Make your WordPress site more secure – part 2


When you’ve carried out (or at least considered) the security measures discussed in part 1, there are further (more techy!) steps that you can take to tighten security on your WordPress site:

7. Change the database prefix to prevent SQL injection attacks
These are attacks whereby hackers embed database commands in a URL. Such attacks might be thwarted by changing the database tables’ prefix from the default wp_. If you are setting up your website from scratch, simply change this line in your wp-config.php file before creating the database:
    $table_prefix = 'wp_';
e.g. to something like this:
    $table_prefix = 'cml392_';
If your site has already been set up, a few more steps are involved to rename all of your existing tables. There is a great set of instructions in this article:
http://www.wpbeginner.com/wp-tutorials/how-to-change-the-wordpress-database-prefix-to-improve-security/
This sort of security measure is sometimes referred to as “security through obscurity” – i.e. hiding things rather than preventing access to them – and not everyone considers it an appropriate strategy. I see no reason not to adopt this strategy in addition to other security measures. (Why make things easy for hackers?!)
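For a site that already exists, the rename has three parts: change $table_prefix in wp-config.php, rename every table, and then fix the rows whose contents embed the old prefix (the wp_user_roles option and the wp_capabilities / wp_user_level keys in usermeta). The script below is an added example, not code from this post or from WordPress; it only generates the SQL for you to review and run against a backup first, and the CORE_TABLES list is a constructed one (take the real names from SHOW TABLES).

```python
import re

# Core tables of a single-site WordPress install, without prefix. Constructed
# list for this example; on a real site take the names from SHOW TABLES.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "termmeta", "terms", "term_relationships", "term_taxonomy",
    "usermeta", "users",
]

# WordPress only accepts letters, digits and underscores in $table_prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def validate_prefix(prefix):
    """Reject anything WordPress itself would refuse as a table prefix."""
    if not PREFIX_RE.match(prefix):
        raise ValueError("invalid table prefix: %r" % prefix)
    return prefix


def config_line(prefix):
    """The wp-config.php line that selects the new prefix."""
    return "$table_prefix = '%s';" % validate_prefix(prefix)


def like_pattern(prefix):
    """LIKE pattern for names starting with the prefix; the underscore is
    escaped so MySQL matches it literally instead of as a wildcard."""
    return prefix.replace("_", r"\_") + "%"


def rename_statements(old, new, tables=CORE_TABLES):
    """Return the SQL that moves an existing site from prefix `old` to `new`:
    one RENAME TABLE per table, then the UPDATEs for rows whose contents
    embed the prefix. Only wp_user_roles is known to do so in wp_options, so
    that one is matched exactly (a blanket LIKE would also rename unrelated
    options that merely start with the same letters); usermeta keys such as
    wp_capabilities and wp_user_level are matched by prefix."""
    validate_prefix(old)
    validate_prefix(new)
    if old == new:
        raise ValueError("old and new prefix are identical")
    stmts = ["RENAME TABLE `%s%s` TO `%s%s`;" % (old, t, new, t) for t in tables]
    stmts.append(
        "UPDATE `%soptions` SET option_name = '%suser_roles' "
        "WHERE option_name = '%suser_roles';" % (new, new, old))
    start = len(old) + 1  # SUBSTRING is 1-indexed: keep everything after the old prefix
    stmts.append(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
        "WHERE meta_key LIKE '%s';" % (new, new, start, like_pattern(old)))
    return stmts


if __name__ == "__main__":
    print(config_line("cml392_"))
    print("\n".join(rename_statements("wp_", "cml392_")))
```

Run the RENAME statements and the two UPDATEs in one maintenance window, with the wp-config.php change made at the same time: while the prefix in the file and the prefix in the database disagree, the site cannot find its tables and every login fails.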
 
8. Disable file-editing
The WordPress Dashboard, by default, allows administrators to edit PHP files such as theme and plugin files. This can be disabled by adding the following line to your wp-config.php file:
    define('DISALLOW_FILE_EDIT', true);
It won’t prevent an attacker from uploading malicious files to your site, but might stop some attacks. (You’ll have to decide whether it’s worth the inconvenience to you if you’re regularly changing theme and plugin files.)
 
9. Set security keys in wp-config.php
Security keys are used to ensure better encryption of the information stored in the cookies that manage login sessions. If you don’t set your own security keys in wp-config.php, your cookie info will still be secure, as WordPress will generate its own and store them in the database. However, there is an obvious advantage to storing passwords and security keys in two different places (the database and wp-config.php, respectively): you ensure that a hacker would need access to both in order to construct a valid cookie and log in to your site.
Security keys can be set to whatever you want – just make sure that they’re long, random and complicated. An easy way to get suitable security keys is to use WordPress’s online generator.
Security keys can be changed whenever you want. Note that changing them will invalidate all login cookies, so anybody on your site will have to re-login.
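The following script is an added example covering points 8 and 9 together; it is not code from this post or from WordPress. It generates the eight key constants offline with Python’s secrets module (the same length, 64 characters, as the online generator at https://api.wordpress.org/secret-key/1.1/salt/ returns) and audits the text of a wp-config.php for keys that are missing, still carry the sample file’s “put your unique phrase here” placeholder, or are short, and for DISALLOW_FILE_EDIT not being set to true. The character set and the 32-character minimum are this example’s own choices.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Value shipped in wp-config-sample.php; if it is still there no key was set.
PLACEHOLDER = "put your unique phrase here"

# Characters that need no escaping inside a PHP single-quoted string:
# letters, digits and punctuation other than ' and \ (this example's choice).
ALPHABET = string.ascii_letters + string.digits + \
    "".join(c for c in string.punctuation if c not in "'\\")
KEY_LENGTH = 64   # length of the keys the online generator returns
MIN_LENGTH = 32   # audit threshold used below (this example's choice)

# define('NAME', 'value') with a single-quoted value; DISALLOW_FILE_EDIT is a
# bare boolean, so it gets its own pattern (PHP's true is case-insensitive).
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")
FILE_EDIT_RE = re.compile(r"define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*(?i:true)\s*\)")


def generate_keys(length=KEY_LENGTH):
    """One cryptographically random key per constant."""
    return {name: "".join(secrets.choice(ALPHABET) for _ in range(length))
            for name in KEY_NAMES}


def render_defines(keys):
    """Render the keys as define() lines ready to paste into wp-config.php."""
    return "\n".join("define('%s', '%s');" % (name, keys[name]) for name in KEY_NAMES)


def audit_config(text):
    """Return a list of problems found in wp-config.php text."""
    found = dict(DEFINE_RE.findall(text))
    problems = []
    for name in KEY_NAMES:
        if name not in found:
            problems.append("%s: not defined" % name)
        elif found[name] == PLACEHOLDER:
            problems.append("%s: still the sample placeholder" % name)
        elif len(found[name]) < MIN_LENGTH:
            problems.append("%s: only %d characters" % (name, len(found[name])))
    if not FILE_EDIT_RE.search(text):
        problems.append("DISALLOW_FILE_EDIT: not set to true")
    return problems


if __name__ == "__main__":
    fresh = render_defines(generate_keys()) + "\ndefine('DISALLOW_FILE_EDIT', true);"
    print(fresh)
    print("problems:", audit_config(fresh))
```

Running the audit after every edit of wp-config.php is a cheap way to catch the two common mistakes: copying the sample file without replacing the placeholders, and dropping the DISALLOW_FILE_EDIT line when the file is rewritten. Pasting a freshly generated set of keys logs everybody out, as noted above, which is exactly what you want after a suspected compromise.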
 
10. Keep file permissions as tight as possible
It is best to lock down your file permissions as much as possible. Permissions vary from host to host, so it’s difficult to give a definitive rule. However, all core WordPress files should typically be writable only by your own user account, and files such as .htaccess and wp-config.php should be particularly tightly managed. Restrictions can always be loosened on the occasions when you need to allow write access.
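Because the right modes depend on how your host runs PHP, an audit that lists what deviates from your chosen policy is more useful than a blanket chmod. The script below is an added example, not part of this post or of WordPress; the policy it applies (no group or world write anywhere, no world read on wp-config.php or .htaccess, no setuid/setgid, no execute bit on regular files) is this example’s own and can be adjusted to match what your host needs.

```python
import os
import stat

# Files whose contents are sensitive (database credentials, rewrite rules):
# nobody but the owner, and the web server's group where the host needs it,
# should be able to read them.
SENSITIVE = {"wp-config.php", ".htaccess"}


def check_entry(relpath, mode, is_dir):
    """Apply the policy to one entry and return a list of findings (empty if
    the entry is fine). `mode` is a st_mode value or a plain octal mode."""
    perm = stat.S_IMODE(mode)
    name = os.path.basename(relpath)
    findings = []
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others (%o)" % perm)
    if name in SENSITIVE and perm & stat.S_IROTH:
        findings.append("sensitive file readable by everyone (%o)" % perm)
    if perm & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set (%o)" % perm)
    if not is_dir and perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit on a regular file (%o)" % perm)
    return findings


def audit(entries):
    """entries: iterable of (relative path, mode, is_dir). Returns a list of
    (path, finding) pairs for everything that breaks the policy."""
    return [(path, f) for path, mode, is_dir in entries
            for f in check_entry(path, mode, is_dir)]


def scan(root):
    """Walk a WordPress install on disk and yield (relpath, st_mode, is_dir).
    lstat is used so symlinks are reported as themselves, not followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            yield os.path.relpath(full, root), os.lstat(full).st_mode, True
        for f in filenames:
            full = os.path.join(dirpath, f)
            yield os.path.relpath(full, root), os.lstat(full).st_mode, False


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, finding in audit(scan(root)):
        print("%s: %s" % (path, finding))
```

Run it as `python audit.py /path/to/wordpress` from a shell on the host. A typical clean result is silence; the usual hits are a 777 uploads directory left over from a plugin installation and a 644 wp-config.php that every other account on a shared server can read.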
 
See also:
Make your WordPress site more secure – part 1
Make your WordPress site more secure – part 3
 
If you’d like help with making your WordPress site more secure, or if you’d like a review of your site’s current security set-up, please get in touch.