How to secure your wp-config.php file.

Securing your wp-config.php file is a key step in protecting your WordPress site, because this file contains your database credentials and crucial configuration settings. If an attacker gets access to it, they can potentially take over your entire site. Here are practical ways to keep your wp-config.php file safe:

1. Move wp-config.php Above the Web Root

• Why: By default, wp-config.php sits in your site’s root directory (often public_html or www). WordPress will still find this file if you move it one level up, making it inaccessible to the web.
• How:
  • Move the file up one directory (outside of the web-accessible folder).
  • WordPress will automatically detect it there.

2. Set Correct File Permissions

• Why: Restrictive permissions ensure only the server (and not other users or processes) can read the file.
• How:
  • Using SSH or your hosting file manager, set permissions to 400 or 440:
    bash

    Copy

    chmod 400 wp-config.php
    

  • This means only the file owner (usually the server process) can read it.

3. Deny Web Access via .htaccess

• Why: If someone tries to access wp-config.php through a browser, they should be blocked.
• How:
  • If you use Apache, add this to your .htaccess file in the root directory:
    Copy

    
      order allow,deny
      deny from all
    
    

  • For Nginx, add this to your config:
    Copy

    location ~* wp-config.php {
        deny all;
    }
    

4. Keep Backups Secure

• Why: Old backups containing wp-config.php should be stored outside the web root and protected as well.

5. Avoid Downloadable Backups

• Why: Never keep downloadable copies of wp-config.php in your web directories (like wp-config.php.bak or wp-config.php~). Attackers often look for these.

6. Secure Hosting Environment

• Why: Even if your file is locked down, an insecure server can still put you at risk.
• How:
  • Keep your hosting, PHP version, and all server software updated.
  • Use strong passwords for your hosting and database accounts.

Quick Checklist

• Move wp-config.php above web root
• Set permissions to 400 or 440
• Block web access via .htaccess or Nginx config
• Secure all backups
• Remove any downloadable backup copies
• Maintain a secure hosting environment

In summary:
A locked-down wp-config.php is a cornerstone of WordPress security. Simple steps like moving it, setting strict permissions, and blocking web access can go a long way to keeping your site safe from attackers.