
What to change in wp-config.php to secure your WordPress blog

If you think your site is safe because it is of no interest to hackers, you are wrong: the vast majority of security breaches are not aimed at stealing your data or defacing your site.

Hackers usually want to use your server as a relay for spam emails, or to set up a temporary web server, usually to serve illegal files. If you get hacked, be prepared to shell out some cash for server related costs.

There are several ways to increase the security of your site or multisite network, but one of the easiest is to edit your wp-config.php file. Although there is no one-size-fits-all solution, updating this configuration file is a policy that must be followed for overall security.

With that in mind, we'll explore the various changes you can make to secure your WordPress blog.

Configuring WordPress Constants

In your WordPress configuration file, wp-config.php, you can define what are called PHP constants to perform certain tasks. WordPress has a lot of constants that you can use.

Constants are set with the define() function, as shown in this syntax example:

define('NOM_DE_LA_CONSTANTE', value);

In WordPress, the file wp-config.php is loaded before the rest of the files that make up the core. This means that by changing the value of a constant in wp-config.php, you can change the way WordPress behaves. You can turn some features off or on by changing the value. In many cases, this is done by changing true to false, or vice versa.

Below you will find the different constants, as well as other types of PHP code, that you can use in your wp-config.php file to increase your security. Place them all above the following line in your wp-config.php file:

/* That's all, stop editing! Happy blogging. */

Attention: Be careful

Since the changes you are about to make can dramatically change your site, it is a good idea to back it up first. If an error occurs, you can quickly restore your site to a point before these changes, and once your site is functioning normally you can try again.

1. Change your security keys

You may already be aware of the different security keys and you may have already added unique keys, which is quite a good thing.

Security keys encrypt the data stored in cookies, and it can be useful to change them, especially after your site has been hacked. Doing so ends all open sessions of logged-in users on your site, which means hackers are logged out as well.

When you reset passwords and make sure your site is free from backdoor exploits and the like.

You can generate a new set of security keys using the WordPress Security Key Generator. Copy all of the content and paste it to replace the section that looks like the following:

define('AUTH_KEY', 't`DK% X:> xy | eZ (BXb / f (Ur`8 # ~ UzUQG - ^ _ Cs_GHs5U- & Wb? pgn ^ p8 ([email protected]} IcnCa | ');
define('SECURE_AUTH_KEY', 'D & ovlU # | CvJ ## uNq} bel + ^ MFtT & .b9 {UvR] g% ixsXhGlRJ7q! h} XWdEC [BOKXssj');
define('LOGGED_IN_KEY', 'MGKi8Br (& {H * ~ & 0s; {k0[email protected]{8XE [DenYI ^ BVf {L: jvF, hf} zBf883td6D; Vcy8, S) - & G ');
define('SECURE_AUTH_SALT', 'I6`V | mDZq21-J | ihb u ^ q0F} F_NUcy`l, = obGtq * p # Ybe4a31R, r = | n # =] @] c #');
define('LOGGED_IN_SALT', 'w <$ 4c $ Hmd% / *] ʻOom> (hdXW | 0M = X = {we6; Mpvtg + Vo <$ | #_} qG (GaVDEsn, ~ * 4i');
define('NONCE_SALT', 'a | #h {c5 | P & xWs4IZ20c2 &% 4! C (/ uG} W: mAvy

2. Force the use of SSL

An SSL certificate encrypts the connection between your site and your visitor's browser, so hackers cannot intercept and steal personal information. If you already have an SSL certificate installed, you need to force WordPress to use it, which may increase your security.

To force the use of your SSL certificate during login, add this line:

define('FORCE_SSL_LOGIN', true);

You can also force your SSL certificate on the admin dashboard with this line:

define('FORCE_SSL_ADMIN', true);

These are great places to start, although it would be ideal to use the SSL certificate on your entire website.

3. Change the database prefix

The prefix is placed in front of the names of all the tables in your database. By default, the tables use the prefix "wp_", and changing it adds an additional task for the hacker to do. The more obstacles you add, the harder your blog will be to hack.

Changing the default prefix helps, and all you have to do is change its value in the file "wp-config.php", but the database tables in your installation must also carry the same new prefix. You can change wp_ to something like g628_. Choose something that is really not easy to guess.

4. Disable editing of themes and plugins

In each WordPress installation, you can edit plugins and themes directly through the dashboard. If a hacker gained access to your dashboard, they would have access to this editor, where they could do whatever they wanted within your plugin and theme files, such as adding malware, viruses or spam.

5. Disable debugging

If you've ever turned on debugging on your site or on a network, you probably did so because it's a great tool for troubleshooting, but don't forget to turn it off when you're done. Leaving this option enabled can reveal important information about your site and the location of its files to hackers and to anyone else who visits your site.

To turn off debug mode, change the WP_DEBUG constant from true to false as follows:

define('WP_DEBUG', false);

6. Disable error logging in WordPress

If you can't make the previous change because you still need to actively debug your site, you can still protect your site's vital information by turning off front-end errors and turning off error logging.

To disable front-end error reporting, add this line while keeping debugging (WP_DEBUG) set to true:

define('WP_DEBUG_DISPLAY', false);

7. Enable automatic updates

Keeping your site up to date with the latest versions of WordPress, along with your plugins and themes, should be an important part of your security strategy. Since these updates provide security fixes for known vulnerabilities, not updating your blog exposes it to these potential risks.

As of WordPress version 3.7, minor security fixes are applied automatically to WordPress sites, but major versions are not. However, you can enable automatic updates for all new versions by changing the value of the constant for automatic updates:

define('WP_AUTO_UPDATE_CORE', true);

Likewise, you can add the following line below the previous one to enable automatic updates for plugins:

add_filter('auto_update_plugin', '__return_true');

You can also add this line to allow automatic updates for themes:

add_filter('auto_update_theme', '__return_true');
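One way to check an existing wp-config.php against the settings from sections 1 to 6, added here as an example and not code from the original article or from WordPress. The 32-character minimum for keys is an assumption of this example, DISALLOW_FILE_EDIT is the WordPress constant for the editor setting that section 4 describes without naming, and both sample configs are constructed.

```python
import re
# STR is a PHP string literal; TOKEN keeps literals and drops //, # and /* */ comments.
STR = r"'(?:\\.|[^'\\])*'" + "|" + r'"(?:\\.|[^"\\])*"'
TOKEN = re.compile("(" + STR + r")|//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
DEFINE = re.compile(r"define\s*\(\s*(" + STR + r")\s*,\s*(" + STR + r"|[^)]*?)\s*\)\s*;", re.I)
PREFIX = re.compile(r"\$table_prefix\s*=\s*(" + STR + ")")
KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php

def parse(php):
    """Return ({constant: raw PHP value}, table prefix or None), ignoring comments."""
    src = TOKEN.sub(lambda m: m.group(1) or "", php)
    consts = {m.group(1)[1:-1]: m.group(2) for m in DEFINE.finditer(src)}
    prefix = PREFIX.search(src)
    return consts, (prefix.group(1)[1:-1] if prefix else None)

def audit(php):
    """List the hardening settings from the article that this config misses."""
    consts, prefix = parse(php)
    def on(name):  # True when the constant is defined as true
        return consts.get(name, "").strip().lower() in ("true", "1")
    secrets = [consts.get(k, "")[1:-1] for k in KEYS]
    checks = [
        # Assumption: under 32 characters counts as weak (the generator emits 64).
        (any(len(s) < 32 or s == PLACEHOLDER for s in secrets),
         "keys: missing, short or placeholder key/salt"),
        (not on("FORCE_SSL_ADMIN"), "ssl: FORCE_SSL_ADMIN is not true"),
        (prefix == "wp_", "prefix: default table prefix wp_"),
        # WP_DEBUG_DISPLAY defaults to on, so it has to be set to false explicitly.
        (on("WP_DEBUG") and consts.get("WP_DEBUG_DISPLAY", "").lower() != "false",
         "debug: WP_DEBUG on and errors shown to visitors"),
        (not on("DISALLOW_FILE_EDIT"), "editor: dashboard theme/plugin editor enabled"),
    ]
    return [message for failed, message in checks if failed]

# Constructed sample configs (not taken from any real site).
WEAK = """<?php
define('AUTH_KEY', 'put your unique phrase here');
// define('FORCE_SSL_ADMIN', true);
$table_prefix = 'wp_';
define('WP_DEBUG', true);
"""
HARDENED = "<?php\n$table_prefix = 'g628_';\n" + "".join(
    f"define('{k}', 'constructed-#-//-sample-{i:040d}');\n" for i, k in enumerate(KEYS)
) + "define('FORCE_SSL_ADMIN', true);\ndefine('DISALLOW_FILE_EDIT', true);\n"

if __name__ == "__main__":
    print("weak:", audit(WEAK), "| hardened:", audit(HARDENED) or "no findings")
```

The commented-out FORCE_SSL_ADMIN line in the weak sample is reported as missing, while the `#` and `//` inside the hardened sample's key values are not mistaken for comments.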

That's it for this tutorial. Hope it will allow you to better secure your WordPress blog.

 

This article features 2 comments

  1. Hello to all the team,
    BRAVO for your site, which seems full of resources and of great interest: when my budget allows it, I will not fail to call on your services (I really need it…)!
    A small downside for the security article of * Hervé *: we quickly get lost in the explanations, if we are not familiar with php. [In addition, when editing the text, it may be beneficial to re-read: some words have been omitted - but not the spelling mistakes. ;-)))]
