you miss it or make an error, then step #8 below will disable your site. If this happens, don't worry. It is easily fixable.
Note for (Future) Upgrades: Because this startup file is not in the “wordpress” directory itself, it will not get overwritten by future automatic upgrades. If you plan to do manual upgrades in the future, you should still leave this file untouched and only upgrade “wp-folder” contents.
- Install Step #7: Run the WordPress “Install” script
In your web browser, type:
http://www.mysite.com/wp-folder/wp-admin/install.php
Replace “www.mysite.com” with your own website domain or subdomain and “wp-folder” with the name you gave your WordPress folder. Follow the directions given and note the admin password.
Note: You can copy the admin password to your clipboard by highlighting it and entering Ctrl-C or “Copy” from the web browser menu.
Note for Upgraders: If you are updating your WordPress to this securer configuration, run the “upgrade” script instead of “install”:
http://www.mysite.com/wp-folder/wp-admin/upgrade.php
You will need to enter your admin username and password after the upgrade to perform the next steps.
- Install Step #8: Change WordPress URL and Blog URL in “Settings”
Go to your WordPress Admin menu screen by typing
http://www.mysite.com/wp-folder/wp-admin/ in your browser. Login as “admin”, if you are prompted, then select the “Settings” tab. Enter your blog URL and your WordPress URL. These are your site URL and site URL/WordPress folder, respectively. For example:
WordPress address (URL): www.mysite.com/wp-folder/
Blog address (URL): www.mysite.com
Save settings. To verify that the new settings are in effect and that WordPress is installed correctly, click the “Visit site” button. New installs should see the WordPress blog index displayed in the Kubrick theme and an initial “Hello World” post. Upgraders should see their blog index page or front page, if set, displayed in their selected theme.
Note: If you get an error message (500/404) and don't see your site, clear your browser cache, then reload your browser window. If that doesn't work, redo step #6 above and refresh your browser cache again. If that still doesn't work, go back to WordPress Admin menu, select “Settings” tab, and double-check the URLs you entered.
Note for Upgraders: If your site displays but the style format is a mess, your theme css needs refreshing. Just clear your browser cache and reload your browser window. If that doesn't fix the problem, go back to the WordPress admin menu, select “Design” tab, and reselect your preferred WordPress theme.
Part III: The Post-Installation Steps
Optional configuration steps and steps to strengthen WordPress security.
- Post-install Step #1: Delete the user, “admin”
To stop all attempts to hack into your blog as “admin”, create a new user account with admin privileges, then delete the user “admin”: From the WordPress Admin menu, go to the “Users” tab and scroll down to “Add a new user”. Create a new id for yourself with the role “Administrator”. Click the “Add User” button, and log out. Then, log in under your new user id, go to the “Users” tab, check user “admin”, and click the “delete” button.
- Post-Install Step #2: Enable permalinks in “settings”
This step configures search engine-friendly URLs on your web site. This is not required, but strongly advised. In WordPress' admin menu, click the “Settings” tab, then click “Permalinks”, check a permalink structure, and “Save Changes”.
- Post-install Step #3: Recreate your “home” page, if needed
If you had a pre-existing “static” home page on your website that you want to restore, WordPress provides the means to do this, if that page was an html document with no dependent javascript. First you need to create two pages in WordPress “Page” editor, one for the “front page”, and one for the “Blog index” page: Go to WordPress admin menu==>Write==>Page, enter a simple title, like “Welcome”, switch edit mode from “Visual” to “HTML”, and paste the html-only content from the body of your old home page into the editor, then click the “Publish” button. For the “blog index” page, go to “Write”==>”Page”, enter the title “Blog”, leave the contents blank, then click “Publish”.
Next, you need to change WordPress settings to assign “Welcome” and “Blog” as your new “front page” and “blog index page”, respectively: Go to WordPress admin menu==>Settings==>Reading. Select “Front Page Displays: a static page” and for “Front Page”, select “Welcome”, and for “Posts page”, select “Blog”. For example:
Front page displays: * A static page (select below)
Front page: Welcome
Posts page: Blog
“Save Changes” and click the “visit site” button to confirm that these changes have gone into effect. You may have to clear your browser cache and reload the page to see these changes.
Please note that the style of your new “home” page will be affected by the current theme style that is in effect in WordPress. You may need to adjust your document to better fit this style or vice versa.
- Post-install Step #4: Install an Anti-spam Plugin
As your blog grows more popular, it will be inundated by the bottom feeders of the internet, comment spammers. Unless you plan to restrict comments to registered users only, it is vital that you have an anti-spam plugin installed to prevent spam from getting into your blog. Akismet comes built into WordPress and needs to be activated, but any anti-spam plugin will do.
I recommend you also install a “gatekeeper” plugin like Bad Behavior to stop spammers, hackers, and content thieves before they get to your site. Together with an anti-spam plugin to catch any spam that does get through, you can keep your site's comments almost completely spam free.
NOTE: You must upgrade your anti-spam software regularly for it to remain effective. Spammers continually develop new tactics to work around anti-spam code.
- Post-install Step #5: Remove “register” and “login” from your “meta” widget and sidebar.
“Login” and “Register” give spammers and hackers easy access to your blog. Unless you plan to recruit blog contributors or editors, or are restricting comments to registered users only, you should remove these from your blog's sidebar and widgets. Even if you allow open registration, I recommend putting “Register” and “Login” on your blog’s “About” page only. That is where interested parties are likely to go to learn more about your blog. If you have a forum, you should also put these on a forum login page.
If you decide to disallow open registration (recommended highly), you should go to WordPress Admin menu==>Settings, and under “Membership:”, uncheck “Anyone can register”, and save.
You can remove “Register” and “Login” from the meta widget by editing the template file, “functions.php”: go to WordPress Admin menu==>Design==>Theme Editor, select “functions.php” and add the following code for meta widget replacement:
<?php
//# Replace built-in Meta widget with a custom widget function
if ( function_exists('register_sidebar_widget') ) {
    register_sidebar_widget(__('Meta'), 'widget_my_meta');
}
//# Meta widget replacement
function widget_my_meta() {
    global $post;
?>
<li id="meta" class="widget widget_meta">
<h2 class="widgettitle">Meta</h2><ul>
<?php
//### Login and Register Meta Links
// Only shown on 'About' page or when user is already logged in.
get_currentuserinfo();
if (is_user_logged_in() ) { ?>
    <li> <?php wp_loginout(); ?></li>
    <?php wp_register(); ?>
<?php } elseif (is_page('about')) { ?>
    <li> <?php wp_loginout(); ?></li>
    <?php wp_register(); ?>
<?php } ?>
<?php //### RSS Meta Links ?>
<li><span class="rss"><a href="<?php bloginfo('rss2_url'); ?>">Entries RSS</a></span></li>
<?php // comments RSS shown when viewing a single post or page
if ((is_single() || is_page()) && 'open' == $post->comment_status) { ?>
    <li><span class="rss"><?php comments_rss_link('Comments RSS'); ?></span></li>
<?php }
wp_meta(); ?>
</ul></li>
<?php } // end function widget_my_meta ?>
Note: These instructions alter the meta widget for the current theme only. You will need to redo this if you switch theme templates.
Note: “Login” and “Register” also reveal the folder location of your WordPress install, undoing some of the security that a separate directory install gives you. Unfortunately, even without these in your sidebar, a determined hacker can still find your “wordpress” install directory by parsing WordPress’ document head where style links added by theme template and plugins, and ping-back links added by WordPress, also reveal that location. Currently, there is no easy way to completely get around this built-in weakness in WordPress, but that's a separate issue.
- And you are done. Happy blogging!
You may now customize your WordPress by adding a nice theme style and useful plugins*. But remember to update “functions.php” again to secure “login” and “register”, whenever you activate a new theme template.
*Note: There are some plugins that do not work with this WordPress configuration. However, there are plenty of well-written plugins that do work. You should be able to find a better alternative among these.
**Note: as of WP 2.2.3, “static” files stored in root subdirectories named "images" or "tag" are no longer accessible within WordPress posts and pages. WordPress may have added its own virtual folders with the same names, causing a conflict.