Why wp-config.php Is Your First Line of Defense
Most WordPress security guides focus on plugins. But the most impactful security changes happen at two levels most site owners never touch: wp-config.php and server configuration. These tweaks run before any plugin loads, making them faster and harder to bypass than plugin-based solutions.
Here are 10 hardening tweaks we apply to every production WordPress site. Each one addresses a specific attack vector.
1. Regenerate Salt Keys
WordPress's eight keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four matching *_SALT values) are the secrets WordPress uses to sign its authentication cookies and nonces; they do not encrypt anything. An attacker who obtains them, together with the database access a leaked wp-config.php also hands over via DB_PASSWORD, can mint valid logged-in cookies for any account, including an administrator, without ever knowing a password.
When to regenerate: after any suspected breach or leaked backup, after removing a compromised admin user, or on a regular schedule (quarterly for high-value sites). Rotating the salts invalidates every existing session and forces all users to log in again, which is exactly what you want after an incident. Rotate the database password at the same time if wp-config.php may have been read.
WP-CLI shortcut:
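The WP-CLI command for this is wp config shuffle-salts, which rewrites the eight values in place. As an added example (not the article's own code), the shell functions below do the same job without WP-CLI: one prints eight fresh define() lines straight from /dev/urandom, the other tells you whether a config still carries the installer's placeholder salts. They assume a POSIX shell with tr, head and grep; the file path is whatever you pass in.

```shell
#!/bin/sh
# Generate fresh WordPress keys and salts. Added example, not from the original
# article. Assumes a POSIX shell with /dev/urandom, tr, head and grep.

# Print the eight define() lines wp-config.php expects, each with a 64-character
# value drawn from the kernel CSPRNG. The alphabet deliberately excludes the
# quote and backslash characters so the PHP single-quoted literal stays valid.
wp_salt_defines() {
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        value=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+,.?~' < /dev/urandom | head -c 64)
        printf "define('%s', '%s');\n" "$key" "$value"
    done
}

# Return 0 (true) if FILE still carries the placeholder text from
# wp-config-sample.php, i.e. the salts were never set at all.
wp_salts_are_placeholder() {
    grep -q 'put your unique phrase here' "$1"
}

# Usage:
#   wp_salt_defines                        # paste the output over the old block
#   wp_salts_are_placeholder wp-config.php && echo 'placeholder salts in use'
```

Paste the generated block over the existing eight defines, then confirm you can still log in; every other session will have been logged out by the change.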
2. Change the Database Table Prefix
With the default prefix, every attacker and every canned SQL injection payload already knows the exact table names (wp_users, wp_usermeta, wp_options). Changing it is obscurity, not a control: anyone who can run arbitrary SQL can read the real names out of information_schema, and a verbose error message or a database dump reveals them anyway. Treat it as a speed bump for fully automated attacks and weigh that against the migration effort. Set $table_prefix in wp-config.php during installation, or migrate an existing site:
For existing sites: every table has to be renamed, and the rows that embed the prefix in their names have to be updated too: the {prefix}user_roles row in the options table, and usermeta keys such as {prefix}capabilities and {prefix}user_level. Use a migration plugin or careful, reviewed SQL run against a fresh backup. Changing only $table_prefix in wp-config.php points WordPress at tables that do not exist, and the site presents the installer screen instead of your content.
3. Disable File Editing
WordPress ships a code editor that lets anyone with the edit_plugins or edit_themes capability modify plugin and theme files from the dashboard. An attacker who gets an administrator session reaches it in two clicks and uses it to drop a PHP backdoor into a theme file.
Setting DISALLOW_FILE_EDIT to true removes the Theme Editor and Plugin Editor screens, and the capabilities behind them, entirely. Developers should use SFTP or version control instead. It does not stop an admin from uploading a plugin zip; that is what the next tweak covers.
4. Disable Plugin and Theme Installation
For production sites that should never have software installed or updated from the dashboard:
DISALLOW_FILE_MODS goes further than DISALLOW_FILE_EDIT: it also blocks plugin and theme installs, updates and deletions from the dashboard, and it disables WordPress's automatic updater, core security releases included. Use it only on sites where a deployment pipeline (Git-based workflow, CI/CD) owns every file, and make sure that pipeline ships updates promptly, because nothing else will.
5. Force SSL for Admin and Logins
FORCE_SSL_ADMIN makes WordPress redirect any http:// request for wp-login.php or the dashboard to https://, even if someone types http://, and because the login then happens over HTTPS the authentication cookies are issued with the Secure flag. Combined with an HSTS header at the server level and a site-wide redirect, this closes the window for cookie theft on hostile networks. One caveat: behind a TLS-terminating load balancer or proxy, PHP sees plain HTTP, and WordPress will loop on the redirect unless wp-config.php sets $_SERVER['HTTPS'] = 'on' when the proxy's X-Forwarded-Proto header says https.
6. Limit Post Revisions
This one is housekeeping rather than hardening: it does not change what an attacker can reach, but it keeps the wp_posts table small, which makes backups, restores and forensic comparisons faster:
Unlimited revisions (the default) can bloat wp_posts to millions of rows on an active site. WP_POST_REVISIONS set to 3 to 5 keeps enough history to undo a bad edit without the bloat; setting it to false disables revisions altogether.
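Items 3 to 6 are all single define() lines, and the failure mode in practice is that one of them silently goes missing during a migration or a wp-config.php rewrite. The added example below (not the article's own code) is a small audit that greps a wp-config.php for the four constants and returns the number missing, so it can run as a deployment gate. It assumes the constants are written as plain define() lines; anything set through a variable or an if-block is not seen. The sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Audit a wp-config.php for the constants from items 3 to 6. Added example,
# not the article's own code. Assumes the settings are written as plain
# define() lines; constants set through variables or conditionals are not seen.

# Succeed when FILE defines NAME with a value matching the regex WANT, e.g.
#   wp_config_has wp-config.php DISALLOW_FILE_EDIT true
# Accepts single or double quotes and any spacing inside define( ... ).
wp_config_has() {
    file=$1 name=$2 want=$3
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*${want}[[:space:]]*\)" "$file"
}

# Print one OK/MISSING line per setting; return the number missing (0 = clean),
# so it can gate a deployment:  wp_config_audit wp-config.php || exit 1
wp_config_audit() {
    file=$1 missing=0
    for spec in "DISALLOW_FILE_EDIT:true:no dashboard file editor" \
                "DISALLOW_FILE_MODS:true:no dashboard installs or updates" \
                "FORCE_SSL_ADMIN:true:HTTPS for login and wp-admin" \
                "WP_POST_REVISIONS:([0-9]+|false):revisions capped"; do
        name=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; why=${rest#*:}
        if wp_config_has "$file" "$name" "$want"; then
            printf 'OK       %s (%s)\n' "$name" "$why"
        else
            printf 'MISSING  %s (%s)\n' "$name" "$why"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: a config with three of the four settings present.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define('DISALLOW_FILE_EDIT', true);
define( "FORCE_SSL_ADMIN", true );
define('WP_POST_REVISIONS', 5);
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Usage: wp_config_audit /var/www/html/wp-config.php
```

On the sample file the audit reports DISALLOW_FILE_MODS as missing and returns 1, which is correct for a site that is not pipeline-managed; on such a site simply drop that line from the spec list.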
7. Move wp-config.php Above Web Root
If wp-config.php is missing from the WordPress directory, WordPress looks for it one directory up (the parent of the directory holding wp-settings.php), provided that parent does not contain a wp-settings.php of its own, which is what keeps nested installs working. Move the file there so it is never served as a web asset:
No code changes needed; WordPress finds the file automatically. This matters because a misconfigured or crashed PHP handler can make the web server hand out .php files as plain text, and wp-config.php holds the database password and the salts. Once the file sits outside the document root, a request for yourdomain.com/wp-config.php has nothing to serve. Two caveats: the trick only helps when WordPress is installed directly in the document root (for a site in /var/www/html/blog, the parent /var/www/html is still web-accessible), and PHP's open_basedir, if set, must include the new location.
8. Secure Headers via .htaccess or Nginx
Add these response headers to blunt common browser-side attacks (clickjacking, MIME-type sniffing, protocol downgrade). For a deeper dive into .htaccess configuration, see our dedicated guide on WordPress .htaccess tweaks for security and performance:
Apache (.htaccess)
Nginx
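Adding the headers is the easy part; the part that bites is finding out later that they are not actually being sent. In Nginx, add_header directives set at server level are dropped for any location block that defines its own add_header, so a location ~ \.php$ block with one extra header silently loses the rest; in Apache, Header set is skipped on error responses unless you write Header always set. The added example below (not the article's own code) checks a captured response for a common baseline header set (the set itself is this editor's choice, not the article's) and returns the number missing. The sample dump is constructed to look like the output of curl -sI; run the check against the home page, wp-login.php and a 404 page, not just one URL.

```shell
#!/bin/sh
# Confirm the hardening headers are really being sent. Added example, not the
# article's own code; the header set is a common baseline chosen here, and the
# sample response is constructed to look like `curl -sI https://example.com/`.

# Report which expected headers are absent from FILE (a raw response-header
# dump); return the number missing, so 0 means all present. Header names are
# case-insensitive, hence -i. curl -I dumps end lines with CRLF, which the
# anchored match on the header name does not care about.
check_security_headers() {
    file=$1 missing=0
    for h in Strict-Transport-Security X-Content-Type-Options X-Frame-Options \
             Referrer-Policy Content-Security-Policy Permissions-Policy; do
        if ! grep -Eiq "^${h}:" "$file"; then
            printf 'missing: %s\n' "$h"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: a response that carries three of the six headers.
write_sample_headers() {
    printf 'HTTP/2 200\r\n'                                                               > "$1"
    printf 'server: nginx\r\n'                                                           >> "$1"
    printf 'content-type: text/html; charset=UTF-8\r\n'                                  >> "$1"
    printf 'strict-transport-security: max-age=63072000; includeSubDomains; preload\r\n' >> "$1"
    printf 'x-content-type-options: nosniff\r\n'                                         >> "$1"
    printf 'x-frame-options: SAMEORIGIN\r\n\r\n'                                         >> "$1"
}

# Usage against a live site (check more than one path):
#   curl -sI https://example.com/              > home.txt;  check_security_headers home.txt
#   curl -sI https://example.com/wp-login.php  > login.txt; check_security_headers login.txt
#   curl -sI https://example.com/does-not-exist > e404.txt;  check_security_headers e404.txt
```

On the constructed sample the check prints three missing lines (Referrer-Policy, Content-Security-Policy, Permissions-Policy) and returns 3.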
9. Restrict wp-admin Access by IP
If your admin team uses static IPs or a VPN, lock down wp-admin to those IPs only:
Apache (.htaccess in wp-admin/)
Nginx
Important: always include wp-admin/admin-ajax.php as an exception if your frontend uses AJAX (most themes and many plugins do), or logged-out visitors will get 403s on search, comment and form submissions. Remember too that wp-login.php lives in the site root, not under wp-admin/, so it needs its own rule if the goal is to keep strangers off the login form.
10. Disable XML-RPC
XML-RPC is a legacy API that modern sites rarely need but attackers use constantly: system.multicall lets one request try hundreds of passwords (sidestepping per-request login limits), and the pingback method turns your server into a reflector for DDoS attacks on other sites. Before disabling it, confirm nothing depends on it; Jetpack and the WordPress mobile apps have historically relied on XML-RPC:
In wp-config.php
At the Server Level (Preferred)
Blocking at the server level is better because the request is rejected before PHP runs, which is what saves CPU and database time during a brute-force or pingback flood. If you use the PHP route instead, two things to know: add_filter() is not defined until wp-settings.php has loaded, so the xmlrpc_enabled filter has to be registered after that point (a must-use plugin is the usual home), and that filter only disables the methods that require authentication, so pingback keeps answering unless you also block the file.
Bonus: Monitor for Changes
After hardening, set up file integrity monitoring. If wp-config.php, .htaccess, or core files change unexpectedly, you want to know immediately:
- Wordfence: file change detection is built into the free version
- WP-CLI: wp core verify-checksums compares core files against the official hashes from WordPress.org; wp plugin verify-checksums --all does the same for plugins from the .org directory
- OSSEC / Fail2ban: server-level intrusion detection for login attempts and file changes
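Checksums from WordPress.org cover core and directory plugins, but not wp-config.php, .htaccess or anything custom, so those need a baseline of your own. The added example below (not the article's own code) keeps a sha256 baseline of a chosen set of files and reports which ones changed; it assumes GNU coreutils sha256sum (on macOS substitute shasum -a 256). The files and directory used here are constructed in a temporary location for the demonstration.

```shell
#!/bin/sh
# Minimal file-integrity baseline for the files the article says to watch.
# Added example, not the article's own code. Assumes coreutils sha256sum;
# the paths in the usage comment are illustrative.

# Record the sha256 of each PATH (relative to ROOT) into BASELINE.
#   integrity_baseline ROOT BASELINE PATH...
integrity_baseline() {
    root=$1 baseline=$2; shift 2
    ( cd "$root" && sha256sum "$@" ) > "$baseline"
}

# Re-hash every file in BASELINE; print the ones that changed or vanished and
# return their count, so 0 means the tree matches the baseline.
#   integrity_check ROOT BASELINE
integrity_check() {
    root=$1 baseline=$2 changed=0
    while read -r hash path; do
        # A deleted file hashes to nothing, which also counts as a change.
        now=$( cd "$root" && sha256sum "$path" 2>/dev/null | cut -d' ' -f1 )
        if [ "$now" != "$hash" ]; then
            printf 'CHANGED: %s\n' "$path"
            changed=$((changed + 1))
        fi
    done < "$baseline"
    return "$changed"
}

# Usage (store the baseline outside the web root, e.g. with the moved wp-config.php):
#   integrity_baseline /var/www/html /var/www/baseline.sha256 \
#       .htaccess wp-config.php index.php wp-load.php wp-settings.php
#   integrity_check /var/www/html /var/www/baseline.sha256 || mail -s 'WP files changed' ops@example.com
```

Run the check from cron; the non-zero return value is the alert trigger, and the printed list tells you where to start the investigation.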
Implementation Order
Apply these tweaks in this order to minimize risk:
- Backup everything (database + files)
- Force SSL (#5), if not already done
- Regenerate salts (#1)
- Disable file editing (#3)
- Add security headers (#8)
- Disable XML-RPC (#10)
- Move wp-config (#7)
- Change table prefix (#2), requires database changes
- Restrict wp-admin (#9), only if you have static IPs
- Disable file mods (#4), only for deployment-managed sites
Wrapping Up
These 10 tweaks won't make your site unhackable; nothing will. But they remove the most common attack paths and raise the bar significantly for any attacker. Combined with strong passwords, two-factor authentication and prompt updates, this server-level hardening forms a solid security foundation. For a real-world example of why this matters, see our analysis of the WPVivid vulnerability that exposed 800K sites.
The key principle: harden at the lowest possible level. Server config beats plugin config. wp-config.php beats a settings page. The closer to the metal, the harder to bypass.
Last modified: February 25, 2026