How We WordPress: Security and Stability

Author: Chris Everson | 5 minute read

How We WordPress: Security and Stability

This is the second entry in a four-part series examining how we use WordPress here at Flywheel Co. to provide our clients with an efficient, secure, and scalable website.

The first entry in our "How We WordPress" series covered keeping the admin experience intuitive and consistent for the day-to-day website managers. In this entry to the series, we'll be addressing the steps we take to ensure that the WordPress-based websites we create for our clients remain secure and stable throughout their lifespan.

Keeping your website free of malicious content is essential to ensuring a desirable experience for your visitors as well as maintaining good search result rankings. Powering an estimated 36% of websites, it's no surprise that WordPress is a common target for malicious actors, and while the WordPress core development team does a phenomenal job at securing the base installation, there are a number of additional actions you can take to further improve your site's security.

Today we'll focus on a few of the more basic steps you can take to keep your WordPress site safe and sound in the following areas:

  • Folder and file structure
  • Site configuration
  • Release awareness

These practices are by no means a complete list of the steps we take to secure the sites we build and host, but are a great starting point for moving in the right direction.

Using a Non-Standard Folder and File Structure

The majority of malicious attacks against WordPress installations will rely on your site's files being in the standard locations for WordPress installations to inject malicious code. Changing the folder and file structure of your installation is a great first step when starting a new WordPress project.

A typical installation will house the core files directly in your project's root directory. Not only is this predictable, it can get quite chaotic as you begin to add files to your project, leading to a project infrastructure that is difficult to maintain. Moving the project's web root to a sub-directory and separating wp-content from the rest of your WordPress installation is a great way to make your file structure less predictable making your project clearer to maintain.

Modified WordPress Folder and File Structure

In the example above, a public subdirectory is used as the project's web root. You'll also notice that the wp-content directory becomes public/app while the rest of the WordPress files are moved to public/core. This separates our actual website from any configuration files your project might accrue over time such as package manager manifests, and build-related configurations.

To make WordPress adhere to our example's change in folder and file structure, the public/index.php and public/wp-config.php files will receive minor modifications.

The public/index.php file needs to have the path to the WordPress installation updated in the last require statement. This will tell WordPress to load itself from our new public/core directory.

/** public/index.php */

// ...

require __DIR__ . '/core/wp-blog-header.php';

In our public/wp-config.php file, we'll update our global configuration to define the new folder and file structure locations. For more information on modify you're wp-config.php file checkout the official guide on

/** public/wp-config.php */

// ...

// update the site urls
define('WP_SITEURL', 'https://example.test');
define('WP_HOME',    'https://example.test/core');

// define the new wp-content locations
define('WP_CONTENT_URL', 'https://example.test/app');
define('WP_CONTENT_DIR', __DIR__ . '/app');

// ...

The final step is to update your web server configuration to utilize the new folder and file structure. If you're unfamiliar with how to update your project's web root, there are a plethora of great guides available throughout the web for reference. Once completed, your project will be served using your new file structure, enhancing your site's security and reliability.

Site Configuration

Regardless of the folder and file structure of your project, there are a few things you can easily implement and adhere to when configuring our WordPress installation that will assist in keeping your website safe and stable.

1. Create strong admin users

When creating your admin users, endeavour to use unique usernames. An admin user named admin is very common and thusly, less secure. In addition to taking care in setting up your admin user's credentials, you should be ensuring that only the users that truly need full administrative access are being given admin permissions. Assigning proper user roles is essential in limiting your exposure to risk.

2. Use a unique database table prefix

Using a non-standard database table prefix is another step you can take to make your website's inner-workings a bit less predictable. By default, WordPress database tables are prefixed with wp_, but can be modified to use your unique prefix and then adding or updating the $table_prefix variable in your wp-config.php file to make WordPress aware of your custom table prefix.

/** wp-config.php */

// ...

$table_prefix = 'example_5309_';

// ...

3. Disable the admin code editor

Out of the box, WordPress has a code editor in the admin providing users the ability to edit the code that makes up themes and plugins. Disabling this functionality is an essential practice when it comes to keeping your website secure and stable.

With the code editor enabled, unauthorized users could use compromised login credentials to easily add malicious code to your website. Even authorized users pose as risk as they could accidentally make updates to your theme or plugin files, potentially bringing the website to a halt and rendering it inaccessible to visitors and admins alike.

To disable the admin code editor, all we have to do as add one new line to our project's wp-config.php file:

/** wp-config.php */

// ...

define('DISALLOW_FILE_EDIT', true);

// ...

Release awareness

Above all else, keeping your site's WordPress installation up-to-date is essential for keeping your site running smoothly and uninterrupted. When an update to WordPress is released, there are typically a variety security enhancements included to ensure the platform is protected from the ever-changing landscape of risk.

Being aware of when WordPress receives an update allows you to stay on top of keeping your websites current. Here at Flywheel Co., we stay up-to-date through the WordPress Slack workspace, setting it up to notify us when a new release is posted in the #announcements channel.

If you're not a Slack user, you could alternatively setup an RSS feed reader to notify you of updates subscribing to the releases category in the WordPress blog.

The security practices above will add layers of protection, providing a basic starting point for your secure and stable WordPress project, paving the way for a hassle-free experience. To continue learning about securing your website, read the WordPress Security White Paper and check back in the future for the third and fourth parts of our "How We WordPress" series for even more suggestions and practices for smooth sailing in the digital seas.

How We WordPress Series:

  1. Putting the User First
  2. Security and Stability

Flywheel Co. : Chris Everson - Development Lead
Development Lead

Chris Everson

Chris is an extraordinary programmer and source of comedy at Flywheel. Although he once had a desk in the office, he has since relocated to Australia and is our international wing.


Keep Reading

Our Blog

More thoughts and ideas from the Flywheel team.