
How to Protect WordPress wp-config.php

As we know, wp-config.php is the most important file in WordPress; it defines important configuration data for the MySQL database. I have seen many articles about protecting this file, and using .htaccess is the most popular method. But which method actually makes your wp-config.php more secure?

1. Basic protection of wp-config.php

Adding the following code to your .htaccess file prevents wp-config.php from being accessed directly.

<files wp-config.php>
order allow,deny
deny from all
</files>

This gives the wp-config.php file some protection.

2. Change Permissions for wp-config.php

If wp-config.php has been set to mode 644 with chmod (no write privilege for anyone except the owner), an attacker must obtain top-level privileges before he can overwrite the file. That is not an easy thing to do, and it depends on the security of your system. If write privilege has not been removed from wp-config.php, an attacker may modify it as soon as he finds a script or upload vulnerability.

3. Move wp-config.php to another directory

Another way is to move wp-config.php to the parent directory of the WordPress installation. WordPress will work properly without any problems, but if you are using plugins that load wp-config.php from the WordPress root, you may need to make the related changes in their code. This also protects wp-config.php from being accessed directly.
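The three checks above can be audited together. The following shell function is an added example, not code from the original article; the name `audit_wp_config` and its messages are made up here, and besides the `deny from all` rule shown above it also accepts the Apache 2.4 form `Require all denied`.

```shell
#!/bin/sh
# Added example: audit wp-config.php against the checks in sections 1-3.
# Usage: audit_wp_config /path/to/wordpress   (you supply the path)
# Returns 0 if every check passes, 1 if any fails, 2 if the file is missing.
audit_wp_config() {
    wp_dir=$1
    failed=0

    # Section 3: the file may sit in the WordPress directory or its parent.
    if [ -f "$wp_dir/wp-config.php" ]; then
        cfg="$wp_dir/wp-config.php"; in_wp_dir=1
    elif [ -f "$wp_dir/../wp-config.php" ]; then
        cfg="$wp_dir/../wp-config.php"; in_wp_dir=0
    else
        echo "ERROR: wp-config.php not found"; return 2
    fi

    # Section 2: nobody but the owner may write (644 or stricter).
    if [ -n "$(find "$cfg" \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL perms: writable by group or others"; failed=1
    else
        echo "OK   perms: only the owner can write"
    fi

    if [ "$in_wp_dir" -eq 0 ]; then
        echo "OK   location: stored in the parent directory"
        return $failed
    fi

    # Section 1: require a complete <files wp-config.php> ... </files> block
    # that contains a deny rule; an unclosed block does not count.
    if [ -f "$wp_dir/.htaccess" ] && awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inside = 1; deny = 0; next }
        inside && line ~ /^[ \t]*<\/files>/ { if (deny) ok = 1; inside = 0; next }
        inside && line ~ /deny from all|require all denied/ { deny = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$wp_dir/.htaccess"; then
        echo "OK   htaccess: direct requests are denied"
    else
        echo "FAIL htaccess: no complete deny block for wp-config.php"; failed=1
    fi
    return $failed
}
```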

4. Care about Script Injection

Even if you have tried all of these, in fact these methods have only a small effect on wp-config.php protection. Because wp-config.php is a .php file, an attacker gets nothing from it even when he requests wp-config.php directly, as long as the Apache server is running normally. Then what is the greatest risk in wp-config.php protection? I think the greatest risks include:

  • Being viewed as plain text.

  • Being modified with illegal code.

For the first risk, a visitor sees nothing while your Apache server is working properly, because a .php file must pass through the server's interpreter. But if the attacker finds a vulnerability in Apache or WordPress, such as script injection or an upload flaw, he may get all the information in wp-config.php. Just like this:


But if he wants to modify wp-config.php, he must obtain top-level privileges. So what should we do?

  • Changing the permissions of wp-config.php is necessary.
  • Watch for flaws in your system and keep it upgraded.

Conclusion: I think preventing direct access to wp-config.php with .htaccess brings only a small benefit for wp-config.php protection. We should focus on script injection and system vulnerabilities. For many hosted WordPress sites, the IDC may be responsible for the security of the operating system, and the customer only needs to focus on WordPress script injection or upload bugs.


Copyright@ 2010-2014 Bootbeta All Rights Reserved.