Security Tips to Configure wp-config in WordPress Hosting
The wp-config.php file is the most important file to protect on your site. It contains your username, password, and database name (among other things) for your WordPress install and by default, is accessible from any web browser.
The wp-config.php file is a standard part of your WordPress installation. It defines the configuration settings required to access your MySQL database. If you’re self-hosting WordPress, there's no way of getting around not using it.
It's your job to protect it ! You certainly don't want this file falling into the wrong hands in the event of a server problem. You can protect it by encrypting its content when you upload and denying access to it.
There are two main ways to easily protect the wp-config.php file from prying eyes and hackers. Both methods require you to have sftp or server-level access. Also turn off any caching plug-ins you may be using before attempting these steps.
Move wp-config.php up one directory : This is the easiest way assuming you’re comfortable moving files on your server. Essentially this works by taking wp-config.php and moving it outside of the public realm (typically one level above /public_html).
Modify your .htaccess or .conf file : This option is a little more advanced and requires that you’re running Apache or Nginx. You’ll need to edit your .htaccess file (Apache) or nginx.conf (Nginx) using a text editor. Be careful not to alter any other code in this file otherwise your site may break.
Copy and paste the following code into your .htaccess file to deny access to your wp-config.php file.
# protect wpconfig.php
deny from all
When saving your changes using “Notepad,” make sure that you change the “Save as type” dropdown to “All Files” so that it does not change your .htaccess file into a .txt file.
How to Secure WordPress website
WordPress is a content management system which helps to create attractive websites or blog. It is important to secure WordPress website from attackers and annoying users who want to hack your admin area.
To increase you security areas there are some actions through which you can protect your WordPress.
1. Use a good Password : To secure your password, you should use combinations of upper case and lower case letters,numbers and special characteristics in a password. Name and company names are bad password because it is very easy to hack these passwords.
2. Never use admin as a User Name : User name in wordpress can be identified easily. Use ‘Admin' as a user name may disclose your privacy. Use another user name which cannot be guessed or hacked by attacker.
3. Update website Plug-ins and CMS : Keep Plug-in and CMS up to date will avoid security issues of previous versions. update CMS and add new feature will keep your WordPress site bug free. To enhance WordPress you need to add, delete and replace files manually or automatically.
4. Using a Security Plug-in : Good WordPress Plug-in like All in One WP Security and Firewall, Sucuri-Sanncer or Bullet-Proof Security enables to block invalid login attempts from back-end of website. These plug-ins allow to rename website back-end login URL as different name.
5. Secure hosting infrastructure must be provided by hosting providers : security of your WordPress website should be taken care by you as well as your WordPress hosting provider . So make sure how webhosting provider can secure your WordPress website installation.
6. Backup Website : If new content added frequently then backup should be done once in a week. If no new content added then once a month is required. Website hosting control panel is much better alternate then plugins. Hosting provider will give more details regarding backup. You are free to ask hosting provider for help.
7. Monitor your website : Services like Pingdom provides check on your website and receive email or alerts when website goes off.
8. Avoid free website themes and plug-ins : Free themes and plug-ins can allow attackers to break website privacy. Generally Paid themes takes time to design and more secure as they develop in an account.
9. Don't allow commenting : Through comment boxes attacker might access website back end. It can cause a big risk regarding security. To avoid commenting in the WordPress settings and on individual pages under discussion settings.
10. Disable user registrations : Enabling user registration can lead to hacking. So user registration should be disabled on website.