One Simple Trick to Keep Your WordPress wpconfig.php File Safe

Move Your WordPress wpconfig.php File

The single most important file in your entire WordPress Installation is wp-config.php.

Your WordPress website is made up of two elements: a WordPress database, and your WordPress files. Wp-config.php is the one element that links the database and files together.

If you’re curious, we have a full guided tool of wp-config.php available.

Because wp-config.php is important, it is also the file that you most protect more than any other.

In this video, our WordPress teacher, Topher, is going to show you one simple trick to keep your wp-config.php safe.


  • Steve Burge

    Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.

0 0 votes
Article Rating
Notify of

Newest Most Voted
Inline Feedbacks
View all comments
Dan Knauss
Dan Knauss
9 years ago

Secure wp-config.php with .htaccess. Block direct access to it whether PHP is running or not. Consider making it totally locked down so nobody can write to it. That is the security-minded solution.
If someone gets into your WP, it doesn’t matter where wp-config is because they can write to it — unless you make it unwritable. If they break into your server and want to write to wp-config, they can find it and write to it no matter what.
The rationale given in the video for moving wp-config is that PHP might terminate for some reason and then it would be readable to anyone over HTTP. (So would all your other PHP files.) The real problem then is you or your host really screwed up.
It’s also suggested that someone taking your database user and password from config.php could do some harm with this information. This is only true if your database is open to remote access without any restrictions, or the intruder has access to the database already. If this is how you or your host has set up your server, once again that’s the real problem. (The authentication key and salts are possibly more important to a serious hacker than your database credentials too, btw.)
Some good advice along these lines:

The top answers here are for and against moving wp-config, and there is a lot of good commentary back and forth:


The person who asked the question picked the “no” position as the best, although the “yes” position got more votes. Note the “yes” position reduces to an argument that security by obscurity can save you if you or your host screw up really really badly. Maybe.

Yaeger Design
Yaeger Design
9 years ago

This is a great, simple tip! For WordPress users/owners who aren’t coders/developers/sys-admins, this is a very simple and effective way to add at least some level of added security (even if only beneficial in very rare circumstances).

9 years ago

Thank you i hope it will work it…. I hacked some days before and i should start again from the begin to design again the web!!! :S

Would love your thoughts, please comment.x