Improve WordPress Security by Moving the wp-config.php File

Here’s a quick security tip that will make it nearly impossible for anyone to access your wp-config.php file. Simply move it one directory above your WordPress root.


Default wp-config.php file location:


Move it here:


Source: For more WordPress security tips, check out the slides from Brad Williams’ WordPress Security presentation at WordCamp Boston 2010.

6 Responses

  • That won’t make it “nearly impossible” for someone to access the wp-config.php file. It will only make it “slightly more difficult” since your wp-config.php is still in a web-accessible location. If there was some reason it shouldn’t be where it is now, then moving it into a still web-accessible location 1 directory above that doesn’t change anything with respect to whether or not was possible or “nearly impossible” to access. The level of exploitability is identical.

    If you really need to move wp-config.php somewhere else to make it more secure, which I don’t necessarily agree with, but if it were true, wouldn’t you want to move it -OUTSIDE- of the publicly accessible files inside public_html? If you want to make it “nearly impossible” for someone to access the wp-config.php file, then move it outside of public_html… Make a directory called config_files or something at the same level as public_html and put the file in there…

  • this tip is only effective if WP is not installed in a directory inside public_html, but directly inside public_html. WordPress won’t find the wp-config.php if you move it two levels up though, so replacing the part of it with connection settings etc to an included file outside of public_html would be a more appropriate method of adding this kind of protection for installations in a subdirectory. Also it’s a good idea to CHMOD the wp-config.php to 400.

  • Plus of course wp-config.php should never render in the browser anyway.

    I wouldn’t mind, but yerman’s example doesn’t even move it outside docroot, like he claimed, unless for some bizarre reason he’s edited DocumentRoot in httpd.conf. Some security presentation. :rolleyes:

  • Hi, I’ve followed the instructions above and unfortunately it crashed my website and filemanager got all funky. I’ve moved the file back to where it came from. I wonder how to get around that.?

Comments are closed.