Protecting the WordPress wp-config.php file is another way to beef up your WordPress security. The WordPress wp-config.php file contains very sensitive information about your WordPress installation, such as the WordPress security keys and the WordPress database connection details. You certainly do not want the content of this file to fall into the wrong hands, so WordPress wp-config.php security is definitely something you should take seriously.
In this step-by-step article we will explain how to protect the WordPress wp-config.php file, and how to store the sensitive information the wp-config.php file contains somewhere secure that is not accessible via the web.
Protecting wp-config.php via .htaccess file
- Connect to your website using an FTP client and download the .htaccess file found in the root directory of your website. It is important to use SFTP or FTPES to encrypt the communication between your computer and your server.
- Using a text editor such as Notepad, open the .htaccess file.
- Copy the text below into your .htaccess file to deny access to your wp-config.php file. Paste it at the bottom of your .htaccess file, after all other entries.
# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>
WP White Security Tip: If you are using notepad to modify .htaccess files make sure that when saving your changes you change the ‘Save as type’ dropdown to ‘All Files’ so that notepad does not add a .txt extension to your .htaccess file.
Once you’ve added the above text to your WordPress .htaccess file, upload it back to the root of your website to overwrite the old one.
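The rule above uses the Apache 2.2 "order/deny" syntax. On Apache 2.4 that syntax only works when the mod_access_compat module is loaded; otherwise the server refuses to start or returns an error for the whole site. The following shell function is an added example (it is not part of the original article or of WP White Security's own tooling) that appends a version-independent variant of the rule to a .htaccess file and only does so once, so re-running it does not duplicate the block. The file path, the marker comment and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the article: append a deny rule for wp-config.php to
# a .htaccess file that works on both Apache 2.2 and Apache 2.4, exactly once.

# Marker comment used to detect whether the rule block is already present.
HTACCESS_MARKER='# protect wp-config.php'

# protect_wpconfig_htaccess FILE
#   Appends the rule block to FILE (creating the file if needed).
#   Returns 0 if the block was added, 1 if it was already there (nothing written).
protect_wpconfig_htaccess() {
    file=$1
    if [ -f "$file" ] && grep -qF "$HTACCESS_MARKER" "$file"; then
        return 1
    fi
    cat >> "$file" <<'EOF'

# protect wp-config.php
<Files wp-config.php>
    # Apache 2.4 and later: mod_authz_core is present, use the new syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: fall back to the syntax used in the article
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
EOF
    return 0
}

# count_wpconfig_rules FILE
#   Prints how many times the rule block occurs in FILE (0 for a missing file).
#   After editing .htaccess the expected answer is exactly 1.
count_wpconfig_rules() {
    if [ -f "$1" ]; then
        grep -cF "$HTACCESS_MARKER" "$1" || true
    else
        echo 0
    fi
}
```

Run it as `protect_wpconfig_htaccess /home/youruser/public_html/.htaccess` after downloading or before uploading the file, then confirm with `count_wpconfig_rules` that the block appears once. Wrapping both syntaxes in `<IfModule>` means the same .htaccess keeps working if your host upgrades Apache.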
Move WordPress wp-config.php file
Ideally you should be able to simply move the WordPress wp-config.php file to an unpredictable location to protect the sensitive data stored in this file, though this is a difficult and time-consuming task. You would have to make changes to the WordPress source code and maintain them with every upgrade. Alternatively you can simply create a new file and move all the sensitive wp-config.php entries to this file, as explained below.
Remove Sensitive Information from wp-config.php
Create a new ‘config.php’ file
Create a new file called ‘config.php’. The file should be created in a directory that is not accessible from the web. For example, if your blog or website content is in /home/youruser/public_html/, then create the file config.php in /home/youruser/ so the file cannot be reached by any of your visitors. Typically this is the directory one level above the public_html or www directory.
Open the existing WordPress wp-config.php file and move the lines which contain the database connection details, the database prefix and the WordPress security keys from the wp-config.php file to the new config.php file, as shown in the example below. Add <?php at the beginning of the new config.php file and ?> at the end of the file.
<?php
define('DB_NAME', 'Your_DB');     // name of database
define('DB_USER', 'DB_User');     // MySQL user
define('DB_PASSWORD', 'DB_pass'); // and password
define('DB_HOST', 'localhost');   // MySQL host

// The WordPress Security Keys
define('AUTH_KEY',         'Your_key_here');
define('SECURE_AUTH_KEY',  'Your_key_here');
define('LOGGED_IN_KEY',    'Your_key_here');
define('NONCE_KEY',        'Your_key_here');
define('AUTH_SALT',        'Your_key_here');
define('SECURE_AUTH_SALT', 'Your_key_here');
define('LOGGED_IN_SALT',   'Your_key_here');
define('NONCE_SALT',       'Your_key_here');

// The WordPress database table prefix
$table_prefix = 'wp_'; // only numbers, letters and underscore
?>
Modify wp-config.php file
After removing all the sensitive data from the wp-config.php file, simply add the following line straight after <?php in the wp-config.php file: include('/home/yourname/config.php');. So the first two lines of your wp-config.php should look like this:
<?php
include('/home/yourname/config.php');
Now instead of having all the sensitive information stored in your wp-config.php file, the wp-config.php file is reading such information from a different location.
Please note that the include path (i.e. /home/yourname/) varies from one web server or web hosting provider to the other. If you are not sure what the absolute path of your website is, refer to the blogger tip How to find absolute path on a webserver using PHP.
If you are having problems implementing the above suggestion or beefing up the security of your WordPress installation, drop us an email and we will gladly assist you and answer any WordPress and webmaster questions you might have.
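The two steps above (move the sensitive lines into a config.php outside the web root, then include it from wp-config.php) are easy to get slightly wrong by hand, and a mistake shows up only as a generic database error. The script below is an added example, not part of the article, that performs the split with grep and awk and then checks the result. It assumes the first line of wp-config.php is exactly `<?php`, that the sensitive entries are the DB_NAME/DB_USER/DB_PASSWORD/DB_HOST defines, the *_KEY and *_SALT defines and `$table_prefix`, and that the paths passed in are absolute; `split_wp_config` and `check_wp_config` are names chosen for this example. It leaves out the closing `?>` the article adds, which is optional in a PHP-only file and, when omitted, cannot emit stray whitespace.

```shell
#!/bin/sh
# Added example, not from the article: move the secrets out of wp-config.php
# into a config.php outside the web root and verify the result.

# A single or double quote, as used around constant names in define(...).
quote="['\"]"
# Lines the article tells you to move: DB connection defines, keys/salts, prefix.
sensitive="^[[:space:]]*(define[[:space:]]*\\([[:space:]]*${quote}(DB_NAME|DB_USER|DB_PASSWORD|DB_HOST|[A-Z_]*(KEY|SALT))${quote}|\\\$table_prefix[[:space:]]*=)"

# split_wp_config DOCROOT SECRETS
#   DOCROOT: directory holding wp-config.php (e.g. /home/youruser/public_html)
#   SECRETS: absolute path of the new config.php, outside DOCROOT
#   Writes the sensitive lines to SECRETS, removes them from wp-config.php and
#   inserts the include line right after the opening <?php.
split_wp_config() {
    docroot=$1
    secrets=$2
    wpconfig="$docroot/wp-config.php"
    {
        echo '<?php'
        echo '// Sensitive WordPress settings, kept outside the web root.'
        grep -E "$sensitive" "$wpconfig" || true
    } > "$secrets"
    chmod 400 "$secrets"   # readable by the owner (the PHP user) only
    tmp="$wpconfig.tmp"
    grep -Ev "$sensitive" "$wpconfig" \
        | awk -v inc="$secrets" -v q="'" '
            NR == 1 && index($0, "<?php") == 1 { print; print "include(" q inc q ");"; next }
            { print }' > "$tmp"
    mv "$tmp" "$wpconfig"
    chmod 400 "$wpconfig"
}

# check_wp_config DOCROOT SECRETS
#   Returns 0 when the split looks right: SECRETS lies outside DOCROOT, no
#   secrets remain in wp-config.php, the include line is present and SECRETS
#   actually holds the database password. Prints the reason on failure.
check_wp_config() {
    docroot=$1
    secrets=$2
    wpconfig="$docroot/wp-config.php"
    case "$secrets" in
        "$docroot"/*) echo "config.php is inside the web root: $secrets" >&2; return 1 ;;
    esac
    if grep -Eq "DB_PASSWORD|_KEY'|_SALT'" "$wpconfig"; then
        echo "wp-config.php still contains secrets" >&2
        return 1
    fi
    grep -qF "include('$secrets');" "$wpconfig" \
        || { echo "include line missing from wp-config.php" >&2; return 1; }
    grep -qF "DB_PASSWORD" "$secrets" \
        || { echo "no DB_PASSWORD in $secrets" >&2; return 1; }
    return 0
}
```

Typical use is `split_wp_config /home/youruser/public_html /home/youruser/config.php` followed by `check_wp_config` with the same arguments. If WordPress then reports "Error establishing a database connection", the check already rules out a wrong include path, which leaves the connection details themselves to verify.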
16 comments
Thanks for helping! But I think some plugin will conflict this .htacesss modification, isn’t it right?
Hi,
Thank you for visiting our website. No plugins should have problems with modified .htaccess files, i.e. plugins should never access the wp-config.php file directly, so protecting it via the .htaccess file should not be a problem.
Hello,
are Protecting wp-config.php via .htaccess file and Remove Sensitive Information from wp-config.php alternative or consecutive steps – I am a bit confused.
thanks
I would recommend doing both. The more you can do to harden your WordPress setup the better it is.
Hello
It seems that some plugins really have access to wp-config.php. I found this line in mine:
"define( 'WPCACHEHOME', '/home/username/public_html/site.com/wp-content/plugins/wp-super-cache/' ); //Added by WP-Cache Manager"
and was added above define(‘DB_NAME’,..
So, would this removing of the sensitive information affect the site’s functionality?
Thanks
Hello Nico. Plugins and themes will always have access to the wp-config.php file since they can update it through WordPress. They do not need direct access. The point of this exercise is to move the wp-config.php sensitive information to a non web accessible location. Hope this helps.
What should I set permission for securing wp-config.php? Is it 444 enough or I should used 400?
As such no one needs to write to the wp-config.php file, apart from you (the admin) in case you need to change the setup. So 400 should do the trick.
Hi,
Instead of creating config.php in a folder above public_html and keeping the wp-config file in the WordPress installation, wouldn't it be better hardening (because if we add the line include('/home/yourname/config.php'); and the attacker manages to enter the wp-config, he/she will see where the important info is stored) just to move the whole wp-config file to the folder above the wp installation, as is?
And then create a .htaccess in the same folder with the
# protect wpconfig.php
order allow,deny
deny from all
Wouldn't that be safer?
As I see it, WordPress hasn't any problem finding the wp-config's location there. And any WordPress attacker, if they manage to get inside public_html, will not see any wp-config.php file at all..
What do u think?
ps btw your articles are so good, u rock, keep up the good job
Rgrds
Panos
Thank you for your feedback Panos.
In this post we are using both steps, the one you mentioned (protecting the file with .htaccess) and we are also moving the sensitive info from the config file into a file outside the public_html. So we are applying two hardening tweaks here and not just one.
This is SUCH a helpful article. I appreciate you posting this and responding to everyone’s questions. Very professional.
Hello Mary,
We’re glad that you found this article helpful.
Thanks a lot for reaching out and sharing your feedback.
Best,
Rado
hello,
I'm trying to do it on localhost, so as not to affect the web page. I made both changes but it shows "500 internal server error".
can you help me with some advice?
Hello Akaki, thank you for your comment. There are many things that could be affecting your setup and offhand it is very difficult to tell what is not working. When there is a 500 HTTP error the web server typically reports the issue in the error.log, so please check your web server's log files. Good luck with solving the issue.
Hi, if I follow the steps for removing the sensitive information from the wp-config.php file, I get the “Error establishing a database connection” error. How can I fix this?
Hello Remco, thank you for your comment. Offhand it is very difficult to tell what the problem might be; however, the most common problem in such cases is wrong connection details in the file (for example a wrong username, password or database name). Double check those details first. Good luck with the solution.