Andreas Hecht November 30th, 2016

WordPress Security: This wp-config.php Protects Your Website

Most people think that their WordPress website was safe just because it doesn't have any content worth hacking. Unfortunately, that is not true. Websites are often hacked to distribute spam emails, for example. Or the core and theme files are filled with malicious code to infect and hack your website visitor's computers. It's possible that you only notice the damage when Google has already removed you from the index. Don't let this happen, and consider my tips for the perfect wp-config.php. There are many ways to protect your WordPress-based website from getting hacked. The optimization of the wp-config.php can be considered to be an important part of a proper security strategy. Of course, the site won't turn into the Bank of England, but you've made it a little harder for the hackers. To optimize the wp-config.php, so-called constants are used. WordPress has a lot of constants that can be employed. But what is a constant? describes constants the following way:
A constant is an identifier (name) for a simple value. As the name suggests, that value cannot change during the execution of the script (except for magic constants, which aren't actually constants). A constant is case-sensitive by default. By convention, constant identifiers are always uppercase.
Constants are embedded in the define() function, and look like this: define('NAME_OF_THE_CONSTANT', value); The wp-config.php is the control file for WordPress. It is loaded before all other files because WordPress needs to set up a database connection. The required information is located in the config-file. When changing the value of a constant, or adding a constant, you also change the behavior of WordPress.

Before the Work: Please Create a Backup

Before, editing the wp-config.php, create a backup of this file. Your website won't work with wrong or missing entries.

Important: Always Update WordPress and Plugins Immediately

You've probably heard this a couple of times already. But this aspect is so important that I can't repeat it often enough. Tons of websites got hacked because WordPress or the plugins weren't up to date. Updates are the best insurance against hacking! The Current Security Situation: The security specialists Sucuri are currently warning against a security gap in the popular Jetpack plugin for WordPress. Malicious code can be implemented via the shortcode-embed-function. Automattic will indeed react soon and release a new version. How to Close the Security Gap for Now: If you happen to be using my "optimal .htaccess" file, you are not in danger. There, the great 6G firewall, which can fend off this type of attacks.

The Preparation:

For all the following work, you'll need an FTP program, as well as an HTML editor. The wp-config.php is downloaded to the desktop, edited within the HTML editor, and uploaded back to the server afterward.

1 - Use the Security Keys

Security keys in WordPress are critical, as the encrypt things like the login information in cookies, for example. Even when your wp-config.php already has security keys, changing them can't hurt. When the keys are changed, all still outstanding logins of your users are signed out. Subsequently, you'll be able to log in regularly, using your username and password. However, if you've been hacked already, you should first remove the malicious code from your website. A guide on that can be found in the additional information on this aspect. Afterward, visit the WordPress Generator for security keys, and copy a new set. Replace the old part with the new ones - view screenshot: [caption id="attachment_76372" align="alignnone" width="660"]The Security Keys in the wp-config.php. The Security Keys in the wp-config.php.[/caption] If you haven't implemented security keys yet, this is the right time to do so.

Additional Information:

2 - Force the Use of HTTPS

An SSL certificate encrypts the connection between your website and the visitor's browsers. HTTPS makes it impossible for hackers to trap and steal personal data. If you already have an SSL certificate for your website, you can force the use of HTTPS instead of HTTP. This increases your site's security significantly. If you don't have an SSL certificate yet, you should strongly consider using one. You don't have to be afraid of major costs, as SSL is also available for free. The following entries should be used when your website already uses SSL. The uppermost entry is meant for the secured login, while the lowest one forces the browser to make the admin area of WordPress usable with SSL only.

3 - Change the Database Prefix

The database prefix is also known under the label "table prefix." This prefix is used as an extension of every database table generated by WordPress. Here, the standard is wp_. This standard should be changed to something else. The more cryptic, the better. Don't worry; you don't need to remember what you enter here. This value is only placed once. Thinking about it, the possibility of an SQL injection is not very likely. But it is possible. Thus, alter the value before installing WordPress. Use something like hdr7rf_, for example. Attention: If you change the value of an already existing WordPress installation, the website is not accessible anymore! If you want to change the table prefix of an existing WordPress website, the plugin Acunetix WP Security could help you. It lets you change the value easily, and all you have to do afterward is log back in. Nonetheless, you should still create a backup in beforehand.

4 - Turn Off the Plugin and Theme Editor

In every WordPress installation, it is possible to edit theme and plugin files directly within the admin area. Under the menu items "Design" and "Plugin," you'll find the respective editor for each file. This editor is very dangerous if it happens to get into the hands of a hacker. Data can be destroyed, and viruses, trojans, spam, and other malware can be added. But the editor is also important for a website's admin. A single mistake, a single missing semicolon is all it takes for the infamous white pages to show up, and nothing will work anymore. Changes to theme or plugin files are generally made via (S)FTP, as it is much safer. Thus, the editors need to be deactivated. A single line in the wp-config.php is enough to safely turn off both editors:

5 - Move the wp-config.php

The wp-config.php is the heart of your website. All relevant data, including the database passwords, are entered there. That's why it is imperative to keep this file as safe as possible. There are two approaches for this. The first one is an access block via .htaccess-file. The second approach moves the file to a different spot, where a hacker would not expect it to be.
  • Moving it may be problematic if the website is in a sub-index, and you are using a cheap shared hosting.
  • It can also become tough if you have a lot of websites in custom directories. If neither of the constellations applies to you, you can move the file. If you have adjusted the path to the wp-config.php correctly, your website should work afterward.

6 - Force the Use of FTPS

If your web host has activated the File Transfer Protocol Secure (FTPS), you can force the use of FTPS for the transfer of files. This will encrypt the connection between the visitor and your server. Now, it is impossible to access the data on the server with the unsafe FTP protocol. FTP is unsafe, as the access information is transferred to your server unencrypted. Thus, if possible, only use the safe connection via FTPS. Your web host can tell you if an FTPS connection is possible. Forcing the use of FTPS is this simple:

7 - Force the Use of SFTP

Instead of the FTPS protocol, some hosters have activated the SFTP protocol for data transfer. Here, the connection between the user's FTP program and the server is encrypted as well. The following line of code lets you force the use of SFTP:

8 - Deactivating the Debug Mode

If you have activated the WordPress debug mode for development purposes, it is vital to turn it back off. In some circumstances, an activated debug mode may pass on sensitive data that could help hackers do their thing. That's why an activated debug mode is extremely dangerous on a live system. I have made this small, dumb mistake already; humans quickly forget things. That's why you should take a quick look, just to check. This is how to deactivate the debug mode:

9 - Turn off the Display of PHP Errors

If for some reason, you need the debug mode to be activated, I recommend turning off the public display of error messages. The relevant error messages can also be written into a log that is not accessible to the public. This is the much safer, and more elegant option. This constant is required to leave the WordPress error mode on, and to suppress the public error display:

10 - Turn On Automatic Updates

As I have already mentioned earlier, immediately updating the WordPress core, and all plugins is crucial for the security of the system. With every release of a new WordPress version, the security gaps of its predecessors are made public. This gives a hacker a solid foundation to be able to hack your website. Thus, these weaknesses should be removed as fast as possible. Since WordPress version 3.7, smaller security updates are conducted automatically. However, this is not the case for primary versions of core upgrades. Main versions still need to be updated manually. However, activating automatic updates for all WP versions is very easy: By the way, it is also possible to make plugins update automatically. However, that's connected to a bit of work. It requires the creation of a plugin: This plugin has to be moved into the folder /wp-content/mu-plugins/. If the folder doesn't exist, just create it. The folder /mu-plugins/ contains the "must use" plugins. Its content is loaded by all other plugins. Automatic theme updates can be done the same way. For that, the plugin needs to be extended by the following line: Please inform yourself about these automatic plugins in advance, and only use the code if you know exactly what it does. Of course, the two filters are only able to keep plugins and themes up to date that originate from the official WordPress index. Themes and plugins from a different source won't be updated. Additional Information: WordPress Codex: Must Use Plugins


All of these aspects together will already increase the safety of your WordPress by a lot and should be part of a good security strategy. The fact that WordPress is the world's most popular Content Management System attracts many hackers. The situation could be compared to the computer OS Windows. On Windows, you install an anti-virus software, and WordPress takes a bit of manual work. But the safety gain definitely makes up for the small work effort. (dpe) Featured image by Baolin Liu on Unsplash

Andreas Hecht

Andreas Hecht is a journalist and specialist for WordPress and WordPress Security. He roams the web since its inception. He has published an ebook on WordPress Security, which you might want to take a look at.


  1. In addition to all the useful instructions that I have already implemented, I also use an external service that notify me of any changes to the wordpress files ( ).

    In some cases it has been useful to remedy the security flaws that allowed some cracker to upload a shell script on my website.

  2. All ok expect for automatic updates. I think those should be done manually, as you might get a situation when the theme is not compatible with the plugin(s).

  3. It’s a wonderful share Andreas. Being a wp developer myself, I find security as one of the main issues on WordPress. The one thing that most website owners forget is to update the plugins which I believe creates the loop hole to inject the code. These tips are really important and should be implemented by every developers.

  4. Thanks for the tips!
    However, I’m not clear on where to put the code to move the wp-config.php file. Can you please explain some more about this?

  5. Probably the best tell-all about wp-config.php file. I am glad that I already use all the suggestions given in the article.

  6. There is another really easy fix for a lot of issues. WordPress uses wp-login.php to handle all log in requests, therefore blocking all traffic except your IP in the .httaccess file to wp-login.php is a really effective way of managing the majority of brute force attacks…

  7. Hi,
    I have a website already running in WordPress, do i can Use the Security Keys now? Does it hurt my running site or not?

Leave a Reply

Your email address will not be published. Required fields are marked *