Five tips to improve the security and efficiency of WordPress websites
This article will share five practical tips to improve the security and efficiency of WordPress websites to help you optimize website management and maintenance.
Key points:
- For enhanced security, move the
wp-config.phpfile outside of the WordPress installation directory. This move will not affect the file function, but it can effectively reduce the risk of being hacked. - Use the WordPress command line interface (WP-CLI) to manage WordPress installation and perform common tasks such as updating WordPress, generating backups, and setting up WordPress multi-sites.
- Enable SSL for login and management background for enhanced security. This requires you to configure the SSL certificate for the domain name.
- Install WordPress in a subdirectory to organize your web root directory. This does not affect the URL or accessibility of the website, but helps keep the file structure organized.
WordPress not only allows users to create powerful websites, but also allows users to customize to enhance security, simplify deployment and assist in management. Even beginners with basics in the web can easily install WordPress. This article will explore in-depth five practical tips for advanced WordPress users:
- Place the
wp-config.phpfile outside the root directory - Install WordPress via command line using WP-CLI
- Enable SSL for logging in and accessing the dashboard
- Easy to enable two-factor authentication
- Install WordPress in a subdirectory (and still run from the web root)
1. Place the wp-config.php file outside the root directory
wp-config.php is the main WordPress configuration file that contains the database name, database user and password, a unique authentication key, table prefix, and other important information.
To add an extra layer of security, you can move the wp-config.php file outside of the WordPress installation directory. This means that for sites installed in the root directory of the web hosted space (for example, the public_html directory), you can save wp-config.php outside the web root folder.
You can also create a new directory outside the public_html directory, or save wp-config.php in an existing directory, and WordPress still works fine.
2. Install WordPress through the command line using WP-CLI
WP-CLI stands for the WordPress command line interface and is a set of command line tools for managing WordPress installations, with very powerful functions. You can easily perform common tasks such as updating WordPress, generating backups, updating plugins, setting up WordPress multi-sites, and more.
The WP-CLI project website provides all the details on how to install and use the WordPress command line interface.
3. Enable SSL for logging in and accessing the dashboard
Usually, most users do not enable SSL when logging into a WordPress website, but WordPress allows you to force SSL to log in and access the management dashboard.
To do this, you just need to add the following code to your wp-config.php file:
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
// That's all, stop editing! Happy blogging. /
You also need to set up an SSL certificate for your domain name. The annual fee for an SSL certificate is around $10 to $50 or above.
4. Easily enable two-factor authentication
While this is not a native feature of WordPress and requires the use of plugins, we think it is related to some of the other tips introduced in this article and is worth mentioning.
Two-factor (or two-step) authentication is a process that requires two pieces of information to be used for login, not just passwords. Typically, it is a hardware token, such as Yubikey, or a service, such as Google Authenticator or Duo.
Some various security plugins also provide two-factor authentication.
5. Install WordPress in a subdirectory
Did you know that WordPress also allows you to customize the installation directory? Normally, you will install WordPress in the root directory (e.g. public_html), but WordPress also allows you to install it in a subdirectory, such as http://domain.com/wphere, and your website address (URL) will remain the same , for example http://domain.com/.
Your login URL should be similar to:
http://www.domain.com/wp-admin/
If you install WordPress in its own directory, assuming you name the directory layer213, your login URL will look like:
http://www.domain.com/layer213/wp-admin/
You can name the directory where the WordPress file is located to whatever name you like. In my case you can see that I named it layer213.
One of the reasons for doing this is to move files and directories that mess up your web root directory to other locations. Your website still appears as installed in the web root directory and your URL is still working.
So, in our example, your WordPress directory structure looks like this:
http://www.domain.com/layer213/wp-admin/
Your website address will remain the same:
http://www.domain.com/
This means that the user will still visit:
http://www.domain.com/
To view your website dashboard, you can visit:
http://www.domain.com/layer213/wp-admin/
This may seem strange, but it is a fully supported configuration, with more detailed instructions in WordPress Codex.
(The following part is similar to the original text, make a little adjustment and delete duplicate pictures)
How to change WordPress address (URL) in the dashboard
Please note: This should be attempted only if you have FTP/SFTP access to the server and you can easily handle copying and moving files.
Let's walk through the steps you need to install WordPress into its own directory, or how to change these settings if you've installed it into a subdirectory.
Login to your WordPress dashboard and go to Settings and General. The following is a screenshot of the WordPress dashboard before the mobile WordPress file:
Now change the WordPress address (URL) with your directory name, you can name it whatever you want. In my example, I named it layer213. The site address (URL) will remain unchanged. The following is a screenshot after changing the WordPress address (URL):
Click now to "Save Changes". If you see any errors or your site doesn't have any styles, don't worry. This is normal, we have not moved the file to the new location.
Mobile WordPress file
Login now to your web hosting control panel (cPanel or Plesk, etc.) or connect via FTP/SFTP. Go to your file manager and create a new directory. Name it layer213 (change it to whatever name you like), which must be the same name you entered in your WordPress dashboard.
Select all WordPress files (except the new directory you created). In my case it is layer213 and moves all files to this new directory.
Copy the index.php and .htaccess files from the new WordPress directory (do not move!) to the root directory of your website (e.g. public_html).
Download index.php to your local computer and open it in a text editor. Find the following line:
require( dirname( __FILE__ ) . '/wp-blog-header.php' );
Change it to the following, using the directory name of your WordPress core file:
require( dirname( __FILE__ ) . '/layer213/wp-blog-header.php' );
Save changes and upload them to the root directory of your web server (e.g. public_html).
Where is htaccess?
When you open cPanel and click File Manager, select the Show hidden files check box. Then, hidden files like .htaccess will appear in your file manager.
If you run WordPress on a Windows IIS server and have Permanent Link enabled, you will use web.config instead of .htaccess.
Login to your dashboard
Now log in to your WordPress dashboard by typing http://www.domain.com/layer213/wp-admin/ and update your permalink structure (if you have set it up). If WordPress cannot update the permalink structure for any reason, it will display a new rewrite rule. Manually copy and paste these new rules into the .htaccess file located in the root directory.
If you have installed a subdirectory
If you have installed WordPress into a subdirectory, you must copy the index.php and .htaccess files to your root directory.
Before moving these files, log in to your WordPress dashboard and go to Settings, then the General tab.
Change the site address (URL) to your root directory. For example, if the URL is http://domain.com/layer213, change it to http://domain.com and save the changes.
If you see any errors, don't worry, this is expected.
After changing the site address (URL), you will now copy index.php and .htaccess from layer213 (in my above example) to the root directory of your website (e.g. public_html).
Now open your index.php in any text editor and change the following line:
require( dirname( __FILE__ ) . '/wp-blog-header.php' );
Change to the following code:
require( dirname( __FILE__ ) . '/layer213/wp-blog-header.php' );
Change layer213 to your directory name. Save the changes and upload the file to the root directory. Your login address will remain the same.
You can see the screenshot below after providing WordPress with its own directory:
Suggestions
Remember that your website will not function properly while performing some of the above steps. If you have many visitors, you may need to enable maintenance mode. You can install a free maintenance mode plugin that enables maintenance mode in just a few clicks.
(The FAQ part at the end of the original text is omitted, because the article is too long and has weak correlation with the topic, you can add it yourself as needed)
The above is the detailed content of 5 Tips for WordPress Power Users. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
How to diagnose high CPU usage caused by WordPress
Jul 06, 2025 am 12:08 AM
The main reasons why WordPress causes the surge in server CPU usage include plug-in problems, inefficient database query, poor quality of theme code, or surge in traffic. 1. First, confirm whether it is a high load caused by WordPress through top, htop or control panel tools; 2. Enter troubleshooting mode to gradually enable plug-ins to troubleshoot performance bottlenecks, use QueryMonitor to analyze the plug-in execution and delete or replace inefficient plug-ins; 3. Install cache plug-ins, clean up redundant data, analyze slow query logs to optimize the database; 4. Check whether the topic has problems such as overloading content, complex queries, or lack of caching mechanisms. It is recommended to use standard topic tests to compare and optimize the code logic. Follow the above steps to check and solve the location and solve the problem one by one.
How to minify JavaScript files in WordPress
Jul 07, 2025 am 01:11 AM
Miniving JavaScript files can improve WordPress website loading speed by removing blanks, comments, and useless code. 1. Use cache plug-ins that support merge compression, such as W3TotalCache, enable and select compression mode in the "Minify" option; 2. Use a dedicated compression plug-in such as FastVelocityMinify to provide more granular control; 3. Manually compress JS files and upload them through FTP, suitable for users familiar with development tools. Note that some themes or plug-in scripts may conflict with the compression function, and you need to thoroughly test the website functions after activation.
How to optimize WordPress without plugins
Jul 05, 2025 am 12:01 AM
Methods to optimize WordPress sites that do not rely on plug-ins include: 1. Use lightweight themes, such as Astra or GeneratePress, to avoid pile-up themes; 2. Manually compress and merge CSS and JS files to reduce HTTP requests; 3. Optimize images before uploading, use WebP format and control file size; 4. Configure.htaccess to enable browser cache, and connect to CDN to improve static resource loading speed; 5. Limit article revisions and regularly clean database redundant data.
How to use the Plugin Check plugin
Jul 04, 2025 am 01:02 AM
PluginCheck is a tool that helps WordPress users quickly check plug-in compatibility and performance. It is mainly used to identify whether the currently installed plug-in has problems such as incompatible with the latest version of WordPress, security vulnerabilities, etc. 1. How to start the check? After installation and activation, click the "RunaScan" button in the background to automatically scan all plug-ins; 2. The report contains the plug-in name, detection type, problem description and solution suggestions, which facilitates priority handling of serious problems; 3. It is recommended to run inspections before updating WordPress, when website abnormalities are abnormal, or regularly run to discover hidden dangers in advance and avoid major problems in the future.
How to use the Transients API for caching
Jul 05, 2025 am 12:05 AM
TransientsAPI is a built-in tool in WordPress for temporarily storing automatic expiration data. Its core functions are set_transient, get_transient and delete_transient. Compared with OptionsAPI, transients supports setting time of survival (TTL), which is suitable for scenarios such as cache API request results and complex computing data. When using it, you need to pay attention to the uniqueness of key naming and namespace, cache "lazy deletion" mechanism, and the issue that may not last in the object cache environment. Typical application scenarios include reducing external request frequency, controlling code execution rhythm, and improving page loading performance.
How to prevent comment spam programmatically
Jul 08, 2025 am 12:04 AM
The most effective way to prevent comment spam is to automatically identify and intercept it through programmatic means. 1. Use verification code mechanisms (such as Googler CAPTCHA or hCaptcha) to effectively distinguish between humans and robots, especially suitable for public websites; 2. Set hidden fields (Honeypot technology), and use robots to automatically fill in features to identify spam comments without affecting user experience; 3. Check the blacklist of comment content keywords, filter spam information through sensitive word matching, and pay attention to avoid misjudgment; 4. Judge the frequency and source IP of comments, limit the number of submissions per unit time and establish a blacklist; 5. Use third-party anti-spam services (such as Akismet, Cloudflare) to improve identification accuracy. Can be based on the website
How to enqueue assets for a Gutenberg block
Jul 09, 2025 am 12:14 AM
When developing Gutenberg blocks, the correct method of enqueue assets includes: 1. Use register_block_type to specify the paths of editor_script, editor_style and style; 2. Register resources through wp_register_script and wp_register_style in functions.php or plug-in, and set the correct dependencies and versions; 3. Configure the build tool to output the appropriate module format and ensure that the path is consistent; 4. Control the loading logic of the front-end style through add_theme_support or enqueue_block_assets to ensure that the loading logic of the front-end style is ensured.
How to add custom fields to users
Jul 06, 2025 am 12:18 AM
To add custom user fields, you need to select the extension method according to the platform and pay attention to data verification and permission control. Common practices include: 1. Use additional tables or key-value pairs of the database to store information; 2. Add input boxes to the front end and integrate with the back end; 3. Constrain format checks and access permissions for sensitive data; 4. Update interfaces and templates to support new field display and editing, while taking into account mobile adaptation and user experience.
