{"id":155144,"date":"2016-05-11T14:00:13","date_gmt":"2016-05-11T14:00:13","guid":{"rendered":"https:\/\/premium.wpmudev.org\/blog\/?p=155144"},"modified":"2017-10-15T07:57:08","modified_gmt":"2017-10-15T07:57:08","slug":"tweaking-wp-config","status":"publish","type":"post","link":"https:\/\/wpmudev.com\/blog\/tweaking-wp-config\/","title":{"rendered":"How to Tweak wp-config.php to Protect Your WordPress Site"},"content":{"rendered":"

If you think your site is safe\u00a0because it doesn\u2019t have\u00a0any content worthwhile to hackers, think again, because the vast majority of security breaches aren’t aimed at stealing your data or defacing your site.<\/p>\n

Hackers generally want to use your\u00a0server as an email relay for spam, or to setup a temporary web server, usually to serve illegal files. If you’re hacked, get ready to shell out money for soaring server costs.<\/p>\n

There are plenty of different ways you can strengthen the security of your site or Multisite network, but one of the simplest is to tweak your wp-config.php<\/em> file. Updating this configuration file, while not a sure-fire solution for keeping out hackers, is worth doing as part of your overall security strategy.<\/p>\n

With that in mind, let’s look at what WordPress constants are and how to use\u00a0them to make changes to your wp-config.php<\/em>\u00a0file to boost your site’s security.<\/p>\n

Setting WordPress Constants<\/h3>\n

In your WordPress configuration file, also called wp-config.php<\/em>, you can set what are called constants in PHP to execute certain tasks. WordPress has many constants you can use.<\/p>\n

The PHP documentation<\/a> describes constants as:<\/p>\n

“A constant is an identifier (name) for a simple value. As the name suggests, that value cannot change during the execution of the script (except for magic constants, which aren’t actually constants). A constant is case-sensitive by default. By convention, constant identifiers are always uppercase.”<\/p><\/blockquote>\n

Simply put, you can set a value to have a name. It’s also applied globally across an entire script so you can use it again and again. Constants are case-sensitive and usually contain only uppercase letters and underscores.<\/p>\n

An actual constant used in WordPress is WP_DEBUG<\/code>\u00a0and this is a great example of how to properly name them since they can only begin in a letter or a single underscore. (You can read more about how to use WP_DEBUG<\/code> here<\/a>.)<\/p>\n

Constants are also wrapped in the define()<\/code> function as shown in this basic syntax example:<\/p>\n

Loading gist 8fb29471988d827b5b3de42e04d1b8fa<\/a>

Please update your cookie preferences<\/a> to enable preference cookies to view this gist.<\/p><\/div><\/div>\n

In WordPress, the wp-config.php<\/em> file is loaded before the rest of the files that makes up the core. This means, that if you change the value of a constant in wp-config.php<\/em>, you can change how WordPress reacts and functions. You could disable certain features or enable them all by changing the value. In many cases, this can be done by changing false<\/code> to true<\/code> and vice versa, for example.<\/p>\n

Below are constants as well as other types of PHP code you can use in your wp-config.php<\/em>\u00a0file to amp up your security. Place them all above the following line in your wp-config.php<\/em> file:<\/p>\n

Loading gist 1c739b1be3f1dd9a7f11e82e8bb72c91<\/a>

Please update your cookie preferences<\/a> to enable preference cookies to view this gist.<\/p><\/div><\/div>\n

Warning: In Case of Emergency<\/h3>\n

Since the changes you’re about to make can drastically alter your site, it’s a good idea to back\u00a0it up. If a mistake is made, you can quickly restore your site to a point before you made any changes and once your site is functioning as normal, you can try again.<\/p>\n

For more details on how to create a backup or restore your site, check out some of our other posts:\u00a0How to Backup Your WordPress Website (and Multisite) Using Snapshot<\/a>,\u00a0Backup Plugins Aren\u2019t About Backing up, They\u2019re About Restoring<\/a> and\u00a07 Top Premium and Freemium WordPress Backup Plugins Reviewed<\/a>.<\/p>\n

If you find you have already been hacked and you’re trying to beef up your site’s security, install a security plugin such as Defender<\/a>\u00a0and give hackers the smackdown<\/a>.<\/p>\n

Once you’ve made a backup, you can start making the changes below.<\/p>\n

1. Change Your Security Keys<\/h3>\n

You may already be aware of the security keys section and you may have previously added unique keys which is great because they make it more difficult for hackers to be able to intrude.<\/p>\n

Security keys help encrypt information stored in cookies and it can be helpful to change them up every now and again, especially after your site has been hacked. \u00a0This would effectively end any open sessions of logged in users on your site which means hackers are logged out as well.<\/p>\n

As long as you reset your passwords and make sure your site is clean of any backdoor exploits<\/a> and the like, your site can be safe from hackers once again.<\/p>\n

You can generate a new set of security keys using the WordPress Security Key Generator<\/a>. Copy the entire output and paste it to replace the section that looks similar to the example below:<\/p>\n

Loading gist 91acb16b31797bb15a3afde89949a12d<\/a>

Please update your cookie preferences<\/a> to enable preference cookies to view this gist.<\/p><\/div><\/div>\n

2. Force the Use of SSL<\/h3>\n

An SSL certificate<\/a> encrypts the connection between your site and your visitor’s browser so that hackers can’t intercept and steal personal information. If you already have an SSL certificate installed, forcing your site to use it can help step up your security game.<\/p>\n

To force the use of your SSL certificate when both logging in and viewing the admin dashboard, add this line:<\/p>\n

Loading gist 1f9c627bc9a008f8cc0eb32ae878a767<\/a>

Please update your cookie preferences<\/a> to enable preference cookies to view this gist.<\/p><\/div><\/div>\n

These are great starts, but it’s ideal to use your SSL certificate on all pages of your site and you can get the details on how to do this in our post\u00a0How to Use SSL and HTTPS with WordPress<\/a>.<\/p>\n

3. Change Your Database Prefix<\/h3>\n

A prefix is placed in front of the names of all your tables in your database. By default, it’s set to wp_<\/code> and while you could go along your merry way without doing anything, changing it adds another step to a hacker’s to-do list if they want to get into your site.\u00a0The more obstacles you add in a hacker’s way, the less of a chance there is of them successfully infiltrating your site.<\/p>\n

Changing the default prefix helps with this and if you locate the line below in wp-config.php<\/em>, you can change wp_<\/code> to something else such as g628_<\/code> or similarly difficult prefixes that are less likely to be guessed.<\/p>\n

Loading gist 072388912d92b75b529b764cd08a1cc5<\/a>

Please update your cookie preferences<\/a> to enable preference cookies to view this gist.<\/p><\/div><\/div>\n

4. Disable Plugin and Theme Editing<\/h3>\n

In every WordPress installation, you can directly edit plugins and themes through the dashboard. If a hacker were able to weasel their way into your site’s backend, they would have access to this special editor where they could then do whatever they wanted within your plugin and theme files such as add malware, viruses or spam.<\/p>\n

Containing a hacker once they successfully intrude should be a part of your security regimen. Sometimes, despite your best efforts, someone may still be able to hack your site so making it as difficult as possible for them to do any actual damage is important.<\/p>\n

On this thought train, you can disable the theme and plugin editor so hackers\u00a0won’t have access to it in case they are able to get in. This also means that your site or network’s users also won’t have access to it, but this usually isn’t a bad thing since it prevents them from making any huge errors that could potentially bring down your site.<\/p>\n

Add this line to disable the plugin and theme editor:<\/p>\n

Loading gist 9701987ffe73330cc23fbf7b9fb9e134<\/a>

Please update your cookie preferences<\/a> to enable preference cookies to view this gist.<\/p><\/div><\/div>\n

5. Move the wp-config.php<\/em> File<\/h3>\n

Since your wp-config.php<\/em> file holds a lot of crucial information including passwords, it’s important to keep this file as safe as possible. Apart from setting the right user permissions<\/a> for it, you can also move the file one directory above the default location without breaking your site. Moving the file also makes it more difficult for hackers to predict its location in order to be able to hack into it.<\/p>\n

It may be important to note that this isn’t always possible, especially if you have one of these setups:<\/p>\n