Protect the WordPress wp-config.php Configuration File

Last updated on January 26th, 2023 by Robert Abela. Filed under WordPress Security Tutorials & Tips

Protecting the WordPress wp-config.php file is another way to beef up your WordPress security. The WordPress wp-config.php file contains very sensitive information about your WordPress installation, such as the WordPress security keys and the WordPress database connection details. You certainly do not want the content of this file to fall in the wrong hands, so WordPress wp-config.php security is definitely something you should take seriously.

In this step by step article we will explain how to protect the WordPress wp-config.php file, and how to store the sensitive information wp-config.php file contains somewhere secure not accessible via web.

New to htaccess? Check out our Definitive Guide to htaccess and WordPress!

Protecting wp-config.php via .htaccess file

  1. Connect to your website using an FTP client and download the .htaccess file found in the root directory of your website. It is important to use SFTP of FTPES to encrypt the communication between your computer and your servers.
  2. Using a text editor such as Notepad open the .htaccess file.
  3. Copy the below to your .htaccess to deny access to your wp-config.php file. You can copy the below text at the bottom of your .htaccess file, after all other entries.
# protect wpconfig.php
<files wp-config.php&gt;
order allow,deny
deny from all

WP White Security Tip: If you are using notepad to modify .htaccess files make sure that when saving your changes you change the ‘Save as type’ dropdown to ‘All Files’ so that notepad does not add a .txt extension to your .htaccess file.

Once you’ve added the above text to your WordPress .htaccess file, upload it back to the root of your website to overwrite the old one.

Move WordPress wp-config.php file

Ideally you should be able to simply move the WordPress wp-config.php file to an unpredictable location to protect the sensitive data stored in this file, though this is a difficult task and time consuming. You would have to make changes to the WordPress source code and maintain it with every upgrade. Alternatively you can simply create a new file and move all the WordPress wp-config.php sensitive entries to this file as explained below.

Remove Sensitive Information from wp-config.php

Create a new ‘config.php’ file

Create a new file called ‘config.php’.  The file should be created in a non-WWW accessible directory. For example if your blog or website content is in /home/youruser/public_html/, then create the file config.php in /home/youruser/ so the file cannot be reached by any of your visitors. Typically this should be a directory before public_html or www directory.

Open the existing WordPress wp-config.php file and move the lines which contain the database connection details, the database prefix and also the WordPress security keys from the wp-config.php file to the new config.php file as shown in the below example. Add <?php at the beginning of the new config.php file and ?> at the end of the file.

define('DB_NAME', 'Your_DB'); // name of database
define('DB_USER', 'DB_User'); // MySQL user
define('DB_PASSWORD', 'DB_pass'); // and password
define('DB_HOST', 'localhost'); // MySQL host

// The WordPress Security Keys

define('AUTH_KEY',         'Your_key_here');
define('SECURE_AUTH_KEY',  'Your_key_here');
define('LOGGED_IN_KEY',    'Your_key_here');
define('NONCE_KEY',        'Your_key_here');
define('AUTH_SALT',        'Your_key_here');
define('SECURE_AUTH_SALT', 'Your_key_here');
define('LOGGED_IN_SALT',   'Your_key_here');
define('NONCE_SALT',       'Your_key_here');

// The WordPress database table prefix
$table_prefix  = 'wp_'; // only numbers, letters and underscore

Modify wp-config.php file

After removing all the sensitive data from the wp-config.php file, simply add the following line straight after <?php in the wp-config.php file; include(‘/home/yourname/config.php’);. So the first two lines of your wp-config.php should look like this;


Now instead of having all the sensitive information stored in your wp-config.php file, the wp-config.php file is reading such information from a different location.

Please note that the include path (i.e. /home/yourname/) varies from one web server or web hosting provider to the other. If you are not sure what is the absolute path of your website, refer to the blogger tip How to find absolute path on a webserver using PHP.

If you are having problems implementing the above suggestion or beefing up the security of your WordPress installation, drop us an email and we will gladly assist you and answer any WordPress and web master questions you might have.


Thanks for helping! But I think some plugin will conflict this .htacesss modification, isn’t it right?

Robert Abela 18/02/2014


Thank you for visiting our website. No plugins should not have problems with modified .htaccess files. I.e. plugins should never be accessing the wp-config.php file directly, so protecting it via .htaccess file should not be of a problem.

Martin Gawlikowski 02/05/2018

are Protecting wp-config.php via .htaccess file and Remove Sensitive Information from wp-config.php alternative or consecutive steps – I am a bit confused.


Robert Abela 24/07/2018

I would recommend doing both. The more you can do to harden your WordPress setup the better it is.

Nico 16/05/2019


It seems that some plugins really have access to wp-config.php. I found this line in mine:
“define( ‘WPCACHEHOME’, ‘/home/username/public_html/’ ); //Added by WP-Cache Manager”

and was added above define(‘DB_NAME’,..

So, would this removing of the sensitive information affect the site’s functionality?


Robert Abela 17/05/2019

Hello Nico. Plugins and themes will always have access to the wp-config.php file since they can update it through WordPress. They do not need direct access. The point of this exercise is to move the wp-config.php sensitive information to a non web accessible location. Hope this helps.

Robi Setiawan 09/11/2019

What should I set permission for securing wp-config.php? Is it 444 enough or I should used 400?

Robert Abela 14/11/2019

As such no one needs to write to the wp-config.php file, apart from you (the admin) in case you need to change the setup. So 400 should do the trick.

Panos 07/07/2020

Instead of creating config.php in a folder above public_html and keep the wp-config file in wordpress installation, wouldnt be better hardening (because if we add the line: include(‘/home/yourname/config.php’); if the attacker manage to enter the wp-config he/she will see where the important infos are stored), just to move the whole wp-config file to the above folder of the wp installation, as is?

And then create a .htaccess in the same folder with the
# protect wpconfig.php

order allow,deny
deny from all

Wouldnt be that safer?

As I see WordPress havent any problem to find the wp-config’s location there. And any wordpress attacker if they manage to be inside public_html they will not see any wp-config.php file at all..

What do u think?

ps btw your articles are so good, u rock, keep up the good job

Robert Abela 31/07/2020

Thank you for your feedback Panos.

In this post we are using both steps, the one you mentioned (protecting the file with .htaccess) and we are also moving the sensitive info from the config file into a file outside the public_html. So we are applying two hardening tweaks here and not just one.

Mary Trankel 17/12/2021

This is SUCH a helpful article. I appreciate you posting this and responding to everyone’s questions. Very professional.

Radostin Angelov 18/01/2022

Hello Mary,

We’re glad that you found this article helpful.

Thanks a lot for reaching out and sharing your feedback.


Akaki 20/05/2022

I’m trying to do it on localhost, not to affect web page. made both thing but it shows “500 internal server error”
can you help me with some advice?

Robert Abela 15/07/2022

Hello Akaki, thank you for comment. There are many things that could be affecting your setup and offhand it is very difficult to tell what is not working. When there is a 500 HTTP error typically the web server reports the issue in the error.log, so please check your web server’s log files. Good luck with solving the issue.

Remco 02/07/2022

Hi, if I follow the steps for removing the sensitive information from the wp-config.php file, I get the “Error establishing a database connection” error. How can I fix this?

Robert Abela 15/07/2022

Hello Remco, thank you for comment. Offhand it is very difficult to tell what the problem might be, however, the most common problem in such cases is wrong connection details in the file (for example wrong username or password, or database name). Double check those details first. Good luck with the solution.

Leave a Reply

Your email address will not be published. Required fields are marked *

Our other plugins