Protect the WordPress wp-config.php Configuration File

Last updated on April 12th, 2019 by Robert Abela. Filed under WordPress Security Tutorials & Tips

Protecting the WordPress wp-config.php file is another way to beef up your WordPress security. The WordPress wp-config.php file contains very sensitive information about your WordPress installation, such as the WordPress security keys and the WordPress database connection details. You certainly do not want the content of this file to fall in the wrong hands, so WordPress wp-config.php security is definitely something you should take seriously.

In this step by step article we will explain how to protect the WordPress wp-config.php file, and how to store the sensitive information wp-config.php file contains somewhere secure not accessible via web.

New to htaccess? Check out our Definitive Guide to htaccess and WordPress!

Protecting wp-config.php via .htaccess file

  1. Connect to your website using an FTP client and download the .htaccess file found in the root directory of your website. It is important to use SFTP of FTPES to encrypt the communication between your computer and your servers.
  2. Using a text editor such as Notepad open the .htaccess file.
  3. Copy the below to your .htaccess to deny access to your wp-config.php file. You can copy the below text at the bottom of your .htaccess file, after all other entries.
# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all

WP White Security Tip: If you are using notepad to modify .htaccess files make sure that when saving your changes you change the ‘Save as type’ dropdown to ‘All Files’ so that notepad does not add a .txt extension to your .htaccess file.

Once you’ve added the above text to your WordPress .htaccess file, upload it back to the root of your website to overwrite the old one.

Move WordPress wp-config.php file

Ideally you should be able to simply move the WordPress wp-config.php file to an unpredictable location to protect the sensitive data stored in this file, though this is a difficult task and time consuming. You would have to make changes to the WordPress source code and maintain it with every upgrade. Alternatively you can simply create a new file and move all the WordPress wp-config.php sensitive entries to this file as explained below.

Remove Sensitive Information from wp-config.php

Create a new ‘config.php’ file

Create a new file called ‘config.php’.  The file should be created in a non-WWW accessible directory. For example if your blog or website content is in /home/youruser/public_html/, then create the file config.php in /home/youruser/ so the file cannot be reached by any of your visitors. Typically this should be a directory before public_html or www directory.

Open the existing WordPress wp-config.php file and move the lines which contain the database connection details, the database prefix and also the WordPress security keys from the wp-config.php file to the new config.php file as shown in the below example. Add <?php at the beginning of the new config.php file and ?> at the end of the file.

define('DB_NAME', 'Your_DB'); // name of database
define('DB_USER', 'DB_User'); // MySQL user
define('DB_PASSWORD', 'DB_pass'); // and password
define('DB_HOST', 'localhost'); // MySQL host

// The WordPress Security Keys

define('AUTH_KEY',         'Your_key_here');
define('SECURE_AUTH_KEY',  'Your_key_here');
define('LOGGED_IN_KEY',    'Your_key_here');
define('NONCE_KEY',        'Your_key_here');
define('AUTH_SALT',        'Your_key_here');
define('SECURE_AUTH_SALT', 'Your_key_here');
define('LOGGED_IN_SALT',   'Your_key_here');
define('NONCE_SALT',       'Your_key_here');

// The WordPress database table prefix
$table_prefix  = 'wp_'; // only numbers, letters and underscore

Modify wp-config.php file

After removing all the sensitive data from the wp-config.php file, simply add the following line straight after <?php in the wp-config.php file; include(‘/home/yourname/config.php’);. So the first two lines of your wp-config.php should look like this;


Now instead of having all the sensitive information stored in your wp-config.php file, the wp-config.php file is reading such information from a different location.

Please note that the include path (i.e. /home/yourname/) varies from one web server or web hosting provider to the other. If you are not sure what is the absolute path of your website, refer to the blogger tip How to find absolute path on a webserver using PHP.

If you are having problems implementing the above suggestion or beefing up the security of your WordPress installation, drop us an email and we will gladly assist you and answer any WordPress and web master questions you might have.

WordPress Hosting, Firewall and Backup

This Website is:


Thanks for helping! But I think some plugin will conflict this .htacesss modification, isn’t it right?

Robert Abela 18/02/2014


Thank you for visiting our website. No plugins should not have problems with modified .htaccess files. I.e. plugins should never be accessing the wp-config.php file directly, so protecting it via .htaccess file should not be of a problem.

Martin Gawlikowski 02/05/2018

are Protecting wp-config.php via .htaccess file and Remove Sensitive Information from wp-config.php alternative or consecutive steps – I am a bit confused.


Robert Abela 24/07/2018

I would recommend doing both. The more you can do to harden your WordPress setup the better it is.

Nico 16/05/2019


It seems that some plugins really have access to wp-config.php. I found this line in mine:
“define( ‘WPCACHEHOME’, ‘/home/username/public_html/’ ); //Added by WP-Cache Manager”

and was added above define(‘DB_NAME’,..

So, would this removing of the sensitive information affect the site’s functionality?


Robert Abela 17/05/2019

Hello Nico. Plugins and themes will always have access to the wp-config.php file since they can update it through WordPress. They do not need direct access. The point of this exercise is to move the wp-config.php sensitive information to a non web accessible location. Hope this helps.

Leave a Reply

Your email address will not be published. Required fields are marked *