How to Secure Your WordPress Website

From WikiHTP

WordPress websites are frequently hacked. This topic is for techniques and practices that increase the security of your WordPress installation beyond what is achieved in a base install.

Apart from this topic, another good place to read about securing a WordPress installation is the Hardening WordPress Codex page.

Move wp-config.php file[edit]

The most sensitive information of a WordPress install is stored in the wp-config.php file. If a hacker gets access to this file then they have total control of your website.

By default, wp-config.php is stored in the WordPress installation folder. To make this file harder to steal you can move it out of the web accessible folder. If you move it just one folder above, WordPress will automatically find it. If you move wp-config.php to a different location, create an empty file called wp-config.php in the WordPress installation folder. Then add the following:

define('ABSPATH', dirname(__FILE__) . '/');
// '../../wp-config.php' defines location two folders above installation folder.
// Substitute with actual location of wp-config.php file as necessary.
require_once(ABSPATH . '../../wp-config.php');

You may need to make PHP executable in the folder you place wp-config.php in. You should make PHP executable in as few folders as possible. A good system puts the WordPress install in /path/to/wordpress/install/ and the config in /path/to/wordpress/config. You'd make sure the config folder is not web accessible and don't place any other sensitive information would be placed in /path/to/ or higher in the folder hierarchy. In that case, you'd write a line similar to the following in your php.ini:

open_basedir = "/path/to/wordpress/install/;/path/to/wordpress/config"

This technique is controversial and some people don't think it enhances security. Extensive discussion on the topic can be read at this WordPress StackExchange question.

Disable File Editor[edit]

The file editor that ships with WordPress are a security risk. If an attacker gains admin access to your WordPress website they will be easily able to insert malicious code into theme and plugin files. It is also a risk with clients who don't know what they're doing. Once misplaced colon in the file editor can break a site and make it inaccessible from the browser.

In your WordPress wp-config.php file, disable the file editor by adding the following line of code.

define( 'DISALLOW_FILE_EDIT', true );

That line will have the desired effect when added to your theme's functions.php file too but it is better to add to wp-config.php.

If you are using WordPress CLI to install WordPress you can use the following command to create a wp-config.php file with file editing disabled.

/* declare variables beforehand or substitute strings in */
wp core config --dbname="$MYSQL_DBNAME" --dbuser="$MYSQL_USERNAME" --dbpass="$MYSQL_PASS" --dbprefix="$WP_DBPREFIX"_ --locale=en_AU --extra-php <<PHP
define( 'DISALLOW_FILE_EDIT', true );

This method is useful if you install WordPress with a script.

Set a custom prefix for WordPress tables[edit]

When you install WordPress on your server, the installation script will place a prefix in front of all the WordPress MySQL table names. This prefix is set to 'wp_' by default. The WordPress posts table will be called wp_posts for example. By changing the table prefix you can create some security by obscurity. This way when a hacker attempts SQL injection attacks, they will have to guess the prefix of your table rather than just using 'wp_'. You can set this prefix to be whatever you like.

Set Prefix in New WordPress Installation

If using famous 5-minute installation Change prefix in the field during installation.


If installing via WordPress CLI use the following command:

// set other variables above, or substitute your strings in.
wp core config --dbname="$MYSQL_DBNAME" --dbuser="$MYSQL_USERNAME" --dbpass="$MYSQL_PASS" --dbprefix="$WP_DBPREFIX"_ --locale=en_AU

Change Prefix in Existing Installation Changing the prefix is a little more difficult. Firstly use a FTP program like FileZilla to edit the wp-config.php file. Change the entry $table_prefix = 'wp_'; to $table_prefix = 'foo_'; substituting 'foo' for your desired prefix.

Next, we'll need to edit the database. If you have access to phpMyAdmin, login and do the following:

  • Select the WordPress database
  • Select all tables and in the drop-down select replace table prefix.
  • In "From" type 'wp_'. In "To" type your prefix, 'foo_' in this example and press "Submit".
  • Tables should now look like this:

If you can't use phpMyAdmin then use the following MySQL command:

RENAME table `wp_comments` TO `foo_comments`

You'll need to run that command for each table, substituting 'comments' for the other table names.

Next, we need to change a few entries in some tables. Run this query on the 'foo_options' table

SELECT * FROM  foo_options WHERE option_name LIKE '%user_roles%'

A entry with option_name of 'wp_user_roles' should appear. In that entry change the 'option_name' entry from wp_user_roles to foo_user_roles.

Then open up 'foo_usermeta' table and find every entry with 'wp_' at the front.


and change it to 'foo_'. The number of entries you must change will depend on how many users you have.


That should be all you need to change the prefix in an existing installation

About This Tutorial

This page was last edited on 28 January 2019, at 06:36.