Hardening

Securing the WordPress wp-config.php File

The wp-config.php file contains your most sensitive WordPress settings. Learn how to protect this critical file from unauthorized access.

Sarah Chen
6 min read

What is wp-config.php?

The wp-config.php file is one of the most important files in your WordPress installation. It contains configuration information that WordPress needs to function, including database connection details, security keys, and various settings that control how WordPress operates.

If an attacker gains access to this file, they obtain your database credentials and can take complete control of your website. Protecting wp-config.php is essential for WordPress security.

Sensitive Information in wp-config.php

Database Credentials

The file contains your database host, name, username, and password. With these credentials, attackers can directly access and modify your database.

Security Keys and Salts

WordPress uses these cryptographic keys to secure cookies and passwords. If compromised, attackers can forge authentication cookies.

Table Prefix

While less sensitive, knowing your table prefix lets an attacker name your tables directly when exploiting an existing SQL injection flaw instead of having to guess them.

Debug Settings

Debug settings, if enabled on production sites, can reveal sensitive information about your installation.

Protection Methods

Move wp-config.php Above Web Root

WordPress can access wp-config.php from one directory above your web root. This placement makes the file inaccessible via web browser:

Current location: /public_html/wp-config.php
Move to: /wp-config.php

WordPress automatically looks for the file in the parent directory if it's not in the main WordPress folder (it only does so when that parent directory does not contain its own wp-settings.php). This only helps when WordPress itself is installed at the web root: if it lives in a subdirectory such as /public_html/blog/, the parent directory is still served by the web server and the move gains nothing.

Block Access via .htaccess

Add this rule to your .htaccess file to block all web access to wp-config.php:

<Files wp-config.php>
    # Apache 2.2 syntax; on Apache 2.4 replace the two lines below with: Require all denied
    Order allow,deny
    Deny from all
</Files>

Nginx Configuration

For Nginx servers, add this to your server block. Place it before the generic PHP handler (location ~ \.php$), because the first matching regular-expression location wins and the PHP block would otherwise execute the file instead of denying it:

# Case-insensitive and unanchored, so backup copies such as wp-config.php.bak are blocked too
location ~* wp-config\.php {
    deny all;
}

Set Restrictive File Permissions

Set the most restrictive permissions possible:

  • Recommended: 400 (read-only for owner)
  • Alternative: 440 (read-only for owner and group)
  • Maximum: 600 (read-write for owner only)

The file must still be readable by the user PHP runs as, so with 400 or 600 that user must own the file, and with 440 it must be the owner or a member of the file's group; otherwise the site will fail to load.

Enhancing wp-config.php Security

Regenerate Security Keys

If you suspect your site may have been compromised, regenerate all security keys. Visit the WordPress secret key generator (https://api.wordpress.org/secret-key/1.1/salt/) and replace your existing keys. Changing them invalidates every existing authentication cookie, which logs out all users, including anyone holding a stolen or forged session:

  • AUTH_KEY
  • SECURE_AUTH_KEY
  • LOGGED_IN_KEY
  • NONCE_KEY
  • AUTH_SALT
  • SECURE_AUTH_SALT
  • LOGGED_IN_SALT
  • NONCE_SALT
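As an added example (not code from the article or from WP Folder Shield), the following rotates all eight keys and salts listed above locally from /dev/urandom instead of fetching them from the generator; the function names and the sample file are hypothetical.

```shell
# Added example: regenerate all eight keys/salts with the kernel CSPRNG.
# Function names are hypothetical, not part of WordPress.
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random alphanumerics; no characters that would need escaping in sed
random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# Rewrite the define('KEY', '...'); line of each key, leaving everything else untouched
rotate_keys() {
    f="$1"
    for k in $WP_KEYS; do
        new=$(random_key)
        sed -i.bak "s|define( *'$k' *, *'[^']*' *);|define('$k', '$new');|" "$f"
    done
    rm -f "$f.bak"
}

# Read back the current value of one key (used to verify the rotation)
key_value() {
    sed -n "s|.*define( *'$2' *, *'\([^']*\)' *);.*|\1|p" "$1"
}

# Constructed sample (not a real site's file) still carrying the installer placeholders
write_key_sample() {
    cat > "$1" <<'EOF'
<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
}
```

Run rotate_keys against a copy of the real file first and diff the result; only the eight define lines should change.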

Disable File Editing

Prevent theme and plugin editing through the WordPress admin:

define('DISALLOW_FILE_EDIT', true);

Disable Plugin and Theme Installation

For maximum security, prevent file modifications entirely:

define('DISALLOW_FILE_MODS', true);

Note: This also disables updates through the admin panel and WordPress's automatic background updates (the updater treats DISALLOW_FILE_MODS as "updates disabled"), so you must apply core, plugin and theme updates another way, for example from the command line.

Force SSL for Admin

Ensure all admin activity happens over HTTPS:

define('FORCE_SSL_ADMIN', true);

Limit Post Revisions

Reduce database size by limiting revisions:

define('WP_POST_REVISIONS', 5);

Disable Debug on Production

Ensure debugging is disabled on live sites:

define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);
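The checks from the sections above (file mode, placeholder keys, DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, WP_DEBUG and the default table prefix) combined into one audit, as an added example that is not code from the article or from WP Folder Shield; the function names and both sample files are hypothetical.

```shell
# Added example: audit a wp-config.php against the hardening points above.
# Prints one finding per line and returns 1; prints nothing and returns 0 when clean.
audit_wp_config() {
    f="$1"; rc=0; ws='[[:space:]]*'
    # File mode: only 400, 440 or 600 are acceptable (GNU stat, BSD stat fallback)
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in 400|440|600) ;;
        *) echo "mode $mode too permissive (use 400, 440 or 600)"; rc=1 ;; esac
    # Keys and salts still carry the installer placeholder
    if grep -q 'put your unique phrase here' "$f"; then
        echo "default-keys: security keys/salts not regenerated"; rc=1
    fi
    # Hardening constants that should be defined as true
    for c in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
        grep -Eq "define\(${ws}'$c'${ws},${ws}true${ws}\)" "$f" \
            || { echo "missing: $c not set to true"; rc=1; }
    done
    # Debug output must be off on a production site
    if grep -Eq "define\(${ws}'WP_DEBUG'${ws},${ws}true${ws}\)" "$f"; then
        echo "debug-on: WP_DEBUG is true"; rc=1
    fi
    # Default table prefix still in use
    if grep -Eq "^${ws}\\\$table_prefix${ws}=${ws}'wp_'" "$f"; then
        echo "default-prefix: table prefix is wp_"; rc=1
    fi
    return $rc
}
# Constructed sample (not a real site's file) that trips every check above
write_weak_sample() {
    cat > "$1" <<'EOF'
<?php
define('DB_PASSWORD', 'example-password-placeholder');
define('AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', true);
EOF
    chmod 644 "$1"
}
# The same file after applying the article's advice (values are constructed)
write_hardened_sample() {
    cat > "$1" <<'EOF'
<?php
define('AUTH_KEY', 'constructed-random-value-0123456789abcdef');
$table_prefix = 'x7q_';
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
EOF
    chmod 400 "$1"
}
```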

Database Security in wp-config.php

Use a Strong Database Password

Generate a complex password with at least 20 characters. Don't use the same password for other accounts.

Create a Dedicated Database User

Don't use your hosting account's main database user. Create a user with only the necessary privileges for WordPress, granted on the WordPress database alone rather than on every database on the server.

Use a Non-Default Table Prefix

Change the default 'wp_' prefix to something unique. For existing installations, use a plugin or careful SQL commands to change it.

Additional wp-config.php Tips

Define Memory Limit

Increase the PHP memory limit if needed:

define('WP_MEMORY_LIMIT', '256M');

Automatic Updates

Configure automatic updates for security:

define('WP_AUTO_UPDATE_CORE', true);

Block External Requests

If your site doesn't need external HTTP requests, block them. Note that this also blocks WordPress's own update checks and plugin/theme downloads from api.wordpress.org, so pair it with the WP_ACCESSIBLE_HOSTS constant listing the hosts you still want to allow:

define('WP_HTTP_BLOCK_EXTERNAL', true);

Monitoring wp-config.php

Use file integrity monitoring to alert you if wp-config.php is modified. Any unauthorized changes to this file indicate a serious security breach requiring immediate investigation.

Conclusion

The wp-config.php file is the key to your WordPress kingdom. Protecting it with proper permissions, access restrictions, and security configurations prevents attackers from gaining the credentials they need to compromise your site.

Written by Sarah Chen

WP Folder Shield Team