Secure your WordPress wp-config.php File

The wp-config.php file is the most important file to protect on your site. It contains your username, password, and database name (among other things) for your WordPress install and by default, is accessible from any web browser.

Try it. Enter http://www.yourwebsite.com/wp-config.php and you should see a blank white page (if you see plain text, you’ve got a bigger problem).

Harmless, right? Sure, but imagine for a minute that the shared server you’re on somehow gets hacked and the PHP handler is changed so that .php files are served as plain text: you’re in trouble. It’s not very likely, but you can make one of the following changes to prevent it, which adds another layer of protection and gives you peace of mind.

There are two main ways to easily protect the wp-config.php file from prying eyes and hackers. Both methods require you to have SFTP or server-level access. Also turn off any caching plugins you may be using before attempting these steps.

Move your wp-config.php file up one level (image source: theclickstarter.com)

Option 1 – Move wp-config.php up one directory

This is the easiest way, assuming you’re comfortable moving files on your server. Essentially this works by moving wp-config.php outside of the publicly served directory (typically one level above /public_html).

The cool part is that WordPress automatically knows to look one directory up if it can’t find wp-config.php in the default location.

Option 2 – Modify your .htaccess or .conf file

This option is a little more advanced and requires that you’re running Apache or Nginx. You’ll need to edit your .htaccess file (Apache) or nginx.conf (Nginx) using a text editor. Be careful not to alter any other code in this file, or your site may break.

For Apache, paste the following code into .htaccess at the top:

# Deny public access to wp-config.php
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

For Nginx, paste the following code into your site’s server block in nginx.conf:

# Deny public access to wp-config.php (the dot is escaped so it matches literally)
location ~* wp-config\.php {
    deny all;
}

Save and upload it back to the server via SFTP (if needed). You’ll need to reload Nginx, but not Apache, since .htaccess changes take effect immediately.

To test whether it works, try visiting http://www.yourwebsite.com/wp-config.php in your web browser again. Instead of a blank white screen, you should see an “Access Forbidden 403” error message.
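The manual browser test above can be scripted. This is an added example (not AppThemes’ code) that classifies a captured response to /wp-config.php into the three states the tutorial describes (blank page, 403, or leaked source) and, for Option 1, mirrors the lookup rule WordPress uses in wp-load.php to confirm the config it will load sits above the web root. The directory layout and response bodies are constructed for the demo.

```python
import os
import re
import tempfile

# If PHP source is served as text, these define() calls leak credentials.
SOURCE_LEAK = re.compile(r"define\(\s*['\"]DB_(NAME|USER|PASSWORD|HOST)['\"]")


def classify_response(status, body):
    """Verdict for an HTTP response to /wp-config.php."""
    if SOURCE_LEAK.search(body):
        return "exposed"      # handler misconfigured: credentials visible
    if status == 403:
        return "blocked"      # Option 2 is in effect
    if status == 200 and body.strip() == "":
        return "executed"     # PHP ran it: the default, unprotected state
    return "unexpected:%d" % status


def resolve_config(abspath):
    """Mirror wp-load.php: install dir first, then its parent, but only
    if the parent is not itself a WordPress install (no wp-settings.php)."""
    local = os.path.join(abspath, "wp-config.php")
    if os.path.exists(local):
        return local
    parent = os.path.dirname(abspath.rstrip(os.sep))
    up = os.path.join(parent, "wp-config.php")
    if os.path.exists(up) and not os.path.exists(os.path.join(parent, "wp-settings.php")):
        return up
    return None


def config_outside_docroot(abspath):
    """True when the config WordPress will load is above the web root (Option 1)."""
    found = resolve_config(abspath)
    return found is not None and not found.startswith(abspath.rstrip(os.sep) + os.sep)


def demo():
    """Constructed scenario: wp-config.php moved one level above public_html."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "public_html")
    os.makedirs(docroot)
    open(os.path.join(docroot, "wp-settings.php"), "w").close()  # the install
    open(os.path.join(root, "wp-config.php"), "w").close()       # moved up
    return {
        "outside": config_outside_docroot(docroot),
        "leak": classify_response(200, "<?php\ndefine('DB_PASSWORD', 'x');"),
        "ok": classify_response(403, "<html>403 Forbidden</html>"),
        "default": classify_response(200, ""),
    }
```

For a live check, fetch your own site’s /wp-config.php with urllib and pass the status and body to classify_response; a result of "exposed" means the handler problem described above is real and needs immediate attention.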

What does AppThemes use?

We run multiple WordPress sites (multisite and single instances), so our needs are a bit more advanced. We also keep our sites in a git repository with automatic deployments, which makes option #1 a little more difficult to accomplish.

Instead, we opted for option #2, albeit with a slightly more advanced implementation. We’ve got a dedicated server with complete root access, so instead of manually adding the deny block to each .htaccess file, we set up a global directive in httpd.conf. Just paste in the option #2 code, save, and restart Apache for it to take effect.

For even more advanced security WordPress tips, check out the “Hardening WordPress” page on the WordPress site.


Written by: on May 11, 2012. Last modified: May 11, 2012
