Setup — wp-config.php including WP file security


//** WORDPRESS DEBUGGING **/
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG', false);
define('SAVEQUERIES', false);
 
//** WORDPRESS & DATABASE settings **/
$table_prefix  = 'ysd_';
define('WPLANG', 'nl_NL');
define( 'MEDIA_TRASH', true );
 
//** WORDPRESS AUTO CLEANUP **/
define('EMPTY_TRASH_DAYS', 30);   // days before trashed items are deleted
define('WP_POST_REVISIONS', 4);   // revisions kept per post
 
//** HTTPS AND SSL CONFIGURATION **/
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true); // deprecated since WordPress 4.0; FORCE_SSL_ADMIN also covers the login page
define('FORCE_SSL_CONTENT', true);
  
//** WORDPRESS FILE ACCESS **/
// define('FS_METHOD', 'direct');
define('DISALLOW_FILE_EDIT', true);   // boolean, not the string 'true'
// define('DISALLOW_FILE_MODS', true);
  
//** WORDPRESS CONTENT DIRECTORY **/
// define('WP_CONTENT_DIR', __DIR__ . '/wp-content');
// define('WP_CONTENT_URL', 'http://example.com/files');
 
//** WORDPRESS CACHE OPTIMISING **/
define('ENABLE_CACHE', true);
define( 'WP_CACHE', false ); // Added by WP Rocket
// define('COMPRESS_CSS', true);
// define('COMPRESS_SCRIPTS', true);
// define('ENFORCE_GZIP', true);
 
//** WORDPRESS SITE & MULTISITE setup **/
// define('WP_ALLOW_MULTISITE', false);
//define('WP_ALLOW_MULTISITE', true);
//define( 'MULTISITE', true );
//define( 'SUBDOMAIN_INSTALL', false );
//define( 'DOMAIN_CURRENT_SITE', 'domain.com' );
//define( 'PATH_CURRENT_SITE', '/' );
//define( 'SITE_ID_CURRENT_SITE', 1 );
//define( 'BLOG_ID_CURRENT_SITE', 1 );
//define( 'WP_SITEURL', 'https://domain.com' );

 

See: https://wordpress.org/support/article/editing-wp-config-php/

Every WordPress site contains a file called ‘wp-config.php’. This particular WordPress configuration file is one of the most significant WordPress files. The file contains many configuration parameters which can be modified for better site security. In this post, we’ll show you how to secure your WordPress site using the WordPress configuration file.

1. Change Database Prefix

By default, every table in the WordPress database starts with the prefix wp_. For instance, wp_posts stores information from posts, pages, and the navigation menu. Since the function of each table is predetermined, a hacker knows where your site details are stored. For instance, if they want to exploit your site users, they can aim for the table 'wp_users'.

So you need to change $table_prefix = 'wp_'; to $table_prefix = 'udbk_'; for example.

What to do?

  1. Download a plugin like Brozzme DB Prefix & Tools
  2. Go to tools DB Prefix –> new Prefix name –> Change DB Prefix
  3. Check if the site is still working and if the wp-config.php contains the new Prefix

 

2. Disable Editing Theme/Plugins Files

In the WordPress dashboard, there is an option to edit plugin and theme files. This means that anyone with access to the dashboard and sufficient permission can edit your themes or plugins. To switch this editor off, add the following line to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

3. Prevent Users From Installing or Updating Plugin & Themes

Preventing users from editing these files only offers one level of security. It does not prevent hackers from installing a malicious plugin which they can use to exploit your site. Once they have access to the admin panel along with the right user permission, they can install a rogue theme or plugin. If you don't install plugins often, then you can disable the option by adding the following code in the WordPress config file:

define('DISALLOW_FILE_MODS', true);
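
A check for the three settings covered so far (table prefix, DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS), as an added example that is not part of the original post. It reads a wp-config.php as text, reports what is missing, and also flags values written as the string 'false', which PHP treats as true; the function names and the sample file are made up for illustration.

```python
import re

# Active (uncommented) define('NAME', value); statements, one per line.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.M)
PREFIX_RE = re.compile(r"""^[ \t]*\$table_prefix\s*=\s*['"]([^'"]*)['"]""", re.M)

def php_truthy(raw):
    """Evaluate a simple PHP literal the way `if (CONSTANT)` does."""
    v = raw.strip()
    if v.lower() in ("false", "null"):
        return False
    if v[:1] in ("'", '"'):
        return v[1:-1] not in ("", "0")   # every other string is truthy
    try:
        return float(v) != 0
    except ValueError:
        return True                        # true, expressions, etc.

def audit(config_text):
    """Return a list of findings for the settings from sections 1-3."""
    consts = dict(DEFINE_RE.findall(config_text))
    findings = []
    m = PREFIX_RE.search(config_text)
    if m is None or m.group(1) == "wp_":
        findings.append("table_prefix: missing or still the default 'wp_'")
    for name in ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS"):
        raw = consts.get(name)
        if raw is None:
            findings.append(f"{name}: not defined (or commented out)")
        elif not php_truthy(raw):
            findings.append(f"{name}: defined as {raw}, restriction is off")
    for name, raw in consts.items():
        if raw.strip().lower() in ("'false'", '"false"'):
            findings.append(f"{name}: string {raw} is truthy in PHP, use false")
    return findings

# Constructed sample, not a real site's configuration.
SAMPLE = """\
$table_prefix = 'wp_';
define('WP_DEBUG_DISPLAY', 'false');
define( 'DISALLOW_FILE_EDIT', 'true' );
// define('DISALLOW_FILE_MODS', true);
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```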

4. Enforce the Use of ‘FTP’

Preventing users from installing and updating plugins and themes can be restrictive and even impractical for sites that install plugins quite often. As a middle ground, you can make WordPress perform file changes over FTP, so that installing or updating also requires valid FTP credentials.

Just add the following line to your 'wp-config.php':

define('FS_METHOD', 'ftpext');

If your web host or server supports 'FTPS' then add the following line in the config file:

define('FTP_SSL', true);

If your web host or server supports 'SFTP' then use the following line instead of the 'ftpext' one:

define('FS_METHOD', 'ssh2');

5. Change Security Keys

You don't have to enter your login credentials every time you need to log in to your site. Ever wondered how your browser stores these credentials? After signing into your account, your login information is stored in an encrypted manner in the browser cookie. Security keys are random variables that help improve this encryption. If your site is hacked, changing the secret keys will invalidate the existing cookies and force every active user to log out automatically. Once thrown out, the hacker loses access to your WordPress admin.

You can generate a new set of security keys and place them in the ‘wp-config’ file. It’ll help secure your WordPress site.
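
Rotating the keys as described above, as an added example that is not part of the original post. It assumes the eight standard key and salt constants are each defined on one line of wp-config.php; the function names and the sample text are made up for illustration.

```python
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php
# Printable ASCII without quote and backslash, so a value can be pasted
# into a single-quoted PHP string without escaping.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "'\\")

def new_secret(length=64):
    """Random value drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_keys(config_text):
    """Replace each key/salt define with a fresh value.

    Returns (new_text, missing); missing lists constants with no active
    define line, which have to be added by hand above the wp-settings.php
    require."""
    missing = []
    for name in KEY_NAMES:
        pattern = re.compile(
            r"""^[ \t]*define\(\s*['"]%s['"]\s*,.*\)\s*;.*$""" % name, re.M)
        line = "define('%s', '%s');" % (name, new_secret())
        config_text, count = pattern.subn(lambda _m, line=line: line, config_text)
        if count == 0:
            missing.append(name)
    return config_text, missing

# Constructed sample, not a real site's configuration.
SAMPLE = """\
$table_prefix = 'ysd_';
define('AUTH_KEY',   'put your unique phrase here');
define( 'NONCE_SALT', 'old-value-from-before-the-incident' );
"""

if __name__ == "__main__":
    text, missing = rotate_keys(SAMPLE)
    print(text)
    print("not found:", ", ".join(missing))
```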

6. Hide the ‘wp-config.php’

In any WordPress site, the wp-config file has a default location. Hence changing the file location can prevent it from falling into the hands of hackers. Fortunately, WordPress allows the 'wp-config.php' file to reside outside your WordPress installation. For instance, if your WordPress is installed in the public_html folder, then the config file will be present in the public_html folder by default. But you can move wp-config.php one directory above the public_html folder and it'll still work.
