Change wp-config.php to different name for security reason

  1. adinugroho


    I handle hundreds of WordPress site in my server. Sometimes intruder coming to my server and use symlink to read any wp-config.php files in whole server. If we can change the wp-config.php name easily in future, that will increase the WordPress security.

    Posted: 2 years ago #
  2. 1989danielb

    Couldn't you just use a program such as NetBeans to do a search and replace on all instances of wp-config.php within the WordPress directory? I don't think any references to the file are in the database.

    As in you change the filename to something like "template-home.php" and then set NetBeans to find and replace any and all instances of wp-config.php to "template-home.php". Then anything pointing to the old config file name will be changed.

    Not sure if it works, but it could be a temporary solution while you wait for any changes/plugins :)

    Posted: 2 years ago #
  3. Ipstenu (Mika Epstein)


    NO! Never. 1989danielb please do not suggest that. It's a terrible idea, all your changes will be lost when you upgrade and your site will break.

    Okay. Now that we're all NOT editing core....

    You can move the wp-config.php file one level up. So if you install WP here:

    /home/public_html/index.php (etc)

    The config can go in the NON web-accessible folder:


    However. The concept that renaming that file will 'help' is not actually so. First of all, you have to be able to have a 'common' file to tell WP 'this is where I live' and since WP is open source, any reasonable hacker would be able to write a script that checks what your site is calling instead of wp-config.php

    Sometimes intruder coming to my server and use symlink to read any wp-config.php files in whole server.

    THIS is bad, horrible, dear god get a new webhost, levels of security holes. A GOOD server does not allow user A to read ANY files from User B. A symlink could be made, but would be unreadable because of permissions.

    And still, renaming won't matter if I can run a server side scan for all files with the wp-config 'headers'

    Unless of course the intruder gets in with root access, at which point nothing matters at all.

    Posted: 2 years ago #
  4. adinugroho


    Yes we can move the wp-config.php to the home folder but how if we have some subdomain for example /home/x/www/sub1/, /home/x/www/sub2/? we can't put both wp-config.php at /home/x/www/ and also it will overwrite the wp-config.php on main domain.
    At least we can one step ahead from the intruder before he found another method. I was check many intruder scripts and it create symlink to CMS configuration from their name, ex: wp-config.php, configuration.php, config.php, etc.
    Most of the scripts bruteforce all names and hope they lucky

    They can't read it if they not do the symlink first.
    If we change the wp-config.php name, they can't read our database name, username and password.

    Posted: 2 years ago #

RSS feed for this topic


You must log in to post.

  • Rating

    1 Vote
  • Status

    Sorry, not right now