In this video, we will talk through 7 steps in securing your WordPress site through the
wp-config.php settings. Many of the settings that I will show you are not set up by default, so if you’ve built your website on WordPress, check these out and make sure you’ve applied them to your production sites.
NOTE: Before you perform any of the steps in this tutorial, back up your wp-config.php file and also back up your WordPress database.
Video Index:
- 00:00 - Intro
- 01:52 - Tip # 1 - Move wp-config.php file outside of the public folder.
- 05:08 - Tip # 2 - Change WP Table Prefix
- 08:02 - Tip # 3 - Update Security Keys & Salt Keys
- 10:54 - Tip # 4 - FORCE SSL on Admin and Login pages
- 13:05 - Tip # 5 - Disable Debug in Production
- 14:02 - Tip # 6 - Disable File Edit
- 15:45 - Tip # 7 - Block External HTTP Connections
If you have trouble with Tip # 1: https://wp-wingman.com/how-to-move-your-wp-config-php-file-to-secure-your-wordpress-site/
Changes covered in the video:
- Change the WP prefix table.
$table_prefix = 'wp_';
- Update the security keys (https://api.wordpress.org/secret-key/1.1/salt/)
- Force the WP Admin to load on HTTPS:
- Disable file editor
- Move the
- Add this to an existing wp config file
<?php
define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . '../path/to/wp-config.php');
- Turn off debugging on production sites
- Auto update WordPress core:
- Block external HTTP connections (outbound requests made by WordPress), allowing only the listed hosts:
define( 'WP_HTTP_BLOCK_EXTERNAL', true );
define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.github.com' );
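To confirm the changes above actually landed in a production wp-config.php, here is an added example (not from the video or the original page) that audits a config file's text for tips 2 through 7. The function name `audit_wp_config` and the sample config are constructed for illustration; `FORCE_SSL_ADMIN`, `DISALLOW_FILE_EDIT` and `WP_DEBUG` are the WordPress constants for tips 4 to 6, which the list above names without showing.

```python
import re

# Matches define( 'NAME', value ); where value is a quoted string or a bare token.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^)]+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")
SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
# Constants that should be true on a production site (tips 4, 6 and 7).
MUST_BE_TRUE = ["FORCE_SSL_ADMIN", "DISALLOW_FILE_EDIT", "WP_HTTP_BLOCK_EXTERNAL"]

def audit_wp_config(text):
    """Return a list of finding strings for one wp-config.php source text."""
    # Ignore whole-line comments so commented-out defines do not count as set.
    lines = [l for l in text.splitlines()
             if not l.lstrip().startswith(("//", "#", "*", "/*"))]
    body = "\n".join(lines)
    consts = {name: val.strip() for name, val in DEFINE_RE.findall(body)}
    findings = []
    prefix = PREFIX_RE.search(body)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table_prefix is missing or still the default 'wp_'")
    weak = [k for k in SALT_KEYS
            if k not in consts or "put your unique phrase here" in consts[k]]
    if weak:
        findings.append("keys/salts missing or placeholder: " + ", ".join(weak))
    for name in MUST_BE_TRUE:
        if consts.get(name, "").lower() != "true":
            findings.append(name + " is not set to true")
    if consts.get("WP_DEBUG", "false").lower() == "true":
        findings.append("WP_DEBUG is enabled")
    if "WP_HTTP_BLOCK_EXTERNAL" in consts and "WP_ACCESSIBLE_HOSTS" not in consts:
        findings.append("WP_HTTP_BLOCK_EXTERNAL set without WP_ACCESSIBLE_HOSTS")
    return findings

# Constructed sample: a config close to a fresh install, not taken from the page.
SAMPLE = """<?php
$table_prefix = 'wp_';
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'WP_DEBUG', true );
// define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_HTTP_BLOCK_EXTERNAL', true );
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE):
        print("FINDING:", finding)
```

Tip 1 (the file's location outside the public folder) cannot be checked from the file's text and is not covered by this audit.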
All video tutorials on the website as well as the YouTube channel aim to provide a simplified process for a specific scenario; there could be many different factors and unique use cases you may have. The tutorials may not cover every situation, so treat it as a starting point or learning concept to apply to your unique situations, and consider this inspiration but not prescription or explicit direction.