Back to Tutorials
WordPress Install Workflow with WP-CLI
Automated WordPress setup: config, security, plugins, cleanup, and .htaccess hardening using WP-CLI.
A repeatable WordPress installation workflow using WP-CLI. Covers configuration, security hardening, plugin installation, cleanup, and .htaccess optimization.
Install WP-CLI
bash
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
WordPress Configuration
Add these constants to wp-config.php:
php
// Autosave every 5 minutes instead of 60 seconds
define('AUTOSAVE_INTERVAL', 300);
// Disable post revisions
define('WP_POST_REVISIONS', false);
// Enable automatic background updates
define('WP_AUTO_UPDATE_CORE', true);
// Increase memory limit
define('WP_MEMORY_LIMIT', '256M');
// Debug logging (disable display)
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', 0);
// Force SSL on admin
define('FORCE_SSL_LOGIN', true);
// Disable file editing from admin panel
define('DISALLOW_FILE_EDIT', true);
Clean Default Installation
bash
# Remove default content
php wp-cli.phar post delete 1 --force
php wp-cli.phar post delete 2 --force
# Remove default plugins and themes
php wp-cli.phar plugin delete hello
php wp-cli.phar plugin delete akismet
php wp-cli.phar theme delete twentytwelve
php wp-cli.phar theme delete twentythirteen
php wp-cli.phar theme delete twentyfourteen
# Remove default sidebar widgets
php wp-cli.phar widget delete $(wp widget list sidebar-1 --format=ids)
Update Settings
bash
php wp-cli.phar option update blog_public 0
php wp-cli.phar option update timezone_string Africa/Casablanca
php wp-cli.phar option update date_format 'j F Y'
php wp-cli.phar option update time_format 'G\hi\m\i\n'
Install Essential Plugins
bash
php wp-cli.phar plugin install advanced-custom-fields --activate
php wp-cli.phar plugin install code-snippets --activate
php wp-cli.phar plugin install contact-form-7 --activate
php wp-cli.phar plugin install cookie-law-info --activate
php wp-cli.phar plugin install custom-fonts --activate
php wp-cli.phar plugin install custom-post-type-ui --activate
php wp-cli.phar plugin install disable-comments --activate
php wp-cli.phar plugin install duplicate-post --activate
php wp-cli.phar plugin install limit-login-attempts-reloaded --activate
php wp-cli.phar plugin install seo-by-rank-math --activate
php wp-cli.phar plugin install sucuri-scanner --activate
php wp-cli.phar plugin install svg-support --activate
php wp-cli.phar plugin install white-label-cms --activate
php wp-cli.phar plugin install wps-hide-login
Update Permalinks
bash
php wp-cli.phar rewrite structure "/%postname%/" --hard
php wp-cli.phar rewrite flush --hard
Harden .htaccess
apache
# Disable directory browsing
Options -Indexes
# Increase upload limits
php_value upload_max_filesize 64M
php_value post_max_size 64M
php_value max_execution_time 300
php_value max_input_time 300
# Protect sensitive files
<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Protect wp-includes
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# Block direct PHP access in wp-content
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
# Prevent script injection
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
# Block username enumeration
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
</IfModule>
# Block XML-RPC
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Cleanup
bash
rm index.html license.txt readme.html