Useful Security Musts For WP-CONFIG.PHP

The wp-config.php file is the most important file in the WordPress installation. The file sits in the root of your WP installation and configures the database connection, but it also holds some very important security details that can easily be updated to help protect your site from being hacked.

To access the wp-config.php file, log in via FTP or cPanel and edit the file directly. This article assumes that you already have your WordPress site set up.

Security Keys

The security keys are a set of secret variables used to encrypt the information stored in the user’s cookies. If you installed WordPress prior to version 3.0, you would have had to add the security keys to the wp-config.php file manually. Later versions of the WordPress wp-config.php file, however, come with the security keys pre-installed. Another thing to note is that prior to 3.0 there used to be 4 secret keys, whereas from 3.0 onwards there are 8 security keys available.

So why security keys, or salts, as you may have seen them referred to? WordPress doesn’t use PHP sessions to track state such as login; it uses cookies. This means that the “login information” is stored on the client side (the website visitor, i.e. you!) inside a cookie, so you have access to the session details. The salts encrypt that “information” to stop visitors from snooping around.

A set of salts can be generated here – WordPress Security Key Generator.

How do I update my Salts?

As previously mentioned, the salts live in the wp-config.php file, which can be found via FTP or cPanel in the root directory.

It’s a simple task of copying the salts from the generator page and replacing the current ones in the file.

Changing the database prefix

The database prefix “wp_” is the default across all WordPress installations. As another level of security, it is highly recommended to change this. The wp_ prefix can be changed when WordPress is first installed, but it must also be updated in the wp-config.php file.

If you did not change the wp_ prefix in the database when you initially installed your WordPress site, it can get a little tricky.

Before undertaking any changes to your site, especially updating files and databases, it’s imperative to take a backup of your site. We use the BackupWordPress plugin! OK, let’s get started.

Step 1: Open your wp-config.php file and change $table_prefix = 'wp_'; to something unique. It might be adding a few random numbers, such as wp_12874_.

Step 2: Access your database through phpMyAdmin. By default there are 11 database tables. If you have installed other plugins, there might be a few more than 11. Click on the SQL tab and input the following:

RENAME table `wp_commentmeta` TO `wp_12874_commentmeta`;
RENAME table `wp_comments` TO `wp_12874_comments`;
RENAME table `wp_links` TO `wp_12874_links`;
RENAME table `wp_options` TO `wp_12874_options`;
RENAME table `wp_postmeta` TO `wp_12874_postmeta`;
RENAME table `wp_posts` TO `wp_12874_posts`;
RENAME table `wp_terms` TO `wp_12874_terms`;
RENAME table `wp_term_relationships` TO `wp_12874_term_relationships`;
RENAME table `wp_term_taxonomy` TO `wp_12874_term_taxonomy`;
RENAME table `wp_usermeta` TO `wp_12874_usermeta`;
RENAME table `wp_users` TO `wp_12874_users`;

Step 3: In the options table we also need to find any “wp_” prefixes and update them. And yes, we have another SQL query for you. As before, run the following code from the SQL tab.

SELECT * FROM `wp_12874_options` WHERE `option_name` LIKE '%wp_%'

Step 4: We also need to update the usermeta table. As before, use the following code:

SELECT * FROM `wp_12874_usermeta` WHERE `meta_key` LIKE '%wp_%'
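
Steps 2 to 4 can also be generated for any table list, including plugin tables. The Python below is an added example, not code from the original article: it builds the RENAME statements and exact-match UPDATE statements for the option and usermeta keys that carry the table prefix, leaving other keys that merely start with wp_ untouched. The function name prefix_migration_sql and the PREFIXED_KEYS list are assumptions; check the list against the SELECT results from steps 3 and 4.

```python
import re

IDENT = re.compile(r"[A-Za-z0-9_]+")   # allowed in table names and prefixes
KEY = re.compile(r"[A-Za-z0-9_-]+")    # allowed in option / meta key suffixes

# Assumption: keys that WordPress core stores with the table prefix prepended.
# Check this list against the SELECT results from steps 3 and 4 and extend it.
PREFIXED_KEYS = {
    ("options", "option_name"): ["user_roles"],
    ("usermeta", "meta_key"): ["capabilities", "user_level",
                               "user-settings", "user-settings-time"],
}


def prefix_migration_sql(tables, old="wp_", new="wp_12874_", keys=PREFIXED_KEYS):
    """Return the SQL for steps 2-4 of a table-prefix change (hypothetical helper)."""
    for name in (old, new, *tables):
        if not IDENT.fullmatch(name):
            raise ValueError(f"unsafe identifier: {name!r}")
    if old == new:
        raise ValueError("new prefix must differ from the old one")
    statements = []
    for table in tables:
        # Skip tables of other installs and tables that already carry the new
        # prefix (wp_12874_ itself starts with wp_), so a re-run is harmless.
        done = new.startswith(old) and table.startswith(new)
        if table.startswith(old) and not done:
            statements.append(
                f"RENAME TABLE `{table}` TO `{new}{table[len(old):]}`;")
    for (table, column), suffixes in keys.items():
        for suffix in suffixes:
            if not KEY.fullmatch(suffix):
                raise ValueError(f"unsafe key: {suffix!r}")
            # Exact match, so unrelated keys that merely begin with the old
            # prefix are left alone.
            statements.append(
                f"UPDATE `{new}{table}` SET `{column}` = '{new}{suffix}' "
                f"WHERE `{column}` = '{old}{suffix}';")
    return statements


if __name__ == "__main__":
    # Constructed sample: core tables, a plugin table, another install's table.
    sample = ["wp_options", "wp_usermeta", "wp_users",
              "wp_myplugin_log", "blog2_posts"]
    print("\n".join(prefix_migration_sql(sample)))
```

Paste the printed statements into the SQL tab only after the backup has been taken and step 1 has been saved.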

We are done!

These are two very important aspects of updating your wp-config.php file to prevent security hacks. It is recommended that ALL WORDPRESS sites undertake these two steps.

If you wish MySiteGotHacked to help you do this, feel free to contact us.  But remember, don’t do anything without BACKING UP!
