Moving wp-config.php to private directory

  • Resolved MrsPost


    Is there a way to move the wp-config.php file (with all the connection goodies) to a private directory to keep the script kiddies away?

    I didn’t see anything in the forum or the documentation that would apply to this.

Viewing 6 replies - 1 through 6 (of 6 total)
  • As I understand it, that’s a PHP file, and that info can’t be seen.

    Please review: Hardening_WordPress

    I did read that before posting and didn’t find anything on moving that file out of the public directory.

    /wp-admin/ — the WordPress administration area: all files should be writable only by your user account.

    Just because they can’t write to it doesn’t mean that they can’t possibly view it and see all the connection information in clear text.

    I know that part of my responsibility is to secure all the directories properly but being able to move that critical file into a private directory seems like a pretty basic security practice.

    Moderator Peter Westwood


    WordPress Lead Developer

    You can move the wp-config.php file to the directory above your WordPress install.

    This means for a site installed in the root of your webspace you can store it outside the webroot fine.

    Hopefully I won’t forget that feature again!

    Added this to Codex:

    I’ve seen this a number of times, but when I move wp-config to the wp-includes folder, I get an error that wp-config does not exist. I’m guessing I’m misunderstanding how to do this. It’s easy enough to understand that you wouldn’t want anyone to read wp-config.

    Why is it set by default to be able to be read publicly anyway? Is it too simplistic to simply change the permissions on this file and leave it where it is? This really doesn’t apply to automated attacks, does it? It seems the config file would only come into play if there was an actual hacker trying to pry into your site a bit.

    Thanks for the thread on this…it’s an important issue. I always took security for granted until my site was destroyed. Live and learn 🙂


    I think by up they mean in the other direction, outside your public_html folder.

    Some hosts only give you access to public_html, so you might need to contact your hosting support to put a file outside of public_html.
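
The lookup described in the replies above, as an added example that is not part of the original thread and is not WordPress's own code: it checks the install directory, then the directory directly above it, and reports whether the file that is found sits inside the web root. The function names `find_wp_config` and `config_exposure` and the demo directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: models the lookup as described in the thread (install
# directory first, then the directory directly above it). Nothing else,
# such as wp-includes, is searched. All paths below are constructed.

# Print the wp-config.php that would be found for install dir $1, or fail.
find_wp_config() {
    wp_dir=$(cd "$1" && pwd -P) || return 2
    for candidate in "$wp_dir/wp-config.php" "$(dirname "$wp_dir")/wp-config.php"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Classify the config for install dir $1 against web root $2.
# Prints one of: missing, inside-webroot, outside-webroot
config_exposure() {
    webroot=$(cd "$2" && pwd -P) || return 2
    config=$(find_wp_config "$1") || { echo missing; return 0; }
    case "$config" in
        "$webroot"/*) echo inside-webroot ;;
        *)            echo outside-webroot ;;
    esac
}

# Three constructed layouts: a root install with the config one level up,
# a subdirectory install with the config one level up, and the config
# placed in wp-includes (the case that produced the error in the thread).
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/a/public_html" "$base/b/public_html/blog" \
             "$base/c/public_html/wp-includes"
    : > "$base/a/wp-config.php"
    : > "$base/b/public_html/wp-config.php"
    : > "$base/c/public_html/wp-includes/wp-config.php"
    echo "root install:   $(config_exposure "$base/a/public_html" "$base/a/public_html")"
    echo "subdir install: $(config_exposure "$base/b/public_html/blog" "$base/b/public_html")"
    echo "in wp-includes: $(config_exposure "$base/c/public_html" "$base/c/public_html")"
    rm -rf "$base"
}
demo
```

Only the first layout moves the file out of the web-served tree; a subdirectory install with the config one level up is still under `public_html`.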
