One simple change you can do to harden your install before you get going is to alter the wp_ prefix to your own choice on all the tables in your wp database, it can prevent some creative sql injection attempts that aim for the default.

Replace User "Admin" by creating a new User with full admin rights, with your own choice of login name and a separate "nickname" seen publicly. Remove User "Admins" privileges, then delete user Admin, Admin is just a username, not needed. Use a generated password, not something easy to remember.

When/if you do change the table prefixes, be sure to edit the wp-config.php to have the correct information there.

You can find much more at the WP Codex, do a search at wordpress.org for "Harden Wordpress".

she wants to move to wordpress because this is what she is use to

To me that is a red flag. If the only reason is "this is what she is use to" makes me question her marketing skills.

This happened to a client of mine two years ago and not only did her site end up being messed up, her SERP rankings fell. She ended up paying me to rebuild the original site and everything has been fine ever since. IMHO, if it ain't broke. don't fix it!

Marshall

We hired a new marketing manager and she wants to move to wordpress because this is what she is use to.

Marketing has authority over IT in the org chart? I'm not saying it's wrong (in many cases it makes sense)- I'm just asking if she is overstepping her authority.

Even if she isn't, migrating a site that (presumably) has been working well for 15+ years to a new platform that only the new hire knows (and presumably, as a marketing person, she lacks the technical skills to support it) is asking for trouble.

I agree with Marshall, especially if someone other than yourself is going to be managing the posts and pages. Things can easily be done wrong and have unwanted effects. Also because there is a world of exploiters seeking vulnerabilities in such a widely used CMS that you should try stay on top of the "What" and "How" of the admin/management tasks yourself.

My suggestions are for if the change is in place. If you go with WP, Yoast's SEO plugin lets you easily control duplicate problems by not adding all possible URLs to the sitemaps and no-indexing supplemental directories like /category/ or /tags/.

It is a wise move to have only one user with full admin privileges: yourself. Employees have been known to lock employers out of their own sites.

Marshall trust me I had a very hard and long discussion with our CEO on this and he said it was his decision and took into account all my concerns.
I am and will continue to work on the other sites as well as the wordpress so really to me OK I can learn another platform.

notsoeasy there will be 3 admins. Me marketing and a junior working under me.

Ok I have changed the prefix name from wp_ to a unique one for us and changed the config file as well.

You do not have sufficient permissions to access this page.

I get this when I log in in what did I miss?
Thanks

Lifeinasia she is building a new website to combine about 5 websites together under one roof so to speak.

We will continue to keep the ones generating traffic revenue and leads but some not all the content will be moved over to the new domain.

I will admit we are kind of scattered across the board and hopefully she will have the marketing strategy to bring it all together.

This is my 4-5 marketing manager I have been through and 3 years without one. I am ready for some help. This is the only one they have hired that has website development and knows more than the last 5 we had about the net.

I found the fix to the error user permissions needed to be changed as well.

Lifeinasia she is building a new website to combine about 5 websites together under one roof so to speak.

OK, in that sense, it's not so bad. I though she wanted to take an existing site and convert to WP.

Thanks for your help guys here is what I have done. Please let me know if I have missed anything or you have anything you might do. I am on a windows server.
1-changed Database prefix Table Names
2-changed the user names prefix to reflect the table name changes
3-there is no Admin log in for the site
4-made sure Folder and File Permissions were all set correctly
5-moved wp-config.php up a directory
6-added define('DISALLOW_FILE_EDIT',true); in my config file
7-added add_filter('login_errors', create_function('$a', "return null;"));
remove_action('wp_head', 'wp_generator'); in the theme's function.php file
8- deleted any theme not being used
9- added to my htaccess file
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

also added
#PROTECT HTACCESS
<Files HTACCESS>
Order Deny,Allow
Deny from All
</Files>

Anything else?

RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Is there any content in /wp-admin/ or /wp-includes/ that you do not want to block from http access? Or for that matter, in wp-anything? Seems like a simple

RewriteRule ^wp- - [F]

would do it.

Incidentally, the [F] flag implies [L]. The [L] doesn't do any harm, but isn't needed.

<Files HTACCESS>

If your code is copy-and-pasted from some other source, remove that source immediately from your list of useful references. The envelope should say

<FilesMatch ^\.ht>

... but unless you have the world's worst host, this rule is already present in the config file. I think it's part of Apache's boilerplate. The rule in its present form is worse than useless, because it creates the illusion that you've got a working rule when in fact you've got nothing.

I am on a windows server lucy24 so there isn't a borderpalte file I use a htpd.ini file so learning this as well.
Thanks,

If you're using RewriteRules, your server is Apache. Platform doesn't matter.

lucy24 I found out through testing it is not the same. The htaccess file is useless it is through IIS. There is a file like INI for aspx used for wp on a windows server

I also found out our Marketing Manager is another Hillary Clinton and it is going to be a rough road. If your a Hillary fan I am sorry I use the example as one that thinks they are a dictator. The biggest problem is she really doesn't have a clue.

I will post the final on the review.

The htaccess file is useless it is through IIS.

They make WordPress for IIS? Oops, didn't know that. But then your RewriteRules will have a different name.

lucy24 not they make it for IIS when it is installed you have to run it through IIS.
here a install link.
[codex.wordpress.org...]

I have know other people that tried to install it on a windows server and had all kinds of problems with the install and most moved to a Apache. I think most of them were getting the host to do it for them, I am on an unmanaged dedicated so I had to do it myself. I am pleasantly surprised it runs very well with really no problems. my biggest challenge right now is trying to figure out adding rules for some applications I need to use. WP on a windows uses a web-config file just like an aspx website.

Once upon a timer I installed Apache on a Windows server and gave FTP access to the clients. Soon after we had file permission problems that could not be fixed. Giving up on that idea we moved the Apache sites to an Apache server but had a lot of trouble downloading the sites due the file/permissions problems.

kendo You don't need Apache installed I found out it runs just fine on a windows through IIS installed correctly
.
I need to rant if I don't gonna go crazy.

I told our New Marketing manager since the site is new I have it blocked from indexing etc. and we have a lot of pages we take leads on another secure website in a iframe lets just do this right. Put the site under it's on SSL.Get rid of the iframes and we can put out leads on the site in html. This would give me the ability to do a few more things with them.

Did my research on a WP site under IIS and pretty confident I could get it. So today I did it. I wasn't a big hurry because I wanted to make sure it was done right the 1st time.

After the new IP resolved we changed the WP domain to https. I 1st tested all my redirects worked correctly to https by using another certificate from our company website. I got the warning but I knew I would. I just wanted to make sure the https redirects worked. So then I generated a new certificate request got the certificate installed and changed it to the domain. All worked. I think I got completed about 4-430.

4:45 get an email "how to fix" and a screen shot of a warning domain doesn't match. Could be a hacker or some bad language.

Come to find out the DA sent out an email campaign today to a website that is 60% completed and I was in the process of moving from http to https

Lord help me we got one DA. BTW she came in while I was doing my work,

Got another rant. I really don't care if any respond this gives me a place to unload.

Marketing manager without my knowledge added a plugin. It wasn't secure so when I moved the site to https it threw an error. Come to find out she purchased this who knows when, When I tried to look for a fix I found out the plugin hasn't been updated in 3 years and the maker's website is offline.

I have requested a meeting with mgt. she will abide by my rules on adding anything to the server. I am laying down the rules I don't care if she likes it or not. Put anything on my server without 1st contacting me is an automatic delete.

I have researched all the plugins on the site and all are fine. There will not be another one until I investigate it and she tells me why it is needed.

I have an update if anyone is interested. I pretty much quit because in this stage of my life I am not going to put up with the aggravation. I met with our personal manager and laid out what was going on and was asked to take a couple days off and come back. I was pretty ready to leave then.

A meeting was called while I took some time off and when I came back we all met over what had been happening. (I have only added a small part of what was going on). The company CEO went through all our exchanged emails and he could see I had tried to work with her. All my emails were professional she had send some that were not..

I will not work with anybody were it is my way or the highway. I have no problem taking the highway.

Looks like it will work out. We have established a team, set boundaries of allowed changes, and our main goal is working together to accomplish a common goal. There will not be anymore surprises.

She apologized to me and for me that is that.

This is all I can ask and it has been established.

Glad you got it all worked out, bwnbwn.....
Keep on keeping on...... :)