How to Secure wp-config.php Properly

Protect your database credentials, salts, and security settings from hackers — with proven, server-safe methods.

Why wp-config.php Is Your Most Critical File

The wp-config.php file contains your database credentials, authentication salts, and security settings.

If exposed, an attacker gains full control of your site. Yet most hosts leave it readable by default. This guide shows you how to lock it down.

Three Layers of Protection

  1. Move it → Place it outside the web root (/public_html)
  2. Restrict permissions → Set file permissions to 600
  3. Block web access → Prevent direct HTTP downloads

Step-by-Step Securing Guide

1. Move wp-config.php One Level Up

Upload wp-config.php to the parent directory of the web root (e.g., /home/youruser/). WordPress checks there automatically, provided that the parent directory is not itself a WordPress install (it must not contain a wp-settings.php) and that the PHP process can read the file there.

2. Set Correct File Permissions

In cPanel File Manager or via SSH:

chmod 600 wp-config.php

This ensures only your user can read/write the file. It works when PHP runs as your account user (the usual cPanel/suPHP or PHP-FPM pool setup); if the web server runs as a different user, it will not be able to read the file, and you need 640 with the web server's group as the file's group instead.

3. Block Direct Web Access

Add this to your .htaccess:

<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>

Need It Done Safely?

If you’re unsure about file permissions or server paths, our vetted Fiverr experts can:

Hire a WP Security Expert

Frequently Asked Questions

Can I move wp-config.php outside public_html?

Yes. WordPress automatically looks one directory above if it doesn’t find wp-config.php in the root. This is the most secure location.

What file permissions should wp-config.php have?

600 (owner read/write only). Never use 644 or 755 — these allow other users on the server to read your database credentials.

Will blocking web access break my site?

No. WordPress reads the file via PHP, not HTTP. Blocking direct browser access prevents attackers from downloading it.

Do I need to regenerate security keys?

Only if they’re default or compromised. Use the official generator: WordPress Salt Generator (https://api.wordpress.org/secret-key/1.1/salt/). Note that changing the keys invalidates every existing login cookie, so all users, including you, are logged out.
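As an added example (a script of my own, not part of the original article), here is a POSIX shell audit covering the three layers from the step-by-step guide above plus this FAQ's question about default keys: file location relative to the web root, the 600 permission bits, whether the file is served over HTTP, and whether the salts are still the placeholder text. The docroot /home/youruser/public_html and the URL https://example.com in the usage comment are placeholders; the HTTP check assumes curl is installed and is run against your own site.

```shell
#!/bin/sh
# Added example: audit wp-config.php hardening (not code from the original article).

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Layer 1: wp-config.php should live in the parent of the web root, not inside it.
# Returns 0 only when the file is found one level above and not inside the docroot.
check_location() {
    docroot="$1"
    if [ -f "$docroot/wp-config.php" ]; then
        echo "WARN: wp-config.php is inside the web root ($docroot)"
        return 1
    fi
    if [ -f "$docroot/../wp-config.php" ]; then
        echo "OK: wp-config.php is one level above the web root"
        return 0
    fi
    echo "WARN: wp-config.php not found inside or above $docroot"
    return 1
}

# Layer 2: permission bits must be exactly 600 (owner read/write only).
check_permissions() {
    mode=$(file_mode "$1")
    if [ "$mode" = "600" ]; then
        echo "OK: $1 is mode 600"
        return 0
    fi
    echo "WARN: $1 is mode $mode, expected 600 (fix: chmod 600 $1)"
    return 1
}

# Layer 3: the file must not be downloadable. 403/404 means blocked;
# 200 means the raw credentials are being served to anyone who asks.
check_http() {
    status=$(curl -s -o /dev/null -w '%{http_code}' "$1/wp-config.php")
    case "$status" in
        403|404) echo "OK: HTTP $status for wp-config.php"; return 0 ;;
        200)     echo "CRITICAL: wp-config.php served with HTTP 200"; return 1 ;;
        *)       echo "WARN: unexpected HTTP status $status"; return 1 ;;
    esac
}

# FAQ check: a fresh wp-config-sample.php ships every key as the placeholder
# 'put your unique phrase here'; any surviving copy means the salts were never set.
check_salts() {
    if grep -q 'put your unique phrase here' "$1"; then
        echo "WARN: $1 still contains placeholder salts; regenerate them"
        return 1
    fi
    echo "OK: no placeholder salts in $1"
    return 0
}

# Usage (placeholder paths and URL; adjust to your host):
# check_location /home/youruser/public_html
# check_permissions /home/youruser/wp-config.php
# check_http https://example.com
# check_salts /home/youruser/wp-config.php
```

Run it from your account over SSH; each function prints an OK/WARN line and returns non-zero on a finding, so the calls can be chained in a cron job that alerts when a host migration or a plugin installer silently resets the file's permissions or location.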
