Configuration

This section shows you how to configure your site correctly and then lists optional settings that harden it further.

IMPORTANT NOTE: You must do this configuration before you upload your WordPress files to your web site.

Prepare your Configuration File:

Be sure you are in a file manager and in the WordPress directory.

First, copy wp-config-sample.php to a new file called wp-config.php in the same directory. Then move wp-config-sample.php to a safe place, or remember not to upload it when you upload WordPress.

Open wp-config.php in a text editor. Do not use a word processor such as Microsoft Word, LibreOffice or OpenOffice Writer. The editor must save the file as plain text (ASCII, or UTF-8 without a byte-order mark): a BOM or any other character before the opening <?php is sent to the browser and causes "headers already sent" errors. Examples of text editors are Notepad, EditPlus or Notepad++ on Windows; TextEdit (in plain-text mode) or Sublime Text on Mac; and Kate, Mousepad or gedit on Linux.

Basic Configuration:

At the very least, you must fill in the following values. The placeholder values shown in quotes must be replaced with your own data as described below.

define('DB_NAME', 'database_name_here');
define('DB_USER', 'username_here');

Use your MySQL username (which is the same as your database name) for both database_name_here and username_here.

define('DB_PASSWORD', 'password_here');

Remove password_here and replace with your MySQL Password.

IMPORTANT NOTE: If you change your MySQL password in the Active Web Hosting Account Administration System, you will have to download this config file from your CGI Server account via FTP, edit it to use your new MySQL password and re-upload it via FTP to replace the old config file so that WordPress will continue to work.

In your web browser, go to the following address: https://api.wordpress.org/secret-key/1.1/salt/

Copy the text shown in your web browser (highlight all of it, then press CTRL+C or right-click and choose Copy).
Paste it into the config file, replacing all of these lines:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');


IMPORTANT NOTE:
This step is essential for the security of your site: WordPress uses these keys and salts to sign login cookies and form nonces, and the placeholder values are public. Each time you visit the link above it produces a fresh random set. If you replace the keys later (for example after cleaning up a compromised site), every existing login cookie becomes invalid and all users, including you, must log in again.

$table_prefix = 'wp_';

Replace wp_ with a value of your own followed by an underscore. Be sure the value is not already used by another script running on your CGI Server account: log into phpMyAdmin with your database username and password, click your database name on the left, then click the Structure tab at the top to see the prefixes of the existing tables. Choose something that does not match the letters before the underscore in any existing table name.

A good prefix is a mixture of upper- and lower-case letters and digits (no symbols or spaces), followed by an underscore. Note that a non-default prefix only defeats scripted attacks that assume the tables are called wp_users, wp_options and so on; it does not replace keeping WordPress, plugins and themes up to date.
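The basic configuration above, carried out by a script. This is an added example written for this page, not code from WordPress or from Active Web Hosting. It reads wp-config-sample.php, fills in the database values, generates the eight keys and salts locally with Python's secrets module as an offline alternative to the api.wordpress.org page, validates and sets the table prefix, and refuses to return a file that still contains a placeholder. The credentials and the prefix Qz7k_ in the usage line are hypothetical, and SAMPLE is a constructed excerpt standing in for the real sample file.

```python
"""Build wp-config.php from wp-config-sample.php (added example, not WordPress code)."""
import os
import re
import secrets
import string

# The eight constants WordPress ships with placeholder values.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Alphabet for generated keys: printable ASCII minus quote and backslash,
# so a key never needs escaping inside a PHP single-quoted string.
KEY_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def generate_key(length: int = 64) -> str:
    """One random key, comparable to one line from the WordPress salt page."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def php_single_quoted(value: str) -> str:
    """Quote a value as a PHP single-quoted string; only \\ and ' need escaping."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def set_define(config: str, name: str, value: str) -> str:
    """Replace the quoted value of define('NAME', '...'), whatever the spacing."""
    pattern = re.compile(
        r"define\(\s*'" + re.escape(name) + r"'\s*,\s*'(?:[^'\\]|\\.)*'\s*\)"
    )
    replacement = "define('%s', %s)" % (name, php_single_quoted(value))
    # A callable avoids re's backslash processing of the replacement text.
    new_config, count = pattern.subn(lambda _m: replacement, config, count=1)
    if count != 1:
        raise ValueError("no define() found for %s" % name)
    return new_config


def validate_prefix(prefix: str) -> str:
    """Letters and digits followed by one underscore, and not the default wp_."""
    if not re.fullmatch(r"[A-Za-z0-9]+_", prefix):
        raise ValueError("prefix must be letters/digits ending in a single '_'")
    if prefix.lower() == "wp_":
        raise ValueError("the default prefix wp_ is exactly what attackers assume")
    return prefix


def set_table_prefix(config: str, prefix: str) -> str:
    """Rewrite the $table_prefix assignment."""
    pattern = re.compile(r"\$table_prefix\s*=\s*'[^']*';")
    line = "$table_prefix = %s;" % php_single_quoted(validate_prefix(prefix))
    new_config, count = pattern.subn(lambda _m: line, config, count=1)
    if count != 1:
        raise ValueError("no $table_prefix assignment found")
    return new_config


def build_config(sample, db_name, db_user, db_password, table_prefix):
    """Apply every Basic Configuration edit and refuse to return placeholders."""
    config = sample
    for name, value in (("DB_NAME", db_name), ("DB_USER", db_user),
                        ("DB_PASSWORD", db_password)):
        config = set_define(config, name, value)
    for name in KEY_NAMES:
        config = set_define(config, name, generate_key())
    config = set_table_prefix(config, table_prefix)
    if "put your unique phrase here" in config or "_here'" in config:
        raise ValueError("a placeholder value survived; refusing to write it")
    return config


# Constructed excerpt standing in for the real wp-config-sample.php.
SAMPLE = """<?php
define('DB_NAME', 'database_name_here');
define('DB_USER', 'username_here');
define('DB_PASSWORD', 'password_here');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    # Use the real sample file when run inside the WordPress directory.
    sample = SAMPLE
    if os.path.exists("wp-config-sample.php"):
        sample = open("wp-config-sample.php", encoding="utf-8").read()
    # Hypothetical credentials; on a real account take them from a prompt.
    print(build_config(sample, "awh_demo", "awh_demo", "s3cret'pass", "Qz7k_"))
```

Run it in the WordPress directory and redirect the output to wp-config.php. The escaping in php_single_quoted is not optional: a MySQL password containing ' or \ pasted straight into the file would break the PHP syntax and take the site down. The one step the script cannot do is the phpMyAdmin check, so still confirm the prefix against the existing tables as described above.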

Security Configuration Options:

These configuration options may further protect your site. It is recommended that you do as many of these extra steps as possible (if applicable).

Add the following comment line to wp-config.php, just above the "That's all, stop editing!" comment near the end of the file. Do not put settings after the require_once of wp-settings.php that follows that comment: by then WordPress has already loaded, and some settings (DISABLE_WP_CRON among them) are read too late to take effect.

/** Additional Security Configurations **/

Place any of the additional configurations under that line.

Disable WordPress File Editing

WordPress provides a built-in editor for files such as CSS stylesheets and some WordPress, plugin and theme PHP files. It is convenient, but anyone who obtains an administrator login (through a guessed or stolen password, or a vulnerable plugin) can use the same editor to plant code on your site, compromise it or set it up to send spam. The safest way to edit files is to download them from your CGI Server account via FTP, edit them on your computer and then upload the edited file to replace the old one.

To disable file editing so that these files cannot be changed from the dashboard, add this line below the comment you created:

define('DISALLOW_FILE_EDIT', true);

Use the bare constant true, not the quoted string 'true'. WordPress only tests whether the constant is non-empty, so a quoted 'true' works by accident, and a quoted 'false' would also disable editing, which makes a quoted value easy to misread later.

NOTE: You will still be able to create and edit your normal blog posts, comments and pages within WordPress. This only removes the Theme Editor and Plugin Editor screens; plugins and themes can still be installed and updated from the dashboard (the separate DISALLOW_FILE_MODS constant would block that as well).

Prevent JetPack Plugin's Email Sharing Button Spam

If you are using the JetPack plugin and its Email Sharing Button (which lets visitors send your blog posts to someone else by email), you need to protect that form from being used to send spam. The usual way to do this is to protect it with Google reCAPTCHA.

First, create a free Google Account and sign up for Google reCAPTCHA (also free). Note the two keys it gives you: the site key (public) and the secret key (private).

Add these two lines to your wp-config.php file, replacing your_site_key and your_secret_key with your actual reCAPTCHA keys. Keep the secret key only in wp-config.php; it must never appear in a theme file, a post or anything else served to visitors.

define('RECAPTCHA_PUBLIC_KEY', 'your_site_key');
define('RECAPTCHA_PRIVATE_KEY', 'your_secret_key');

Disable WordPress Cron Jobs

WordPress contains its own 'cron' system (the file wp-cron.php) which publishes posts you have scheduled for a later time, checks for updates and runs timed tasks for plugins, such as scheduled emails. It is not started by the clock. Instead, WordPress spawns a request to wp-cron.php during ordinary page views, and that request checks whether any task is due and runs it. On a site with few visitors the check runs rarely, so you may not notice it at all; on a busy site it runs on almost every page view, which is unnecessary work and can slow the site down. Malicious code that gets onto your site can also replace the contents of wp-cron.php so that it sends spam or gives a bot access to your WordPress files and directories. If you are concerned about slowdown or security, disable the cron system and do these tasks yourself from your WordPress dashboard.

To do this, add this line below the comment you created:

define('DISABLE_WP_CRON', true);

Use the bare constant true, not the quoted string 'true'. WordPress only tests whether the constant is non-empty, so a quoted 'true' works by accident, and a quoted 'false' would disable cron just the same.

Know what you are giving up. With the constant set, scheduled posts no longer publish on their own, and plugins that depend on scheduled tasks (backups, update checks, scheduled emails) will not run them. The setting only stops WordPress from spawning wp-cron.php on page views; requesting /wp-cron.php directly still runs any task that is due, which is how a real cron job on the server (if your account provides one) can run the tasks at a fixed interval instead. You could also remove wp-cron.php from your WordPress directory, but a WordPress core update will put it back, so do not rely on its absence.

DO NOT change any other values in the configuration file!

Save the wp-config.php file and exit your text editor.
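A check to run on the finished file before uploading it, covering the settings this page asks for. This is an added example, not code from WordPress or from Active Web Hosting. It parses the define() lines itself, which is what lets it catch the quoting mistake PHP will not warn about: PHP treats every non-empty string, including 'false', as true, so only the bare constants true and false state the intent unambiguously. WEAK_CONFIG and HARD_CONFIG are constructed inputs, and the 32-character minimum for keys is a threshold chosen here, not a WordPress rule.

```python
"""Audit a wp-config.php against the settings on this page (added example)."""
import re
import sys

PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Settings this page asks you to enable with the bare constant true.
HARDENING_FLAGS = ("DISALLOW_FILE_EDIT", "DISABLE_WP_CRON")

# define('NAME', 'quoted value')  or  define('NAME', bare_token)
DEFINE_RE = re.compile(
    r"define\(\s*'([A-Za-z_][A-Za-z0-9_]*)'\s*,\s*"
    r"(?:'((?:[^'\\]|\\.)*)'|([A-Za-z_][A-Za-z0-9_]*))\s*\)"
)
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'\s*;")


def parse_defines(config: str) -> dict:
    """Map constant name -> (value, quoted). First define() wins, as in PHP."""
    found = {}
    for m in DEFINE_RE.finditer(config):
        name, quoted, bare = m.groups()
        entry = (quoted, True) if quoted is not None else (bare, False)
        found.setdefault(name, entry)
    return found


def audit(config: str) -> list:
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    defines = parse_defines(config)

    # 1. Keys and salts: present, not the placeholder, and long enough.
    for name in KEY_NAMES:
        value, _quoted = defines.get(name, (None, True))
        if value is None:
            findings.append(f"{name}: missing")
        elif value == PLACEHOLDER or len(value) < 32:
            findings.append(f"{name}: placeholder or too-short value")

    # 2. Table prefix: present and not the default.
    m = PREFIX_RE.search(config)
    if not m:
        findings.append("table_prefix: not set")
    elif m.group(1).lower() == "wp_":
        findings.append("table_prefix: default 'wp_' still in use")

    # 3. Hardening flags: present, bare (unquoted) and true.
    for flag in HARDENING_FLAGS:
        if flag not in defines:
            findings.append(f"{flag}: not set")
            continue
        value, quoted = defines[flag]
        if quoted:
            findings.append(
                f"{flag}: quoted string '{value}' (PHP treats any non-empty "
                f"string as true, even 'false'); use the bare constant true")
        elif value.lower() != "true":
            findings.append(f"{flag}: set to {value}, so the protection is off")
    return findings


# Constructed input: a file left the way this page warns against.
WEAK_CONFIG = """<?php
define('DB_NAME', 'awh_demo');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'tooshort');
$table_prefix = 'wp_';
define('DISALLOW_FILE_EDIT', 'true');
define('DISABLE_WP_CRON', 'false');
"""

# Constructed input that follows the page: 64-character keys, custom prefix,
# both flags as bare constants.
HARD_CONFIG = "<?php\n" + "".join(
    "define('%s', '%s');\n" % (name, ("K%d" % i) * 32)
    for i, name in enumerate(KEY_NAMES)
) + "$table_prefix = 'Qz7k_';\ndefine('DISALLOW_FILE_EDIT', true);\ndefine('DISABLE_WP_CRON', true);\n"

if __name__ == "__main__":
    # Pass a path to audit a real file; otherwise show the constructed weak one.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run it as python3 audit_config.py wp-config.php on your own copy. The quoted-string finding is the one worth remembering: define('DISABLE_WP_CRON', 'false') looks like it turns the setting off, but PHP sees a non-empty string and WordPress treats cron as disabled.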

 


Active Web Hosting, 1445 American Pacific Dr. Ste 110-318, Henderson, NV 89074. Phone 702-449-2337.