Secure your WordPress wp-config.php File

The wp-config.php file is the most important file to protect on your site. It contains your database username, password, and database name (among other things) for your WordPress install, and by default it is accessible from any web browser.

Try it: request wp-config.php directly in your web browser and you should see a blank white page (if you see plain text, you've got a bigger problem).

Harmless, right? Sure, but imagine for a minute that the shared server you're on somehow gets hacked and the PHP handler gets changed so .php files are served as plain text: you're in trouble. It's not very likely, but you can make one of the following changes to prevent it, which adds another layer of protection and gives you peace of mind.

There are two main ways to easily protect the wp-config.php file from prying eyes and hackers. Both methods require you to have SFTP or server-level access. Also turn off any caching plugins you may be using before attempting these steps.

[Image: Move your wp-config.php file up one level]

Option 1 – Move wp-config.php up one directory

This is the easiest way assuming you’re comfortable moving files on your server. Essentially this works by taking wp-config.php and moving it outside of the public realm (typically one level above /public_html).

The cool part is that WordPress automatically looks one directory up if it can't find wp-config.php in the default location.
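Here is an added example (not from the original post) of doing the Option 1 move from a shell, with the two checks worth making first: WordPress only falls back to the parent directory when that directory does not itself hold a wp-settings.php (i.e. is not another WordPress install), and an existing wp-config.php in the parent should never be overwritten. The document root path is an assumption passed as the first argument; the chmod assumes PHP runs as the file's owner, as on most shared hosts.

```shell
#!/bin/sh
# Added example: move wp-config.php one level above the document root (Option 1).
# Usage: move_wp_config /path/to/public_html
move_wp_config() {
    docroot=$1
    parent=$(dirname "$docroot")
    src="$docroot/wp-config.php"
    dst="$parent/wp-config.php"

    # Nothing to move if the file isn't where WordPress keeps it by default.
    [ -f "$src" ] || { echo "no wp-config.php in $docroot" >&2; return 1; }

    # WordPress only reads the parent's wp-config.php when no wp-settings.php
    # sits beside it; otherwise it assumes the parent is a different install.
    [ -f "$parent/wp-settings.php" ] && {
        echo "$parent looks like another WordPress install; WordPress would ignore $dst" >&2
        return 1
    }

    # Refuse to clobber a config that is already in the parent directory.
    [ -e "$dst" ] && { echo "$dst already exists, not overwriting" >&2; return 1; }

    mv "$src" "$dst" || return 1
    # Limit the moved file to its owner (assumes PHP runs as that user).
    chmod 600 "$dst"
    echo "moved to $dst"
}
```

Run it once per site; a second run reports that there is nothing left to move, and the parent directory check protects you from the case where your site lives inside another site's document root.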

Option 2 – Modify your .htaccess or .conf file

This option is a little more advanced and requires that you're running Apache or Nginx. You'll need to edit your .htaccess file (Apache) or nginx.conf (Nginx) using a text editor. Be careful not to alter any other code in this file, otherwise your site may break.

For Apache, paste the following code into .htaccess at the top:

# Deny public access to wp-config.php
<Files wp-config.php>
    Order allow,deny
    Deny from all
    # On Apache 2.4, use "Require all denied" in place of the two lines above
</Files>

For Nginx, paste in the following code into nginx.conf:

# Deny public access to wp-config.php (place this inside the server { } block)
location ~* wp-config.php {
    deny all;
}

Save and SFTP it back to the server (if needed). You'll need to restart Nginx but not Apache.

To test if it works, try visiting wp-config.php in your web browser again. Instead of a blank white screen, you should see an "Access Forbidden 403" error message.
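When the same deny block has to go into many .htaccess files (or be re-applied by a deploy script), it helps to add it idempotently. This added example, which is not from the original post, appends the Option 2 Apache block to an .htaccess file only if no rule for wp-config.php is present yet; the file path is an assumption passed as the first argument. It appends rather than inserting at the top, which is fine for a <Files> block since it is evaluated regardless of position; on Apache 2.4 swap the two access lines for Require all denied.

```shell
#!/bin/sh
# Added example: add the wp-config.php deny block to an .htaccess file once.
# Usage: add_wpconfig_deny /path/to/public_html/.htaccess
add_wpconfig_deny() {
    htaccess=$1
    # Skip if a rule for this file is already present, so repeated runs are safe.
    if [ -f "$htaccess" ] && grep -q '<Files wp-config.php>' "$htaccess"; then
        echo "rule already present in $htaccess"
        return 0
    fi
    # Append (creating the file if needed); existing directives are left untouched.
    cat >> "$htaccess" <<'EOF'

# Deny public access to wp-config.php
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
EOF
    echo "rule added to $htaccess"
}

# Count the deny blocks in a file; handy for confirming a run did not duplicate them.
count_wpconfig_rules() {
    grep -c '<Files wp-config.php>' "$1"
}
```

After running it, request wp-config.php in the browser as described above and confirm the 403 response; a cached 200 from a caching plugin is the usual reason the check appears to fail.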

What does AppThemes use?

We run multiple WordPress sites (multisite and single instances), so our needs are a bit more advanced. We also keep our sites in a git code repository with auto-deployments, which makes option #1 a little harder to accomplish.

Instead, we opted for option #2, albeit with a slightly more advanced implementation. We've got a dedicated server with complete root access, so instead of manually adding the deny block to each .htaccess file we set up a global directive in httpd.conf. Just paste in the option #2 code, save, and restart Apache for it to take effect.

For even more advanced security WordPress tips, check out the “Hardening WordPress” page on the WordPress site.


Written by: on May 11, 2012. Last modified: May 11, 2012
