
How to Secure the wp-config.php File of a WordPress Site

updated on Aug 10, 2017
wp-config.php is one of the most important WordPress files. It contains sensitive information such as the database credentials, the security keys and developer options, which makes it critical to the security of your WordPress site.

By default, the wp-config.php file cannot be read through a browser, because the web server hands it to PHP for execution rather than serving its source. However, its file name is known to everyone and its default location is the root directory, so this default protection alone is not enough.

The good news is that some simple measures can improve the security of the wp-config.php file and of your WordPress site as a whole. Three optional methods are described below; none of them requires coding knowledge.

What Is the wp-config.php File?

This file is one of the most critical files of a WordPress installation, because it holds all the database connection settings of your site, such as the database name, username, password and host. Everything in wp-config.php governs how WordPress stores and retrieves data in the database, and the file also carries advanced options such as security precautions, feature toggles, performance tuning and site customization.

In fact, there is no wp-config.php file by default. After installing WordPress you will only find wp-config-sample.php in the root installation directory; edit it as required and save it under the name wp-config.php.

Before editing this file, you need to know the database name, username, password and host name. Your hosting company can provide this information; if you manage your own web server, record these values when you create the database and its user.

One important note: never edit this file with Microsoft Word or another word processor, because such programs insert formatting characters that break PHP code. Use a plain text editor such as Notepad or EditPlus3 instead.

Method 1: Restrict the File Permissions of wp-config.php

Every file on the web server carries a set of file permissions that determine who can read, write and execute it, and wp-config.php is no exception.

To secure wp-config.php, use the most restrictive permissions that still let your WordPress site operate, so that nobody except you and the web server can access the file.

Since less access is better, the most secure permission setting for wp-config.php is 400 (readable by the owner only). Try it first; if it causes problems for your site, change the permissions to 440 (readable by the owner and the group). Whether 400 works depends on the account PHP runs under: it succeeds only when the web server process runs as the file's owner, which is why the fallbacks below exist.

If neither of these settings works, try 640 or 644. Never use 777 for any file: it lets everyone read, write and execute the file, which is a serious security risk.

The file permissions of wp-config.php can be changed in two simple ways: via the file manager of cPanel, or over FTP. Whichever you choose, once you have located the file on your server, right-click the file name to find the option for changing permissions; the remaining steps are straightforward.

[Screenshot: Restrict the File Permissions of wp-config.php]
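The same permission change can be made and verified from a shell on the server. The following is an added example and not part of the original guide; it assumes a POSIX shell with `ls` and `chmod`, and the path to wp-config.php is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the original guide): apply one of the guide's
# permission modes to wp-config.php and audit the result.
# Assumes POSIX sh, chmod and ls; the file path is passed in.

# Print the symbolic mode string of a file, e.g. -rw-r--r--
wpconfig_mode() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 (true) if "others" can read the file (644 is the only guide
# setting where this is the case; 400/440/640 keep it private).
wpconfig_world_readable() {
    case "$(wpconfig_mode "$1")" in
        ???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 (true) if the group or "others" can write to the file,
# which no guide setting allows and 777 always does.
wpconfig_writable_by_others() {
    case "$(wpconfig_mode "$1")" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply a mode from the guide's list, most restrictive first; anything
# outside that list (for example 777) is refused.
wpconfig_set_mode() {
    file=$1; mode=$2
    case "$mode" in
        400|440|640|644) chmod "$mode" "$file" ;;
        *) echo "refusing mode $mode for $file" >&2; return 1 ;;
    esac
}
```

Start with `wpconfig_set_mode /path/to/wp-config.php 400` and only step down the list if the site stops working.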

Method 2: Secure wp-config.php with .htaccess

.htaccess is a configuration file commonly used to control access to files and web pages. With it, you can do the following two things to improve the security of the wp-config.php file.

Disable the directory browsing

Many webmasters overlook this because, normally, visitors without permissions cannot list the folders and files in the root directory. A misconfiguration, however, can enable such listing and expose the layout of your site.

To rule this out from the start, disable directory browsing by adding the line shown in the screenshot below at the end of the .htaccess file.

[Screenshot: Disable Directory Browsing]

If you don't know how to edit the file, refer to this .htaccess tutorial. You may also find that the .htaccess file does not exist on your server. In that case, create an empty file, name it "htaccess.txt", upload it to your server, and then rename it to ".htaccess".

Disable the access to wp-config.php

Since .htaccess is used for access control, you can add extra rules to it that deny any bot or visitor access to wp-config.php. This is one of the most commonly used security methods, and it is easy to apply: just add the lines shown in the screenshot below to the .htaccess file of your WordPress site.

[Screenshot: Disable the Access to wp-config.php with .htaccess]
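Both .htaccess changes from this method can be applied with one script that adds the rules only once, so re-running it never duplicates them. This is an added example rather than the guide's own code; it assumes Apache with .htaccess processing enabled, a POSIX shell, and that the WordPress directory is passed as an argument. The deny rule is written for Apache 2.4 (`Require all denied`) with the Apache 2.2 syntax as a fallback.

```shell
#!/bin/sh
# Added example (not the guide's own code): append the two .htaccess rules
# described above (no directory listing, no web access to wp-config.php)
# without duplicating them on a second run. Assumes Apache with .htaccess
# enabled and POSIX sh; the WordPress directory is passed in.

# The rules, written to work on both Apache 2.2 and 2.4 (mod_authz_core
# only exists on 2.4, so the older Order/Deny syntax is the fallback).
WP_HTACCESS_RULES='# BEGIN wp-config hardening
Options -Indexes
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
# END wp-config hardening'

# Append the rules only if the marker line is not already present
# (idempotent), creating an empty .htaccess first if none exists.
harden_htaccess() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || : > "$ht"
    if grep -q '^# BEGIN wp-config hardening$' "$ht"; then
        return 0
    fi
    printf '\n%s\n' "$WP_HTACCESS_RULES" >> "$ht"
}

# Count how many times the block was added; the answer should always be 1.
count_hardening_blocks() {
    grep -c '^# BEGIN wp-config hardening$' "$1/.htaccess"
}
```

If Apache's AllowOverride setting does not permit the Options or access-control directives in .htaccess, every request returns a 500 error, so test the change on a staging copy first.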

Method 3: Move wp-config.php to Another Directory

wp-config.php has a default location, but it does not have to stay there: you can move it to a less predictable or more secure location without disrupting WordPress.

If WordPress is installed in the root directory, try moving wp-config.php one directory up, outside the directory the web server serves, which makes it virtually inaccessible to attackers. This is easy: open the file location with FTP or cPanel and move the file up one level.

No additional configuration is needed, because WordPress automatically checks for wp-config.php in the directory above the installation. If your WordPress site becomes inaccessible after the move, the file has been moved to a location WordPress does not check; verify the location of wp-config.php and correct it.

[Screenshot: Move wp-config.php to One Directory Up]

Note: Only try moving wp-config.php when WordPress is installed in the root directory. If WordPress is already in a subdirectory, moving the file up one level leaves it in a publicly served directory, which brings little security benefit. Worse, if another WordPress installation lives in a neighbouring subdirectory, the move can also cause errors.

It is in fact possible to go beyond this one-level restriction and move wp-config.php to any location while keeping WordPress working normally. This is an advanced topic recommended only for experienced users who are comfortable with code, because you have to create a new configuration file in the original location and edit it so that it loads the sensitive settings from the real wp-config.php at its new location.
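The move described in this method, with the two safety checks from the note above built in, can be scripted as follows. This is an added example, not the guide's own code, and it assumes a POSIX shell, that the WordPress directory and the web server's document root are passed as arguments, and, for the advanced variant, that the destination path contains no single quotes. The parent-directory check mirrors the rule WordPress itself applies when it looks one level up: it only loads ../wp-config.php if ../wp-settings.php does not exist there.

```shell
#!/bin/sh
# Added example (not the guide's own code): relocate wp-config.php out of
# the web root, applying the checks the text warns about before moving.
# Assumes POSIX sh; paths are passed in as arguments.

# WordPress only loads ../wp-config.php when ../wp-settings.php is absent
# (otherwise it treats the parent as a separate WordPress install).
parent_is_safe_for_config() {
    wp=$1
    parent=$(dirname "$wp")
    [ "$parent" != "$wp" ] && [ ! -f "$parent/wp-settings.php" ]
}

# Move wp-config.php one level up. Refuse unless the install directory IS
# the document root (so the parent is outside what the web server serves)
# and the parent is not itself a WordPress install.
move_wpconfig_up() {
    wp=$1; docroot=$2
    [ -f "$wp/wp-config.php" ] || { echo "no wp-config.php in $wp" >&2; return 1; }
    [ "$wp" = "$docroot" ] || { echo "$wp is below the document root; the parent is still web-served" >&2; return 1; }
    parent_is_safe_for_config "$wp" || { echo "parent directory already holds a WordPress install" >&2; return 1; }
    mv "$wp/wp-config.php" "$(dirname "$wp")/wp-config.php"
}

# Advanced variant from the last paragraph: keep a stub wp-config.php in
# place that only includes the real file from an arbitrary location,
# then restrict the real file to its owner.
relocate_wpconfig() {
    wp=$1; dest=$2
    [ -f "$wp/wp-config.php" ] || { echo "no wp-config.php in $wp" >&2; return 1; }
    mv "$wp/wp-config.php" "$dest"
    printf "<?php\nrequire_once '%s';\n" "$dest" > "$wp/wp-config.php"
    chmod 400 "$dest"
}
```

The stub left behind by `relocate_wpconfig` contains no secrets, so exposing it reveals only the path of the real file.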