The Easiest WordPress Security Tip Ever!

Share this article

Sometimes you encounter a tip which is so simple you can’t believe you didn’t know about it before.

If you’re running WordPress, you’ll have defined a wp-config.php file which contains essential settings such as the MySQL database host, name, user and password. It normally sits in the location where WordPress was installed — in most cases this will be the web server root but it could be any sub-folder.

You certainly don’t want wp-config.php falling into the wrong hands. Under normal circumstances, a naughty cracker cannot view the file because the PHP interpreter would parse it and return an empty page. However:

  • The cracker will know exactly where the file is located and can target it more effectively.
  • If PHP fails, e.g. perhaps during a update, wp-config.php could be viewed directly in a browser by entering the URL.

Ready for the simple tip…

Move the wp-config.php file into the folder above your WordPress installation.

For example, you may have a folder structure such as /home/mysite/public_html/ where WordPress is installed. In that case, you would move wp-config.php into /home/mysite/.

This has several benefits:

  1. Assuming /home/mysite/public_html/ was the web server’s root folder, /home/mysite/ is inaccessible to anyone using a browser.
  2. A cracker has less chance of locating the correct file.
  3. It’s so simple, there’s little reason not to do it!

Perhaps this won’t be the most exciting tech article you read today, but it’s useful to know. I hope it helps with your security efforts.

Craig BucklerCraig Buckler
View Author

Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.

Share this article
Read Next
Get the freshest news and resources for developers, designers and digital creators in your inbox each week
Loading form