
Move wp-config.php outside the web root directory

I recently did a guide on 5 (Less known) WordPress Security Tips to keep your website safe from hackers where I suggested moving wp-config.php outside the web root directory as a simple change that adds an additional layer of security to your WordPress website.

The wp-config.php file contains your MySQL database username and password, along with the authentication keys and salts that sign every login session cookie on the website – it is everything someone might need to completely take over your website.

Should you move wp-config.php outside the web root directory?

Yes! Moving your wp-config.php file is a no-brainer when you compare the benefits to the minimal added work.

Even the WordPress Codex recommends moving your wp-config.php away from its default install location as a way of hardening WordPress.

Researchers at Wordfence recently discovered a large-scale attack that targeted vulnerabilities in outdated themes and plugins with the ultimate goal of obtaining access to the wp-config.php file. The attack targeted at least 1.3 million sites globally. Automated attacks like this generally look for vulnerable files in their default locations, so moving your wp-config.php file will help make these automated methods fail.

What it won’t do is protect you if your FTP (old school!) or SSH credentials get compromised – in that case, you have a major breach of completely different severity. However, security is all about adding layers and making it more difficult for the bad guys.

If you have multiple websites, just repeat these steps for each one, naming the files appropriately (for instance, example.com.config.php and example.net.config.php).

Step 1. Copy the wp-config.php file outside of your public_html directory & rename it to something else

Copy your wp-config.php file and place it in the folder directly above public_html. Once it’s there, rename it so that it isn’t immediately obvious that it’s the wp-config.php file. Again, we do this to prevent bots and malicious scripts from getting results when they conduct mass searches for the filename “wp-config.php”.

Although I’ve kept the name wp-config.php in this example, you may give yours any name you want. The only requirement is that it must end in “.php”.

Screenshot: the wp-config file has been moved outside the public_html directory

Step 2. Edit your current wp-config.php file to point to the new file

Edit the original wp-config.php file, delete everything within, and then add in its place a short piece of PHP that includes the moved file by its absolute path.

💡 Make sure to replace ‘cpanel-username’ with your server username and wp-config.php with the new file name.
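The pointer file described above, as an added example (not the post’s own code): it assumes the absolute path /home/cpanel-username/wp-config.php from the note, and adds a readability check so that a wrong path produces a clear message instead of the blank page or HTTP 500 mentioned later in the post.

```php
<?php
// Added example, not code from the original post. This replaces the entire
// contents of public_html/wp-config.php and loads the real configuration from
// one directory above the web root.
//
// Assumption taken from the post's note: replace "cpanel-username" with your
// server account name and "wp-config.php" with the name you gave the moved file.
$config = '/home/cpanel-username/wp-config.php';

// A typo in the filename or path is the usual cause of a failed load. Checking
// first lets us fail with a generic message (no path leaked to visitors)
// instead of a fatal error that only shows up in the server error log.
if (!is_readable($config)) {
    http_response_code(500);
    exit('WordPress configuration file could not be read.');
}

// wp-load.php defines ABSPATH before it requires this stub, so the moved
// file's own "if ( ! defined( 'ABSPATH' ) )" guard is skipped and its final
// require_once of wp-settings.php still resolves to the install directory.
require_once $config;
```

If your host enforces an open_basedir restriction, the account’s home directory is normally inside it; if it is not, the readability check will fail and you will see the message above rather than a silent error.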

Screenshot: the current wp-config.php file is edited to point to the new configuration file

Step 3. Limit access to the new configuration file using .htaccess

This is an optional step that I recommend because it makes Apache deny any direct HTTP request for the new configuration file.

Create a new (or edit existing) .htaccess file in the root directory (one folder above public_html) and add the following code:

<files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
order allow,deny
deny from all
</files>

💡 Replace wp-config.php with the new file name

That’s it!

Your website should load smoothly now that it is reading its configuration information from a file that is no longer located in the directory that is open to the public.

Technically, the wp-config.php file that was previously in your WordPress installation directory still exists, but it now only serves as a pointer to the non-public folder’s version of the file.

If your website won’t load and shows an HTTP 500 error, it is usually because the filename has a mistake or the server’s absolute path has been entered incorrectly. If this is the case, re-check the pointer wp-config.php file.

The only drawback is that plugins that write to the wp-config.php file (like iThemes Security) no longer have access to the real configuration, so you will need to add any such code to the moved file manually.
