Security with WordPress config

Security with WordPress can be something of an issue amongst web developers and to be honest I’ve learnt the hard way. After having several sites hacked a few years ago I made it somewhat of a mission to safeguard against issues like this happening again. I’m going to keep these posts short and sweet to focus on the individual things you can do to protect your WordPress installations. Feel free to subscribe to the RSS feed at the bottom to get the next thrilling installment.

When you install WordPress on the server one of the first things to change is the wp-config.php where  you will add sensitive information to to make WordPress run smoothly. Things like the database name, username and password to the database, the sort of information you wouldn’t want a hacker to get hold of. If they did compromise the database, as well as ruining your day, they could wreak havoc with your WordPress site or worse the server! If the former then you might never really irradicate the problem even with a new installation of WordPress, if it’s in the database it can re-occur even with a fresh installation.

The quickest and easiest thing to do is to move the wp-config.php file one level up from the root WordPress installation. WordPress will still know how to access the database but it will be invisible to any outsiders who might be looking to hack in. So if your wp-config.php file is inside:
just move it to

For extra security you can set the permission to 400 or 440 reference Codex

An alternative is to use the htaccess file to deny access to the file, however some servers have this file hidden with a preceeding “.” if you are using an FTP app there is probably a way to show hidden files, once activated you should see the .htaccess file. If you can put this in the file:
<files wp-config.php>
order allow,deny
deny from all

Feel free to subscribe to the next Security with WordPress post.

Leave a Reply

Your email address will not be published. Required fields are marked *