Previously on the CogitActive Saga:
Thank you for becoming a SiteGround customer! Your account was successfully created!
In their Getting Started Tutorial, SiteGround describes the various steps you should go through once you have signed up for an account. For instance, you should Set Up Your Domain (Step 1), Set Up Your Website (Step 2), and so on. Obviously, all of these steps require logging in to your User Area. Now, the first time you do so, there is a pop-up asking you if you want to start a new website on your account.
Of course I do! That is why I signed up for a hosting plan with SiteGround. I actually chose a WordPress plan (see Getting my web host) since I decided to build my website using this platform (see A CMS platform). Before coming back to this pop-up window, let me describe the various WordPress installation methods open to me.
Installing WordPress manually
Here comes the famous 5-minute installation. WordPress claims that the installation process is simple. However, as explained in their Installing WordPress guide, you will need a few things:
- Access to your web server (via FTP or shell)
- Ability to create MySQL databases
- A text editor
- An FTP client
- Your web browser of choice
Okay, let me check the definition of “simple” in a dictionary1:
Easily understood or done; presenting no difficulty.
I didn’t have to read the whole guide to realize that I was not comfortable with using this installation method.
Installing WordPress using Softaculous
This semi-automatic method involves using an auto-installer, namely Softaculous. This makes it easy to install WordPress with just a few clicks. Without going into details, here is the procedure.
You should log in to your cPanel account, click on the Softaculous icon (located under the Autoinstallers section) and choose the application you want to install (i.e. WordPress). After clicking the Install tab at the top of the page, you will have to configure your installation, i.e. provide the following information:
- Protocol (http or https)
- Directory (where to install WordPress)
- Database Name
- Table Prefix
- Site Name
- Site Description
- Admin Username
- Admin Password
- Admin E-mail
Whereas most settings are straightforward, some require guidance. Fortunately, there are several articles online to help you through this process. Anyway, once you have filled out everything, you just have to click on the Install button. And voilà!
In contrast to the previous method, this one requires no advanced skills. Yet, you need to understand a few things in order to configure your installation properly (e.g. Protocol, Directory, Database Name and Table Prefix)2.
Installing WordPress using SiteGround Setup Wizard
SiteGround (managed) WordPress plans include free WordPress installation. Using their Setup Wizard, you can get WordPress pre-installed on your hosting account (one-click install). Obviously, the wizard gives you fewer options to customize your WordPress installation than the other two approaches. However, this fully automatic method makes setting up your WordPress website easy and headache free.
You simply have to provide the login information for your new WordPress application (Admin e-mail, Username and Password). You can also choose to enhance your account (e.g. SG Site Scanner3), but that is it! You confirm your choices, click on the Complete Setup button and you are done.
WordPress will be installed and configured for you4.
Back to the pop-up window
As soon as I was done signing up with SiteGround (see Getting my web host), I was congratulated with this message:
Your account was successfully created!
There was also an invitation to proceed to my User Area. As I wanted to Set Up [My] Domain (step 1 of the aforementioned Getting Started Tutorial), I did follow the invitation link. I was faced with a pop-up window asking me if I wanted to start a new website on my account.
Having chosen one of SiteGround’s managed, optimized WordPress plans, I knew I could take advantage of their free WordPress installation, among other things. So why do without it?
What I should have done (part 1)
I should have opted for the option hidden at the very bottom of the window – I do not want to set up now. Remind me next time I log in – and got the same pop-up window later. This would have given me some extra time to think (i.e. cogitate) and avoid some mistakes made by acting rashly.
Alternatively, I didn’t have to use the Setup Wizard. I could have done a manual install or, more realistically, used Softaculous. Indeed, I could have chosen Don’t need help now (instead of Start a new website).
Here I am: I have selected Start a new website, I have chosen WordPress as the software to install, I have entered my login information and I am now clicking on the Confirm button.
You have requested to install WordPress on your account. Your request will be proceeded once you complete the setup.
There was also a notification that I didn’t choose any “Enhancements” to add to my account. I confirmed that I had read and agreed to the SiteGround Terms of Services and clicked on the Complete Setup button. That is it!
Your hosting account is Ready to Use!
I clicked on the Proceed to Customer Area button (again) and started to work on Setting Up My Domain5.
What I should have done (part 2)
Instead of rushing back to my initial plan of action (i.e. step 1 – Set Up Your Domain), I should have followed SiteGround’s advice6:
You can now go to the front page of your site and check out the newly installed WordPress application.
Indeed, I received an e-mail explaining that my new hosting account was all set! This e-mail also provided my Website information – my Admin URL (the address to access my WordPress login page) in particular.
Doing so, I would have noticed that SiteGround had published a page that includes general tips and links to their WordPress resources.
In the same spirit as the default “Hello world!” post that comes with a manual WordPress installation, SiteGround automatically publishes a “WordPress Resources at SiteGround” page (when you use the Setup Wizard7). SiteGround states that the goal of this page is to provide a better client experience by pointing the just-starting customer to useful resources. Fair enough! However, Nate Shivar8 has a different opinion about this page:
An automatically published page that is not connected to the rest of your website is suspicious and spammy. It also adds a factor of risk for their customers – they are the ones unknowingly participating in a link scheme. – Nate Shivar
The page is published, live on the internet and crawlable by the search engines8. As suggested by Nate Shivar, SiteGround could instead have published a note on the Dashboard – which will be visible only to the website owner8. My concern, however, is not about being in violation of Google’s Webmaster Guidelines and open to a manual penalty8. It is a more serious matter!
To understand the problem fully, you may consider watching this 9-minute video by lattepress. Just skip the beginning and jump directly to 03:38. As explained in the video, if you hover over the author of a post, you can see the actual Username of the user: the link points to the author archive (/author/<slug>/), and WordPress derives that slug from the login name unless the user’s “nicename” has been changed. When SiteGround published their “WordPress Resources at SiteGround” page, they did it on my behalf, that is, as the site Administrator! By doing this, they made my Administrator Username available to anyone. That is not acceptable!
Earlier in this post, I recommended avoiding “admin” as your Username. In fact, this is the default WordPress Username – if you don’t provide one during the installation process. Hackers are well aware of this weakness, and knowing your administrator username (i.e. “admin”, if you didn’t change it) makes it easier for them to find your password by brute force: they only have to guess one half of the credential pair.
Do you see the problem now?
By publishing this page, SiteGround put me at risk. Sure enough, hackers’ crawlers found my Username quickly. Equipped with this information, hackers tried to brute-force their way into my website immediately. Fortunately, I had a very complex password.
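The check a site owner would want after reading the above is whether their own WordPress site still gives the administrator’s login name away. The script below is an added example (it is not from the original post, from SiteGround, or from WordPress itself) and parses three things a default WordPress install exposes: the author archive links in a rendered page, the public users listing at /wp-json/wp/v2/users (whose slug field is the user nicename), and the redirect that /?author=1 issues to /author/<slug>/. The responses are constructed inline and the slug siteowner and the host example.com are invented; a practitioner would fetch the real responses with curl or a browser and feed them in.

```python
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Author archive links look like https://example.com/author/<slug>/ .
# WordPress builds <slug> (user_nicename) from the login name unless it is changed,
# so on most sites the slug *is* the login name, lower-cased.
AUTHOR_LINK_RE = re.compile(r"/author/([^/?#]+)/?", re.IGNORECASE)


class AuthorLinkParser(HTMLParser):
    """Collects author slugs from <a href=".../author/<slug>/"> anchors."""

    def __init__(self):
        super().__init__()
        self.slugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        m = AUTHOR_LINK_RE.search(urlparse(href).path)
        if m and m.group(1) not in self.slugs:
            self.slugs.append(m.group(1))


def slugs_from_html(html):
    """Slugs visible to anyone who hovers over a post's author link."""
    parser = AuthorLinkParser()
    parser.feed(html)
    return parser.slugs


def slugs_from_rest_users(body):
    """Slugs from the public users endpoint (/wp-json/wp/v2/users).
    A locked-down site returns an error object, not a list; treat that as empty."""
    try:
        users = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(users, list):
        return []
    return [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]


def slug_from_author_redirect(status, location):
    """On a default install, /?author=1 answers 301 with Location: /author/<slug>/."""
    if status not in (301, 302) or not location:
        return None
    m = AUTHOR_LINK_RE.search(urlparse(location).path)
    return m.group(1) if m else None


def site_leaks_usernames(page_html, rest_body, author_redirect):
    """Union of every slug found by the three checks, sorted; empty means no leak."""
    found = set(slugs_from_html(page_html))
    found.update(slugs_from_rest_users(rest_body))
    slug = slug_from_author_redirect(*author_redirect)
    if slug:
        found.add(slug)
    return sorted(found)


# Constructed sample responses for a default install (hypothetical slug "siteowner").
LEAKY_PAGE = (
    '<article><h2>WordPress Resources at SiteGround</h2>'
    '<p>Posted by <a href="https://example.com/author/siteowner/" rel="author">'
    'Site Owner</a></p></article>'
)
LEAKY_REST = '[{"id":1,"name":"Site Owner","slug":"siteowner",'
LEAKY_REST += '"link":"https://example.com/author/siteowner/"}]'
LEAKY_REDIRECT = (301, "https://example.com/author/siteowner/")

# Constructed sample responses for a hardened install: no author links rendered,
# REST users endpoint refused, and ?author=N answering 404 instead of redirecting.
HARDENED_PAGE = '<article><h2>Hello world!</h2><p>Welcome to WordPress.</p></article>'
HARDENED_REST = '{"code":"rest_user_cannot_view","message":"Sorry.","data":{"status":401}}'
HARDENED_REDIRECT = (404, None)

if __name__ == "__main__":
    for label, args in (("default", (LEAKY_PAGE, LEAKY_REST, LEAKY_REDIRECT)),
                        ("hardened", (HARDENED_PAGE, HARDENED_REST, HARDENED_REDIRECT))):
        print(label, "exposes:", site_leaks_usernames(*args) or "nothing")
```

If any of the three checks returns a slug that matches a real login name, deleting the auto-published page alone is not enough: the author archive, the REST listing and the ?author=N redirect keep answering for every user who has published anything. Changing the administrator’s nicename so it no longer equals the login, or blocking those two endpoints, closes the leak; a strong password, as in the post, only limits what an attacker can do with the name once they have it.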
What I should have done (part 3)
Obviously, I should have watched the aforementioned video earlier! More importantly, I should have gone to my newly installed WordPress site (see above) and followed this advice immediately:
Just remember to delete that page. – Nate Shivar
To be continued…
1 Simple (2010) Oxford Dictionary of English – Third Edition. Oxford University Press. ^
2 For advanced settings, such as the Database name or the Table prefix, some people recommend not to make any change, while others stress the weaknesses of leaving the default values as-is. ^
3 See Getting my web host. ^
4 According to this review by Nate Shivar, the wizard installs a slightly customized version of WordPress. Yet, like any other WordPress installation, this version includes two plugins – Hello Dolly and Akismet – by default. ^
5 This will be covered in the next post Pointing my domain name to my website. ^
6 In Use SiteGround Wizard to Install WordPress Tutorial. ^
7 Recently, SiteGround has rolled out a new WordPress Starter Plugin and it does not add the link resources page8. This option was not available when I went through this process. ^
8 Nate Shivar (2018) SiteGround Hosting Review: Pros & Cons of Using SiteGround. ShivarWeb. ^