How to Secure Your WordPress Site with WP-Config.php?
Every WordPress site contains a file called ‘wp-config.php’. This particular WordPress configuration file is one of the most significant WordPress files. The file contains many configuration parameters which can be modified for better site security. In this post, we’ll show you how to secure your WordPress site using the WordPress configuration file.
How to Secure Your WordPress Site Using the wp-config File?
1. Change Database Prefix
Have you ever seen your WordPress database tables? (You can access it through your web host account) By default, the database has eleven tables. Each table has a specific function. For instance, wp_posts stores information from posts, pages, and the navigation menu. Since the functions of each table are pre-determined, hacker knows where your site details are stored. For instance, if they want to exploit your site users, they can aim for the table ‘wp_users’.
WordPress uses the ‘wp_’ prefix for all the tables by default. Changing this to a unique prefix can be helpful in hiding table names and it’ll help secure your WordPress site. To do this, open your ‘wp-config’ file.
Step 1: To access the wp-config.php, open your web host account and go cPanel. Select File Manager, and it’ll take you a page that looks somewhat like this:
Step 2: On the left-hand side, there’s a public_html folder. In this folder, you’ll find the wp-config file.
In the ‘wp-config’ file place the following lines:
[code]$table_prefix = ‘wp_’;[/code] You need to change it to something random like: [code]$table_prefix = ‘agora_’;[/code]
This will change the name of the tables in the database from ‘wp_users’ to ‘wp_agora’, ‘wp_posts’ to ‘wp_agora’ etc.
2. Disable Editing Theme/Plugins Files
In the WordPress dashboard, there is an option to edit the plugin/theme file. This means that with access to the dashboard and sufficient permission anyone can edit your themes or plugins.
Although a handy tool if you want to reconfigure any plugin, it becomes dangerous in the hand of a hacker. For instance, suppose a hacker manages to break into your site with the help of an exploit. It’s easy for them to add a malware to an existing plugin or theme. They could be hiding backdoor which they’ll later exploit to gain access into your site whenever they want. You can prevent this from happening and secure your WordPress site by disabling the option to edit these files. Simply place the following code in your WordPress config file:
3. Prevent Users From Installing or Updating Plugin & Themes
Disabling users from editing these files only offers one level of security. It does not prevent the hackers from installing a malicious plugin which they can use to exploit your site. Once they have access to the admin panel along with the right user permission, they can install a rogue theme or plugin. If you don’t install plugins often, then you can disable the option by adding the following code in the WordPress config file:
4. Enforce the Use of ‘FTP’
Preventing users from installing and updating plugins and themes can be restrictive and even impractical for sites that install plugins quite often. Moreover, updating themes and plugins is very important for the security of a site. An alternative method to ensure that the plugins are being installed by a valid user is to force users to provide ‘FTP’ details. Even when your Admin Panel is compromised, hackers cannot install a rogue plugin unless they have your FTP credentials.
Just add the following lines to your ‘wp-config.php’:
If your web host or server supports ‘FTPS’ then add the following lines in the config file:
If your web host or server supports ‘SFTP’ then add the following lines:
5. Change Security Keys
You don’t have to enter your login credentials every time you need to log in to your site. Ever wondered how your browser stores these credentials? After signing into your account, your login information is stored in an encrypted manner in the browser cookie. Security keys are random variables that help improve this encryption. If your site is hacked, changing the secret keys will invalidate cookie and force every active user to log out automatically. Once thrown out, the hacker losses access to your WordPress admin.
You can generate a new set of security keys and place them in the ‘wp-config’ file. It’ll help secure your WordPress site.
6. Hide the ‘wp-config.php’
In any WordPress site, the wp-config file has a default location. Hence changing the file location can prevent it from falling into the hand of the hackers. Fortunately, WordPress allows the ‘wp-config’ folder to reside outside your WordPress installation. For instance, if your WordPress is installed in the public_html folder, then the config file will be present in the public_html folder by default. But you can move the wp-config outside the public_html folder and it’ll still work.
7. Secure the wp-config.php File
The configuration is vulnerable to attacks making it imperative to secure it. One way of doing it is by changing its location so that hackers can’t find it in its default location. Although some developers may oppose this, there are plenty who think it’s a good idea. Take a look at this discussion.
Another security measure that you can take is to restrict file permission. Set the file permissions to 600 so that only true owners can edit the wp-config file. To change the file permission of wp-config, select the file and then choose the option ‘Permission’.
And then you need to include the following lines in the .htaccess file to prevent hackers from loading the wp-config file directly from the browser.
# protect wpconfig.php <files wp-config.php> order allow,deny deny from all </files>
Over to You
With that, we have covered how to secure your WordPress site with the wp-config file but this is just one of the many ways to improve your site’s security. A few other security measures that you can take include using a security plugin, using an SSL certificate, using a unique and strong username and password, implementing HTTP authentication, and two-factor authentication among other things. But before implementing any of these methods, you must back up your site. If something goes wrong, you can simply restore a backup and get our site up and running in no time.
Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.