diff --git a/dev/container-create.sh b/dev/container-create.sh
index 89d00a9..8fc6795 100755
--- a/dev/container-create.sh
+++ b/dev/container-create.sh
@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -e
+
 _host="$_local_hostname.$_local_domain"
 _user_root='root'
 _ssh_cmd_root="ssh $_user_root@$_host"
@@ -23,8 +25,9 @@ $_ssh_cmd_root 'chown -R www-data: /var/www/html'
 printf "\nCreating database ..."
 # database is insecure (no root password, remote root login, etc) - but not
 # worried because it's in a trusted dev environment with no remote connections.
+# TODO ensure production database is secure TODO
 $_ssh_cmd_root 'echo "create database wordpress;" | mysql'
-_mysql_cmd='GRANT ALL PRIVILEGES ON wordpress.* TO \"wordpress\"@\"localhost\" IDENTIFIED BY \"wordpress\";'
+_mysql_cmd='GRANT ALL PRIVILEGES ON wordpress.* TO \"wordpress\"@\"localhost\" IDENTIFIED BY \"'"$_wp_db_passwd"'\";'
 $_ssh_cmd_root "echo \"$_mysql_cmd\" | mysql"
 $_ssh_cmd_root 'echo "FLUSH PRIVILEGES;" | mysql'
 
@@ -34,6 +37,8 @@ $_ssh_cmd_root "wget -nv -O /usr/local/bin/wp https://raw.githubusercontent.com/
 printf "\nInstalling WordPress ..."
 $_ssh_cmd_www "cd /var/www/html && wp core download --path=wordpress --skip-content"
 
+printf "\nConfiguring WordPress ..."
+$_ssh_cmd_root 'mkdir -p /var/www/.wp-cli/cache && chown -R www-data: /var/www/.wp-cli'
 $_ssh_cmd_www_cd "wp config create --dbname=wordpress --dbuser=wordpress --dbpass=$_wp_db_passwd"
 $_ssh_cmd_www 'sed -i "s/<?php$/<?php\n\ndefine( '\''WP_DEBUG'\'', true );\ndefine( '\''WP_DEBUG_LOG'\'', true );\n/" /var/www/html/wordpress/wp-config.php'
 $_ssh_cmd_www_cd "wp core install --url=$_wp_url --title=\"$_wp_title\" --admin_user=$_wp_admin_user --admin_password=\"$_wp_password\" --admin_email=$_wp_email --skip-email"