When using a third-party system, it is important to stay aware of developments to that system. Over time, for example, WordPress releases maintenance and security releases to make sure your website is as secure as possible. Keeping on top of these upgrades is important, as it ensures that you’re running the latest and most secure version of your software (as well as any new features they’ve bundled in, which is, of course, beneficial).
The same goes for plugins and themes for WordPress. If you’re looking to modify your theme, be sure to use a child theme in order to make theme upgrades easier. Regarding plugins, be sure to keep up with upgrades, as outdated code on your web server can leave a known vulnerability open to exploitation. Keeping your WordPress-powered website up to date isn’t too difficult, provided you keep up with regular upgrades. Upgrading is one of those things whose true benefit one only realizes when something goes wrong or an exploit is made public.
wp-config.php – The Technical Side
Up until now, we haven’t really looked into any code that can help to secure your website.
When maintaining or upgrading your WordPress-powered website, the wp-config.php file is one file that the upgrade process does not touch. This file contains your database settings and any other setup you’ve manually added to the file. Naturally, it’s possible to harden this file further by following a few guidelines available on the WordPress Codex’s section about the wp-config.php file. While that page explains each section of the file in detail, I’d like to focus on a few headings in particular that relate to security.
If you let WordPress create your wp-config.php file for you, you’ve no doubt seen the security keys section when opening the file in a text editor. This is a really great way to add further security to your WordPress installation. You can even use the online security key generator to create the code for you, which you’d then place in your wp-config.php file.
The WP_DEBUG setting, while incredibly useful in a development environment, should always be set to false on a live website. While this isn’t strictly a security measure, a PHP warning message displayed on your website can reveal details of your server configuration to visitors.
By default, WordPress knows to look for wp-config.php within your server’s public_html folder, as well as one folder up from that. Placing wp-config.php outside of the public_html folder adds a layer of protection, as the file is then not directly reachable by users who have limited FTP access to the public_html folder only.
There are several other advanced techniques listed on the WordPress Codex, such as custom table prefixes. These are best handled when first installing WordPress. If you wish to implement this on an existing website, I’d advise erring on the side of caution, unless you are a more advanced user who is comfortable working directly at the MySQL database level. That being said, it doesn’t hurt to read the full page on the WordPress Codex to familiarize oneself with the possibilities. This is part of keeping oneself aware, as mentioned above.
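As an added example (not code from the original post or from WordPress itself), the following Python script audits a wp-config.php for the points covered above: the eight security keys and salts still at the sample placeholder or too short, WP_DEBUG left on, and the default table prefix. The sample config embedded in it is constructed for the demo, and the 32-character minimum for a key is an assumption used here, not a WordPress rule.

```python
import re

# Constructed sample wp-config.php excerpt for the demo (not a real site's file).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'Kv2b8Q3cGY#8bx7U1u8dDqKuA4EY%WRtr2aDmEjnxy@yJ8Zq5Lp');
define('NONCE_KEY',        'short');
$table_prefix = 'wp_';
define('WP_DEBUG', true);
"""

# The eight secrets WordPress expects in the security keys section of wp-config.php.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_KEY_LEN = 32                              # assumed threshold for this audit
DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(.+?)\s*\)\s*;")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;")


def parse_defines(text):
    """Return {NAME: value} for every define() call, with surrounding quotes stripped."""
    return {m.group(1): m.group(2).strip("'\"") for m in DEFINE_RE.finditer(text)}


def audit_wp_config(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    defines = parse_defines(text)
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{name}: too short ({len(value)} chars)")
    if defines.get("WP_DEBUG", "false").lower() == "true":
        findings.append("WP_DEBUG: enabled; set to false on a live site")
    prefix = PREFIX_RE.search(text)
    if prefix and prefix.group(1) == "wp_":
        findings.append("table_prefix: default 'wp_'")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG):
        print(finding)
```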
In addition to the above, when installing WordPress, make sure to set up your default administrator with a username other than “admin”. This is a common starting point for attackers trying to gain access to your website.
Please consider forwarding this blog post to your website administrators / designers if your website was developed in WordPress.