The Easiest WordPress Security Tip Ever!

By Craig Buckler

Sometimes you encounter a tip which is so simple you can’t believe you didn’t know about it before.

If you’re running WordPress, you’ll have defined a wp-config.php file which contains essential settings such as the MySQL database host, name, user and password. It normally sits in the location where WordPress was installed — in most cases this will be the web server root but it could be any sub-folder.

You certainly don’t want wp-config.php falling into the wrong hands. Under normal circumstances, a naughty cracker cannot view the file because the PHP interpreter would parse it and return an empty page. However:

  • The cracker will know exactly where the file is located and can target it more effectively.
  • If PHP fails, e.g. during an update, wp-config.php could be viewed directly in a browser by entering its URL.

Ready for the simple tip…

Move the wp-config.php file into the folder above your WordPress installation.

For example, you may have a folder structure such as /home/mysite/public_html/ where WordPress is installed. In that case, you would move wp-config.php into /home/mysite/.

This has several benefits:

  1. Assuming /home/mysite/public_html/ was the web server’s root folder, /home/mysite/ is inaccessible to anyone using a browser.
  2. A cracker has less chance of locating the correct file.
  3. It’s so simple, there’s little reason not to do it!

Perhaps this won’t be the most exciting tech article you read today, but it’s useful to know. I hope it helps with your security efforts.
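As an added example that is not part of the article: a small POSIX shell script that performs the move described above with the checks a practitioner would want (nothing to move, parent already has a config, parent is itself a WordPress install), plus a function that mirrors the lookup order the comments describe (install folder first, then ../wp-config.php). The rule that the parent is skipped when it contains wp-settings.php comes from WordPress core rather than from this page.

```shell
#!/bin/sh
# Added example, not code from the article or from WordPress.
# Assumes a layout like /home/mysite/public_html (web root) with /home/mysite
# outside the web root, as in the article.

# Print the wp-config.php WordPress will load for the install at $1:
# the install folder first, then the parent, unless the parent holds
# wp-settings.php (it is then a separate install and core skips it).
wp_config_path() {
    root=${1%/}
    parent=$(dirname "$root")
    if [ -f "$root/wp-config.php" ]; then
        printf '%s\n' "$root/wp-config.php"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        printf '%s\n' "$parent/wp-config.php"
    else
        return 1
    fi
}

# Exit 0 when the config WordPress will load still sits inside the web root,
# i.e. the tip has not been applied (or cannot apply to this layout).
wp_config_in_webroot() {
    root=${1%/}
    cfg=$(wp_config_path "$root") || return 1
    case "$cfg" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Move wp-config.php one level up, refusing the cases where the tip does not apply.
move_wp_config_up() {
    root=${1%/}
    parent=$(dirname "$root")
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    # Core would ignore the parent if it were another install, so the site would break.
    [ ! -f "$parent/wp-settings.php" ] || { echo "parent is itself a WordPress install" >&2; return 1; }
    # Never clobber a config that already lives in the parent.
    [ ! -e "$parent/wp-config.php" ] || { echo "parent already has wp-config.php" >&2; return 1; }
    mv "$root/wp-config.php" "$parent/wp-config.php" || return 1
    # Readable by the owning account only; the web server runs as that user on most shared hosts.
    chmod 600 "$parent/wp-config.php"
}
```

Run it as `move_wp_config_up /home/mysite/public_html` and confirm with `wp_config_path /home/mysite/public_html` that WordPress now resolves the parent copy.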

  • nicola

    But how will WordPress find it during initialization if its position has changed?

    • timbuktu

      Yeah, I’m also curious. How will WP find it during the installation? And is it possible to change its location in an old WP installation?

    • Toby

      What Craig omitted to say is that WordPress automatically searches the parent directory for wp-config.php. If you look at wp-load.php, you’ll see a comment to that effect at the top.

    • gillbates

      @nicola: WordPress is smart enough to hunt for it if it’s not in the default location :)

    • The core’s written in such a way as to support it; consider it WordPress black magic ;]

  • It’s a useful tip. I wonder if this kind of security fix could also be used on a Joomla website.

    Anyway, Thanks!

  • James W

    Good idea, but many hosting platforms don’t have a higher level directory to do this. I’d use an .htaccess file to prevent access to wp-config.php, which Apache should honor if it’s running. E.g.:

    # Restrict the rule to wp-config.php; without the <Files> wrapper it would deny the whole directory
    <Files wp-config.php>
        order allow,deny
        deny from all
    </Files>

  • James W

    Good tip.
    It seems that WordPress will automatically look one level up for the config file if it doesn’t find it in the current directory.
    Sadly this doesn’t help me as my WordPress installation is in a sub-directory, so I would need to move it up two levels to put it above /public_html

    • True, but it still has the advantage of hiding it a little from anyone who managed to access your files.

  • GWD

    And where do you place it when you’ve installed WP in a separate directory?

  • Funny, Mark Jaquith mentions that briefly in, but it didn’t really resonate until I saw this. Thanks so much Craig!

    • I don’t think it’s ever been a secret and has been supported for some time. But it’s one I didn’t know about until recently and it seems many of us missed it!

  • Cool trick! Thanks for the tip.

  • How do you get this to work? Do you only need to move the config and wordpress finds it? Or is there a setting somewhere you need to change?

    • WordPress will find it. If it’s not in the installation folder, it’ll try “../wp-config.php”.

  • Ran

    This “tip” has been on the WordPress Codex for ages. Nothing new here.

    • Well spotted, but a one-sentence tip in a 3,000 word document is easy to miss!

  • Tanja

    Does this work if multiple sites are hosted in the same /public_html directory e.g.


    If I moved the 3 wp-config.php files to the public_html directory, can WordPress find the correct wp-config file for each site?

    • They would conflict so that wouldn’t work. You might want to consider a single, multi-site installation though. It saves a lot of time.

  • WordPress seems to do some pretty cool stuff with the permalinks to keep this from happening; the only downside is that there are issues with updated or new templates. I think the newer version fixed this, but I’m not 100% sure.

    Great article either way, and great having it posted on SitePoint. Maybe a “2012 security highlights” article might be needed. It’s always good to do a refresher in case someone missed something throughout the year.

  • Jay

    Great share Craig!

  • Tim

    .htaccess is a safer route.

    • Not using WordPress is even safer.

      But, seriously, you should ‘hide’ files using .htaccess but, unlike moving the file, that’s not something everyone can do quickly and easily.

  • Ha! This is so simple, I don’t know why I wouldn’t have done this before. Thanks, Matt x

  • nhannguyen86


  • Also, we should use only legitimate premium themes to avoid virus injection from malware.

  • Jen

    Some plugins and themes will break, though,
    but you could move the contents of wp-config.php into another file, move that one up, and use an “include_once” of that second file in your original wp-config file.

  • Vadym

    Or add the following line to your .conf file on nginx:
    location ~* wp-config.php { deny all; }

  • Will give it a try.

  • I think the plugin “Automatic update” is pretty good. An old WP blog that is not updated is never safe.

  • Nice post.
    Thank you for sharing.

  • ari

    I am also using WordPress. After hiding wp-config.php, how does the engine check the directory location? Do I just move this file?