How to Secure Your WordPress Site with WP-Config.php?


7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

Every WordPress site contains a file called ‘wp-config.php’. This particular WordPress configuration file is one of the most significant WordPress files. The file contains many configuration parameters which can be modified for better site security. In this post, we’ll show you how to secure your WordPress site using the WordPress configuration file.

How to Secure Your WordPress Site Using the wp-config File?

1. Change Database Prefix

Have you ever seen your WordPress database tables? (You can access it through your web host account) By default, the database has eleven tables. Each table has a specific function. For instance, wp_posts stores information from posts, pages, and the navigation menu. Since the functions of each table are pre-determined, hacker knows where your site details are stored. For instance, if they want to exploit your site users, they can aim for the table ‘wp_users’.

WordPress uses the ‘wp_’ prefix for all the tables by default. Changing this to a unique prefix can be helpful in hiding table names and it’ll help secure your WordPress site. To do this, open your ‘wp-config’ file.

Step 1: To access the wp-config.php, open your web host account and go cPanel. Select File Manager, and it’ll take you a page that looks somewhat like this:

Secure Your WordPress Site
This is a typical file manager page

Step 2: On the left-hand side, there’s a public_html folder. In this folder, you’ll find the wp-config file.

Secure Your WordPress Site
The wp-config file can be found inside the ‘public_html’ folder

In the ‘wp-config’ file place the following lines:

[code]$table_prefix = ‘wp_’;[/code] 

You need to change it to something random like: 

[code]$table_prefix = ‘agora_’;[/code]

This will change the name of the tables in the database from ‘wp_users’ to ‘wp_agora’, ‘wp_posts’ to ‘wp_agora’ etc.

2. Disable Editing Theme/Plugins Files

In the WordPress dashboard, there is an option to edit the plugin/theme file. This means that with access to the dashboard and sufficient permission anyone can edit your themes or plugins.

Secure Your WordPress Site
You can edit themes and plugins from the WP dashboard

Although a handy tool if you want to reconfigure any plugin, it becomes dangerous in the hand of a hacker. For instance, suppose a hacker manages to break into your site with the help of an exploit. It’s easy for them to add a malware to an existing plugin or theme. They could be hiding backdoor which they’ll later exploit to gain access into your site whenever they want. You can prevent this from happening and secure your WordPress site by disabling the option to edit these files. Simply place the following code in your WordPress config file:


3. Prevent Users From Installing or Updating Plugin & Themes

Disabling users from editing these files only offers one level of security. It does not prevent the hackers from installing a malicious plugin which they can use to exploit your site. Once they have access to the admin panel along with the right user permission, they can install a rogue theme or plugin. If you don’t install plugins often, then you can disable the option by adding the following code in the WordPress config file:


4. Enforce the Use of ‘FTP’

Preventing users from installing and updating plugins and themes can be restrictive and even impractical for sites that install plugins quite often. Moreover, updating themes and plugins is very important for the security of a site. An alternative method to ensure that the plugins are being installed by a valid user is to force users to provide ‘FTP’ details. Even when your Admin Panel is compromised, hackers cannot install a rogue plugin unless they have your FTP credentials.

Just add the following lines to your ‘wp-config.php’:

[code]define(‘FS_METHOD’, ‘ftpext’);[/code] 

If your web host or server supports ‘FTPS’ then add the following lines in the config file:

[code]define(‘FTP_SSL’, true);[/code]

If your web host or server supports ‘SFTP’ then add the following lines:

[code]define(‘FS_METHOD’, ‘ssh2’);[/code]

5. Change Security Keys

You don’t have to enter your login credentials every time you need to log in to your site. Ever wondered how your browser stores these credentials? After signing into your account, your login information is stored in an encrypted manner in the browser cookie. Security keys are random variables that help improve this encryption. If your WordPress site is hacked, changing the secret keys will invalidate cookie and force every active user to log out automatically. Once thrown out, the hacker losses access to your WordPress admin.

You can generate a new set of security keys and place them in the ‘wp-config’ file. It’ll help secure your WordPress site.

6. Hide the ‘wp-config.php’

In any WordPress site, the wp-config file has a default location. Hence changing the file location can prevent it from falling into the hand of the hackers. Fortunately, WordPress allows the ‘wp-config’ folder to reside outside your WordPress installation. For instance, if your WordPress is installed in the public_html folder, then the config file will be present in the public_html folder by default. But you can move the wp-config outside the public_html folder and it’ll still work.

7. Secure the wp-config.php File

The configuration is vulnerable to attacks making it imperative to secure it. One way of doing it is by changing its location so that hackers can’t find it in its default location. Although some developers may oppose this, there are plenty who think it’s a good idea. Take a look at this discussion.

Another security measure that you can take is to restrict file permission. Set the file permissions to 600 so that only true owners can edit the wp-config file. To change the file permission of wp-config, select the file and then choose the option ‘Permission’.

secure your WordPress site
With this permission, only users can read and write in the wp-config file

And then you need to include the following lines in the .htaccess file to prevent hackers from loading the wp-config file directly from the browser.

# protect wpconfig.php 

<files wp-config.php> 

  order allow,deny 

  deny from all 


Over to You

With that, we have covered how to secure your WordPress site with the wp-config file but this is just one of the many ways to improve your site’s security. A few other security measures that you can take include using a security plugin, using an SSL certificate, using a unique and strong username and password, implementing HTTP authentication, and two-factor authentication among other things. But before implementing any of these methods, you must back up your site. If something goes wrong, you can simply restore a backup and get our site up and running in no time.


You may also like

Website logs
What are the Different Types of Website Logs?

Imagine driving a car without knowing your speed, engine temperature, or fuel levels. Sounds terrifying, right? Well, managing a website without understanding website logs is a bit like that. You…

What is Cross-Site Scripting (XSS) and How to Prevent It?

Websites can sometimes act strangely, showing unexpected pop-ups or exposing personal information. This isn’t just a glitch—it’s often due to a sneaky trick called Cross-Site Scripting (XSS). You might be…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.