WordPress Security: This wp-config.php Protects Your Website
Most people think that their WordPress website was safe just because it doesn't have any content worth hacking. Unfortunately, that is not true. Websites are often hacked to distribute spam emails, for example. Or the core and theme files are filled with malicious code to infect and hack your website visitor's computers. It's possible that you only notice the damage when Google has already removed you from the index. Don't let this happen, and consider my tips for the perfect wp-config.php. There are many ways to protect your WordPress-based website from getting hacked. The optimization of the wp-config.php can be considered to be an important part of a proper security strategy. Of course, the site won't turn into the Bank of England, but you've made it a little harder for the hackers. To optimize the wp-config.php, so-called constants are used. WordPress has a lot of constants that can be employed. But what is a constant? PHP.net describes constants the following way:
A constant is an identifier (name) for a simple value. As the name suggests, that value cannot change during the execution of the script (except for magic constants, which aren't actually constants). A constant is case-sensitive by default. By convention, constant identifiers are always uppercase.Constants are embedded in the define() function, and look like this:
define('NAME_OF_THE_CONSTANT', value);The wp-config.php is the control file for WordPress. It is loaded before all other files because WordPress needs to set up a database connection. The required information is located in the config-file. When changing the value of a constant, or adding a constant, you also change the behavior of WordPress.
Before the Work: Please Create a BackupBefore, editing the wp-config.php, create a backup of this file. Your website won't work with wrong or missing entries.
Important: Always Update WordPress and Plugins ImmediatelyYou've probably heard this a couple of times already. But this aspect is so important that I can't repeat it often enough. Tons of websites got hacked because WordPress or the plugins weren't up to date. Updates are the best insurance against hacking! The Current Security Situation: The security specialists Sucuri are currently warning against a security gap in the popular Jetpack plugin for WordPress. Malicious code can be implemented via the shortcode-embed-function. Automattic will indeed react soon and release a new version. How to Close the Security Gap for Now: If you happen to be using my "optimal .htaccess" file, you are not in danger. There, the great 6G firewall, which can fend off this type of attacks.
The Preparation:For all the following work, you'll need an FTP program, as well as an HTML editor. The wp-config.php is downloaded to the desktop, edited within the HTML editor, and uploaded back to the server afterward.
1 - Use the Security KeysSecurity keys in WordPress are critical, as the encrypt things like the login information in cookies, for example. Even when your wp-config.php already has security keys, changing them can't hurt. When the keys are changed, all still outstanding logins of your users are signed out. Subsequently, you'll be able to log in regularly, using your username and password. However, if you've been hacked already, you should first remove the malicious code from your website. A guide on that can be found in the additional information on this aspect. Afterward, visit the WordPress Generator for security keys, and copy a new set. Replace the old part with the new ones - view screenshot: [caption id="attachment_76372" align="alignnone" width="660"] The Security Keys in the wp-config.php.[/caption] If you haven't implemented security keys yet, this is the right time to do so.
2 - Force the Use of HTTPSAn SSL certificate encrypts the connection between your website and the visitor's browsers. HTTPS makes it impossible for hackers to trap and steal personal data. If you already have an SSL certificate for your website, you can force the use of HTTPS instead of HTTP. This increases your site's security significantly. If you don't have an SSL certificate yet, you should strongly consider using one. You don't have to be afraid of major costs, as SSL is also available for free. The following entries should be used when your website already uses SSL. The uppermost entry is meant for the secured login, while the lowest one forces the browser to make the admin area of WordPress usable with SSL only. https://gist.github.com/anonymous/712f774fc40c460a7aedc45a6dead338
3 - Change the Database PrefixThe database prefix is also known under the label "table prefix." This prefix is used as an extension of every database table generated by WordPress. Here, the standard is wp_. This standard should be changed to something else. The more cryptic, the better. Don't worry; you don't need to remember what you enter here. This value is only placed once. Thinking about it, the possibility of an SQL injection is not very likely. But it is possible. Thus, alter the value before installing WordPress. Use something like hdr7rf_, for example. Attention: If you change the value of an already existing WordPress installation, the website is not accessible anymore! If you want to change the table prefix of an existing WordPress website, the plugin Acunetix WP Security could help you. It lets you change the value easily, and all you have to do afterward is log back in. Nonetheless, you should still create a backup in beforehand.
4 - Turn Off the Plugin and Theme EditorIn every WordPress installation, it is possible to edit theme and plugin files directly within the admin area. Under the menu items "Design" and "Plugin," you'll find the respective editor for each file. This editor is very dangerous if it happens to get into the hands of a hacker. Data can be destroyed, and viruses, trojans, spam, and other malware can be added. But the editor is also important for a website's admin. A single mistake, a single missing semicolon is all it takes for the infamous white pages to show up, and nothing will work anymore. Changes to theme or plugin files are generally made via (S)FTP, as it is much safer. Thus, the editors need to be deactivated. A single line in the wp-config.php is enough to safely turn off both editors: https://gist.github.com/anonymous/0ba02504a6a6c771058b34053ec10066
5 - Move the wp-config.phpThe wp-config.php is the heart of your website. All relevant data, including the database passwords, are entered there. That's why it is imperative to keep this file as safe as possible. There are two approaches for this. The first one is an access block via .htaccess-file. The second approach moves the file to a different spot, where a hacker would not expect it to be.
- Moving it may be problematic if the website is in a sub-index, and you are using a cheap shared hosting.
- It can also become tough if you have a lot of websites in custom directories. If neither of the constellations applies to you, you can move the file.