How to secure wp-config File

How to secure wp-config File

Due to the high importance of config file in your WordPress script, this article will guide us on how to secure this “config file” from intruders and hackers. WordPress has many ways to harden itself from the many security breaches it faces. In this article, we shall be primarily focusing on securing wp-config.php file which is one of the core files that can cause blunders if hacked.

About wp-config.php File

When a WordPress website is created, it contains a file called ‘wp-config.php’. This special WordPress configuration file is one of the most vital WordPress files. The file contains numerous configuration parameters which must be modified for better security of your WordPress website. When you open this file, you will find all the information that you input while setting up the database for your WordPress website.

WP config file

It holds information such as username, password – all the necessary information required to access the database. Further down, there are a set of secret keys available which help in securing your WordPress website in multiple ways. Below that, you get a variable named ‘table_prefix’ which is crucial in regards to information security. With all such vital data written into this file, securing wp-config.php file is of great importance. If anyone is able to get hold of the information written in this file, then imagine the catastrophe that would befall on your website.

Ways To Secure wp-config.php File

Now let us discuss the possible steps which can be used for securing wp-config.php file of your WordPress website:
1. Protection through .htaccess file

Connect your WordPress website using an FTP Client (use SFTP of FTPES to encrypt communication between computers and servers) and download the .htaccess file which can be found in the root directory of your WordPress website.

Open the .htaccess file using any text editor application.
Include the following lines of code in the end of the .htaccess file:

#secure wp-config.php

<files wp-config.php>

order allow, deny

deny from all


These lines basically block access to your wp-config.php from internal hacking and code modification thus securing wp-config.php file.

Once you’re done editing, save the file using ‘Save As Type’ and selecting ‘All Files’ so that the text editor doesn’t change the file type to something else. Once saved, upload it back through the same connection procedure to the root folder of your WordPress website and overwrite the old one.

2. Moving wp-config.php

Usually, the wp-config.php file is located in the root directory. Now letting the hacker sneak into the root directory is something that you would never desire. Hence the best practice is to move the wp-config.php file to an unpredictable location in order to secure the sensitive data stored inside the file. Although it is a difficult task and time consuming but in the end, it is an important part in deciding the fate of your WordPress website’s security. Also, with every upgrade, you will be required to make changes to the WordPress source code and maintain it.

Usually, the wp-config.php file is secured by moving it up one level thus putting it outside your website’s public folder. So the best option is to move up and in an undisclosed location on your website directory. While working offline, you can do this through the simple drag-and-drop feature. However, while working online, you need to perform the following steps:

Use the Move tool in File Manager
Select the wp-config.php file
Hit Move tool.
Change the directory in which you want the file to be put in

This process may not be achieved easily and one may have to talk to the WordPress host to ensure that your website server is set up in a way that allows this. But the relocation of wp-config.php doesn’t ensure its full security. How about changing the contents in order to secure wp-config.php file?

3. Modify wp-config.php File

You can also create a new configuration file. This file must be created in a non-WWW accessible directory so that it is protected from foreign access or external attackers. It must not be present in the public_html file of your website thus keeping it out of reach from your WordPress website visitors.

Now open the current wp-config.php file and move the lines which contain the database connection details, database prefix and also WordPress security keys. Append at the end of the file.

After moving all the sensitive data from the wp-config.php file, add the following line just as the 4. Setting up the correct file permissions for wp-config.php

The wp-config is one of the most sensitive files in the entire directory since it contains all the information about base configuration and also the database connection information. The appropriate file permission for this file will be 400. This means that the user and groups have permission to only read and others will not be able to access the file.

To conclude this short guide.

Thus, these were some of the methods to secure wp-config.php file which in-turn would secure your WordPress website. As a WordPress admin, you must ensure that your wp-config.php is configured in the above-mentioned steps and let your users also be aware of the best security practices for their organization’s website.

About the Author

Leave a Reply

Call me!
content copy not allowed
Secured By miniOrange