Brad Williams: WordPress Security

7 responses on “Brad Williams: WordPress Security”

  1. Steve

    Great Talk

    sshing and chmod-ing files right now!

    Thanks a whole heap – very useful information!


  2. ilan

    really great talk, thank you Brad for very important information about security.


  3. Nathan Youngman

    Lots of good suggestions that I intend to look into further. Thanks Brad.

    One glaring error in the wp-config.php stuff though. The file should really be in the directory above public_html/, not in public_html/ itself. If WordPress is installed directly in public_html/ then you’re all set.

    But if, like me, you’re using a folder like wordpress/ to organize things, you need WordPress to look 2 levels up. The simple solution is to modify wp-config.php with something like this: require_once(ABSPATH . '../../secret.php'); just before the require for wp-settings.php. Put secret.php above your public_html folder and move all the password stuff to there.


    • mugger

      Nathan, would you mind fleshing that out a bit with a pseudo example?
      Thanks for dealing with the case of sub folder which WP seems to have neglected.


  4. Nathan Youngman

    @mugger I’ve been meaning to do a blog post about my particular setup. Actually I’m planning to set up a new blog on WordPress coding, just need to make the time to do it. When I do, I’ll post here again.


  5. Brad

    Thanks for the kind words everybody! Actually the wp-config.php file can exist in one of two places by default: either the root WordPress directory or one level above that directory. WordPress will look in both spots before throwing an error.


  6. Nathan Youngman

    @mugger I’m prepping a base setup that can be readily cloned… It has my wp-config as well as secret-sample as a template for creating ../secret.php (up a level).
    An accompanying blog post should be up in a few days. Right now I’m waiting for DNS for

    I’d also like to review Brad’s video and get those suggestions into my base setup.

    @Brad Maybe something is different between our configs, but for me, ABSPATH points to the /wordpress/ folder inside public_html (webroot, htdocs, you get the idea). WordPress looks in the ABSPATH folder and one directory up, which in my case is the public_html/wordpress/ folder and the public_html/ folder. Hence, my little workaround to drop a file two levels up from ABSPATH so it’s not inside public_html.

    If ABSPATH is defined differently for you, as the actual public_html/ folder, I’d sure like to understand what I’m doing differently.
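
The layout discussed in the comments above (WordPress in public_html/wordpress/, credentials in a secret.php above public_html/), written out as an added example that is not code from any of the commenters or from the talk. The directory names, the DOCUMENT_ROOT check and the placeholder values are assumptions:

```php
<?php
// wp-config.php, kept in public_html/wordpress/ (directory names are assumptions).
//
// The credentials live in a separate file one level above public_html/, e.g.
// /home/example/secret.php (constructed path), containing only:
//
//   <?php
//   define( 'DB_NAME',     'PLACEHOLDER_DB_NAME' );
//   define( 'DB_USER',     'PLACEHOLDER_DB_USER' );
//   define( 'DB_PASSWORD', 'PLACEHOLDER_DB_PASSWORD' );
//   define( 'DB_HOST',     'localhost' );
//   define( 'AUTH_KEY',    'PLACEHOLDER_UNIQUE_PHRASE' ); // plus the other keys

// Stock wp-config.php defines ABSPATH as this file's directory, with a trailing slash.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

// public_html/wordpress/ -> public_html/ -> directory above the web root.
$secret_file = realpath( ABSPATH . '../../secret.php' );

// Assumption: the web server sets DOCUMENT_ROOT to public_html/ (unset on the CLI).
$docroot = empty( $_SERVER['DOCUMENT_ROOT'] ) ? false : realpath( $_SERVER['DOCUMENT_ROOT'] );

// Fail closed: refuse to start if the file is missing or unreadable...
$problem = '';
if ( false === $secret_file || ! is_readable( $secret_file ) ) {
    $problem = 'secret.php is missing or unreadable';
// ...or if it still resolves to a path the web server can hand out.
} elseif ( $docroot && 0 === strpos( $secret_file, $docroot . DIRECTORY_SEPARATOR ) ) {
    $problem = 'secret.php is inside the document root';
}
if ( '' !== $problem ) {
    error_log( 'wp-config: ' . $problem ); // detail goes to the server log only
    http_response_code( 500 );
    exit( 'Configuration error.' );
}

require_once $secret_file;

$table_prefix = 'wp_';

// Last line of a stock wp-config.php: hand over to WordPress.
require_once ABSPATH . 'wp-settings.php';
```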


July 11, 2009

Brad Williams talks about how to keep your WordPress-powered website secure from hackers and exploits.

Slides from the presentation are available here.

Video Production by Arthur Cormon of TV McGill.

WordCamp Montreal 2009

Brad Williams

security

English
