The topics below are the most important wp-config settings relating to security. For a more complete overview of what wp-config can do, see the wp-config page in the WordPress Codex.
Keys and Salts
WordPress uses 8 unique keys for security purposes, mainly relating to cookies, passwords and authentication. The technical implications and usage aren't important here; what IS very important is to set custom keys and salts. The WordPress online key generator (https://api.wordpress.org/secret-key/1.1/salt/) makes switching to unique keys very easy: open the link, then copy the generated keys into your wp-config.php file, replacing the standard keys.
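The article's method is to paste the output of the online generator into wp-config.php by hand. The script below is an added example (not from the article or from WordPress) that does the same replacement on a server without network access: it generates the 8 values locally from /dev/urandom instead of fetching them, then rewrites the eight define() lines in place. The constant names are WordPress's own; the function names and the 64-character length are this script's choices.

```bash
#!/usr/bin/env bash
# Added example: rotate the 8 WordPress keys/salts in a wp-config.php.
# Generates values locally (instead of the online generator the article
# uses) and rewrites each define() line, whether it still holds the
# placeholder 'put your unique phrase here' or an older generated value.
set -eu

# The eight constants WordPress reads for cookie/auth hashing.
WP_SALT_CONSTANTS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one 64-character random value built only from characters that are
# safe inside a single-quoted PHP string (no quote, backslash or dollar).
gen_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=' </dev/urandom | head -c 64
}

# Replace the define() line of every key/salt constant in the file $1.
# Lines are matched on the constant name, so the whole line is rewritten
# regardless of its current value or spacing.
rotate_salts() {
  cfg="$1"
  for name in $WP_SALT_CONSTANTS; do
    value="$(gen_salt)"
    # Escape the characters that are special in a sed replacement (& / \).
    esc="$(printf '%s' "$value" | sed 's/[&/\]/\\&/g')"
    sed -i.bak "s/^define( *'$name'.*$/define( '$name', '$esc' );/" "$cfg"
  done
  rm -f "$cfg.bak"
}

# Number of key/salt lines in $1 that still hold the WordPress placeholder.
count_placeholder_salts() {
  grep -c 'put your unique phrase here' "$1" || true
}

# Usage: ./rotate-salts.sh /path/to/wp-config.php
# (with no argument the script only defines the functions above)
if [ $# -gt 0 ]; then
  rotate_salts "$1"
  echo "Rotated keys/salts in $1; placeholders left: $(count_placeholder_salts "$1")"
fi
```

Rotating the salts invalidates every existing login cookie, so users (including you) are logged out once; that is the expected effect and a useful one after a suspected compromise.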
Table Prefix
The WordPress wp-config.php file contains a variable $table_prefix. Its standard value is “wp_”. That means that when you look into your database after WordPress has been installed, all table names are preceded by “wp_”. Hackers of course know this and make use of it, particularly in SQL injection attacks. Changing $table_prefix to a custom string like “xyz_” (please pick a better one) can make it trickier for attackers to mess around with your database tables, and making it more complicated is often already enough for them to leave your site for another one that hasn't changed the prefix.
SSL Admin Login
Two remarks at the start of this paragraph: Before version 4.0 WordPress used a different constant to force SSL login (FORCE_SSL_LOGIN). As you should always have the latest WordPress version installed, this old constant isn't discussed any further here. Second, you need a valid SSL certificate for this to be viable. If you don't have one, talk to your developer or hosting provider about how to get one. With that out of the way, here's the line that needs to be added to WordPress to force login via SSL:
With this constant set to true, every login is done via https (communication is encrypted) instead of http (communication is not encrypted). In general it is advisable to run your whole website over https rather than http, also from an SEO point of view.
The final step is to make sure files cannot be edited from the WordPress backend. This is done by adding the following line of code:
This setting removes the editor in the backend (under Appearance / Editor) and may also affect some plugins that let you edit e.g. .htaccess. In any case, this is a very good setting, not just to defend against attackers but also to avoid accidental changes by existing users that might lead to major changes on the site or even take the site down completely.
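To check that the table prefix, SSL login and file-edit settings discussed above are actually in place, here is an added audit script (not from the article or from WordPress). It reads a wp-config.php and reports each setting that is missing or still at its default; the constant names FORCE_SSL_ADMIN and DISALLOW_FILE_EDIT and the default prefix wp_ are WordPress's own, while the function names and the FINDING output format are this script's.

```bash
#!/usr/bin/env bash
# Added example: audit a wp-config.php for the hardening settings above.
# Exit status 0 means every check passed, 1 means at least one finding,
# so the script can gate a deployment or run from cron.
set -u

# Print the value of define('NAME', value) from file $1, or nothing if absent.
# Quotes and spaces are stripped so both 'true' and true compare equal.
wp_define_value() {
  sed -n "s/^define( *'$2', *\(.*\) *);.*$/\1/p" "$1" | head -n 1 | tr -d " '\""
}

# Print the configured table prefix ($table_prefix = '...';), or nothing.
wp_table_prefix() {
  grep '^\$table_prefix' "$1" | head -n 1 | cut -d= -f2 | tr -d " ;'\""
}

# Run all checks on file $1, printing one FINDING line per failed check.
audit_wp_config() {
  cfg="$1"
  rc=0
  prefix="$(wp_table_prefix "$cfg")"
  if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
    echo "FINDING: \$table_prefix is missing or still the default 'wp_'"
    rc=1
  fi
  if [ "$(wp_define_value "$cfg" FORCE_SSL_ADMIN)" != "true" ]; then
    echo "FINDING: FORCE_SSL_ADMIN is not set to true (logins may go over plain http)"
    rc=1
  fi
  if [ "$(wp_define_value "$cfg" DISALLOW_FILE_EDIT)" != "true" ]; then
    echo "FINDING: DISALLOW_FILE_EDIT is not set to true (backend file editor enabled)"
    rc=1
  fi
  if grep -q 'put your unique phrase here' "$cfg"; then
    echo "FINDING: one or more keys/salts still hold the WordPress placeholder"
    rc=1
  fi
  return $rc
}

# Usage: ./audit-wp-config.sh /path/to/wp-config.php
if [ $# -gt 0 ]; then
  if audit_wp_config "$1"; then
    echo "OK: $1 passes all checks"
  fi
fi
```

Run it against the config after every edit; a clean run prints OK and exits 0, while any finding lists exactly which of the settings above still needs attention.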