How to make your wordpress secure, wp config tips and many more

You don’t want your site to be hacked, right? Security should be at the top of your to-do list. It doesn’t matter which CMS or platform you use for your website, application or portal: you always need to think about security. You can never stop someone from trying to hack your site, but you can make it difficult for them. Today we are going to discuss some security issues and wp-config tips.

The wp-config.php file is the key to a WordPress site, like the foundation of a building. Everything in WordPress stands on this configuration file. So it’s important, but most users ignore this file or are even afraid to look at it. Once you get familiar with it, your life will be easier :)

So, let’s start!

  1. Make sure the file permission of wp-config.php is 600, to prevent other users on the server from reading it. Directories should be 750 or 755, and all files 640 or 644. Never use 755 for a file or directory, not even for the uploads folder!
  2. To check for errors on your site, you can enable debug mode. Enabling debug mode on a live site is not recommended at all; you should have a staging site where you do all the testing, and when you are done, apply the changes on the production server. Anyway, to enable debug mode, edit one line in wp-config.php. Change
    define( 'WP_DEBUG', false );
    to
    define( 'WP_DEBUG', true );
    This enables debug mode and you will see all the warnings, errors and notices (depending on the server configuration).

    Now, if you want to enable debug mode but don’t want to display the errors, use:
    define( 'WP_DEBUG_DISPLAY', false );
    So, how can you see the errors? Well, you can log them :) Adding the following line creates a debug.log file inside the wp-content directory with all the errors and notices.
    define( 'WP_DEBUG_LOG', true );

  3. So, you have now seen the define function; I hope you are familiar with it or soon will be :) You can take advantage of this function: it is used to define a constant. A constant is like a variable whose value never changes, and you can use that constant anywhere in your site (something like a global variable, but you don’t have to declare it global before using it).
  4. Did you install an SSL certificate on your server for your domain, and the site admin is still being loaded over HTTP instead of HTTPS? Well, you can force SSL for login:
    define( 'FORCE_SSL_LOGIN', true );
    You can force the admin area of your site to be loaded over HTTPS as well:
    define( 'FORCE_SSL_ADMIN', true );
    If you use a non-secure virtual host, you can add this to the httpd.conf file: (assuming your site is
    # Redirect any plain-HTTP request for the admin area or the login page to HTTPS.
    # Spaces inside a RewriteCond pattern must be escaped, and the RewriteRule needs
    # a redirect target (the https://%{HTTP_HOST} part), otherwise Apache rejects the rule.
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\ HTTP/ [NC]
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^/?(wp-admin/|wp-login\.php) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]
  5. How about disabling the theme and plugin editor? Editing via the WordPress editor is really a bad habit unless you are sure what you are doing, as there is no way to roll back. Adding the following line disables the editors:
    define( 'DISALLOW_FILE_EDIT', true );
    If you want to prevent installing and updating themes and plugins from inside the WordPress admin, use:
    define( 'DISALLOW_FILE_MODS', true );
  6. Revisions are one of the coolest features in WordPress, but they also increase the database size. You can limit the number of revisions kept per post, here to 5, with the following code:
    define( 'WP_POST_REVISIONS', 5 );
    If you want to completely disable the revision feature, use:
    define( 'WP_POST_REVISIONS', false );
    Plus, if you want to increase the autosave delay (the value is in seconds; the 90000 below is 1500 minutes), use this:
    define( 'AUTOSAVE_INTERVAL', 90000 );
  7. In the latest version of WordPress the default theme is twentyfourteen. You can change the default theme to any installed theme; you need to know the theme slug.
    define( 'WP_DEFAULT_THEME', 'twentytwelve' );
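As an added example (not code from the original post), here is a standalone PHP script that checks an install against items 1, 2, 4 and 5 above. It walks the WordPress tree and reports every file or directory whose mode differs from the recommended ones, anything world-writable, and a leftover wp-content/debug.log (the file that WP_DEBUG_LOG creates is served like any other file under wp-content, so it should not exist on a production site); it then parses wp-config.php and reports constants that are missing or set to a value a production site should not have. The script name, the EXPECTED_CONSTANTS table and the debug.log check are my assumptions about policy, derived from the list above.

```php
<?php
// audit-wp-hardening.php (hypothetical file name, added example): walk a
// WordPress install and report deviations from the permission scheme and the
// wp-config.php constants recommended above.
// Usage: php audit-wp-hardening.php /var/www/example   (exit code 1 if findings)
declare(strict_types=1);

const WPCONFIG_MODE = 0600;            // wp-config.php only
const DIR_MODES     = [0750, 0755];    // every directory
const FILE_MODES    = [0640, 0644];    // every other file

// What a production wp-config.php should define (assumed policy, derived from
// items 2, 4 and 5 of the post).
const EXPECTED_CONSTANTS = [
    'WP_DEBUG'           => false,
    'WP_DEBUG_DISPLAY'   => false,
    'DISALLOW_FILE_EDIT' => true,
    'FORCE_SSL_ADMIN'    => true,
];

/** Permission findings for every entry below $root, as human-readable strings. */
function audit_permissions(string $root): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $mode  = fileperms($path) & 0777;
        $octal = sprintf('%04o', $mode);
        if ($mode & 0002) {                        // world-writable is never acceptable
            $findings[] = "WORLD-WRITABLE $octal $path";
        } elseif ($info->isDir()) {
            if (!in_array($mode, DIR_MODES, true)) {
                $findings[] = "dir $octal (want 0750/0755) $path";
            }
        } elseif ($info->getFilename() === 'wp-config.php') {
            if ($mode !== WPCONFIG_MODE) {
                $findings[] = "wp-config.php $octal (want 0600) $path";
            }
        } elseif ($info->getFilename() === 'debug.log') {
            // WP_DEBUG_LOG writes here by default; the file is served like any
            // other file under wp-content, so it must not linger on production.
            $findings[] = "debug.log present, delete it or keep it outside the web root: $path";
        } elseif (!in_array($mode, FILE_MODES, true)) {
            $findings[] = "file $octal (want 0640/0644) $path";
        }
    }
    return $findings;
}

/** Parse define( 'NAME', value ); statements out of wp-config.php source. */
function parse_defines(string $source): array
{
    $defined = [];
    $re = '/define\s*\(\s*[\'"]([A-Z0-9_]+)[\'"]\s*,\s*(true|false|\d+|\'[^\']*\'|"[^"]*")\s*\)/i';
    preg_match_all($re, $source, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $raw = strtolower($m[2]);
        if ($raw === 'true' || $raw === 'false') {
            $defined[$m[1]] = ($raw === 'true');
        } elseif (ctype_digit($raw)) {
            $defined[$m[1]] = (int) $raw;
        } else {
            $defined[$m[1]] = substr($m[2], 1, -1);   // strip the surrounding quotes
        }
    }
    return $defined;
}

/** Compare the parsed constants with EXPECTED_CONSTANTS; missing or wrong is a finding. */
function audit_config(string $source): array
{
    $findings = [];
    $defined  = parse_defines($source);
    foreach (EXPECTED_CONSTANTS as $name => $want) {
        $wantText = var_export($want, true);
        if (!array_key_exists($name, $defined)) {
            $findings[] = "$name not defined (want $wantText)";
        } elseif ($defined[$name] !== $want) {
            $findings[] = "$name is " . var_export($defined[$name], true) . " (want $wantText)";
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $root     = rtrim($argv[1], '/');
    $findings = audit_permissions($root);
    $config   = @file_get_contents($root . '/wp-config.php');
    $findings = array_merge($findings, $config === false
        ? ['wp-config.php not found or not readable']
        : audit_config($config));
    foreach ($findings as $f) {
        echo $f, PHP_EOL;
    }
    exit($findings === [] ? 0 : 1);
}
```

Run it as the web server user or as root so every file is readable; a non-zero exit code makes it usable as a deployment gate, and the parser deliberately only understands literal `define( 'NAME', value )` statements, so a constant computed at runtime is reported as missing rather than silently accepted.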

Include GitHub Gists in WordPress content

Including Gists in posts should be dead easy, but that isn’t available in the WordPress software by default. So let’s add it!

GitHub’s Gist service normally provides an embed code for including Gists in other web sites. The embed code is really just a script tag that loads the Gist via JavaScript. Since WordPress normally strips content like that (for security purposes), we’ll use a little shortcode snippet to make it easy to reference Gist code.

Here’s that shortcode snippet:

function gist_function( $atts ) {
    // Merge the attributes given in the shortcode with the defaults; only 'url' is supported.
    $a = shortcode_atts( array(
        'url' => '',
    ), $atts );
    // GitHub's embed code is simply the Gist URL with ".js" appended.
    return '<script src="' . esc_attr( $a['url'] ) . '.js"></script>';
}
add_shortcode( 'gist', 'gist_function' );

That snippet can be added to your theme’s functions.php, via a custom plugin or using Code Snippets.

Once added, you’ll be able to add Gist references by URL with the [gist url="..."] shortcode.

Please note, we cannot be held accountable if you choose to change that url reference and it blows up your website. ;)
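The snippet above passes whatever is in the url attribute straight into a script tag: esc_attr() keeps the value from breaking out of the attribute, but it does not stop the URL from pointing at a host other than GitHub, and shortcodes are expanded for every user who can write posts, regardless of the unfiltered_html capability. The following hardened version is an added example, not the original snippet: it accepts only gist.github.com URLs, rebuilds the embed URL from the parsed user and Gist ID instead of echoing the input, and escapes it with esc_url() because the value lands in a URL attribute. The function names are my own.

```php
<?php
// Hardened [gist url="..."] shortcode (added example, not the original snippet).
// Only gist.github.com is accepted and the embed URL is rebuilt from the parsed
// user and Gist ID, so the value placed in the script tag is never raw input.

/**
 * Canonical https://gist.github.com/<user>/<id> form of a Gist reference, or
 * null when $url is not a Gist URL. A trailing ".js" (as in GitHub's own embed
 * code) is accepted and dropped.
 */
function gist_canonical_url( string $url ): ?string {
    $parts = parse_url( trim( $url ) );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) || empty( $parts['path'] ) ) {
        return null;
    }
    // Any other host could serve arbitrary JavaScript to every visitor of the post.
    // parse_url() puts "gist.github.com@evil.example" style tricks into 'user',
    // not 'host', so this comparison is not fooled by them.
    if ( strtolower( $parts['host'] ) !== 'gist.github.com' ) {
        return null;
    }
    // Gist paths are /<github-user>/<gist-id>; IDs are decimal (old) or hex (new).
    if ( ! preg_match( '#^/([A-Za-z0-9-]+)/([0-9a-f]+)(?:\.js)?/?$#', $parts['path'], $m ) ) {
        return null;
    }
    return 'https://gist.github.com/' . $m[1] . '/' . $m[2];
}

/** Shortcode handler: [gist url="https://gist.github.com/user/id"] */
function gist_shortcode_hardened( $atts ) {
    $a   = shortcode_atts( array( 'url' => '' ), $atts, 'gist' );
    $url = gist_canonical_url( (string) $a['url'] );
    if ( $url === null ) {
        return '';   // refuse quietly instead of emitting a script tag for an unknown host
    }
    return '<script src="' . esc_url( $url . '.js' ) . '"></script>';
}
add_shortcode( 'gist', 'gist_shortcode_hardened' );
```

gist_canonical_url() is plain PHP, so it can be unit-tested outside WordPress; the shortcode handler itself needs WordPress loaded for shortcode_atts(), esc_url() and add_shortcode().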


Limit one blog per user in a WordPress multisite

In a WordPress multisite, a user can create as many blogs as they want. If you use Pro Sites you can control this. Pro Sites is a giant plugin that helps you control the whole network.

But if you just want to limit users to one blog each in a WordPress multisite and don’t want to use a huge plugin like Pro Sites, then this small snippet should help you.

function wpms_one_blog_only( $active_signup ) {
    // Get the array of the current user's blogs, keyed by blog ID.
    $blogs = get_blogs_of_user( get_current_user_id() );
    // All users may be members of blog 1 (it could be a "Dashboard" blog as well), so remove it from the count.
    unset( $blogs[1] );
    // If the user still has blogs, disable signup; otherwise keep the existing
    // active_signup rule from Site Admin -> Options.
    if ( count( $blogs ) > 0 ) {
        $active_signup = 'none';
    }
    return $active_signup; // "all", "none", "blog" or "user"
}
add_filter( 'wpmu_active_signup', 'wpms_one_blog_only' );

You can add this code to your theme’s functions.php if you are sure the theme won’t be changed. Otherwise mu-plugins is the best solution. To use mu-plugins, go to /wp-content/ and look for a folder named ‘mu-plugins’. If there is no folder with that name, create one, name it ‘mu-plugins’, create a file inside it with any name you like (and a .php extension) and paste the code there. You don’t need to activate that plugin: mu-plugins means must-use plugins, so it is always activated automatically. If you use mu-plugins, add a PHP opening tag at the beginning of the code.
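The following is an added example, not the original snippet: a complete mu-plugin file, ready to drop into wp-content/mu-plugins/, that goes a step further than the one-blog rule above by reading the allowed number of blogs from a constant defined in wp-config.php (a hypothetical name, WPMS_MAX_BLOGS_PER_USER), which is exactly the use of define() described in item 3 of the wp-config tips. When the constant is absent it falls back to the one-blog limit of the original snippet. All function names are my own.

```php
<?php
/**
 * Plugin Name: Limit blogs per user (added example)
 *
 * Drop this file into wp-content/mu-plugins/; it is loaded automatically.
 * The limit comes from a constant you define once in wp-config.php:
 *
 *   define( 'WPMS_MAX_BLOGS_PER_USER', 2 );   // hypothetical constant name
 */

/** Maximum number of blogs a user may belong to before signup is closed to them. */
function wpms_max_blogs_per_user(): int {
    // Fall back to the one-blog rule of the original snippet when the constant
    // is absent, so the plugin still works on a site whose wp-config.php was not edited.
    return defined( 'WPMS_MAX_BLOGS_PER_USER' ) ? max( 0, (int) WPMS_MAX_BLOGS_PER_USER ) : 1;
}

/**
 * Count the blogs in $blogs (the array returned by get_blogs_of_user(), keyed
 * by blog ID) that count against the limit. The main site (ID 1) is excluded
 * because every user may be a member of it.
 */
function wpms_count_user_blogs( array $blogs ): int {
    unset( $blogs[1] );
    return count( $blogs );
}

/** Decide the signup mode: 'none' once the user has reached the limit, otherwise the network setting. */
function wpms_signup_mode_for( string $active_signup, int $owned, int $limit ): string {
    return $owned >= $limit ? 'none' : $active_signup;
}

/** Filter callback for wpmu_active_signup; receives "all", "none", "blog" or "user". */
function wpms_limit_blogs_per_user( $active_signup ) {
    if ( ! is_user_logged_in() ) {
        return $active_signup;   // anonymous visitors are governed by the network setting alone
    }
    $owned = wpms_count_user_blogs( get_blogs_of_user( get_current_user_id() ) );
    return wpms_signup_mode_for( (string) $active_signup, $owned, wpms_max_blogs_per_user() );
}
add_filter( 'wpmu_active_signup', 'wpms_limit_blogs_per_user' );
```

The decision is split into small pure functions (wpms_count_user_blogs() and wpms_signup_mode_for() take plain values, not WordPress state) so the rule can be unit-tested without loading WordPress; only the filter callback touches get_blogs_of_user() and the current user.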