In this video, we will talk through 7 steps for securing your WordPress site through the wp-config.php settings. Many of the settings I will show you are not set up by default, so if you've built your website on WordPress, check these out and make sure you've applied them to your production sites.
NOTE: Before you perform any of the steps in this tutorial, back up your wp-config.php file and also back up your WordPress database.
Video Index:
00:00 - Intro
01:52 - Tip # 1 - Move wp-config.php file outside of the public folder.
05:08 - Tip # 2 - Change WP Table Prefix
08:02 - Tip # 3 - Update Security Keys & Salt Keys
10:54 - Tip # 4 - FORCE SSL on Admin and Login pages
13:05 - Tip # 5 - Disable Debug in Production
14:02 - Tip # 6 - Disable File Edit
15:45 - Tip # 7 - Block External HTTP Connections
If you have trouble with Tip # 1: https://wp-wingman.com/how-to-move-your-wp-config-php-file-to-secure-your-wordpress-site/
Changes covered in the video:
- Change the WP table prefix (the default is 'wp_'):
$table_prefix = 'wp_';
- Update the security keys (https://api.wordpress.org/secret-key/1.1/salt/)
- Force the WP Admin to load on HTTPS:
define('FORCE_SSL_ADMIN', true);
- Disable file editor
define('DISALLOW_FILE_EDIT', true);
- Move the wp-config.php file. Add this to an existing wp config file:
<?php
define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . '../path/to/wp-config.php');
- Turn off debugging on production sites
define('WP_DEBUG', false);
- Auto update WordPress core:
define('WP_AUTO_UPDATE_CORE', true);
- Block external HTTP connections (outbound requests made by WordPress), except to the listed hosts
define( 'WP_HTTP_BLOCK_EXTERNAL', true );
define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.github.com' );
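An added example, not from the video or its author: a small Python audit that reads the text of a wp-config.php and reports which of the settings listed above are missing or weak. The function names and the sample config are constructed for illustration; the placeholder text it looks for is the one shipped in wp-config-sample.php.

```python
import re

# define('NAME', value); at the start of a line, either quote style.
DEFINE_RE = re.compile(r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.M)
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
MUST_BE_TRUE = ("FORCE_SSL_ADMIN", "DISALLOW_FILE_EDIT", "WP_HTTP_BLOCK_EXTERNAL")
PLACEHOLDER = "put your unique phrase here"

def active_lines(src):
    """Drop whole-line and block comments so commented-out settings are ignored."""
    kept, in_block = [], False
    for line in src.splitlines():
        s = line.strip()
        if in_block or s.startswith("/*"):
            in_block = "*/" not in s
        elif not s.startswith(("//", "#")):
            kept.append(line)
    return "\n".join(kept)

def audit_wp_config(src):
    """Return a list of findings; an empty list means every check passed."""
    src = active_lines(src)
    defines = dict(DEFINE_RE.findall(src))
    findings = []
    prefix = PREFIX_RE.search(src)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table_prefix is missing or still the default 'wp_'")
    for key in SALT_KEYS:
        if PLACEHOLDER in defines.get(key, PLACEHOLDER):
            findings.append(f"{key} is missing or still the sample placeholder")
    for name in MUST_BE_TRUE:
        if defines.get(name, "").lower() != "true":
            findings.append(f"{name} is not set to true")
    # WP_DEBUG is off when undefined, so only an explicit non-false value is flagged.
    if defines.get("WP_DEBUG", "false").lower() != "false":
        findings.append("WP_DEBUG is enabled")
    return findings

# Constructed sample: a config with weak settings, for demonstration only.
WEAK = """<?php
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define( 'WP_DEBUG', true );
// define('DISALLOW_FILE_EDIT', true);
"""

if __name__ == "__main__":
    for finding in audit_wp_config(WEAK):
        print("FAIL:", finding)
```

To check a real file, pass its contents to `audit_wp_config()`; if wp-config.php has been moved as in Tip # 1, audit the real file rather than the stub left in the public folder.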
All video tutorials on the website as well as the YouTube channel aim to provide a simplified process for a specific scenario; there could be many different factors and unique use cases you may have. The tutorials may not cover every situation, so treat them as a starting point or learning concept to apply to your unique situations, and consider this inspiration but not prescription or explicit direction.