A step-by-step WordPress Security Tutorial
The security of a WordPress site should be your priority and in this tutorial, we will teach you how to protect your WordPress configuration file from hackers.
The configuration file holds important structural information for your site. Protecting it from outside access keeps your website from falling prey to malicious hackers or malware.
If online intruders can access this file, they can completely disrupt the structure and functionality of your website. There are three different, but effective methods you can use to establish effective security barriers around your site.
You can choose one or use all three for extra safekeeping.
Note: After this, we highly recommend protecting your WordPress Installation File too.
Method 1: Restrict Access to the Configuration File
The first method you can use is restricting access to the configuration file via .htaccess. To use this approach, start by opening the .htaccess file found in the root directory of your WordPress installation.
Then, copy the below provided code:
# PROTECT WP-CONFIG
# Apache < 2.3
Deny from all
# Apache >= 2.3
Require all denied
And paste this code anywhere within the .htaccess file within your root directory.
After pasting the code into the file, save and upload to the server.
The next step is checking to make sure the code is working and access to this file is restricted.
In your web browser, type the URL of your wp-config file. The URL path should read as follows: example.com/wordpress/wp-config.php (replace example.com with your domain name)
Hit enter to reveal the 403 Forbidden response.
Method 2: Restrict Access Through File Permissions
The second option consists of restricting file permissions.
The way to limit permissions is to set our file permission numbers to 644, 640, or a lower number. You need to fix these numbers for both the wp-config files and the .htaccess file.
These numbers are a direct correlation to what users are allowed to do within the files. Typically, lower numbers equate to fewer permissions.
The WordPress recommended setting is 755 for folders and 644 for files.
So, when you set the wp-config and .htaccess to 644, you allow WordPress to access the data while abnegating external user access.
Use your web host’s server control panel (or FTP client) to view and edit the permissions for any site file. Within the cPenal File Manager you can check the .htaccess file to see it sets to 644.
Next check wp-config to know if it, too, is set to 644.
If you cannot see numerical values in the cPenal (not all server software displays in number form), there are online converters to use to translate the values.
We recommend using onlineconversion.com
To use, imitate the pattern. The correct conversion allows all users to read the files, but only the site owner can write within or edit the files.
If converted correctly, the CHMOD value equates to 644, which is the desired value.
Now, in your cPenal you can click the check boxes for Read, Write and Execute in case your host provider does not display numeric values.
Just like Method 1, check within your browser to make sure you get the Forbidden error.
Method 3: Moving and Modifying the Files
For advanced users
A final option you can execute is to move and modify the wp-config.php file. While this method is not in the same vein as building walls of protection around the coding, it is an option to consider.
This method is for advanced users, so make sure you know what you are doing!
The first step is to move the file to a new location. The simplest way to perform this action is by creating an entirely new file and either drag and drop or use the Move Tool in your File Manager to transfer the data to your newly selected location.
Note: If you move core data, such as your wp-config file, you will have to manually maintain the data in the new location with each update.
Next, you will need to remove any sensitive information from the wp-config file.
Create a new file that is not accessible through a WWW directory; this keeps your files from being accessed from outside visitors. This directory should look similar to this: home/youruser/. You want it to before the public directory.
Now, open your wp-config.php file and take any lines of code which contain connection details, security keys, and the database prefix and transfer them into the new file.
Be sure to encompass this transferred code with the <?php and ?>
define('DB_NAME', 'Your_DB'); // name of database
define('DB_USER', 'DB_User'); // MySQL user
define('DB_PASSWORD', 'DB_pass'); // and password
define('DB_HOST', 'localhost'); // MySQL host
// The WordPress Security Keys
// The WordPress database table prefix
$table_prefix = 'wp_'; // only numbers, letters and underscore
After you have moved all susceptible information to this new folder, set up the following two lines of code in your wp-config.php file to match this:
What these two steps have done is set up your wp-config files, with all security data into two new locations. The coding is all still present but will be read from different places.
Using any of these tactics keeps your wp-config and .htaccess files on lockdown, protected from malignant intentions. If you don’t want to use all, choose the strategy which works best for you. The protection provided by either method is sufficient on its own.
The ultimate goal is to keep access to your most vulnerable files under lock and key. It may require some long term maintain, for example, if you move and modify your files, but knowing hackers can’t reach your information is worth the additional effort.
If you liked this WordPress security tutorial and want to see more like this, please help us by sharing this article with your social media audience!