• Thanks to AlainS, I now use the security plugins, looks great, I already corrected some stuff on my website but I still need some help on 2 big security problems:

    1) I have to change my db prefix, for that “wp-config must be set to writable before running this script.”, how can I do that?

    2) When I try to change the prefix, it says: “Your currently used User to Access the WordPress Database, holds too many rights. We suggest that you limit his rights or to use another User with more limited rights instead, to increase your Security.”, what do I have to do here?

Viewing 8 replies - 1 through 8 (of 8 total)
  • The answer to 2) depends on your hosting setup. With shared hosting you often can only have one database user which has full rights in your database. If you have more control over your mysql setup, you can limit the rights of your WordPress db user account through phpmyadmin or mysqladmin.

    Thread Starter tomasi514

    (@tomasi514)

    Hi mrmist, I already have 2 users and website is local for now, so on my computer..

    The database security check just looks to see if your WordPress user has all privileges for the database. It’s generally a good idea to create a new user for your WordPress database that has just the ability to read, write and alter the tables.

    Thread Starter tomasi514

    (@tomasi514)

    ok mrmist, thanks, I am going to recheck my user rights.
    Can anyone answer question 1) please?

    You would need to change the permissions for the wp-config.php so that it is writeable by your web server account – in much the same way as files in wp-content/themes have to be to use the theme editor.
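One way to script the permission change described above so that the file does not stay writable: an added example, not part of the original thread. It assumes a Unix-like host where `wp-config.php` is owned by the account the web server runs as; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Unix-like host where
# wp-config.php is owned by the account the web server/PHP runs as.

file_mode() {   # octal mode of $1: GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# with_writable_config FILE CMD [ARGS...]
# Adds owner write to FILE, runs CMD, then restores the saved mode even
# when CMD fails. The body runs in a subshell so its variables stay private.
with_writable_config() (
    cfg=$1; shift
    [ -f "$cfg" ] || { echo "not a file: $cfg" >&2; exit 2; }
    saved=$(file_mode "$cfg") || exit 2
    chmod u+w "$cfg" || exit 2
    rc=0
    "$@" || rc=$?                 # CMD stands in for the step that edits the file
    chmod "$saved" "$cfg" || exit 2
    exit "$rc"
)

# List .php files directly in WordPress root DIR that still have any write
# bit set (owner, group or other), i.e. candidates for removing write access.
writable_php() {
    find "$1" -maxdepth 1 -type f -name '*.php' \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print
}

# Usage (paths are placeholders):
#   with_writable_config /path/to/wordpress/wp-config.php some_command
#   writable_php /path/to/wordpress
```

The mode is restored after the command returns, whether it succeeded or not; it is not restored if the script itself is killed mid-run, so re-check with `writable_php` afterwards.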

    Thread Starter tomasi514

    (@tomasi514)

    thank you once more for taking some more time with me mrmist, can you be more explicit please? :-S sorry, do I have to add or change a line in this file, or change something in my databases?

    Answer to Q1: You’ll need to either use FTP or your Web control panel at your hosting company to change file permissions. In particular, you need to enable write access to the wp-config.php file which is located in the directory where you installed WordPress.

    If you use FTP then read the help file that comes with your FTP software (assuming it has some help built in) or if your hosting company uses cPanel for managing your site then go to File Manager in cPanel, open your site’s directory, find wp-config.php, and adjust permissions. In some versions of cPanel you have to right-click the file name and choose Permissions.

    When you’ve finished changing your database prefix remove write access to wp-config.php and all other .php files in your WP root directory.

    Answer to Q2:
    The database user that has access to your WP database might need ALTER, and/or CREATE privileges in order to change the database prefix – depending on how the plugin works (I haven’t read the code). It’s probably a good idea to limit database privileges (after you alter the table prefix) HOWEVER if you remove CREATE privileges then you will not be able to use plugins that need to create tables. So keep that in mind.

    To modify database permissions you’ll need to use your hosting company Web admin panel. If it’s cPanel then look in the Database section for ‘MySQL databases’. Go there, locate your database name in the list, look for the user name associated with it, and click the user name to edit the permissions. Minimally you’ll need SELECT, INSERT, UPDATE, and DELETE permissions. And if you have trouble installing or enabling plugins then you probably also need CREATE and maybe even DROP permissions.

    You might also want to check into Maximum Security for WordPress to help keep WordPress secure.
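The privilege check discussed in this answer can be reproduced outside the plugin by comparing `SHOW GRANTS` output with the minimum set it names. The following is an added example, not part of the original thread and not the plugin's code; the user `wp_user`, the database `wordpress` and the sample grant lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Sample grants below are constructed.
BASELINE="SELECT,INSERT,UPDATE,DELETE"   # minimum named in the answer above
SCHEMA_CHANGE="CREATE,ALTER,DROP"        # extras the answer says some tasks need

# Reads SHOW GRANTS output on stdin and prints every privilege outside the
# allowed set, one per line. $1 = optional comma-separated extras to allow.
# The body runs in a subshell so its variables stay private.
excess_privileges() (
    allowed=",USAGE,$BASELINE,${1:-},"
    while IFS= read -r line; do
        case $line in "GRANT "*" ON "*) ;; *) continue ;; esac
        list=${line#GRANT }
        rest="${list%% ON *},"           # privilege list only, comma-terminated
        while [ -n "$rest" ]; do
            p=${rest%%,*}; rest=${rest#*,}
            p=${p# }                     # drop the space that follows each comma
            case $allowed in *",$p,"*) ;; *) printf '%s\n' "$p" ;; esac
        done
        case $line in *"WITH GRANT OPTION"*) echo "GRANT OPTION" ;; esac
    done | LC_ALL=C sort -u
)

sample_broad() { cat <<'EOF'
GRANT USAGE ON *.* TO `wp_user`@`localhost`
GRANT ALL PRIVILEGES ON `wordpress`.* TO `wp_user`@`localhost`
EOF
}

sample_scoped() { cat <<'EOF'
GRANT SELECT, INSERT, UPDATE, DELETE, ALTER, LOCK TABLES ON `wordpress`.* TO `wp_user`@`localhost` WITH GRANT OPTION
EOF
}

# Day-to-day check: only the baseline is allowed.
sample_scoped | excess_privileges
# While changing the table prefix: also allow the schema-change privileges.
sample_scoped | excess_privileges "$SCHEMA_CHANGE"
```

Against a real server, pipe the output of `SHOW GRANTS FOR` the WordPress account into `excess_privileges` instead of the sample functions.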

    Thread Starter tomasi514

    (@tomasi514)

    Hi wpsec, and thank you very very much for this huge good security content.

    I have 2 versions of my website: one local on which I am experimenting all new changes and another one hosted by an online provider.

    So for now, I am only trying things on my local website (using xampp), waiting for the moment when all security will be fixed on this version to do it online. I have another issue: using new permalink structure.

    Concerning the database prefix, I managed to change that by doing this (again, I am using xampp + my local website is only made for local testing):

    step a) Finding the “httpd.conf” file under the “conf” folder inside the Apache’s installation folder.

    step b) Find the following line “#LoadModule rewrite_module modules/mod_rewrite.so” in the “httpd.conf” file.

    step c) Remove the “#” at the starting of the line, “#” represents that line is commented.

    I succeeded in changing the db prefix, but is it a secure way to do this? Must I disable rewrite mode after?
    +
    I have not succeeded in changing the write access of my local files… I understand I have to connect with ftp on my server, as if it was a “distant website”… Must I define a username+password to access this local website? oops sorry, I am a bit lost here…

  • The topic ‘Security plugin: need some help please.’ is closed to new replies.