Yesterday, I posted some security tips to help you lock down your WordPress sites against malicious attacks. I talked about how to edit file permissions and how to use .htaccess to shield your wp-config.php file. But today, I want to encourage you to take wp-config security one step further.
For those of you using Linux hosting, you will be familiar with how all your Web accessible files are located in /home/username/public_html/. And therein lies part of the problem, because a sensitive file like wp-config is Web accessible. And the details you need to keep the most safe and secure are in wp-config. Look at what is defined in wp-config -
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
/** MySQL database username */
define('DB_USER', 'username_here');
/** MySQL database password */
define('DB_PASSWORD', 'password_here');
/** MySQL hostname */
define('DB_HOST', 'localhost');
Your database name, your database username, your database password and your database hostname are all contained in that file. Do you see why I am trying to do whatever I can to make this file as secure as I can make it?
Well, let's take all those sensitive details and let's move them to a location that is not Web accessible. We are going to move them above public_html, to /home/username/, away from prying eyes.
To do this, we are going to create a new file. Call it config.php and insert the following bits of the wp-config file into it -
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, WordPress Language, and ABSPATH. You can find more information
* by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
* wp-config.php} Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
/** MySQL database username */
define('DB_USER', 'username_here');
/** MySQL database password */
define('DB_PASSWORD', 'password_here');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
?>
Be sure to fill in all of the requested information, as you will need it to make this work correctly.
Save the file as config.php and then you can FTP it to /home/username/.
Now, we are going to prepare the wp-config file, which is everything else you did not move above public_html, plus one line.
<?php
include('/home/username/config.php');
/**
* WordPress Localized Language, defaults to English.
*
* Change this to localize WordPress. A corresponding MO file for the chosen
* language must be installed to wp-content/languages. For example, install
* de.mo to wp-content/languages and set WPLANG to 'de' to enable German
* language support.
*/
define ('WPLANG', '');
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*/
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
?>
Line 2, the include, is the line you need to edit: replace username with your own account name on your particular server.
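As an added example, not part of the original post, here is a small POSIX shell audit of the end state of the procedure above: the file named in the include() of wp-config.php resolves outside the web root, is readable only by its owner, and wp-config.php itself no longer carries the database credentials or keys. The /home/username/public_html layout and the include() format are assumptions taken from the post.

```sh
#!/bin/sh
# Added example (not from the original post). Verifies that the wp-config split
# described above ended up as intended. Paths are assumed from the post.

# 0 if the config file resolves to a path outside the web root, else 1.
config_outside_webroot() {
  docroot=$(cd "$1" && pwd -P) || return 1
  cfgdir=$(cd "$(dirname "$2")" && pwd -P) || return 1
  resolved="$cfgdir/$(basename "$2")"
  case "$resolved" in
    "$docroot"/*) return 1 ;;   # still inside public_html
    *) return 0 ;;
  esac
}

# 0 if only the owner can read the file (mode 600 or 400), else 1.
# Other local accounts on a shared host must not be able to read it.
config_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints the path named in the include() line of a wp-config.php.
wpconfig_include_path() {
  sed -n "s/^include([[:space:]]*'\([^']*\)'[[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# 0 if the file still defines any of the secrets that were meant to move out.
wpconfig_has_secrets() {
  grep -Eq "define\(['\"](DB_PASSWORD|DB_USER|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY)['\"]" "$1"
}

# Runs every check against one site; prints a verdict per check, returns 0 if all pass.
audit_wp_config() {
  docroot=$1
  wpconfig="$docroot/wp-config.php"
  config=$(wpconfig_include_path "$wpconfig")
  [ -n "$config" ] || { echo "no include() in wp-config.php"; return 1; }
  rc=0
  config_outside_webroot "$docroot" "$config" && echo "ok: $config is outside web root" \
    || { echo "FAIL: $config is web accessible"; rc=1; }
  config_mode_ok "$config" && echo "ok: $config readable by owner only" \
    || { echo "FAIL: $config mode is not 600/400"; rc=1; }
  wpconfig_has_secrets "$wpconfig" && { echo "FAIL: secrets still in wp-config.php"; rc=1; } \
    || echo "ok: no credentials left in wp-config.php"
  return $rc
}
```

Run it as `audit_wp_config /home/username/public_html` after the move; the permission check matters because relocating the file only helps if the web server cannot serve it and other accounts on the box cannot read it.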
You need to understand that if someone is determined to crack your site, they are going to get in. But with the above set-up, you are adding another layer of security. You have moved all the sensitive details of your wp-config file into an area not accessible by the Web. If someone does manage to get to your wp-config file, they will not find anything of any importance.
Download the Ultimate Security Check plugin and run it on your WordPress site. How high is your score? What was your overall grade? Can you really afford to get anything less than a top score?
Comments (3)
I'm loath to add more to my workload with the new wp site I am setting up, but this seems like a really sound tip. Thanks, I'll get on it.
Better safe than sorry is my motto. It really doesn’t take so long to set up and it brings peace of mind. A good trade-off in my book.
Good idea - will do this tomorrow when I'm wide awake and bushy-tailed.