Scripts for Dealing with Host Support


Secure File Permissions on your server

Files should be 644 and directories 755: the owner can write, while the web server and everyone else on the machine can only read (and traverse directories). Anything looser, such as 777, lets any other process on the box rewrite your site. This is a one-minute job for someone with shell access to the server, so take this little tidbit to your host and ask whether it is done:

WordPress expects specific permissions on its files and directories. I've been working through my security checklist, but this one is a bit over my head. Could you check and confirm for me that all directories are '755' and all files are '644', please?
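The check and the fix behind that request, as an added example that is not part of the original post (and not necessarily what your host runs). It assumes you are in a shell on the server as the user who owns the WordPress files, and that the install root is passed as the first argument. The audit also accepts a tighter 640 or 600 on wp-config.php, since that file holds the database password and nothing but the PHP process needs to read it; pass that mode as the optional second argument to the fix only if PHP runs as the file's owner (or its group), otherwise the site breaks.

```shell
#!/bin/sh
# Added example, not from the original post. Audit and fix WordPress file
# permissions: 644 for files, 755 for directories (wp-config.php may be
# tighter). Usage: wp_perm_audit /var/www/site ; wp_perm_fix /var/www/site [cfgmode]

# Print every path whose mode is wrong. Prints nothing when the tree is clean.
wp_perm_audit() {
    root="$1"
    find "$root" -type d ! -perm 755 -print
    find "$root" -type f ! -perm 644 ! -name wp-config.php -print
    # wp-config.php is allowed to be 644 or tighter (640 or 600).
    if [ -f "$root/wp-config.php" ]; then
        find "$root" -name wp-config.php \
            ! \( -perm 644 -o -perm 640 -o -perm 600 \) -print
    fi
}

# Apply the page's recommended modes. Second argument (default 644) is the
# mode for wp-config.php; use 640/600 only if the PHP process can still read it.
wp_perm_fix() {
    root="$1"
    cfg_mode="${2:-644}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod "$cfg_mode" "$root/wp-config.php"
    fi
}

# Constructed sample tree (not a real install) with deliberately wrong modes,
# so the functions above can be tried offline.
wp_sample_tree() {
    mkdir -p "$1/wp-content/uploads"
    echo '<?php' > "$1/index.php"
    echo '<?php' > "$1/wp-config.php"
    echo 'x' > "$1/wp-content/uploads/a.jpg"
    chmod 777 "$1/wp-content/uploads" "$1/index.php" "$1/wp-config.php"
    chmod 600 "$1/wp-content/uploads/a.jpg"
}
```

Run the audit first and keep its output; an empty result is the confirmation you asked the host for. Note that the fix resets wp-content/uploads to 755 as well, which is correct when PHP runs as the file owner (the usual shared-hosting setup); if uploads stop working afterwards, the web server runs as a different user and the host needs to fix ownership rather than loosen modes.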

Preventing Access to Sensitive Information

One file in particular gives away the whole site: wp-config.php, which holds the database credentials and the authentication keys and salts. So let's block web access to it. In most cases your host will do this for you. And while we're at it, let's block access to the file that does the blocking, .htaccess itself. These are Apache directives; a host running nginx needs the equivalent in its server configuration instead. You can ask something like this:

WordPress needs these rules in the '.htaccess' file in the site root. Can you add them for me?

<files wp-config.php>
order allow,deny
deny from all
</files>

<files .htaccess>
order allow,deny
deny from all
</files>

Change the Unique Keys

This one you will probably need to take to your developer, or you can do it yourself if you know how to use FTP (SFTP, preferably, so your password does not travel in the clear). All you need to do is replace the eight long strings of random characters in wp-config.php. Go to the page here, which generates a fresh, unique set on every visit. Changing the keys invalidates every existing login cookie, so all users (you included) will have to log in again; that is exactly what you want after a suspected compromise. The keys look something like this:

define('AUTH_KEY',         'KpVlTrn%GS/YRNgP,vUC!NCxyqUt+~-uC(|: NEi72Yk]tT~fqQ =ZNepyM2eEf5');
define('SECURE_AUTH_KEY',  'L+f3+u8%n=(aGa4L)b;|YxQ^-;Q8!g/:zcxSdeJ.M.l`zV/L8!|u8}Z.}aIAO|iV');
define('LOGGED_IN_KEY',    '.R&S!7,]Iu|*+J~~6aX<).MD-xf4oU~R[09T<0kX%n5%U~cHEon9Lb=pgU![)jgQ');
define('NONCE_KEY',        'x}-/NY09s#K5w.K%jNt<M1xA#$AA e|CQ&S+ZT.3jvZ:BsFn:rD1XL-j3v(}CZ3a');
define('AUTH_SALT',        '[>ZMt7)I`sq-s`X*c>if(aTQ rXt+|n1?k^Sa-d|2w D%!o;iS+#!^xUNz:lY*NG');
define('SECURE_AUTH_SALT', '%Mt57-7lK3#d+h.BRl0r([email protected]=xaphPcce}5EaD+GDYt4D7U2OYY%*cw/');
define('LOGGED_IN_SALT',   'p7-f @=aS.~Bb+y{6Z{Y}XKP(Az-9CHX-`q6ptRcOk^34Og7-hTT^28|jW+V(YYG');
define('NONCE_SALT',       ',[email protected]@)HPOe+O m+bQBh=>e[r):ci-3}9/FQSU;3r~S0jc|TS#hTosY,');

Pretty cool, eh? They look a lot more intimidating than they are: all you do is copy the whole block and paste it over the old one. Just never paste the sample values above, or any set you found on a web page, into a live site; generate your own. 🙂
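If you have shell access, you can rotate the keys on the server instead of pasting by hand. The script below is an added example, not part of the original post; it generates the eight values locally from /dev/urandom rather than fetching them from the WordPress.org generator page, which I assume is the page linked above. It assumes the keys in wp-config.php are written as define('NAME', '...') lines (with or without the space after the parenthesis that newer installs use) and rewrites each one in place, keeping the file's mode. The character set is the generator's minus the single quote and backslash, which would break a single-quoted PHP string.

```shell
#!/bin/sh
# Added example, not from the original post. Rotate the WordPress auth
# keys and salts in wp-config.php. Usage: wp_rotate_keys /var/www/site/wp-config.php

WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
# Printable ASCII without quote, backslash, space or square brackets.
WP_KEY_CHARS='A-Za-z0-9!#$%&()*+,./:;<=>?@^_{|}~'

# One 64-character key drawn from the kernel CSPRNG.
wp_gen_key() {
    LC_ALL=C tr -dc "$WP_KEY_CHARS" < /dev/urandom | head -c 64
}

# Print the value of define('NAME', 'value') from a config file, or fail.
wp_get_key() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "define("*"'$2'"*)
                v=${line#*"'$2'"}; v=${v#*\'}; v=${v%\'*}
                printf '%s\n' "$v"
                return 0 ;;
        esac
    done < "$1"
    return 1
}

# Replace every key/salt define line with a fresh value; other lines pass
# through untouched. The rewritten file keeps the original's mode.
wp_rotate_keys() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    cp -p "$cfg" "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        for name in $WP_KEY_NAMES; do
            case "$line" in
                "define("*"'$name'"*)
                    line="define('$name', '$(wp_gen_key)');"
                    break ;;
            esac
        done
        printf '%s\n' "$line"
    done < "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# Constructed placeholder config (not a real one) for trying the rotation.
wp_sample_config() {
cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
}
```

Run it as the file's owner, and check afterwards with wp_get_key that none of the eight values still reads "put your unique phrase here"; a placeholder left in place means WordPress is signing cookies with a string that everyone knows.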

One Website Per Account

This requires a bit of explanation. One of my pet peeves is a web host advertising "unlimited" accounts. It's not true, or we'd all be paying $6/mo for hosting. Read the small print and there are limits, whether on CPU, inodes (file counts) or something else. Explaining them is beyond the scope of this article; the point is that the limits exist.

That little sermon was completely free, my friends. Onwards.

Choose the best hosting you can afford and look for something called "Managed WordPress Hosting". A WordPress-specific account is set up quite differently from a generic hosting account, even though the baseline requirements (PHP and database versions, and so on) are commonplace now.

Even if you are paying a lot more than $6/mo, you need a separate account for each website. If all your websites live in one account they share one system user and one filesystem, so whoever compromises any one of them (through an outdated plugin, say) can write to all the others. One infected site quickly becomes all of them.

NOTE: I’m using the word ‘account’ to mean a server container. However, if the webhost uses the word “Account” to mean your billing or customer account, then you can have as many hosting packages (or containers) as you like within the same account.

The main point is to keep each website in its own account (or container).


I hope you’ve learned a bit during our WordPress Security Week. To wrap it all up, we’ve produced a free download: WordPress Security Cheat Sheet.
