Useful Configuration Steps for Securing Your WordPress Site


Security Keys:

You don’t have to remember the keys; just make them long, random and complicated. You can generate a new set of security keys with the WordPress Security Key Generator. You can change them at any time to invalidate all existing cookies, which means every user will have to log in again. Copy the new keys and paste them into wp-config.php.

/* Authentication Unique Keys and Salts. */
define('AUTH_KEY',         '{|N7L~yMsLjtE7vc[[|4I*VaS*b~]KPAx{aW|kfSSPr.H;h<oo]%98GR024DnH6y');
define('SECURE_AUTH_KEY',  'T%8i4Mhmd!t=-R}i;-IyeR_eCI#z|s~v$;%Ebg Mz>(n(@LYKG-syN;Z%G`lE/ H');
define('LOGGED_IN_KEY',    '!Gsl1yz=>jAnVYW=N@*,:B>(?[Wq-1-~]vV|GO?h5Lk6HYF,m|<k2+((A,qNe 5&');
define('NONCE_KEY',        'SWvS4ci1Yg}B7v*akN~rlQz)na;#=#az-.meU*N$`$+<ft|y7aQv+_b]?31.@^4{');
define('AUTH_SALT',        'Yxql4ZOJuBumiTxi*(KPxb[PD]v-&lb;7$e[9L<t`kvqwD;{xd#,v0WZr|wNR}YZ');
define('SECURE_AUTH_SALT', 'v.CJ=@C598Ea<wf%p]6q]=BEB.l>u) drC-#56>^K2NvY.s+TD7CdzO#G^ :L3gF');
define('LOGGED_IN_SALT',   'YxG!au&?EQ{&Qn <{n9jM-n,^BXgr2BiSqY+n~7kHwyYq-eJ|eL(RYq@H9lmj%)}');
define('NONCE_SALT',       '}*=b2NECH xd^|U1&}_(}+:-#FJERDN1oFv2yY%iqPl18a&k;}<M)FO|U;v|=5_n');

MySQL database table prefix:

A table_prefix is placed in front of every database table name. By default it is set to wp_; change it to something like 6dRxWf_. For additional hardening, also rename the user and usermeta tables with CUSTOM_USER_TABLE and CUSTOM_USER_META_TABLE. Remember that a table prefix may contain only numbers, letters and underscores.

/* MySQL database table prefix. */
$table_prefix = '6dRxWf_';
define( 'CUSTOM_USER_TABLE',      $table_prefix . 'brandname_user' );
define( 'CUSTOM_USER_META_TABLE', $table_prefix . 'brandname_usermeta' );

Moving and renaming the wp-content folder:

The wp-content directory stores all your theme files, plugin files and images. Why move the wp-content folder? The best reason is security: if you move it to an unexpected location, attackers looking to target this area won’t be able to find it, or will at least find it harder to locate.

/* Custom wp-content location (WP_CONTENT_DIR and WP_CONTENT_URL are the constants WordPress reads; no trailing slash). */
define( 'WP_CONTENT_FOLDERNAME', 'brandname' );
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/' . WP_CONTENT_FOLDERNAME );
define( 'WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/' );
define( 'WP_CONTENT_URL', WP_SITEURL . WP_CONTENT_FOLDERNAME );

Move the WordPress Plugin Directory:

  1. Set WP_PLUGIN_DIR to the full local path of this directory (no trailing slash)
  2. Set WP_PLUGIN_URL to the full URI of this directory (no trailing slash)
/* Move the WordPress Plugin Directory */
define( 'WP_PLUGIN_DIR', dirname(__FILE__) . '/brandname/foldername/plugins' );
define( 'WP_PLUGIN_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/brandname/foldername/plugins' );

Move the WordPress Theme folder:

You cannot move the themes folder because its path is hard coded relative to the wp-content folder.

/* In WordPress core the theme root is derived from WP_CONTENT_DIR: */
$theme_root = WP_CONTENT_DIR . '/themes';

Move Uploads Directory:

/* Move Uploads Directory */
define( 'UPLOADS', 'brandname/media');

This path cannot be absolute. It is always relative to ABSPATH, so it takes no leading slash. Add the define just after this block:

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

Install plugins on localhost:

In some cases you cannot update or upgrade your WordPress plugins to a newer version without providing FTP connection details. This is a common issue: the WordPress process cannot write to your /wp-content folder directly.

To solve it you can define the FTP details in wp-config.php so that WordPress remembers them. Alternatively, give WordPress write access to /wp-content through your FTP client by changing the folder permissions (CHMOD) to 775 rather than the defaults of 755 for directories and 644 for files.

There is, however, an easier way: define the FS_METHOD constant in your wp-config.php. This bypasses WordPress’s recurring credential prompts and lets file updates happen directly, and it takes only one line.

/* Allow plugin installs and updates on localhost without FTP credentials. */
define( 'FS_METHOD', 'direct' );

Disable Post Revisions:

WordPress defaults WP_POST_REVISIONS to true (post revisions enabled). To disable the feature, or to cap the number of revisions kept, use one of these settings:

/* Disable Post Revisions. */
define( 'WP_POST_REVISIONS', false );

/* Or keep at most 3 revisions per post. */
define( 'WP_POST_REVISIONS', 3 );

Media Trash:

MEDIA_TRASH sends deleted attachments to the trash instead of removing them at once. EMPTY_TRASH_DAYS controls the number of days before WordPress permanently deletes posts, pages, attachments and comments from the trash bin; the default is 30 days:

/* Media Trash. */
define( 'MEDIA_TRASH', true );
/* Trash Days (an integer, not a quoted string). */
define( 'EMPTY_TRASH_DAYS', 7 );

WordPress debug mode for developers:

/* WordPress debug mode for developers. */
define( 'WP_DEBUG',         false );
define( 'WP_DEBUG_LOG',     true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'SCRIPT_DEBUG',     true );
define( 'SAVEQUERIES',      false );

Save queries for analysis:

If SAVEQUERIES is true, every query is kept in memory and your site slows down, so turn it off when you are not debugging or troubleshooting. To enable it:

define( 'SAVEQUERIES', true );

Then in the footer of your theme put this:

/* Dump the recorded queries, visible to administrators only. */
if ( current_user_can( 'administrator' ) ) {
    global $wpdb;
    echo "<pre>";
    print_r( $wpdb->queries );
    echo "</pre>";
}

PHP Memory:

/* PHP Memory (values need a unit suffix such as M). */
define( 'WP_MEMORY_LIMIT', '128M' );
define( 'WP_MAX_MEMORY_LIMIT', '256M' );


/* Compression */
define( 'COMPRESS_CSS',        true );
define( 'COMPRESS_SCRIPTS',    true );
define( 'CONCATENATE_SCRIPTS', true );
define( 'ENFORCE_GZIP',        true );


/* Updates */
define( 'WP_AUTO_UPDATE_CORE', true );
define( 'DISALLOW_FILE_MODS', true );
define( 'DISALLOW_FILE_EDIT', true );
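The settings above are easy to get subtly wrong: a key left at the sample-file placeholder, a memory limit without its unit, EMPTY_TRASH_DAYS quoted as a string, a site URL built from the Host header, or WP_AUTO_UPDATE_CORE set to true next to DISALLOW_FILE_MODS, which also switches off automatic updates. The following Python script is an added example, not code from the original post or from WordPress: it parses the literal define() lines and the $table_prefix assignment from a wp-config.php, reports the weak settings discussed in the security keys, table prefix, FS_METHOD, PHP memory and updates sections, and emits fresh key and salt lines from a CSPRNG as a replacement for the online generator. The SAMPLE_WP_CONFIG excerpt is constructed for the demonstration and is deliberately weak.

```python
import re
import secrets
import string

# Constructed wp-config.php excerpt (not taken from any real site). It repeats
# settings from this page, several of them deliberately left in a weak state.
SAMPLE_WP_CONFIG = r"""
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'short');
define('LOGGED_IN_KEY',    'xK2#v8!pL@qR4tZ$wN7(bM9]cH3}dF6^gJ1&kS5*');
define('NONCE_KEY',        'xK2#v8!pL@qR4tZ$wN7(bM9]cH3}dF6^gJ1&kS5*');
$table_prefix = 'wp_';
define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/');
define( 'FS_METHOD', 'direct' );
define( 'WP_DEBUG_DISPLAY', true );
define( 'WP_MEMORY_LIMIT', '128' );
define( 'WP_AUTO_UPDATE_CORE', true );
define( 'DISALLOW_FILE_MODS', true );
define( 'EMPTY_TRASH_DAYS', '7' );
"""

# One define() per line whose value is a literal: quoted string, bare integer or identifier.
DEFINE_RE = re.compile(
    r"""^\s*define\s*\(\s*['"](?P<name>[A-Z0-9_]+)['"]\s*,\s*"""
    r"""(?P<value>'[^']*'|"[^"]*"|-?\d+|[A-Za-z_]+)\s*\)\s*;""",
    re.MULTILINE,
)
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]\s*;""", re.MULTILINE)

KEY_NAMES = ('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
             'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT')
PLACEHOLDER = 'put your unique phrase here'   # value shipped in wp-config-sample.php


def parse_wp_config(text):
    """Return (constants, table_prefix). Quoted strings map to str, true/false to
    bool, bare integers to int. Expressions (concatenations, function calls) are
    not literals and are skipped, so a define built from $_SERVER is absent."""
    constants = {}
    for m in DEFINE_RE.finditer(text):
        raw = m.group('value')
        if raw[0] in '\'"':
            constants[m.group('name')] = raw[1:-1]
        elif raw.lower() in ('true', 'false'):
            constants[m.group('name')] = raw.lower() == 'true'
        elif raw.lstrip('-').isdigit():
            constants[m.group('name')] = int(raw)
    pm = PREFIX_RE.search(text)
    return constants, (pm.group('prefix') if pm else None)


def audit_config(text):
    """Return a list of (setting, finding) pairs for the weaknesses this page discusses."""
    constants, prefix = parse_wp_config(text)
    findings, seen = [], {}
    for name in KEY_NAMES:
        value = constants.get(name)
        if not isinstance(value, str) or value == PLACEHOLDER:
            findings.append((name, 'missing or still the stock placeholder'))
        elif len(value) < 32:
            findings.append((name, 'too short to be a strong secret'))
        elif value in seen:
            findings.append((name, 'identical to ' + seen[value]))
        else:
            seen[value] = name
    if prefix == 'wp_':
        findings.append(('table_prefix', 'default wp_ prefix'))
    elif prefix is not None and not re.fullmatch(r'[A-Za-z0-9_]+', prefix):
        findings.append(('table_prefix', 'only letters, digits and underscores are allowed'))
    if "$_SERVER['HTTP_HOST']" in text:
        findings.append(('HTTP_HOST', 'a URL constant is built from the Host header, which the client controls'))
    if constants.get('FS_METHOD') == 'direct':
        findings.append(('FS_METHOD', "'direct' means the web server user can write to the code base"))
    if constants.get('WP_DEBUG_DISPLAY') is True:
        findings.append(('WP_DEBUG_DISPLAY', 'PHP errors (paths, queries) are shown to visitors'))
    for name in ('WP_MEMORY_LIMIT', 'WP_MAX_MEMORY_LIMIT'):
        value = constants.get(name)
        if isinstance(value, str) and not re.fullmatch(r'\d+[KMGkmg]', value):
            findings.append((name, 'no unit suffix; WordPress expects e.g. 128M'))
    if constants.get('DISALLOW_FILE_MODS') is True and constants.get('WP_AUTO_UPDATE_CORE') is True:
        findings.append(('WP_AUTO_UPDATE_CORE', 'ineffective: DISALLOW_FILE_MODS also disables automatic updates'))
    if isinstance(constants.get('EMPTY_TRASH_DAYS'), str):
        findings.append(('EMPTY_TRASH_DAYS', 'quoted string; use a bare integer'))
    return findings


# Printable ASCII without quotes, backslash or whitespace, so each value can be
# pasted into a single-quoted PHP string without escaping.
KEY_ALPHABET = ''.join(c for c in string.printable[:94] if c not in "'\"\\")


def generate_key_defines(length=64):
    """Return eight define() lines with fresh keys and salts drawn from a CSPRNG."""
    return ["define( '%s', '%s' );" % (name, ''.join(secrets.choice(KEY_ALPHABET) for _ in range(length)))
            for name in KEY_NAMES]


if __name__ == '__main__':
    for setting, finding in audit_config(SAMPLE_WP_CONFIG):
        print('%-20s %s' % (setting, finding))
    print('\n'.join(generate_key_defines()))
```

Run it against a real wp-config.php by reading the file into audit_config; the parser only understands literal values, so constants defined through expressions are reported as missing rather than guessed at.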

Automatic Database Optimizing:

The repair script can be found at {$your_site}/wp-admin/maint/repair.php

/* Automatic Database Optimizing */
/* repair.php asks for no login while this constant is set; remove the define once the repair has run. */
define( 'WP_ALLOW_REPAIR', true );

Block External URL Requests:

Block external URL requests by defining WP_HTTP_BLOCK_EXTERNAL as true; WordPress will then only allow requests to localhost and to your own site. The WP_ACCESSIBLE_HOSTS constant lets additional hosts through: its value is a comma-separated list of hostnames to allow, and wildcard domains are supported.

/* Block External URL Requests */
define( 'WP_HTTP_BLOCK_EXTERNAL', true );
/* ',' allows no extra hosts at all; add e.g. 'api.wordpress.org' so update checks keep working. */
define( 'WP_ACCESSIBLE_HOSTS', ',' );
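To see what these two constants actually do to outbound traffic, here is an added Python model of the decision WordPress makes for each request (example code, not WordPress’s own): localhost and the site’s own host are always allowed, exact entries and `*` wildcards in WP_ACCESSIBLE_HOSTS are allowed, and everything else is blocked. The site host example.com and the request URLs are constructed placeholders; the run shows that the ',' value above leaves the allowlist empty, so the update check to api.wordpress.org is blocked until that host is listed.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = 'example.com'   # constructed: host part of this site's own siteurl option


def parse_accessible_hosts(value):
    """Split a WP_ACCESSIBLE_HOSTS string (comma separated, whitespace tolerated)
    into a set of exact host names and a list of compiled wildcard patterns.
    Empty items, such as the two produced by a bare ',', are dropped."""
    exact, wildcards = set(), []
    for item in re.split(r',\s*', value):
        item = item.strip().lower()
        if not item:
            continue
        if '*' in item:
            # '*.example.net' becomes ^.+\.example\.net$ (one or more characters per star)
            wildcards.append(re.compile('^' + re.escape(item).replace(r'\*', '.+') + '$'))
        else:
            exact.add(item)
    return exact, wildcards


def is_request_blocked(url, block_external, accessible_hosts, site_host=SITE_HOST):
    """Model of the decision taken for one outbound HTTP request: True means blocked."""
    if not block_external:
        return False
    host = (urlsplit(url).hostname or '').lower()
    if host in ('localhost', site_host):        # the site itself is never blocked
        return False
    exact, wildcards = parse_accessible_hosts(accessible_hosts)
    if host in exact:
        return False
    return not any(pattern.match(host) for pattern in wildcards)


if __name__ == '__main__':
    # Constructed requests a site typically makes, checked against two allowlists.
    for allowlist in (',', 'api.wordpress.org, *.example.net'):
        print('WP_ACCESSIBLE_HOSTS = %r' % allowlist)
        for url in ('https://api.wordpress.org/core/version-check/1.7/',
                    'https://example.com/wp-cron.php',
                    'https://updates.example.net/feed',
                    'https://unknown.example.org/'):
            verdict = 'blocked' if is_request_blocked(url, True, allowlist) else 'allowed'
            print('  %-48s %s' % (url, verdict))
```

When you turn on WP_HTTP_BLOCK_EXTERNAL, run your site's real outbound destinations (update servers, payment or mail APIs) through a check like this first and list exactly those hosts; a wildcard such as `*.example.net` admits every subdomain, so prefer exact names where you can.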

Cleanup-Image Edits:

By default, WordPress creates a new set of images every time you edit an image, and when you restore the original it leaves all the edited copies on the server. Defining IMAGE_EDIT_OVERWRITE as true changes this behavior: only one set of image edits is ever created, and when you restore the original the edits are removed from the server.

/* Cleanup-Image Edits */
define( 'IMAGE_EDIT_OVERWRITE', true );

Override of default file permissions:

/* Override of default file permissions */
define( 'FS_CHMOD_DIR', ( 0755 & ~ umask() ) );
define( 'FS_CHMOD_FILE', ( 0644 & ~ umask() ) );

View All Defined Constants:

This returns an array of all currently defined constants with their values.

/* The dump includes DB_PASSWORD and the security keys; never leave this in a page visitors can reach. */
print_r( get_defined_constants() );

Thanks for stopping by guys! I'm Vijayan and Techpulse is my beloved brainchild. Currently working as a PHP developer in a digital marketing start-up, I'm overly passionate about not just learning new things but also putting those into practice. I swear by a quote I once came across... 'What separates successful people from unsuccessful people is the former's ability to execute'. Feel free to reach out to me if you have any questions, suggestions or feedback. Hoping to see more of you here!
