If you’ve never dug into the files that make up your WordPress website, don’t worry – most folks haven’t. But the wp-config.php file is one file everyone should be familiar with. It contains your MySQL database username & password, along with the encryption salts for all the login session cookies on the website. The information in your wp-config.php file is essentially everything someone might need to completely take over your website.
When you install WordPress either manually or through your hosting company’s CPanel, the wp-config.php file sits in your website’s root directory – the same one where your primary index.php file sits (the file that essentially launches your site in a visitor’s web browser).
How Can the wp-config.php File be Compromised?
In most cases, this file isn’t accessible via a web browser – at least not in a way that allows someone to see what’s in it. Since PHP files are scripts, the web browser only outputs the result of the file which is blank. But this isn’t always the case.
Perhaps the PHP executable on your server stops working, if so, then the contents of wp-config.php might get dumped into the web browser in clear text readable by anyone. This could have devastating effects on any WordPress website hosted on the server. So if you use shared hosting, like most websites, any website which causes PHP to fail could potentially compromise the wp-config.php files of all the other sites hosted on that server.
Hardening WordPress by Moving Your wp-config.php File
One good way to help protect the secrecy of the information in your wp-config.php file is to move it outside of your website directory. Luckily, this is a fairly easy thing to accomplish and helps to ensure that nosy website visitors can’t see it at all.
While there is some debate as to whether moving the wp-config.php file out of its default location really makes your site any more secure, it is our position that changing any default settings when possible almost always provides some level of security benefit.
Researchers at Wordfence recently discovered a large scale attack that targeted vulnerabilities in outdated themes & plugins with the ultimate goal of obtaining access to the wp-config.php file. The attack targeted at least 1.3 million sites globally. Automated attacks like this, generally look in default locations for vulnerable files, so moving your wp-config.php file will help make these automated methods fail.
How to Move Your wp-config.php File
Moving your wp-config.php file is pretty easy. By default, WordPress allows you to simply move the file up one directory above your WordPress installation without any coding. This is super easy; you literally just move the file up one directory and WordPress finds it. However, if you installed WordPress in a subfolder, you may find that one directory up is still a publicly available folder. So I use a slightly more complicated method that also allows you not only to move it to any non-public directory, but also change the name of the wp-config.php file to help hide it even more.
There are 3 basic steps and we’ll go over each one below – you can perform these steps either by using an FTP client to connect to your host, or using your host’s CPanel File Manager. In this example, I’m using a demo site in that lives in a subdirectory called oxydemo – which is the perfect reason why you would want to put the wp-config.php file somewhere other than just one folder upstream.
Step 1: Create a new folder in your server outside of your public_html directory
In the example, I’ve created a folder one level above my public_html directory called “cgs-headers”. You can name the folder anything you want, but I like to make it something that doesn’t indicate it’s purpose. In case someone gets access to your FTP or SSH credentials, you want to make it as difficult as possible for them to stumble onto your real wp-config.php file with all that sensitive information.
Depending on your host, the default permissions on this new folder might be wide open at 755. I usually change it down to 700 or even more restrictive, but 700 should be sufficient (we’re going to set the file we put in this folder at a more restrictive setting anyway).
Step 2: Copy your wp-config.php file into the new directory & rename it to something else
Make a copy your wp-config.php and put it in the new folder. Once it’s there, rename it to something that doesn’t identify that it’s really the wp-config.php file. Again, we do this so that bots and malicious scripts doing bulk searches for the filename “wp-config.php” simply don’t find what they’re looking for.
In our example, I’ve renamed the file to demo-favorite-music-list.php but you can name yours anything you want. The only requirement is it has to end in “.php”.
Again when you put the file in the new folder, don’t forget to update the permissions. Your host might have a default of 644 but you’ll want to set it down to 600 at least.
Step 3: Edit your current wp-config.php file to point to the new file
This is where the actual magic happens. Up until now, your site is still using your wp-config.php file that sits in the WordPress installation directory.
Edit that wp-config.php file, wipe out everything in it and replace it with this simple code snippet. You’ll want to replace the directory in the single quotes with the absolute path to the file you created in Step 2. In my example it looks like this:
<?php include('/home/usr/cgs-headers/demo-favorite-music-list.php'); ?>
For your own server, you’ll want to make sure you create folder and wp-config.php replacement file names that don’t match what’s in this example. If you don’t know how to find the absolute path to your new folder, you can check in the CPanel file manager or contact your host and they’ll tell you.
As soon as you save this file, you’re done! Your site should load as it normally does, except now it’s reading its configuration settings from a file that’s no longer in the publicly accessible directory. Technically, you still have a wp-config.php file in your WordPress installation directory, but now it simply points to the file located in your non-public folder.
If your site doesn’t load, check to make sure you typed everything correctly. In most cases when this doesn’t work, it’s because there’s a typo in the filename or you got your absolute path wrong for your server. If this is the case, you might see an HTTP 500 error when you load the site.
Other Considerations to Moving Your wp-config File
The primary benefit to moving your wp-config.php file is that you make it more difficult for bots & malicious scripts to find it and you also eliminate the possibility of the file’s sensitive contents being dumped to the browser window of visitors should PHP on the server fail. The worst case scenario is that it drops out the location of the file where the settings are actually stored – which is inaccessible via the browser.
What it won’t do is protect you if your FTP or SSH credentials get compromised – in that case, you have a major breach of a completely different severity. But security is all about layers & making things harder for the bad guys. When you weigh the benefits of moving your wp-config.php file against the tiny amount of administrative overhead, it’s a no-brainer.