Moving the wp-content directory

Another directory in your WordPress installation that’s attractive to hackers is the /wp-content folder. Hackers sometimes attack this directory because it holds all your theme and plugin files. If a hacker can exploit any of the code found within those files, she can gain control of your Web site, or at the very least, mess it up a lot.

You can move the /wp-content directory to a location on your Web server
outside the WordPress installation directory, making it a lot harder, if not
impossible, for outside hackers to locate. To move the folder, create a new
folder on your Web server outside the WordPress installation directory and
then, using your FTP program, drag and drop the /wp-content folder to
the new one you just created. In most popular FTP programs, you can right-
click with your mouse and choose New Folder, which allows you to create a
new folder and give it a name.

Read More

Absolute WordPress path

The configuration file defines the absolute path, or the full directory path on your web server, to the WordPress files on your Web server. This is called once when WordPress is executed and tells the Web server where, within your directory, it needs to look for the core files to successfully run WordPress on your site. The code that defines the absolute path in the wp-config.php file looks like this:

/** Absolute path to the WordPress directory. */ if ( !defined(‘ABSPATH’) )

define(‘ABSPATH’, dirname(__FILE__) . ‘/’);

/** Sets up WordPress vars and included files. */ require_once(ABSPATH . ‘wp-settings.php’);

Read More

Database table prefix

The underscore after the table prefix isn’t required but is recommended practice to make the database tables easier to read and sort. Refer to Figure 5-1 and you see that the tables are named like this: wp_commentmeta, wp_ comments, and so on. Placing the underscore after the prefix makes for easier reading and a more organized looking database. Reading a database can be confusing enough, so make it easy on yourself and use the underscore if you choose to change the database table prefix.

 

Read More

Database table prefix

During the installation process, you can change the default wp_ prefix to
anything you want. In fact, most security experts recommend that you
change the database prefix because WordPress is a big target for hacking
(malicious scripts, spam, and so on). Web bots and spiders can be set to
look for the usual WordPress default settings and attempt to exploit them.
The wp_ database table prefix is one of those obvious default settings, so
to safeguard your installation, change the prefix to anything you choose.
However, keep in mind that if you change the prefix, you need to change it
to something very difficult for a script or an automated program to guess.
Treat the prefix like a password and make it a random string of letters and
numbers — something like sd30df43xxi54_. Just be sure that it’s unique
and difficult to guess.

If you didn’t change the table prefix during installation, you can go back and
do it later if you want to. You will need to edit the $table_prefix line in
the wp-config.php file. Also, you’ll need to alter the table names in your
database by accessing the database administration interface provided by
your Web hosting provider (like phpMyAdmin, for example) and by renam-
ing the tables to replace the wp_ prefix with the one you defined in the
wp-config.php.

Read More

Database table prefix

By default, when installing WordPress, you’re asked for the database table prefix and given the wp_ default prefix. This is how the tables in the database are defined and called by the different WordPress functions in the

code. Figure 5-1 shows Lisa’s WordPress database displayed in phpMyAdmin (a database administration interface), which displays all the tables in Lisa’s WordPress installation with the wp_ prefix.

Here’s how the database table prefix definition looks in the wp-config.php file:

/**

* WordPress Database Table prefix.

* You can have multiple installations in one database if you give each a unique
prefix. Only numbers, letters, and underscores please!

*/

$table_prefix = ‘wp_’;

Read More

Default language

 

English is the default language for every WordPress installation; how-

ever, you can use any of the language translations currently available for

WordPress by changing the WPLANG parameter in the wp-config.php file. By default, the WPLANG parameter looks like this:

/**

* WordPress Localized Language, defaults to English.

* Change this to localize WordPress. A corresponding MO file for the chosen
language must be installed to wp-content/languages. For example, install
de.mo to wp-content/languages and set WPLANG to ‘de’ to enable German
language support.

*/

define (‘WPLANG’, ‘‘);

We don’t have the room to list the all the available languages, but you

can find the specifics at the WordPress Codex page (http://codex.
wordpress.org/WordPress_in_Your_Language), which lists all the
languages you have access to, including the language code. If you want
WordPress translated into French, for example, look up the language code
on the Codex page. You can see that the code is fr_FR. To use French
rather than English, you change the WPLANG parameter to:

define (‘WPLANG’, ‘fr_FR’);

Then save the file and upload it to your server. Your WordPress Dashboard

displays in the French language, rather than the default English.

 

Read More

Discovering the Configuration File

Follow the directions in the file and visit the WordPress secret-key service
Web page (https://api.wordpress.org/secret-key/1.1/salt;
be sure to refresh this page a few times to make sure that you get unique
keys) to obtain the keys that you need to replace the existing defaults (rep-
resented in the wp-config.php file by the lines that start with define.
Copy the keys from the Web page and then replace the eight lines of default
(blank) keys in your wp-config.php file. After you do that, this section of
the file looks like this (except with your own, unique secret keys):

/**#@+

* Authentication Unique Keys and Salts.

* Change these to different unique phrases!

* You can generate these with the {@link https://api.wordpress.org/secret-key/1.1/
salt/ WordPress.org secret-key service}. You can change these at any point in

time to invalidate all existing cookies. This will force all users to have to
log in again.

* @since 2.6.0

*/

define(‘AUTH_KEY’,’OkjsE|hTe1A#+yK*;zWOh_~we{X}(uX=TUXtV`WC9Owz_eA@c_
LKH-Le;qKDPcn’);

 

define(‘SECURE_AUTH_KEY’,’mGt;>cS&Gn,weoFIoJts[.+8bm$Qk|+|a|]>u<TLQRJBH2_
eb>$TDk{ru&:|$5b’);

define(‘LOGGED_IN_KEY’,’N13G3G^n8w%B4Nge)|V6TyI!S^Td!u|6_]}8kVSDB]p|@fTu=%>)

M<s>%|t<qJb’);

define(‘NONCE_KEY’,’pOj/Uj?&+AJVO9SnRhr<e8:dO+A8>XgSO5SuUYpvkjy@%O:Hi

< Z->|!~YIA+Yq’);

define(‘AUTH_SALT’,’8c%^y1/Kts3(I|N9/:`DM(j+qx.rKQh+I##E~e!Oq7|

@p5j^D1:Yic+GQtlX>d’);

define(‘SECURE_AUTH_SALT’,’!$Fi=K0jfK([;1x~EzN,QQOja_y5a|oxl_On~7AIT&8<dE:)

M|DGc?Cb:sQiTor’);

define(‘LOGGED_IN_SALT’,’N&j*A6khkJb}DhN>)+||e2}(:^Oo+mw!~DV0V;3W:75C|KCrHK[)

7th_w:3%Fqe’);

define(‘NONCE_SALT’,’xscOi.7I=%1;=-{mWjN=+gN03].RjLR6|ZpvbZt@

bqK{p$2p;M.%,&i#9U8SLZ’);

You can change the secret keys any time by editing the wp-config.php file and replacing the keys with new ones. Doing so doesn’t affect the function-

ing of your Web site, but it does require that users log in to your site again, if they were already logged in, because changing the keys changes user

authentication and retires the cookies that had already been placed in their browsers.

Read More

Secret keys (salts)

Secret keys enhance WordPress security through user authentication with the placement of a cookie in the user’s Web browser. They are also referred to as salts, a word commonly used in cryptography to represent random keys, such as in a password. Secret keys in your wp-config.php file make your site harder for outside sources to gain access to because they add random keys to the user password.

These keys aren’t populated during the WordPress installation, so after the
installation is complete, you need to visit the wp-config.php file to set the
keys so that your WordPress installation has unique keys that are different
from any other installation — making it more secure because the keys are
specific only to your site. By default, the code in the file looks like this:

/**#@+

* Authentication Unique Keys and Salts.

* Change these to different unique phrases!

* You can generate these with the {@link https://api.wordpress.org/secret-key/1.1/
salt/ WordPress.org secret-key service}. You can change these at any point in
time to invalidate all existing cookies. This will force all users to have to
log in again.

* @since 2.6.0

*/

define(‘AUTH_KEY’,         ‘put your unique phrase here’);

define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);

define(‘LOGGED_IN_KEY’,           ‘put your unique phrase here’);

define(‘NONCE_KEY’,     ‘put your unique phrase here’);

define(‘AUTH_SALT’,      ‘put your unique phrase here’);

define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);

define(‘LOGGED_IN_SALT’,            ‘put your unique phrase here’);

define(‘NONCE_SALT’,     ‘put your unique phrase here’);

Read More

Database information

The database information section of the wp-config.php file contains the

database credentials that are required for WordPress to connect to your
database. During installation, the WordPress installation script populates

this data after you input the database name, username, password, and host in the installation form (see Book II, Chapter 4). The following lines of code show you what this section of the file looks like in its default form:

// ** MySQL settings - You can get this info from your Web host ** //

/** The name of the database for WordPress */

define(‘DB_NAME’, ‘database_name_here’);

/** MySQL database username */

define(‘DB_USER’, ‘username_here’);

/** MySQL database password */

define(‘DB_PASSWORD’, ‘password_here’);

/** MySQL hostname */

define(‘DB_HOST’, ‘localhost’);

 

Read More

Exploring main configuration settings

After the wp-config.php file is nice and secure, you need to know what’s stored within it so you can reference it and understand how WordPress hooks into, or communicates with, the database you configured and set up in Chapter 4 of this minibook. Open the wp-config.php file by using your default text editor and have a look inside. The next sections take you through, in detail, the information stored within.

 

Read More

Securing the configuration file

3. Save the new .htaccess file and upload it to your Web server.

Your wp-config.php file is hidden from any outside bots or search engines.

4. Change file permission (chmod) on wp-config.php to 640.

See Chapter 2 of this minibook for information on file permissions and how to change permissions (chmod) via FTP.

Changing the file permission to 640 ensures that the file can be written
(or changed/edited) only by the owner of the file, not by the public; or
worse yet, by any automated bots or script programs run by hackers.

Read More

Securing the configuration file

1. Log in to your Web server via FTP, and then locate and open the
.htaccess file to edit it.

See Chapter 2 of this minibook for information on File Transfer Protocol (FTP).

Most FTP programs allow you to open and edit a file on the server by
right-clicking the filename and choosing Edit. This opens the file in the
default text editor on your computer (either Notepad for Windows or
TextMate for Mac).

2. Add the Deny from all code to the top of the .htaccess file.

 

This secures the file from being seen by any bots or search engines on the Web:

<Files wp-config.php>
Order Allow,Deny

Deny from all
</Files>

Read More

Securing the configuration file

 

As you can probably already guess, hackers find the valuable information
stored in the wp-config.php file attractive. If someone with nefarious
intent were to get your database username and password, he could log in
and undo everything that you’ve built! Therefore, take whatever steps you
can to secure that file so that no one, but you, has access to it. One quick
and easy way to do that is to disallow any bots (automated software appli-
cations that run on the Internet) access to it and to change the file permis-
sions. To do so, follow these steps:

Read More

Discovering the Configuration File

 

Every WordPress installation contains a configuration file that holds essential data for your Web site to work. The file, wp-config.php, is located in your WordPress installation directory (see Chapter 4 of this minibook). Simply put, your Web site doesn’t work if this file is missing or if the data found within the file is incorrect.

More than likely, you haven’t even looked at your wp-config.php file yet because when you download the WordPress software, the file is actually wp-config-sample.php. When you install WordPress, the file is renamed wp-config.php and is populated by WordPress with the following information, some of which you may remember from when you installed WordPress, and some that we explain later in this chapter:

✦ Database name
✦ Database username
✦ Database password
✦ Database host
✦ WordPress language: English is the default.
✦ WordPress database table prefix: wp_
✦ Secret keys
✦ Absolute path to the WordPress files on your Web server

All this information must be present in the wp-config.php file for your
installation to work correctly. If WordPress already works on your site, most likely, your wp-config.php file is correct and functioning beautifully. (See Chapter 4 in this minibook for how to install WordPress.)

Read More

Common WordPress Installation Problems

Error Message       Common Cause           Solution

500:                         Permissions on           Try setting the permissions (chmod)

Internal                PHP files are set           on the PHP files to 666. If that change

Server                     incorrectly.               doesn’t work, set them to 644. Each

Error                                                                  Web server has different settings for

how it lets PHP execute on its servers.

404: Page              The URL for the           Double-check that the URL you’re

Not Found            login page is incor-   using to get to the login page is

rect.                         the same as the location of your

WordPress installation (such as

http://yourdomain.com/

wp-login.php).

403:                         An index.html           WordPress is a PHP application, so

Forbidden             or index.htm               the default home page is index.

Access                    file exists in the        php. Look in the WordPress installa-

WordPress instal-     tion folder on your Web server. If an

lation directory.         index.html or index.htm file

is there, delete it.

 

Read More