The `wp-config.php` file is the brain of your WordPress site. If it's compromised, your entire database is exposed. Plugins are a start, but true security happens at the file and server level.
By implementing these constants and rules, you reduce the attack surface of your site by disabling high-risk features and obscuring technical details that hackers use to find vulnerabilities.
Critical Hardening Snippets
1. Absolute File Lockdown
While `DISALLOW_FILE_EDIT` stops the editor, `DISALLOW_FILE_MODS` is the professional standard. It blocks the editor AND prevents plugin/theme installations or updates from the dashboard.
// Disable the editor and all dashboard-level installs/updates define( 'DISALLOW_FILE_MODS', true );
2. Prevent Information Leakage
Errors in production can reveal your absolute server paths. This snippet ensures that while errors are logged for your review, they are never shown to a visitor.
// Disable display of errors to visitors define( 'WP_DEBUG_DISPLAY', false ); @ini_set( 'display_errors', 0 );
3. Cryptographic Salts
Crucial: Salts hash your users' cookies. If you suspect a breach, changing these will instantly log out every user on the site.
Always use unique, long strings. You can generate a fresh set at the official WordPress API:
https://api.wordpress.org/secret-key/1.1/salt/4. Force SSL for Admin
Encryption is mandatory for login credentials. This forces WordPress to use HTTPS for all administrative traffic.
// Force SSL for login and admin screens define( 'FORCE_SSL_ADMIN', true );
Why File-Level Security Wins
Zero Overhead
Constants in wp-config are checked before any plugins load, making them incredibly fast and efficient.
Immune to Dashboard Hacks
Even if an attacker gains an admin account, they cannot re-enable file editing if it's hard-coded in the config.
Strategic Note
Security is about layers. While these constants provide a solid foundation, always combine them with server-level firewalls (like Cloudflare or ModSecurity) and regular off-site backups. A secure site is a fast, reliable site that Google and users can trust.