Sometimes you encounter a tip which is so simple you can’t believe you didn’t know about it before.

If you’re running WordPress, you’ll have defined a wp-config.php file which contains essential settings such as the MySQL database host, name, user and password. It normally sits in the location where WordPress was installed — in most cases this will be the web server root but it could be any sub-folder.

You certainly don’t want wp-config.php falling into the wrong hands. Under normal circumstances, a naughty cracker cannot view the file because the PHP interpreter would parse it and return an empty page. However:

  • The cracker will know exactly where the file is located and can target it more effectively.
  • If PHP fails, e.g. perhaps during a update, wp-config.php could be viewed directly in a browser by entering the URL.

Ready for the simple tip…

Move the wp-config.php file into the folder above your WordPress installation.

For example, you may have a folder structure such as /home/mysite/public_html/ where WordPress is installed. In that case, you would move wp-config.php into /home/mysite/.

This has several benefits:

  1. Assuming /home/mysite/public_html/ was the web server’s root folder, /home/mysite/ is inaccessible to anyone using a browser.
  2. A cracker has less chance of locating the correct file.
  3. It’s so simple, there’s little reason not to do it!

Perhaps this won’t be the most exciting tech article you read today, but it’s useful to know. I hope it helps with your security efforts.

Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler

Get your free chapter of Level Up Your Web Apps with Go

Get a free chapter of Level Up Your Web Apps with Go, plus updates and exclusive offers from SitePoint.

  • nicola

    but how will wordpress find it during initialization if its position has changed?

    • timbuktu

      Yea, I’m also curious. How WP will find it during the installation? And is it possible to change it’s location in an old WP installation?

    • Toby

      What Craig omitted to say is that WordPress automatically searches the parent directory for wp-config.php. If you look at wp-load.php, you’ll see a comment to that effect at the top.

    • gillbates

      @nicola: WordPress is smart enough to hunt for it if it’s not in the default location :)

    • Blake Petersen

      The core’s written in such a way to support it, consider it wordpress black magic ;]

  • Extensiones Joomla

    It’s an useful tip, I wonder if this kind of security fix, could also be used in a Joomla Webiste.

    Anyway, Thanks!

  • James W

    Good idea, but many hosting platforms don’t have a higher level directory to do this. I’d use an .htaccess file to prevent access to wp-config.php, which Apache should honor if it’s running. Eg:

    order allow,deny
    deny from all

  • James W
  • cotsweb

    Good tip.
    It seems that Word Press will automatically look 1 level up for the config file if it doesn’t find it in the current directory.
    Sadly this doesn’t help me as my Word Press installation is in a sub-directory so I would need to move it up two levels to put it above /public_html

    • Craig Buckler

      True, but it still has the advantage of hiding it a little from anyone who managed to access your files.

  • GWD

    and where to place it when you’ve installed WP in a separate directory?

    • Craig Buckler

      A: the parent folder of that directory.

  • Blake Petersen

    Funny, Mark Jaquith mentions that briefly in, didn’t really resonate until I saw this, thanks so much Craig!

    • Craig Buckler

      I don’t think it’s ever been a secret and has been supported for some time. But it’s one I didn’t know about until recently and it seems many of us missed it!

  • Michael

    Cool trick! Thanks for the tip.

  • Evan

    How do you get this to work? Do you only need to move the config and wordpress finds it? Or is there a setting somewhere you need to change?

    • Craig Buckler

      WordPress will find it. If it’s not in the installation folder, it’ll try “../wp-config.php”.

  • Ran

    This “tip” is on the WordPress Codex for ages. Nothing new here.

    • Craig Buckler

      Well spotted, but a one-sentence tip in a 3,000 word document is easy to miss!

  • Tanja

    Does this work if multiple sites are hosted in the same /public_html directory e.g.


    If I moved the 3 wp-config.php files to the public_html directory, can WordPress find the correct wp-config file for each site?

    • Craig Buckler

      They would conflict so that wouldn’t work. You might want to consider a single, multi-site installation though. It saves a lot of time.

  • Taurean Wooley

    WordPress seems to do some pretty cool stuff with the permalinks with keeping this from happening, the only down side is that there are issues with updated or new templates. I think the newer version fixed this, but not 100% sure.

    Great article either way, and great having it posted on sitepoint. Maybe having a highlights in 2012 security article might be needed. Always good doing a refresher just in case someone missed something throughout the year.

  • Jay

    Great share Craig!

  • Tim

    htaccess is a safer route

    • Craig Buckler

      Not using WordPress is even safer.

      But, seriously, you should ‘hide’ files using .htaccess but, unlike moving the file, that’s not something everyone can do quickly and easily.

  • Matt Early

    Ha! This is so simple, I don’t know why I wouldn’t have done this before. Thanks, Matt x

  • nhannguyen86


  • karthikeyan

    Also we should use only legitimate premium themes to avoid virus injection from malware.

  • Jen

    Some plugins and theme’s will break tho..
    but you could move the contents of wp-config.php in another file, move that one up, and use an “include_once” to that 2nd file in your original wp-config file.

  • Vadym

    Or add the following line to your .conf file on nginx:
    location ~* wp-config.php { deny all; }

  • Robin Thebs

    Will give it a try.

  • Jakob

    Think the plugin “Automatic update”, is a pretty good. A old wp blog that is not updated is never safe.

  • Sumit

    NIce Post.
    Thank you for sharing.

  • ari

    I am using also WordPress, after hiding wp-config.php, and then how the engine check the directory place? just move this file?

Related books & courses
Introduction to Wordpress

Available on SitePoint Premium. Check it out now!