The WordPress owners guide to a secure WordPress site – the installation


A big part of a secure WordPress site can be set at installation. This post will take you through the tweaks you can make during setup to ensure a secure WordPress installation. Whilst you will not see anything different after making these changes, rest assured that the difference they make is huge.

Change the table prefix

The first thing that you should do is to change the table prefix.

Attackers count on you not changing the default table prefix. Automated scripts that target the WordPress database aim for the default table names during their attacks. When you change the table prefix, you effectively disable these scripts.

In the image below you will see the standard welcome screen when you install WordPress. The table prefix is already filled in as “wp_”, and for that reason most people skip it. The change doesn’t need to be elaborate: a two or three letter name followed by an underscore is already a huge step forward.

Change the salt and secret keys

If you open the default wp-config.php file you will see the secret keys and salts listed:

define('AUTH_KEY',         '>m;jf[!):XW!_Z,|3W=kMA^^lu!h#z!b!,5=BP?n12');
define('SECURE_AUTH_KEY',  'h+|rh?OSxneQi`..qqWrgC?+*B8h61&gI48$K|s6s.');
define('LOGGED_IN_KEY',    'G!hksTXr1LVa((f3TRTN=/t,p6A>pPiJ;WJ>LD(U/X');
define('NONCE_KEY',        '7L)P%f!HvVz1_puHb#$$R>Q*}W%4[lu>.%2%d*-BrM');
define('AUTH_SALT',        ')X51GQ[r2,?3^Ecy@,=mO8eWvNGQaW?f^S[,Pp.PK$');
define('SECURE_AUTH_SALT', '%kWs[*ZySpR4M,SuhrQd!~Rtm}BF_##1>GQ{w-EDF.');
define('LOGGED_IN_SALT',   '.5kXEPFCqsdjVV[qE[s[`c!P]WPn8,l;@[]#:UP$+f');
define('NONCE_SALT',       '<7+p(}ik4Uz)kb~9#GSG0y{5AJWELR4?uVmfL)2;.f');

The secret keys and salts are used to encrypt the data stored in the cookies. These cookies are how WordPress recognises your browser as one that is logged into your WordPress website as a particular user.

If someone with bad intentions ever obtains your WordPress cookies, the encrypted cookie makes it much more difficult, if not impossible, for that individual to compromise your website using them.

As with the table prefix, the default keys are publicly known, so refreshing the keys and salts with a fresh set automatically bumps your security up another level.

Getting a fresh set of keys is easy: visit the generator here, grab a fresh copy and replace the default set in wp-config.php. Remember to save.
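As an added example that is not code from this post or from WordPress, the shell script below checks a wp-config.php for both install-time settings covered so far (the table prefix and the eight keys and salts) and swaps in a freshly generated key block pasted into a file. File names are placeholders, and the sample values used to try it are constructed.

```shell
#!/bin/sh
# Added example: audit and fix the install-time settings in a wp-config.php.
# Paths passed as arguments are placeholders chosen by the reader.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Value of one define('NAME', '...') line in file $1 (empty if the key is absent).
wp_key_value() {
    sed -n "s/^define( *'$2', *'\\([^']*\\)' *);.*/\\1/p" "$1"
}

# Prints one FAIL line per finding; returns 0 only when the config passes.
wp_config_audit() {
    rc=0
    if grep -Eq "^\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$1"; then
        echo "FAIL: table prefix is still the default wp_"; rc=1
    fi
    for k in $WP_KEYS; do
        case "$(wp_key_value "$1" "$k")" in
            ""|"put your unique phrase here")
                echo "FAIL: $k is missing or still the sample placeholder"; rc=1 ;;
        esac
    done
    # A generated set never repeats a value, so eight distinct strings are expected.
    n=$(for k in $WP_KEYS; do wp_key_value "$1" "$k"; done | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 8 ] || { echo "FAIL: keys and salts are not eight distinct values"; rc=1; }
    return $rc
}

# Replaces the eight define() lines in $1 with the ones found in $2 (the pasted
# fresh set), writing the result to $3. Lines are copied verbatim, so the
# punctuation-heavy values never pass through a regex replacement.
wp_config_apply_keys() {
    awk -v q="'" '
        function key_name(line,   a) { if (line !~ /^define\(/) return ""; split(line, a, q); return a[2] }
        NR == FNR { k = key_name($0); if (k != "") fresh[k] = $0; next }
        { k = key_name($0); if (k != "" && k in fresh) print fresh[k]; else print }
    ' "$2" "$1" > "$3"
}

# Rewrites the $table_prefix line in $1 to use prefix $2 (letters, digits,
# underscore), writing the result to $3.
wp_config_set_prefix() {
    sed "s/^\\\$table_prefix[[:space:]]*=.*/\$table_prefix = '$2';/" "$1" > "$3"
}
```

Run the audit first on the file as installed, then again after applying the new keys and prefix; an empty report means both settings have been changed.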

Delete what you don’t need

Keep your installation to the bare essentials you need to get by. We’re not saying that you should not use what’s available, but rather that you should delete what you’re not using.

Unused user accounts, unused plugins and unused themes are all code attached to your WordPress installation, and all of it presents a threat.

The reason it’s important to delete what you’re not using is that we tend to update only the things we use, and forget about the software we don’t.

When we assist with support we regularly see old plugins causing havoc on sites. When we ask users about it, they simply say that they don’t use the plugin so they don’t update it. That’s dangerous: the plugin you don’t use can be exactly the security flaw a hacker is looking for. Get rid of it.