How to Secure wp-config.php and .htaccess Files in WordPress (2026 Guide)

Dilawar
December 16, 2025

The wp-config.php and .htaccess files are two of the most critical files in your WordPress installation. They contain sensitive information like database credentials and server configurations. Properly securing these files is essential for WordPress security.

Why Secure These Files?

wp-config.php Contains:

  • Database name, username, and password
  • Authentication keys and salts
  • Table prefix
  • Debug settings
  • Other sensitive configuration

.htaccess Controls:

  • URL rewriting (permalinks)
  • Access restrictions
  • Redirect rules
  • Security headers
  • Caching rules

Method 1: Secure Using File Permissions (chmod)

Understanding File Permissions

File permissions control who can read, write, or execute files. They are written as three octal digits, one each for the owner, the group, and everyone else (others); each digit is the sum of the permissions granted.

Permission    Value   Meaning
Read (r)      4       View file contents
Write (w)     2       Modify file
Execute (x)   1       Run as a program (for a directory: enter it)

Common permission combinations:

  • 400 - Owner read only (most restrictive)
  • 440 - Owner and group read only
  • 600 - Owner read/write only
  • 644 - Owner read/write, group and others read only

Setting wp-config.php Permissions

Recommended: 400 or 440

Using FTP client (FileZilla, etc.):

  1. Connect to your server via FTP/SFTP
  2. Navigate to your WordPress root directory
  3. Right-click wp-config.php > File Permissions
  4. Set numeric value to 400 (or 440 if 400 causes issues)
  5. Click OK

Using SSH:

chmod 400 wp-config.php

Note: 400 works when PHP runs as the user that owns the file (suPHP, CGI/FastCGI, or a per-account PHP-FPM pool, which is the normal setup on cPanel-style hosts). If PHP runs as a shared account such as www-data or apache and that account is not the owner, the site fails with a database connection error or a blank page; in that case use 440 with the web server's group set as the file's group, or 640 as a fallback. Keep in mind what permissions do and do not protect against: they stop other accounts on the same server from reading the file, but they do not affect web requests at all, which is what the .htaccess rules in Method 2 are for.

Setting .htaccess Permissions

Recommended: 644

  1. Locate .htaccess in your WordPress root
  2. Right-click > File Permissions
  3. Set to 644
  4. Click OK

Using SSH:

chmod 644 .htaccess

Important: Never use 777 permissions. That lets every account on the server read, write, and execute the file, so any other compromised site on a shared host can overwrite your database credentials or rewrite rules.
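The chmod steps in this method, turned into an audit script. This is an added example, not code from the original article. It assumes the WordPress path is passed on the command line, and its thresholds are the values recommended above: 400 or 440 for wp-config.php (600 and 640 tolerated for hosts where PHP runs as a separate user), 644 for .htaccess and other files, 755 for directories, and nothing world-writable. Run it before and after changing permissions; with --fix it applies the recommended mode to every path it flags.

```python
#!/usr/bin/env python3
"""Audit, and optionally fix, WordPress file permissions.

Added example, not from the original article. Walks an install directory and
reports every path whose mode is looser than the values recommended above.
A mode alone cannot tell you which user PHP runs as, so a 400 wp-config.php
that PHP cannot read still passes here; confirm by loading the site afterwards.
"""
import os
import stat
import sys
from typing import List, Optional

# Modes accepted by the audit. wp-config.php also accepts 600/640 for hosts
# where PHP runs as a different user than the file owner (see the note above).
WP_CONFIG_OK = {0o400, 0o440, 0o600, 0o640}
HTACCESS_OK = {0o644, 0o640, 0o600}   # 644 recommended; tighter is fine
FILE_MAX = 0o644                      # other files: no write bit for group/others
DIR_MAX = 0o755                       # directories: no write bit for group/others

# Modes written by fix(). The wp-config.php value assumes PHP runs as the owner.
FIX_MODES = {"wp-config.php": 0o400, ".htaccess": 0o644}


def mode_of(path: str) -> int:
    """Permission bits of path as an int (0o644 etc.); symlinks are not followed."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def check_path(root: str, path: str) -> Optional[str]:
    """Return a finding for path, or None when its mode is acceptable."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return None                   # a link's own mode bits are meaningless
    mode = stat.S_IMODE(st.st_mode)
    name = os.path.basename(path)
    rel = os.path.relpath(path, root)

    # World-writable is never right; 777 is the case the article warns about.
    if mode & stat.S_IWOTH:
        return f"{rel}: mode {mode:o} is world-writable"
    if name == "wp-config.php":
        return None if mode in WP_CONFIG_OK else f"{rel}: mode {mode:o}, expected 400 or 440"
    if name == ".htaccess":
        return None if mode in HTACCESS_OK else f"{rel}: mode {mode:o}, expected 644"
    limit = DIR_MAX if stat.S_ISDIR(st.st_mode) else FILE_MAX
    # Any bit beyond the limit (group write in 664, execute on a PHP file) is a finding.
    if mode & ~limit:
        return f"{rel}: mode {mode:o} exceeds {limit:o}"
    return None


def walk_paths(root: str):
    """Yield every directory and regular file under root, including root itself."""
    for dirpath, _dirnames, filenames in os.walk(root):
        yield dirpath
        for filename in filenames:
            yield os.path.join(dirpath, filename)


def audit(root: str) -> List[str]:
    """Return every finding under root, sorted for stable output."""
    return sorted(f for f in (check_path(root, p) for p in walk_paths(root)) if f)


def fix(root: str) -> int:
    """Apply the recommended mode to each path audit() would flag; return the count changed."""
    changed = 0
    for path in walk_paths(root):
        if check_path(root, path) is None:
            continue                  # already acceptable (or a symlink): leave it alone
        is_dir = stat.S_ISDIR(os.lstat(path).st_mode)
        want = FIX_MODES.get(os.path.basename(path), DIR_MAX if is_dir else FILE_MAX)
        os.chmod(path, want)
        changed += 1
    return changed


if __name__ == "__main__":
    # Usage: python3 wp_perms.py /path/to/wordpress [--fix]
    args = [a for a in sys.argv[1:] if a != "--fix"]
    target = args[0] if args else "."
    if "--fix" in sys.argv:
        print(f"changed {fix(target)} path(s)")
    findings = audit(target)
    print("\n".join(findings) if findings else "no findings")
```

fix() only touches paths the audit flags, so a 440 wp-config.php that works on your host is left alone rather than tightened to 400 and broken; a flagged wp-config.php is set to 400, which is the right value only when PHP runs as the file owner.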

Method 2: Protect Files Using .htaccess Rules

Add these rules to your .htaccess file to block direct web access to sensitive files. Put them outside the # BEGIN WordPress / # END WordPress markers: WordPress rewrites everything between those markers whenever permalinks are saved. The Order/Deny directives found in older guides are Apache 2.2 syntax; Apache 2.4 uses Require all denied and only honours Order/Deny when mod_access_compat is loaded (usual on distribution packages, but not guaranteed). The rules also only take effect on Apache, or on LiteSpeed, which reads .htaccess; Nginx ignores the file entirely and needs the equivalent location blocks in its server configuration.

Protect wp-config.php

<Files wp-config.php>
    # Apache 2.4 syntax; on Apache 2.2 use "Order allow,deny" and "Deny from all"
    Require all denied
</Files>

Protect .htaccess Itself

<Files .htaccess>
    # Apache's default config already denies .ht* files; this keeps that true
    # if the server config was changed. Apache 2.4 syntax (2.2: Order/Deny).
    Require all denied
</Files>

Complete Security Rules

Add this comprehensive set of rules to your .htaccess:

# Protect wp-config.php. Both the Apache 2.4 and the 2.2 directives are given;
# the IfModule test selects whichever the running server understands.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Block other sensitive files: .htaccess, .htpasswd and any other .ht* file,
# backup copies of wp-config.php (wp-config.php.bak, wp-config.php~), php.ini,
# .user.ini and log files. Unlike a .php file, which PHP executes, these are
# served as plain text if a request reaches them.
<FilesMatch "^(error_log|debug\.log|wp-config\.php.*|php\.ini|\.user\.ini|\.[hH][tT].*)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Disable directory browsing. Needs AllowOverride Options (or All); if the
# host does not permit it, this line causes a 500 error and must be removed.
Options -Indexes

# Block direct requests to PHP files under wp-admin/includes and wp-includes.
# These rules come from the WordPress "Hardening WordPress" guidance. If
# WordPress is installed in a subdirectory, change RewriteBase to match. On
# Multisite, remove the "^wp-includes/[^/]+\.php$" rule (and change S=3 to
# S=2), because ms-files.php must stay reachable.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Skip the next three rules for any request outside wp-includes/
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Method 3: Move wp-config.php Above Root

wp-load.php looks for wp-config.php in the WordPress directory first; if it is not there, it checks the parent directory, provided that parent does not also contain a wp-settings.php (the guard stops a nested install from picking up another site's configuration). Moving the file up is useful only when the parent directory is outside the web root:

  1. With WordPress installed directly in the document root (for example /home/username/public_html/), move wp-config.php to /home/username/
  2. WordPress finds it there automatically; no include or constant needs editing
  3. The file now sits outside the publicly accessible directory, so it cannot be served even if the PHP handler is misconfigured and source files come out as plain text

Note: this gains nothing if WordPress lives in a subdirectory of the web root (/public_html/blog/), because the parent /public_html/ is still publicly reachable, and it fails on hosts where the PHP process cannot read the account's home directory. It also does not stop code already running as the PHP user (a compromised plugin, for instance) from reading the file; permissions and prompt updates remain the controls for that.

Additional Security Tips

1. Add Security Keys

Ensure your wp-config.php carries unique values for the eight constants AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT rather than the sample placeholders. WordPress signs its login cookies and nonces with these values, so anyone who learns them can forge a logged-in session. Replacing them invalidates every existing cookie and logs all users out, which is also the quickest way to end a hijacked session. Generate a fresh set at:

https://api.wordpress.org/secret-key/1.1/salt/

2. Disable File Editing

Add this to wp-config.php, above the /* That's all, stop editing! */ comment, to remove the theme and plugin file editors from the dashboard. Without it, anyone who obtains an administrator session can write arbitrary PHP to the server through the browser:

define('DISALLOW_FILE_EDIT', true);

If plugins and themes are deployed some other way, DISALLOW_FILE_MODS goes further and also blocks installing and updating them from the dashboard (it implies DISALLOW_FILE_EDIT).

3. Limit Login Attempts

Install a security plugin like Wordfence. .htaccess cannot count failed logins, but it can restrict wp-login.php to known IP addresses or put HTTP Basic Authentication in front of it, which stops password guessing before the request reaches PHP.

4. Hide WordPress Version

Add to your theme's functions.php (better: to a child theme or a must-use plugin in wp-content/mu-plugins, so a theme update does not remove it):

remove_action('wp_head', 'wp_generator');

This only removes the generator meta tag from page heads. The version is still visible in the ?ver= query strings on enqueued scripts and styles, in readme.html, and in the generator element of the RSS feeds, so treat this as tidying rather than a control; keeping WordPress updated is what removes the exposure.

Testing Your Security

After making changes, verify they work:

  1. Request yourdomain.com/wp-config.php directly. Without the rules this returns an empty page with status 200 (PHP executes the file, which prints nothing); with the rules it should return 403 Forbidden. Request any backup copies you have made (wp-config.php.bak, wp-config.php~) as well: PHP does not execute those, so they would be served as plain text, and they must return 403 or 404, never the file contents
  2. Check your site still loads correctly
  3. Test WordPress admin functions still work
  4. Verify permalinks still function
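The checks in steps 1 to 4 as a script. This is an added example, not part of the original article. It assumes the site URL is given as a command-line argument, and that wp-config.php.bak and wp-config.php~ are the backup names worth probing; adjust those to whatever your editor or deployment leaves behind. Protected paths must come back 403 (404 is accepted, since a backup may simply not exist), the front page must still return 200 so a broken .htaccess is noticed, and no response for a protected path may contain configuration text.

```python
#!/usr/bin/env python3
"""Check over HTTP that sensitive WordPress files are not being served.

Added example, not from the original article. For each path it records the
status code and body, then judges the pair against EXPECTED below. The site
URL is passed on the command line; the backup file names are assumptions.
"""
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

# path -> acceptable status codes
EXPECTED: Dict[str, set] = {
    "/": {200},                                 # control: the site must still work
    "/wp-config.php": {403, 404},               # 200 here means the rule is missing
    "/wp-config.php.bak": {403, 404},           # assumed backup name
    "/wp-config.php~": {403, 404},              # assumed editor backup name
    "/.htaccess": {403, 404},
    "/wp-includes/version.php": {403, 404},     # covered by the mod_rewrite rules
    "/wp-admin/includes/file.php": {403, 404},  # covered by the mod_rewrite rules
}

# Strings that only appear if wp-config.php or .htaccess were served as text.
LEAK_MARKERS = (b"DB_PASSWORD", b"AUTH_KEY", b"RewriteEngine")


def fetch(base_url: str, path: str, timeout: float = 10) -> Tuple[int, bytes]:
    """GET base_url+path and return (status, first 64 KiB of body); 4xx/5xx are results, not errors."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "wp-config-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536)


def classify(path: str, status: int, body: bytes) -> Optional[str]:
    """Return None if the response is acceptable for path, else a failure description."""
    allowed = EXPECTED[path]
    # Only protected paths are checked for leaked text: a blog post about
    # .htaccess would legitimately contain "RewriteEngine" on the front page.
    if 200 not in allowed and any(marker in body for marker in LEAK_MARKERS):
        return f"{path}: body contains configuration text (status {status})"
    if status not in allowed:
        return f"{path}: status {status}, expected one of {sorted(allowed)}"
    return None


def evaluate(results: Dict[str, Tuple[int, bytes]]) -> List[str]:
    """Judge a {path: (status, body)} map and return the list of failures."""
    failures = []
    for path, (status, body) in results.items():
        failure = classify(path, status, body)
        if failure:
            failures.append(failure)
    return failures


def run(base_url: str) -> List[str]:
    """Fetch every path in EXPECTED from base_url and return the failures."""
    return evaluate({path: fetch(base_url, path) for path in EXPECTED})


if __name__ == "__main__":
    # Usage: python3 wp_http_check.py https://example.com
    site = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    problems = run(site)
    print("\n".join(problems) if problems else "all checks passed")
    sys.exit(1 if problems else 0)
```

The body check matters more than the status check for the backup paths: a 200 on wp-config.php itself is merely a missing rule (PHP ran the file and printed nothing), whereas a 200 on wp-config.php.bak with DB_PASSWORD in the body is your database credentials on the public internet.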

Troubleshooting

Site breaks after changing permissions?

Try less restrictive permissions (440 instead of 400, or 644 instead of 600). The usual cause is that PHP runs as a different user from the file owner, so owner-only bits lock PHP out of wp-config.php; your host's documentation will say which user PHP runs as and which group it belongs to.

Can't save permalinks?

Saving permalinks writes rewrite rules into .htaccess, so the PHP user must be able to write it. Avoid 666 (world-writable). Either leave the file read-only and copy the rules WordPress prints on the Permalinks screen into .htaccess yourself, or make it writable for the PHP user only (644 owned by that user, or 664 with its group), save, then return to 644.

403 errors everywhere?

Check your .htaccess rules for syntax errors; the Apache error log names the offending line. Temporarily rename .htaccess to confirm it is the cause. A 500 rather than a 403 usually means a directive the host's AllowOverride setting does not permit, such as Options.

Summary

File              Recommended permission   .htaccess rule
wp-config.php     400 or 440               deny all access
.htaccess         644                      deny all access
Other PHP files   644                      -
Directories       755                      -

Securing these files is a fundamental step in WordPress security. Combined with keeping WordPress, themes, and plugins updated, using strong passwords, and installing a security plugin, it closes off the most common paths by which WordPress sites are compromised.

Dilawar
Chief of all operations at Softstribe