How to Secure Your WordPress Website
WordPress websites are frequently hacked. This topic is for techniques and practices that increase the security of your WordPress installation beyond what is achieved in a base install.
Apart from this topic, another good place to read about securing a WordPress installation is the Hardening WordPress Codex page.
Move wp-config.php file
The most sensitive information of a WordPress install is stored in the
wp-config.php file. If a hacker gets access to this file then they have total control of your website.
wp-config.php is stored in the WordPress installation folder. To make this file harder to steal you can move it out of the web accessible folder. If you move it just one folder above, WordPress will automatically find it. If you move
wp-config.php to a different location, create an empty file called
wp-config.php in the WordPress installation folder. Then add the following:
define('ABSPATH', dirname(__FILE__) . '/'); // '../../wp-config.php' defines location two folders above installation folder. // Substitute with actual location of wp-config.php file as necessary. require_once(ABSPATH . '../../wp-config.php');
You may need to make PHP executable in the folder you place wp-config.php in. You should make PHP executable in as few folders as possible. A good system puts the WordPress install in
/path/to/wordpress/install/ and the config in
/path/to/wordpress/config. You'd make sure the config folder is not web accessible and don't place any other sensitive information would be placed in
/path/to/ or higher in the folder hierarchy. In that case, you'd write a line similar to the following in your
open_basedir = "/path/to/wordpress/install/;/path/to/wordpress/config"
This technique is controversial and some people don't think it enhances security. Extensive discussion on the topic can be read at this WordPress StackExchange question.
Disable File Editor
The file editor that ships with WordPress are a security risk. If an attacker gains admin access to your WordPress website they will be easily able to insert malicious code into theme and plugin files. It is also a risk with clients who don't know what they're doing. Once misplaced colon in the file editor can break a site and make it inaccessible from the browser.
In your WordPress
wp-config.php file, disable the file editor by adding the following line of code.
define( 'DISALLOW_FILE_EDIT', true );
That line will have the desired effect when added to your theme's
functions.php file too but it is better to add to
If you are using WordPress CLI to install WordPress you can use the following command to create a
wp-config.php file with file editing disabled.
/* declare variables beforehand or substitute strings in */ wp core config --dbname="$MYSQL_DBNAME" --dbuser="$MYSQL_USERNAME" --dbpass="$MYSQL_PASS" --dbprefix="$WP_DBPREFIX"_ --locale=en_AU --extra-php <<PHP define( 'DISALLOW_FILE_EDIT', true ); PHP
This method is useful if you install WordPress with a script.
Set a custom prefix for WordPress tables
When you install WordPress on your server, the installation script will place a prefix in front of all the WordPress MySQL table names. This prefix is set to
'wp_' by default. The WordPress posts table will be called
wp_posts for example. By changing the table prefix you can create some security by obscurity. This way when a hacker attempts SQL injection attacks, they will have to guess the prefix of your table rather than just using
'wp_'. You can set this prefix to be whatever you like.
Set Prefix in New WordPress Installation
If using famous 5-minute installation Change prefix in the field during installation.
If installing via WordPress CLI use the following command:
// set other variables above, or substitute your strings in. WP_DBPREFIX=foo wp core config --dbname="$MYSQL_DBNAME" --dbuser="$MYSQL_USERNAME" --dbpass="$MYSQL_PASS" --dbprefix="$WP_DBPREFIX"_ --locale=en_AU
Change Prefix in Existing Installation
Changing the prefix is a little more difficult. Firstly use a FTP program like FileZilla to edit the
wp-config.php file. Change the entry
$table_prefix = 'wp_'; to $table_prefix = 'foo_'; substituting 'foo' for your desired prefix.
Next, we'll need to edit the database. If you have access to phpMyAdmin, login and do the following:
- Select the WordPress database
- Select all tables and in the drop-down select replace table prefix.
- In "From" type
'wp_'. In "To" type your prefix,
'foo_'in this example and press "Submit".
- Tables should now look like this:
If you can't use phpMyAdmin then use the following MySQL command:
RENAME table `wp_comments` TO `foo_comments`
You'll need to run that command for each table, substituting 'comments' for the other table names.
Next, we need to change a few entries in some tables. Run this query on the 'foo_options' table
SELECT * FROM foo_options WHERE option_name LIKE '%user_roles%'
A entry with option_name of 'wp_user_roles' should appear. In that entry change the 'option_name' entry from
Then open up 'foo_usermeta' table and find every entry with 'wp_' at the front.
and change it to 'foo_'. The number of entries you must change will depend on how many users you have.
That should be all you need to change the prefix in an existing installation