Website security is something you shouldn’t take lightly. I know it may seem like only high-profile sites are targeted, but the truth of the matter is, everyone is vulnerable to a hack.
Whether it’s a personal blog, a church website or a large organization, protecting your WordPress wp-config.php file is a great step toward added security. Understand that your wp-config.php file contains your database name, username and password: information that you don’t want anyone to have. If someone can access your database, they can not only delete all of your WordPress data, but they can change your usernames and passwords, too!
How to Protect Your WordPress WP-Config File
There are two steps in this process. Although one of these may suffice, I recommend doing both.
First, you can protect your wp-config.php by beefing up your .htaccess.
Simply add the following (be sure to back it up first!):
<Files wp-config.php>
deny from all
</Files>
Yeah. I know. That was really easy. You’re probably wondering why you hadn’t already done this, right?
The second step will take a little bit longer, as it involves a lot more changes.
What we’re going to do is move the wp-config.php file to an unpredictable location. This should make it next to impossible to find, right? Right.
The only problem is, every time you make a WordPress upgrade, it’s going to be a pain. So, let’s do this in such a way that you can freely upgrade WordPress without any hassles. Also, as always, make sure you back up your files!
- Create a new file, config.php, and save it in a non-WWW accessible location on your server
Let’s say your website sits on your server like so: /home/yourname/public_html/
What you’re going to do is save our fancy new PHP file here: /home/yourname/
By doing this, you won’t be able to access the wp-config.php file from the web. Nice!
- Add the following code to your new config.php file
<?php
define('DB_NAME', 'your_db_name'); // The name of the database
define('DB_USER', 'your_db_username'); // Your MySQL username
define('DB_PASSWORD', 'your_db_pass'); // ...and password
define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value
// You can have multiple installations in one database if you give each a unique prefix
$table_prefix = 'yourdbprefix_'; // Only numbers, letters, and underscores please!
Now, we need to edit the WordPress config file, wp-config.php.
- Add the following to your wp-config.php
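<?php
// Pull the database settings from the file saved outside the web root
include('/home/yourname/config.php');
// Change this to localize WordPress. A corresponding MO file for the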
// chosen language must be installed to wp-includes/languages.
// For example, install de.mo to wp-includes/languages and set WPLANG to 'de'
// to enable German language support.
define ('WPLANG', '');
/* That's all, stop editing! Happy blogging. */
There may be some differences based on your server configuration, but you get the idea. Keep the vital info safe in a non-WWW folder location, and have WordPress pull from it, keeping the data safe and secure.
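To check that both steps above took effect, here is an added example in Python (not part of the original post): audit() reads a web root offline and reports when .htaccess lacks a <Files wp-config.php> deny rule, when database credentials are still defined in wp-config.php, or when the included file sits inside the web root. The function names and the sample layout that demo() builds in a temp directory are assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

# include/require of a quoted literal path, e.g. include('/home/yourname/config.php');
INCLUDE_RE = re.compile(r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")
SECRET_RE = re.compile(r"""define\s*\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD)['"]""")
# <Files wp-config.php> section; "Require all denied" is the Apache 2.4 form of the rule
FILES_RE = re.compile(r'<files\s+"?wp-config\.php"?\s*>(.*?)</files>', re.I | re.S)
DENY_RE = re.compile(r"deny\s+from\s+all|require\s+all\s+denied", re.I)


def read_text(path):
    """Return the file's contents, or an empty string if it is missing."""
    return path.read_text(encoding="utf-8") if path.is_file() else ""


def audit(docroot):
    """Return a list of findings for the WordPress install in docroot."""
    docroot = Path(docroot).resolve()
    findings = []
    # Step 1: .htaccess must deny wp-config.php inside a <Files> section.
    section = FILES_RE.search(read_text(docroot / ".htaccess"))
    if not (section and DENY_RE.search(section.group(1))):
        findings.append("no <Files wp-config.php> deny rule in .htaccess")
    # Step 2: credentials must come from an included file outside the web root.
    source = read_text(docroot / "wp-config.php")
    for name in SECRET_RE.findall(source):
        findings.append(f"{name} is still defined in wp-config.php")
    targets = [Path(p) for p in INCLUDE_RE.findall(source) if Path(p).is_absolute()]
    if not targets:
        findings.append("wp-config.php includes no absolute-path config file")
    for path in targets:
        if not path.is_file():
            findings.append(f"included file {path} does not exist")
        elif docroot in path.resolve().parents:
            findings.append(f"included file {path} is inside the web root")
    return findings


def demo():
    """Build a constructed home/public_html layout in a temp dir and audit it."""
    home = Path(tempfile.mkdtemp())
    docroot = home / "public_html"
    docroot.mkdir()
    (home / "config.php").write_text("<?php\ndefine('DB_PASSWORD', 'sample');\n")
    (docroot / ".htaccess").write_text("<Files wp-config.php>\ndeny from all\n</Files>\n")
    (docroot / "wp-config.php").write_text(f"<?php\ninclude('{home}/config.php');\n")
    return docroot, audit(docroot)
```

The check only follows include paths written as quoted absolute literals, as in the wp-config.php snippet above; an empty list means both protections are in place.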