Securing wp-config.php: Essential Protection Strategies

The wp-config.php file contains your most sensitive WordPress credentials. Learn how to protect this critical file from unauthorized access and attacks.

Sarah Chen

Why wp-config.php Is Critical

The wp-config.php file is the most sensitive file in your WordPress installation. It contains database credentials, authentication keys, security salts, and various configuration settings that control your entire site. If attackers gain access to this file, they can take complete control of your website and database.

What wp-config.php Contains

Database Credentials

Your database name, username, password, and host are stored in plain text. With these credentials, attackers can access, modify, or delete all your data.

Authentication Keys and Salts

These unique phrases encrypt information stored in cookies. Compromised keys allow attackers to forge authentication cookies and hijack user sessions.

Table Prefix

While not secret, knowing your table prefix helps attackers craft SQL injection attacks.

Debug Settings

If debug mode is enabled and visible, error messages may reveal sensitive information about your server configuration.

File Permission Protection

Set Restrictive Permissions

Use the most restrictive permissions possible:

chmod 400 wp-config.php

This allows only the file owner to read the file. If your server requires group access:

chmod 440 wp-config.php

Verify Current Permissions

ls -la wp-config.php

Never use 644 or higher for wp-config.php.

Move wp-config.php Above Web Root

How It Works

WordPress automatically checks one directory above the installation for wp-config.php. Moving it outside the web-accessible directory prevents direct access via URL.

Implementation

# Move the file
mv /var/www/html/wp-config.php /var/www/wp-config.php

WordPress will find it automatically. No code changes needed.

Considerations

This only works for a single WordPress installation. Several sites installed in sibling subdirectories cannot all use this approach, because each of them would look for the same file in the same parent directory.
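The two recommendations above (restrictive permission bits, and relocating the file one level up) can be checked from a shell. The script below is an added example written for this article, not code from the original post or from WP Folder Shield. It assumes a POSIX sh with GNU or BSD stat, and that the argument you pass is ABSPATH (the directory holding wp-settings.php), which on a standard install is also the document root. find_wp_config reproduces the lookup order WordPress itself uses in wp-load.php: the parent directory's wp-config.php is only accepted when that parent does not contain a wp-settings.php, which is exactly why nested installs cannot share the relocated file.

```shell
#!/bin/sh
# Added example (not from the article or from WP Folder Shield): check the
# permission bits of wp-config.php and show which copy WordPress will load.
set -eu

# Octal permission bits of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 for the recommended modes (400 or 440); 2 when nothing is granted to
# "others" but the mode is still wider than recommended (600, 640, ...);
# 1 when the file is world-readable (644 and similar).
check_wp_config_mode() {
    mode=$(file_mode "$1")
    others=${mode#"${mode%?}"}          # last octal digit = permissions for everyone else
    case "$mode" in
        400|440) return 0 ;;
    esac
    [ "$others" = "0" ] && return 2
    return 1
}

# Mirror the lookup order in wp-load.php: a wp-config.php inside ABSPATH wins;
# otherwise the parent directory's copy is used, but only if that parent is not
# itself a WordPress install (no wp-settings.php there). Prints the chosen path,
# exit status 1 when WordPress would find nothing.
find_wp_config() {
    abspath=${1%/}
    parent=$(dirname "$abspath")
    if [ -f "$abspath/wp-config.php" ]; then
        echo "$abspath/wp-config.php"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        echo "$parent/wp-config.php"
    else
        return 1
    fi
}

# Exit 0 when the file WordPress loads sits inside the document root, i.e. it
# would be served as a URL if the PHP handler ever failed or was misconfigured.
wp_config_exposed() {
    docroot=${1%/}
    cfg=$(find_wp_config "$2") || return 1
    case "$cfg" in
        "$docroot"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh wpconfig-check.sh /var/www/html
if [ $# -gt 0 ]; then
    if cfg=$(find_wp_config "$1"); then
        echo "WordPress will load: $cfg (mode $(file_mode "$cfg"))"
        rc=0; check_wp_config_mode "$cfg" || rc=$?
        case $rc in
            0) echo "permissions: ok" ;;
            2) echo "permissions: not world-readable, but tighten to 400 or 440" ;;
            *) echo "permissions: WORLD-READABLE, run chmod 400 on it" ;;
        esac
        if wp_config_exposed "$1" "$1"; then
            echo "location: inside the document root; consider moving it one level up"
        fi
    else
        echo "no wp-config.php found for $1"
    fi
fi
```

The exit codes are deliberately graded: a 600 or 640 file is not the emergency that a 644 file is, but it is still wider than the chmod 400 the article recommends, and a cron job can treat the two cases differently.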

Block Direct Access via .htaccess

Apache Configuration

Add to your root .htaccess file (this is the Apache 2.2 access-control syntax; on Apache 2.4 it only takes effect when mod_access_compat is loaded, otherwise use the 2.4 Require directives):

<files wp-config.php>
order allow,deny
deny from all
</files>

Nginx Configuration

location ~ wp-config.php {
    deny all;
}

Strengthen Authentication Keys

Generate New Keys

Use the official WordPress generator:

Visit: https://api.wordpress.org/secret-key/1.1/salt/

Replace Existing Keys

Copy the generated keys and replace the existing ones in wp-config.php. This invalidates all existing cookies and forces all users to log in again.

Rotate Keys Regularly

Change authentication keys periodically, especially after:

  • Suspected security breach
  • Removing administrator access from someone
  • Cleaning malware infection
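Rotating the keys can also be done offline, as an added example that is not part of the original article or of WP Folder Shield's code. Instead of pasting from the generator URL, the script below derives the eight values from /dev/urandom, rewrites each define() in place and then restores the file's original permission bits, because writing a new file and moving it over the old one would otherwise leave wp-config.php with the umask default (typically 644) and silently undo the chmod 400 recommended above. It assumes a POSIX sh with awk, tr and GNU or BSD stat, and that each key sits on its own define('NAME', '...'); line as in the standard wp-config.php layout.

```shell
#!/bin/sh
# Added example (not from the article or WP Folder Shield): rotate the eight
# WordPress authentication keys and salts in wp-config.php without network access.
set -eu

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Octal permission bits of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 64 random printable characters. Quote and backslash are excluded so the value
# can sit inside a PHP single-quoted string without escaping.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=-' < /dev/urandom | head -c 64
}

# Replace the value on the define('NAME', ...) line; every other line passes
# through untouched. The rewritten file gets the original mode back.
set_define() {
    cfg=$1; name=$2; value=$3
    awk -v n="$name" -v v="$value" -v q="'" '
        $0 ~ /^[ \t]*define[ \t]*\(/ && index($0, q n q) > 0 {
            print "define(" q n q ", " q v q ");"
            next
        }
        { print }
    ' "$cfg" > "$cfg.tmp"
    mode=$(file_mode "$cfg")
    mv "$cfg.tmp" "$cfg"
    chmod "$mode" "$cfg"
}

rotate_wp_salts() {
    cfg=$1
    for name in $WP_SALT_NAMES; do
        set_define "$cfg" "$name" "$(gen_secret)"
    done
}

# Exit 0 when no placeholder phrase remains and every key carries a 64-character value.
check_wp_salts() {
    cfg=$1
    grep -q 'put your unique phrase here' "$cfg" && return 1
    for name in $WP_SALT_NAMES; do
        value=$(sed -n "s/^define('$name', *'\([^']*\)');.*\$/\1/p" "$cfg")
        [ "${#value}" -eq 64 ] || return 1
    done
    return 0
}

# Usage: sh rotate-salts.sh /var/www/wp-config.php
if [ $# -gt 0 ]; then
    if rotate_wp_salts "$1" && check_wp_salts "$1"; then
        echo "rotated 8 keys in $1; every user will have to log in again"
    else
        echo "rotation incomplete, inspect $1"
    fi
fi
```

As the article notes, every existing cookie becomes invalid the moment the new values are in place, so run this in a maintenance window and keep a backup of the previous file until the site has been verified.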

Secure Database Credentials

Use Strong Database Password

Generate a complex password with letters, numbers, and special characters. A length of at least 20 characters is recommended.

Limit Database User Privileges

The WordPress database user should only have necessary permissions:

  • SELECT, INSERT, UPDATE, DELETE
  • CREATE, ALTER, DROP (for updates only)

Avoid granting GRANT, FILE, or SUPER privileges.

Use Unique Database User

Create a dedicated database user for WordPress, not a shared account used by other applications.

Disable File Editing

Prevent Theme/Plugin Editor

Add to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

This removes the file editor from WordPress admin, preventing attackers who gain admin access from modifying code directly.

Prevent All File Modifications

define('DISALLOW_FILE_MODS', true);

This also disables plugin and theme installation/updates through the admin panel.

Secure Debug Settings

Disable Display Errors

define('WP_DEBUG', true);          // master switch: the two constants below are only read when this is true
define('WP_DEBUG_DISPLAY', false); // never print errors into pages served to visitors
define('WP_DEBUG_LOG', true);      // write them to wp-content/debug.log instead

Errors are logged to wp-content/debug.log instead of being displayed to visitors. WordPress honours WP_DEBUG_DISPLAY and WP_DEBUG_LOG only while WP_DEBUG is true; with WP_DEBUG set to false neither constant has any effect and nothing is written to the log.

Protect Debug Log

If using debug logging, protect the log file:

<files debug.log>
order allow,deny
deny from all
</files>

Additional Security Constants

Force SSL for Admin

define('FORCE_SSL_ADMIN', true);

Block External Requests

define('WP_HTTP_BLOCK_EXTERNAL', true);
// Only the hosts listed here stay reachable. Update packages are fetched from downloads.wordpress.org, so add it alongside api.wordpress.org if automatic updates must keep working.
define('WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.github.com');

Limit Post Revisions

define('WP_POST_REVISIONS', 5);

Monitoring wp-config.php

File Integrity Monitoring

Set up alerts for any changes to wp-config.php. Security plugins like WP Folder Shield monitor this file for unauthorized modifications.

Regular Audits

Periodically review wp-config.php settings to ensure no unauthorized changes have been made.
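A periodic audit can be scripted against the constants recommended in this article. The script below is an added example, not the article's own code and not part of WP Folder Shield. It parses define('NAME', value); lines from a wp-config.php with sed, compares the four boolean constants from the sections above (DISALLOW_FILE_EDIT, WP_DEBUG_DISPLAY, FORCE_SSL_ADMIN, WP_HTTP_BLOCK_EXTERNAL) with their recommended values, applies the 20-character minimum to DB_PASSWORD, and prints one line per deviation and nothing at all when the file matches. The expected list is assembled from this article's recommendations, and the script assumes the standard one-define-per-line layout.

```shell
#!/bin/sh
# Added example (not from the article or WP Folder Shield): compare the
# hardening constants in a wp-config.php with the values recommended above.
set -eu

# Constructed from this article's recommendations: NAME and the wanted literal.
EXPECTED="DISALLOW_FILE_EDIT true
WP_DEBUG_DISPLAY false
FORCE_SSL_ADMIN true
WP_HTTP_BLOCK_EXTERNAL true"

# Print the raw value of define('NAME', value); (quotes included for strings),
# or nothing when the constant is not defined in the file.
wp_config_constant() {
    sed -n "s/^ *define( *['\"]$2['\"] *, *\(.*\));.*\$/\1/p" "$1" | sed 's/ *$//' | head -n 1
}

# One line per deviation; empty output means the file matches the recommendations.
audit_wp_config() {
    cfg=$1
    printf '%s\n' "$EXPECTED" | while read -r name want; do
        have=$(wp_config_constant "$cfg" "$name")
        if [ -z "$have" ]; then
            echo "$name: not set (want $want)"
        elif [ "$have" != "$want" ]; then
            echo "$name: is $have (want $want)"
        fi
    done
    pw=$(wp_config_constant "$cfg" DB_PASSWORD)
    case $pw in
        \'*|\"*) pw=${pw#?}; pw=${pw%?} ;;   # strip the surrounding PHP quotes
    esac
    [ "${#pw}" -ge 20 ] || echo "DB_PASSWORD: ${#pw} characters (want at least 20)"
}

# Usage: sh audit-wp-config.sh /var/www/wp-config.php
if [ $# -gt 0 ]; then
    out=$(audit_wp_config "$1")
    if [ -z "$out" ]; then
        echo "$1: all recommended constants present"
    else
        printf '%s\n' "$out"
    fi
fi
```

Run it from cron and mail the output only when it is non-empty; a sudden deviation on a file nobody was supposed to touch is the kind of change the file-integrity monitoring above is meant to catch.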

Conclusion

Protecting wp-config.php is essential for WordPress security. Use restrictive file permissions, consider moving it above web root, block direct access, use strong credentials, and disable unnecessary features to minimize your attack surface.

Written by Sarah Chen

WP Folder Shield Team
