[markb1439]

Hi,

For manual installations, WordPress advises people to set the four unique security keys in the config file. These can be generated easily at the URL provided in the config-sample file.

However, Installatron does not seem to set these keys when installing WordPress. So, it seems to me that a manual installation (following the recommended procedure) is more secure than one performed by Installatron.

Can Installatron be updated to set these keys when doing an installation? I would think that it would be fairly easy to implement.

Also, are there any other issues with Installatron installations of WordPress? I want to offer my users the most secure possible installations.

Thanks and best regards,

Mark

[Rowan]

Mark,

It was meant to set those keys, but there was a bug that I have just fixed and published. An Installatron update (or wait for the morning CRON) will grab it. Thanks for the headsup.

With that working correctly, Installatron's install is a 1:1 copy of a manual installation except that the Installatron installer also sets CHMOD 777 on 'wp-content'. This was added on request a long time ago, though there's no mention of it in the Wordpress documentation. Is that still needed or should I remove that CHMOD?

Rowan.

[markb1439]

Hi Rowan,

Thanks, that's great support!

Regarding the CHMOD issue, here's what WP says:

Some plugins require the /wp-content/ folder be made writeable, but in such cases they will let you know during installation. In some cases, this may require assigning 755 permissions or higher (e.g. 777 on some hosts). The same is true for /wp-content/cache/ and maybe /wp-content/uploads/

Additional directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions will vary.

So I think your judgment is best on what to do here.

One other thing I noticed (but haven't checked lately): With an Installatron installation, the site and blog URL in WP seems to default to:

http://domain.com/directory

...without the "www".

I prefer the "www", and when I do a manual WP install and enter the "www" when going to the install page, it sets the URL with the "www". Is it normal to default to installing without it? I guess that's just an aesthetic thing that the user can tweak, but I'm trying to prevent my clients from having to do tweaks unless necessary.

Thanks!!!

[Rowan]

I've published a new build of the Wordpress installer with the CHMOD of wp-content removed.

I'll speak to Phil tomorrow about the default domain.

Rowan.

[Rowan]

We talked over the "www." question, and will be leaving it like it is. It's really just a personal preference, which is why we include both options in the dropdown instead of just including one or the other.

Cheers,
Rowan.

[markb1439]

Makes sense.