WordPress gets a bit of a bad rap for being insecure. The reality is that any website is only as secure as the foundation that you host it on. These are some of the most important steps that every webmaster, host, and developer should follow for a secure WordPress database.
Securing Your WordPress Database
1. Secure Your WordPress Accounts
My first recommendation to secure any aspect of WordPress is to make sure that the accounts on your site are secure. Nearly every compromised WordPress site that I have come across has been due to an account that was set up with an insecure password.
How do I secure my WordPress accounts?
- Use a strong password for all users
- Use a plugin to limit login attempts
- Avoid a user with the username “admin” or “administrator”
2. Change Your Database Prefix
Don’t make it easy for potential hackers to guess the names of your database tables by using the default wp_ prefix. Using a unique prefix like wp_x23ms_ makes SQL injection attacks that rely on the default table names just a little harder for your enemies.
3. Only Allow Access to MySQL Through Localhost or the Server That Needs Access
Do not allow access to your MySQL server from arbitrary hosts. Configure the firewall on your server to only allow access from localhost or from the other servers in your configuration that need it. Keeping this locked down helps keep your database safe.
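A quick way to verify this step is to check what address the MySQL service is actually listening on. The shell function below is an added example, not code from the original post: it reads `ss -ltn`-style socket lines and flags a port 3306 listener bound to a wildcard address instead of loopback. The function name, the sample socket lines and the remediation comments are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: check whether a MySQL/MariaDB
# listener is reachable from any interface instead of only localhost.
# Reads "ss -ltn"-style socket lines on stdin and returns 1 when port 3306 is
# bound to a wildcard address. Live use:  ss -ltn | mysql_exposed_listeners
# The helper name and the sample lines below are constructed for this example.

mysql_exposed_listeners() {
    # In "ss -ltn" output column 4 is "Local Address:Port". Report rows on
    # port 3306 whose address is a wildcard (0.0.0.0, *, [::]) rather than a
    # loopback or a specific internal address.
    awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == "3306" && (host == "0.0.0.0" || host == "*" || host == "[::]")) {
                print "EXPOSED: MySQL listening on " addr
                exposed = 1
            }
        }
        END { if (exposed) exit 1; exit 0 }
    '
}

# Constructed sample of "ss -ltn" output: MySQL bound to all IPv4 interfaces.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      151    0.0.0.0:3306       0.0.0.0:*
LISTEN 0      511    127.0.0.1:80       0.0.0.0:*'

if printf '%s\n' "$SAMPLE_SS_OUTPUT" | mysql_exposed_listeners; then
    echo "OK: MySQL is only reachable locally"
else
    # Remediation: in my.cnf under [mysqld] set  bind-address = 127.0.0.1
    # (or the private IP of the database host), restart MySQL, and allow
    # 3306 through the firewall only from the web server(s) that need it,
    # e.g.  ufw allow from 203.0.113.10 to any port 3306 proto tcp
    echo "Fix bind-address and the firewall rule for port 3306"
fi
```

Run it against the real `ss -ltn` output on the database host; a clean result means MySQL is bound to loopback or a specific internal address, which is the state this step asks for. The firewall rule still matters even then, because a later config change can silently re-open the port.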
4. Use a Unique MySQL User For Every Website
When you are setting up your WordPress database, also create a unique user for that database. Sharing access to all of the databases on your server is convenient, but could make it easier for an attacker to access multiple sites on your server.
If someone manages to get hold of your wp-config.php file, they would be able to read these credentials. You might as well limit their mayhem to a single website.
5. Use a Unique MySQL Password For Each User
Since the MySQL password is saved as plain text in your wp-config.php file, you should always use a completely unique password for each MySQL user. As you are already using a unique database user for each site (see the step above), this should mean that each site has a completely unique password as well. Never use a password for your WordPress database that is anything close to something that you use somewhere else.
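Steps 2, 4 and 5 come together when you provision a new site. The script below is an added example, not code from the original post: it generates a random password and a non-default table prefix, emits the SQL that creates one database and one MySQL user whose grants are limited to that database, and emits the matching wp-config.php lines. The function names, the `site_a` sample, the `localhost` connection host and the privilege list (enough for WordPress core and most plugins) are assumptions for this example; the post itself does not specify privileges.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the per-site MySQL
# provisioning SQL and the matching wp-config.php lines for one WordPress
# install. Each site gets its own database, its own MySQL user limited to that
# database, a unique random password, and a non-default table prefix.
# Function names, the "site_a" sample and the privilege list are assumptions.

# 24 mixed-case alphanumeric characters from the kernel CSPRNG.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
    echo
}

# Table prefix: WordPress only allows letters, numbers and underscores.
make_table_prefix() {
    printf 'wp_%s_\n' "$(od -An -tx1 -N 3 /dev/urandom | tr -d ' \n')"
}

# Emit the SQL to run as the MySQL admin user. $1 is the site slug (used as
# both database and user name), $2 the password, $3 the host the PHP process
# connects from (default localhost, matching step 3).
provision_site_sql() {
    site="$1"; password="$2"; host="${3:-localhost}"
    printf "CREATE DATABASE \`%s\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;\n" "$site"
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$site" "$host" "$password"
    # Grant only on this site's database: a leaked wp-config.php then exposes
    # one database, not every site on the server.
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON \`%s\`.* TO '%s'@'%s';\n" "$site" "$site" "$host"
    printf "FLUSH PRIVILEGES;\n"
}

# Emit the matching wp-config.php settings, including the unique prefix.
wp_config_lines() {
    site="$1"; password="$2"; prefix="$3"
    printf "define( 'DB_NAME', '%s' );\n" "$site"
    printf "define( 'DB_USER', '%s' );\n" "$site"
    printf "define( 'DB_PASSWORD', '%s' );\n" "$password"
    printf "define( 'DB_HOST', 'localhost' );\n"
    printf "\$table_prefix = '%s';\n" "$prefix"
}

# Demo for a constructed site slug.
SITE="site_a"
PASSWORD="$(random_password)"
PREFIX="$(make_table_prefix)"
echo "-- SQL to run as the MySQL admin user:"
provision_site_sql "$SITE" "$PASSWORD"
echo "-- Lines for wp-config.php:"
wp_config_lines "$SITE" "$PASSWORD" "$PREFIX"
```

Pipe the SQL into `mysql` as the admin user and paste the config lines into wp-config.php before running the WordPress installer. Because the password is alphanumeric only, a server with a strict validate_password policy that demands punctuation will reject it; extend the character class in random_password if that applies to you.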
What is the risk?
Your database password is stored in your wp-config.php file as plain text. This means that if your site files are compromised, you could expose your database password. You may be able to limit damage to the actual database by locking down access at the server level, but you don’t want a shared password exposed in this way.
Use a password generator. Here is a pretty cool one that creates secure passwords that are also easy to remember – https://www.safetydetectives.com/password-meter/