How to Tweak wp-config.php to Protect Your WordPress Site
If you think your site is safe because it doesn’t have any content worthwhile to hackers, think again, because the vast majority of security breaches aren’t aimed at stealing your data or defacing your site.
Hackers generally want to use your server as an email relay for spam, or to setup a temporary web server, usually to serve illegal files. If you’re hacked, get ready to shell out money for soaring server costs.
There are plenty of different ways you can strengthen the security of your site or Multisite network, but one of the simplest is to tweak your wp-config.php file. Updating this configuration file, while not a sure-fire solution for keeping out hackers, is worth doing as part of your overall security strategy.
With that in mind, let’s look at what WordPress constants are and how to use them to make changes to your wp-config.php file to boost your site’s security.
Setting WordPress Constants
In your WordPress configuration file, also called wp-config.php, you can set what are called constants in PHP to execute certain tasks. WordPress has many constants you can use.
The PHP documentation describes constants as:
“A constant is an identifier (name) for a simple value. As the name suggests, that value cannot change during the execution of the script (except for magic constants, which aren’t actually constants). A constant is case-sensitive by default. By convention, constant identifiers are always uppercase.”
Simply put, you can set a value to have a name. It’s also applied globally across an entire script so you can use it again and again. Constants are case-sensitive and usually contain only uppercase letters and underscores.
An actual constant used in WordPress is
WP_DEBUG and this is a great example of how to properly name them since they can only begin in a letter or a single underscore. (You can read more about how to use
Constants are also wrapped in the
define() function as shown in this basic syntax example:
In WordPress, the wp-config.php file is loaded before the rest of the files that makes up the core. This means, that if you change the value of a constant in wp-config.php, you can change how WordPress reacts and functions. You could disable certain features or enable them all by changing the value. In many cases, this can be done by changing
true and vice versa, for example.
Below are constants as well as other types of PHP code you can use in your wp-config.php file to amp up your security. Place them all above the following line in your wp-config.php file:
Warning: In Case of Emergency
Since the changes you’re about to make can drastically alter your site, it’s a good idea to back it up. If a mistake is made, you can quickly restore your site to a point before you made any changes and once your site is functioning as normal, you can try again.
For more details on how to create a backup or restore your site, check out some of our other posts: How to Backup Your WordPress Website (and Multisite) Using Snapshot, Backup Plugins Aren’t About Backing up, They’re About Restoring and 7 Top Premium and Freemium WordPress Backup Plugins Reviewed.
Once you’ve made a backup, you can start making the changes below.
1. Change Your Security Keys
You may already be aware of the security keys section and you may have previously added unique keys which is great because they make it more difficult for hackers to be able to intrude.
Security keys help encrypt information stored in cookies and it can be helpful to change them up every now and again, especially after your site has been hacked. This would effectively end any open sessions of logged in users on your site which means hackers are logged out as well.
As long as you reset your passwords and make sure your site is clean of any backdoor exploits and the like, your site can be safe from hackers once again.
You can generate a new set of security keys using the WordPress Security Key Generator. Copy the entire output and paste it to replace the section that looks similar to the example below:
2. Force the Use of SSL
An SSL certificate encrypts the connection between your site and your visitor’s browser so that hackers can’t intercept and steal personal information. If you already have an SSL certificate installed, forcing your site to use it can help step up your security game.
To force the use of your SSL certificate when both logging in and viewing the admin dashboard, add this line:
These are great starts, but it’s ideal to use your SSL certificate on all pages of your site and you can get the details on how to do this in our post How to Use SSL and HTTPS with WordPress.
3. Change Your Database Prefix
A prefix is placed in front of the names of all your tables in your database. By default, it’s set to
wp_ and while you could go along your merry way without doing anything, changing it adds another step to a hacker’s to-do list if they want to get into your site. The more obstacles you add in a hacker’s way, the less of a chance there is of them successfully infiltrating your site.
Changing the default prefix helps with this and if you locate the line below in wp-config.php, you can change
wp_ to something else such as
g628_ or similarly difficult prefixes that are less likely to be guessed.
4. Disable Plugin and Theme Editing
In every WordPress installation, you can directly edit plugins and themes through the dashboard. If a hacker were able to weasel their way into your site’s backend, they would have access to this special editor where they could then do whatever they wanted within your plugin and theme files such as add malware, viruses or spam.
Containing a hacker once they successfully intrude should be a part of your security regimen. Sometimes, despite your best efforts, someone may still be able to hack your site so making it as difficult as possible for them to do any actual damage is important.
On this thought train, you can disable the theme and plugin editor so hackers won’t have access to it in case they are able to get in. This also means that your site or network’s users also won’t have access to it, but this usually isn’t a bad thing since it prevents them from making any huge errors that could potentially bring down your site.
1.6 million WordPress Superheroes read and trust our blog. Join them and get daily posts delivered to your inbox - free!
Add this line to disable the plugin and theme editor:
5. Move the wp-config.php File
Since your wp-config.php file holds a lot of crucial information including passwords, it’s important to keep this file as safe as possible. Apart from setting the right user permissions for it, you can also move the file one directory above the default location without breaking your site. Moving the file also makes it more difficult for hackers to predict its location in order to be able to hack into it.
It may be important to note that this isn’t always possible, especially if you have one of these setups:
- You already have a wp-config.php file located one level up since, just as in the film Highlander, there can only be one – in the same spot
- Your site is in a sub-directory instead of the root and you’re on shared hosting or you have many sites in their own directories since the above rule would apply in these setups
If you’re not in one of these situations, you should be just fine to move your configurations file, but going one step further, you can move it to anywhere you want and creating a new wp-config.php file in its original place with the following contents:
Your site should be able to function as it normally would as long as you replace
/path/to/wp-config.php with the actual path to your configurations file.
6. Enforcing the Use of FTPS
If your hosting has File Transfer Protocol Secure (FTPS) enabled, you can force the use of FTPS when transferring files. This would encrypt the connection between your server and the user so a hacker can’t intercept and steal files and information.
To force the use of FTPS, add the following line:
7. Enforcing the Use of SFTP
Similar to the above tip, if your hosting has SSH File Transfer Protocol (SFTP) enabled to secure and encrypt your connection when using SSH and the command line, you can force its use for all members with the line below.
8. Turning Off Debugging
If you previously turned on debugging for your site or network, it’s a great tool for troubleshooting issues, but you shouldn’t forget to disable it once you’re finished. Leaving this option enabled can reveal important information about your site and the location of its files to hackers and anyone who visits your site and it results in an error.
Since I often forget to do this, myself, this can serve as a reminder for you if you’re already aware of this idea.
To turn off the debugging mode, you can switch true to false so the debugging line looks like the example below:
You could also remove the line if you’re confident that you don’t need it any longer.
9. Disabling Front-End Error Logging
If you can’t make the change above because you still need to actively debug your site, you can still protect your site’s vital information by turning off the front-end errors that are displayed and including them in an error log that’s not publicly visible or accessible.
To disable front-end error reporting, add this line while keeping your debugging constant intact and set to
You can check out one of our other posts Debugging WordPress: How to Use WP_DEBUG for more details on debugging in WordPress.
10. Enabling Automatic Updates
Keeping your site updated with the latest versions of the WordPress core along with your plugins and themes should be an important part of your security strategizing. Since updates provide security fixes for known vulnerabilities, not updating means you’re putting your site at risk by not fixing these security holes.
You can find out more about the importance of updating for security by checking out Why You Should Have the Latest Version of WordPress and The Ultimate Guide to Updating WordPress and Multisite.
Since version 3.7 of WordPress, minor security releases are automatically applied to WordPress sites, but major versions for core updates aren’t, although, you can turn on automatic updates for all new versions by changing the value of the auto update constant as shown below:
As a bonus, you can add the following line below to a must use plugin in the /wp-content/mu-plugins/ folder to enable automatic updates for plugins:
You can additionally follow that with this line to enable automatic updates for themes:
It may be important to note that adding auto upgrades for plugins and themes usually only work if they’re from the WordPress directory. Plugins and themes found elsewhere including premium ones may not work since they aren’t required to follow the same guidelines that are necessary for submitting to the WordPress repository. This means that they may not have the code included for enabling auto updates to function properly.
Still, there may be a chance that they do follow the requirements so it can still be useful to give it a try and enable automatic updates, especially if you use a mix of free and premium plugins.
Automatically Apply these Tweaks
These tips should get you well on your way to helping secure your site by adding to the wp-config.php file, but it can be a time-consuming task. Not to mention that while these tweaks are useful, they shouldn’t be the only steps you take toward securing your site.
Installing a security plugin like Defender for your single or Multisite install can automatically make these adjustments for you safely as well as automatically. Once these changes are made in a couple clicks, Defender also remains vigilant so you don’t have to, blocking and giving hackers the smack-down even while you sleep.
If you’re already a member of WPMU DEV, Defender is included in your subscription, but if you haven’t signed up yet, you can try it out for free.
Have you been able to successfully use these tips? What are your favorite tweaks for increasing the security of your site? Feel free to share your experience in the comments below.