How to make your wordpress secure, wp config tips and many more

by · Published · Updated

You don’t want your site to be hacked, right? Security should be at the top of to-do list. It doesn’t matter which CMS or platform you use for your website or application or portal, but you need to always think about security. Well, you never can stop a hacker to hack your site, but you can make this difficult for you. Today we are going to discuss about some security issue and wp-config tips.

wp-config.php file is the key of a wordpress site, like a foundation when you build a building. Everything in wordpress stand based on this configuration file. So, it’s important, but most of the users ignore this file or afraid of even looking at this file. But you know what, once you get familiar with this your life would be easier :)

So, let’s start!

  1. Make sure the file permission wp-config.php is 600 to prevent other users on the server from reading it. The permission of other directories should be 750 or 755. And all files should be 640 or 644. Never use 755 for a file or directory, not even for upload folder!
  2. To check any error in your site, you can enable debug mode. Though, enabling debug mode in a live site is not recommended at all. You should have a staging site where you can do all the testing, and when you are done, apply the changes in production server. Anyway, to enable debug more edit a line in wp-config.php. Change 
    define( 'WP_DEBUG', false );

    to

    define( 'WP_DEBUG', true );

    It will enable debug mode and you will see all the warnings, errors and notices (based on server configuration).

    Now, if you want to enable debug mode but don’t want to display the errors, then use:
    [php]
    define( ‘WP_DEBUG_DISPLAY’, false );
    @ini_set(‘display_errors’,0);
    [/php]
    So, how can you see the errors? Well, you can enable logging the errors :) Adding the following line will create a debug.log file inside of wp-content directory with all the errors and notices.
    [php]
    define( ‘WP_DEBUG_LOG’, true );
    [/php]

  3. So, as you saw the define function, so I hope you are familiar with it or will be :) You can take some advantage of this function. This function is used to define a constant. A constant is a variable but the value of that variable never be changed and you can use that constant anywhere in your site (something like global variable, but you don’t declare it globally before using). Example: 
    define( 'My_Name', 'Kodepress' );
echo My_name; //So you can use anywhere My_Name
  4. Did you install SSL in your server for your domain? And the site admin is still being loaded over HTTP instead of HTTPS? Well, you can force SSL login.
    [php]
    define( ‘FORCE_SSL_LOGIN’, true );
    [/php]
    You can force the admin of your site to be loaded over HTTPS as well:
    [php]
    define( ‘FORCE_SSL_ADMIN’, true );
    [/php]
    If you use non secure virtual host, you can add this in httpd.conf file: (assuming your site is domain.com)
    [html]
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} /(.*) HTTP/ [NC]
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^/?(wp-admin/|wp-login.php) domain.com%{REQUEST_URI}%{QUERY_STRING} [R=301,QSA,L]
    [/html]
  5. How’s about disabling theme and plugin editor? Editing via wordpress editor is really a bad habit unless you are sure what you are doing as there is no way to roll back. Adding the following line will disable the editors:
    [php]
    define( ‘DISALLOW_FILE_EDIT’, true );
    [/php]
    If you want to restrict updating themes and plugins from inside the wordpress admin use:
    [php]
    define( ‘DISALLOW_FILE_MODS’, true );
    [/php]
  6. Revision is one of the coolest features in wordpress. Besides it also increases the db size. So you can limit the revisions using the following code to 5 times:
    [php]
    define( ‘WP_POST_REVISIONS’, 5 );
    [/php]
    If you want to completely disable the revision feature use:
    [php]
    define( ‘WP_POST_REVISIONS’, false );
    [/php]
    Plus, if you want to increase the delay (in this example 1500s) of autosave, use this:
    [php]
    define( ‘AUTOSAVE_INTERVAL’, 90000 );
    [/php]
  7. In latest version of wordpress the default theme is twentyfourteen. You can change the default theme to any installed theme. You must need to know the theme slug.
    [php]
    define( ‘WP_DEFAULT_THEME’, ‘twentytwelve’ );
    [/php]
You may also read:  Removing index.php in codeigniter

You may also like...

Leave a Reply

%d bloggers like this: