In the previous article we covered the essentials of WordPress site security. Now it's time to look more closely at how to protect your WordPress site.
WordPress, as a CMS (Content Management System), may be vulnerable if the measures recommended by the system's developers are not taken. It does not matter what the website was created for: whether it is a corporate site, an online shop or just a business card site, it may become interesting to hackers after some time.

1. File wp-config.
We must protect wp-config.php because it is the most important file in a WordPress site and holds essential information such as the user, password and …. There are 2 ways to secure this file further:

  • Restricting access via .htaccess file
  • Restricting access via file permissions

1. Restricting access via .htaccess file
If your host runs on a Linux server, you can use this method.
You must add a .htaccess file to the main directory of your site.
Write the code below in Notepad (for example) and save it as .htaccess.

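# PROTECT WP-CONFIG (Apache 2.4 uses Require; Apache 2.2 uses Order/Deny)
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
</Files>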

Then test it by opening www.example.com/wp-config.php: as you will see, nobody has permission to access this file now.

2. Restricting access via file permissions
You should apply this method in any case, whatever kind of hosting you use.
You can easily protect your wp-config.php by setting permission 644 (-rw-r--r--) on this file. This is very important for keeping your site safe. For more information about permissions you can ask your host or find plenty of information on the Internet. For example, you can go to the WordPress Codex.

2. Secret keys.
A WordPress site will be safe if you know how to protect it!
wp-config.php contains secret keys that must be defined, but most developers and administrators pay no attention to this step, and hackers and malicious programs take advantage of that. So how can we set these keys?

As you can see in the wp-config file, you must go to the address given there, get the secret keys and put them in the lines shown below:

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Then save it. That was easy, but believe me, it is very important!

3. DB prefix.
WordPress has a standard database structure, which makes it easy for a hacker to damage and abuse a site, but if you change the database structure from the default to a custom one, your database will be safer. How can we do this?

As you can see in wp-config, there is a table prefix that you can set to something other than the default name. By default, all tables in a WordPress database start with “wp_”, for example wp_users, wp_terms, etc. But we can change it, for example, to “fgdgerFDSF343_”. After this, your database table names will be fgdgerFDSF343_users, fgdgerFDSF343_terms, etc.

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

After setting the new prefix, save and refresh the site. If everything was done correctly you will see nothing different, and when you go to the database you will see that everything has changed! This is wonderful.

Pay attention: do not forget to put an underscore “_” after the new database prefix. If you forget it, you must go to wp-config.php and change it before doing anything else! Back up the database before the change! This is necessary because if you make a mistake you can easily restore your database.
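An added example (not from the original article or from WordPress): a Python audit of the wp-config.php points from sections 1 to 3, covering permissions wider than 644, secret keys that are missing, left at the placeholder or duplicated, and a default or malformed table prefix. The function names and the sample values are constructed for illustration.

```python
import os
import re
import stat

KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")
PREFIX_RE = re.compile(r"^\s*\$table_prefix\s*=\s*'([^']*)'", re.M)

# Constructed sample (not a real config): missing, placeholder and duplicated keys.
SAMPLE = """<?php
define('AUTH_KEY',         'k1-constructed-sample-value');
define('SECURE_AUTH_KEY',  'k1-constructed-sample-value');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'k4-constructed-sample-value');
define('AUTH_SALT',        'k5-constructed-sample-value');
$table_prefix = 'wp_';
"""

def audit_text(text, mode):
    """Check wp-config.php contents and file mode; return a list of findings."""
    findings = []
    if mode & ~0o644:  # any permission bit set beyond rw-r--r--
        findings.append(f"mode {mode:03o} is wider than 644")
    defined = dict(DEFINE_RE.findall(text))
    for key in KEYS:
        if key not in defined:
            findings.append(f"{key} is not defined")
        elif defined[key] == PLACEHOLDER:
            findings.append(f"{key} still holds the placeholder")
    real = [defined[k] for k in KEYS if defined.get(k, PLACEHOLDER) != PLACEHOLDER]
    if len(real) != len(set(real)):
        findings.append("two or more keys share one value")
    match = PREFIX_RE.search(text)
    prefix = match.group(1) if match else ""
    if prefix == "wp_":
        findings.append("table prefix is the default wp_")
    elif not re.fullmatch(r"\w*_", prefix, re.A):
        findings.append(f"table prefix {prefix!r} must be letters, numbers, underscores, ending in _")
    return findings

def audit_wp_config(path):
    """Audit a wp-config.php on disk using its real permission bits."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_text(fh.read(), stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    print("\n".join(audit_text(SAMPLE, 0o666)))
```

Call `audit_wp_config()` with the path to your own wp-config.php; an empty list means none of these checks fired.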

4. Username.
Please make sure you change your username from the default (admin) to something else! This is a very important step, because admin is the WordPress default, every bad guy knows it, and we don't like that. So please change the user name (admin) to another one.

5. Permissions.
Do not forget to set proper permissions on the files and folders of your site. This is the main key to protecting your site from attack! When you don't want to change your site, set permission 644 on the wp-content folder. And in general, keep the site closed whenever you don't want to change something.

By reading and following our advice you can protect your website better. If you need help, you can write to us and we will solve your problem together.

In the next article we will tell you more about how to protect your WordPress website.