We had earlier given an overview on How to secure your WordPress site. This post is the first of a series in which we will detail the steps needed to make your WordPress site more secure.
Every WordPress site contains a file called `wp-config.php`. Many of us who work closely with WordPress will already have seen this file. When we install WordPress for the very first time, this is where we enter the database details for the site. Along with the database details, this file also contains many other configuration parameters that can make your WordPress site considerably more secure.
1. Change Database Prefix (`$table_prefix`)
The WordPress database consists of many tables that store posts, links, comments, users and so on. By default these tables have standard names such as `wp_users`, `wp_options` and `wp_posts`. A hacker therefore knows that your user details are stored in the table `wp_users`, and will try to exploit this. We can, however, make it harder for the hacker to guess the table names. To do this, while installing WordPress, we need to change the setting for `$table_prefix`.
In your `wp-config.php` file there will be a line: [code]$table_prefix = 'wp_';[/code]
You need to change it to something random like: [code]$table_prefix = 'axcsr_';[/code]
This will cause the tables in the database to become `axcsr_users`, `axcsr_posts` etc., in turn making it harder for the hacker to guess. Note that this only takes effect at installation time; changing the prefix on an existing site also requires renaming the existing tables.
2. Disable Editing of Theme/Plugin files
In the WordPress Dashboard, there is an option to edit your theme/plugin files. This option is not to be used by normal users under any circumstance. However, in the hands of a hacker it can be extremely dangerous. For example, suppose a hacker is able to log in to your site using some exploit. One of the easiest mechanisms for them to add malware to your site is by editing existing files. By disabling the option to edit these files, you take away a valuable tool from hackers. It can be done by adding the following line to your `wp-config.php` file: [code]define('DISALLOW_FILE_EDIT', true);[/code]
3. Disallowing users from installing plugins, themes or running updates.
Disallowing a user from editing plugin/theme files only provides one level of security. It does not prevent the hacker from adding a new plugin or theme: once the Admin Panel is compromised, the hacker can still install a rogue theme or a rogue plugin. If you do not install plugins on a regular basis, we suggest that you disable this option altogether. This can be done by using the option: [code]define('DISALLOW_FILE_MODS', true);[/code]
Even with this setting, a plugin/theme can still be installed by copying it directly to the site using `FTP`.
4. Forcing use of `FTP` for all uploads, upgrades and plugin installation.
Tip #3 can be quite restrictive for many sites. An alternative in such cases is to force users to provide `FTP` details whenever uploading a file or installing a plugin/theme. Hence, even if a hacker is able to infiltrate your Admin Panel, they will not be able to install a new script without knowing your secret `FTP` credentials. To do this, add the following line to your `wp-config.php`: [code]define('FS_METHOD', 'ftpext');[/code]
If `FTPS` is supported, then also add the following line to the config file so that the credentials are not sent in the clear: [code]define('FTP_SSL', true);[/code]
5. Change Security Keys
When a user logs into the Admin panel, WordPress generates cookies to keep track of the user's logged-in state. To ensure that the cookies are safe and not guessable, it adds a salt while generating the cookie. This salt should ideally be long and difficult to guess. The salt is picked from 8 parameters in `wp-config.php` that look something like this:
[code]define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');[/code]
The above should be replaced with a new set upon installation, and WordPress provides an excellent tool to generate these randomly. You can get a fresh set from: https://api.wordpress.org/secret-key/1.1/salt/
Also, in case your site gets hacked, it is highly advisable to replace these keys with fresh ones. This will force all users to log in again, and hence the hacker cannot use old cookies.
6. Move `wp-config.php` out of the core WordPress folder.
Typically `wp-config.php` is placed in the core WP folder along with other standard files like `wp-settings.php`, `wp-login.php` etc. WordPress also supports a more secure option, wherein `wp-config.php` resides in the folder one level above your WordPress installation. For example, if WordPress is installed in the folder `/public_html/`, instead of having the file present as `/public_html/wp-config.php`, you should store it as `/wp-config.php`. WordPress will automatically pick up the configuration from this location instead, and the file is no longer inside the web root where a misconfigured server could serve it.
7. File Permissions of `wp-config.php`
Change the permissions of the file so that only your webserver can read it. Further, this file should not be modifiable/writable by anybody. Hence the preferred permission here would be `400` or `440`, depending on your setup: `400` works when the webserver runs as the file's owner, `440` when it reads the file through the owning group. Permissions can typically be changed using `FTP` or `cPanel`.
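To check that tips 1, 2, 3/4, 5 and 7 above have actually been applied, here is an added audit script (not code from the original post or from WordPress). The function names `has_define` and `audit_wp_config` are our own; it assumes a POSIX shell with `grep` and either GNU or BSD `stat`.

```shell
#!/bin/sh
# Added audit helper, not code from the original post: checks a wp-config.php
# against tips 1, 2, 3/4, 5 and 7. Assumes POSIX sh plus grep and stat (GNU or BSD).
# True if $cfg contains define('NAME', VALUE) with VALUE matching the ERE in $2.
has_define() {
    grep -Eq "define\([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*$2" "$cfg"
}
# Print one line per weak setting found in the file $1; return the number of findings.
audit_wp_config() {
    cfg="$1"
    findings=0

    # Tip 1: table prefix left at the guessable default
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "WEAK: \$table_prefix is still 'wp_'"
        findings=$((findings + 1))
    fi

    # Tip 2: theme/plugin editor still enabled in the dashboard
    if ! has_define DISALLOW_FILE_EDIT true; then
        echo "WEAK: DISALLOW_FILE_EDIT is not set to true"
        findings=$((findings + 1))
    fi

    # Tips 3/4: installs neither blocked nor gated behind FTP credentials
    if ! has_define DISALLOW_FILE_MODS true && ! has_define FS_METHOD "['\"]ftpext['\"]"; then
        echo "WEAK: neither DISALLOW_FILE_MODS nor FS_METHOD=ftpext is set"
        findings=$((findings + 1))
    fi

    # Tip 5: security keys/salts never replaced after installation
    n=$(grep -c "put your unique phrase here" "$cfg" || true)
    if [ "$n" -gt 0 ]; then
        echo "WEAK: $n security key(s)/salt(s) still hold the placeholder phrase"
        findings=$((findings + 1))
    fi

    # Tip 7: expect 400 or 440, i.e. readable by owner/group only and writable by nobody
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$mode" in
        400|440) ;;
        *) echo "WEAK: permissions are $mode, expected 400 or 440"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}
# Usage: sh audit.sh /path/to/wp-config.php   (exit status = number of findings)
if [ "$#" -gt 0 ]; then audit_wp_config "$1"; fi
```

A non-zero exit status is the number of weak settings found, so the script can gate a deployment step.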
8. Securing the `.htaccess` file
Apache uses `.htaccess` to prevent unauthorized access to certain parts of the site. Since `wp-config.php` should never be accessed directly by anybody, and since it contains the critical database details, we should block it from the `.htaccess` file too. This can be done by adding the following lines to your `.htaccess` file (the `Files` block limits the rule to `wp-config.php` alone rather than the whole site):
[code]<Files wp-config.php>
Order allow,deny
Deny from all
</Files>[/code]
On Apache 2.4 and later the equivalent of `Order allow,deny` / `Deny from all` is the single directive `Require all denied`.
We will cover other mechanisms to improve the security of your site in future posts.