WordPress Security: This wp-config.php Protects Your Website
Most people think that their WordPress website was safe just because it doesn't have any content worth hacking. Unfortunately, that is not true. Websites are often hacked to distribute spam emails, for example. Or the core and theme files are filled with malicious code to infect and hack your website visitor's computers. It's possible that you only notice the damage when Google has already removed you from the index. Don't let this happen, and consider my tips for the perfect wp-config.php.
There are many ways to protect your WordPress-based website from getting hacked. The optimization of the wp-config.php can be considered to be an important part of a proper security strategy. Of course, the site won't turn into the Bank of England, but you've made it a little harder for the hackers.
To optimize the wp-config.php, so-called constants are used. WordPress has a lot of constants that can be employed. But what is a constant? PHP.net describes constants the following way:
A constant is an identifier (name) for a simple value. As the name suggests, that value cannot change during the execution of the script (except for magic constants, which aren't actually constants). A constant is case-sensitive by default. By convention, constant identifiers are always uppercase.Constants are embedded in the define() function, and look like this:
define('NAME_OF_THE_CONSTANT', value);
The wp-config.php is the control file for WordPress. It is loaded before all other files because WordPress needs to set up a database connection. The required information is located in the config-file. When changing the value of a constant, or adding a constant, you also change the behavior of WordPress.
Before the Work: Please Create a Backup
Before, editing the wp-config.php, create a backup of this file. Your website won't work with wrong or missing entries.Important: Always Update WordPress and Plugins Immediately
You've probably heard this a couple of times already. But this aspect is so important that I can't repeat it often enough. Tons of websites got hacked because WordPress or the plugins weren't up to date. Updates are the best insurance against hacking! The Current Security Situation: The security specialists Sucuri are currently warning against a security gap in the popular Jetpack plugin for WordPress. Malicious code can be implemented via the shortcode-embed-function. Automattic will indeed react soon and release a new version. How to Close the Security Gap for Now: If you happen to be using my "optimal .htaccess" file, you are not in danger. There, the great 6G firewall, which can fend off this type of attacks.The Preparation:
For all the following work, you'll need an FTP program, as well as an HTML editor. The wp-config.php is downloaded to the desktop, edited within the HTML editor, and uploaded back to the server afterward.1 - Use the Security Keys
Security keys in WordPress are critical, as the encrypt things like the login information in cookies, for example. Even when your wp-config.php already has security keys, changing them can't hurt. When the keys are changed, all still outstanding logins of your users are signed out. Subsequently, you'll be able to log in regularly, using your username and password. However, if you've been hacked already, you should first remove the malicious code from your website. A guide on that can be found in the additional information on this aspect. Afterward, visit the WordPress Generator for security keys, and copy a new set. Replace the old part with the new ones - view screenshot: [caption id="attachment_76372" align="alignnone" width="660"] The Security Keys in the wp-config.php.[/caption] If you haven't implemented security keys yet, this is the right time to do so.Additional Information:
2 - Force the Use of HTTPS
An SSL certificate encrypts the connection between your website and the visitor's browsers. HTTPS makes it impossible for hackers to trap and steal personal data. If you already have an SSL certificate for your website, you can force the use of HTTPS instead of HTTP. This increases your site's security significantly. If you don't have an SSL certificate yet, you should strongly consider using one. You don't have to be afraid of major costs, as SSL is also available for free. The following entries should be used when your website already uses SSL. The uppermost entry is meant for the secured login, while the lowest one forces the browser to make the admin area of WordPress usable with SSL only. https://gist.github.com/anonymous/712f774fc40c460a7aedc45a6dead3383 - Change the Database Prefix
The database prefix is also known under the label "table prefix." This prefix is used as an extension of every database table generated by WordPress. Here, the standard is wp_. This standard should be changed to something else. The more cryptic, the better. Don't worry; you don't need to remember what you enter here. This value is only placed once. Thinking about it, the possibility of an SQL injection is not very likely. But it is possible. Thus, alter the value before installing WordPress. Use something like hdr7rf_, for example. Attention: If you change the value of an already existing WordPress installation, the website is not accessible anymore! If you want to change the table prefix of an existing WordPress website, the plugin Acunetix WP Security could help you. It lets you change the value easily, and all you have to do afterward is log back in. Nonetheless, you should still create a backup in beforehand.4 - Turn Off the Plugin and Theme Editor
In every WordPress installation, it is possible to edit theme and plugin files directly within the admin area. Under the menu items "Design" and "Plugin," you'll find the respective editor for each file. This editor is very dangerous if it happens to get into the hands of a hacker. Data can be destroyed, and viruses, trojans, spam, and other malware can be added. But the editor is also important for a website's admin. A single mistake, a single missing semicolon is all it takes for the infamous white pages to show up, and nothing will work anymore. Changes to theme or plugin files are generally made via (S)FTP, as it is much safer. Thus, the editors need to be deactivated. A single line in the wp-config.php is enough to safely turn off both editors: https://gist.github.com/anonymous/0ba02504a6a6c771058b34053ec100665 - Move the wp-config.php
The wp-config.php is the heart of your website. All relevant data, including the database passwords, are entered there. That's why it is imperative to keep this file as safe as possible. There are two approaches for this. The first one is an access block via .htaccess-file. The second approach moves the file to a different spot, where a hacker would not expect it to be.- Moving it may be problematic if the website is in a sub-index, and you are using a cheap shared hosting.
- It can also become tough if you have a lot of websites in custom directories. If neither of the constellations applies to you, you can move the file.
Woah, what happened to this site? It looks like a PBS kids show website now. Yikes.
The world is grey enough ;-)
In addition to all the useful instructions that I have already implemented, I also use an external service that notify me of any changes to the wordpress files ( https://monitorwebsitefilechanges.cloud ).
In some cases it has been useful to remedy the security flaws that allowed some cracker to upload a shell script on my website.
All ok expect for automatic updates. I think those should be done manually, as you might get a situation when the theme is not compatible with the plugin(s).
thank you for share, it very useful
FORCE_SSL_LOGIN is deprecetad since more than 2 years. https://codex.wordpress.org/Version_4.0#Deprecated_2
It’s a wonderful share Andreas. Being a wp developer myself, I find security as one of the main issues on WordPress. The one thing that most website owners forget is to update the plugins which I believe creates the loop hole to inject the code. These tips are really important and should be implemented by every developers.
Thanks for the tips!
However, I’m not clear on where to put the code to move the wp-config.php file. Can you please explain some more about this?
Nice! I appreciate this little workaround
Probably the best tell-all about wp-config.php file. I am glad that I already use all the suggestions given in the article.
There is another really easy fix for a lot of issues. WordPress uses wp-login.php to handle all log in requests, therefore blocking all traffic except your IP in the .httaccess file to wp-login.php is a really effective way of managing the majority of brute force attacks…
Great article, lengthy but worth the time spent reading.
Hi,
I have a website already running in WordPress, do i can Use the Security Keys now? Does it hurt my running site or not?