{"id":27426,"date":"2025-06-27T12:20:11","date_gmt":"2025-06-27T10:20:11","guid":{"rendered":"https:\/\/tremhost.com\/blog\/?p=27426"},"modified":"2025-06-27T12:20:11","modified_gmt":"2025-06-27T10:20:11","slug":"how-to-secure-your-wp-config-php-file","status":"publish","type":"post","link":"https:\/\/tremhost.com\/blog\/how-to-secure-your-wp-config-php-file\/","title":{"rendered":"How to secure your wp-config.php file."},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><p>Securing your <code>wp-config.php<\/code> file is a key step in protecting your WordPress site, because this file holds your database credentials, the authentication keys and salts that sign login cookies, and other sensitive settings. An attacker who can read it can connect to your database with full rights (if the database accepts connections from where they are), add an administrator account and take over the whole site. Here are practical ways to keep <code>wp-config.php<\/code> out of reach:<\/p>\n<hr \/>\n<h2><strong>1. Move <code>wp-config.php<\/code> Above the Web Root<\/strong><\/h2>\n<ul>\n<li><strong>Why:<\/strong> By default, <code>wp-config.php<\/code> sits in your site\u2019s document root (often <code>public_html<\/code> or <code>www<\/code>). Normally the web server hands it to PHP, which outputs nothing, but a misconfiguration (PHP disabled, a broken handler, a directory served as static files) can serve it as plain text. If the file is missing from the WordPress directory, <code>wp-load.php<\/code> looks for it one directory up, so you can move it out of the web-accessible tree and WordPress keeps working.<\/li>\n<li><strong>How:<\/strong>\n<ul>\n<li>Move the file one directory up, outside the web-accessible folder (for example from <code>public_html\/wp-config.php<\/code> to the account\u2019s home directory).<\/li>\n<li>WordPress detects it there automatically, with one condition: the parent directory must not contain a <code>wp-settings.php<\/code>, i.e. it must not be another WordPress installation. A WordPress site installed in a subdirectory of another WordPress site cannot use this step.<\/li>\n<li>Check that the new location is really outside the web root. If your site lives in <code>public_html\/blog\/<\/code>, one level up is still <code>public_html<\/code> and nothing is gained.<\/li>\n<li>The parent directory must stay readable by the user PHP runs as; otherwise WordPress cannot load the file and the site breaks.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2><strong>2. 
Set Correct File Permissions<\/strong><\/h2>\n<ul>\n<li><strong>Why:<\/strong> Restrictive permissions ensure that only the process that needs the file (PHP) can read it, and not every other account on the same server. The common default of <code>644<\/code> makes the file world-readable, which on shared hosting means any other customer with shell or PHP access on that machine can read your database password.<\/li>\n<li><strong>How:<\/strong>\n<ul>\n<li>First find out which user PHP runs as. With suPHP, a per-account PHP-FPM pool or similar setups (common on shared hosting) PHP runs as your account user, which is also the file owner, so owner-only permissions work. When PHP runs as a separate web-server user such as <code>www-data<\/code>, that user must still be able to read the file, through the group bit and the file\u2019s group.<\/li>\n<li>Using SSH or your hosting file manager, set permissions to <code>400<\/code> (PHP runs as the owner) or <code>440<\/code> (PHP runs as a member of the file\u2019s group):\n<pre><code>chmod 400 wp-config.php   # PHP runs as the file owner\nchmod 440 wp-config.php   # PHP runs as a separate user in the file's group\n<\/code><\/pre>\n<\/li>\n<li>WordPress only reads this file at runtime, so it does not need write access. If a plugin or your host must still write to it (for example to add cache constants), <code>600<\/code> or <code>640<\/code> is the fallback; never leave the \"others\" bits set.<\/li>\n<li>If the site breaks after the change, the PHP user was not the owner or group member you assumed: loosen to <code>440<\/code> or <code>640<\/code> and fix the group with <code>chown<\/code> rather than going back to <code>644<\/code>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2><strong>3. 
Deny Web Access via .htaccess<\/strong><\/h2>\n<ul>\n<li><strong>Why:<\/strong> If someone requests <code>wp-config.php<\/code> (or a leftover copy of it) through a browser, the web server should refuse before the request ever reaches PHP. This is a second layer: it protects you on the day a PHP handler breaks or a copy is left behind, and it costs nothing.<\/li>\n<li><strong>How:<\/strong>\n<ul>\n<li>If you use Apache 2.4, add this to the <code>.htaccess<\/code> file in the site root (or to the virtual host if <code>AllowOverride<\/code> does not permit <code>.htaccess<\/code> files). The <code>FilesMatch<\/code> pattern also covers copies such as <code>wp-config.php.bak<\/code>, which a plain <code>&lt;Files wp-config.php&gt;<\/code> would not:\n<pre><code>&lt;FilesMatch \"^wp-config\\.php\"&gt;\n  Require all denied\n&lt;\/FilesMatch&gt;\n<\/code><\/pre>\nOn Apache 2.2 (or 2.4 with <code>mod_access_compat<\/code> loaded) the equivalent is <code>Order allow,deny<\/code> followed by <code>Deny from all<\/code> inside the same block; do not mix the two syntaxes on one server.<\/li>\n<li>For Nginx, add this to the server block. The leading slash and escaped dot keep the regex from matching unrelated paths, while the open end means <code>wp-config.php.bak<\/code> and friends match too. Because Nginx picks the <strong>first<\/strong> matching regex location, this block must come <strong>before<\/strong> the <code>location ~ \\.php$<\/code> block that passes requests to PHP-FPM, or it will never be reached:\n<pre><code>location ~* \/wp-config\\.php {\n    deny all;\n}\n<\/code><\/pre>\nTest the configuration (<code>nginx -t<\/code>, <code>apachectl configtest<\/code>), reload, and then request <code>\/wp-config.php<\/code> in a browser: you should get a 403, not a blank page.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2><strong>4. Keep Backups Secure<\/strong><\/h2>\n<ul>\n<li><strong>Why:<\/strong> Backups contain a copy of <code>wp-config.php<\/code> with the same credentials as the live file. Backup plugins often write their archives into <code>wp-content\/<\/code>, where anyone who guesses or enumerates the archive name can download them.<\/li>\n<li><strong>How:<\/strong>\n<ul>\n<li>Store backups outside the web root (or off the server entirely) and give them the same restrictive permissions as the live file.<\/li>\n<li>If a backup plugin must write into the web root, make sure its directory denies web access, as in step 3.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2><strong>5. Avoid Downloadable Backups<\/strong><\/h2>\n<ul>\n<li><strong>Why:<\/strong> Never leave copies of <code>wp-config.php<\/code> under another name in your web directories, such as <code>wp-config.php.bak<\/code>, <code>wp-config.php.save<\/code>, <code>wp-config.php.orig<\/code>, <code>wp-config.txt<\/code>, or the editor leftovers <code>wp-config.php~<\/code> and <code>.wp-config.php.swp<\/code>. These names do not end in <code>.php<\/code>, so the web server does not run them through PHP but serves them as plain text, credentials included. Attackers scan for exactly these names.<\/li>\n<li><strong>How:<\/strong> Edit the file in place, delete any temporary copies when you are done, and keep the step 3 rules, whose patterns cover these variants, in place as a safety net.<\/li>\n<\/ul>\n<hr \/>\n<h2><strong>6. Secure Hosting Environment<\/strong><\/h2>\n<ul>\n<li><strong>Why:<\/strong> Even if the file itself is locked down, an insecure server can still expose it: a plugin with a file-read or path-traversal bug, an outdated PHP, or another compromised account on the same machine reads <code>wp-config.php<\/code> through PHP, where the permissions above cannot help.<\/li>\n<li><strong>How:<\/strong>\n<ul>\n<li>Keep your hosting, PHP version, WordPress core, plugins and all server software updated.<\/li>\n<li>Use strong, unique passwords for your hosting and database accounts, and give the database user named in <code>wp-config.php<\/code> rights only on the WordPress database.<\/li>\n<li>If you ever find the file was readable from the web, treat its contents as compromised: change the database password and regenerate the authentication keys and salts.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2><strong>Quick Checklist<\/strong><\/h2>\n<ul class=\"contains-task-list\">\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Move <code>wp-config.php<\/code> above the web root (and confirm the new location is really outside it)<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Set permissions to <code>400<\/code> or <code>440<\/code>, matching the user PHP runs as<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Block web access via <code>.htaccess<\/code> or Nginx config, then confirm with a browser request<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Secure all backups<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Remove any downloadable backup copies<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Maintain a secure 
hosting environment<\/li>\n<\/ul>\n<hr \/>\n<p><strong>In summary:<\/strong><br \/>\nA locked-down <code>wp-config.php<\/code> is a cornerstone of WordPress security. Simple steps like moving it, setting strict permissions, and blocking web access can go a long way to keeping your site safe from attackers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Securing your wp-config.php file is a key step in protecting your WordPress site, because this file contains your database credentials and crucial configuration settings. If an attacker gets access to it, they can potentially take over your entire site. Here are practical ways to keep your wp-config.php file safe: 1. Move wp-config.php Above the Web [&hellip;]<\/p>\n","protected":false},"author":226,"featured_media":27427,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[49],"tags":[],"class_list":{"0":"post-27426","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tips"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts\/27426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/users\/226"}],"replies":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/comments?post=27426"}],"version-history":[{"count":2,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts\/27426\/revisions"}],"predecessor-version":[{"id":27429,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts\/27426\/revisions\/27429"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/media\/27
427"}],"wp:attachment":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/media?parent=27426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/categories?post=27426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/tags?post=27426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
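Added example (not from the original post and not WordPress code): a bash audit script that checks the file-level items of the checklist above against a document root. It reports whether wp-config.php still lives inside the web root or has been moved one level up (step 1, applying the same wp-settings.php condition WordPress uses), whether its mode is one of 400/440/600/640 (step 2), and whether stray copies such as wp-config.php.bak or .wp-config.php.swp sit next to it (step 5). It assumes GNU or BSD stat and a POSIX find; the document root path is passed by the caller and the function names are this example's own. It does not test what the web server answers for /wp-config.php (step 3), which you verify with a browser or curl request expecting a 403.

```shell
#!/usr/bin/env bash
# audit_wp_config.sh - file-level audit of wp-config.php exposure.
# Added example for this post, not WordPress code. Assumes GNU or BSD stat and
# POSIX find; the document root is passed by the caller. Function names are
# this example's own.
set -u

# Octal permission mode of a file, e.g. "644" (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Step 1: where does WordPress find the config? Mirrors the rule in wp-load.php:
# the parent directory is used only if it holds a wp-config.php and no
# wp-settings.php (i.e. it is not another WordPress install).
# Prints "webroot", "parent" or "missing".
wp_config_location() {
    local docroot=$1
    if [ -f "$docroot/wp-config.php" ]; then
        echo webroot
    elif [ -f "$docroot/../wp-config.php" ] && [ ! -f "$docroot/../wp-settings.php" ]; then
        echo parent
    else
        echo missing
    fi
}

# Step 2: accept only modes with no "others" bits and a read-only group.
# 400/440 when the file is read-only, 600/640 when something must still write it.
# This checks exposure only; whether the PHP user can actually read the file
# still has to be confirmed by loading the site. Returns 0 when acceptable.
wp_config_mode_ok() {
    local mode
    mode=$(file_mode "$1")
    case "$mode" in
        400|440|600|640) return 0 ;;
        *)               return 1 ;;
    esac
}

# Step 5: leftover copies in the web root. Anything named wp-config* other than
# the live file and the shipped wp-config-sample.php is suspect: wp-config.php~,
# wp-config.php.bak, wp-config.php.save, .wp-config.php.swp, wp-config.txt ...
# These do not end in .php, so a web server serves them as plain text.
stray_config_copies() {
    local docroot=$1
    find "$docroot" -maxdepth 1 -type f \
        \( -name 'wp-config*' -o -name '.wp-config*' \) \
        ! -name 'wp-config.php' ! -name 'wp-config-sample.php' | sort
}

# Full audit of one document root. Prints one line per finding and returns the
# number of findings (0 = clean), so it can gate a deploy or a cron alert.
audit_wp_config() {
    local docroot=$1 findings=0 cfg loc copy
    loc=$(wp_config_location "$docroot")
    case "$loc" in
        webroot)
            cfg="$docroot/wp-config.php"
            echo "INFO  wp-config.php is inside the web root; consider moving it one level up" ;;
        parent)
            cfg="$docroot/../wp-config.php" ;;
        *)
            echo "FAIL  no usable wp-config.php in $docroot or its parent"
            return 1 ;;
    esac
    if ! wp_config_mode_ok "$cfg"; then
        echo "FAIL  $cfg has mode $(file_mode "$cfg"); use 400/440 (or 600/640 if it must stay writable)"
        findings=$((findings + 1))
    fi
    while IFS= read -r copy; do
        [ -n "$copy" ] || continue
        echo "FAIL  stray copy in web root: $copy (served as plain text, never run as PHP)"
        findings=$((findings + 1))
    done <<EOF
$(stray_config_copies "$docroot")
EOF
    return "$findings"
}

# Run the audit when a document root is given on the command line.
if [ -n "${1:-}" ]; then
    audit_wp_config "$1"
fi
```

Run it as `bash audit_wp_config.sh /var/www/example/public_html` (path is illustrative). The exit status is the number of findings, so a cron job or deploy step can alert on anything non-zero. The mode check cannot know which user PHP runs as: a 400 file that PHP cannot read breaks the site, so follow a permission change with a page load, and follow the whole audit with an HTTP request for /wp-config.php to confirm the step 3 rules answer 403.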