Securing your WP-Config.php

One of the key components of a WordPress blog is a file called wp-config.php. It holds the settings WordPress needs to reach its database, and a blog will not run unless the 3 critical administrator-supplied fields are present in it. These are:

1.) the name of the MySQL database the blog is going to run on

2.) the username of the MySQL database administrator

3.) the password for that database administrator user

The relevant part of wp-config.php looks like this:

<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, WordPress Language, and ABSPATH. You can find more information by
 * visiting {@link Editing wp-config.php} Codex page. You can get the MySQL settings
 * from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'putyourdbnamehere');

/** MySQL database username */
define('DB_USER', 'usernamehere');

/** MySQL database password */
define('DB_PASSWORD', 'yourpasswordhere');


Your implementation of the WordPress config file might look more like this:

/** The name of the database for WordPress */
define('DB_NAME', 'cookiejar');

/** MySQL database username */
define('DB_USER', 'baker');

/** MySQL database password */
define('DB_PASSWORD', 'bakerspassword');

wp-config.php begins life as a file called wp-config-sample.php, found at the root level of your installation. You have to edit the sample file, adding the 3 critical fields, rename it to wp-config.php, and upload it to your host before your WordPress blog will start properly.

The problem is that, unless you take a few more steps, wp-config.php sits in the web root like any other file. If the server ever hands it out as plain text, anyone who fetches it gets your database name, username and password, and with those can take over your site.


To prevent bad surfers from seeing and manipulating your config file, take these protective measures.

1.) Create and upload a file called .htaccess and put it in your root directory on the host. There are thousands of variations you can put in the file, but this will do for starters:

# send requests for files and directories that do not exist to WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# protect the htaccess file
# (Apache 2.4 uses "Require all denied"; the order/deny pair is the Apache 2.2 form)
<Files .htaccess>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
order allow,deny
deny from all
</IfModule>
</Files>

# limit file uploads to 10mb
LimitRequestBody 10240000

# protect wp-config.php
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
order allow,deny
deny from all
</IfModule>
</Files>

# disable directory browsing
Options All -Indexes

I put this text into a file I call htaccess.txt on my local drive, upload it to the root of the host, and then rename it on the host to .htaccess; it then immediately disappears because it acts like a system file.
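An unclosed <Files> or <IfModule> section makes Apache reject the whole .htaccess, so every page on the site returns HTTP 500 until it is fixed. The checker below, added here and not part of the original post, parses the file before you upload it and confirms that both wp-config.php and .htaccess are denied to all clients; the two rule sets embedded in it are constructed samples for the example.

```python
import re
# Added checker, not part of the original post: parses .htaccess text, reports
# whether every <Files>/<IfModule> section is closed (an unclosed section makes
# Apache answer HTTP 500 for the whole site) and which files are denied to all
# clients, in either the 2.2 "deny from all" or 2.4 "Require all denied" form.
SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")
DENY_ALL = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)$", re.I)

def audit_htaccess(text):
    """Return {'balanced': bool, 'denied': set of file names denied to all}."""
    stack, denied = [], set()   # stack holds (directive, argument) of open sections
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip()))
            continue
        m = SECTION_CLOSE.match(line)
        if m:
            if not stack or stack[-1][0] != m.group(1).lower():
                return {"balanced": False, "denied": denied}   # stray or mismatched close
            stack.pop()
            continue
        if DENY_ALL.match(line):
            # credit the deny to the innermost enclosing <Files ...> section
            for directive, arg in reversed(stack):
                if directive == "files":
                    denied.add(arg)
                    break
    return {"balanced": not stack, "denied": denied}

def wp_config_protected(text):
    """True only if the rules parse cleanly and deny both sensitive files."""
    r = audit_htaccess(text)
    return r["balanced"] and {"wp-config.php", ".htaccess"} <= r["denied"]

# Constructed sample: the rules from this post, with every section closed.
GOOD = """<IfModule mod_rewrite.c>
</IfModule>
<Files .htaccess>
deny from all
</Files>
<Files wp-config.php>
Require all denied
</Files>
"""
# Constructed sample: the same rules with the final </Files> left off.
BAD = GOOD.replace("Require all denied\n</Files>", "Require all denied")
```

Run audit_htaccess() on the text of your own htaccess.txt before uploading; a result with balanced set to False means Apache would refuse the file.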

For more information and details on this subject:

Josiah Cole Dot Com – Published 7-11-07

DevLounge – Published 11-14-07 by Ronald Huereca