Brad Williams: WordPress Security

9 responses on “Brad Williams: WordPress Security”

  1. Steve

    Great Talk

    sshing and chmod-ing files right now!

    Thanks a whole heap – very useful information!


  2. ilan

    really great talk, thank you Brad for very important information about security.


  3. Nathan Youngman

    Lots of good suggestions that I intend to look into further. Thanks Brad.

    One glaring error in the wp-config.php stuff though. The file should really be in the directory above public_html/, not in public_html/ itself. If WordPress is installed directly in public_html/ then you’re all set.

    But if, like me, you’re using a folder like wordpress/ to organize things, you need WordPress to look 2 levels up. The simple solution is to modify wp-config.php with something like this: require_once(ABSPATH . '../../secret.php'); just before the require for wp-settings.php. Put secret.php above your public_html folder and move all the password stuff to there.


    • mugger

      Nathan, would you mind fleshing that out a bit with a pseudo example?
      Thanks for dealing with the case of a subfolder, which WP seems to have neglected.


  4. Nathan Youngman

    @mugger I’ve been meaning to do a blog post about my particular setup. Actually I’m planning to set up a new blog on WordPress coding, I just need to make the time to do it. When I do, I’ll post here again.


  5. Brad

    Thanks for the kind words everybody! Actually the wp-config.php file can exist in one of two places by default: either the root WordPress directory or one level above that directory. WordPress will look in both spots before throwing an error.


  6. Nathan Youngman

    @mugger I’m prepping a base setup that can be readily cloned… http://hg.nathany.com/wp-base/src/ It has my wp-config as well as secret-sample as a template for creating ../secret.php (up a level).
    An accompanying blog post should be up in a few days. Right now I’m waiting for DNS for vogsphere.org.

    I’d also like to review Brad’s video and get those suggestions into my base setup.

    @Brad Maybe something is different between our configs, but for me, ABSPATH points to the /wordpress/ folder inside public_html (webroot, htdocs, you get the idea). WordPress looks in the ABSPATH folder and one directory up, which in my case is the public_html/wordpress/ folder and the public_html/ folder. Hence my little workaround to drop a file two levels up from ABSPATH so it’s not inside public_html.

    If ABSPATH is defined differently for you, as the actual public_html/ folder, I’d sure like to understand what I’m doing differently.

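Below is an added wp-config.php fragment illustrating the arrangement Nathan describes in comments 3 and 6 (credentials kept in a secret.php outside the web root, loaded before wp-settings.php). It is not code from Brad’s talk, from Nathan’s wp-base repository, or from WordPress itself. It assumes the layout from the thread: WordPress in public_html/wordpress/, so ABSPATH resolves there and the secrets file sits two levels above it; the constant names (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST, AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY) are the standard ones WordPress reads. The `$levels_above_abspath` variable is a hypothetical knob introduced here so the same file works for the one-level case Brad mentions.

```php
<?php
// Added example (not from the talk or the commenters): a wp-config.php that loads
// database credentials and salts from a secret.php kept outside the web root.
// Assumed layout (constructed for this example):
//   /home/example/secret.php               <- outside the web root
//   /home/example/public_html/wordpress/   <- ABSPATH
//
// secret.php is expected to look like:
//   <?php
//   define('DB_NAME', 'wp_example');       // constructed sample values
//   define('DB_USER', 'wp_example_user');
//   define('DB_PASSWORD', 'change-me');
//   define('DB_HOST', 'localhost');
//   define('AUTH_KEY', '...'); define('SECURE_AUTH_KEY', '...');
//   define('LOGGED_IN_KEY', '...'); define('NONCE_KEY', '...');

// Hypothetical knob: how many directories above ABSPATH the web root boundary is.
// WordPress directly in public_html/ -> 1; public_html/wordpress/ (Nathan's case) -> 2.
$levels_above_abspath = 2;

$secret_file = rtrim(ABSPATH, '/');
for ($i = 0; $i < $levels_above_abspath; $i++) {
    $secret_file = dirname($secret_file);
}
$secret_file .= '/secret.php';

// Fail closed: a missing secrets file must not silently fall back to credentials
// placed inside the web root.
if (!is_readable($secret_file)) {
    die('Secrets file is missing or unreadable; configure it outside the web root.');
}

// Refuse a world-readable secrets file (the "other" read bit, 0004, is set).
// Moving the file out of the web root only helps if other local users cannot read it.
if ((fileperms($secret_file) & 0004) !== 0) {
    die('Refusing to load a world-readable secrets file.');
}

require_once $secret_file;

// Verify secret.php actually supplied everything WordPress needs before continuing,
// so a half-filled template produces a clear error instead of a partial install.
$required = array('DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST',
                  'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY');
foreach ($required as $constant) {
    if (!defined($constant)) {
        die('secret.php must define ' . $constant);
    }
}

$table_prefix = 'wp_';

// Everything else is the usual tail of wp-config.php.
require_once ABSPATH . 'wp-settings.php';
```

The two checks before the require are the part worth keeping regardless of layout: the script refuses to start without the file rather than degrading to in-webroot secrets, and it treats a world-readable secret.php as a misconfiguration, since on shared hosting the file’s mode matters as much as its location.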



Published

July 11, 2009

Brad Williams talks about how to keep your WordPress-powered website secure from hackers and exploits.

Slides from the presentation are available here.

Video Production by Arthur Cormon of TV McGill.


Event: WordCamp Montréal 2009

Speakers: Brad Williams

Tags: Security

Language: English
