How to Secure WP-Config.php File

In this video, I’m going to show you how to secure your WordPress site by showing you a couple of ways to secure your wp-config.php file. One way we’re going to do that is by moving it from where it is to where the bad guys can’t find it. Now since there are arguments on both sides of the fence that doing this will secure your site or do this will not secure your site, I’m also going to show you another way to secure your config file by adding some code to your .htaccess file.

So let’s go ahead and get started. But before we do, I want to give you a little public service announcement. First, before you do any playing around with code or messing with moving files, you want to make sure that you have a current full backup. That’s a backup of both your files and your database. So before you do anything, get your full backup done.

Secondly, the moving of the wp-config.php file will not work at all – as a matter of fact, it will break your site – if your WordPress site is installed on a subdomain or if it’s a multisite setup. So that’s another reason why I want to show you another way of securing your config file by adding code to your .htaccess file just in case your WordPress site is installed on a subdirectory or is a multisite setup. Again, if it’s a subdirectory or it’s a multisite setup, do not do the moving of the config file. That will not only not work, it will break your site.

That said, let’s get to work. I’m going to be doing this within my cPanel control panel. You can do pretty much the same thing if you are using something like FileZilla or an FTP client. But for me, it’s just a lot easier to do it within file manager of my cPanel control panel. So I’ve already logged into cPanel. Click on File Manager. And here is the wp-config.php file. Now we’re not talking about the wp-config-sample.php. That’s basically just trash right now. We could just delete that and not have to worry about it, but we’ll leave it alone for now. The one we’re going to be moving is right here, wp-config.php.

Now first off, I want to demonstrate that the site is working. Click on My Blog, OK, hello world. It’s a brand new installation, so there’s nothing on there. What have we got here? Okay, so everything is working just fine. So we come on back to File Manager. And let’s just select our wp-config.php file. And right now, it is located in the root directory. It’s located inside of the public_html folder. Hit the drop-down there. You can see that it is right in here along with these guys here. So what I’m going to do is I’m going to move it outside of up a level from the root directory. I’m going to put it in the same directory as the public_html. I just left-click, hold, and drag it on up there. And you can see it’s gone from here. Just go ahead and reload this. Yup, it’s definitely gone. And if I click on this to show you all the contents of this, you can see the public_html right here. If I scroll down, you’ll see the config file right here. So we have successfully moved it. Come on back to the site, and let’s click on that, and click on that. Yup, we’re still working just fine. Okay, so that’s how you can move the config file and it is working just fine. Now let’s come on back here and bring it back. Select it, left-click, hold, and drag it over to the public_html directory or folder, and there it is. So we’re back in business now.

Now the other way is by adding some code to your .htaccess file. Now if yours is a brand new installation of WordPress, you might not have this just yet – in which case, one way to do it is come up here and click on Create File. And name it, put a period there, htaccess, click on Create New File. That’s one way to do it. But I’ve already got one made, so I’m going to select it, and then right-click, and click on Edit. And you want to come on up here to the very top. And this is where you want to enter this code. Now, this code I’m going to be included along with this video as a separate copy-and-paste file. There’s not a whole lot to it, but just in case you don’t want to pause the video and take a chance on getting anything wrong here, I’ve got you covered. Basically, you’ve got this:

<files wp-config.php> 
order allow,deny 
deny from all 
</files>

And that’s it. Come on over here. Click on Save. Click on Close. And now nobody has access to that wp-config file except for you and anybody else that has access to your server. And that’s it. We have now added an additional layer of security to our WordPress site by securing the wp-config.php file in a couple of different ways.

And that’s going to bring us to the end of this video. Thanks for watching and you have a great day.