Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
In this screencast, we improve site security by protecting the WordPress configuration file. As seen here, the configuration file is located in the root directory of our WordPress installation. It contains the username and database name and password for our database, as well as other super-sensitive information. This file is essentially the key to WordPress, and so it's mission-critical to keep it safe and secure. Here are two good ways of protecting the configuration file: restricting access via htaccess and restricting access via file permissions.
So let's return to the FTP editor and close the wp-config file and protect it with the htaccess code provided in this screencast. Just copy and paste beneath any existing rules in your htaccess file, as seen here, and then save and upload the file to your server. Returning to the Browser, let's check to make sure that our site is still working, that everything looks good still. We have the homepage, loads fine, single post works great, and we click around and see that everything is working great.
Now, let's check the actual configuration file and see what happens if somebody tries to access it directly. In the address bar of your browser, enter the installation directory of WordPress, followed by /wp-config.php, and hit Enter. We see a 403 Forbidden error, as expected. This means that the configuration file is now protected at the server level using our slice of htaccess code. Once the htaccess file is in place, we also want to ensure that file permissions are set to 640 or 644 for both wp-config and htaccess files.
These numbers correspond to the types of things that users can do with their files. In general, the lower the number, the less users may actually do with the file. For WordPress the recommended permission settings for folders is 755, and for files, it's 644 or less. So a setting of 644 for wp-config and htaccess allows WordPress to access the files, while returning the 403 Forbidden error to all external requests. So with our htaccess code in place, let's return to the browser and go look at the files on the server.
Here in the browser we're looking at the list of files and directories in the root directory of our WordPress installation, and here is the htaccess file. So if we look over in the Permissions column, we see rw-r--r--, so we click that. What does this mean? It means that the owner, group, and others can read the file, and the owner can write to the file, but nobody can execute or search the file. What do these permissions mean? So we go to an online conversion tool, like the one here, and we convert the RW values to what's called CHMOD number, by replicating the pattern here. Everyone can read, and the owner can write, which gives us the desired CHMOD value of 644, which is WordPress's recommended permission settings for files.
So now let's return and take a look at the configuration file. We scroll down a bit, and here is our configuration file, and we see that it has the same 644 settings, as shown here in our online tool. So, our wp-config file is now protected, and we are good to go. Normally, good hosts will set the best default permissions for files and directories, so there's really nothing to worry about, but even so, it's a good idea to double-check the settings for these key files. Technically, either of these methods, htaccess or proper file permissions, is going to protect your configuration file just fine.
So if you can't get into your server control panel right away, just adding the htaccess code is going to work perfectly well to keep it safe. In this screencast, we've seen how to protect the WordPress configuration file against malicious attacks. Two techniques are combined for maximum paranoid protection, but either one will do the job just fine. Just remember, the goal is to restrict access to the WordPress configuration file to help keep it and your site safe and sound.
There are currently no FAQs about WordPress 3: Developing Secure Sites.
Access exercise files from a button right under the course name.
Search within course videos and transcripts, and jump right to the results.
Remove icons showing you already watched videos if you want to start over.
Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.