WordPress Security: wp-config

The file wp-config.php is the central configuration file of WordPress. Most of its settings concern setup and how WordPress is run; some, however, are quite important for security, and those are highlighted in this post.

The topics below are the most important wp-config settings relating to security. For a more complete overview of what wp-config can do, see the wp-config page of the WordPress Codex.

Keys and Salts

WordPress uses 8 unique keys and salts for security purposes, mainly relating to cookies, passwords and authentication. The technical details of how they are used are not important here; what IS very important is to set custom keys and salts. The WordPress online key generator (https://api.wordpress.org/secret-key/1.1/salt/) makes switching to unique keys very easy: open the link, take the generated keys and copy them into the wp-config.php file, replacing the standard keys.

Database prefix

The WordPress wp-config.php file contains a variable $table_prefix. Its standard value is “wp_”, which means that when you look into your database after WordPress has been installed, all table names are preceded by “wp_”. Hackers of course know this and use this knowledge, particularly in SQL injection attacks. Changing $table_prefix to a custom string like “xyz_” (please pick a better one) can make it trickier for attackers to mess around with your database tables, and making it more complicated is often already enough for them to leave your site for another one that hasn’t changed the prefix.

SSL Admin Login

Two remarks before we start: before version 4.0, WordPress used a different constant to force SSL login (FORCE_SSL_LOGIN). As you should always have the latest WordPress version installed, this old constant is not discussed here. The second remark is that you need a valid SSL certificate for this to work. If you don’t have one, talk to your developer or hosting provider about how to get one. With that out of the way, here is the line that needs to be added to wp-config.php to force login via SSL:

define('FORCE_SSL_ADMIN', true);

With this constant set to true, every login is done via https (the communication is encrypted) rather than http (the communication is not encrypted). In general it is advisable to run your whole website over https rather than http – also from an SEO point of view.

File edit

The final step is to make sure files cannot be edited from the WordPress backend. This is done by adding the following line of code:

define('DISALLOW_FILE_EDIT', true);

This setting removes the editor in the backend (under Appearance / Editor) and may also affect some plugins that let you edit files such as .htaccess from the backend. In any case, it is a very good setting, not just in the fight against attackers but also to avoid accidental changes by existing users that might lead to major changes on the site or even take it down completely.
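The four settings above can be checked mechanically. The script below is an added example, not code from the post or from WordPress: it parses a wp-config.php, verifies that all 8 keys and salts are set to something other than the shipped placeholder and are distinct, that $table_prefix is not "wp_", and that FORCE_SSL_ADMIN and DISALLOW_FILE_EDIT are defined and true. The two sample configurations are constructed for the example, and the generate_salt() helper is an assumed offline alternative to the api.wordpress.org generator described in the post, not the post's own method. The define() parsing is a deliberately simple regex that covers the forms found in a stock wp-config.php.

```python
import re
import secrets
import string

# The eight constants WordPress reads for cookie and nonce hashing (names as in wp-config-sample.php).
KEYS_AND_SALTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Placeholder shipped in wp-config-sample.php; a site still using it has never set custom keys.
DEFAULT_PLACEHOLDER = "put your unique phrase here"

# Matches define('NAME', 'value'), define("NAME", "value") or define('NAME', true).
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*"""
    r"""(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>[A-Za-z0-9_.]+))\s*\)"""
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]\s*;""")


def parse_defines(config_text):
    """Map constant name -> value for every active define() in the file.
    Lines commented out with // or # are skipped, since PHP never executes them."""
    defines = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#")):
            continue
        m = DEFINE_RE.search(stripped)
        if m:
            defines[m.group("name")] = next(
                v for v in (m.group("sq"), m.group("dq"), m.group("bare")) if v is not None
            )
    return defines


def audit(config_text):
    """Return a list of findings for the four settings in the post; an empty list means all pass."""
    defines = parse_defines(config_text)
    findings = []

    # Keys and salts: all eight present, not the sample placeholder, reasonably long, all distinct.
    seen = set()
    for name in KEYS_AND_SALTS:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name} is not defined")
        elif value == DEFAULT_PLACEHOLDER or len(value) < 32:
            findings.append(f"{name} is the default placeholder or too short")
        elif value in seen:
            findings.append(f"{name} repeats the value of another key or salt")
        else:
            seen.add(value)

    # Database prefix: anything other than the default wp_.
    m = PREFIX_RE.search(config_text)
    if m is None or m.group("prefix") == "wp_":
        findings.append("$table_prefix is missing or still the default 'wp_'")

    # SSL admin and file editing: both constants must be defined and true.
    for name in ("FORCE_SSL_ADMIN", "DISALLOW_FILE_EDIT"):
        if defines.get(name, "").lower() != "true":
            findings.append(f"{name} is not set to true")
    return findings


# Offline alternative to the api.wordpress.org generator (an assumption of this example, not the
# post's method): random characters from a set that needs no escaping inside PHP single quotes.
SALT_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"


def generate_salt(length=64):
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def render_keys_and_salts():
    """Produce the eight define() lines ready to paste into wp-config.php."""
    return "".join(f"define('{name}', '{generate_salt()}');\n" for name in KEYS_AND_SALTS)


# Constructed sample: a wp-config.php left at the shipped defaults (all four checks fail).
WEAK_CONFIG = """<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
// define('FORCE_SSL_ADMIN', true);
"""

# Constructed sample with every setting from the post applied (sample values, not real salts).
HARDENED_CONFIG = "<?php\n" + "".join(
    f"define('{name}', 'constructed-sample-{name.lower()}-not-for-production-use');\n"
    for name in KEYS_AND_SALTS
) + "$table_prefix = 'xyz_';\ndefine('FORCE_SSL_ADMIN', true);\ndefine('DISALLOW_FILE_EDIT', true);\n"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['OK']}")
```

Running it on a real site means passing the contents of wp-config.php to audit(); the commented-out FORCE_SSL_ADMIN line in the weak sample is there to show that a setting which is present but commented out is still reported as missing.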


About the Author

Wolfgang Geiger

Hi, I'm Wolfgang, the founder, director and developer behind Wohok Solutions. Passionate about web development from an early age, I have built websites for more than half of my life. I have degrees in both Computing and Business Management and I am fluent in German, English and Mandarin. Based in Hong Kong, I help companies in the city and around the world to improve their business through technology.
