Lessons: 15 | Length: 1.5 hours

2.5 Securing wp-config.php

The “wp-config.php” file holds key configuration information for your WordPress site, and as such it’s important to protect it from hackers as much as possible. Learn how in this lesson.

Hey, welcome back to the WordPress secure setup guide. In this lesson we're gonna be looking at the wp-config.php file, and how you can secure it. First let's have a look at the file, and talk about what it does. Now, I mentioned earlier I'm gonna be working inside an offline setup for the rest of this course, so what you're seeing here, I have this htdocs folder selected, and that's equivalent to the public_html folder on your web host. So whenever you see me working inside that folder, you should work inside the public_html folder. So inside your main root folder, your public_html folder, look for wp-config.php, then you wanna download that file so you have it offline on your computer, and then open it up for editing inside your favorite code editor, or just a plain text editor.

So here we are inside that wp-config.php file. Let's have a look through and see what's in this file. So we scroll down, and here you can see all of the information that we entered during setup that gives access to our database. We've got the database name, the username, the password, everything that you need to be able to access that database. So as you can imagine, it's very important to protect this file, because if somebody is able to read the contents of this file, they're able to get into your database and do whatever they want. Down here we also have a series of secret keys. Now these keys work in various ways that we won't go into now, that help to secure your website, and below that we have the table prefix that we set up earlier, so there's another piece of very important information relevant to security. Then below that we also have another couple of settings. You won't touch these bottom lines here, but during development sometimes you will need to set WP_DEBUG to true. You can get some error messages printing out when you try to go to a site that can help you with debugging, but unless you're specifically going through a development cycle, leave WP_DEBUG set to false.

All right, so there are a few steps that we're gonna go through to secure this file. The first thing we're gonna do is generate ourselves a new set of secret keys, and we're gonna do that by going to the secret key generator website that WordPress provides, and the link to this will be included in the notes below this video. All you need to do is go to this URL and just hit refresh, and there will be a brand new set of keys generated for you, and you can copy these and then add them straight into your wp-config.php file. So just highlight the whole lot, and just paste in your new keys.

The next thing that we're going to do is move the wp-config.php file. By default, it sits inside the root folder of your website, so that will be inside your public_html folder if your site is on your main domain, or inside whichever subdirectory you're building your site in. But WordPress actually allows you to take that wp-config.php file and move it up one level, so it's outside of your public folder. I'm just working offline here, so I'm just going to simply drag and drop this file, but in your online setup, what you can do is use File Manager, just like we did in an earlier lesson, and you can use that move tool. So you just select your wp-config.php file, hit the move tool, and then change the directory that you wanna have the file put into. WordPress is still able to find that wp-config.php file; it's still gonna work just the same. However, if you do want to use this security technique, you may have to talk to your host if it doesn't work the first time, and make sure that your server is set up in a way that is going to allow this. So let's go back to our site, and you can see here that it's telling us the session has expired, and that's because when we changed the security keys it canceled out all cookies, which means that any accounts that were signed in now need to sign in again.

So go ahead and do that, and now we're in, and even though we've moved the wp-config.php file, everything is still working perfectly. Now we can add just one more security measure to help protect the wp-config.php file, and that is we're gonna add a .htaccess file in the same directory that our wp-config.php file is now in, that blocks anybody from accessing this file. If you do need to edit this file, you should always download a copy, make the changes offline, and then re-upload. That's gonna be easiest for you if you create this .htaccess file offline and then upload it into the same directory as your wp-config.php file. So inside the target directory, we're going to create a new plain text file called htaccess.txt, and we're only creating this as a .txt file as a sort of intermediary, because a .htaccess file has no file extension, and you won't be able to create a new file without a file extension, so we just create this. Now we're gonna rename it: we're going to trim the file extension off the end, and we're gonna put a dot in front of it. Now we just confirm, and that's actually not fully applied yet, so what we also need to do is choose Get Info, and then trim the .txt extension off the end there as well. And that's gonna be probably a different process if you're on Windows. If you are on Windows, probably the best bet is to make the changes to your file while it's still named .txt, then rename it just by trimming off the extension. That's probably all you're gonna have to do on Windows, then upload your .htaccess file from there. All right, so we're going to edit this, and then we're gonna add this code, and you'll find a link below to a page where you can copy and paste this code. Now, this code here is gonna deny access to the wp-config.php file, so once you've done that, just upload it into the same directory as your file, and then you're all done. All right, so now we're done setting up security measures for the wp-config.php file.
Next up we're gonna move on to securing the admin area, so I'll see you in the next lesson.
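The three steps of this lesson (fresh secret keys, wp-config.php moved one level above the web root, and a .htaccess that denies access to the file) as one runnable shell script. This is an added example, not code from the course or from WordPress. It departs from the video in one stated respect: instead of pasting keys from the WordPress generator page, it creates the eight values locally from /dev/urandom, which gives the same kind of 64-character random secrets without fetching anything over the network. It assumes a POSIX sh with sed, grep, od, tr and mktemp, an Apache host (2.4 syntax, with a 2.2 fallback) where AllowOverride lets .htaccess take effect, and it edits a minimal wp-config.php that is constructed inline; the temp directory, the "demo" argument and the function names are all mine.

```shell
#!/bin/sh
# Added example, not the course's code: rotate the WordPress secret keys/salts
# in wp-config.php, move the file one level above the web root, and write a
# .htaccess that denies web access to it. Assumes POSIX sh + sed/grep/od/tr.

# The eight constants WordPress reads from wp-config.php (real names).
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER='put your unique phrase here'   # WordPress's default filler value

# make_sample_config FILE: a constructed, minimal wp-config.php for the demo.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'example-only' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
EOF
}

# new_secret: 32 bytes from the kernel CSPRNG as 64 hex characters. Hex needs
# no escaping inside PHP single quotes or inside the sed replacement below.
new_secret() {
    od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# rotate_salts FILE: rewrite each define('NAME', ...) line with a fresh value,
# leaving every other line (DB credentials, prefix, WP_DEBUG) untouched.
rotate_salts() {
    f="$1"
    for k in $WP_KEYS; do
        s=$(new_secret)
        sed "s|^define( *['\"]$k['\"] *,.*|define( '$k', '$s' );|" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# verify_salts FILE: succeed only if the placeholder is gone and all eight
# constants carry distinct 64-character alphanumeric values.
verify_salts() {
    f="$1"; seen=" "
    if grep -q "$PLACEHOLDER" "$f"; then return 1; fi
    for k in $WP_KEYS; do
        v=$(sed -n "s|^define( *['\"]$k['\"] *, *'\([A-Za-z0-9]\{64\}\)' *);.*|\1|p" "$f")
        [ -n "$v" ] || return 1
        case "$seen" in *" $v "*) return 1 ;; esac   # reject a repeated value
        seen="$seen$v "
    done
    return 0
}

# write_htaccess DIR: deny every HTTP request for wp-config.php in DIR.
# Apache 2.4 uses Require; the second branch keeps 2.2 hosts covered.
write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
EOF
}

# demo: a fake site root ("public_html") under a temp dir, the config moved to
# its parent as in the lesson. Runs only when invoked as: sh script.sh demo
demo() {
    top=$(mktemp -d); web="$top/public_html"; mkdir "$web"
    make_sample_config "$web/wp-config.php"
    rotate_salts "$web/wp-config.php"
    mv "$web/wp-config.php" "$top/wp-config.php"   # one level above the web root
    write_htaccess "$top"
    verify_salts "$top/wp-config.php" && echo "salts rotated; config now at $top/wp-config.php"
    cat "$top/.htaccess"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh wp-config-harden.sh demo` to see it work on the constructed config. Two checks worth making on a real host afterwards: WordPress looks for wp-config.php only one directory above the site root, and only if that parent directory does not itself contain wp-settings.php, so the move works for a site in public_html/ but not for a nested install whose parent is another WordPress root; and from outside, a request such as `curl -i https://example.com/wp-config.php` (example.com standing in for your domain) should answer 403, or 404 once the file has been moved, never the file's contents. The .htaccess is an Apache mechanism; nginx ignores it, and the equivalent deny rule belongs in the server block there.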