WordPress Security : Securing wp-config.php

WordPress Security : Securing wp-config.php


This post is first of a series, where in we will detail the steps needed to make your WordPress site more secure.

Every WordPress site contains a file called wp-config.php. Many of us, who work closely with WordPress would have already seen this file. When we install WordPress for the very first time, this is where we enter the database details for the site. Along with the database details, this file also contains many other configuration parameters which can lead to a much better security of your WordPress Site.

1. Change Database Prefix ($table_prefix)

The WordPress database consists of many tables to store posts, links, comments, users etc. Now these tables by default have standard names like wp_users, wp_options, wp_posts etc. Now a hacker knows that your user details are stored in the table wp_users, and will try and exploit this. We can however prevent the hacker from guessing the name of the table. To do this, while installing WordPress, we need to change the setting for $table_prefix.

In your wp-config file there will be a line:

$table_prefix  = 'wp_';

You need to change it to something random like:

$table_prefix  = 'axcsr_';



This will cause the tables in the database to become axcsr_usersaxcsr_posts etc, in turn making it harder for the hacker to guess.

2. Disable Editing of Theme/Plugin files

In the WordPress Dashboard, there is an option to edit your theme/plugin files. This option is not to be used by normal users under any circumstance. However, in the hands of a hacker it can be extremely dangerous. For example, suppose a hacker is able to login to your site using some exploit. One of easiest mechanisms for them to add malware to your site, will be by editing existing files. By disabling the option to edit these files, you take away a valuable tool from hackers. It can be done by adding the following line to your wp-config.php file:



3. Disallowing user to install plugins, themes or doing updates.

Disallowing a user to edit plugin/theme files will only provide one level of security. However, this does not prevent the hacker from adding a new plugin or theme. Once the Admin Panel is compromised, the hacker can also install a rogue theme or a rogue plugin. If you do not install plugins on a regular basis, we suggest, that you disable this option altogether. This can be done by using the option:


In such cases, a plugin/theme can however be installed by directly copying the plugin to the site using FTP.


 4. Forcing use of FTP for all uploads, upgrades and plugin installation.

Tip #3 can be quite restrictive for many sites. An alternative in such cases could be to force users to provide FTP details whenever uploading a file, or installing a plugin/theme. Hence, even if a hacker is able to infiltrate your Admin Panel, they will not be able to install a new script without knowing your secret FTP credentials. To do this, add the following line to your wp-config.php:

define('FS_METHOD', 'ftpext');

If FTPS is supported then add the following line to the config file:

define('FTP_SSL', true);

If your webhost or server supports SFTP you should use the following more secure option instead:

define('FS_METHOD', 'ssh2');


5. Change Security Keys

When a user logs into the Admin panel, WordPress generates cookies to keep the status of the users. To ensure that the cookies are safe and not guessable, it adds a salt while generating the cookie. This salt should ideally be long and difficult to guess. The salt is picked from 8 parameters in wp-config.php and look something like this:


define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

The above should be replaced with a new set upon installation, and WordPress provides and excellent tool to generate these randomly. You can get the same from: https://api.wordpress.org/secret-key/1.1/salt/

Also, in case your site gets hacked, it is highly advisable to change these keys with fresh ones. This will force all users to login again, and hence the hacker cannot use old cookies.


6. Move wp-config.php out of the core WordPress folder.

Typically wp-config.php is placed in the core WP folder along with other standard files like wp-settings.php, wp-login.php etc. WordPress also supports a more secure option, where in the wp-config.php can reside on the folder outside your wordpress installation. For example if your wordpress is installed in the folder /public_html/ folder, instead of having the file being present as/public_html/wp-config.php, you should store it as /wp-config.php. WordPress will intelligently pick up the configuration from this instead.

7. File Permissions of wp-config.php

Change the permissions of the file, so that only your webserver can access it. Further this file should not be modifiable/writable by anybody. Hence the preferred permission here would be to use:  400 or 440 depending on your setup. Permissions can typically be changed by usingFTP or cPanel.

8. Securing the htaccess file

Apache uses htaccess to prevent unauthorized access to certain parts of the site. Since wp-config.php should never be accessed directly by anybody, and since it contains the critical database details, we should block it from htaccess file too. This can be done by adding the following lines to your htaccess file:

</strong>order allow,deny
deny from all

We will cover other mechanisms to improve the security of your site in future posts.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s