How to Secure Your WordPress Website with wp-config Tweaks

In this video, we will talk-through 7 steps in securing your WordPress site through the wp-config.php settings. Many of these settings that I will show you do not come setup by default so if you’ve built your website on WordPress, check these out and make sure you’ve applied them to your production sites.

NOTE: Before you perform any of the steps in this tutorial, backup your wp-config.php file and also backup your WordPress database.

Video Index:
00:00 - Intro
01:52 - Tip # 1 - Move wp-config.php file outside of the public folder. 
05:08 - Tip # 2 - Change WP Table Prefix
08:02 - Tip # 3 - Update Security Keys & Salt Keys
10:54 - Tip # 4 - FORCE SSL on Admin and Login pages
13:05 - Tip # 5 - Disable Debug in Production
14:02 - Tip # 6 - Disable File Edit
15:45 - Tip # 7 - Block External HTTP Connections

If you have trouble with Tip # 1: https://wp-wingman.com/how-to-move-your-wp-config-php-file-to-secure-your-wordpress-site/

Changes covered in the video:

1. Change the WP prefix table.
   • $table_prefix  = 'wp_';
2. Update the security keys (https://api.wordpress.org/secret-key/1.1/salt/)
3. Force the WP Admin to load on HTTPS:
   • define('FORCE_SSL_ADMIN', true);
4. Disable file editor
   • define('DISALLOW_FILE_EDIT', true);
5. Move the wp-config.php file
   • Add this to an existing wp config file

<?php
		
define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . '../path/to/wp-config.php');

1. Turn of debugging on production sites
   • define('WP_DEBUG', false);
2. Auto update WordPress core:
   • define('WP_AUTO_UPDATE_CORE', true);
3. Block external linking and hot linking
   • define( 'WP_HTTP_BLOCK_EXTERNAL', true );
   • define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.github.com' );