Install promptly to protect from the WordPress setup hack

Wordpress Setup Hack can be avoided with care

Hackers are always finding new ways to attack that we need to protect against. I call this new attack the ‘WordPress setup Hack’ and it exploits the time it takes to install WordPress.

This new attack uses the easy setup wizard against us by connecting your WordPress setup to the hacker controlled database. It then becomes their WordPress site and they can use it to attack any other sites on your hosting account.

Here is how the attack works and four easy ways to stop them using it on your new WordPress website.

How does the WordPress Setup Hack Work?

The way that the hackers do this is they scan for the standard URL:


and if it returns a SetupWizard then they know they are in the window between uploading your WordPress files and finishing the initial setup.

Here is what you see when WordPress is already configured if you type this URL:

The WordPress setup hack will not work here - This WordPress site is already set up

In this case you are safe from this attack.

But if you have not yet started the setup then you see this familiar screen and you are vulnerable to the WordPress setup hack. (Note in this case there is a custom subdomain in the red box so I would not be found as easily).

The WordPress setup hack would work here if the page is found - WordPress Setup Screen (note the custom subdirectory)

How do I protect myself from this attack?

Here are four suggestions on how you can protect yourself from this WordPress setup hack. The attack relies on the attacker being able to scan and find the setup-config.php file. If they can’t find it then the attack will fail.

The first two do not require you to do anything special, the third uses your host CPanel to protect you, and the last one requires some changes to your site that may be complicated for beginners. My recommendation is number two or three which provide a balance of protection and ease of use.

1. Don’t delay in setting up your site

This attack uses the time between uploading your files and running the setup. The smaller you keep this gap the less likely you are to be attacked but remember the hackers will be using a computer program so then only need a fraction of a second if you are unlucky enough to be found.

So do not delay when uploading your WordPress files to your server and do not upload the files until you are ready to commence.

Set up your database before you upload your WordPress files to help minimise this delay.

This method is not really protection but it ensures you minimise the period you are exposed.

2. Install WordPress in a non-standard directory

I always suggest installing WordPress in a subdirectory of your root domain that is non-standard and unique. You can still easily configure WordPress so that this subdirectory is not in your URL (ie your URL does not need to be yourdomain/subdirectory)

This does not guarantee safety but it would prevent a new site being scanned for this attack. In the screenshot above you can see in the red box that I have even done this on my local computer by installing in the subdirectory /wppgsas/

This means that any scan for the standard URL will return a 404 error and the hacker will move on to the next victim.

(For a tutorial that includes this please see my tutorial on setting up a new WordPress blog properly)

3. Use temporary directory protection on your site

Most hosts will allow you to put a password on your site – this will prevent a scanner from finding the setup-config.php file. Once you are done you can remove this protection from your CPanel.

The WordPress Setup Hack will be stopped by adding temporary a directory password

Once you have set up your site you can remove this protection using the same CPanel controls.

4. Change your .htaccess file so only you can access your site

If you are more technically inclined you can edit the .htaccess file so that only the IP address of your computer can access the site. Add this code to your .htaccess file and add the IP address for your computer.

order deny,allow
deny from all
allow from <your-computer-ip-address>

When you are done you can remove these lines and allow access to the world again. See the article from

If you have an existing site then I would change this to a redirect to a static maintenance or coming-soon page so that returning visitors know that something is happening.

A clean site is a safer site

The people most at risk from this attack are those who have uploaded files and then not completed the setup. Check your hosting account now and make sure you do not have any WordPress installations uploaded that are not configured and delete them if they are not needed.

For further reading and some more detailed analysis of the attack the team at WordFence have a great article on how this attack is trending.

Stay Safe!

Brian (your People’s Geek)