WPSecurityLock – Malware removal & WordPress security services


WordPress Security Tip – How to Protect the wp-config.php File

May 8, 2010 By Regina Smola 18 Comments


The wp-config.php file contains very sensitive information about your WordPress installation, including your database access, table prefix and Secret Keys.

The wp-config.php file is a standard part of your WordPress installation. It defines the configuration settings required to access your MySQL database. If you're self-hosting WordPress, there's no way around using it.

It's your job to protect it! You certainly don't want this file falling into the wrong hands in the event of a server problem. You can protect it by encrypting its contents while you upload it and by denying web access to it.

How to protect your WordPress wp-config.php file:

  1. Anytime you upload the wp-config.php file, or ANY other directory or file, to your server, use only SFTP or FTPES. With either of these methods, your data is encrypted while it is being sent to the server.

    If you just upload via plain FTP, your files travel as plain text, and that's not what you want to feed a lurking evil hacker for lunch. If you don't know whether you have SFTP or FTPES, call your hosting company and ask. I personally use FTPES on GoDaddy on one of my sites and SFTP on HostGator on another.

    If you don't have SSH enabled on your hosting, DON'T run over and enable it right now. You will incur some downtime and lose your database. For now, go to Step 2 so you can at least hide the file until you have time to get SSH set up properly.
  2. Download your .htaccess file from the server. It is located in the same directory as your wp-config.php and index.php files. (If you don't have an .htaccess file, you will need to create one; see the directions below.)
  3. Using a text editor, like Notepad, open your .htaccess file.
  4. Copy and paste the following code into your .htaccess file to deny access to your wp-config.php file.

    # protect wp-config.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    When saving your changes using “Notepad,” make sure that you change the “Save as type” dropdown to “All Files” so that it does not change your .htaccess file into a .txt file.

If you're having a problem copying and pasting the code above, you can download our sample here. Please note: This is just a sample. Be sure that you just copy and paste the portion to protect your wp-config into your own .htaccess file.

How to create your own .htaccess file:

  1. Open up “Notepad” on your computer.
  2. Copy and paste the code to deny access to your wp-config.php file (see above).
  3. Click File > Save As.
  4. Change File Name to .htaccess
  5. In the “Save as type” dropdown, change to “All Files.”
  6. Upload this file to your server, into the top-level directory of your WordPress files (where index.php, wp-app.php, wp-config.php, etc. are).
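To confirm the directives actually took, and to catch the placement mistake that silently undoes them, here is an added Python checker. It is example code written for this post, not WPSecurityLock's own tooling. It reads an .htaccess file, looks for a `<Files wp-config.php>` container and reports whether that container denies every client, understanding both the Apache 2.2 `Order`/`Deny from all` pair used above and the Apache 2.4 `Require all denied` form. It also flags a deny block placed between the `# BEGIN WordPress` and `# END WordPress` markers, because WordPress rewrites that region every time permalinks are saved in the dashboard. The sample .htaccess texts embedded in the script are constructed for the demonstration.

```python
"""Added example (not WPSecurityLock's code): verify that an .htaccess file
denies web access to wp-config.php and that the block will survive a
permalink save."""
import re
import sys

# Apache matches container names case-insensitively and the file name may be
# quoted, so accept <files wp-config.php> (as in the post) and <Files "wp-config.php">.
FILES_OPEN = re.compile(r'^\s*<files\s+"?wp-config\.php"?\s*>\s*$', re.I)
FILES_CLOSE = re.compile(r'^\s*</files\s*>\s*$', re.I)
# WordPress rewrites everything between these markers when permalinks are saved.
BEGIN_WP = re.compile(r'^\s*#\s*BEGIN WordPress\s*$', re.I)
END_WP = re.compile(r'^\s*#\s*END WordPress\s*$', re.I)

# Lines that deny every client: the Apache 2.2 form used in the post and the
# Apache 2.4 mod_authz_core form.
DENY_ALL = {"deny from all", "require all denied"}


def _normalize(line):
    """Collapse whitespace and lower-case a directive line for comparison."""
    return " ".join(line.split()).lower()


def check_htaccess(text):
    """Classify how well `text` (an .htaccess file) protects wp-config.php.

    Returns 'ok' (a denying <Files> block exists outside the WordPress markers),
    'fragile' (the only denying block is inside the markers and will be erased
    on the next permalink save), 'incomplete' (a <Files wp-config.php> block
    exists but never denies access) or 'missing' (no such block at all).
    """
    in_markers = in_block = block_in_markers = False
    body, found = [], False
    denies_inside = denies_outside = False

    for raw in text.splitlines():
        if BEGIN_WP.match(raw):
            in_markers = True
        elif END_WP.match(raw):
            in_markers = False
        elif FILES_OPEN.match(raw):
            in_block, block_in_markers, body = True, in_markers, []
        elif in_block and FILES_CLOSE.match(raw):
            in_block, found = False, True
            if any(line in DENY_ALL for line in body):
                if block_in_markers:
                    denies_inside = True
                else:
                    denies_outside = True
        elif in_block:
            body.append(_normalize(raw))

    if denies_outside:
        return "ok"
    if denies_inside:
        return "fragile"
    return "incomplete" if found else "missing"


# Constructed sample: the layout Regina shows in the comments, deny block after END.
GOOD = """\
# BEGIN WordPress
<ifmodule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</ifmodule>
# END WordPress

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
"""

# Constructed sample: the mistake Michael reports, the block sits inside the markers.
FRAGILE = """\
# BEGIN WordPress
<files wp-config.php>
order allow,deny
deny from all
</files>
RewriteEngine On
# END WordPress
"""

# Constructed sample: the Apache 2.4 spelling, outside the markers.
GOOD_24 = """\
<Files "wp-config.php">
    Require all denied
</Files>
"""

if __name__ == "__main__":
    # Usage: python check_htaccess.py /path/to/.htaccess
    path = sys.argv[1] if len(sys.argv) > 1 else ".htaccess"
    with open(path, encoding="utf-8") as fh:
        print(check_htaccess(fh.read()))
```

Run it as `python check_htaccess.py /path/to/.htaccess`; anything other than `ok` means the file is not yet protected the way the post intends. Two caveats the script cannot see: .htaccess directives only take effect if the server's `AllowOverride` setting permits them, and nginx ignores .htaccess entirely, so after editing, always request wp-config.php in a browser and confirm you get a 403 rather than a blank page.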

Although there are many more things that you can do to protect your WordPress website, knowing that your wp-config.php file is now more protected should give you some peace of mind. Sleep better tonight!

If you would like this Done For You, we have options available on our Services page.  For ongoing WordPress Security and Maintenance, consider our monthly packages.

Securely yours,

Regina Smola
Follow me on Twitter
Follow WPSecurityLock on Twitter

P.S. If you found this post helpful or have any questions, please leave your comment below.


Filed Under: WordPress Security Tips Tagged With: hide wp-config file, Protect WP config php File, protect wp-config.php, secure wordpress, wordpress security


Comments

  1. K_Wasseem__7php.com says

    May 10, 2010 at 2:05 pm

    @WPSecurityLock:

    Do you think, we should also protect the wp-cron.php ?

    Thanks,
    K_Wasseem
    (7php.com)

  2. Bogdan Calin says

    May 11, 2010 at 8:43 am

    You don’t need to “protect” wp-config.php. Because it’s a PHP file, it gets parsed and executed by the PHP engine. You cannot see the contents of this file if you request http://www.website.com/wp-config.php. It gets interpreted by PHP and you will just see an empty page.

    If somebody gets access to the web server and can read that file, this “protection” will not help you. Therefore, I don’t see any purpose for this “protection”.

    • Regina says

      May 11, 2010 at 12:01 pm

      Hello Bogdan,

      Thank you for your comment. In light of the fact that the most recent hacker attacks on WordPress sites are changing all server permissions for both directories and files to 777, this will make that file readable, writable and executable. This is just another way to safeguard our sites.

      There is a way to move this file outside the root as well. You can find out more here:
      http://www.devlounge.net/code/protect-your-wordpress-wp-config-so-you-dont-get-hacked.

    • Allison says

      May 8, 2012 at 1:06 am

      If you have your config file unprotected, it might be visible via:

      http://yourwebsite.com/wp-config.php?-s

      Change “yourwebsite” above to your domain name and test it in a browser.

  3. Tina T says

    May 11, 2010 at 12:38 pm

    This is probably a dumb question, but since my htaccess file has my permalink structure, can I just paste this code beneath it so that I don’t mess with my permalink code? If I do that will my config file still be protected? Thanks.

    • Regina says

      May 11, 2010 at 12:46 pm

      Hi Tina,

      Thanks for your question. And no, it’s not a dumb question. I’m glad you asked.

      Yes, you can post it directly below your permalink code. Here’s an example:

      # BEGIN WordPress
      <ifmodule mod_rewrite.c>
      RewriteEngine On
      RewriteBase /
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
      </ifmodule>
      # END WordPress

      # protect wp-config
      <files wp-config.php>
      order deny,allow
      deny from all
      </files>

      Also check your site right away to make sure that it is working. If the code is not put in properly, you will get an Internal Server Error. If this happens, check to make sure you copied it correctly and re-upload. If all else fails, email me; I'll help you personally.

  4. James Neil says

    August 15, 2010 at 10:54 am

    Looks like the bad guys are having a field day hacking WP blogs. Glad I found your site to help me avoid being spammed and hacked by the creations.

    What theme are you using? I like it.

  5. Matt Fraser says

    May 22, 2011 at 3:38 am

    Regina,

    What about changing the permissions of your wp-config file to 640 440 or 400?

    • B says

      December 27, 2011 at 11:27 am

      Here ya go Matt! This is a great link that explains the file permissions; both the .htaccess and config should be @ 640.

      http://digwp.com/2010/08/pimp-your-wp-config-php/

  6. Michael says

    September 17, 2011 at 9:42 am

    Updating permalinks in WP updates htaccess. On my system/set-up this causes the protect wpconfig.php directive (and some others) to disappear and just leaves my permalink redirects in htaccess. This may be specific to the order of entries in my file – I don’t know, but people may wish to check their htaccess to ensure it’s still setup how they want..

    • Michael says

      February 18, 2012 at 6:34 pm

      Oops, my bad.

      I had the wpconfig.php directive inside the WP Begin and End headings. WP erases everything between Begin End when you update permalinks. Anything you need to keep must be placed outside the Begin End.

  7. Tushar says

    February 17, 2012 at 9:41 pm

    Recently my wp-config.php file was edited by a hacker, who inserted some code in it which resulted in my site being redirected to another site. I fixed it now, but how can I avoid it in the future?

  8. Twanny says

    November 13, 2012 at 9:04 am

    I amended the .htaccess and I even moved the wp-config.php into a folder at the same level as my www folder (public_html), but now I am getting the error ‘Error establishing a database connection’.

    I've been trying all sorts of permutations and I suspect the solution is getting the patch right. I use Skype should you wish to have a quick chat about this. Any help is appreciated.

    regards

    Twanny

    • Regina Smola says

      November 29, 2012 at 11:01 am

      Hi Twanny,

      You must have missed a step. I would be happy to help. Feel free to sign up for a 30 min consult with me 🙂

  9. wikinaira says

    December 9, 2012 at 4:26 pm

    Thanks for sharing the great post; however, I want to ask you one question: what's the best permission setting for my WordPress wp file attributes? A friend advised me that the default is vulnerable to attack. Please can you shed more light on this? Thanks

    • Regina Smola says

      December 12, 2012 at 11:05 am

      For files, the maximum you should go is 644 🙂

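The permission question comes up three times in this thread: the 777 rewrite Regina mentions, Matt's 640/440/400, and the 644 ceiling just above. As an added example, not code from the post, here is a Python audit that walks a WordPress install, lists every entry looser than its ceiling and, on request, clamps offenders back down by stripping only the excess bits. The file ceilings are the thread's figures (644 in general, 640 for wp-config.php, the number from the article B linked); the 755 ceiling for directories is an assumption taken from WordPress's general hardening guidance, not something this thread states. The sample tree the script builds is constructed for the demonstration.

```python
"""Added example (not WPSecurityLock's code): audit and clamp file modes in a
WordPress install against the ceilings discussed in the comments."""
import os
import stat
import sys
import tempfile

# Ceilings: 644 for files (Regina's maximum) and 640 for wp-config.php (the
# figure in the article B linked). The 755 directory ceiling is an assumption
# taken from WordPress's general hardening guidance, not from this thread.
CEILINGS = {"dir": 0o755, "file": 0o644, "wp-config.php": 0o640}


def mode_of(path):
    """Permission bits of `path` as an int (e.g. 0o644); symlinks are not followed."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def within(mode, ceiling):
    """True when `mode` grants nothing that `ceiling` does not (bitwise subset)."""
    return mode & ~ceiling == 0


def ceiling_for(path, is_dir):
    """Pick the ceiling that applies to one entry."""
    if is_dir:
        return CEILINGS["dir"]
    if os.path.basename(path) == "wp-config.php":
        return CEILINGS["wp-config.php"]
    return CEILINGS["file"]


def audit_tree(root):
    """Return [(path, actual_mode, ceiling)] for every entry under `root` that is
    looser than its ceiling; an empty list means nothing to fix. `root` itself
    is not checked."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(n, True) for n in dirnames] + [(n, False) for n in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a link's own bits are meaningless; audit its target separately
            mode, ceiling = mode_of(path), ceiling_for(path, is_dir)
            if not within(mode, ceiling):
                findings.append((path, mode, ceiling))
    return findings


def tighten(root, dry_run=False):
    """Clamp each offender to `mode & ceiling`, i.e. strip only the excess bits.
    Returns the number of entries changed (or that would change, when dry_run)."""
    findings = audit_tree(root)
    if not dry_run:
        for path, mode, ceiling in findings:
            os.chmod(path, mode & ceiling)
    return len(findings)


def _touch(path, mode):
    open(path, "w").close()
    os.chmod(path, mode)


def make_sample_tree():
    """Constructed sample: a throwaway tree with the loose modes the thread warns
    about (a 777 directory, a 666 file, a 644 wp-config.php) plus one correct
    file. Returns (root, list_of_offending_paths). The tree is not deleted."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    content = os.path.join(root, "wp-content")
    os.mkdir(content)
    os.chmod(content, 0o777)
    loose = os.path.join(content, "index.php")
    _touch(loose, 0o666)
    config = os.path.join(root, "wp-config.php")
    _touch(config, 0o644)
    _touch(os.path.join(root, "index.php"), 0o644)
    return root, [content, loose, config]


if __name__ == "__main__":
    # Usage: python wp_perm_audit.py /path/to/wordpress [--fix]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, ceiling in audit_tree(target):
        print(f"{oct(mode)[2:]} > {oct(ceiling)[2:]}  {path}")
    if "--fix" in sys.argv:
        print(f"tightened {tighten(target)} entries")
```

Run `python wp_perm_audit.py /path/to/wordpress` first to see the report, then add `--fix` once you are happy with it. Clamping with `mode & ceiling` rather than assigning the ceiling outright means a file already set to 600 or 400 is left alone; the script only ever removes bits, never adds them. The sample tree is created under the system temp directory, so remove it yourself after experimenting.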
  10. k0nsl says

    December 16, 2012 at 6:02 pm

    Hi Ms. Smola,

    What other security tips do you have for securing wp-config.php? I have done some steps to secure it, but nothing optimal. The best thing to do is to secure the system from the inside and not through solutions such as .htaccess – although this solution can somewhat mitigate the inherent security risks involved with PHP, but most importantly WordPress (PHP is not inherently insecure as many claim).

    Good to see a woman write articles such as yours. Keep it up, ms. Smola.

    PS:
    You have some issue with your commentary system. When I use Chrome — with Javascript enabled — it tells me to enable Javascript and refuses my comment.

    Faithfully,
    Indigo Stanza (k0nsl)

  11. Mike_Host says

    June 8, 2014 at 7:20 pm

    Amazing article. I suppose moving the wp-config.php file out of the publicly accessible document structure. That way no one can guess its location easily.

