Protect WP config php File
The wp-config.php file contains very sensitive information about your WordPress installation, including your database access, table prefix and Secret Keys.
The wp-config.php file is a standard part of your WordPress installation. It defines the configuration settings required to access your MySQL database. If you're self-hosting WordPress, there's no way around using it.
It's your job to protect it! You certainly don't want this file falling into the wrong hands in the event of a server problem. You can protect it by encrypting its contents while you upload it and by denying access to it.
How to protect your WordPress wp-config.php file:
- Anytime you upload the wp-config.php file, and ANY directory or file to your server, you should only use SFTP or FTPES. By using either of these methods, your data is encrypted while being sent to the server.
If you just upload via plain FTP, your files are sent as plain text, and that's not what you want to feed a lurking evil hacker for lunch. If you don't know if you have SFTP or FTPES, call your hosting company and ask. I personally use FTPES on GoDaddy on one of my sites and SFTP on HostGator on another.
If you don't have SSH enabled on your hosting, DON'T run over and enable it. You will incur some downtime and could lose your database. For now, go to Step 2 so you can at least hide it, until you have time to get it set up properly.
- Download your .htaccess file from the server. This is located in the same section as your wp-config.php or index.php file. (If you don't have an .htaccess file, then you will need to create one; see directions below.)
- Using a text editor, like Notepad, open your .htaccess file.
- Copy and paste the following code into your .htaccess file to deny access to your wp-config.php file.
# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>
When saving your changes using “Notepad,” make sure that you change the “Save as type” dropdown to “All Files” so that it does not change your .htaccess file into a .txt file.
If you're having a problem copying and pasting the code above, you can download our sample here. Please note: This is just a sample. Be sure that you just copy and paste the portion to protect your wp-config into your own .htaccess file.
How to create your own .htaccess file:
- Open up “Notepad” on your computer.
- Copy and paste the code to deny access to your wp-config.php file (see above).
- Click on File > Save As >
- Change File Name to .htaccess
- In the “Save as type” dropdown, change to “All Files.”
- Upload this file to the top level of your server, where your WordPress files are (index.php, wp-app.php, wp-config.php, etc.).
Although there are many more things that you can do to protect your WordPress website, knowing that your wp-config.php file is now more protected should give you some peace of mind. Sleep better tonight!
If you would like this Done For You, we have options available on our Services page. For ongoing WordPress Security and Maintenance, consider our monthly packages.
Securely yours,
Regina Smola
Follow me on Twitter
Follow WPSecurityLock on Twitter
P.S. If you found this post helpful or have any questions, please leave your comment below.
K_Wasseem__7php.com says
@WPSecurityLock:
Do you think we should also protect wp-cron.php?
Thanks,
K_Wasseem
(7php.com)
Bogdan Calin says
You don’t need to “protect” wp-config.php. Because it’s a PHP file, it gets parsed and executed by the PHP engine. You cannot see the contents of this file if you request http://www.website.com/wp-config.php. It gets interpreted by PHP and you will just see an empty page.
If somebody gets access to the web server and can read that file, this “protection” will not help you. Therefore, I don’t see any purpose for this “protection”.
Regina says
Hello Bogdan,
Thank you for your comment. In light of the fact that the most recent hacker attacks on WordPress sites are changing all server permissions for both directories and files to 777, this will make that file readable, writable and executable. This is just another way to safeguard our sites.
There is a way to move this file outside the root as well. You can find out more here:
http://www.devlounge.net/code/protect-your-wordpress-wp-config-so-you-dont-get-hacked.
Allison says
If you have your config file unprotected, it might be visible via:
http://yourwebsite.com/wp-config.php?-s
Change “yourwebsite” above to your domain name and test it in a browser.
Tina T says
This is probably a dumb question, but since my htaccess file has my permalink structure, can I just paste this code beneath it so that I don’t mess with my permalink code? If I do that will my config file still be protected? Thanks.
Regina says
Hi Tina,
Thanks for your question. And no, it’s not a dumb question. I’m glad you asked.
Yes, you can post it directly below your permalink code. Here’s an example:
# BEGIN WordPress
<ifmodule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</ifmodule>
# END WordPress
# protect wp-config
<files wp-config.php>
order deny,allow
deny from all
</files>
Also check your site right away to make sure that it is working. If the code is not put in properly, you will get an Internal Server Error. If this happens, check to make sure you copied it correctly and reupload. If all else fails, email me, I’ll help you personally.
James Neil says
Looks like the bad guys are having a field day hacking WP blogs. Glad I found your site to help me avoid being spammed and hacked by the creations.
What theme are you using? I like it.
Matt Fraser says
Regina,
What about changing the permissions of your wp-config file to 640, 440 or 400?
B says
Here ya go Matt! This is a great link that explains the file permissions; both the .htaccess and config should be @ 640.
http://digwp.com/2010/08/pimp-your-wp-config-php/
Michael says
Updating permalinks in WP updates htaccess. On my system/set-up this causes the protect wpconfig.php directive (and some others) to disappear and just leaves my permalink redirects in htaccess. This may be specific to the order of entries in my file – I don’t know, but people may wish to check their htaccess to ensure it’s still set up how they want.
Michael says
Oops, my bad.
I had the wpconfig.php directive inside the WP Begin and End headings. WP erases everything between Begin End when you update permalinks. Anything you need to keep must be placed outside the Begin End.
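As an added example (not part of the original post or of this comment thread), here is a small Python check for the mistake Michael describes: it confirms that a <Files wp-config.php> block with a deny-all directive exists in .htaccess and reports whether that block sits inside the "# BEGIN WordPress" / "# END WordPress" region, where the next permalink save would overwrite it. It accepts both the Apache 2.2 "deny from all" and the Apache 2.4 "Require all denied" forms; the sample .htaccess text is constructed for the demonstration.

```python
import re

# Constructed sample: the protect block was pasted INSIDE the WordPress-managed region.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# protect wp-config
<files wp-config.php>
order allow,deny
deny from all
</files>
# END WordPress
"""

FILES_OPEN = re.compile(r'^\s*<files\s+"?([^\s">]+)"?\s*>', re.I)
FILES_CLOSE = re.compile(r"^\s*</files\s*>", re.I)
# Apache 2.2 (mod_access_compat) and Apache 2.4 (mod_authz_core) deny-all spellings.
DENY_ALL = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)


def audit_htaccess(text, target="wp-config.php"):
    """Return (protected, inside_wp_region).

    protected:         a <Files target> block containing a deny-all line was found.
    inside_wp_region:  that block lies between the BEGIN/END WordPress markers,
                       so WordPress will erase it when permalinks are saved.
    """
    in_wp = in_target = block_in_wp = denied = False
    for line in text.splitlines():
        marker = line.strip().lower()
        if marker == "# begin wordpress":
            in_wp = True
        elif marker == "# end wordpress":
            in_wp = False
        opened = FILES_OPEN.match(line)
        if opened:
            in_target = opened.group(1).lower() == target.lower()
            block_in_wp, denied = in_wp, False
        elif FILES_CLOSE.match(line):
            if in_target and denied:
                return True, block_in_wp
            in_target = False
        elif in_target and DENY_ALL.match(line):
            denied = True
    return False, False


if __name__ == "__main__":
    protected, inside = audit_htaccess(SAMPLE_HTACCESS)
    print("protected:", protected, "| inside BEGIN/END WordPress:", inside)
```

A result of (True, True) is the situation from Michael's comment: the rule works today but will vanish on the next permalink update, so the block should be moved below "# END WordPress".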
Tushar says
Recently my wp-config.php file was edited by a hacker, and they inserted some code in it which resulted in my site being redirected to another site. I fixed it now, but how can I avoid it in the future?
Twanny says
I amended the .htaccess and I even moved the wp-config.php in a folder at the same level as my www folder (public_html) but now I am getting an error of ‘Error establishing a database connection’.
I've been trying all sorts of permutations and I suspect the solution is getting the patch right. I use Skype should you wish to have a quick chat about this. Any help is appreciated.
regards
Twanny
Regina Smola says
Hi Twanny,
You must have missed a step. I would be happy to help. Feel free to sign up for a 30 min consult with me 🙂
wikinaira says
Thanks for sharing the great post. However, I want to ask you one question: what's the best permission to set for my WordPress wp file attributes? A friend advised me that the default is vulnerable to attack. Please can you shed more light on this? Thanks
Regina Smola says
For files, the maximum you should go is 644 🙂
k0nsl says
Hi Ms. Smola,
What other security tips do you have for securing wp-config.php? I have done some steps to secure it, but nothing optimal. The best thing to do is to secure the system from the inside and not through solutions such as .htaccess – although this solution can somewhat mitigate the inherent security risks involved with PHP, but most importantly WordPress (PHP is not inherently insecure as many claim).
Good to see a woman write articles such as yours. Keep it up, ms. Smola.
PS:
You have some issue with your commentary system. When I use Chrome — with Javascript enabled — it tells me to enable Javascript and refuses my comment.
Faithfully,
Indigo Stanza (k0nsl)
Mike_Host says
Amazing article. I suppose moving the wp-config.php file out of the publicly accessible document structure. That way no one can guess its location easily.