# WordPress Security Tip – Move the wp-config.php file one level up in the directory structure

By default, WordPress looks for wp-config.php in the directory it is installed in. If the file is not there, it also checks one directory up, provided that parent directory does not itself contain a wp-settings.php (a guard against accidentally picking up the configuration of an enclosing WordPress install).

For example, if your blog is at http://www.mysite.com and the document root is /home/mysite/www, then you can move wp-config.php to /home/mysite and WordPress will load it from there. The advantage is that a file outside the document root cannot be requested by a web client at all, no matter how the web server or PHP is configured. You should already have rules in your .htaccess file that deny direct requests to wp-config.php, but moving it out of the web tree removes the exposure rather than just filtering it.

If your blog is not in the document root, this helps somewhat, but not much. For example, say your blog is at http://www.mysite.com/blog and lives in /home/mysite/www/blog. If you move wp-config.php to /home/mysite/www, WordPress will find it, but the file is still inside the document root and therefore still reachable by a client at http://www.mysite.com/wp-config.php. This might deter someone who only thinks to look in http://www.mysite.com/blog/wp-config.php, but not someone who is determined. The real protection comes only when the parent directory is outside the document root.
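As an added example that is not part of the original post, the following POSIX shell script works through the two layouts above. Given a document root and a WordPress install directory, it computes where WordPress will look once wp-config.php is moved one level up, reports whether that location is still under the document root (and so still web-reachable), and appends a deny rule for wp-config.php to an .htaccess file. The site URL and the /home/mysite paths are the post's own illustrative values, not real hosts; the .htaccess rule uses the Apache 2.4 `Require` syntax with a 2.2 fallback.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and URLs are hypothetical.

# Strip trailing slashes from a path (leaving "/" alone).
norm_path() {
    p=$1
    while [ "${#p}" -gt 1 ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    printf '%s\n' "$p"
}

# Where WordPress looks for the file once it is moved one directory up.
# Usage: parent_config_path INSTALL_DIR
parent_config_path() {
    inst=$(norm_path "$1")
    printf '%s/wp-config.php\n' "$(dirname "$inst")"
}

# Return 0 if TARGET lies inside DOCROOT (hence reachable over HTTP), 1 otherwise.
# Usage: under_docroot DOCROOT TARGET
under_docroot() {
    root=$(norm_path "$1")
    target=$(norm_path "$2")
    case "$target" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the URL a client could request the moved file at, or "not web-accessible".
# Usage: exposure_report SITE_URL DOCROOT INSTALL_DIR
exposure_report() {
    site=$1
    root=$(norm_path "$2")
    cfg=$(parent_config_path "$3")
    if under_docroot "$root" "$cfg"; then
        rel=${cfg#"$root"}            # path relative to the document root
        printf '%s%s\n' "$site" "$rel"
    else
        printf 'not web-accessible\n'
    fi
}

# Append an Apache rule denying direct requests to wp-config.php.
# Usage: write_deny_rule DIRECTORY   (appends to DIRECTORY/.htaccess)
write_deny_rule() {
    cat >> "$1/.htaccess" <<'EOF'
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# Worked run with the post's two layouts (constructed values).
# Blog installed at the document root: parent dir is outside the web tree.
exposure_report "http://www.mysite.com" /home/mysite/www /home/mysite/www
# -> not web-accessible
# Blog installed in a subdirectory: parent dir is still inside the web tree.
exposure_report "http://www.mysite.com" /home/mysite/www /home/mysite/www/blog
# -> http://www.mysite.com/wp-config.php
```

Run `exposure_report` with your own site URL, document root and install directory before moving the file; if it prints a URL, the move alone does not take the file out of reach and the deny rule (or a different layout) is still needed.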

Disclaimer: if the server is properly configured, someone who pulls up http://www.mysite.com/wp-config.php gets only a blank response, because PHP executes the file instead of serving its source. This post is about protecting wp-config.php in the cases where PHP is not handling the file correctly (so its contents, including the database credentials, would be shown as plain text) or where the file is not protected by other means.
