The Easiest WordPress Security Tip Ever!

By Craig Buckler | Content management | Open source | Web security | WordPress

Sometimes you encounter a tip which is so simple you can’t believe you didn’t know about it before.

If you’re running WordPress, you’ll have defined a wp-config.php file which contains essential settings such as the MySQL database host, name, user and password. It normally sits in the location where WordPress was installed — in most cases this will be the web server root but it could be any sub-folder.

You certainly don’t want wp-config.php falling into the wrong hands. Under normal circumstances, a naughty cracker cannot view the file because the PHP interpreter would parse it and return an empty page. However:

  • The cracker will know exactly where the file is located and can target it more effectively.
  • If PHP fails, e.g. during an update, wp-config.php could be viewed directly in a browser by entering its URL.

Ready for the simple tip…

Move the wp-config.php file into the folder above your WordPress installation.

For example, you may have a folder structure such as /home/mysite/public_html/ where WordPress is installed. In that case, you would move wp-config.php into /home/mysite/.

This has several benefits:

  1. Assuming /home/mysite/public_html/ was the web server’s root folder, /home/mysite/ is inaccessible to anyone using a browser.
  2. A cracker has less chance of locating the correct file.
  3. It’s so simple, there’s little reason not to do it!

Perhaps this won’t be the most exciting tech article you read today, but it’s useful to know. I hope it helps with your security efforts.
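As the comments below note, WordPress falls back to ../wp-config.php when the file is missing from the install folder. This added example (not code from the post or from WordPress itself) models that lookup in Python and checks whether a given layout really leaves wp-config.php outside the document root; the paths and the helpers `locate_wp_config`, `is_web_reachable` and `assess` are constructed for illustration, and the wp-settings.php condition is the guard wp-load.php uses so a nested install never loads its parent's config.

```python
import os
from typing import Callable, Optional

# Hypothetical helper for this example; it mirrors the order in which
# wp-load.php looks for the config. abspath is the WordPress install directory.
def locate_wp_config(abspath: str,
                     exists: Callable[[str], bool] = os.path.exists) -> Optional[str]:
    """Return the wp-config.php path WordPress would load, or None."""
    abspath = abspath.rstrip("/")
    local = f"{abspath}/wp-config.php"
    if exists(local):
        return local
    parent = os.path.dirname(abspath)
    parent_cfg = f"{parent}/wp-config.php"
    # The parent copy is only used when the parent is not itself a WordPress
    # install (no wp-settings.php there), so a nested blog keeps its own config.
    if exists(parent_cfg) and not exists(f"{parent}/wp-settings.php"):
        return parent_cfg
    return None

def is_web_reachable(path: str, docroot: str) -> bool:
    """True when the file sits under the document root, i.e. a PHP failure
    or misconfiguration could serve it as plain text."""
    root = os.path.normpath(docroot).rstrip("/") + "/"
    return os.path.normpath(path).startswith(root)

# Constructed layouts (not from any real server) covering the cases the post
# and its comments discuss: the plain tip, several sites under one docroot,
# and a blog nested inside another WordPress install.
CONSTRUCTED_FS = {
    "/home/mysite/public_html/wp-settings.php",
    "/home/mysite/wp-config.php",
    "/home/user/public_html/site1/wp-settings.php",
    "/home/user/public_html/site2/wp-settings.php",
    "/home/user/public_html/wp-config.php",
    "/srv/www/wp-settings.php",
    "/srv/www/wp-config.php",
    "/srv/www/blog/wp-settings.php",
}

def assess(abspath: str, docroot: str, fs=CONSTRUCTED_FS) -> dict:
    """Which config a given install would load, and whether it is web-reachable."""
    cfg = locate_wp_config(abspath, exists=lambda p: p in fs)
    return {"config": cfg,
            "web_reachable": cfg is not None and is_web_reachable(cfg, docroot)}

if __name__ == "__main__":
    print(assess("/home/mysite/public_html", "/home/mysite/public_html"))
    print(assess("/home/user/public_html/site1", "/home/user/public_html"))
```

Running it shows the tip works for the /home/mysite layout, that sites installed in sub-folders of one docroot would all load the same, still web-reachable config, and that a nested blog gets no config from its parent at all.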

Craig Buckler

Craig is a Director of OptimalWorks, a UK consultancy dedicated to building award-winning websites implementing standards, accessibility, SEO, and best-practice techniques.


34 comments

ari February 9, 2013 at 11:39 am

I am also using WordPress. After hiding wp-config.php, how does the engine check the directory location? Do you just move this file?

Sumit February 4, 2013 at 4:33 am

Nice post.
Thank you for sharing.

Jakob February 3, 2013 at 1:26 am

I think the “Automatic update” plugin is pretty good. An old WP blog that is not updated is never safe.

Robin Thebs February 1, 2013 at 2:18 am

Will give it a try.

Vadym January 19, 2013 at 3:30 am

Or add the following line to your .conf file on nginx:
location ~* wp-config.php { deny all; }

Jen January 18, 2013 at 6:21 am

Some plugins and themes will break though,
but you could move the contents of wp-config.php into another file, move that one up, and use an “include_once” of that second file in your original wp-config file.

karthikeyan January 18, 2013 at 1:57 am

Also we should use only legitimate premium themes to avoid virus injection from malware.

nhannguyen86 January 15, 2013 at 8:12 pm

great!

Matt Early January 14, 2013 at 1:46 pm

Ha! This is so simple, I don’t know why I wouldn’t have done this before. Thanks, Matt x

Tim January 14, 2013 at 8:35 am

.htaccess is a safer route

Craig Buckler January 14, 2013 at 9:58 am

Not using WordPress is even safer.

But, seriously, you should ‘hide’ files using .htaccess but, unlike moving the file, that’s not something everyone can do quickly and easily.

Jay January 13, 2013 at 9:02 pm

Great share Craig!

Taurean Wooley January 12, 2013 at 9:01 am

WordPress seems to do some pretty cool stuff with the permalinks to keep this from happening; the only downside is that there are issues with updated or new templates. I think the newer version fixed this, but I’m not 100% sure.

Great article either way, and great having it posted on SitePoint. Maybe a 2012 security highlights article might be needed. It’s always good to do a refresher in case someone missed something throughout the year.

Tanja January 12, 2013 at 8:42 am

Does this work if multiple sites are hosted in the same /public_html directory e.g.

/home/user/public_html/site1
/home/user/public_html/site2
/home/user/public_html/site3

If I moved the 3 wp-config.php files to the public_html directory, can WordPress find the correct wp-config file for each site?

Craig Buckler January 14, 2013 at 9:52 am

They would conflict so that wouldn’t work. You might want to consider a single, multi-site installation though. It saves a lot of time.

Ran January 12, 2013 at 5:48 am

This “tip” has been on the WordPress Codex for ages. Nothing new here.
http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

Craig Buckler January 14, 2013 at 9:51 am

Well spotted, but a one-sentence tip in a 3,000 word document is easy to miss!

Evan January 12, 2013 at 12:14 am

How do you get this to work? Do you only need to move the config and WordPress finds it? Or is there a setting somewhere you need to change?

Craig Buckler January 14, 2013 at 9:53 am

WordPress will find it. If it’s not in the installation folder, it’ll try “../wp-config.php”.

Michael January 11, 2013 at 11:01 pm

Cool trick! Thanks for the tip.

Blake Petersen January 11, 2013 at 4:29 pm

Funny, Mark Jaquith mentions that briefly in http://2011.sf.wordcamp.org/session/scaling-servers-and-deploys-oh-my/, didn’t really resonate until I saw this, thanks so much Craig!

Craig Buckler January 14, 2013 at 9:54 am

I don’t think it’s ever been a secret and has been supported for some time. But it’s one I didn’t know about until recently and it seems many of us missed it!

GWD January 11, 2013 at 3:34 pm

and where to place it when you’ve installed WP in a separate directory?

Craig Buckler January 14, 2013 at 9:55 am

A: the parent folder of that directory.

cotsweb January 11, 2013 at 1:31 pm

Good tip.
It seems that WordPress will automatically look one level up for the config file if it doesn’t find it in the current directory.
Sadly this doesn’t help me, as my WordPress installation is in a sub-directory so I would need to move it up two levels to put it above /public_html.

Craig Buckler January 14, 2013 at 9:56 am

True, but it still has the advantage of hiding it a little from anyone who managed to access your files.

James W January 11, 2013 at 1:21 pm

Good idea, but many hosting platforms don’t have a higher level directory to do this. I’d use an .htaccess file to prevent access to wp-config.php, which Apache should honor if it’s running. Eg:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Extensiones Joomla January 11, 2013 at 11:58 am

It’s a useful tip. I wonder if this kind of security fix could also be used on a Joomla website.

Anyway, Thanks!

nicola January 11, 2013 at 11:31 am

But how will WordPress find it during initialization if its position has changed?

timbuktu January 11, 2013 at 2:28 pm

Yeah, I’m also curious. How will WP find it during the installation? And is it possible to change its location in an old WP installation?

Toby January 11, 2013 at 3:24 pm

What Craig omitted to say is that WordPress automatically searches the parent directory for wp-config.php. If you look at wp-load.php, you’ll see a comment to that effect at the top.

gillbates January 11, 2013 at 4:06 pm

@nicola: WordPress is smart enough to hunt for it if it’s not in the default location :)

Blake Petersen January 11, 2013 at 4:32 pm

The core’s written in such a way to support it, consider it wordpress black magic ;]
