Beef up your Wordpress Security – secure wp-config.php

Back to Blog
How to secure your WordPress wp-config.php file

Beef up your Wordpress Security – secure wp-config.php

There are multiple ways to harden your WordPress website against the many security breaches it faces, in this article I focus on securing your wp-config.php file.

Why secure wp-config.php?

In any WordPress installation the wp-config.php file holds crucial information about your setup – including database name, the server it is located on and the admin username, the password to access it, your WordPress authentication keys and other sensitive information.

This is gold for hackers, giving them full access to every part of your website where they can inflict major damage or even remove everything, so let’s make it much more difficult for them to access it

The following article gives 3 ways of securing your wp-config file.


Move wp-config

In a default WordPress installation wp-config.php resides in the websites root directory (usually called “public_html”, “webroot”, “www”  or “root”).  This directory is a public folder.  So to make it more difficult to access you should move it to a higher level than your root directory.  Don’t just take my word for it, our bible the Wordpress Codex strongly advises to do this.

Our gorgeous Wordpress developers have given us a helping hand.  If you simply move your wp-config.php file one level higher from your webroot directory, your WordPress installation will detect it and your site will continue to operate.  Changing the file permissions to 440 whilst you’re there will ensure that only you (and your webserver) will be able to read it.

Protect via .htaccess file

Add the following code to your .htaccess file:

#secure wp-config.php
<files wp-config.php>
order allow, deny
deny from all

This code will basically block access to your wp-config.php from internal hacking and code modification.

File permissions

Changing wp-config.php file permissions to 440 (or even better 400) will make sure that only you (and your webserver) will be able to read it.


If you need any more information or a helping hand please reach out, I’d love to help!

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Blog