Comments on: Rock Solid WordPress: 7 Quick Strategies to Beef Up Your Security

By: Alvaro Gilabert

Alvaro Gilabert — Tue, 06 Apr 2010 11:08:24 +0000

On the .htaccess file, the code should read

files wp-config.php
order allow, deny
deny from all
/files

with the first and last time enclosed within

By: Alvaro Gilabert

Alvaro Gilabert — Tue, 06 Apr 2010 11:07:00 +0000

And the code did not appear :)

We’re talking of a basic include in PHP where you can reference the file.

include(‘/vhost/johndoe/private/wp-config.php’);

By: Alvaro Gilabert

Alvaro Gilabert — Tue, 06 Apr 2010 10:54:25 +0000

Sarah,

Very nice article covering some of the basics that all WP owners should follow. The new WP 3.0 lets you select how you want to name the admin user, I just hope that people will not chose admin or, worse, god. Hopefully we will also see the table prefix as part of the installation procedure.

I believe however that you forget one additional step that can further increase the security of any blog.

The most usual hack of a WordPress blog involves the file wp-config.php which is always located in the root of the installation. Someone being able to read that file will have full access to your blog, no matter how hard you try to protect it.

Almost all hosting scenarios, from a dedicated server to a sharing package, include a folder that is outside of the confins of the webserver (i.e. none can reach that folder from the web). The idea then would be to move the file wp-config.php to that folder and create a wp-config.php to replace it.

Say that you are in a typical shared package where your webserver full path is /vhost/johndoe/httpdocs/. Chances are that you have folders in /vhost/johndoe/ where you can put files, such as /vhost/johndoe/private/

So move your wp-config.php to /vhost/johndoe/private/wp-config.php and replace the original wp-config.php by the following code:

Nobody will be able to get access to your dB connection string from the web space.

For extra security, add the directive

order allow,deny
deny from all

to your .htaccess file

By: Ed

Ed — Thu, 18 Mar 2010 20:15:50 +0000

Thanks Michael. It worked. This time, I entered a password for the new admin name before changing the site admin.

By: Michael Marian

Michael Marian — Thu, 18 Mar 2010 20:04:52 +0000

Hi Ed,

It’s a bit confusing. While admin, I created a new member and gave full administration privileges to it. Don’t delete admin just yet.

While still logged in as “admin” user go to Site Admin > Options. Scroll down near the bottom is Administration Settings. The field for this is Site Admins and you can remove the admin and replace it with your new administrator’s user name. If it was me, it would be michaelmarian instead of admin. Then you can try out the new account and if all is well delete the admin account.

By: Ed

Ed — Thu, 18 Mar 2010 19:27:51 +0000

I have tried this two times so far. Each time I add a new user with admin privilege and then change admin to my new admin name, then save settings. The form immediately removes my admin privilege, so I log out. Then I attempt to login using my new admin name. …. It won’t accept my old password.

The article does not mention what happens to the old password. Also, it cannot email my new password because it does not recognize something.

So it is a catch 22. My only way out is to delete BP and then reinstall it all over again.

Is there some part of the instructions that is going unsaid?

By: Mark

Mark — Sun, 14 Mar 2010 04:54:44 +0000

But can I change it in wp-config right now? Or do I have to backup my db, and erase the tables first?

By: Michael Marian

Michael Marian — Sun, 14 Mar 2010 04:39:55 +0000

WP Security Scan does the prefix change as noted in Sara’s post. Mind you with Buddypress installed, I’m not completely comfortable trying it as it indicates I have already done it when I haven’t. I think it may have to do with the buddypress install..

By: Mark

Mark — Sun, 14 Mar 2010 04:17:56 +0000

About the prefix change in the DB.

1. Can I do this after installing WPMU?

2. Would there be plugins that could be affected by this? I can’t think of any functions in plugins that could, but I’m just putting it out there.

3. Would I have to change it back after each upgrade?

By: Michael Marian

Michael Marian — Sat, 13 Mar 2010 22:25:43 +0000

Yes. You need to change the Options in the Site Admin. Click on Options and scroll down to Administration Settings. The field is called Site Admin and the admin needs to be changed to the username of the new site admin. Otherwise you won’t have access to all Site Admin controls. Now you can login with the new account and delete the old site admin. I didn’t and had to go into the database and change it manually in the sitemeta table.

I’m glad I’ve done this now.