Secure your WordPress wp-config.php File

The wp-config.php file is the most important file to protect on your site. It contains your username, password, and database name (among other things) for your WordPress install and, by default, is accessible from any web browser.

Try it. Enter and you should see a blank white page (if you see plain text, you’ve got a bigger problem).

Harmless, right? Sure, but imagine for a minute that the shared server you’re on somehow gets hacked and the PHP handler gets changed to txt. You’re in trouble. It’s not very likely, but you can make one of the following changes to prevent it, which adds another layer of protection and gives you peace of mind.

There are two main ways to easily protect the wp-config.php file from prying eyes and hackers. Both methods require you to have SFTP or server-level access. Also, turn off any caching plugins you may be using before attempting these steps.

Option 1 – Move wp-config.php up one directory

This is the easiest way assuming you’re comfortable moving files on your server. Essentially this works by taking wp-config.php and moving it outside of the public realm (typically one level above /public_html).

The cool part is WordPress automatically knows to look up one directory if it can’t find wp-config.php in the default location.

Option 2 – Modify your .htaccess or .conf file

This option is a little more advanced and requires that you’re running Apache or Nginx. You’ll need to edit your .htaccess file (Apache) or nginx.conf (Nginx) using a text editor. Be careful not to alter any other code in this file, otherwise your site may break.

For Apache, paste the following code into .htaccess at the top:

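# Deny public access to wp-config.php
<Files wp-config.php>
    # Apache 2.4: use "Require all denied" in place of the two lines
    # below (Order/Deny need mod_access_compat there)
    Order allow,deny
    Deny from all
</Files>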

For Nginx, paste the following code into nginx.conf:

# Deny public access to wp-config.php
# (goes inside the server { } block for the site)
location ~* wp-config\.php {
    deny all;
}

Save the file and upload it back to the server over SFTP (if needed). You’ll need to restart Nginx but not Apache.

To test if it works, try visiting in your web browser again. Instead of a blank white screen, you should see an “Access Forbidden 403” error message.
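
A filesystem check that covers both options, added here as an example and not part of the original tutorial. The function names and the four result words are made up for this example; it reads only .htaccess, so a deny rule placed in httpd.conf or nginx.conf still has to be confirmed with the browser test.

```shell
#!/bin/sh
# Added example (not from the original article): report how wp-config.php
# is protected for one WordPress document root, from the filesystem only.

# Succeeds if the given .htaccess has a <Files wp-config.php> block holding
# a deny rule: "Deny from all" (2.2 style) or "Require all denied" (2.4 style).
htaccess_denies_config() {
    [ -f "$1" ] || return 1
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*#/ { next }                       # skip comments
        line ~ /<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inblock = 1; next }
        line ~ /<\/files>/ { inblock = 0; next }
        inblock && line ~ /deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Prints one of: denied, exposed, moved, missing.
wp_config_exposure() {
    docroot=${1%/}
    parent=$(dirname "$docroot")
    if [ -f "$docroot/wp-config.php" ]; then
        # Config is inside the web root: Option 2 must be in place.
        if htaccess_denies_config "$docroot/.htaccess"; then
            echo denied
        else
            # No .htaccess rule found; a rule in httpd.conf or nginx.conf
            # cannot be seen from here and needs the browser test instead.
            echo exposed
        fi
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        # Option 1. WordPress only uses the parent copy when the parent is
        # not itself a WordPress directory (no wp-settings.php there).
        echo moved
    else
        echo missing
    fi
}

# Usage: sh check.sh /path/to/public_html   (path is an example)
if [ "$#" -gt 0 ]; then
    wp_config_exposure "$1"
fi
```

A result of "missing" next to a parent directory that does hold a wp-config.php means the parent is itself a WordPress directory, and WordPress will not load that copy for the site below it.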

What does AppThemes use?

We run multiple WordPress sites (multisite and single instances), so our needs are a bit more advanced. We also keep our sites in a git code repository that runs auto-deployments, which makes it a little more difficult to accomplish option #1.

Instead, we opted for option #2, albeit a tad more advanced implementation. We’ve got a dedicated server with complete root access, so instead of having to manually add the deny block to each .htaccess file, we set up a global directive in httpd.conf. Just paste in the option #2 code, save, and restart Apache in order for it to take effect.

For even more advanced security WordPress tips, check out the “Hardening WordPress” page on the WordPress site.
