
WordPress Secure your installation

From WikiOD

Remarks

WordPress websites are frequently hacked. This topic is for techniques and practices that increase the security of your WordPress installation beyond what is achieved in a base install.

Apart from this topic, another good place to read about securing a WordPress installation is the Hardening WordPress Codex page.

Move wp-config.php

The most sensitive information of a WordPress install is stored in the wp-config.php file. If a hacker gets access to this file then they have total control of your website.

By default wp-config.php is stored in the WordPress install folder. To make this file harder to steal you can move it out of the web accessible folder. If you move it just one folder above, WordPress will automatically find it. If you move wp-config.php to a different location, create an empty file called wp-config.php in the WordPress installation folder. Then add the following:

<?php
define('ABSPATH', dirname(__FILE__) . '/');
// '../../wp-config.php' points at a location two folders above the installation folder.
// Substitute the actual location of your real wp-config.php file as necessary.
require_once(ABSPATH . '../../wp-config.php');

You may need to make PHP executable in the folder you place wp-config.php in, but you should allow PHP execution in as few folders as possible. A good layout puts the WordPress install in /path/to/wordpress/install/ and the config in /path/to/wordpress/config. Make sure the config folder is not web accessible, and do not place any other sensitive information in /path/to/ or higher in the folder hierarchy. In that case you'd write a line similar to the following in your php.ini:

; Separate directories with ':' on Linux/macOS (';' is the Windows separator).
; End each entry with a slash: without it, open_basedir treats the entry as a
; name prefix, so "/path/to/wordpress/config" would also allow "/path/to/wordpress/config2".
open_basedir = "/path/to/wordpress/install/:/path/to/wordpress/config/"

This technique is controversial and some people don't think it enhances security. Extensive discussion on the topic can be read at this WordPress StackExchange question.

Disable File Editor

The file editor that ships with WordPress is a security risk. If an attacker gains admin access to your WordPress website they can easily insert malicious code into theme and plugin files through it. It is also a risk with clients who don't know what they're doing: one misplaced colon in the file editor can break a site and make it inaccessible from the browser.

In your WordPress wp-config.php file, disable the file editor by adding the following line of code.

define( 'DISALLOW_FILE_EDIT', true );

That line will have the desired effect when added to your theme's functions.php file too, but it is better to add it to wp-config.php.

If you are using WordPress CLI to install WordPress you can use the following command to create a wp-config.php file with file editing disabled.

# declare the variables beforehand or substitute your strings in
wp core config --dbname="$MYSQL_DBNAME" --dbuser="$MYSQL_USERNAME" --dbpass="$MYSQL_PASS" --dbprefix="${WP_DBPREFIX}_" --locale=en_AU --extra-php <<PHP
define( 'DISALLOW_FILE_EDIT', true );
PHP

This method is useful if you install WordPress with a script.

Set a custom prefix for WordPress tables

When you install WordPress on your server, the installation script places a prefix in front of all the WordPress MySQL table names. This prefix is 'wp_' by default, so the WordPress posts table is called wp_posts, for example. Changing the table prefix adds a measure of security by obscurity: an attacker attempting SQL injection has to guess the prefix of your tables rather than just using 'wp_'. You can set this prefix to whatever you like.

Set Prefix in New WordPress Installation

If you are using the famous 5-minute installation, change the prefix in the table prefix field during installation.

If installing via WordPress CLI use the following command:

# set the other variables above, or substitute your strings in
wp core config --dbname="$MYSQL_DBNAME" --dbuser="$MYSQL_USERNAME" --dbpass="$MYSQL_PASS" --dbprefix="${WP_DBPREFIX}_" --locale=en_AU

Change Prefix in Existing Installation

Changing the prefix is a little more difficult. Firstly use a FTP program like FileZilla to edit the wp-config.php file. Change the entry $table_prefix = 'wp_'; to $table_prefix = 'foo_'; substituting 'foo' for your desired prefix.

Next we'll need to edit the database. If you have access to phpMyAdmin, login and do the following:

  • Select the WordPress database.
  • Select all tables and, in the dropdown, choose "Replace table prefix".
  • In "From" type 'wp_'. In "To" type your prefix, 'foo_' in this example, and press "Submit".
  • The tables should now be listed with the new prefix.

If you can't use phpMyAdmin then use the following MySQL command:

RENAME TABLE `wp_comments` TO `foo_comments`;

You'll need to run that command for each table, substituting 'comments' for the other table names.

Next we need to change a few entries in some tables. Run this query on the 'foo_options' table:

SELECT * FROM foo_options WHERE option_name LIKE '%user_roles%';

An entry with an option_name of 'wp_user_roles' should appear. In that entry change the 'option_name' value from wp_user_roles to foo_user_roles.

Then open the 'foo_usermeta' table, find every entry whose key starts with 'wp_' and change that 'wp_' to 'foo_'. The number of entries you must change will depend on how many users you have.

That should be all you need to change the prefix in an existing installation.
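The whole "Change Prefix in Existing Installation" procedure collected into one MySQL script, as an added example that is not part of the original page. It assumes a single-site install with only the twelve core tables, the new prefix foo_ used in the text, and that $table_prefix in wp-config.php has already been changed to 'foo_'.

```sql
-- Constructed example: rename the twelve core tables from wp_ to foo_.
-- Tables created by plugins must be appended to this list; after running it,
-- anything still carrying the old prefix can be listed with:
--   SHOW TABLES LIKE 'wp\_%';
-- The backslash matters: in LIKE a bare '_' matches any single character,
-- so 'wp_%' would also match unrelated names such as wpseo_...
RENAME TABLE
  wp_commentmeta        TO foo_commentmeta,
  wp_comments           TO foo_comments,
  wp_links              TO foo_links,
  wp_options            TO foo_options,
  wp_postmeta           TO foo_postmeta,
  wp_posts              TO foo_posts,
  wp_termmeta           TO foo_termmeta,
  wp_terms              TO foo_terms,
  wp_term_relationships TO foo_term_relationships,
  wp_term_taxonomy      TO foo_term_taxonomy,
  wp_usermeta           TO foo_usermeta,
  wp_users              TO foo_users;

-- The role definitions live under an option name that embeds the prefix.
UPDATE foo_options
   SET option_name = 'foo_user_roles'
 WHERE option_name = 'wp_user_roles';

-- Per-user keys such as wp_capabilities and wp_user_level embed it as well.
-- Review the matches first if plugins store keys that literally start with wp_:
--   SELECT meta_key FROM foo_usermeta WHERE meta_key LIKE 'wp\_%';
-- Then rewrite the leading 'wp_' (3 characters, so keep from position 4).
UPDATE foo_usermeta
   SET meta_key = CONCAT('foo_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- Verification: this should now return no rows.
SELECT meta_key FROM foo_usermeta WHERE meta_key LIKE 'wp\_%';
```

Take a database backup before running it; RENAME TABLE is immediate and the UPDATE statements cannot be undone by WordPress itself.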