[resolved] Moving wp-config.php to private directory (7 posts)

  1. MrsPost
    Posted 7 years ago #

    Is there a way to move the wp-config.php file (with all the connection goodies) to a private directory to keep the script kiddies away?

    I didn't see anything in the forum or the documentation that would apply to this.

  2. MichaelH
    Posted 7 years ago #

    As I understand it, that's a PHP file, and that info can't been seen.

    Please review: Hardening_WordPress

  3. MrsPost
    Posted 7 years ago #

    I did read that before posting and didn't find anything on moving that file out of the public directory.

    /wp-admin/ -- the WordPress administration area: all files should be writable only by your user account.

    Just because they can't write to it doesn't mean that they can't possibly view it and see all the connection information in clear text.

    I know that part of my responsibility is to secure all the directories properly but being able to move that critical file into a private directory seems like a pretty basic security practice.

  4. You can move the wp-config.php file to the directory above your WordPress install.

    This means for a site installed in the root of your webspace you can store in outside the webroot fine.

  5. MichaelH
    Posted 7 years ago #

    Hopefully I won't forget that feature again!

    Added this to Codex: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

  6. rxcknrxll
    Posted 7 years ago #

    I've seen this a number of times, but when I move wp-config to the wp-includes folder, I get an error that wp-config does not exist. I'm guessing I'm misunderstanding how to do this. It's easy enough to understand that you wouldn't want anyone to read wp-config.

    Why is it set by default to be able to be read publicly anyway? Is it to simplistic to simply change the permissions on this file and leave it where it is? This really doesn't apply to automated attacks does it? It seems the config file would only come into play if there was an actual hacker trying to pry into your site a bit.

    Thanks for the thread on this...it's an important issue. I always took security for granted until my site was destroyed. Live and learn :)

  7. DamonG
    Posted 7 years ago #


    I think by up they mean in the other direction, outside your public_html folder.

    Some hosts only give you access to public_html, so you might need to contact your hosting support to put a file outside of public_html.

Topic Closed

This topic has been closed to new replies.

About this Topic