By default, wp-config.php sits in the same folder as the rest of your WordPress install. So, if the homepage of your blog is at mysite.com/blog, so is your wp-config.php. That’s not as reckless as it seems, since .php files are server-side scripts that are processed by the server: when you open a .php file in your browser you are looking at the output of the script, not the script itself, and the same goes for View Source. Normally, the only way to get the raw code of a .php file is through FTP (or another server-side channel such as SSH). But just because you can’t normally read a .php file over the web doesn’t mean you are always safe. Accidents happen, and vulnerabilities exist. If your web server’s PHP handler breaks, your MIME types or handler mappings aren’t set up correctly, or the server is otherwise misconfigured, your web pages can end up being served as plain text instead of processed PHP output, database password and all; and those are just a few examples. And, just like being depantsed during a pep rally in the high school auditorium, it only takes a split second, and before you can get your knickers back on they’ve seen everything. Yeah, they’ve seen it all. In this groovyPost, I’ll show you how to keep your wp-config.php, with your MySQL database username and password, safe(r). While no website or blog is 100% un-hackable, this quick tip will make hacking your WordPress blog more difficult for would-be intruders than a site that hasn’t taken these precautions. Usually, just being more secure than your neighbor is enough to divert a would-be hacker’s efforts to a site other than your own. Remember, if you are ever in the woods with a group of people and a bear shows up, you don’t have to run faster than the bear, just faster than the other people. (And, all joking aside, bear mace is your best bet if you are ever really in that situation.)
Moving Your wp-config.php File
With correct file permissions and a correctly configured web server, keeping your wp-config.php file in the same public folder as the rest of your blog should be perfectly fine. But when it comes to protecting your website, security is an onion (or an ogre, apparently): the more layers, the better. The WordPress Codex affirms this sentiment and recommends that you move your wp-config.php away from its default install location. WordPress itself looks for wp-config.php one directory above the install root if it is not in the root, so a self-hosted WordPress.org blog lets you move the file up one level without any other change. That’s all well and good, but for most web hosts, one level up from your blog root is still inside public_html. You’re best off putting it in a folder that is not a subdirectory of your public_html or www folder at all. That way, the chances of someone reaching it with a web browser or any other HTTP client are virtually nil. Here’s what you do:
Step 1
Access your WordPress.org site via an FTP program and navigate to the root.
Step 2
Download wp-config.php to your hard drive.
Step 3
Rename it to something other than wp-config.php.
Make it something nonsensical, so someone who stumbles upon it (say, someone who has got into your shared server via SSH) might not recognize it for what it is. So, instead of calling it “off-site-wordpress-config.php”, call it “futurama-fan-fic.php”. Keep the .php extension: if the file ever does end up somewhere web-reachable, a .php file gets executed (and a file of nothing but defines outputs nothing) rather than being served as text.
Step 4
Upload your renamed wp-config.php file to a folder outside your public_html or www folder, that is, not beneath it. Personally, I created an entire directory for off-site config files, but it’s probably safer to put them somewhere less obvious. The most important thing is to put the file outside your www or public_html folder. It still has to be readable by whatever user PHP runs as on your host (often your own account on shared hosting, but not always), so check that with your host before locking its permissions down; 600 or 640 with you as the owner is typical.
Step 5
Open up Notepad or your other favorite PHP editor.
Create a new wp-config.php file that contains only a single statement: an include of your renamed config file, by its absolute path on the server. Replace the directory with the server location of your renamed wp-config.php file. Note that this isn’t a URL; it’s a filesystem path on the server, so giving it the web address of the file instead will NOT work. As you’ve probably gathered, this essentially creates a “shortcut” to your actual wp-config.php file. So, if someone does get at the wp-config.php in your WordPress directory, all they’ll find is a file pointing to another file. For fun, you may want to add a comment in it for whoever finds it.
Step 6
Upload your new wp-config.php file to your WordPress root. Overwrite the old one (you backed it up first, right?).
Step 7
That’s it! Navigate to your WordPress.org blog root to ensure that it worked. If you get an error that reads:

Fatal error: Call to undefined function wp() in /wp-blog-header.php on line 14

then you typed the server location wrong in your modified wp-config.php file. If you’re having trouble determining the absolute path of your blog, create a .php file in your blog root that echoes its own directory path and open it in a browser. This will show you the absolute path for whatever directory the file is in and will also make clear how far up you need to go to get above the public_html folder (delete that file when you are done). If instead you get an error message saying that no wp-config.php file could be found, then there’s no wp-config.php file in your WordPress.org root. Double-check that you uploaded the modified wp-config.php to your WordPress.org root (or the folder just above it) and the renamed wp-config.php file to the other location, rather than vice versa.
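Here is what the stub from Step 5 and its hand-off look like in full, as an added example written for this page rather than the article’s own listing. The directory /home/myaccount/private-config/, the file name futurama-fan-fic.php and the constant name GP_REAL_CONFIG are assumptions; substitute the absolute path your path-finder file printed. (A throw-away file containing just <?php echo dirname(__FILE__); ?> in your blog root prints that path; delete it afterwards.) Beyond the include itself, the stub pins ABSPATH, which addresses the require_once(wp-settings.php) failure reported in the comments below: once the real config has been moved, its own fallback definition of ABSPATH would point at the hiding place.

```php
<?php
/*
 * wp-config.php stub that stays in the WordPress root (e.g. public_html/blog/).
 * It holds no credentials; it only hands off to the real config, which lives
 * OUTSIDE the document root. Added example, not the article's own listing.
 * The path, folder name and constant name are assumptions: use the absolute
 * path your path-finder file printed, with your own renamed file at the end.
 */

// WordPress normally defines ABSPATH in wp-load.php before loading this file.
// When /wp-config.php is requested directly it is not yet defined, and the
// moved config's fallback, dirname(__FILE__), would then point at the hiding
// place and make WordPress look for wp-settings.php there. Pinning ABSPATH
// here, in the file that really is in the WordPress root, prevents that.
// (The stock wp-config-sample.php guards its own define with defined().)
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

// An absolute FILESYSTEM path, not a URL. Pointing require_once at
// 'http://mysite.com/...' would fetch the script's rendered output (nothing)
// instead of its source, and PHP refuses it anyway unless allow_url_include is on.
define( 'GP_REAL_CONFIG', '/home/myaccount/private-config/futurama-fan-fic.php' ); // assumption

if ( ! is_readable( GP_REAL_CONFIG ) ) {
    // Fail closed with a neutral message; do not echo the path to visitors.
    die( 'Configuration file is missing or unreadable.' );
}

require_once GP_REAL_CONFIG;
```

The moved file stays exactly as it was, including its closing require_once( ABSPATH . 'wp-settings.php' ); line. Because ABSPATH now points at the WordPress root rather than at the folder the real config sits in, that line finds wp-settings.php where WordPress keeps it. If your moved file defines ABSPATH unconditionally rather than inside an if ( ! defined( 'ABSPATH' ) ) guard, add the guard; otherwise PHP warns about redefining the constant and the first definition stands anyway.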
Conclusion
Will moving your wp-config.php make your blog bulletproof? Certainly not. But it’s one more step you can take towards making your website or blog more secure, and for me it helps me sleep better at night, like putting an extra chain or deadbolt on the door.

Note: Before you go mucking around in your file structure, make sure you back everything up and feel comfortable with what you’re doing. You can seriously break your WordPress blog if you delete the wrong thing. You’ve been warned.

I have a small doubt: if someone managed to hack and see the wp-config.php where it is normally located, then he can open the same PHP file and see the hidden location, correct? Am I asking the wrong question? Thanks for the nice tutorials. But…

This security measure is mostly to protect you against misconfigured or compromised web servers throwing plain text instead of processed PHP. This has happened before. For example, VandelayDesign.com got hacked a few years ago because the site was displaying in plain text for some reason. A non-malicious hacker hijacked the site and left this message:

“Hiho guys, this blog was in text/plain yesterday. Also a friend and I took a look in the wp-config.php. There is all the DB data we need to login here. So little change of the md5 hash and all was fine to login. I do not know this site really, but it’s nice and I will not delete posts, comments or something else. Admin, change your database password. Cheers, Mr. X. PS: Get down of PHP”

So, in this case, wp-config.php became visible to users via their web browser. But by moving the wp-config.php outside of your public_html folder, you prevent anyone from seeing it via Firefox or Chrome or IE, regardless of whether it’s plain text or not. Really, it’s sort of a long shot that this method would save your skin, but it could and has happened. Consider this scenario: A hacker or group of hackers wants to get access to someone’s website or database. So, they find out a way to crash PHP on the entire server. This is like knocking out the deflector shield generators on the Death Star. Once PHP is down, EVERYONE’s .php files on the web server turn into plain text. From there, the hackers can go in and pick out any passwords or other data they want, right from their web browsers, UNLESS it’s not in a public_html or WWW folder. If you are on a shared server, it only takes one person’s poorly validated user data form or GET method to allow someone to inject something malicious that COULD bring down PHP. Again, a long shot; I’m sure very few of you are waging open warfare with Internet terrorists… but again, it’s all about layers…

Will this protect you from a hacker who wants to break in and cause damage? No. Will this help protect you against scripts that people run against the internet? Yes. However, like Jack said, it’s all about layers. Add more layers to make the website next door easier to attack and hopefully they will leave your site alone. :)

When I reverted back to standard nothing is returned. I changed the config file to 640 permissions as suggested. Didn’t work for the .htaccess file, as I could access the site with it at 640. Any thoughts on this? If that makes any difference? Thanks, Josh

What you COULD do is add .htaccess protection to your wp-config.php file. Just add this bit to your .htaccess file (careful doing this; it could mess things up):

AuthType Basic
AuthName "Protected Access"
AuthUserFile /home/users/.htpasswd
Require valid-user

And then create a .htpasswd file and place it in the directory that you indicated on the AuthUserFile line. Just remember: you HAVE TO encrypt your passwords for .htpasswd. Use this tool to help you: http://www.4webhelp.net/us/password.php https://www.groovypost.com/forum/linux/how-to-block-access-to-wp-config-php-or-htaccess-file-t96820.html Have fun!
My WP install sits at my web root (public_html) and I’ve already moved the wp-config file up one level, so it’s outside of public_html. In light of that, would there be any benefit in me bringing it back to the web root and using your ‘include’ technique instead? Is one method more secure than the other? Are they both OK with regard to future one-click updating of WordPress?

Warning: require_once(/home4/myaccount/wp-configs/wp-settings.php): failed to open stream: No such file or directory in /home4/myaccount/wp-configs/wp-config-secure.php on line 76
Fatal error: require_once(): Failed opening required ‘/home4/myaccount/wp-configs/wp-settings.php’ (include_path=’.:/opt/php54/lib/php’) in /home4/myaccount/wp-configs/wp-config-secure.php on line 76

Line 76 of my real config file is: require_once(ABSPATH . ‘wp-settings.php’); How can I fix this? Also, WP_debug is set to false, so should I even get an error message? Thanks

If they won’t help, just let me know and I can assist as well. Just let us know.

I then deleted the content of my original wp-config.php and added the include to it referencing the new folder location (as per the article instructions). As I said, the website works fine except for the error messages when browsing to mydomain.com/wp-config.php. I notice that the warning and error messages both reference the wp-settings.php file and are looking in my new secret folder, yet the original article makes no mention of moving this file into this folder. The article was written 3 years ago; maybe something has changed within WordPress in that time to do with the absolute path that now needs to be changed in addition? Any help you can give would be really appreciated. Thanks
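A check for the finished setup, as an added example (not code from the article or its commenters) that assumes the layout the article builds: a stub wp-config.php in the WordPress root that requires the real file by a quoted absolute path. It confirms that the stub carries no credentials and pins ABSPATH (the cause of the require_once error quoted above), that the real file resolves to somewhere outside the document root, and that the real file is not world-readable. Given no arguments it checks a constructed fixture in the temp directory instead of a live install; the fixture’s folder names are invented for the dry run.

```php
<?php
/*
 * check-wp-config.php: sanity checks for a relocated wp-config.php.
 * Added example, not code from the article or its commenters. It assumes a
 * stub wp-config.php in the WordPress root that requires the real file by a
 * quoted absolute path. Run it from a shell as
 *   php check-wp-config.php /home/you/public_html/blog /home/you/public_html
 * With no arguments it builds a throw-away fixture in the temp directory and
 * checks that instead, so it can be tried before touching a live install.
 */

function check_relocated_config( $wp_root, $document_root ) {
    $problems = array();
    $stub     = rtrim( $wp_root, '/' ) . '/wp-config.php';

    $source = @file_get_contents( $stub );
    if ( false === $source ) {
        return array( "stub not found: $stub" );
    }

    // 1. The stub in the document root must carry no credentials at all.
    if ( preg_match( '/define\s*\(\s*[\'"]DB_(PASSWORD|USER|NAME|HOST)[\'"]/', $source ) ) {
        $problems[] = 'stub still defines database credentials';
    }

    // 2. The stub must pin ABSPATH before handing off; otherwise a direct
    //    request to /wp-config.php makes the moved file derive ABSPATH from
    //    its own folder and fail on require_once(ABSPATH . 'wp-settings.php').
    if ( ! preg_match( '/define\s*\(\s*[\'"]ABSPATH[\'"]/', $source ) ) {
        $problems[] = 'stub does not define ABSPATH before including the real config';
    }

    // 3. The first quoted absolute .php path is taken to be the hand-off target.
    if ( ! preg_match( '/[\'"](\/[^\'"]+\.php)[\'"]/', $source, $m ) ) {
        $problems[] = 'stub does not include another file by absolute path';
        return $problems;
    }
    $real = realpath( $m[1] );
    if ( false === $real ) {
        $problems[] = "real config missing or unreadable: {$m[1]}";
        return $problems;
    }

    // 4. The real config must sit outside the document root, so a server that
    //    suddenly serves .php files as text still cannot hand it to a browser.
    $docroot = realpath( $document_root );
    $prefix  = ( false === $docroot ) ? null : rtrim( $docroot, '/' ) . '/';
    if ( null === $prefix ) {
        $problems[] = "document root not found: $document_root";
    } elseif ( 0 === strncmp( $real, $prefix, strlen( $prefix ) ) ) {
        $problems[] = "real config is inside the document root: $real";
    }

    // 5. Other tenants of a shared box should not be able to read it:
    //    flag the world-readable bit.
    $mode = fileperms( $real ) & 0777;
    if ( $mode & 0004 ) {
        $problems[] = sprintf( 'real config is world-readable (mode %04o)', $mode );
    }

    return $problems;
}

// Constructed fixture for a dry run: a stub under public_html/blog and a
// renamed real config under a sibling private/ folder, owner-readable only.
function build_fixture() {
    $base = sys_get_temp_dir() . '/wpcfg-' . bin2hex( random_bytes( 4 ) );
    mkdir( "$base/public_html/blog", 0700, true );
    mkdir( "$base/private", 0700 );
    $real = "$base/private/futurama-fan-fic.php";
    file_put_contents( $real, "<?php\ndefine( 'DB_PASSWORD', 'constructed-secret' );\n" );
    chmod( $real, 0600 );
    file_put_contents(
        "$base/public_html/blog/wp-config.php",
        "<?php\nif ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', dirname( __FILE__ ) . '/' ); }\n"
        . "require_once '$real';\n"
    );
    return array( "$base/public_html/blog", "$base/public_html" );
}

if ( PHP_SAPI === 'cli' ) {
    list( $wp_root, $doc_root ) = isset( $argv[1] )
        ? array( $argv[1], isset( $argv[2] ) ? $argv[2] : $argv[1] )
        : build_fixture();
    $problems = check_relocated_config( $wp_root, $doc_root );
    echo $problems ? "FAIL\n - " . implode( "\n - ", $problems ) . "\n" : "OK\n";
    exit( $problems ? 1 : 0 );
}
```

Run against a live install, the second argument is the host’s document root (the folder that public_html or www maps to); the script exits non-zero and lists every failed check, so it can also sit in a cron job or deploy script. The fixture run prints OK, since its stub has no credentials, pins ABSPATH, and points at a 0600 file in a folder beside, not beneath, the document root.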