The Case Against WordPress/CMS Auto-Installation

Where to find Fantastico Deluxe in HostGator

Our cPanel/WHM hosting control panels come standardly with Fantastico. As many of us know, Fantastico is a beloved piece of software because its auto-installation capabilities (similarly to SimpleScripts or Softaculous) make it such an easy way to get your site up and running with all of the major open-source content management system (CMS) options out there – Drupal, WordPress, Joomla!, etc..

However, there is a case against using any type of auto-installation application. I’m going to do this essentially as a literature review of blogs – by Regina Smola for WPSecurityLock, Alex Sysoef for WordPress Howto Spotter, and by Navjot Singh for NSpeaks – arguing against the use of auto-installers. Let’s look at that perspective to determine whether it might be worth it for you to manually install the CMS portion of your site.

Why manual rather than automated?

Essentially, there will be security concerns with any auto-installation tool that you use. The reason this is the case is because hackers know the default language of WordPress – a pattern that’s repeated during auto-installation. Utilizing the defaults makes it easier for ignoble miscreants to get inside your website.

As Regina points out, the cookie-cutter approach essential to how auto-installation works means that you lose control of the process as the tool does its job – yes, this means less work… but it also means that you have less of a handle on ensuring that your site is as secure as possible. It’s similar to going to your son’s piano recital when you could be watching the 30 surveillance monitors in your living room.

Beyond security, being in the driver’s seat makes a blogger or site owner better educated about the tools they are using. This education makes the blogger avoid headaches during updates and gives them better sensibility during emergencies. All these aspects give the CMS manager better strength at running the site.

Besides, manual installation is not nearly as difficult or time-consuming as you might think – after all, these CMSs are built with ease of use in mind. Regina writes, “Installing WordPress manually is a breeze. It only takes a few minutes longer than auto-installers and it’s well worth your time to do it right.”

Auto-Installers Make You a Back-Seat Driver

When installing WordPress automatically, Regina ran across several issues – all were instances of security vulnerabilities that she noticed during installation but was not able to adjust.

1.)    Your WordPress is SO a week ago.

An auto-installer needs updating just like the CMS does. Auto-installers may be encoded with the previous version of WordPress, especially if a new version has just recently been released. Install manually to control the version.

2.)    That which we call a rose.

The database was automatically named wrdp1. An additional database would then be called wrdp2, etc. Returning to what I said above about hackers knowing the language of the defaults, these database names are the first ones they choose when they’re trying to access your site for malware distro. Install manually to control naming.

3.)    Didn’t you wear that shirt yesterday?

The database username matched the database name. Diversify to ward off hackers. Services such as the one at can be helpful to ensure even you couldn’t guess your own usernames and passwords.

4.)    Size matters.

The database password generated was 12 characters of numbers and letters (uppercase and lowercase). Symbols are always a good idea. Per Regina, stretch your passwords to 14 characters as well.

5.)    Everyone is welcome at the table.

wp_ was used as the table prefix, and there was no possibility to adjust it. Like with the database name, this is another example of default WordPress name usage. Don’t name your daughter Jennifer. Name her Rainbownifer.

6.)    You are all the same.

Same thing with the creation of a file with the name fantversion.php. All the major auto-installation programs create this file. Someone needs to teach these robots a little creativity.

7.)    Spot me – I don’t know what I’m doing.

As is typical with auto-installation programs, Fantastico is unsupported by its creators. Bear in mind, though – there are forums that can help you. Additionally, you can seek assistance through your hosting company.

8.)    Crusher of all things Web.

Auto-installers can be a little buggy – and this can especially become problematic during upgrades, according to Regina: “[T]here have been times … that they stall or have conflicts and at times break websites.”

Since Alex seconds Regina’s thoughts on upgrading/updating (making it his point of focus), let’s turn to him next.

Updates Mean Well… But They Might Mess Up Your Website’s Face

Alex says that auto-installation can work fine in the absence of modification and plug-ins and when using a default WordPress theme – in other words, when you are not looking to make the design or functionality of your site unique or customized at all. In these cases he recommends auto-installation, provided the hosting company is diligent about maintaining its software updates, because it effectively speeds up and simplifies installation and upgrading.

However, Alex recommends manual installation for the following scenarios:

  • When a theme is customized and a number of different plug-ins are used.
  • When wishing to engage with the CMS and learn about how it works.
  • In the interest of general self-reliance and expertise.


Below are Alex’s problems he came across installing WordPress via Fantastico:

1.)    The updates want to eat your children.

Alex argues that no one should ever upgrade their website using an auto-installer. When initially installing the blog, there may be arguments against using an auto-installer, but you won’t immediately do damage to your current web presence. Alex describes the problem with updates as follows: “It might work for you once without any glitch, twice or however many times it might be but there will come a time when you click that Upgrade button only to learn [a] few minutes later that your blog is a total mess!”

When updates go wrong, the results are public – because as opposed to with the initial installation, during an update your site is already live. Alex suggests becoming as familiar as possible with the CMS platform you are using – taking advantage of hands-on opportunities such as manual installation

2.)    This changes everything!

Part of Alex’s difficulties , by his own assessment, arose from keeping his site entirely active during the updating/upgrading process. He cites a piece of the WordPress updating instructions that recommends a plug-in called Maintenance Mode during any major changes to the site, such as an update. WordPress also recommends backing up the entire site prior to the shift. Plug-ins should be deactivated, and they should be reactivated one at a time on the updated site.

Alex notes that WordPress’s recommendation of the maintenance plug-in is not possible to follow during auto-installation. He further recounts specific issues he has had with dysfunctional plug-ins following an upgrade.

Most disturbingly, the plug-in might make it impossible for you to get into your administrative control panel for deactivation of the bad apple. Manually, deactivating a problematic plug-in is simple: via your cPanel File Manager or FTP, access the /wp-content/plugins/ folder and give the plug-in a different name.

3.)    Actually… This doesn’t change everything.

Alex says that contrary to the WordPress instructions for updating, before you do so, you should look for updates of your theme and any plug-ins. These aspects of your site need to be updated as well. Since the focus of updating the WordPress software is specifically on at basic element, issues with themes and plug-ins do not get addressed. Here’s what you need to do:

  • Go to the company that created your theme, and see if there is a new and improved version to fit the WordPress upgrade – typically there is.
  • Access your plug-ins through the administration panel. Make a list and ensure that each one is completely updated. Make sure that your blog is functioning properly as you activate the plug-ins one at a time. Alex recommends a video to assist in this process.


Be a Good Boy Scout

Navjot suggests that emergency-preparedness is an important component of running a website. He mentions preparation for the bad times as one key component of avoiding auto-installation. Here are his pointers:

1.)    CMS updates don’t immediately impact auto-installers

This is stated above but it bears repeating: when a weakness is found in the security of software code, it must be remedied immediately. Unfortunately, there is always a lag time with an auto-installer. You are using a middleman, and that middleman is not necessarily fully compatible with the latest version of script you are installing.

2.)    Cookie-cutter settings

Navjot agrees with Regina on this: auto-installation is the express lane. Yes, you get to drive by all those annoying options to change settings. Those options, however, are not just annoying. Here is an example Navjot gives: a couple previous versions of WordPress were set by default to make blogs private. It was then necessary for the owner at each blog to change that setting to public to continue to show up in SERP entries. Aspects such as this are difficult to miss when manually installing.

3.)    Configuration & installation for emergencies

Navjot believes that manual installation makes a blog owner more familiar with “tweaks you can use to improve script performance or even troubleshoot yourself in case of a problem later.”

4.)    Further ideas on upgrading

Navjot points out that Fantastico is not built for upgrading. It doesn’t really know how to do it because the code was not written with that new version of WordPress, or whatever the CMS is, in mind.


As you can see, there are plenty of reasons not to use auto-installation when installing or updating your site. Security is a major factor. Glitches can also make your site looks sloppy until you get them fixed – you can avoid those as well when manually installing. Finally, you gain valuable knowledge when getting your hands a little dirtier by not using an automated tool.

In the end, it’s your decision: it does certainly speed up the process. You may find, however, that the extra time for manual installation is worth it.

by Kent Roberts and Richard Norwood