Securing wp-config.php

Protection Requirements:

- Ability to edit system files
- A text editor

The wp-config.php file contains your database access credentials as well as the authentication keys and salts, which can be used in any number of potential hijacking attacks if an attacker obtains them.

Secure the wp-config.php file

Move the wp-config.php file up one directory, above your WordPress installation. WordPress automatically looks one directory above its own root for wp-config.php, so no further configuration is needed.

If you have installed WordPress in the root of your domain, this moves wp-config.php outside of your web-root folder, where the web server cannot serve it.

NOTE: There is some debate about the benefits of this security measure. We have considered the arguments on both sides and decided that it is a beneficial security measure.  For a discussion on the benefits of this security measure see MORE INFORMATION below.

Additional Security Measure:

Make sure that only you (and the web server) can read this file; in practice that means file permissions of 400 (owner read only) or 440 (owner and group read only).


Additional Security Measure:

If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
# on Apache 2.4 and later, the two lines above can be replaced by: Require all denied
</files>


Alternatively, you can move wp-config.php to any location on your server, not just one directory up.

Create a new wp-config.php in the WordPress directory with the following code:

<?php
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

/** Location of your WordPress configuration. */
require_once ABSPATH . '../newpathto/wp-config.php';

(Be sure to change "newpathto" to the actual path of your relocated wp-config.php file.)

If PHP reports an open_basedir restriction when including the relocated file, add the new directory to the open_basedir directive in your PHP configuration (php.ini or the vhost's PHP settings):

; Linux/Unix separates entries with ":" (Windows uses ";"); replace the placeholder with the directory that now holds wp-config.php
open_basedir = "/var/www/vhosts/:/PATH/TO/newpathto/:/tmp/"
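The relocation steps above, as an added shell example (not code from the original page): it moves wp-config.php to a directory outside the web root, writes the stub into the WordPress directory, and then runs the checks a practitioner would want afterwards. The paths are arguments; the sample paths in the comments are assumptions, and the permission check assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the original page): relocate wp-config.php to a
# directory outside the web root, leave the stub described above in the
# WordPress directory, and verify the result. Paths are arguments; the
# sample paths in the comments are assumptions.

relocate_wp_config() {
    wproot="$1"    # WordPress root, e.g. /var/www/vhosts/example/httpdocs
    destdir="$2"   # directory outside the web root, e.g. /var/www/vhosts/example/private
    real="$destdir/wp-config.php"

    [ -f "$wproot/wp-config.php" ] || { echo "no wp-config.php in $wproot" >&2; return 1; }
    [ ! -e "$real" ] || { echo "refusing to overwrite $real" >&2; return 1; }

    mkdir -p "$destdir"
    mv "$wproot/wp-config.php" "$real"
    chmod 440 "$real"      # owner + group (web server) may read; 400 if PHP runs as the owner

    # Stub left behind: the same code the page shows, using the absolute path of the real file.
    cat > "$wproot/wp-config.php" <<EOF
<?php
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}
/** Location of your WordPress configuration. */
require_once '$real';
EOF
    chmod 440 "$wproot/wp-config.php"
}

# Checks to run afterwards: the real config is outside the web root, not
# world-readable and still carries the DB settings, and the stub includes it.
verify_wp_config() {
    wproot="$1"
    real="$2"
    case "$real" in
        "$wproot"/*) echo "config is still under the web root: $real" >&2; return 1 ;;
    esac
    mode="$(stat -c '%a' "$real")"   # GNU stat; on BSD/macOS use: stat -f '%Lp'
    case "$mode" in
        400|440) ;;
        *) echo "unexpected mode $mode on $real (want 400 or 440)" >&2; return 1 ;;
    esac
    grep -q "DB_NAME" "$real" || { echo "$real does not look like a real wp-config.php" >&2; return 1; }
    grep -q "require_once '$real'" "$wproot/wp-config.php" || { echo "stub does not include $real" >&2; return 1; }
    return 0
}
```

Run it as `relocate_wp_config /path/to/wordpress /path/outside/webroot` followed by `verify_wp_config` with the same root and the new file path; a non-zero exit from the verifier names the check that failed.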

If you need help implementing this and other security measures then Virtual Webmaster Services can help. Visit Virtual Webmaster Services