It’s a sad truth that many WordPress sites are incredibly easy to hack. So many of them are not even updated to the latest version. However, one of the most dangerous and sensitive files in the entire WordPress installation is the wp-config.php. One single location contains a wealth of critical data regarding your database, username, and password. Just take a look:
If a hacker gets hold of this, it’s game over for your blog. At the same time, WordPress itself depends on it almost continuously. As a result, it’s important to take steps that harden your installation by securing wp-config.php in as many ways as possible. In this article, we look at three distinct techniques for doing this. While some of them might be redundant for your particular set up, there’s no such thing as being too careful. We will look at the following three aspects:
- File Permissions
- Directory Browsing
- File Placement
Every file on a Web server is assigned a set of permissions that determine which user can perform which operations. The combination of these permissions take the form of a three digit number with “777” being the most permissive – meaning that anyone can read, write, or execute it. With our wp-config.php file, ideally we would like to have the most restrictive setting that still works. Unfortunately, your hosting setup will determine which file permissions work and which ones don’t. Here is a list of permissions that you can set for wp-config.php. Start with the first and if that renders your blog inaccessible, move to the next and then the ones after that:
Note that depending on your set up an interface, you might be asked for a three or four digit permission number. Use the one that’s appropriate.
- 400 or 0400
- 440 or 0440
- 640 or 0640
- 644 or 0644
So first try setting the permissions of wp-config.php to “0400” as shown here:
If that doesn’t work, change it to 0440 and so on and so forth. This will ensure that you have the most restrictive permission setting for wp-config.php without breaking your WordPress blog.
Again depending on your setup, anyone may be able to browse the folders in your WordPress directory and see which files are available. They normally can’t do this with the root folder, but there have been instances where a misconfiguration has allowed access to all the files including wp-config.php. To prevent this, open up your .htaccess file and add the following line towards the very end:
This will disable all directory browsing for your WordPress installation, meaning that users will no longer be able to navigate to your uploads folder and see what images and resources you have on your server.
Moving the wp-config.php File
I recommend that you try this step only if you have installed WordPress in the root public_html directory of your blog. Don’t do it if it’s in a subfolder. This precaution consists of moving wp-config.php to one directory above that in which WordPress is installed.
So if you have all your installation files directly in “/home/username/public_html/”, you can move wp-config.php into “/home/username/” instead.
No further configuration change is required for this to take effect. WordPress automatically checks for wp-config.php in one folder above the installation. This is why you shouldn’t do it if your blog is already in a subfolder because it would mean that your wp-config.php file could be exposed to another public facing directory and instead of becoming more secure, it would become less so.
These three techniques of securing your wp-config.php file are extremely simple to carry out and have no negative side effects. Considering the amount of sensitive information locked away inside it, it’s best to do the most you can to keep it safe.