Securing wp-config.php

Protection Requirement:

OPTIONAL

Skills/Resources:

> Edit system files
> Text editor

THE THREAT
The wp-config.php file contains your database access credentials as well as the authentication keys and salts, all of which can be used in any number of potential hijacking attacks.

THE OBJECTIVE
Secure the wp-config.php file

PROPOSED SOLUTION
Move the wp-config.php file one directory above your WordPress installation. WordPress will automatically look one directory above the installation for your wp-config.php file.

If you have installed WordPress in the root of your domain, then this moves wp-config.php outside of your web-root folder.

NOTE: There is some debate about the benefits of this security measure. We have considered the arguments on both sides and decided that it is a beneficial security measure. For a discussion on the benefits of this security measure see MORE INFORMATION below.

Additional Security Measure:

Make sure that only you (and the web server) can read this file (this generally means a 400 or 440 permission).

See http://protectyourbusinessonline.com/security/change-wordpress-file-permissions/
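
The location and permission advice above can be checked from a shell. This is an added example, not part of the original article; the function names are hypothetical. It goes slightly beyond the text by mirroring the rule in WordPress's wp-load.php that the parent directory is skipped when it contains its own wp-settings.php (that is, when it is another WordPress install).

```shell
#!/bin/sh
# Added example: report which wp-config.php WordPress would load for an
# install directory and whether its mode matches the 400/440 advice.

# Print the wp-config.php path WordPress would load for install dir $1.
# Order: the install dir itself, then one level up, but only if that parent
# is not itself a WordPress install (no wp-settings.php there).
find_wp_config() {
    wp_dir=${1%/}
    parent=$(dirname "$wp_dir")
    if [ -f "$wp_dir/wp-config.php" ]; then
        printf '%s\n' "$wp_dir/wp-config.php"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        printf '%s\n' "$parent/wp-config.php"
    else
        return 1
    fi
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Audit install dir $1. Prints one finding per line.
# Returns 0 if the config is found with mode 400 or 440,
# 1 if the mode is weaker, 2 if no config file is found.
audit_wp_config() {
    cfg=$(find_wp_config "$1") || { echo "MISSING: no wp-config.php for $1"; return 2; }
    mode=$(file_mode "$cfg")
    echo "FOUND: $cfg (mode $mode)"
    case "$mode" in
        400|440) return 0 ;;
        *) echo "WEAK: mode $mode, expected 400 or 440"; return 1 ;;
    esac
}

# Stand-alone use: sh audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    audit_wp_config "$1"
fi
```

If the install directory holds the small include stub described under MORE ADVANCED, the audit reports the stub; run `file_mode` on the relocated file as well.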

Additional Security Measure:

If your server uses .htaccess, you can put this at the very top of that file to deny access to anyone surfing for it:

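# protect wp-config.php
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat,
#  replace the two inner lines with "Require all denied")
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>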

MORE ADVANCED

You can move wp-config.php to any location on your server.

Create a new wp-config.php in the WordPress directory with the following code:

<?php
// Define ABSPATH as this (WordPress) directory unless it is already set.
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Location of your WordPress configuration. */
require_once(ABSPATH . '../newpathto/wp-config.php');

(Be sure to change “newpathto” to the actual path of your relocated wp-config.php file.)

If you run into a problem with open_basedir, just add the new path to the open_basedir directive in your PHP configuration (entries are separated by a colon on Linux/Unix and by a semicolon on Windows):

open_basedir = "/var/www/vhosts/example.com/newpathto/:/var/www/vhosts/example.com/newpathto/:/tmp/"
