A lot of questions I get about Better WP Security (BWPS) involve figuring out what is actually changed byt the plugin. Due to the complexity of the plugin there are a number of changes made to your WordPress install itself (all of which are documented somewhere within WordPress.org). Here is a list of all the changes made (minus it’s own options) as of version 2.4.
File System Changes
BWPS makes numerous changes to .htaccess all of which are between the # BEGIN Better WP Security line and the # END Better WP Security. These changes are removed when the plugin is deactivated and may be manually deleted at any time without any adverse affects to your site. If you have been using the “Hide Backend” feature however deleting this code will result in your login, register, and admin URLs reverting to the original as defined by WordPress.
As with the .htaccess file, BWPS also changes a lot of code in the wp-config.php file. Unlike .htaccess however many changes to w-config.php cannot be manually removed without breaking your website.
- The Content Directory option adds the lines define(‘WP_CONTENT_DIR’, ‘[new path to content directory]‘); and define(‘WP_CONTENT_URL’, ‘[new content directory url]‘);. Deleting these lines will break WordPress if you don’t manually rename the wp-content folder back to wp-content. In addition, if you have links to media or other files pointing to the changed wp-content directory throughout your site these links will also break until they are manually updated.
- The Database Prefix option changes the $table_prefix = ‘xxx’; line whereas xxx is the prefix used in your database. Manually changing this line will break your website.
- The Turn off file editor in WordPress Back-end option under System Tweaks adds the line define(‘DISALLOW_FILE_EDIT’, true); to the file. This line can be safely deleted manually without breaking your website.
- The Enforce SSL option in System Tweaks adds the lines define(‘FORCE_SSL_ADMIN’, true); and define(‘FORCE_SSL_LOGIN’, true); to the file. These lines can be safely removed without breaking your website.
- wp-content folder
- The Content Directory option physically renames the wp-content folder. This cannot be changed manually without changing the associated entry in the wp-config.php file. In addition, as with the option in the wp-config.php file, changing this will result in links to media and other files throughout the site breaking.
- The Intrusion Detection and Limit Logins options will create three BWPS tables in the database. These tables can be deleted if these options are not active and can be emptied at any time without breaking your site. Note that d404 table contains information on files missing in your site that might help you improve your SEO. Also, if you are locked out of your site after activating intrusion detection you can see what files are causing the errors. For more information see my post on the issue.
- The Database Prefix option will rename every table in the database utilizing the chosen database prefix. In addition, it will update the user_roles option in the options table to utilize the new database prefix. Changing any one of these without the others as well as the entry in your wp-config.php file will break your website.