
How-To Protect Your WordPress WP-Config File

Website security is something you shouldn’t take lightly. It may seem like only high profile sites are targeted, but the truth of the matter is that any site can be attacked.

Whether it’s a personal blog, church website or large organization, protecting your WordPress wp-config.php file is a good step toward better security. Understand that your wp-config.php file contains your database name, username and password, plus the unique keys and salts that protect login cookies. That is information you don’t want anyone else to have. If someone can read your database credentials, they can not only delete all of your WordPress data, but they can change your usernames and passwords, too!

There are two steps in this process. Although one of these may suffice, I recommend doing both.

Step One

First, you can protect your wp-config.php by beefing up your .htaccess. Keep in mind that .htaccess is an Apache feature: it only takes effect if the server configuration allows overrides for that directory (AllowOverride), and nginx ignores the file entirely.

Simply add the following to the .htaccess in your WordPress root (be sure to back it up first!):

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Yeah. I know. That was really easy. You’re probably wondering why you hadn’t already done this, right?

Right. Two things to know about this rule, though. Normally a direct request for wp-config.php just executes the file and returns a blank page, so the rule matters most when PHP handling breaks (a botched upgrade, a misconfigured handler) and the server would otherwise hand the file out as plain text. On Apache 2.4 and later, replace the two directive lines inside the block with "Require all denied". And the rule matches that exact file name only, so delete any backup copies such as wp-config.php~ or wp-config.php.bak that an editor may have left in the same directory; those would be served as-is.

Step Two

Now this will take a little bit longer, as it involves a lot more changes.

What we’re going to do is move the database credentials out of wp-config.php into a file that sits outside the web root. The point is not that the file is hard to find; it is that the web server can never serve it, whatever happens to the PHP handler or your .htaccess.

The catch with simply moving wp-config.php itself is that every WordPress upgrade becomes a pain (WordPress does look one directory above the install for wp-config.php, but nowhere else). So, let’s do this in such a way that you can freely upgrade WordPress without any hassles: wp-config.php stays where it is and pulls the secrets from elsewhere. Also, as always, make sure you back up your files!

  • Create a new file — config.php — and save it in a non-WWW accessible location on your server

Let’s say your website sits on your server like so: /home/yourname/public_html/

What you’re going to do, is save our fancy new PHP file here: /home/yourname/

By doing this, config.php sits outside the document root and cannot be requested from the web at all, no matter how the web server is configured. While you’re there, make the file readable only by the user PHP runs as, so other accounts on a shared host can’t read it either. Nice!

  • Add the following code to your new config.php file
<?php
// Database credentials, kept outside the document root so the web server can never serve this file.
define('DB_NAME', 'your_db_name');        // The name of the database
define('DB_USER', 'your_db_username');    // Your MySQL username
define('DB_PASSWORD', 'your_db_pass');    // ...and password
define('DB_HOST', 'localhost');           // 99% chance you won't need to change this value

// The AUTH_KEY ... NONCE_SALT defines from wp-config-sample.php are secrets too; move them here as well.

// You can have multiple installations in one database if you give each a unique prefix
$table_prefix  = 'yourdbprefix_';   // Only numbers, letters, and underscores please!

// No closing ?> tag on purpose: a stray newline after it would be sent to the browser before WordPress can send headers.

Now, we need to edit the WordPress config file, wp-config.php.

  • Add the following to your wp-config.php
<?php
// Pull the secrets from the file outside the document root. require_once (rather than include)
// stops with a fatal error if the file is missing, instead of carrying on with undefined
// credentials. Use your own server path here, not the placeholder.
require_once('/home/yourname/config.php');

// Change this to localize WordPress.  A corresponding MO file for the
// chosen language must be installed to wp-includes/languages.
// For example, install de.mo to wp-includes/languages and set WPLANG to 'de'
// to enable German language support. (WordPress 4.0 and later ignore this
// constant; the site language is chosen under Settings > General.)
define('WPLANG', '');

/* That's all, stop editing! Happy blogging. */

define('ABSPATH', dirname(__FILE__).'/');
require_once(ABSPATH.'wp-settings.php');

There may be some differences based on your server configuration, but you get the idea. Keep the vital info in a non-WWW folder location, and have WordPress pull from it, keeping the data safe and secure.
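Once both steps are done, it is worth checking that they actually hold on the box. The script below is an added example for this post, not code from the original article or from WordPress; it assumes the layout used above (DOCROOT=/home/yourname/public_html, CONFIG=/home/yourname/config.php), a stat(1) that accepts either GNU -c or BSD -f, and a find(1) that supports -maxdepth. It verifies that config.php really resolves to a path outside the document root and is not world-readable, that .htaccess carries a deny rule for wp-config.php in either the Apache 2.2 or 2.4 form, and that no backup copies of wp-config.php are sitting in the document root.

```shell
#!/bin/sh
# Added example (not from the original post): verify the wp-config.php protections.
# Assumed layout: DOCROOT=/home/yourname/public_html, CONFIG=/home/yourname/config.php.
# Assumes stat(1) with GNU -c or BSD -f, and find(1) with -maxdepth.

# is_outside_docroot DOCROOT FILE: succeeds if FILE's real path is not under DOCROOT.
# Anything under the document root can be served if PHP handling ever breaks.
is_outside_docroot() {
  docroot=$(cd "$1" && pwd -P) || return 1
  dir=$(cd "$(dirname "$2")" && pwd -P) || return 1
  case "$dir/$(basename "$2")" in
    "$docroot"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# is_not_world_readable FILE: succeeds if the "other" permission digit is 0,
# so other accounts on a shared host cannot read the database password.
is_not_world_readable() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  other=${mode#"${mode%?}"}
  [ "$other" = "0" ]
}

# htaccess_blocks_wpconfig HTACCESS: succeeds if a <Files wp-config.php> block contains
# either the Apache 2.2 "deny from all" or the Apache 2.4 "Require all denied" directive.
htaccess_blocks_wpconfig() {
  awk '
    tolower($0) ~ /<files[[:space:]]+wp-config\.php[[:space:]]*>/ { inblock = 1; next }
    tolower($0) ~ /<\/files>/                                     { inblock = 0; next }
    inblock && tolower($0) ~ /^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)/ { found = 1 }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

# no_config_backups DOCROOT: succeeds if no editor or backup copy of wp-config.php
# (wp-config.php~, wp-config.php.bak, ...) sits in the document root. The <Files>
# rule matches the exact name only, so such copies would be served as plain text.
no_config_backups() {
  [ -z "$(find "$1" -maxdepth 1 -name 'wp-config.php?*' -print)" ]
}

# check_all DOCROOT CONFIG: run every check, print one line per result,
# and succeed only if all of them pass.
check_all() {
  rc=0
  is_outside_docroot "$1" "$2" && echo "ok   $2 is outside $1" \
    || { echo "FAIL $2 is inside the document root"; rc=1; }
  is_not_world_readable "$2" && echo "ok   $2 is not world-readable" \
    || { echo "FAIL $2 is world-readable"; rc=1; }
  htaccess_blocks_wpconfig "$1/.htaccess" && echo "ok   .htaccess denies wp-config.php" \
    || { echo "FAIL .htaccess does not deny wp-config.php"; rc=1; }
  no_config_backups "$1" && echo "ok   no backup copies of wp-config.php" \
    || { echo "FAIL backup copies of wp-config.php found in $1"; rc=1; }
  return $rc
}

# Usage: sh check-wp-config.sh /home/yourname/public_html /home/yourname/config.php
if [ "$#" -eq 2 ]; then
  check_all "$1" "$2"
fi
```

Run it after every hosting change or migration, not just once: a host-side move to a new server, or a restored backup, is exactly when file modes and .htaccess overrides tend to silently revert.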

Be safe!

[via Devlounge]

2 Responses to “How-To Protect Your WordPress WP-Config File”

  1. August 27, 2012

    Eric,

    Would I add the snippet to wp-config at the end or beginning, or would it replace fields in wp-config? This is probably pretty obvious, but I’m still learning wp coding and php…

    • August 28, 2012

      I would put the wp-config snippet of code at the beginning, but make sure the server path is your own and not “/home/yourname/config.php.” Also, be sure to back up the file before you make any changes, so if it isn’t right, you can quickly restore it.
