Delete and Relocate Your Way To Better WordPress Security
Often security measures are not about prevention but about deterrence. Alarms don’t prevent your auto from being stolen but they increase the effort and risk and likely make thieves pass your auto by for one without an alarm.
WordPress sites are no different. You cannot protect your site against any and every hack attempt but with a few simple steps you can quickly move those hack bots onto the sites of less conscientious WordPress owners.
In this week’s Weekend Project, we’ll spend just ten minutes deleting and relocating our way to a more secure WordPress site.
The wp-config.php file is pure hacker gold, containing all the sensitive information about your WordPress site including passwords and database locations.
It’s not browsable by default, but its name and its default location in the root directory are well known. It doesn’t have to sit there, though: WordPress will also look for it one folder up in the folder structure, where it sits outside the web root and is far harder for hackers to reach.
Moving the wp-config.php file is easy. Fire up your favourite FTP app and simply drag the wp-config.php up one folder. Alternatively, move it via CPanel’s File Manager if you have access.
If, when you browse your site, you get the message about being unable to find a config file, then you’ve moved it too far. If you can’t correct this, simply move it back to the root folder.
Note: Moving the config file works best if your WordPress install is in the root directory. You obviously can’t have more than one config file in a directory, so if the site is in a sub-folder, which is often the case with multiple or sub-domains on a shared hosting account, you won’t be able to move it.
Delete Obsolete Files
There are quite a few files left over from the installation process that serve no purpose other than to offer potential back-doors to the unscrupulous.
Once again, jump into your FTP application or into CPanel File Manager and remove the following files and directories:
- readme.html – this file lets potential hackers know which version of WordPress is running. The less they know about your WordPress site the better.
- wp-admin/install.php – the site is installed, so you don’t need this anymore.
- wp-config-sample.php – it’s amazing how many people update this with real data. Again, not required, so delete it.
Remove Unused Themes and Plugins
It’s natural that over a period of time you’ll end up with a number of themes and plugins that your site no longer makes use of. Don’t keep them just in case you might need them, delete them and keep your installation as lean as possible. You can always reinstall a theme or plugin later if needed.
Not All Threats Are External
Don’t ignore the potential threat posed by those with authorised access to your site, especially if you are providing services to clients who can unintentionally wreak havoc by “tweaking”.
Disabling the Editor function for plugins and themes is recommended as well as disabling plugin and theme installations. Here’s how to protect yourself from dangerous clients.
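The three steps above (relocating wp-config.php, deleting the leftover install files, and disabling the editor and installs) as one script; this is an added example, not code from the original post. The function names and the throw-away sample tree are constructed for a dry run, while `DISALLOW_FILE_EDIT` and `DISALLOW_FILE_MODS` are the real wp-config.php constants WordPress honours.

```shell
#!/bin/sh
# Added example: harden a WordPress tree the way the post describes.
# make_sample_site builds a constructed, throw-away tree so nothing real is touched.
make_sample_site() {
  mkdir -p "$1/wp-admin"
  printf '<?php\ndefine("DB_NAME", "example");\nrequire_once ABSPATH . "wp-settings.php";\n' > "$1/wp-config.php"
  : > "$1/wp-config-sample.php"; : > "$1/readme.html"; : > "$1/wp-admin/install.php"
  : > "$1/wp-settings.php"
}

# harden_wp <site root>: returns 0 on success, 1 if no config, 2 if the site is in
# a sub-folder whose parent already holds a WordPress config or install (the
# caveat from the post: a config can only be moved up from a root-level install).
harden_wp() {
  root="$1"
  [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
  if [ -e "$root/../wp-config.php" ] || [ -e "$root/../wp-settings.php" ]; then
    echo "parent already holds a WordPress config/install; not moving" >&2; return 2
  fi
  # Step 1: relocate the config one folder up (WordPress checks the parent directory).
  mv "$root/wp-config.php" "$root/../wp-config.php"
  cfg="$root/../wp-config.php"
  # Step 2: delete the leftover installation files.
  rm -f "$root/readme.html" "$root/wp-admin/install.php" "$root/wp-config-sample.php"
  # Step 3: disable the theme/plugin editor and theme/plugin installs. The defines
  # must come before wp-settings.php is required, so insert above that line.
  for c in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
    grep -q "define *( *['\"]$c" "$cfg" && continue
    awk -v c="$c" -v q="'" '/wp-settings\.php/ && !done { print "define(" q c q ", true);"; done=1 } { print }' \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  done
  return 0
}

# is_hardened <site root>: 0 only when every step is visible on disk.
is_hardened() {
  root="$1"; cfg="$root/../wp-config.php"
  [ ! -e "$root/wp-config.php" ] && [ -f "$cfg" ] &&
  [ ! -e "$root/readme.html" ] && [ ! -e "$root/wp-admin/install.php" ] &&
  [ ! -e "$root/wp-config-sample.php" ] &&
  grep -q DISALLOW_FILE_EDIT "$cfg" && grep -q DISALLOW_FILE_MODS "$cfg"
}

# Dry run on the constructed tree.
demo_root=$(mktemp -d)/public_html
make_sample_site "$demo_root"
harden_wp "$demo_root" && is_hardened "$demo_root" && echo "hardened: $demo_root"
```

Run it against a real site only after confirming WordPress is installed in the document root, as the post's note explains.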
It’s often the simple steps that provide the biggest improvements in deterrence, and if, as WordPress owners, we accept that we are not security experts and that deterrence is our goal, not prevention, then this often frightening and horribly technical topic becomes a lot more manageable.
Photo credits: Kate Ter Haar