WordPress Security: This wp-config.php Protects Your Website
Most people think their WordPress website is safe just because it doesn’t have any content worth stealing. Unfortunately, that is not true. Compromised websites are routinely used to send spam, host phishing pages or serve malware: core and theme files get laced with malicious code that infects your visitors’ computers. Often the first sign of damage is that Google has already flagged the site or dropped it from the index. Don’t let this happen, and consider my tips for a hardened wp-config.php.
There are many ways to protect a WordPress-based website from getting hacked, and hardening the wp-config.php is an important part of a proper security strategy. Of course, the site won’t turn into the Bank of England, but you’ve made it a little harder for the attackers.
The wp-config.php is tuned through so-called constants, of which WordPress recognizes a great many. But what is a constant? PHP.net describes constants the following way:
A constant is an identifier (name) for a simple value. As the name suggests, that value cannot change during the execution of the script (except for magic constants, which aren’t actually constants). A constant is case-sensitive by default. By convention, constant identifiers are always uppercase.
Constants are defined with the define() function and look like this: define('NAME_OF_THE_CONSTANT', value); In wp-config.php they belong above the line /* That's all, stop editing! */, because after that line WordPress itself is loaded and later definitions come too late.
The wp-config.php is the control file of a WordPress installation. It is loaded very early, before WordPress connects to the database, because the connection details live in this file. When you change the value of a constant, or add one, you change the behavior of WordPress.
Before the Work: Please Create a Backup
Before editing the wp-config.php, create a backup of the file. Your website won’t work with wrong or missing entries, and the backup is the fastest way back. Keep the copy outside the web root: the file contains your database credentials, and a wp-config.php.bak left next to the original can be downloaded by anyone who guesses the name.
Important: Always Update WordPress and Plugins Immediately
You’ve probably heard this a couple of times already, but this aspect is so important that I can’t repeat it often enough. A great many websites get hacked because WordPress or a plugin wasn’t up to date. Updates are the best insurance against hacking!
The Current Security Situation:
The security specialists Sucuri are currently warning of a security gap in the popular Jetpack plugin for WordPress: malicious script can be injected through the shortcode embed function (a stored cross-site scripting flaw). Automattic is expected to release a fixed version shortly.
How to Close the Security Gap for Now:
If you happen to be using my “optimal .htaccess” file, you are largely protected for now: the 6G firewall rules it contains block many requests of this type. Treat that as a stopgap, not a fix, and install the Jetpack update as soon as it is available.
The Preparation:
For all the following work, you’ll need an (S)FTP client and a plain text editor (not a word processor). Download the wp-config.php to your desktop, edit it locally, and upload it back to the server afterward.
1 – Use the Security Keys
Security keys in WordPress are critical: together with the salts they are used to sign the authentication cookies and nonces, so anyone who knows them can forge a logged-in session. Even if your wp-config.php already has security keys, changing them can’t hurt. When the keys are changed, every existing session, including your own, becomes invalid and all users are signed out. Subsequently, you’ll be able to log in regularly, using your username and password.
However, if you’ve been hacked already, you should first remove the malicious code from your website; otherwise the attacker simply reads the new keys from the file again. A guide on that can be found in the additional information on this aspect. Afterward, visit the WordPress generator for security keys (https://api.wordpress.org/secret-key/1.1/salt/) and copy the freshly generated set. Replace the old block with the new one (see screenshot).
If you haven’t implemented security keys yet, this is the right time to do so.
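The online generator is the easy route, but keys can just as well be rotated locally. The following script is an added example, not code from the original article: it replaces all eight key and salt lines in a wp-config.php with fresh random values using PHP’s CSPRNG. It assumes the file sits next to the script (adjust $configFile), that you already hold a backup outside the web root, and that the keys use the single-quoted define() form of the sample config.

```php
<?php
// Added example, not from the original article: rotate all eight WordPress
// security keys and salts offline. Assumes wp-config.php sits next to this
// script and that a backup exists outside the web root.

declare(strict_types=1);

const WP_KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// One define() line with a fresh 64-byte key, hex-encoded (128 characters).
// random_bytes() is CSPRNG-backed; never use rand(), mt_rand() or uniqid() here.
function makeKeyLine(string $name): string
{
    return sprintf("define('%s', '%s');", $name, bin2hex(random_bytes(64)));
}

// Replace every existing key line in $config. A key that is missing entirely
// is inserted in front of $table_prefix, i.e. before wp-settings.php is loaded.
function rotateKeys(string $config): string
{
    foreach (WP_KEY_NAMES as $name) {
        $pattern = "/^define\(\s*'" . $name . "'\s*,[^\n]*\);/m";
        $line    = makeKeyLine($name);   // hex only, so it is safe as a replacement string
        if (preg_match($pattern, $config) === 1) {
            $config = preg_replace($pattern, $line, $config, 1);
        } else {
            $config = preg_replace('/^\$table_prefix/m', $line . "\n\$table_prefix", $config, 1);
        }
    }
    return $config;
}

$configFile = __DIR__ . '/wp-config.php';
$original   = file_get_contents($configFile);
if ($original === false) {
    fwrite(STDERR, "cannot read $configFile\n");
    exit(1);
}

// Write to a temporary file and rename: a half-written wp-config.php takes
// the whole site down, and rename() on the same filesystem is atomic.
$tmp = $configFile . '.tmp';
file_put_contents($tmp, rotateKeys($original), LOCK_EX);
chmod($tmp, 0640);
rename($tmp, $configFile);

echo 'Rotated ' . count(WP_KEY_NAMES) . " keys; every existing session is now invalid.\n";
```

Run it from the shell as the user that owns the WordPress files, then log in again. The hex alphabet of the generated values matters: it guarantees the replacement contains no characters that preg_replace() or PHP would interpret.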
Additional Information:
2 – Force the Use of HTTPS
A TLS (“SSL”) certificate lets the browser and your server encrypt their connection. HTTPS prevents anyone on the network path from reading or tampering with data in transit, such as passwords and session cookies; it does nothing against malicious code that is already on the server. If you already have a certificate for your website, you can force the use of HTTPS instead of HTTP. This increases your site’s security significantly. If you don’t have a certificate yet, you should strongly consider getting one.
You don’t have to be afraid of major costs, as certificates are also available for free.
The following entries should be used once your website is reachable over HTTPS. The first was meant to secure the login only, while the second forces the whole admin area of WordPress to be used over HTTPS. Since WordPress 4.0 forcing the login alone is deprecated; forcing the admin area covers the login as well.
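As an added example (not the article’s own Gist), here are the HTTPS-related lines for wp-config.php, including the reverse-proxy case that the bare constant does not handle. It assumes the site already serves a valid certificate; the hostname is hypothetical.

```php
<?php
// Added example, not the article's Gist: HTTPS enforcement in wp-config.php.
// Assumes a valid certificate is installed. Hostname below is hypothetical.

// Force the whole admin area and every login to run over HTTPS. Since
// WordPress 4.0 this is the only constant needed; the older FORCE_SSL_LOGIN
// is deprecated and, if set to true, simply implies FORCE_SSL_ADMIN.
define('FORCE_SSL_ADMIN', true);

// Optional: pin the canonical URLs, so a tampered "siteurl"/"home" option
// in the database cannot switch the site back to http://.
define('WP_HOME',    'https://example.com');
define('WP_SITEURL', 'https://example.com');

// Behind a TLS-terminating proxy or load balancer PHP sees plain HTTP, and
// FORCE_SSL_ADMIN would redirect in an endless loop. Trust the proxy's
// header ONLY if the proxy is the sole path to this server and overwrites the
// header on incoming requests; otherwise any visitor could forge it.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```

Place these lines above the “That's all, stop editing!” marker. Redirecting all non-admin traffic to HTTPS and sending an HSTS header is a job for the web server configuration, not for wp-config.php.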
3 – Change the Database Prefix
The database prefix, also known as the “table prefix,” is prepended to the name of every database table WordPress creates. The default is wp_. This default should be changed to something else; the more random, the better. Don’t worry, you don’t need to remember what you enter here: the value is set once in wp-config.php, and WordPress reads it from there.
Honestly, the gain is limited. A non-default prefix only defeats automated attacks that blindly assume wp_users or wp_options exist; a real SQL injection lets the attacker read the table names from information_schema. But it costs nothing, so alter the value before installing WordPress. Use something like hdr7rf_; only letters, digits and underscores are allowed, anything else makes WordPress refuse to load.
Attention: if you simply change the value on an already existing WordPress installation, the website is not accessible anymore, because the tables still carry the old prefix.
If you want to change the table prefix of an existing WordPress website, the plugin Acunetix WP Security can help you. It renames the tables and rewrites the options and user metadata that embed the prefix, and all you have to do afterward is log back in. Nonetheless, you should still create a backup of the database beforehand.
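To make clear what such a plugin actually has to do, here is an added example (not from the article, and not the plugin’s code): a script that generates a random prefix and builds the SQL statements needed to migrate an existing single-site installation. It executes nothing; the table list is the constructed set of default core tables, and you would run the output against a backed-up database and then set $table_prefix to the new value.

```php
<?php
// Added example, not from the article: produce the SQL for changing the
// table prefix of an EXISTING installation. Nothing is executed here.
// Assumes the default single-site core tables (constructed list below).

declare(strict_types=1);

const WP_CORE_TABLES = [
    'commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
    'termmeta', 'terms', 'term_relationships', 'term_taxonomy', 'usermeta', 'users',
];

// WordPress aborts loading if $table_prefix contains anything but [A-Za-z0-9_].
function isValidPrefix(string $prefix): bool
{
    return preg_match('/^[A-Za-z0-9_]+$/', $prefix) === 1;
}

// A random prefix such as "k3p9xz_": lowercase alphanumerics plus trailing "_".
function randomPrefix(int $length = 6): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out . '_';
}

// Renaming the tables is not enough: the "<prefix>user_roles" option and the
// "<prefix>capabilities" / "<prefix>user_level" usermeta keys embed the prefix
// too, and without them no user has any role after the rename.
function prefixChangeSql(string $old, string $new, array $tables = WP_CORE_TABLES): array
{
    if (!isValidPrefix($old) || !isValidPrefix($new)) {
        throw new InvalidArgumentException('prefix may contain only letters, digits and _');
    }
    $sql = [];
    foreach ($tables as $t) {
        $sql[] = sprintf('RENAME TABLE `%s%s` TO `%s%s`;', $old, $t, $new, $t);
    }
    // In LIKE patterns "_" is a single-character wildcard, so escape it.
    $like = str_replace('_', '\_', $old) . '%';
    $from = strlen($old) + 1;   // SUBSTRING() positions are 1-based
    $sql[] = sprintf(
        "UPDATE `%soptions` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s';",
        $new, $new, $from, $like
    );
    $sql[] = sprintf(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s';",
        $new, $new, $from, $like
    );
    return $sql;
}

echo implode("\n", prefixChangeSql('wp_', randomPrefix())), "\n";
```

Plugins that add their own tables need to be added to the list, and a multisite installation has further tables per blog; the UPDATE statements are the part most hand-made migrations forget.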
4 – Turn Off the Plugin and Theme Editor
In every WordPress installation, it is possible to edit theme and plugin files directly within the admin area. Under the menu items “Appearance” and “Plugins,” you’ll find the respective editor for each file. This editor is very dangerous once it gets into the hands of a hacker: with a single admin account, files can be destroyed, and backdoors, spam and other malware can be written straight into the theme. But the editor is also a hazard for the website’s own admin. A single mistake, a single missing semicolon, is all it takes for the infamous white page to show up, and nothing will work anymore.
Changes to theme or plugin files are better made via (S)FTP, as that is much safer. Thus, the editors should be deactivated. A single line in the wp-config.php is enough to safely turn off both editors.
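The following fragment is an added example rather than the article’s Gist. Besides the editor switch, it shows the stricter sibling constant and the trade-off that comes with it.

```php
<?php
// Added example, not the article's Gist: disable the built-in file editors.
// Goes into wp-config.php above the "That's all, stop editing!" line.

// Removes the theme and plugin file editors from the admin menu and makes
// the corresponding capability unavailable, even to administrators.
define('DISALLOW_FILE_EDIT', true);

// Stronger, optional: additionally forbid installing and updating plugins,
// themes and core from the dashboard (it implies DISALLOW_FILE_EDIT). Only
// use this when all deployment happens over SFTP or from version control.
// Caveat: it also switches off the automatic updates described in section 10
// and hides the update notices, so you must track updates yourself.
// define('DISALLOW_FILE_MODS', true);
```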
5 – Move the wp-config.php
The wp-config.php is the heart of your website. All sensitive settings, including the database password, are entered there. That’s why it is imperative to protect this file as well as possible. There are two approaches. The first is an access block via the .htaccess file. The second moves the file to a location outside the web root, where a hacker cannot request it at all.
- Moving it may be problematic if the website lives in a subdirectory and you are on cheap shared hosting.
- It can also become awkward if you run a lot of websites in custom directories. If neither situation applies to you, you can move the file.
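As an added example (not the article’s Gist), this is the stub wp-config.php that stays in the web root and hands over to the real configuration stored outside it. The path /var/www/example-config/wp-config.php is hypothetical. Note that WordPress on its own already looks for wp-config.php one directory above the installation (as long as no wp-settings.php sits there), so for a site in /var/www/html you can simply move the file to /var/www/ and need no stub at all; the stub is for any other location.

```php
<?php
// Added example, not the article's Gist: stub wp-config.php in the web root.
// The real configuration is assumed at /var/www/example-config/wp-config.php
// (hypothetical path), a directory the web server does not serve.

// The real file ends with "require_once ABSPATH . 'wp-settings.php';" and
// only sets ABSPATH from its own __DIR__ when nothing has defined it yet.
// Moved elsewhere, that guess would be wrong, so define ABSPATH here, where
// the WordPress files actually are.
if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}

$realConfig = '/var/www/example-config/wp-config.php';

if (!is_readable($realConfig)) {
    // Fail closed with a generic message; do not echo the path to visitors.
    http_response_code(500);
    exit('Configuration error');
}

require_once $realConfig;
```

Give the moved file restrictive permissions (readable by the PHP user only, e.g. 0400 or 0440) and keep the .htaccess deny rule as well; the two measures complement each other.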
If you have adjusted the path to the wp-config.php correctly, your website should work afterward.
6 – Force the Use of FTPS
If your web host supports FTP over TLS (FTPS), you can tell WordPress to use FTPS whenever it transfers files itself, for example while installing or updating plugins and themes. This encrypts the connection between the WordPress process and the FTP server. Be clear about the limits, though: this setting does not stop anyone from connecting to the server with plain FTP; only the host can disable that. Plain FTP is unsafe because the access credentials and the data cross the network unencrypted, so use FTPS (or SFTP, see below) for your own transfers as well. Your web host can tell you whether an FTPS connection is possible.
Telling WordPress to use FTPS is this simple.
7 – Force the Use of SFTP
Instead of FTPS, some hosts offer SFTP (file transfer over SSH). Here, the connection between the client and the server is encrypted as well, and WordPress can be told to use it for its own file operations, provided the PHP ssh2 extension is installed on the server.
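Sections 6 and 7 configure the same mechanism, the WP_Filesystem layer, so one added example (not the article’s Gists) covers both: it shows the FTPS and the SFTP variant side by side, plus the direct-write option that avoids FTP credentials altogether. Hostnames, the user name and the key paths are hypothetical.

```php
<?php
// Added example, not the article's Gists: choose the transport WordPress's
// own file-system layer uses for updates and plugin/theme installs. These
// constants do NOT restrict how people connect to the server; they only
// decide how the PHP process writes files. Names and paths are hypothetical.

// Option 1: direct writes, no FTP at all. Correct when the PHP process runs
// as the user that owns the WordPress files (e.g. php-fpm pool per site).
// define('FS_METHOD', 'direct');

// Option 2: FTP over TLS (FTPS). Requires PHP's ftp extension with SSL support;
// the 'ftpsockets' method cannot do TLS, so use 'ftpext'.
define('FS_METHOD', 'ftpext');
define('FTP_SSL',   true);                  // ftp_ssl_connect() instead of ftp_connect()
define('FTP_HOST',  'ftp.example.com:21');
define('FTP_USER',  'wp-deploy');
// FTP_PASS is deliberately not set: WordPress then asks for the password in
// the dashboard at update time instead of storing it in a file on the server.

// Option 3: SFTP over SSH. Requires the PECL ssh2 extension. Prefer a key pair
// readable only by the PHP user over a password in FTP_PASS.
// define('FS_METHOD',  'ssh2');
// define('FTP_HOST',   'sftp.example.com:22');
// define('FTP_USER',   'wp-deploy');
// define('FTP_PUBKEY', '/home/wp-deploy/.ssh/id_ed25519.pub');
// define('FTP_PRIKEY', '/home/wp-deploy/.ssh/id_ed25519');

// For options 2 and 3, pin the paths as seen over the transport, so WordPress
// does not have to guess them and cannot write to the wrong directory.
define('FTP_BASE',        '/var/www/html/');
define('FTP_CONTENT_DIR', '/var/www/html/wp-content/');
define('FTP_PLUGIN_DIR',  '/var/www/html/wp-content/plugins/');
```

Only one FS_METHOD can be active; the commented-out options are alternatives, not additions. Whatever you pick, the FTP account used here should be limited to the WordPress directory.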
8 – Deactivating the Debug Mode
If you have activated the WordPress debug mode for development purposes, it is vital to turn it back off. An active debug mode prints notices and errors into the page, and those can reveal file paths, plugin versions and fragments of SQL queries that help hackers do their thing. That’s why an activated debug mode is extremely dangerous on a live system. I have made this small, dumb mistake already; humans quickly forget things. That’s why you should take a quick look, just to check. This is how to deactivate the debug mode.
9 – Turn off the Display of PHP Errors
If for some reason you need the debug mode to be activated, I recommend turning off the public display of error messages. The relevant error messages can instead be written into a log that is not accessible to the public. This is the much safer and more elegant option. Note that the default log location, wp-content/debug.log, is served by the web server like any other file, so either block it or point the log outside the web root. The following constant leaves the WordPress debug mode on and suppresses the public error display.
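Sections 8 and 9 are two settings of one switch, so here is one added example (not the article’s Gists) that serves both: the debug constants chosen by the WP_ENVIRONMENT_TYPE environment variable, which WordPress 5.5 and later reads itself. The log path is hypothetical; it must be writable by PHP and must lie outside the document root.

```php
<?php
// Added example, not the article's Gists: debug settings for wp-config.php,
// switched by WP_ENVIRONMENT_TYPE (local, development, staging, production),
// the same variable WordPress 5.5+ uses. Log path is hypothetical.

$env = getenv('WP_ENVIRONMENT_TYPE') ?: 'production';   // unset means: treat as live

if ($env === 'production' || $env === 'staging') {
    // Live system: debug mode off, and nothing reaches the browser even when
    // a plugin raises PHP notices of its own.
    define('WP_DEBUG', false);
    define('WP_DEBUG_DISPLAY', false);
    @ini_set('display_errors', '0');
} else {
    // Developer machine: debug on, but errors still stay out of the page and
    // go to a private log. WP_DEBUG_LOG = true would write wp-content/debug.log,
    // which the web server hands out to anyone; since WordPress 5.1 the
    // constant accepts a path, so log outside the document root instead.
    define('WP_DEBUG', true);
    define('WP_DEBUG_DISPLAY', false);
    @ini_set('display_errors', '0');
    define('WP_DEBUG_LOG', '/var/log/wordpress/debug.log');
    define('SCRIPT_DEBUG', true);   // load unminified core scripts and styles
}
```

The variable is set in the PHP-FPM pool or the web server environment, never in the file itself, so the same wp-config.php can be deployed everywhere without a production server ever ending up in debug mode by accident.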
10 – Turn On Automatic Updates
As I have already mentioned, immediately updating the WordPress core and all plugins is crucial for the security of the system. Every new WordPress release documents the security flaws fixed in its predecessors, which gives a hacker a precise recipe against every site that lags behind. Thus, these weaknesses should be removed as fast as possible.
Since WordPress version 3.7, minor releases (security and maintenance updates) are installed automatically. This is not the case for major releases, which still need to be updated manually. However, activating automatic updates for major releases as well is very easy: a single constant in the wp-config.php does it.
By the way, it is also possible to make plugins update automatically. However, that takes a bit of work: it requires a small plugin of your own that hooks the auto_update_plugin filter.
This plugin has to be placed in the folder /wp-content/mu-plugins/. If the folder doesn’t exist, just create it. The folder /mu-plugins/ contains the “must use” plugins: WordPress loads every PHP file lying directly in that folder before the regular plugins, without any activation, and they cannot be deactivated from the admin area.
Automatic theme updates can be done the same way. For that, the plugin needs to be extended by one more line that hooks the auto_update_theme filter.
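The core constant and the must-use plugin belong together, so here is one added example (not the article’s Gists) covering all of section 10. It goes a step further than a blanket “update everything”: plugins on a block list (for instance ones you patched locally) are left alone. The file name and the block-list entry are hypothetical.

```php
<?php
/**
 * Plugin Name: Auto-update policy
 * Description: Added example, not the article's Gist. Turns on automatic
 * plugin and theme updates with a block list. Save as
 * wp-content/mu-plugins/auto-update-policy.php (hypothetical name).
 */

// Core updates are controlled in wp-config.php, not here:
//   define('WP_AUTO_UPDATE_CORE', true);     // major and minor releases
//   define('WP_AUTO_UPDATE_CORE', 'minor');  // security/maintenance only (default since 3.7)
//   define('WP_AUTO_UPDATE_CORE', false);    // nothing automatic

// Plugins that must never be updated unattended, e.g. ones with local patches.
// Slugs are the plugin directory names (hypothetical entry).
const AUP_PLUGIN_BLOCKLIST = ['my-customised-plugin'];

add_filter('auto_update_plugin', function ($update, $item) {
    // $item->slug is only present for plugins hosted on wordpress.org; other
    // plugins cannot be auto-updated anyway, so leave WordPress's decision.
    if (empty($item->slug)) {
        return $update;
    }
    if (in_array($item->slug, AUP_PLUGIN_BLOCKLIST, true)) {
        return false;
    }
    return true;
}, 10, 2);

// Themes from the official directory: always update.
add_filter('auto_update_theme', '__return_true');
```

Must-use plugins are plain files: subfolders inside /mu-plugins/ are not scanned, and the file runs on every request, so keep it this small. Since WordPress 5.5 the dashboard also offers per-plugin auto-update switches; the filter above overrides them, which is exactly what a site-wide policy wants.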
Please read up on automatic updates in advance, and only use the code if you know exactly what it does. Of course, the two filters are only able to keep plugins and themes up to date that originate from the official WordPress directory. Themes and plugins from a different source won’t be updated. Bear in mind, too, that an automatic update can break a site just like a manual one, so keep backups and read the update e-mails WordPress sends.
Additional Information:
WordPress Codex: Must Use Plugins
Conclusion
All of these measures together will already increase the security of your WordPress installation by a lot and should be part of a good security strategy. The fact that WordPress is the world’s most popular content management system attracts many hackers. The situation can be compared to Windows: on Windows you install anti-virus software, and WordPress takes a bit of manual hardening. But the safety gain definitely makes up for the small work effort.
(dpe)