
Conquering the wp-config.php File - 11 Good Practices


There are 981 files and 95 folders in the WordPress (v3.4.1) package. None of them needs manual modification, except the wp-config.php file. Of course, we don't have to edit the file if we're fine with the default WordPress configuration, but it's essential that we learn how to conquer it in order to apply the security precautions, speed tricks and other tweaks that we will be studying in this article.


First Things First: Back Up!

Better safe than sorry: Back your content up, right now! Use the built-in export page, a plugin, or phpMyAdmin, but always keep the power to undo what you did while tweaking your website.

The operations could affect the database but they will not do anything with any of the files except the file we're going to work with, so backing the wp-config.php file up is adequate... but if you haven't backed up your files for more than a month, I suggest doing that too. Frequent backups are always good.

Ready? OK, here we go!


Speed: Disable the Revisions... Now!

The revisions feature for posts is enabled by default, but can lead to significant database bloat. Revisions are there so you can revert to a previous version of a post if you need to. If you don't plan on using revisions to check the "earlier versions" of your posts, you definitely should disable this feature by adding the following line to the wp-config.php file:

define('WP_POST_REVISIONS', false );

However, if you're fine with revisions but you're not going to benefit from unlimited copies of your edited posts, you can limit the maximum number of revisions kept for each post with this line of code:

define('WP_POST_REVISIONS', 2 );

Speed: Set a Cookie Domain

If you serve static content (e.g. your media uploads) from a subdomain, it's a good idea to set a "cookie domain". By doing that, cookies won't be sent with every request for static content.

define('COOKIE_DOMAIN', 'www.yourwebsite.com');

Quick Tip: To serve your media uploads from a subdomain, simply point the last two text fields on the Media Options page to the path (for example /home/myblog/public_html/mysubdomain) and URL (for example http://mysubdomain.myblog.com/) of your subdomain.


Speed: Change the Filesystem Method

If you install, update or delete your plugins and themes frequently, chances are you kind of hate entering your FTP password every time you deal with them. The code below makes it easier for you by forcing the filesystem to use direct file I/O requests from within PHP - in other words, you won't need to enter FTP credentials anymore.

define('FS_METHOD', 'direct');

Please note that this one might not work with every hosting provider and even if it works, it might cause security issues with poorly configured hosts. So make sure that you're using it on a decent server.


Security: Restrict Access to the wp-config.php File

This tip requires you to edit the .htaccess file in your root directory, not the wp-config.php file. It basically prevents evil minded people from loading yourblog.com/wp-config.php directly with a browser:

# protect wp-config.php
<Files wp-config.php>
	order allow,deny
	deny from all
</Files>

Just add this to your .htaccess file and you're good to go!


Security: Force SSL on the Admin Panel

Is SSL enabled on your server? Great! You can force WordPress to use a secure connection while you're logging in with this line of code:

define('FORCE_SSL_LOGIN', true);

And if you're extra paranoid about security (which is a good thing, really), you can make WordPress use SSL on every admin page so everything you do in there is done with an encrypted connection:

define('FORCE_SSL_ADMIN', true);

You can find additional information about setting up SSL in the WordPress Codex on the Administration Over SSL page.


Security: Change the Database Prefix

If WordPress had a security flaw which allowed evil minded people to use the hacking method known as "SQL injection", they would easily use the default prefixes on your WordPress database tables to delete them. However, if you have a different table prefix than the default (wp_), they wouldn't be able to guess that, would they?

So, while setting up a new WordPress website, either change the default value on the installation page or in the wp-config.php file, change the line below:

$table_prefix  = 'wooh00yeah_';

Beware: If you want to make this work in an existing WordPress site, you can't just change the prefix on the wp-config.php file - you'll get database connection errors. You should use a plugin for that to change the wp-config.php file AND the database tables AND some specific values inside those tables. I recommend the DB Prefix Change plugin.


Security: Add Security Keys... Now!

Let's just read from the WordPress Codex:

In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like "password" or "test" is simple and easily broken. A random, unpredictable password such as "88a7da62429ba6ad3cb3c76a09641fc" takes years to come up with the right combination. A 'salt' is used to further enhance the security of the generated result.

This is one of the most essential security precautions for WordPress - and it's as easy as copying and pasting the randomly generated content of the WordPress secret key generator page into your wp-config.php file. The hardest part is finding the default, empty values of these constants and deleting them! :)


Other: Change the Autosave Interval

If you sometimes work on a post for 4 hours, you might find it annoying that WordPress automatically saves the state of your post every 60 seconds. Granted, it's not a bad thing, but sometimes it's really, really annoying. Anyway, if you want to set the autosave interval to a higher value, you can do it by defining it in the wp-config.php file like this:

define('AUTOSAVE_INTERVAL', 240 ); // the value should be in seconds!

Other: Easily Move Your WordPress Website

WordPress is full of surprises, and this is one of them. If you ever need to move your website to a new domain (or a new subdomain, or a new folder), define this constant on your wp-config.php file before moving your files and database:

define('RELOCATE',true); // We're not done yet!

After setting this and moving your files and database, log in with your WP credentials at yournewwebsite.com/wp-login.php and then check whether the home URL has changed on the General Options page. After confirming that it has changed, delete the constant from your wp-config.php file. This little trick of WordPress' saves you the burden of editing the database manually.

Tip: While this literally "moves" your website, it doesn't affect the hard-coded links in your content. To replace them, you should use a plugin like Search Regex and change the old links with new ones.


Other: Disable Editing of Plugin & Theme Files

If you're a web designer building your clients' websites with WordPress, you might want to disable the editing of theme and plugin files from the admin panel by adding the constant below:

define('DISALLOW_FILE_EDIT',true);

Better yet, you can also disable installing new themes and plugins, and updating them:

define('DISALLOW_FILE_MODS',true);

Just remember that theme and plugin updates are sometimes very important when they fix security flaws. So if you're going to disable updating and installing new plugins/themes, you're going to have to track the updates in a different way.


Other: Enable WP_DEBUG While Developing

This is an easy one: If you're developing a plugin or a theme, it's good practice to enable the debug feature of WordPress to see what kinds of notices and warnings you're getting:

define('WP_DEBUG',true);

Sometimes it's amazing to see how easily you can make mistakes while developing! :)
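As an added example (not part of the original article), here is a small Python script that reads a wp-config.php file and flags the settings discussed above: security keys still at the sample file's placeholder (or empty, or missing entirely), the default wp_ table prefix, FORCE_SSL_ADMIN or DISALLOW_FILE_EDIT not enabled, and WP_DEBUG left on. The "put your unique phrase here" string is the placeholder shipped in wp-config-sample.php; the 32-character minimum key length is this script's own assumption, and the sample config it audits is constructed for the demo.

```python
import re

# The eight secret constants WordPress expects in wp-config.php.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Placeholder text shipped in wp-config-sample.php; if it survives, the keys were never set.
PLACEHOLDER = "put your unique phrase here"

DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")

def parse_config(text):
    """Return ({CONSTANT: value}, table_prefix) parsed from wp-config.php source."""
    defines = {m.group(1): m.group(2).strip("'\"") for m in DEFINE_RE.finditer(text)}
    prefix = PREFIX_RE.search(text)
    return defines, (prefix.group(1) if prefix else None)

def audit(text):
    """Return (setting, problem) findings; an empty list means every check passed."""
    defines, prefix = parse_config(text)
    findings = []
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append((name, "missing"))
        elif value == PLACEHOLDER or len(value) < 32:  # 32 is an assumed minimum
            findings.append((name, "default or too short"))
    if prefix in (None, "wp_"):
        findings.append(("table_prefix", "default wp_"))
    for name in ("FORCE_SSL_ADMIN", "DISALLOW_FILE_EDIT"):
        if defines.get(name, "false").lower() != "true":
            findings.append((name, "not enabled"))
    if defines.get("WP_DEBUG", "false").lower() == "true":
        findings.append(("WP_DEBUG", "enabled; turn off in production"))
    return findings

# Constructed sample (not a real site's file): one key left at the placeholder,
# one set properly, one empty, five never added, default prefix, debugging still on.
SAMPLE_CONFIG = """<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'k3Qz!8Lm#Vx2$Rt7%Wb9^Yc4&Hn1*Jf6+Dg0=Sp5');
define('LOGGED_IN_KEY',   '');
$table_prefix  = 'wp_';
define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', true);
"""

if __name__ == "__main__":
    for setting, problem in audit(SAMPLE_CONFIG): print(f"{setting}: {problem}")
```

To check a real installation, pass the file's contents to audit() instead of SAMPLE_CONFIG.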


Conclusion

We chose 11 great tips and tricks for your WordPress websites but the tricks for the wp-config.php file are, of course, not limited to these ones. Do you have any good tricks to share? Your comments are always welcome!
