If you think your site is safe because it is not of interest to hackers, then you are wrong, because the vast majority of security breaches are not aimed at stealing your data or disfiguring your site.
Hackers usually want to use your server as a relay for spam emails, or to set up a temporary web server, usually to serve illegal files. If you get hacked, be prepared to shell out some cash for server related costs.
There are several ways to increase the security of your site or of a multisite network, but one of the easiest is to edit your wp-config.php file. Although there is no one-size-fits-all solution, updating this configuration file is a practice that should be followed for overall security.
With that in mind, we're going to explore the various modifications you can make to secure your WordPress blog.
Configuring WordPress Constants
In your WordPress configuration file, also called wp-config.php, you can define what are called PHP constants to perform certain tasks. WordPress has a lot of constants that you can use.
Constants are declared with the define() function, as shown in this syntax example:
define('NOM_DE_LA_CONSTANTE', value);
On WordPress, the file wp-config.php is loaded before the rest of the files that make up the core. This means that if you change the value of a constant in wp-config.php, you can change the way WordPress reacts and works. You can disable some features or turn them on by changing the value. In many cases, this is done simply by changing true to false, or vice versa.
Below you will find the different constants, as well as other types of PHP code, that you can use in your wp-config.php file to increase your security. Place them all above the following line in your wp-config.php file:
/* That's all, stop editing! Happy blogging. */
Warning: Be careful
Since the changes you are about to make can dramatically alter your site, it is a good idea to back it up first. If an error occurs you can quickly restore your site to a point before these changes, and once your site is functioning normally you can try again.
1. Change your security keys
You may already be aware of the different security keys, and you may already have added unique keys, which is a good thing.
The security keys encrypt the data stored in cookies, and it can be useful to change them, especially after your site has been hacked. This ends all open sessions of logged-in users on your site, which means hackers are logged out as well.
Do this when you reset passwords and make sure your site is free from backdoor exploits and the like.
You can generate a new set of security keys using the WordPress Security Key Generator. Copy all of the content and paste it to replace the section that looks like the following:
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
2. Force the use of SSL
An SSL certificate encrypts the connection between your site and your visitor's browser, so hackers cannot intercept and steal personal information. If you already have an SSL certificate installed, forcing WordPress to use it increases your security.
To force the use of your SSL certificate during connection, add this line:
define('FORCE_SSL_LOGIN', true);
You can also force your SSL certificate on the admin dashboard with this line:
define('FORCE_SSL_ADMIN', true);
These are very good points to start with, although the ideal would be to use the SSL certificate on your whole website.
3. Change the database prefix
The prefix is placed in front of the names of all the tables in your database. By default, the tables use the prefix wp_, and changing it gives the hacker an additional task to do. The more obstacles you add, the harder your blog is to hack.
Changing the default prefix helps, and all you have to do is change the setting in the wp-config.php file, but the database tables of your installation must also be renamed to the same new prefix. You can change wp_ to something like g628_.
Choose something that is really not easy to guess.
4. Disable editing of themes and plugins
In each WordPress installation, you can directly edit plugins and themes through the dashboard. If a hacker gains access to your dashboard, they have access to this editor, where they can do whatever they want within your plugin and theme files, such as adding malware, viruses or spam.
5. Disable debugging
If you have enabled debugging on your site or on a network, you probably did so because it is a great troubleshooting tool, but don't forget to disable it when you're done. Leaving this option enabled can reveal important information about your site and the location of its files to anyone who visits it, hackers included.
To turn off debug mode, you can change the WP_DEBUG constant from true to false as follows:
define('WP_DEBUG', false);
6. Disable error logging in WordPress
If you can't make the previous change because you still need to actively debug your site, you can still protect your site's vital information by turning off front-end error display and error logging.
To disable frontend error reporting, add this line while keeping your debugging (WP_DEBUG) set to true:
define('WP_DEBUG_DISPLAY', false);
7. Enable automatic updates
Keeping your site up to date with the latest versions of WordPress, along with your plugins and themes, should be an important part of your security strategy. Since updates provide security fixes for known vulnerabilities, not updating exposes your blog to these risks.
As of WordPress version 3.7, minor security fixes are automatically applied to WordPress sites, but major releases are not. However, you can enable automatic updates for all new versions by changing the value of the automatic-update constant:
define('WP_AUTO_UPDATE_CORE', true);
Likewise, you can add the following line below the previous one to enable automatic updates for plugins:
add_filter('auto_update_plugin', '__return_true');
You can also add this line to allow automatic updates for themes:
add_filter('auto_update_theme', '__return_true');
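As an added example (not code from the article), here is a small Python checker that parses a wp-config.php and reports which of the seven steps above are not applied, so you can verify a file before and after editing it. DISALLOW_FILE_EDIT is the WordPress constant that implements step 4, which the article describes without naming; the two sample configurations and their key values are constructed for the example.

```python
import re
# Constructed sample (not from the article): a wp-config.php with the weak settings the steps above fix.
WEAK_WP_CONFIG = r"""<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');
define('NONCE_SALT',      'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', true);
"""
# Constructed hardened counterpart; the key values are made-up placeholders, not generator output.
HARDENED_WP_CONFIG = r"""<?php
define('AUTH_KEY',        'k7~x]Ar2Q(vP9!wL#Bm^Zt4&yH3eN6sJ0cU8fD1gV5hX');
define('SECURE_AUTH_KEY', 'Q2w#e$R5t^Y7u*I9o(P0a_S3d+F6g{H8j}K1l|Z4x<C7v');
define('LOGGED_IN_KEY',   'mN3b:V6c;X9z/L2k?J5h!G8f@D1s%A4p&W7o*E0i(R3u)');
define('NONCE_SALT',      'T9y`U2i~O5p]P8a[S1d{F4g}H7j|K0l:Z3x;C6v<B9n>M2');
$table_prefix = 'g628_';
define('FORCE_SSL_ADMIN', true);
define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', false);
define('WP_AUTO_UPDATE_CORE', true);
"""
# define('NAME', true|false|'string'), matched case-insensitively so a capitalised Define is caught too.
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(true|false|['"][^'"]*['"])\s*\)""", re.I)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_SALT")

def parse_constants(src):
    """Return {NAME: value} for every define() in src; true/false become Python booleans."""
    consts = {}
    for name, raw in DEFINE_RE.findall(src):
        consts[name.upper()] = raw.lower() == "true" if raw.lower() in ("true", "false") else raw[1:-1]
    return consts

def audit(src):
    """Return one message per hardening step of the article that src does not apply."""
    c, prefix = parse_constants(src), PREFIX_RE.search(src)
    keys = [str(c.get(k)) for k in KEYS]          # a missing key becomes "None" and fails the checks below
    checks = [  # (passes?, finding) pairs, one per step: keys, SSL, prefix, file editor, debug output, updates
        (all("unique phrase" not in k and len(k) >= 32 for k in keys) and len(set(keys)) == len(KEYS),
         "security keys missing, default, short or reused"),
        (c.get("FORCE_SSL_ADMIN") is True, "FORCE_SSL_ADMIN not enabled"),
        (prefix is not None and prefix.group(1) != "wp_", "table prefix is the default wp_"),
        (c.get("DISALLOW_FILE_EDIT") is True, "dashboard theme/plugin editor still enabled"),
        (c.get("WP_DEBUG") is not True or c.get("WP_DEBUG_DISPLAY") is False,
         "WP_DEBUG on and errors displayed to visitors"),
        (c.get("WP_AUTO_UPDATE_CORE") is True, "WP_AUTO_UPDATE_CORE not enabled"),
    ]
    return [finding for passed, finding in checks if not passed]
```

Running audit() over the weak sample lists all six findings, while the hardened sample passes cleanly. Note that add_filter() is not yet defined when wp-config.php is loaded (wp-settings.php, which includes plugin.php, runs after it), so the auto_update_plugin and auto_update_theme filters from step 7 belong in a must-use plugin or a theme's functions.php rather than in wp-config.php.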
That's it for this tutorial. I hope it will allow you to better secure your WordPress blog.
Hello to all the team,
BRAVO for your site, which seems full of resources and of great interest: when my budget allows it, I will not fail to call on your services (I really need it…)!
A small downside for the security article of * Hervé *: we quickly get lost in the explanations, if we are not familiar with php. [In addition, when editing the text, it may be beneficial to re-read: some words have been omitted - but not the spelling mistakes. ;-)))]
Thank you Ivan for the feedback, and apologies for the mistakes.