Here’s a really easy, quick tip to help secure your WordPress blog from some of the web miscreants out there. You can move your very important “wp-config.php” file (it holds your database credentials and your secret keys) out of the root directory of your WP install, one level up, so that it sits outside your public web directory completely.
Because it is outside your public “web” directory, nothing can fetch it by URL anymore; only accounts with access to the filesystem (i.e. the user Apache/PHP runs as, and you) can read or edit it. While “wp-config.php” sits in your web directory, a broken or misconfigured PHP handler can serve its contents as plain text, and if its permissions are loose (you did remember to reset your permissions after install, right?) you run the risk of it being edited maliciously by no-good web scoundrels.
For example, on a cPanel server the path to your wp-config.php probably looks something like this:
/public_html/wp-config.php
But WordPress will natively look for wp-config.php one directory up as well, which on cPanel is your home directory:
/wp-config.php
And because it is no longer in the publicly accessible public_html/ folder it is much safer now. Two things to check before you rely on this: WordPress only uses the copy in the parent directory when there is no wp-settings.php next to it (a parent that holds wp-settings.php is treated as its own WordPress install), and the parent directory really has to be outside public_html/, so a WordPress install in a subfolder of public_html/ gains nothing from this trick. After the move, request /wp-config.php on your site in a browser; it should give a 404.
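The move described above, as an added example that is not part of the original post: a small POSIX shell function that moves wp-config.php one level above the WordPress root (the one alternate location wp-load.php checks) and refuses when that location is still inside the document root or when WordPress would ignore the moved file. The two paths it takes are assumptions (your WordPress root and the Apache document root for the site), and the chmod 600 assumes PHP runs as the file’s owner, as with suPHP or a per-user PHP-FPM pool.

```shell
#!/bin/sh
# Added example, not code from the original post: move wp-config.php one
# level above the WordPress root, which is the one alternate location
# wp-load.php checks, with the checks that make the move worthwhile.
#
# Arguments (assumed paths, adjust to your host):
#   $1  WordPress install root, e.g. /home/user/public_html
#   $2  Apache document root for the site, e.g. /home/user/public_html
#
# Prints the new path and returns 0 on success; returns non-zero with a
# reason on stderr otherwise.
move_wp_config() {
    wp_root=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1" >&2; return 1; }
    docroot=$(cd "$2" 2>/dev/null && pwd -P) || { echo "no such directory: $2" >&2; return 1; }
    parent=$(dirname "$wp_root")
    src="$wp_root/wp-config.php"
    dst="$parent/wp-config.php"

    [ -f "$src" ] || { echo "no wp-config.php in $wp_root" >&2; return 1; }

    # The parent must lie outside the document root, or the file is still
    # reachable by URL. A WordPress install in a subfolder of public_html
    # fails this test, and the move would buy nothing.
    case "$parent/" in
        "$docroot"/*) echo "parent $parent is inside the document root" >&2; return 2 ;;
    esac

    # wp-load.php only falls back to ../wp-config.php when ../wp-settings.php
    # is absent (a wp-settings.php there marks the parent as its own install).
    if [ -e "$parent/wp-settings.php" ]; then
        echo "$parent contains wp-settings.php; WordPress would ignore the moved file" >&2
        return 3
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists, not overwriting" >&2
        return 4
    fi

    mv "$src" "$dst" || return 5
    # Owner-only access. Assumes PHP runs as the file's owner (suPHP, a
    # per-user PHP-FPM pool); with mod_php running as a shared web user,
    # use 640 and give the file the web server's group instead.
    chmod 600 "$dst" || return 5
    printf '%s\n' "$dst"
}

# Usage: sh move-wp-config.sh /home/user/public_html /home/user/public_html
if [ "$#" -eq 2 ]; then
    move_wp_config "$1" "$2"
fi
```

After running it, confirm from outside with `curl -I` against /wp-config.php on your site: the response should be a 404, and a request for any other page should still load, which shows WordPress picked up the file from its new location.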
Hope that helps!
3 comments
Great tip! One of my blogs just got hacked yesterday so I’ll be sure to make sure I deny access to the wp-config.php file from now on. Thanks again!
Great tip! I have several sites set up as subhosts, all in one subfolder under the root (dumb, I know), so this method won’t work for me. However, I did recently discover some code to add to your .htaccess file that will make the wp-config file non-accessible. Just add the following:
# Protect wp-config.php from direct HTTP requests
<Files wp-config.php>
    # Apache 2.2 access-control syntax
    order allow,deny
    deny from all
    # On Apache 2.4 the equivalent directive is: Require all denied
</Files>
Thanks for the additional tip Jack, I’m sure our readers will find it useful. I appreciate you taking the time to share!