Table of Contents:
- Why is securing this file so important?
- How to Secure the wp-config.php File in WordPress
- 1. Create a Copy of the File Outside the Web Directory
- 2. Modify the Original wp-config.php File
- Don’t Know How to Find the Path to the New File?
- Want to Further Improve the Security of wp-config.php?
- Conclusion
The wp-config.php file is a crucial part of your website, where WordPress stores highly sensitive information. This includes MySQL database connection details, which are stored in plain text without encryption. Therefore, securing this file is essential to prevent unauthorized access. In this guide, we’ll show you a simple method to enhance security by moving the file outside the web directory structure.
Why is securing this file so important?
The wp-config.php file is one of the most critical files in WordPress, as it contains key configuration data such as database login credentials, security keys, and other sensitive settings. If an attacker gains access to this file, they can take full control of your website.
By default, wp-config.php is located in the root directory of your website, making it potentially accessible via a web browser (although most servers prevent direct access). However, vulnerabilities in plugins, themes, or server misconfigurations can expose this file.
By moving wp-config.php one level higher, outside the root directory (to a folder that is not publicly accessible via a browser), you reduce the risk of unauthorized access. Even if there is a misconfiguration on your server, the file will be outside the public HTTP(S) directory, significantly lowering security risks.
This method is also recommended by the official WordPress documentation as one of the key steps in hardening your website’s security. You can find more details in the WordPress Hardening Guide.
While this step alone won’t protect against all attacks, it’s an important security measure. When combined with regular updates, strong passwords, and server-level access restrictions, it forms a solid foundation for protecting your WordPress site.
How to Secure the wp-config.php File in WordPress
1. Create a Copy of the File Outside the Web Directory
The first step is to create a copy of the file and move it outside the web directory:
- Log in to your website’s FTP using any FTP client.
- Open the folder containing your website (usually www or public_html).
- Locate the wp-config.php file and copy it to your computer.
- Navigate one level above the web folder.
- Upload the copied wp-config.php file from your computer to this location outside the web directory.
2. Modify the Original wp-config.php File
At this point, you have two WordPress configuration files: one in the web folder (the original) and one outside the web directory, which is not accessible via a browser. Now, go back to the web folder and modify the original wp-config.php file:
- Navigate to the folder containing your website.
- Edit the original wp-config.php file.
- Delete its existing content and replace it with the following code.
- Make sure to adjust the path to the new file located outside the web directory.
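A loader stub for the wp-config.php that stays in the web folder, given here as an added example rather than the author's original code. It assumes the real file was uploaded exactly one level above the web folder under the same name; adjust `$real_config` if your layout differs.

```php
<?php
/**
 * Stub wp-config.php left in the web folder (added example).
 * Assumption: the real configuration sits one level above this folder
 * and is still named wp-config.php.
 */

// The real config normally ends by loading ABSPATH . 'wp-settings.php'.
// Pin ABSPATH to the web folder so that still resolves after the move.
if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}

// Real configuration file, outside the directory the web server publishes.
$real_config = dirname(__DIR__) . '/wp-config.php';

// Fail closed: log the detail server-side, show the visitor no path.
if (!is_readable($real_config)) {
    error_log('wp-config stub: cannot read ' . $real_config);
    http_response_code(503);
    exit('Site configuration is unavailable.');
}

require_once $real_config;
```

The stub holds no credentials, so exposing its source through a server misconfiguration reveals only the location of the real file.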
Don’t Know How to Find the Path to the New File?
If you’re unsure what path to use in the script above, you can use another script to display the paths your web server uses. Follow these steps:
- Create a file named path.php using a text editor.
- Insert the following code into the file and save it.
- Upload the path.php file to your website’s folder.
- Access the file through your browser (https://yourdomain.extension/path.php).
- The file will display the absolute path of the folder it is located in.
- Using this displayed path, you’ll understand the directory structure of your website on the server.
- If this method doesn’t help, contact your web hosting provider—they should be able to assist you.
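A path.php for the steps above, as an added example that is not the author's original script. Besides printing the folder it runs from, it checks whether a readable wp-config.php exists one level up (the file name is an assumption).

```php
<?php
/**
 * path.php - temporary helper (added example).
 * Prints the folder this script runs from and checks whether the copied
 * wp-config.php is readable one level above it.
 * Assumption: the copy kept the name wp-config.php.
 */
header('Content-Type: text/plain; charset=utf-8');

$web_dir    = __DIR__;            // folder this file was uploaded to
$parent_dir = dirname($web_dir);  // one level above the web folder
$candidate  = $parent_dir . '/wp-config.php';

echo "Web folder:   {$web_dir}\n";
echo "One level up: {$parent_dir}\n";

if (is_readable($candidate)) {
    echo "Found config: {$candidate}\n";
} else {
    // open_basedir or file permissions can hide the parent folder from PHP.
    echo "No readable wp-config.php in {$parent_dir}\n";
}
```

Delete path.php from the server as soon as you have noted the path, because it shows the server's directory layout to anyone who requests it.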
Want to Further Improve the Security of wp-config.php?
If you want to add an extra layer of protection to your configuration file, you can use the .htaccess file:
- Navigate to the folder where you uploaded the copy of wp-config.php (outside the web directory).
- Create a new file named .htaccess in this folder.
- Insert the following code into the file.
<Files "wp-config.php">
Order allow,deny
Deny from all
</Files>
Conclusion
As you can see, the process is not overly complicated. However, it is highly effective and adds an extra layer of security to your WordPress site. It only takes a few minutes to implement, but the impact on security is significant. The internet is not a safe place, which is why it’s crucial to take proactive steps to protect your website.
If you’re interested in learning more about WordPress security, check out the complete WordPress Security Guide 2024 here: How to Secure WordPress – Complete Guide 2024.