Here’s a quick security tip that will make it nearly impossible for anyone to access your wp-config.php file. Simply move it one directory above your WordPress root.
Example:
Default wp-config.php file location:
public_html/wordpress/wp-config.php
Move it here:
public_html/wp-config.php
Source: For more WordPress security tips, check out the slides from Brad Williams’ WordPress Security presentation at WordCamp Boston 2010.
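To check where wp-config.php actually sits relative to the web root after a move like the one above, and whether its mode grants more than the 400 suggested in the comments, here is an added example (not from the original post or the cited presentation). The function names and the constructed directory tree in demo() are illustrative assumptions.

```sh
#!/bin/sh
# Added example: report whether wp-config.php is still under the web root,
# and whether its file mode grants more than owner-read (400).

# Physical absolute path of a directory; fails if it does not exist.
abs_dir() { (cd "$1" >/dev/null 2>&1 && pwd -P); }

# 0 if file $2 is inside the directory tree $1, 1 if outside, 2 on a bad path.
inside_docroot() {
  local root dir
  root=$(abs_dir "$1") || return 2
  dir=$(abs_dir "$(dirname "$2")") || return 2
  case "$dir/" in
    "$root"/*) return 0 ;;   # trailing slash keeps public_html_old from matching
    *)         return 1 ;;
  esac
}

# Print findings for config file $2 against web root $1; returns 0 only when clean.
audit_wp_config() {
  local docroot="$1" cfg="$2" mode status=0
  [ -f "$cfg" ] && [ -d "$docroot" ] || { echo "BADPATH  $docroot $cfg"; return 3; }
  if inside_docroot "$docroot" "$cfg"; then
    echo "WEBROOT  $cfg is under $docroot"; status=1
  else
    echo "OUTSIDE  $cfg is not under $docroot"
  fi
  # GNU stat first, BSD stat as fallback; both print the octal mode.
  mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
  if [ $(( 0$mode & 0377 )) -ne 0 ]; then
    echo "MODE     $mode allows more than 400"; status=1
  else
    echo "MODE     $mode"
  fi
  return "$status"
}

# Demo on a constructed tree that mirrors the paths used on this page.
demo() {
  local base; base=$(mktemp -d)
  mkdir -p "$base/public_html/wordpress" "$base/config_files"
  : > "$base/public_html/wp-config.php";  chmod 644 "$base/public_html/wp-config.php"
  : > "$base/config_files/wp-config.php"; chmod 400 "$base/config_files/wp-config.php"
  audit_wp_config "$base/public_html" "$base/public_html/wp-config.php" || echo "-> findings above"
  audit_wp_config "$base/public_html" "$base/config_files/wp-config.php"
  rm -rf "$base"
}
if [ "$#" -eq 2 ]; then audit_wp_config "$1" "$2"; else demo; fi
```

Run it with two arguments, the web root and the path to wp-config.php, to audit a real install; with no arguments it runs the constructed demo.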

If my WordPress installation is under public_html?
Like
public_html/wp-config.php
public_html/wp-content
public_html/wp-admin …
this way … then what to do?
That won’t make it “nearly impossible” for someone to access the wp-config.php file. It will only make it “slightly more difficult” since your wp-config.php is still in a web-accessible location. If there was some reason it shouldn’t be where it is now, then moving it into a still web-accessible location 1 directory above that doesn’t change anything with respect to whether or not it was possible or “nearly impossible” to access. The level of exploitability is identical.
If you really need to move wp-config.php somewhere else to make it more secure, which I don’t necessarily agree with, but if it were true, wouldn’t you want to move it -OUTSIDE- of the publicly accessible files inside public_html? If you want to make it “nearly impossible” for someone to access the wp-config.php file, then move it outside of public_html… Make a directory called config_files or something at the same level as public_html and put the file in there…
This tip is only effective if WP is not installed in a directory inside public_html, but directly inside public_html. WordPress won’t find the wp-config.php if you move it two levels up though, so replacing the part of it with connection settings etc. to an included file outside of public_html would be a more appropriate method of adding this kind of protection for installations in a subdirectory. Also it’s a good idea to CHMOD the wp-config.php to 400.
Plus of course wp-config.php should never render in the browser anyway.
I wouldn’t mind, but yerman’s example doesn’t even move it outside docroot, like he claimed, unless for some bizarre reason he’s edited DocumentRoot in httpd.conf. Some security presentation. :rolleyes:
Hi, I’ve followed the instructions above and unfortunately it crashed my website and the file manager got all funky. I’ve moved the file back to where it came from. I wonder how to get around that?