911 Hack Removal

How to secure WP-Config.php File

Updated on: April 9, 2020

How to secure WP-Config.php File

Article Summary

Trying to secure your WordPress website from attacker? Read this article to see the different steps required for securing wp-config.php file of your WP website.

Try thinking from a hacker’s mindset. Wouldn’t you like to break into a platform that is used by thousands of website or try brute-forcing the platform with multiple websites? With tools such as WP-Scanner available open source, even an amateur script kiddie can now break into your professional WordPress website and cause a nightmarish experience for you. Also, wp-config.php is one stop file which can make or break your website. Would you let it compromise? Learn the steps to secure wp config file in this article.

WordPress has many ways to harden itself from the many security breaches it faces. In this article, we shall be primarily focusing on securing wp-config.php file which is one of the core files that can cause blunders if hacked.

Related article – How to fix wp-vcd malware backdoor hack in WordPress functions.php

About wp-config.php File

When a WordPress website is created, it contains a file called ‘wp-config.php’. This special WordPress configuration file is one of the most vital WordPress files. The file contains numerous configuration parameters which must be modified for better security of your WordPress website. When you open this file, you will find all the information that you input while setting up the database for your WordPress website.

It holds information such as username, password – all the necessary information required to access the database. Further down, there are a set of secret keys available which help in securing your WordPress website in multiple ways. Below that, you get a variable named ‘table_prefix’ which is crucial in regards to information security. With all such vital data written into this file, securing wp-config.php file is of great importance. If anyone is able to get hold of the information written in this file, then imagine the catastrophe that would befall on your website.

Ways To Secure wp-config.php File

Now let us discuss the possible steps which can be used for securing wp-config.php file of your WordPress website:

1. Protection through .htaccess file

  1. Connect your WordPress website using an FTP Client (use SFTP of FTPES to encrypt communication between computers and servers) and download the .htaccess file which can be found in the root directory of your WordPress website.
  2. Open the .htaccess file using any text editor application.
  3. Include the following lines of code in the end of the .htaccess file:

#secure wp-config.php

<files wp-config.php>

order allow, deny

deny from all


These lines basically block access to your wp-config.php from internal hacking and code modification thus securing wp-config.php file.

Once you’re done editing, save the file using ‘Save As Type’ and selecting ‘All Files’ so that the text editor doesn’t change the file type to something else. Once saved, upload it back through the same connection procedure to the root folder of your WordPress website and overwrite the old one.

2. Moving wp-config.php

Usually, the wp-config.php file is located in the root directory. Now letting the hacker sneak into the root directory is something that you would never desire. Hence the best practice is to move the wp-config.php file to an unpredictable location in order to secure the sensitive data stored inside the file. Although it is a difficult task and time consuming but in the end, it is an important part in deciding the fate of your WordPress website’s security. Also, with every upgrade, you will be required to make changes to the WordPress source code and maintain it.

Usually, the wp-config.php file is secured by moving it up one level thus putting it outside your website’s public folder. So the best option is to move up and in an undisclosed location on your website directory. While working offline, you can do this through the simple drag-and-drop feature. However, while working online, you need to perform the following steps:

  1. Use the Move tool in File Manager
  2. Select the wp-config.php file
  3. Hit Move tool.
  4. Change the directory in which you want the file to be put in

This process may not be achieved easily and one may have to talk to the WordPress host to ensure that your website server is set up in a way that allows this. But the relocation of wp-config.php doesn’t ensure its full security. How about changing the contents in order to secure wp-config.php file?

3. Modify wp-config.php File

You can also create a new configuration file. This file must be created in a non-WWW accessible directory so that it is protected from foreign access or external attackers. It must not be present in the public_html file of your website thus keeping it out of reach from your WordPress website visitors.

Now open the current wp-config.php file and move the lines which contain the database connection details, database prefix and also WordPress security keys. Append <?php at the starting of the new configuration file and ?> at the end of the file.

After moving all the sensitive data from the wp-config.php file, add the following line just as the <?php term in the wp-config.php file:



So now when the wp-config.php is opened, the sensitive data is included from a separate file which is stored at a different location on your web server. There is no sensitive information on your main wp-config.php file which makes it secure. However, the include path (i.e. /home/yourusername/) differs from a web server to web server. Hence, you are required to have ample knowledge about the absolute path of your website. Only then will this step work properly.

4. Setting up the correct file permissions for wp-config.php

The wp-config is one of the most sensitive files in the entire directory since it contains all the information about base configuration and also the database connection information. The appropriate file permission for this file will be 400. This means that the user and groups have permission to only read and others will not be able to access the file.

Conclusion – Secure WP Config File

Thus, these were some of the methods to secure wp-config.php file which in-turn would secure your WordPress website. As a WordPress admin, you must ensure that your wp-config.php is configured in the above-mentioned steps and let your users also be aware of the best security practices for their organization’s website.

Get the ultimate WordPress security checklist with 300+ test parameters

A new plugin must be thoroughly examined to ensure that the know vulnerabilities have been fixed properly. As an admin, you also need to balance security with utilitarianism – it is almost unlikely that all your code is cent percent secure. And the more popular plugin you use, the more attention of a hacker it will gain as more people would try to find a vulnerability out of it. Thus, with certain mindful security practices and taking help from trustworthy companies like Astra, you can secure wp-config.php files and secure your WordPress website in total.

Naman Rastogi

Naman Rastogi is a Growth hacker and digital marketer at Astra security. Working actively in cybersecurity for more than a year, Naman shares the passion for spreading awareness about cybersecurity amongst netizens. He is a regular reader of anything cybersecurity which he channelizes through the Astra blog. Naman is also a jack of all trade. He is certified in market analytics, content strategy, financial markets and more while working parallelly towards his passion i.e cybersecurity. When not hustling to find newer ways to spread awareness about cybersecurity, he can be found enjoying a game of ping pong or CSGO.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
health plan
health plan
4 years ago

It’s awesome to go to see this website and reading the views of all friends about
this paragraph

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany