[This post is part of WordPress Security series. If you care about your WP site, do follow the series!]

wp-config.php is the WordPress configuration file. You might have noticed this file in the root of your WordPress site (where wp-includes folder resides). It comes with WordPress core and is used to establish database connection between MySQL and WordPRess. If you want your site secure, you must protect this file at all costs!

Here are a few ways to help you do just that.Two Ways to Secure wp-config.php File

Introduction to wp-config

wp-config.php is plainly part of WordPress Core. Though it comes named as wp-config-sample.php, but is later renamed when during installation. This is the file that establishes website’s connection to database. It is probably the most powerful file, concerning WordPress. It holds all kinds of configuration settings that concern the CMS in question. It is via wp-config.php:

  1. You can strengthen encryption by adding security keys
  2. You can change language of WordPress Dashboard
  3. You can modify default table prefix i.e. wp_
  4. You can enable Multi-Site feature
  5. You can enable display of errors (if any!) on your site, which is generally discouraged. Why? Because errors may enable hackers identify vulnerabilities.

Put it simply: It is a very critical file.

If compromised, your database connection details are exposed. For a hacker, an wp-config.php is easiest to exploit. So you should definitely take measures to protect this file. In that effort, here are a few tips to help you secure this file.

Practices to secure wp-config

Moving the file beyond root

WordPress though by default looks for wp-config.php file in root directory, but if it does not find it there, it goes one directory beyond. You can utilize this mechanism to your advantage by moving wp-config.php one directory beyond root directory. For example, suppose right now your wp-config.php file’s path is:


You can move it from there to here:


Albeit it looks like a tiny change, but incredibly secures the file. If you move only move wp-config.php file one directory beyond WordPress root, you’re done, no settings required, you’re done! But if you want to move the file to somewhere else other than beyond the root, you can utilize following snippet in your wp-config.php:


/** Absolute path to the WordPress directory. */
if ( !defined(‘ABSPATH’) )
define(‘ABSPATH’, dirname(__FILE__) . ‘/’);

/** Location of your WordPress configuration. */
require_once(ABSPATH . ‘../phpdocs/wp-config.php’);

Just make sure to modify the path accordingly.

For a healthy discussion about whether to move the file one directory beyond or not, check this!

Deny access to wp-config via .htaccess

.htaccess stands for hypertext access. It is a directory-level configuration file and is used commonly on Apache Web Server. .htaccess is one of the most powerful file when it comes to WordPress. Certain techniques can be utilized to improve WordPress within this file. Among many things, you can use .htaccess to secure wp-config.php file. How? Well, just add the following snippet and it will deny said file’s access to anyone surfing it:

<files wp-config.php>
order allow,deny
deny from all

It doesn’t exist in the root by default though and gets created when you enable Pretty Permalinks. So if you cannot find it in directory where wp-includes folder exists, first check by un-hiding files/folders and if you still are unable to locate it, just create it.

Note: Add aforementioned snippet outsides following tags: # END WordPress and # BEGIN WordPress. Why? Because anything put inside those tags get overwritten when WordPress updates/is updated.


That’s all. If you only implement aforementioned two ways, you’re almost halfway done. And as always security is maintained, not completed.

[This post is part of WordPress Security series. If you care about your WP site, do follow the series!]