How to secure WP-Config.php File
Try thinking from a hacker’s mindset. Wouldn’t you like to break into a platform that is used by thousands of website or try brute-forcing the platform with multiple websites? With tools such as WP-Scanner available open source, even an amateur script kiddie can now break into your professional WordPress website and cause a nightmarish experience for you. Also, wp-config.php is one stop file which can make or break your website. Would you let it compromise? Learn the steps to secure wp config file in this article.
WordPress has many ways to harden itself from the many security breaches it faces. In this article, we shall be primarily focusing on securing wp-config.php file which is one of the core files that can cause blunders if hacked.
Related article – How to fix wp-vcd malware backdoor hack in WordPress functions.php
Contents of This Guide
About wp-config.php File
When a WordPress website is created, it contains a file called ‘wp-config.php’. This special WordPress configuration file is one of the most vital WordPress files. The file contains numerous configuration parameters which must be modified for better security of your WordPress website. When you open this file, you will find all the information that you inputted while setting up the database for your WordPress website.
It holds information such as username, password – all the necessary information required to access the database. Further down, there are a set of secret keys available which help in securing your WordPress website in multiple ways. Below that, you get a variable named ‘table_prefix’ which is crucial in regards to information security. With all such vital data written into this file, securing wp-config.php file is of great importance. If anyone is able to get hold of the information written in this file, then imagine the catastrophe that would befall on your website.
Ways To Secure wp-config.php File
Now let us discuss the possible steps which can be used for securing wp-config.php file of your WordPress website:
1. Protection through .htaccess file
- Connect your WordPress website using an FTP Client (use SFTP of FTPES to encrypt communication between computers and servers) and download the .htaccess file which can be found in the root directory of your WordPress website.
- Open the .htaccess file using any text editor application.
- Include the following lines of code in the end of the .htaccess file:
order allow, deny
deny from all
These lines basically block access to your wp-config.php from internal hacking and code modification thus securing wp-config.php file.
Once you’re done editing, save the file using ‘Save As Type’ and selecting ‘All Files’ so that the text editor doesn’t change the file type to something else. Once saved, upload it back through the same connection procedure to the root folder of your WordPress website and overwrite the old one.
2. Moving wp-config.php
Usually, the wp-config.php file is located in the root directory. Now letting the hacker sneak into the root directory is something that you would never desire. Hence the best practice is to move the wp-config.php file to an unpredictable location in order to secure the sensitive data stored inside the file. Although it is a difficult task and time consuming but in the end, it is an important part in deciding the fate of your WordPress website’s security. Also, with every upgrade, you will be required to make changes to the WordPress source code and maintain it.
Usually, the wp-config.php file is secured by moving it up one level thus putting it outside your website’s public folder. So the best option is to move up and in an undisclosed location on your website directory. While working offline, you can do this through the simple drag-and-drop feature. However, while working online, you need to perform the following steps:
- Use the Move tool in File Manager
- Select the wp-config.php file
- Hit Move tool.
- Change the directory in which you want the file to be put in
This process may not be achieved easily and one may have to talk to the WordPress host to ensure that your website server is set up in a way that allows this. But the relocation of wp-config.php doesn’t ensure its full security. How about changing the contents in order to secure wp-config.php file?
3. Modify wp-config.php File
You can also create a new configuration file. This file must be created in a non-WWW accessible directory so that it is protected from foreign access or external attackers. It must not be present in the public_html file of your website thus keeping it out of reach from your WordPress website visitors.
Now open the current wp-config.php file and move the lines which contain the database connection details, database prefix and also WordPress security keys. Append <?php at the starting of the new configuration file and ?> at the end of the file.
After moving all the sensitive data from the wp-config.php file, add the following line just as the <?php term in the wp-config.php file:
So now when the wp-config.php is opened, the sensitive data is included from a separate file which is stored at a different location on your web server. There is no sensitive information on your main wp-config.php file which makes it secure. However, the include path (i.e. /home/yourusername/) differs from a web server to web server. Hence, you are required to have ample knowledge about the absolute path of your website. Only then will this step work properly.
4. Setting up the correct file permissions for wp-config.php
The wp-config is one of the most sensitive files in the entire directory since it contains all the information about base configuration and also the database connection information. The appropriate file permission for this file will be 400. This means that the user and groups have permission to only read and others will not be able to access the file.
Conclusion – Secure WP Config File
Thus, these were some of the methods to secure wp-config.php file which in-turn would secure your WordPress website. As a WordPress admin, you must ensure that your wp-config.php is configured in the above-mentioned steps and let your users also be aware of the best security practices for their organization’s website.
A new plugin must be thoroughly examined to ensure that the know vulnerabilities have been fixed properly. As an admin, you also need to balance security with utilitarianism – it is almost unlikely that all your code is cent per cent secure. And the more popular plugin you use, the more attention of a hacker it will gain as more people would try to find a vulnerability out of it. Thus, with certain mindful security practices and taking help from trustworthy companies like Astra, you can secure wp-config.php file and secure your WordPress website in total.