Website security is something you shouldn’t take lightly. I know it may seem like only high-profile sites are targeted, but the truth of the matter is, everyone is vulnerable to a hack.
Whether it’s a personal blog, church website or large organization, protecting your WordPress wp-config.php file is a great step toward better security. Understand that your wp-config.php file contains your database name, username and password. Information that you don’t want anyone to have. If someone can access your database, they can not only delete all of your WordPress data, but they can change your usernames and passwords, too!
How-To Protect Your WordPress WP-Config File
There are two steps in this process. Although one of these may suffice, I recommend doing both.
First, you can protect your wp-config.php by beefing up your .htaccess.
Simply add the following (be sure to back it up first!):
# protect wpconfig.php
<Files wp-config.php>
deny from all
</Files>
Yeah. I know. That was really easy. You’re probably wondering why you hadn’t already done this, right?
Now this will take a little bit longer, as it involves a lot more changes.
What we’re going to do is move the wp-config.php file to an unpredictable location. This should make it next to impossible to find, right? Right.
The only problem is, every time you make a WordPress upgrade, it’s going to be a pain. So, let’s do this in such a way that you can freely upgrade WordPress without any hassles. Also, as always, make sure you back up your files!
- Create a new file — config.php — and save it in a non-WWW accessible location on your server
Let’s say your website sits on your server like so: /home/yourname/public_html/
What you’re going to do is save our fancy new PHP file here: /home/yourname/
By doing this, you won’t be able to access the wp-config.php file from the web. Nice!
- Add the following code to your new config.php file
Now, we need to edit the WordPress config file, wp-config.php.
- Add the following to your wp-config.php
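The code for these two steps is missing from this page. As an added example (not the original author's code), here is a wp-config.php that pulls its database settings from /home/yourname/config.php and fails closed if that file is missing, incomplete, or resolves back inside the web root. The placeholder credentials in the comment, the $secrets variable, the config_fail() helper and the error messages are assumptions.

```php
<?php
// wp-config.php: stays in the WordPress root, e.g. /home/yourname/public_html/
//
// Assumed contents of /home/yourname/config.php (values are constructed placeholders):
//   <?php
//   define('DB_NAME',     'example_db');
//   define('DB_USER',     'example_user');
//   define('DB_PASSWORD', 'example-password');
//   define('DB_HOST',     'localhost');

// One directory above the web root; adjust to your server layout.
$secrets = dirname(__DIR__) . '/config.php';

// Hypothetical helper: fail closed with a generic message and log the reason.
// Never echo the path or any credential to the visitor.
function config_fail($reason)
{
    error_log('wp-config: ' . $reason);
    http_response_code(500);
    exit('Configuration error.');
}

if (!is_readable($secrets)) {
    config_fail('secrets file missing or unreadable');
}

// Refuse a secrets file that resolves back inside the web root (e.g. via a
// symlink), because it would then be reachable over HTTP again.
$webroot = realpath(__DIR__) . DIRECTORY_SEPARATOR;
if (strpos(realpath($secrets), $webroot) === 0) {
    config_fail('secrets file resolves inside the web root');
}

require_once $secrets;

// Make sure the external file defined everything WordPress needs to connect.
foreach (array('DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST') as $name) {
    if (!defined($name)) {
        config_fail('missing constant ' . $name);
    }
}

$table_prefix = 'wp_';

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

If the host restricts PHP with open_basedir to the web root, the readability check will fail until the parent directory is added to that setting.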
There may be some differences based on your server configuration, but you get the idea. Keep the vital info safe in a non-WWW folder location, and have WordPress pull from it, keeping the data safe and secure.