How to Protect the wordpress wp-config.php File

The wp-config.php file contains very sensitive information about your WordPress installation, including your database access, table prefix and Secret Keys.

The wp-config.php file is a standard part of your WordPress installation. It defines the configuration settings required to access your MySQL database. If your self-hosting WordPress, there’s no way of getting around not using it.

It’s your job to protect it! You certainly don’t want this file falling into the wrong hands in the event of a server problem. You can protect it by encrypting it’s content when you upload and denying access to it.

How to protect your WordPress wp-config.php file:

  1. Anytime you upload the wp-config.php file, and ANY directory or file to your server, you should only use SFTP or FTPES. By using either of these methods, your data is encrypted while being sent to the server.If you just upload via plain FTP, your files are seen as plain text and that’s not want you want to feed a lurking evil hacker for lunch. If you don’t know if you have SFTP or FTPES, call your hosting company and ask. I personally use FTPES on GoDaddy on one of my sites and SFTP on HostGator on another.If you don’t have SSH enabled on your hosting, DON’T run over and enable it. You will lose some downtime and your database. For now, go to Step 2 so you can at least hide it, until you have time to get it set up properly.
  2. Download your .htaccess file from the server. This is located in the same section as your wp-config.php or index.php file. (If you don’t have an .htaccess file, then you will need to create one, see directions below).
  3. Using a text editor, like Notepad, open your .htaccess file.
  4. Copy and paste the following code into your .htaccess file to deny access to your wp-config.php file.# protect wpconfig.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>When saving your changes using “Notepad,” make sure that you change the “Save as type” dropdown to “All Files” so that it does not change your .htaccess file into a .txt file.

If you’re having a problem copying and pasting the code above, you can download our sample here.Please note: This is just a sample. Be sure that you just copy and paste the portion to protect your wp-config into your own .htaccess file.

How to create your own .htaccess file:

  1. Open up “Notepad” on your computer.
  2. Copy and paste the code to deny access to your wp-config.php file (see above).
  3. Click on File > Save As >
  4. Change File Name to .htaccess
  5. In the “Save as type” dropdown, change to “All Files.”
  6. Upload this file to your server in the top-level of your WordPress files are (index.php, wp-app.php, wp-config.php, etc.).

Although there are many more things that you can do to protect your WordPress website, knowing that your wp-config.php file is now more protected should give you some peace of mind. Sleep better tonight!

Source :