How to Secure Your WordPress Site with WP-Config.php?


Every WordPress site has a file named ‘wp-config.php’. This configuration file is one of the most important files in a WordPress installation. It holds several settings that can be changed to improve the security of the site. In this post, we’ll show you how to use the WordPress configuration file to protect your WordPress site.

How to Secure Your WordPress Site Using the wp-config File?

Change Database Prefix

Have you ever looked at the database tables of your WordPress site? (You can access them through your web host account.) By default the database has eleven tables, and each table has a particular purpose. For example, wp_posts stores posts, pages and navigation menu items. Because each table’s role is fixed, an attacker knows exactly where the specifics of your site are kept. For example, if they want to go after the users of your site, they will reach for the wp_users table.

By default, WordPress uses the ‘wp_’ prefix for all of its tables. Changing this to a custom prefix hides the well-known table names and helps protect your WordPress site. To do this, open your ‘wp-config’ file.

Step 1: Log in to your web host account and go to cPanel. Choose the File Manager; you’ll see a view that looks something like this:

Step 2: There’s a public_html folder on the left-hand side. You’ll find the wp-config file in this folder.


In the ‘wp-config’ file, find the following line:

[code]$table_prefix = 'wp_';[/code]

You need to change it to something random, for example:

[code]$table_prefix = 'agora_';[/code]

The tables in the database will then be named ‘agora_users’ instead of ‘wp_users’, ‘agora_posts’ instead of ‘wp_posts’, and so on. Note that editing wp-config.php does not rename tables that already exist: on a fresh install WordPress creates the tables with the new prefix, but on an existing site you must also rename the tables in the database (and the prefixed keys in the options and usermeta tables), or WordPress will no longer find its data.

Disable Editing of Theme/Plugin Files

The WordPress dashboard includes an editor for theme and plugin files. This means that anyone with access to the dashboard and sufficient permissions can edit your themes or plugins from the browser.


While this is a valuable tool when you need to tweak a plugin, it is dangerous in an attacker’s hands. Suppose an attacker manages to get into your site with the help of an exploit. Adding malware to an existing plugin or theme is then easy for them, and they can hide backdoors that they later use to regain access to your site whenever they want. By disabling the option to edit these files, you prevent this and make your WordPress site more secure. This is done with a single setting in your WordPress config file.


Prevent Users From Installing or Updating Plugins & Themes

Preventing users from editing these files provides only one level of security. It does not stop an attacker from installing a malicious plugin that can be used to exploit your website: once they have access to the admin panel with the right user permissions, they can install a rogue theme or plugin. If you do not install plugins frequently, you can disable installation from the dashboard as well with a second setting in the WordPress configuration file.
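The two settings that this section and the previous one refer to, shown as an added example rather than code from the original post (the constant names are WordPress’s own documented settings; the surrounding lines show where they belong in wp-config.php):

```php
<?php
// Excerpt of a wp-config.php with the hardening constants for the two sections
// above. Both must be defined before wp-settings.php is loaded (the last line
// below), otherwise WordPress never sees them.

// ... database settings, security keys and $table_prefix come first ...

// Removes the Theme Editor and Plugin Editor from the dashboard, so that a
// compromised administrator account cannot write PHP into an installed theme
// or plugin through the browser.
define('DISALLOW_FILE_EDIT', true);

// Stricter: also blocks installing, updating and deleting plugins and themes
// (and core updates) from the dashboard. Use it only if you do these tasks by
// other means; otherwise omit it and use the FS_METHOD setting described next.
define('DISALLOW_FILE_MODS', true);

/* That's all, stop editing! */
require_once ABSPATH . 'wp-settings.php';
```

DISALLOW_FILE_MODS implies DISALLOW_FILE_EDIT, so with both set the second line is redundant but harmless.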


Enforce the Use of ‘FTP’

For sites that install plugins often, preventing users from installing and updating plugins and themes can be restrictive and even impractical. Keeping themes and plugins up to date is also very important for the security of a site. An alternative way to ensure that only a legitimate user installs plugins is to force users to provide ‘FTP’ credentials for every install or update. Even when your admin panel is compromised, an attacker cannot install a rogue plugin unless they also have your FTP credentials. Plain FTP sends those credentials unencrypted, so use one of the encrypted variants below wherever your host supports them.

Just add the following line to your ‘wp-config.php’:

[code]define('FS_METHOD', 'ftpext');[/code]

If your web host or server supports ‘FTPS’, also add the following line to the config file:

[code]define('FTP_SSL', true);[/code]

If your web host or server supports ‘SFTP’, use this line instead (it requires the PHP ssh2 extension on the server):

[code]define('FS_METHOD', 'ssh2');[/code]

Change Security Keys

You don’t have to enter your login credentials every time you open your site. Ever wondered how your browser keeps you logged in? After you sign in, your login information is stored in a browser cookie in encrypted form. Security keys are random values that strengthen this encryption. If your site is hacked, changing the security keys invalidates every existing cookie and automatically logs out every active user. The attacker is thrown out along with everyone else and loses access to your WordPress admin.

You can generate a new set of security keys (WordPress.org provides a generator at https://api.wordpress.org/secret-key/1.1/salt/) and paste them into the ‘wp-config’ file in place of the old ones. This helps secure the WordPress site.

Hide the ‘wp-config.php’

The wp-config file has the same default location on every WordPress site, so moving it can keep it out of an attacker’s hands. Luckily, WordPress allows wp-config.php to reside one directory above your WordPress installation. For example, if WordPress is installed in the public_html folder, the configuration file is by default in public_html as well, but it can be moved to the directory directly above public_html and WordPress will still find it.

Secure the wp-config.php File

The configuration file is a target for attackers, which makes it necessary to secure it. One way to do this is to move it out of its default location so that attackers cannot find it there. Some developers oppose this, but plenty of others think it is a good idea. Take a look at the discussion here.

Restricting file permissions is another security measure you can take. Set the permissions of wp-config.php to 600, so that only the file’s owner can read and edit it. (This assumes that PHP runs as the file’s owner, as it does on most cPanel hosts; if the web server runs as a different user, that user still needs read access.) To change the file’s permissions, select the file in the File Manager and choose ‘Permissions’.

Finally, to prevent the web server from serving the wp-config file directly to a browser, add the following lines to the .htaccess file in the same directory. The block covers both the Apache 2.4 and the older Apache 2.2 access-control syntax:

[code]# protect wp-config.php
<Files wp-config.php>
  # Apache 2.4 and later
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2
  <IfModule !mod_authz_core.c>
    order allow,deny
    deny from all
  </IfModule>
</Files>[/code]

Over to You

We have discussed how to secure the wp-config file on your WordPress site, but this is just one of many ways to improve the security of your site. Other measures you can take include using a security plugin, using an SSL certificate, choosing a unique and strong username and password, implementing HTTP authentication, and enabling two-factor authentication. Whatever you choose, back up your site before implementing any of these techniques: if something goes wrong, you can simply restore the backup and have your site up and running again in no time.