There are literally hundreds of plugins promising to improve the safety of your shiny but vulnerable WordPress site. However, as a wise coworker of mine once said:

more code = more bugs = more security breach possibilities


So instead of adding more code, let’s take a few simple measures to drastically improve any WordPress install. We will have 2 goals here:

  1. Change the default settings so that our config is less predictable
  2. Put all critical resources on lockdown

1.  MySQL table prefix

Imagine a world where all the websites would use the exact same names for their MySQL tables. Wouldn’t that be heaven for a hacker? So yeah, the first step is to switch from wp_ to something different. It can be the name of your website, or even better, something totally random like 9iugHYt9y7_

This is preferably done when configuring database access before installing WordPress, in wp-config.php:

$table_prefix  = '9iugHYt9y7_';

If you already have a running install, you can always migrate, but it’s kind of risky. Here’s a complete tutorial on how to do so.

2. Secret Salt Keys

Salt keys are a set of random variables that improve encryption of information stored in the user’s cookies. Long story short, it makes your password a lot more difficult to crack. Setting unique salt keys isn’t required for WordPress to install properly, so a lot of wp-config.php files have default salt keys in them.

Setting secret salt keys is easy. Just go to to generate random and unique keys, then open your wp-config.php file and paste those generated keys in the appropriate section.


Note that it’s safe to do that on a running install, you will just need to log back in.

3. Disable debug messages

Debug messages usually contain sensitive information, like the full path to your WordPress install. This is why it’s highly recommanded to turn debugging off. Once again this is done in wp-config.php:

define('WP_DEBUG', false);

It’s also recommended to disable PHP errors entirely, by adding the following lines at the very begining of your wp-config.php:

@ini_set(‘display_errors’, 0);


4. Disable the theme and plugin editor

WordPress allows its privileged users to edit a file directly from the administration interface. If your administrator account is hacked, it will be an open door to your code base. That’s why it’s also recommended to disable this feature, again in wp-config.php:

define('DISALLOW_FILE_EDIT', true);

5. Protect wp-config.php

As you probably noticed, a lot of WordPress security settings are controlled from one single file: wp-config.php. Your database connexion information are in there too. That would be a shame if you set everything up correctly but allow anyone to read or edit that file… This is probably the most important action to do: secure wp-config.php.

To do so, log in to your server via FTP or command line, and change the file permission settings to 400. It means that the file owner can only read it, but won’t be able to edit it or delete it. Everyone else than the file owner won’t even be able to read it.

chmod 400 wp-config.php

For extra precaution, you can also forbid anyone to access the file from their browser. This is not absolutely necessary as the PHP code in the file won’t actually be displayed by the browser, but better safe than sorry!

To do that, open the .htaccess file at the root of your install, and add the following lines:

<files wp-config.php>
order allow,deny
deny from all

6. Hide the administrator

A WordPress account is protected by 2 things: the username, and the password. Let’s not give half of it to hackers. Knowing who is the administrator is super easy: just add ?author=1 to your home URL and voilà, you are redirected to the first user’s profile page, who usually is the admin.

To address this issue, WPMU has a drastic solution: redirect author archive pages to the homepage. If you don’t bother getting rid of author pages, then copy paste the following code to your functions.php file:

add_action(‘template_redirect’, ‘bwp_template_redirect’);
    function bwp_template_redirect()
        if (is_author()) {
            wp_redirect( home_url() ); exit;

Wrapping up

That’s all I got for now, but I’ll be sure to add new security related tips in here as I run into them. Also feel free to share your best practices in the comments section.