Whilst you can move the wp-config.php file outside of your web accessible folder, this can get messy and just isn’t practical if you’re running multiple websites on the same hosting package. Instead you can take a couple of steps to protect yourself:
Not all providers have advanced filesystem protections in place, which means that if your file permissions aren’t quite right, other users on the system can read your files, and in the case of your wp-config.php that means all of your database details and login security tokens. This is where filesystem permissions come into play, and we’re talking specifically about Linux here, as that’s where most WordPress sites will be running.
Depending on your provider’s exact configuration you may need to try two different values. We’re not going to delve too much into how Linux filesystem permissions work, but for these purposes it’s a series of 3 numbers, which from left to right mean:
- Permissions for the file’s owner
- Permissions for the file’s group
- Permissions for everyone else (world)
Each of these numbers ranges from 0 to 7 and is made up of the permissions to:
- Read a file (4)
- Write to a file (2)
- Run/execute a file (1)
The numbers in brackets are added together depending on the permissions granted, e.g.
- Read only = 4
- Read and write = 6 (4+2)
- Read and execute = 5 (4+1)
- No permissions = 0
wp-config.php probably has permissions of 644 or 640 right now, meaning that:
- Your username can read and write to the file
- Your user group can read the file
- Everyone else can read the file (644) or no one else can read it (640)
Ideally we want to set 440 or 400 so that only your user and group (or just your user) can read the file. As your PHP code should run as your username, the web server will still be able to read the file and run the code, but no one else will be able to read it. Which of the two you set depends on how your provider has their server configured, so you may need to try 440 if 400 doesn’t work.
The other important point is that your PHP code won’t be able to write to wp-config.php – meaning any malicious code won’t be able to change things in there. It does mean, though, that if you need to make any changes you will need to set the permissions back to 644 or 640 to edit it.
How you set these permissions really depends on your provider. If you have SSH access then you can set them with chmod 440 wp-config.php; if you have access to cPanel or Plesk then their respective file managers both allow you to change file permissions.
Imagine a situation where, for some reason (it can happen), your web server stops processing your .php files as PHP and just sends the content of the file to the user like a normal web page. Now anyone who accesses your wp-config.php can see your database connection details and the security tokens used to protect your user logins. That would be very bad, so we want to stop that from happening.
We’re back with that .htaccess file again; this time we want to add:
This will deny access to anyone trying to access wp-config.php via the web server, but will still allow your site to work. So whether PHP stops working or not, no one can access the file.
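Putting both steps together, here is an added example (not code from the original post) that reads the current mode of a wp-config.php, tightens it to 400 or 440 as described above, and prints an Apache deny rule of the kind the .htaccess step refers to. The file path is whatever you pass in; the rule uses the standard Apache 2.4 Require syntax with a 2.2 fallback.

```shell
# Added example, not code from the original post: audit the mode of a
# wp-config.php, tighten it to 400 (or 440), and emit the .htaccess rule.

# Octal mode of a file, e.g. "644" (GNU stat, with a BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds when the "everyone else" digit of an octal mode is non-zero,
# i.e. other accounts on the host can read the file (644, but not 640).
world_accessible() {
  last=$(printf '%s' "$1" | tail -c 1)
  [ "$last" -ne 0 ]
}

# Succeeds for the two modes the post recommends: 400 or 440.
mode_is_hardened() {
  [ "$1" = "400" ] || [ "$1" = "440" ]
}

# Restrict the file to 400 by default, or 440 when the second argument
# is "group" (hosts where PHP reads the file through the group).
harden_wp_config() {
  mode=400
  [ "${2:-}" = "group" ] && mode=440
  chmod "$mode" "$1" && file_mode "$1"
}

# The Apache rule the post refers to but does not reproduce: deny every
# web request for the file, on both 2.4 (Require) and 2.2 (Order/Deny).
htaccess_deny_rule() {
  cat <<'EOF'
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# Usage: sh harden.sh /path/to/wp-config.php [group]
if [ -n "${1:-}" ]; then
  m=$(file_mode "$1")
  mode_is_hardened "$m" || harden_wp_config "$1" "${2:-}"
  htaccess_deny_rule
fi
```

Append the printed block to the .htaccess in the same directory as wp-config.php; remember to put the mode back to 644 or 640 before editing the file.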