Protecting the WordPress wp-config.php file is another way to beef up your WordPress security. The WordPress wp-config.php file contains very sensitive information about your WordPress installation, such as the WordPress security keys and the WordPress database connection details. You certainly do not want the content of this file to fall into the wrong hands, so WordPress wp-config.php security is definitely something you should take seriously.
In this step-by-step article we will explain how to protect the WordPress wp-config.php file, and how to store the sensitive information the wp-config.php file contains somewhere secure that is not accessible via the web.
Protecting wp-config.php via .htaccess file
- Connect to your website using an FTP client and download the .htaccess file found in the root directory of your website. It is important to use SFTP or FTPES to encrypt the communication between your computer and your server.
- Using a text editor such as Notepad open the .htaccess file.
- Copy the text below into your .htaccess file to deny access to your wp-config.php file. Paste it at the bottom of your .htaccess file, after all other entries.
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
WP White Security Tip: If you are using Notepad to modify .htaccess files, make sure that when saving your changes you change the ‘Save as type’ dropdown to ‘All Files’ so that Notepad does not add a .txt extension to your .htaccess file.
Once you’ve added the above text to your WordPress .htaccess file, upload it back to the root of your website to overwrite the old one.
Move WordPress wp-config.php file
Ideally you should be able to simply move the WordPress wp-config.php file to an unpredictable location to protect the sensitive data stored in this file, though this is a difficult and time-consuming task. You would have to make changes to the WordPress source code and maintain them with every upgrade. Alternatively you can simply create a new file and move all the sensitive wp-config.php entries to this file, as explained below.
Remove Sensitive Information from wp-config.php
Create a new ‘config.php’ file
Create a new file called ‘config.php’. The file should be created in a directory that is not web-accessible. For example, if your blog or website content is in /home/youruser/public_html/, then create the file config.php in /home/youruser/ so the file cannot be reached by any of your visitors. Typically this is the directory one level above the public_html or www directory.
Open the existing WordPress wp-config.php file and move the lines which contain the database connection details, the database prefix and also the WordPress security keys from the wp-config.php file to the new config.php file, as shown in the example below. Add <?php at the beginning of the new config.php file and ?> at the end of the file.
<?php
define('DB_NAME', 'Your_DB');     // name of database
define('DB_USER', 'DB_User');     // MySQL user
define('DB_PASSWORD', 'DB_pass'); // and password
define('DB_HOST', 'localhost');   // MySQL host

// The WordPress Security Keys
define('AUTH_KEY', 'Your_key_here');
define('SECURE_AUTH_KEY', 'Your_key_here');
define('LOGGED_IN_KEY', 'Your_key_here');
define('NONCE_KEY', 'Your_key_here');
define('AUTH_SALT', 'Your_key_here');
define('SECURE_AUTH_SALT', 'Your_key_here');
define('LOGGED_IN_SALT', 'Your_key_here');
define('NONCE_SALT', 'Your_key_here');

// The WordPress database table prefix
$table_prefix = 'wp_'; // only numbers, letters and underscore
?>
Modify wp-config.php file
After removing all the sensitive data from the wp-config.php file, simply add the following line straight after <?php in the wp-config.php file: include('/home/yourname/config.php');. So the first two lines of your wp-config.php should look like this:
<?php
include('/home/yourname/config.php');
Now instead of having all the sensitive information stored in your wp-config.php file, the wp-config.php file is reading such information from a different location.
Please note that the include path (i.e. /home/yourname/) varies from one web server or web hosting provider to the other. If you are not sure what the absolute path of your website is, refer to the blogger tip How to find absolute path on a webserver using PHP.
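As an added check, not part of this article or any WP White Security tool, the following Python script audits an installation for the measures described above: the .htaccess block denying wp-config.php (it also accepts the Apache 2.4 form "Require all denied"), no sensitive defines left in the web-reachable wp-config.php, and the included config.php resolving outside the document root. It additionally verifies that the moved config.php is not world-readable, which matters on shared hosting; the paths and file contents built in demo() are constructed samples.

```python
import os
import re
import tempfile
from pathlib import Path

# Constants the article moves into the off-web-root config.php; none should stay in wp-config.php.
SENSITIVE = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST", "AUTH_KEY",
             "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY", "AUTH_SALT",
             "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"}

def leaked_defines(src):
    # Sensitive define() calls still present in the web-reachable wp-config.php.
    return [c for c in re.findall(r"define\(\s*['\"](\w+)['\"]", src) if c in SENSITIVE]

def included_paths(src):
    # Paths handed to include/require(_once) inside wp-config.php.
    return re.findall(r"(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", src)

def outside_docroot(path, docroot):
    # True when the included file resolves somewhere the web server cannot serve.
    return not os.path.realpath(path).startswith(os.path.realpath(docroot) + os.sep)

def htaccess_denies_wp_config(src):
    # Accepts the article's Apache 2.2 syntax (deny from all) and the 2.4 form (Require all denied).
    block = re.search(r"<files\s+\"?wp-config\.php\"?\s*>(.*?)</files>", src, re.I | re.S)
    return bool(block and re.search(r"deny\s+from\s+all|require\s+all\s+denied", block.group(1), re.I))

def audit(docroot, wp_config):
    # Returns check name -> True when that part of the article's hardening is in place.
    src = Path(wp_config).read_text()
    ht = Path(docroot) / ".htaccess"
    ht_src = ht.read_text() if ht.is_file() else ""
    incs = included_paths(src)
    return {
        "htaccess_denies": htaccess_denies_wp_config(ht_src),
        "no_secrets_in_wp_config": not leaked_defines(src),
        "config_outside_docroot": bool(incs) and all(outside_docroot(p, docroot) for p in incs),
        "config_not_world_readable": bool(incs) and all(
            os.path.isfile(p) and not os.stat(p).st_mode & 0o004 for p in incs),
    }

def demo():
    # Constructed layout mirroring the article: <home>/config.php beside <home>/public_html/.
    home = Path(tempfile.mkdtemp())
    docroot = home / "public_html"
    docroot.mkdir()
    cfg = home / "config.php"
    cfg.write_text("<?php\ndefine('DB_PASSWORD', 'DB_pass');\n")
    cfg.chmod(0o600)
    (docroot / ".htaccess").write_text("<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n")
    wp = docroot / "wp-config.php"
    wp.write_text("<?php\ninclude('%s');\n$table_prefix = 'wp_';\n" % cfg)
    return audit(str(docroot), str(wp))
```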
If you are having problems implementing the above suggestion or beefing up the security of your WordPress installation, drop us an email and we will gladly assist you and answer any WordPress and webmaster questions you might have.