WordPress websites are frequently hacked. This topic is for techniques and practices that increase the security of your WordPress installation beyond what is achieved in a base install.
Apart from this topic, another good place to read about securing a WordPress installation is the Hardening WordPress Codex page.
The file editor that ships with WordPress is a security risk. If an attacker gains admin access to your WordPress website they will be easily able to insert malicious code into theme and plugin files. It is also a risk with clients who don't know what they're doing. Once misplaced colon in the file editor can break a site and make it inaccessible from the browser.
In your WordPress wp-config.php
file, disable the file editor by adding the following line of code.
define( 'DISALLOW_FILE_EDIT', true );
That line will have the desired effect when added to your theme's functions.php
file too but it is better to add to wp-config.php
.
If you are using WordPress CLI to install WordPress you can use the following command to create a wp-config.php
file with file editing disabled.
/* declare variables beforehand or substitute strings in */
wp core config --dbname="$MYSQL_DBNAME" --dbuser="$MYSQL_USERNAME" --dbpass="$MYSQL_PASS" --dbprefix="$WP_DBPREFIX"_ --locale=en_AU --extra-php <<PHP
define( 'DISALLOW_FILE_EDIT', true );
PHP
This method is useful if you install WordPress with a script.
The most sensitive information of a WordPress install is stored in the wp-config.php
file. If a hacker gets access to this file then they have total control of your website.
By default wp-config.php
is stored in the WordPress install folder. To make this file harder to steal you can move it out of the web accessible folder. If you move it just one folder above, WordPress will automatically find it. If you move wp-config.php
to a different location, create an empty file called wp-config.php
in the WordPress installation folder. Then add the following:
define('ABSPATH', dirname(__FILE__) . '/');
// '../../wp-config.php' defines location two folders above installation folder.
// Substitute with actual location of wp-config.php file as necessary.
require_once(ABSPATH . '../../wp-config.php');
You may need to make php
executable in the folder you place wp-config.php in. You should make php executable in as few folders as possible. A good system puts the WordPress install in /path/to/wordpress/install/
and the config in /path/to/wordpress/config
. You'd make sure the config folder is not web accessible and don't place any other sensitive information would be placed in /path/to/
or higher in the folder hierarchy. In that case you'd write a line similar to the following in your php.ini
:
open_basedir = "/path/to/wordpress/install/;/path/to/wordpress/config"
This technique is controversial and some people don't think it enhances security. Extensive discussion on the topic can be read at this WordPress StackExchange question.
When you install WordPress to your server, the installation script will place a prefix in front of all the WordPress MySQL table names. This prefix is set to 'wp_' by default. The WordPress posts table will be called wp_posts
for example. By changing the table prefix you can create some security by obscurity. This way when a hacker attempts SQL injection attacks, they will have to guess the prefix of your table rather than just using 'wp_'. You can set this prefix to be whatever you like.
Set Prefix in New WordPress Installation
If using famous 5 minute installation Change prefix in field during installation.
If installing via WordPress CLI use the following command:
// set other variables above, or substitute your strings in.
WP_DBPREFIX=foo
wp core config --dbname="$MYSQL_DBNAME" --dbuser="$MYSQL_USERNAME" --dbpass="$MYSQL_PASS" --dbprefix="$WP_DBPREFIX"_ --locale=en_AU
Change Prefix in Existing Installation
Changing the prefix is a little more difficult. Firstly use a FTP program like FileZilla to edit the wp-config.php
file. Change the entry $table_prefix = 'wp_';
to $table_prefix = 'foo_';
substituting 'foo' for your desired prefix.
Next we'll need to edit the database. If you have access to phpMyAdmin, login and do the following:
If you can't use phpMyAdmin then use the following MySQL command:
RENAME table `wp_comments` TO `foo_comments`
You'll need to run that command for each table, substituting 'comments' for the other table names.
Next we need to change a few entries in some tables. Run this query on the 'foo_options' table
SELECT * FROM foo_options WHERE option_name LIKE '%user_roles%'
A entry with option_name of 'wp_user_roles' should appear. In that entry change the 'option_name' entry from wp_user_roles
to foo_user_roles
.
Then open up 'foo_usermeta' table and find every entry with 'wp_' at the front. and change it to 'foo_'. The number of entries you must change will depend on how many users you have.
That should be all you need to change the prefix in an existing installation