
[Lesson 2] Learn How To Protect Your wp-config File In 5 Minutes

How to Protect wp-config File in Your WordPress

wp-config.php is that one file which can literally make or break your website. This special file contains the WordPress configuration details and is one of the most vital files on your website. 

It holds confidential information of your WordPress database among other necessary information required to access the database. This makes it crucial to secure it.


Here are some ways to secure the wp-config.php file:

1. Protection through .htaccess file

Step 1 – Connect to your WordPress website using an FTP client.

Step 2 – Navigate to the public_html directory and download the .htaccess file.

Step 3 – Edit the file and add the following lines of code at the end of it:

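# secure wp-config.php
# (Apache 2.4 without mod_access_compat: use "Require all denied" in place of the order/deny lines)
<files wp-config.php>
order allow,deny
deny from all
</files>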

Once you’re done editing, save the file and upload it back to the server.

These lines make the web server refuse direct requests for your wp-config.php.


2. Protect by Moving wp-config.php

Usually, the wp-config.php file is located in the root directory. Changing its default location can reduce the risk of it getting hacked. 

You can do this by following a few steps:

Step 1 – Connect to your website using an FTP client.

Step 2 – Use the Move tool in File Manager.

Step 3 – Select the wp-config.php file and move it to the directory of your wish.

3. Protect by Modifying wp-config.php File

This file must be created in a non-WWW accessible directory so that it is protected from foreign access or external attackers. Additionally, it must not be present in the public_html directory.

You can do this by creating a new configuration file, or by following these steps:

Step 1 – Open the current wp-config.php file.

Step 2 – Move the lines which contain the database connection details, the database prefix and the WordPress security keys.

Step 3 – Append these at the end of the file.

Step 4 – After moving all the sensitive data out of the wp-config.php file, add the following line just after the <?php tag in the wp-config.php file:



This makes sure there is no sensitive information left on your main wp-config.php file.


4. Setting up the correct file permissions for wp-config.php

The wp-config.php file is one of the most sensitive files in the entire directory, since it contains the base configuration as well as the database connection information. The appropriate file permission for this file is 400. This means that the user and groups have permission only to read, and others will not be able to access the file.
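
To verify the steps in this lesson from a shell on the server, here is an added example (not part of the original lesson and not Astra's code). The hypothetical function audit_wp_config takes the WordPress directory and checks the mode from section 4, the .htaccess rule from section 1 and leftover credentials from section 3. It assumes shell access and GNU or BSD stat.

```shell
#!/bin/sh
# Added example: audit a WordPress directory against this lesson's checks.
# audit_wp_config is a hypothetical helper; it returns the number of findings.

file_mode() {
    # GNU stat first, BSD/macOS stat as the fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

audit_wp_config() {
    root=$1
    cfg="$root/wp-config.php"
    ht="$root/.htaccess"
    findings=0

    if [ ! -f "$cfg" ]; then
        echo "INFO: no wp-config.php in $root (already moved elsewhere?)"
        return 0
    fi

    # Section 4: the lesson recommends mode 400
    mode=$(file_mode "$cfg")
    if [ "$mode" != "400" ]; then
        echo "FAIL: $cfg has mode $mode, expected 400"
        findings=$((findings + 1))
    fi

    # Section 1: a deny rule must sit inside a <files wp-config.php> block
    if ! { [ -f "$ht" ] && awk '
            { line = tolower($0) }
            line ~ /<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inside = 1 }
            inside && line ~ /deny from all|require all denied/ { ok = 1 }
            line ~ /<\/files>/ { inside = 0 }
            END { exit !ok }' "$ht"; }; then
        echo "FAIL: $ht has no deny rule for wp-config.php"
        findings=$((findings + 1))
    fi

    # Section 3: credentials and keys should no longer be defined in this file
    if grep -Eq "define\([[:space:]]*['\"](DB_PASSWORD|AUTH_KEY)['\"]" "$cfg"; then
        echo "FAIL: $cfg still defines DB_PASSWORD or AUTH_KEY"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Run the audit when a directory is given on the command line
if [ "$#" -gt 0 ]; then audit_wp_config "$1"; fi
```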
