Migrating from Drupal 6 to WordPress: Part 1 – Installation & Security
After six years, I finally bit the bullet and decided to make the jump from Drupal to WordPress. The reasons are numerous and I’m planning another blog post to chisel through that particular rock and hard place.
In the meantime, I thought it might be useful to run through the steps to migrate from a relatively simple Drupal 6 installation to a sparkly new WordPress
3.6.1 3.7 (just released). As much as anything, this is an exercise in understanding the process and making notes.
The blog post turned into a bit of a beast so I’ve split it up into 3 parts:
- Part 1 – Installation & security (this one)
- Part 2 – Moving content from Drupal to WordPress
- Part 3 – Themes and some choice plugins (coming soon)
The technical part of this took around 2 hours, mucking around with the theme, creating a child theme and getting the hang of the WordPress interface probably took 4-5 hours. That’s, by some margin, quicker than the last Drupal install I created.
For this migration on a virtual host, it was a little more involved. WordPress was installed and set up on a subdomain new.toodlepip.co.uk, which after migration and testing, will switch back to toodlepip.co.uk.
Lots of hosts have one-step installs, mine doesn’t so here’s the steps:
- Download latest version of WordPress
- Create directory and unzip files (for Debian this lives at /var/local/sites/site.name.com)
- Set ownership and permissions for the directory
- Create the apache config in /etc/apache2/sites-available/site.name.com
- Enable apache config with en2site site.name.com
- Reload web server sudo /etc/init.d/apache2 reload – will reload without restarting
- Create database, database user and password
- Create a wp-config.php file with the database settings
- Run the WordPress installation script: http://site.name.com/wp-admin/install.php
I’ve skipped over a tonne of detail here as it varies so much between hosts, but hopefully that outlines gives a starting point. The detailed instructions at WordPress.org aren’t bad either.
- WordPress.org installation instructions
- Downloading the latest version of WordPress
- FAQs: Installation and Troubleshooting
There’s plenty of hacked WordPress installs out there. It’s worth at least taking 10 minutes to read some of the posts about making the setup more secure. No-one likes a hacked site, especially the owner!
- Hardening WordPress (WordPress.org)
- 10 steps to WordPress security (Copyblogger)
- 28 Ways to Secure WordPress Website (Hosting Facts)
Logins are one of the things that need security. It’s not a great idea to be sending username/passwords over insecure connections. Luckily there’s a setting to make WordPress use SSL for logins, which we’ll be using for all the admin tasks.
There’s a stricter option which makes all admin activity with the site use SSL. Probably a good idea to consider this option.
Let’s go for a more secure option. It’s dead simple, edit wp-config.php and add:
Just make sure it’s added above final include:
/* That's all, stop editing! Happy blogging. */ require_once(ABSPATH . 'wp-settings.php');
UPDATE: Found a way of using SSH without requiring any additional plugs, see: Using SSH for WordPress Automatic Updates.
Keeping WordPress secure should be top priority. The popularity of the platform is also its achilles heel. Once a security flaw has been publicised, the baddies out there will start scanning sites to exploit. Fortunately, WordPress core, plugins and themes are updated regularly.
Unfortunately, FTP is turned off on our servers – it’s too much of a security hole – SSH is used instead. This encrypts the data when it’s moved – so that plugin update you made in an Internet café with an open Wifi network should still be secure from snoopers.
Handily, there’s a WordPress plugin that makes it easy to use SSH, it’s (not-so-snappily) called SSH-SFTP-Updater-Support, but don’t let the name put you off.
Install the plugin as normal, probably manually or using a tool provided by your web shot i.e. download, move to wp-content/plugins folder, unzip and activate the plugin.
For every plugin or theme update, you’ll then have an extra option to use SSH for the install. A public and private key is required, but it’s dead easy to generate them on a Mac and only slightly more tricky in Windows.
Generate an SSH key (on a Mac):
ssh-keygen -t rsa -f wpkey
You can use a passphrase for extra security, this’ll be required on each update in addition to the key itself. Last step, is to let your server know about the key you’ll be using. Upload the file wpkey.pub and add it to the end of your list of authorised keys:
cat wpkey.pub >> ~/.ssh/authorized_keys
Next time you’re updating a plugin or theme, you’ll be asked to locate this file to complete the upgrade or installation. Voila!
UPDATE: The latest version of WordPress includes automatic background updates. The method above won’t work for the automatic updates, fortunately the folks at Blenderbox published a way of enabling automatic updates on WordPress using SSH.
- There’s A Plugin For That: 50+ Best WordPress Plugins Free & Premium
- 40+ essential WordPress plugins
- WordPress Codex: Importing from Drupal to WordPress
- How to convert Drupal to WordPress
- Drupal to WordPress migration
- 75+ Best Personal Blogging WordPress Themes
- Top 15 Best Social Sharing Plugins for WordPress