Secure your WordPress wp-config.php File

The wp-config.php file is the most important file to protect on your site. It contains the database credentials (user, password, host and database name), the authentication keys and salts, and other settings for your WordPress install, and by default it sits in the web root where any browser can request it.

Try it. Enter the address of your own wp-config.php file in a browser and you should see a blank white page: PHP executed the file and it produced no output. If you see the PHP source as plain text instead, you have a bigger problem, because the server is handing your database credentials to anyone who asks.

Harmless, right? Mostly. But imagine for a minute that the shared server you're on is compromised or misconfigured and the PHP handler stops executing .php files, serving them as plain text instead. Now you're in trouble. It's not very likely, but either of the following changes prevents it, adds another layer of protection, and gives you peace of mind.

There are two main ways to easily protect the wp-config.php file from prying eyes and hackers. Both methods require SFTP or server-level access. Also, turn off any caching plugins you may be using before attempting these steps.

Figure: moving your wp-config.php file up one level, out of the public directory.

Option 1 – Move wp-config.php up one directory

This is the easiest way, assuming you're comfortable moving files on your server. Essentially, this works by taking wp-config.php and moving it outside of the public web root (typically one level above /public_html), where the web server cannot serve it at all, whatever happens to the PHP handler.

The cool part is that WordPress automatically knows to look one directory up if it can't find wp-config.php in the default location. Two caveats: it looks exactly one level up, no further, and it only does so when that parent directory does not itself contain wp-settings.php (otherwise it assumes the parent is a separate WordPress install and ignores the file). Also make sure the parent directory really is outside the document root; if WordPress lives in a subdirectory such as /public_html/blog, one level up is still public and you've gained nothing.
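As an added example (not part of the original post), here is the move from Option 1 written as a small POSIX shell function that enforces the preconditions WordPress's own lookup depends on before touching anything. It takes the document root as its argument; the directory names in the usage line are assumptions, as is the default file mode of 640 (readable by the owner and the web server's group; use 600 where PHP runs as the file owner).

```shell
#!/bin/sh
# Added example, not from the original post: move wp-config.php one level above
# the document root (Option 1) with the checks WordPress itself relies on.
set -eu

# move_wp_config DOCROOT [MODE]
# Moves DOCROOT/wp-config.php to the parent of DOCROOT and tightens its mode.
# Returns 0 on success, non-zero with a message on stderr if a precondition fails.
move_wp_config() {
    docroot=$1
    mode=${2:-640}          # assumption: web server reads via group; use 600 if PHP runs as the owner
    parent=$(dirname "$docroot")

    if [ ! -f "$docroot/wp-config.php" ]; then
        echo "no wp-config.php in $docroot" >&2
        return 1
    fi
    # wp-load.php only falls back to ../wp-config.php when the parent directory does
    # NOT contain wp-settings.php, i.e. when the parent is not another WordPress install.
    if [ -f "$parent/wp-settings.php" ]; then
        echo "$parent contains wp-settings.php; WordPress would not read wp-config.php from there" >&2
        return 2
    fi
    if [ -e "$parent/wp-config.php" ]; then
        echo "$parent/wp-config.php already exists; refusing to overwrite it" >&2
        return 3
    fi

    mv "$docroot/wp-config.php" "$parent/wp-config.php"
    chmod "$mode" "$parent/wp-config.php"
    echo "moved to $parent/wp-config.php (mode $mode)"
}

# Usage (paths are placeholders): sh move-wp-config.sh /home/user/public_html
if [ -n "${1:-}" ]; then
    move_wp_config "$@"
fi
```

Run it once per site, then load the site in a browser; if WordPress cannot find the file you will get its "configuration file" error page and can simply move the file back.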

Option 2 – Modify your .htaccess or .conf file

This option is a little more advanced and requires that you're running Apache or Nginx. You'll need to edit your .htaccess file (Apache) or the server block in nginx.conf (Nginx) with a text editor. Be careful not to alter any other code in this file, otherwise your site may break.

For Apache, paste the following code into .htaccess at the top:

# Deny public access to wp-config.php
<Files wp-config.php>
    # Apache 2.2 syntax; on Apache 2.4 replace the next two lines with: Require all denied
    Order allow,deny
    Deny from all
</Files>

For Nginx, paste in the following code into nginx.conf:

# Deny public access to wp-config.php (place this inside the server { } block,
# above the location that passes .php files to PHP; nginx uses the first matching regex location)
location ~* wp-config\.php {
    deny all;
}

Save and SFTP it back to the server (if needed). Nginx only reads its configuration at startup, so reload it (nginx -s reload) for the change to take effect; Apache re-reads .htaccess on every request, so no restart is needed.

To test whether it works, visit the wp-config.php address in your browser again. Instead of a blank white screen, you should see a "403 Forbidden" error.
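An added check (not from the original post) that turns the two browser tests in this article, the blank page at the start and the 403 after the change, into a script: it fetches the wp-config.php URL with curl and reports whether the file is protected, merely executed by PHP, or served as source. The URL in the usage line is a placeholder and curl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: classify what a web server returns
# for wp-config.php so the result of Option 1 or 2 can be verified from a shell.

# classify_response STATUS BODY
# Prints one word: protected | executed | EXPOSED | unexpected
classify_response() {
    status=$1
    body=$2
    case "$status" in
        403|404)
            # The server refuses to serve the file (Option 2) or it is no longer
            # in the document root (Option 1).
            echo protected ;;
        200)
            case "$body" in
                *DB_PASSWORD*|*"<?php"*)
                    # Raw PHP source came back: the handler is not executing PHP and
                    # the database credentials are public. This is the "bigger problem".
                    echo EXPOSED ;;
                "")
                    # PHP ran the file and produced nothing: harmless today, but not hardened.
                    echo executed ;;
                *)
                    echo unexpected ;;
            esac ;;
        *)
            echo unexpected ;;
    esac
}

# check_wp_config URL
# Exit status 0 = protected, 1 = needs attention. Follows redirects (http -> https).
check_wp_config() {
    url=$1
    tmp=$(mktemp)
    status=$(curl -sL -o "$tmp" -w '%{http_code}' "$url")
    body=$(cat "$tmp")
    rm -f "$tmp"
    verdict=$(classify_response "$status" "$body")
    echo "$url -> HTTP $status: $verdict"
    [ "$verdict" = protected ]
}

# Usage (placeholder URL): sh check-wp-config.sh https://example.com/wp-config.php
if [ -n "${1:-}" ]; then
    check_wp_config "$1"
fi
```

The non-zero exit status for anything other than "protected" makes the check usable as a post-deployment step, which matters for setups like the git auto-deployments described below, where a redeploy could silently put a copy of wp-config.php back into the web root.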

What does AppThemes use?

We run multiple WordPress sites (multisite and single instances), so our needs are a bit more advanced. We also keep our sites in a git repository with auto-deployments, which makes option #1 a little harder to accomplish.

Instead, we opted for option #2, albeit with a slightly more advanced implementation. We have a dedicated server with full root access, so instead of adding the deny block to each site's .htaccess file by hand, we set up a global directive in httpd.conf, which applies to every virtual host on the server. Just paste in the option #2 Apache code, save, and restart (or reload) Apache for it to take effect; unlike .htaccess, httpd.conf is only read at startup.

For even more advanced security WordPress tips, check out the “Hardening WordPress” page on the WordPress site.



Written by: on May 11, 2012. Last modified: May 11, 2012
