Proteger WordPress

1. Change Database Prefix ($table_prefix)

The WordPress database consists of many tables to store posts, links, comments, users etc. Now these tables by default have standard names like wp_users, wp_options, wp_posts etc. Now a hacker knows that your user details are stored in the table wp_users, and will try and exploit this. We can however prevent the hacker from guessing the name of the table. To do this, while installing WordPress, we need to change the setting for $table_prefix.

In your wp-config file there will be a line:

$table_prefix  = 'wp_';

You need to change it to something random like:

$table_prefix  = 'axcsr_';

This will cause the tables in the database to become axcsr_usersaxcsr_posts etc, in turn making it harder for the hacker to guess.

2. Disable Editing of Theme/Plugin files

In the WordPress Dashboard, there is an option to edit your theme/plugin files. This option is not to be used by normal users under any circumstance. However, in the hands of a hacker it can be extremely dangerous. For example, suppose a hacker is able to login to your site using some exploit. One of easiest mechanisms for them to add malware to your site, will be by editing existing files. By disabling the option to edit these files, you take away a valuable tool from hackers. It can be done by adding the following line to your wp-config.php file:


3. Disallowing user to install plugins, themes or doing updates.

Disallowing a user to edit plugin/theme files will only provide one level of security. However, this does not prevent the hacker from adding a new plugin or theme. Once the Admin Panel is compromised, the hacker can also install a rogue theme or a rogue plugin. If you do not install plugins on a regular basis, we suggest, that you disable this option altogether. This can be done by using the option:


In such cases, a plugin/theme can however be installed by directly copying the plugin to the site using FTP.

 4. Forcing use of FTP for all uploads, upgrades and plugin installation.

Tip #3 can be quite restrictive for many sites. An alternative in such cases could be to force users to provide FTP details whenever uploading a file, or installing a plugin/theme. Hence, even if a hacker is able to infiltrate your Admin Panel, they will not be able to install a new script without knowing your secret FTP credentials. To do this, add the following line to your wp-config.php:

define('FS_METHOD', 'ftpext');

If FTPS is supported then add the following line to the config file:

define('FTP_SSL', true);
 If your webhost or server supports SFTP you should use the following more secure option instead:
define('FS_METHOD', 'ssh2');

5. Change Security Keys

When a user logs into the Admin panel, WordPress generates cookies to keep the status of the users. To ensure that the cookies are safe and not guessable, it adds a salt while generating the cookie. This salt should ideally be long and difficult to guess. The salt is picked from 8 parameters in wp-config.php and look something like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

The above should be replaced with a new set upon installation, and WordPress provides and excellent tool to generate these randomly. You can get the same from:

Also, in case your site gets hacked, it is highly advisable to change these keys with fresh ones. This will force all users to login again, and hence the hacker cannot use old cookies.

6. Move wp-config.php out of the core WordPress folder.

Typically wp-config.php is placed in the core WP folder along with other standard files like wp-settings.php, wp-login.php etc. WordPress also supports a more secure option, where in the wp-config.php can reside on the folder outside your wordpress installation. For example if your wordpress is installed in the folder /public_html/ folder, instead of having the file being present as /public_html/wp-config.php, you should store it as /wp-config.php. WordPress will intelligently pick up the configuration from this instead.

A good WordPress Backup solution like blogVault will identify that the file is present in the outer folder, and will still back it up.

 7. File Permissions of wp-config.php

Change the permissions of the file, so that only your webserver can access it. Further this file should not be modifiable/writable by anybody. Hence the preferred permission here would be to use:  400 or 440 depending on your setup. Permissions can typically be changed by using FTP or cPanel.

8. Securing the htaccess file

Apache uses htaccess to prevent unauthorized access to certain parts of the site. Since wp-config.php should never be accessed directly by anybody, and since it contains the critical database details, we should block it from htaccess file too. This can be done by adding the following lines to your htaccess file:

order allow,deny
<strong>deny from all

We will cover other mechanisms to improve the security of your site in future posts.



Security Ninja Lite Site Analysis


The right way to remove the WordPress version number

Going a step beyond the previous method, this technique gets the job done quite eloquently, with a mere 41 characters of code:

remove_action('wp_head', 'wp_generator');

Just place that single line into your theme’s functions.php and enjoy a small taste of “security through obscurity”. 🙂


Protection from malicious URL Requests

Block Bad Queries (BBQ) plugin will check for malicious URL requests Long request strings, presence of either “eval” and “base64″ php functions .Install this plugin to harden wordpress security.

Proteger WordPress

Proteger WordPress
Vote neste artigo


  1. wordpress || at

    Prestamos serviço de programação na área de wordpress


O seu endereço de email não será publicado. Campos obrigatórios marcados com *