WordPress Security – Protect Site with WP-Config.php File

The WordPress wp-config.php file contains sensitive information such as the database connection details and the security keys. Besides that, the wp-config.php file can help you to protect your WordPress website. In this article, we’ll learn how to protect a WordPress site through the wp-config.php file.

Change Security Keys

The wp-config.php file stores the security keys and salts that WordPress uses to secure authentication cookies, logged-in cookies, and nonces.

define( 'AUTH_KEY',         '8201c1e0ac1645238f01021abccb055200d855c6');
define( 'SECURE_AUTH_KEY',  'afb1bb4f136a99b1424aa1d4ccf6c7de7eb7c7bb');
define( 'LOGGED_IN_KEY',    'ddb52cb06aa5ec2e7cc7c4a9c37af05e4f50204b');
define( 'NONCE_KEY',        '6ebd24bd142af0b3bb29786595ea9d7afe8c0ef6');
define( 'AUTH_SALT',        'e41b7965cd31091164f99fd8be077c562d36f7cb');
define( 'SECURE_AUTH_SALT', '97d579aba2301be64584634c718a535955b279ef');
define( 'LOGGED_IN_SALT',   '81512c5d181abc7af29c69c85433396254682acf');
define( 'NONCE_SALT',       '731ab0effedcdc8bddfa834d2ab479cbad635790');

These keys protect sensitive information, and you can change them at any time, especially when your site has been hacked. Changing them invalidates the existing login cookies, so every user has to log in again. You can use the WordPress security key generator to replace these keys.

Disable Plugin / Theme Installation

If your website is hacked, it’s easy for attackers to inject a malicious theme or plugin into it. The DISALLOW_FILE_MODS constant disables file editing and does not allow anyone to install a theme or plugin. It also disables the theme editor that you can find under the Appearance menu.


To disable theme/plugin installation, define DISALLOW_FILE_MODS as true at the bottom of the wp-config.php file.

Force the Use of SSL

Attackers can steal personal data as it travels between the browser and the site, but an SSL certificate encrypts the connection between the site and the browser to keep the information secure. You can use FORCE_SSL_ADMIN to force the admin area to use SSL. Put the code below in the wp-config.php file to force SSL on the admin area.

define('FORCE_SSL_ADMIN', true);

But it’s always recommended to use SSL on all pages.

Enforcing the Use of FTP

Preventing theme/plugin installation is always good for security purposes. But it’s also always recommended to keep themes and plugins up to date. An alternative is to let only valid users install and update themes/plugins, i.e. force users to provide FTP details. Even if your website is compromised, attackers cannot install a malicious theme or plugin without the correct FTP user details.

You can enable this through the wp-config.php file by adding one of the following, based on what your hosting supports.

# If your host / server supports FTP (PHP FTP extension) then define this line
define('FS_METHOD', 'ftpext');
# If your host / server supports the SFTP then define this line
define('FS_METHOD', 'ssh2');
# If your host / server supports FTPS then define this line
define('FTP_SSL', true);

Enabling Auto-Update

It is always recommended to keep your website up to date, because WordPress developers always try their best to provide you with a safe and secure solution. That’s why they release updates at irregular intervals.

Minor security updates have been applied automatically since WordPress 3.7. But for major core updates, you need to add WP_AUTO_UPDATE_CORE to your wp-config.php file.

define('WP_AUTO_UPDATE_CORE', true);

Always Turn Off Error Messages on the Frontend

An error message can display the complete path of the working directory, including the user name created by the host/server. You can protect your site by turning off error messages on the frontend and writing them to the error log file instead. Define WP_DEBUG_DISPLAY in the wp-config.php file to hide error messages from the frontend.

define( 'WP_DEBUG_DISPLAY', false );

Protecting the wp-config file

As we already know, wp-config contains sensitive information for your WordPress site. It is always recommended to keep the wp-config file safe from access.

You should apply permission 600 to the wp-config file so that it’s only accessible by the host/server user. The number 6 means that the host/server user can only read and write the file, and the two zeros mean that group and other users have no access.

You can apply this file permission through cPanel or FTP. Now add the following code to the .htaccess file so that the file cannot be accessed through the browser.

<files wp-config.php>
  order allow,deny
  deny from all
</files>
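
To check an existing install against the settings covered in this article, here is an added example (not part of the original article): a Python audit of a wp-config.php for the security keys, the four boolean constants and the 600 file mode. The function names, the finding messages and the constructed SAMPLE are assumptions of this example, and it reads define() lines with a regular expression rather than a full PHP parser.

```python
import re
import sys
from pathlib import Path

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # default in wp-config-sample.php
# Boolean constants from the article and the literal each should be set to.
EXPECTED = {"DISALLOW_FILE_MODS": "true", "FORCE_SSL_ADMIN": "true",
            "WP_AUTO_UPDATE_CORE": "true", "WP_DEBUG_DISPLAY": "false"}
# define('NAME', 'string'); or define('NAME', literal); group 2 is the quote.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(['"]?)(.*?)\2\s*\)\s*;""", re.M)
# Constructed sample: no keys, a quoted boolean, a commented-out define.
SAMPLE = """<?php
define('FORCE_SSL_ADMIN', true);
define('WP_DEBUG_DISPLAY', 'false');
// define('DISALLOW_FILE_MODS', true);
define('WP_AUTO_UPDATE_CORE', true);
"""

def parse_defines(src):
    """Return {NAME: (value, was_quoted)}; PHP keeps the first define() of a name."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)  # drop /* ... */ comments
    found = {}
    for name, quote, value in DEFINE_RE.findall(src):
        found.setdefault(name, (value.strip(), bool(quote)))
    return found

def audit(src, mode):
    """Return findings for wp-config.php source `src` with permission bits `mode`."""
    defs, findings = parse_defines(src), []
    if mode != 0o600:
        findings.append(f"file mode is {mode:o}, expected 600")
    if any(defs.get(k, ("", True))[0] in ("", PLACEHOLDER) for k in KEY_NAMES):
        findings.append("a security key or salt is missing or still the placeholder")
    for name, want in EXPECTED.items():
        value, quoted = defs.get(name, (None, False))
        if value is None:
            findings.append(f"{name} is not defined")
        elif quoted:  # a quoted 'false' is a non-empty string, so PHP treats it as true
            findings.append(f"{name} is the string '{value}', not the boolean {want}")
        elif value.lower() != want:
            findings.append(f"{name} is {value}, expected {want}")
    return findings

if __name__ == "__main__":  # audit the file named in argv[1], else the sample
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    text = path.read_text(encoding="utf-8") if path else SAMPLE
    print("\n".join(audit(text, path.stat().st_mode & 0o777 if path else 0o644)))
```

Run it with the path to wp-config.php as the only argument; with no argument it audits the constructed sample as if the file had mode 644.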

We hope this article helps you to protect your site through wp-config file.