5 Steps to Follow for a Secure WordPress Database

WordPress gets a bit of a bad rap for being insecure. In reality, any website is only as secure as the foundation it is hosted on. These are some of the most important steps that every webmaster, host, and developer should follow to keep a WordPress database secure.

5. Only Allow Access to MySQL From Localhost or the Servers That Need It

Do not allow connections to your MySQL server from arbitrary hosts. When the web server runs on the same machine, bind MySQL to the loopback interface (bind-address = 127.0.0.1 in the [mysqld] section of my.cnf), and configure your firewall so that port 3306 accepts connections only from localhost or from the specific application servers in your setup. A database that cannot be reached from the internet cannot be brute-forced from it, and a leaked password is far less useful to an attacker who has no route to the port.
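As an added example (not code from the original article), the following shell script checks whether MySQL is listening on anything other than the loopback interface and prints the two settings that close it down: the bind-address line for my.cnf and firewall rules in ufw syntax. It parses the output of `ss -ltn`; the sample output and the 10.0.0.x addresses are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original article: flag a MySQL/MariaDB listener
# (TCP 3306 by default) that is bound to something other than loopback, and
# print the settings that close it down. Input is the output of `ss -ltn`;
# the sample below is constructed for this example.

SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
LISTEN 0      151          0.0.0.0:3306        0.0.0.0:*
LISTEN 0      511        127.0.0.1:6379        0.0.0.0:*
LISTEN 0      128             [::]:80             [::]:*'

# Read `ss -ltn` output on stdin and print every listening socket on port $1
# (default 3306) whose local address is not 127.0.0.1 or [::1].
# Returns 1 if any such socket was found, 0 if the port is loopback-only.
exposed_listeners() {
    awk -v port="${1:-3306}" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")          # port is after the last ":"
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host == "127.0.0.1" || host == "[::1]") next
            print addr
            found = 1
        }
        END { if (found) exit 1; exit 0 }'
}

# Print the fix: bind MySQL to loopback when the web server is on the same
# host (otherwise to the private interface address given as $1), and allow
# 3306 only from the application servers listed as the remaining arguments.
# ufw evaluates rules in order, so the allows must come before the deny.
remediation() {
    bind="${1:-127.0.0.1}"
    [ $# -gt 0 ] && shift
    echo "# my.cnf, [mysqld] section"
    echo "bind-address = ${bind}"
    echo "# firewall"
    for src in "$@"; do
        echo "ufw allow from ${src} to any port 3306 proto tcp"
    done
    echo "ufw deny 3306/tcp"
}

# Usage on a live host:   ss -ltn | exposed_listeners || remediation
# Against the constructed sample (database host 10.0.0.10, app server 10.0.0.5):
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners || remediation 10.0.0.10 10.0.0.5
```

On the constructed sample the check reports `0.0.0.0:3306`, because MySQL is bound to all interfaces while Redis on 6379 is correctly loopback-only. If the web server and database share a host, leave bind-address at 127.0.0.1 and pass no source addresses, so the firewall simply denies 3306 from everywhere.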

4. Use a Unique MySQL User For Every Website

If you are running multiple databases on a single server, use a separate MySQL user for each database, with privileges granted only on that one database. (It goes without saying that every website should have its own database.) If someone manages to read your wp-config.php file, they have that site's credentials, so make sure the damage they can do is limited to that single website.

3. Use a Unique MySQL Password For Each User

Since the MySQL password is stored as plain text in your wp-config.php file, always use a completely unique password for each MySQL user. Because each site already has its own database user (see the step above), each site then has its own password as well. Never give your WordPress database a password that is anything close to one you use somewhere else.

What is the risk?

Your database password is stored in your wp-config.php file as plain text, so if your site files are compromised (through a vulnerable plugin, a misconfigured server, or a stolen backup) the database password is exposed with them. Locking down network access to the database at the server level limits what an attacker can do with that password, but a shared password exposed this way also puts every other system that uses it at risk.

Pro Tip

Use a password generator, such as the one from LastPass.
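Steps 4 and 3 together amount to one provisioning routine per site. The following shell script is an added example (not code from the original article) that generates a random password from the OS CSPRNG, emits the SQL that creates a database, a user and a grant scoped to that database only, and prints the matching wp-config.php lines. The site name "site1" and the host values are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original article: provision one MySQL user per
# WordPress site with its own random password and privileges limited to that
# site's database. The site name "site1" and the host values are hypothetical.

# 32 characters from the OS CSPRNG, alphanumeric only, so the value can be
# pasted into wp-config.php and SQL string literals without quoting problems.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Reject names that would break the SQL identifiers built below.
check_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) echo "invalid name: $1" >&2; return 1 ;;
    esac
}

# SQL to create the database, the user and the grant.  $1 = site name (used
# for both the database and the user), $2 = password, $3 = host the web
# server connects from ('localhost' when it is the same machine).  The grant
# is on this one database only; never GRANT ... ON *.* to a site user.
provision_sql() {
    site="$1"; pass="$2"; host="${3:-localhost}"
    check_name "$site" || return 1
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`${site}\` CHARACTER SET utf8mb4;
CREATE USER IF NOT EXISTS '${site}'@'${host}' IDENTIFIED BY '${pass}';
-- a working set for WordPress core; some plugins additionally need
-- CREATE TEMPORARY TABLES or REFERENCES
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES
    ON \`${site}\`.* TO '${site}'@'${host}';
FLUSH PRIVILEGES;
EOF
}

# The matching wp-config.php lines for that site.
wp_config_lines() {
    site="$1"; pass="$2"; host="${3:-localhost}"
    cat <<EOF
define( 'DB_NAME', '${site}' );
define( 'DB_USER', '${site}' );
define( 'DB_PASSWORD', '${pass}' );
define( 'DB_HOST', '${host}' );
EOF
}

# Usage: generate the password once, feed the SQL to an admin session and
# paste the define() lines into wp-config.php:
#   pass=$(gen_password)
#   provision_sql site1 "$pass" | mysql -u root -p
#   wp_config_lines site1 "$pass"
# Against the hypothetical site:
pass=$(gen_password)
provision_sql site1 "$pass"
wp_config_lines site1 "$pass"
```

Run the routine once per site, so that every site ends up with its own user and its own password. Because the generated password is never reused anywhere, a leaked wp-config.php exposes exactly one database and nothing else; keep the file readable only by the web server user as well.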

2. Change Your Database Prefix

Don’t make it easy for potential attackers to guess the names of your database tables by using the default wp_ prefix. A unique prefix like wp_x23ms_ makes a blind or automated SQL injection attack slightly harder, because the attacker has to discover the table names before reading or writing them. Treat this as a minor obstacle rather than a control: WordPress and its plugins build table names from $wpdb->prefix, so an injection through a plugin query uses the correct prefix automatically, and an attacker with a working injection can read the real names from information_schema.tables. The prefix is easiest to set in wp-config.php ($table_prefix) before the site is installed; changing it on an existing site means renaming every table and also updating the rows in the options and usermeta tables whose keys embed the prefix, or no user will be able to log in.
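The paragraph above covers picking a prefix; the following shell script is an added example (not code from the original article) that goes one step further and generates the SQL for moving an existing site from one prefix to another, including the options and usermeta rows that a plain table rename leaves behind. It uses the article's own wp_ and wp_x23ms_ prefixes, and the table list is constructed; on a live site the list would come from `mysql -N -e 'SHOW TABLES' dbname`.

```sh
#!/bin/sh
# Added example, not from the original article: generate the SQL that moves
# an existing WordPress site from one table prefix to another.  Table names
# are read on stdin, one per line (for a live site: mysql -N -e 'SHOW TABLES'
# dbname); the list below is constructed.

SAMPLE_TABLES='wp_commentmeta
wp_comments
wp_links
wp_options
wp_postmeta
wp_posts
wp_termmeta
wp_terms
wp_term_relationships
wp_term_taxonomy
wp_usermeta
wp_users
other_plugin_table'

# $1 = old prefix, $2 = new prefix.  Emits RENAME TABLE statements for every
# table that starts with the old prefix, then UPDATEs for the rows whose key
# embeds the prefix (user_roles in options; capabilities, user_level and
# similar keys in usermeta).  Renaming alone leaves those keys pointing at the
# old prefix, which breaks every login.
prefix_rename_sql() {
    old="$1"; new="$2"
    for p in "$old" "$new"; do
        case "$p" in
            ''|*[!A-Za-z0-9_]*) echo "invalid prefix: $p" >&2; return 1 ;;
        esac
    done
    start=$(( ${#old} + 1 ))        # SUBSTRING is 1-based
    echo "-- take a backup and put the site in maintenance mode first"
    while IFS= read -r t; do
        case "$t" in
            "$old"*)
                rest=${t#"$old"}
                echo "RENAME TABLE \`${t}\` TO \`${new}${rest}\`;"
                ;;
        esac
    done
    # LEFT() rather than LIKE, so an underscore in the prefix is not a wildcard
    cat <<EOF
UPDATE \`${new}options\`
    SET option_name = CONCAT('${new}', SUBSTRING(option_name, ${start}))
    WHERE LEFT(option_name, ${#old}) = '${old}';
UPDATE \`${new}usermeta\`
    SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, ${start}))
    WHERE LEFT(meta_key, ${#old}) = '${old}';
-- then in wp-config.php:  \$table_prefix = '${new}';
EOF
}

# Against the constructed table list:
printf '%s\n' "$SAMPLE_TABLES" | prefix_rename_sql wp_ wp_x23ms_
```

Tables that do not carry the old prefix (other_plugin_table in the sample) are left alone. Review the generated statements before running them, and update $table_prefix in wp-config.php in the same maintenance window, because the site is broken between the rename and the config change.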

1. Secure Your WordPress Account

The number one thing you should do for a secure WordPress database is also the top thing you should do to secure your WordPress site in general. None of the steps above matter if an administrator account is compromised: an attacker who can log in as an administrator can read and change the database through WordPress itself, using the site's own, perfectly valid credentials.

Securing Your WordPress Accounts

Do these things on all of your WordPress websites:

  • Use a strong, unique password for every user account, and especially for administrators
  • Use a plugin to limit login attempts, so that password guessing is throttled or blocked